9/20 Session #5: Still More IT
The witness: Ronald Bechtold, Pentagon IT Chief. His cross-examiner: J. Connell III. Their subject: You know well by now. AE155 and information technology are under discussion, still, at Guantanamo’s Expeditionary Legal Complex.
Published by The Lawfare Institute
in Cooperation With
Connell asks about the defense’s loss, in December of 2012, of server-stored data. A defense attorney had subsequently doubted claims by Bechtold’s group, that lost data had been restored. But, Bechtold says, he compared data volume as of the earliest backup date, and as of the comparison date, and found them equivalent. Migration is Connell’s next topic. Why, he asks, are so many email accounts populating with this strange formulation---“dprov?” Bechtold doesn’t know, but that’s on his list of issues to run to ground, during his stay at Guantanamo. He doesn’t have the answers right now, but hopes to learn them. Connell sits.
Maj. Jason Wright, one of KSM’s lawyers, rises and asks Bechtold about how the defense’s shared drives would function, under one of two IT fixes now being reviewed by the Chief Defense Counsel. Those indeed would be separate, and thus safer, but Bechtold thinks this arrangement won’t work well without audit logs being added. And he recommends augmenting OCDC IT staff, too. But, Wright asks, has he recommended appointment of dedicated, defense IT staff before? Yes, but the witness doesn’t recall when exactly---though he did so prior to any discussion of proposed “courses of action” (“COAs”), or IT fixes. Wright is particularly interested in July and September dates, when COAs were presented to Col. Mayberry and the Convening Authority. Wright presses: did you then recommend the immediate appointment of a defense-only IT person? The attorney openly doubts the implication that Col. Mayberry has been given recommendations to hire, or that IT slowdowns are attributed to her.
The next topic is investigative search requests (“ISR”), and Al-Qosi. One search swept up 541,000 emails? That’s right, Bechtold confirms. But there are new procedures being drafted for ISRs, says the witness. Say the word “Jihad” is contained in a message that lands in Wright’s email account---as surely will happen, given the allegations in the case. Do standing ISR procedures address this scenario? The current policy doesn’t, Bechtold says, but he’s convened a working group and, again, the new procedures are forthcoming. Now to network replication. Bechtold knows that a “Dirty Shutdown”---or improper manual shutdown of one or more machines---occurred during this, though he attributes that to training and knowledge problems; he also is aware that daily backups did not happen during the replication process. Referring to the latter, he thinks engineering and operational personnel may not have worked well with one another. But he disputes Wright’s suggestion of any “data loss.” He doesn’t know, and can’t say that such loss actually happened.
Finally, monitoring---a term that Bechtold disputes. Remember, nobody from his shop actually peers into an individual laptop’s contents; monitoring instead takes place at the network, data-transmission level. Well then, how does the witness respond to a DoD document, which speaks of monitoring desktops and users’ working documents? Guess what? The document is, in fact, Bechtold’s own declaration. Addressing counsel, its author explains: he referred in his declaration to the fact that, periodically, DoD IT must do tests, to ensure that staffers and so forth can detect anomalous behavior. That can mean going into desktops, to ensure that they are equipped with antivirus software and so forth. But this doesn’t happen, the witness says, without consultation with the affected agency. And it probably wouldn’t in, say, the judiciary, where lots of privileged information is in play. Wright: does Bechtold coordinate with CSA, DIA? No. NSA? Bechtold says he collaborates with the agency, in that he receives briefings from it on Global Threats, and seeks to learn of helpful technologies from NSA. But he didn’t coordinate with NSA, with respect to the IT architecture of the military commissions.
Wright ends with a few questions about encryption, among other things about the agency holding encryption keys. Is this NSA? Bechtold defers to Brent Glover, his office’s expert in such things; he doesn’t know. While professing a lack of knowledge, Bechtold plays on his familiar string: he wants to sit down and work with defense counsel, to solve its IT problems. The lawyer then explores a few more topics with the witness---among others, about the encryption of emails sent from DoD users to persons outside of the DoD network, the freestanding network provided to the DoD Inspector General’s office, and omissions from a particular COA document. Then Wright comes to his final query. Does Bechtold stand by his recommendations regarding COAs? Yes. And he estimates that one COA will occupy approximately 111 days from a start date? Yes, but Bechtold believes that the matter has been escalated by the defense to the upper ranking officials at the Department of Defense. Such folks will decide, evidently, whether the defense’s IT fix goes forward.
Now James Harrington, Ramzi Bin Al-Shibh’s lawyer, asks a few follow-up questions. One concerns ad hoc, “penetration testing” searches conducted by DoD IT personnel. Once more, Bechtold confirms that this can happen, in consultation with the head of the agency affected by the test---though not the individual user. Who would this be at the Commissions? Nobody, apparently, for Bechtold says testing would not take place down here at Guantanamo at all. Issues of managing and defending the network---those examined by the tests---take place elsewhere. And this testing, says Bechtold, doesn’t look at computer files’ contents, like whether the word “jihad” is contained in a message. Instead the idea is to root around for things like malicious code, and the like. One more thing: Bechtold said he “probably” wouldn’t perform testing like this, in the trial judiciary. But not “ever?” The witness’s answer isn’t clear, though we soon learn that he will leave government service, on November 1. A few questions more, and Harrington comes to a summation: the defense should feel comfortable, that IT people aren’t rooting around in the contents of our work? Bechtold tells him that DoD personnel, to his knowledge, are not doing that. And he understands the defense’s concerns.
We’re in a brief recess.