DoD Takes Flexible View on Deleting Wikileaks Docs

Department of Defense employees who downloaded classified documents from Wikileaks onto unclassified government computer systems may delete them without further “sanitizing” their systems or taking any other remedial measures, the Pentagon said in a policy memo (pdf) last week.

The release of classified State Department cables and other classified documents by Wikileaks has produced special consternation among security officers, who have tended to respond “by the book” to this unprecedented breach of security procedures.  But “the book,” which is the product of an earlier era, is quickly becoming obsolete.  And in the worst case, some officials say, the government’s unimaginative response to Wikileaks could do more damage than the original disclosures.

But now some tentative signs of flexibility can be detected from Pentagon policy makers.

Under the new guidance, DoD employees and contractors who have downloaded classified documents from the Wikileaks website onto an unclassified government computer or network — which is still prohibited — do not need to take any extreme corrective measures in response, the Pentagon said.  In particular, there is no need to prepare a formal incident report or to “sanitize” their information systems by overwriting or degaussing them.  Instead, the documents can simply be deleted.

“In the case of classified documents inadvertently accessed or downloaded from the WikiLeaks website or other websites posting WikiLeaks-related classified documents, the IAM [information assurance manager] will document each occurrence and delete the affected file(s) by holding down the SHIFT key while pressing the DELETE key for Windows-based systems,” said Acting Under Secretary of Defense Thomas A. Ferguson in a January 11 memo.

Using the shift and delete keys simultaneously is a way of “permanently deleting” a document, so that it is removed from the file directory and does not appear in the Trash or Recycle Bin.  This action does not, however, physically erase or eliminate the document from the computer’s hard drive.  In other cases of inadvertent transfer of classified information to an unclassified system, a more rigorous response is often required.  But this will now be good enough for the purpose of eliminating classified Wikileaks documents.

“No incident report or further sanitization of government IT systems is required,” Under Secretary Ferguson continued.

The new flexibility only extends to Wikileaks-related documents, not to other “spillages” of classified information, he said.  “This guidance pertains only to the accessing or downloading of the classified documents described above because of the extent of the compromise and the prohibitive cost of standard sanitization procedures.  All other classified spillages must be handled in accordance with existing regulations,” according to the Pentagon memo.

See “Notice to DoD Employees and Contractors on Protecting Classified Information and the Integrity of Unclassified Government Information Technology (IT) Systems,” memorandum for senior DoD officials from Acting Under Secretary of Defense Thomas A. Ferguson, January 11, 2011.

No Responses to “DoD Takes Flexible View on Deleting Wikileaks Docs”

  1. Rob Rosenberger January 20, 2011 at 10:39 PM #

    Translation: DoD told IT admins to stop inflicting “sanitization” on soldiers’ PCs as non-judicial punishment just because they visited Wikileaks.

    Your column leads me to speculate on something I discussed in one of my own columns. I believe a systemic breakdown of “COMPUSEC surety” has crept into the Pentagon’s cyber operations like a noxious weed. In my column, I asked “what IS the punishment” for accidentally spilling classified details in an unclass email? I deduced it must be happening on a rather large scale, yet I can’t even find data on Articles 15, let alone courts-martial. This new policy memo suggests (but does not confirm) low-ranking information assurance officers may be taking matters into their own hands, meting out non-judicial punishment in the form of a sanitization procedure. “Good grief, airman, you created a classified spreadsheet when you combined these three pieces of information! I know you you were obeying your captain’s request, but I’m going to punish you anyway by wiping your hard disk and making you re-take your information assurance CBTs…”

    Because if that low-ranking IA officer doesn’t punish people for accidentally spilling classified data … who will?