How can the U.S. stop an insider with an agenda?


For any organization that keeps secrets on computer networks, the lesson of WikiLeaks is painfully clear: In the cyber age, there are few things so damaging as a determined insider with the right passwords.

The Pentagon already knew that, it turns out. In February, the Defense Department hired a former hacker to lead a research program to detect digital spying by employees. That was before a disgruntled Army intelligence analyst allegedly used his computer access to fuel the biggest disclosure of secret national security information in American history.

Peiter Zatko, who is known in the hacker world as Mudge, is in charge of the Cyber Insider Threat program at the Defense Advanced Research Projects Agency, or DARPA, which was created in 1958 as a response to the Soviet Union’s Sputnik satellite launch.


“I’ve played both offense and defense,” said Zatko, who began hacking as a teenager in the 1980s, but then switched sides to help the government protect systems in the 1990s. “I’ve been the person tasked with breaking into systems and I’ve also been tasked with defending them. I look at what I would do to impede myself.”

His program, however, is years from producing deployable solutions because the technology is in its infancy. And in the meantime, the WikiLeaks releases show that the Pentagon failed to take basic steps to protect sensitive information, such as detecting and preventing surreptitious, unauthorized downloads, said Steven Aftergood, who tracks intelligence for the Federation of American Scientists.

“There was no top-secret material there, no raw intelligence, not the most sensitive stuff,” Aftergood said of the WikiLeaks disclosures, the latest of which involves nearly 250,000 diplomatic cables. “But the idea that someone could sit with access to a USB port and just download to their heart’s content — that’s poor security practice.”

The Pentagon has taken some immediate steps to prevent unauthorized downloading of classified material, including disabling drives that would allow users to record and remove data. The Defense Department also is installing basic detection systems similar to those used by credit card companies to detect and monitor fraud, said press officer Maj. Chris Perrine.

But those systems have difficulty detecting the sorts of subtle anomalies that might give away a sophisticated espionage network, cyber-security experts say.

That’s where Mudge’s program comes in.

“If there was a private company that already had this, that we could purchase off the shelf, it wouldn’t be a DARPA hard issue,” Zatko said.

The Cyber Insider Threat program, known as CINDER, will award grants to companies that propose ways of detecting improper activity by users across an array of secret government systems. It is aimed at finding, for example, a network of corrupt employees whose behavior seems normal in isolation, but taken together presents a threat, said Alan Norquist, chief executive of Veriphyr, a cyber-security company applying for funding.

Such systems might detect people who delete their search history or cookies, Zatko said, or who take an unusual interest in who is logging on to a particular network.

Officials believe the theft of the material that has fueled a series of WikiLeaks disclosures, including the State Department cables made public Sunday, was simple in its execution. Army Pfc. Bradley Manning, an intelligence analyst with the 10th Mountain Division in Iraq, is accused of downloading reams of material from a secure military network known as SIPRnet, for Secret Internet Protocol Network.

About 500,000 people have access to that network, U.S. officials say.

Rep. Pete Hoekstra of Michigan, the ranking Republican on the House Intelligence Committee, said he was convinced foreign intelligence services had penetrated the SIPRnet.

“Who designed this system?” Hoekstra said. “You don’t put all of the data into one database and then give everybody access to it. … This is the ultimate honeypot. I think the Russians and the Chinese are all over this system.”

Manning chatted online with hacker Adrian Lamo, according to, and Lamo turned him in to authorities. Manning is being held at Marine Corps Base Quantico, in Virginia, awaiting military legal proceedings on charges of improperly accessing classified information. His lawyer, David Coombs, did not respond to phone and e-mail messages.

So-called complicit insiders are “one of the things the Department of Defense most fears,” said Dale Meyerrose of Harris Corp., the former chief information officer for the U.S. intelligence community. “You’re never going to completely prevent it. … To me, this WikiLeaks element is not a technology issue. This is a personal reliability issue. This is somebody that went bad and we didn’t detect it.”