By Madison Rupert
End the Lie News
Access classified data without authorization, use your account after you’ve been fired, or anonymously request a new account for an Afghan friend – these are just some of the features available in the State Department’s SMART system, BuzzFeed reports.
In the wake of the Manning and Snowden classified US intelligence leaks, internal documents obtained by BuzzFeed reveal that the US State Department’s security systems are vulnerable, if not providing open access to classified information.
The breaches in security, horrifying to any IT expert, are reported in the State Messaging and Archival Toolset (SMART) – a cable and messaging system which is based on MS Outlook. SMART operates with working emails and cables, stored in both classified (ClassNet) and unclassified (OpenNet) enclaves.
SMART was initially created for improving information sharing after the 9/11 attacks. The internal messaging application has been built and maintained by a team of State Department employees and IT contractors under the $2.5 billion Vanguard contract.
It became fully operational in September 2008 under US State Secretary Hillary Clinton. However, it turns out the system never complied with all the requirements of the Federal Information Security Management Act and the National Institute of Standards and Technology, according to a 2010 Office of Inspector General (OIG) report.
Failing to provide enough cyber protection, the system regularly received failing or below-failing grades from its internal monitoring system, according to documents obtained by BuzzFeed.
SMART’s monitoring system, deployed to determine whether there has been unauthorized access to or modification of files, frequently fails to do any of that, the report said. And with an existing backdoor between the classified and non-classified enclaves, state secrets can be accessed by a user without proper clearance, even unintentionally, BuzzFeed writes.
Access restriction is in fact one of the biggest problems with SMART; it is well known, but nobody is willing to fix it.
According to the report, in 2012 three SMART accounts were created for users in Kabul, Afghanistan. An internal audit showed that no one had any idea who requested their creation or was using them. The mysterious accounts have since been deleted, but no results on possible unauthorized activities via them have been made public.
That unauthorized access was not an isolated incident. According to the report, accounts for former employees remain active for some time after they leave. In addition, the State Department can only guess at the number of contractors who have access to the system, and whether those contractors have gone through proper security checks.
In some cases, the computer systems also allowed unregistered users to access data through anonymous, unsecured access points with default credentials.
Currently, the database has no hashing, time-stamping, or other capabilities to tell that the records have not been accessed, tampered with, copied by unauthorized users, or even switched for a fake.
After the 2010 leak of hundreds of thousands of Pentagon and State Department documents by Army Private Bradley Manning to the anti-secrecy website WikiLeaks, the department disabled the ability to forward messages, but failed to block the ability to cut and paste messages and cables, BuzzFeed reports.
Legitimate users are also contributing to potential classified data leaks with their routine actions. When a non-classified user’s email on an operating level is included in a classified group mailing list, that user begins receiving all classified attachments. Users also regularly mislabel classified information as unclassified, BuzzFeed reports, because they simply like the unclassified system better and appreciate its user-friendly interface.