WikiLeaks fallout: White House orders classified data security review

Agencies to do post-WikiLeaks assessment of security protocols

The White House has told federal agencies to immediately evaluate their security practices to see if they have adequate restrictions in place on employees’ access to classified data and their ability to copy classified documents onto mobile devices. The move comes after WikiLeaks' massive disclosure of classified diplomatic cables.

The White House will also conduct its own security review of agencies that handle classified information, wrote Jacob Lew, director of the Office of Management and Budget, in a memo dated Nov. 28.

Related stories:

WikiLeaks upends digital security assumptions

Could WikiLeaks set back information sharing?

OMB, the Information Security Oversight Office and the Office of the Director of National Intelligence “will stand up processes to evaluate, and to assist agencies in their review of, security practices with respect to the protection of classified information,” Lew wrote.

The memo reminds federal executives that unauthorized disclosure of classified information is a violation of law and compromises national security. Such violations are unacceptable and will not be tolerated, Lew wrote.

The memo tells each federal department or agency that handles classified information to establish a security assessment team composed of counterintelligence, security and information assurance experts. The teams will review the agencies' implementation of procedures for protection of classified information.

The reviews should include an assessment of system configurations to ensure that users do not have broader access than needed for their jobs, Lew wrote. They should also assess whether there are appropriate restrictions in place on the use of classified networks and the removal of data from those networks for storage on a mobile device.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Cyber. Covered.

Government Cyber Insider tracks the technologies, policies, threats and emerging solutions that shape the cybersecurity landscape.


Reader comments

Sun, Dec 5, 2010

Agreed with the comments regarding the overclassification of data. Another problem is the lack of accountability at the highest levels. Senior leaders who fail to allot sufficient resources to security management or who tolerate incompetence are not disciplined because their relationships shield them from the consequences of their inaction. Subordinates who fall prey to the culture of sloppiness which these leaders have permitted to flourish are often punished severely, but the policies or lack of enforcement of policies which permitted or encouraged this behavior are rarely reviewed. Subordinates who try to point out bad policies are often ignored or are derided for wanting to make everyone else's jobs harder. This needs to be taken much more seriously than it has been in the past, not just with classified documents, but also sensitive documents containing Personally Identifiable Information.

Thu, Dec 2, 2010 BobbyMc

The overuse of classification is a problem. Classification Authorities should re-address their directives to assure classification of only data needing protection. The reduction in data volume would benefit control capability.

Thu, Dec 2, 2010 Jeffrey A. Williams

I forgot to add in my earlier comments to this Memo that the negating of removable media will do absolutely nothing to prevent accessing sensitive information effectively and will potentially create a problem with the transport of such data in some circumstances much more difficult rendering some operations less effective accordingly.

Thu, Dec 2, 2010 Jeffrey A. Williams

I agree with Ken's comments. IAM and the STRONG encryption of data, which the USG doesn't seem to have now, both at rest and in transit is the keys to preventing these sorts of 'leaks' and/or 'Exposiers' in the future and should have already been in effect. Encryption Key managment is also an important element as well. What's been troubling me of late is the weak Encryption standard set by NIST. 256k just isn't strong enough to secure very sensitive data, nor prevent a hacker from cracking and than gaining access without detection.

Wed, Dec 1, 2010

It is a lot easier to secure a gallon jug than a swimming pool. A BIG part of the problem is that too much stuff gets classified by habit or because 'that's the way we've always done it', and so nobody takes the system seriously. Just because something is stamped Secret or TS or whatever, doesn't mean it actually should be. If only critical stuff was actually classified, the volume would be lower, and it would be easier to keep track of.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group