July 1, 2013
Since 2010, when Pfc. Bradley Manning allegedly downloaded classified files from military networks and leaked them to the anti-secrecy website WikiLeaks, the Pentagon has paid millions of dollars for technology designed to protect networks against insiders intent on leaking sensitive data -- the kind of activities former National Security Agency contractor Edward Snowden claims to have done in releasing classified files on the agency's spying operations.
NSA, which is part of the Defense Department, doesn't appear to have enabled those protections, despite earlier Pentagon assertions the technology was rolled out departmentwide.
The Host-Based Security System, launched in 2010, prevents the use of removable storage devices such as CDs and thumb drives on Defense Department networks. An NSA information technology official, who left the agency in the summer of 2012, said that at that time, HBSS was not installed.
Between 2010 and early 2013, the military had spent at least $12 million on core implementation contracts, according to budget analysts. Going forward, the Defense Information Systems Agency, which provides IT support throughout the department, is expected to pay about $1.3 million annually for software licenses, said Ray Bjorklund, founder of BirchGrove Consulting.
Snowden, an NSA system administrator working for Booz Allen Hamilton until he was fired last month, allegedly transferred to a thumb drive classified information about how the agency tracks domestic call data and foreigners' Internet activities.
"There's usually a collaboration between DISA and NSA on net security technologies," Bjorklund said, but "NSA may have been responsible for funding its own implementation under the DoD directive."
In fall 2010, Defense officials directed military components to ban downloading information onto removable devices from the military's secret network, using technologies such as HBSS.
The move came after Manning, who as a low-level intelligence analyst based in Iraq in early 2010, allegedly downloaded to a CD classified files about the wars in Iraq and Afghanistan to release publicly on the anti-secrets website WikiLeaks.
A December 2010 memorandum from the Committee on National Security Systems, an interagency group that sets national policy, advised Defense organizations to “begin using physical configuration, software settings, a capability such as a Host-Based Security System (HBSS) (a DoD capability designed to address exploit traffic on network hosts)" or any combination of those approaches "to disable all 'write' privileges," meaning downloads, "for all forms of removable media devices" on national security systems.
By early spring 2012, most Defense organizations had activated the technology.
Federal spending databases indicate a slew of contractors, including General Dynamics, Northrop Grumman, and now BAE Systems were hired to deploy the McAfee-developed HBSS. Booz Allen does not appear to be on military's payroll for this particular project.
HP, NCI Information Systems and SAIC are among the vendors that individual military departments have commissioned for HBSS services, according to the databases.
NSA declined to say whether the agency had installed or activated HBSS.
July 1, 2013