Greensboro, N.C. – Detailed schematics of a military detainee-holding facility in southern Iraq. Geographical surveys and aerial photographs of two military airfields outside Baghdad. Plans for a new fuel farm at Bagram Air Base in Afghanistan.
The military calls it “need-to- know” information that would pose a direct threat to U.S. troops if it fell into the hands of terrorists. It’s material so sensitive that officials refused to release the documents when asked.
But it’s already out there, posted carelessly to file servers by government agencies and contractors – including Douglas County-based CH2M Hill Cos. Ltd. – accessible to anyone with an Internet connection.
In a survey of servers run by agencies or companies involved with the military and the wars in Iraq and Afghanistan, The Associated Press found dozens of documents that officials refused to release when asked directly, citing troop security.
Such material goes online all the time, posted most often by mistake. It’s not in plain sight but is almost as easy to find.
And experts said foreign intelligence agencies and terrorists working with al-Qaeda likely know where to look.
In one case, the Army Corps of Engineers asked AP to promptly dispose of several documents found on a contractor’s server that detailed a project to expand the fuel infrastructure at Bagram – including a map of the entry point to be used by fuel trucks and the location of pump houses and fuel tanks. The Corps of Engineers then changed its policies for storing material online following the AP inquiry.
But a week later, AP downloaded a new document directly from the agency’s own server. The 61 pages of photos, graphics and charts map out the security features at Tallil Air Base and depict proposed upgrades to the facility’s perimeter fencing.
“That security fence guards our lives,” said Lisa Coghlan, a spokeswoman for the Corps of Engineers in Iraq, who is based at Tallil. “Those drawings should not have been released.”
Security experts said files that never should appear online are often left unprotected by inexperienced or careless users who don’t know better.
“For some, there’s sort of this myth that ‘if I put something on the Net and don’t tell anybody,’ that it’s hidden,” said Bruce Schneier, the chief technology officer of BT Counterpane, a Mountain View, Calif.-based technology security company. “It’s a sloppy user mistake. This is yet another human error that creates a major problem.”
A spokeswoman for the U.S. Central Command, which oversees the war in Iraq, declined to say if material accidentally left on the Internet had led to a physical breach of security.
Among the documents AP found were aerial photographs and detailed schematics of Camp Bucca, a U.S.-run facility for detainees in Iraq.
It was found on the file transfer protocol server of CH2M Hill, an engineering, consulting and construction company based in Douglas County.
“None of the drawings are classified, and we believe they were all handled appropriately per the government’s direction,” said CH2M Hill spokesman John Corsi.
But the company added password protection to its FTP site after AP’s inquiry and referred the direct request for the documents to the government.
Military officials said they could jeopardize troop security and refused to release them.
AP’s discovery led the Army Corps of Engineers to immediately ask all its contractors to put such material under password protection. In fact, all the agencies and contractors contacted by AP have either shut down their FTP sites, secured them with a password or pledged to install other safeguards to ensure such material is no longer accessible.
While working on an internal security review at his job with the city of Greensboro, N.C., Christopher Freeman watched as a computer with an electronic address from Iran downloaded a file from the city server that contained design drawings for the area’s water infrastructure.
He passed along his findings to the FBI.
Mark Moss, an FBI agent who focuses on online security, said foreign intelligence agencies spend a lot of time on the Internet because online intelligence-gathering is cheap, quick and anonymous.
