How did such an enormous electronic database come into existence and then apparently be so easily leaked? The answer lies in the tag “Sipdis” which appears on the string of address codes heading each cable.
It stands for Siprnet Distribution. Siprnet is itself an acronym, for Secret Internet Protocol Router Network. Siprnet was designed to solve the chronic problem of big bureaucracies – how to share information easily and confidentially among large numbers of people spread around the world. Siprnet is a worldwide US military internet system, kept separate from the ordinary civilian internet and run by the defence department in Washington.
Since the terrorist attacks of September 2001, there has been a move in the US to link up separate archives of government information, in the hope that key intelligence no longer gets trapped in information silos or “stovepipes”.
An increasing number of US embassies were plugged into Siprnet in the last decade, so that military and diplomatic information can be shared. In 2002, 125 embassies were on Siprnet; by 2005, there were 180.
An internal guide for state department staff advises them to use the “Sipdis” designation only for “reporting and other informational messages deemed appropriate for release to the US government interagency community.” The guide specifies a number of other channels for even more sensitive material including Nodis, Exdis, Roger and the Docklamp Channel (for communication between defence attaches and the Defence Intelligence Agency), and by now the vast majority of US missions worldwide are linked to the system.
This means that a diplomatic dispatch marked Sipdis is automatically downloaded on to its embassy’s classified website. From there it can be accessed not only by anyone in the state department, but also by anyone in the US military who has a computer connected to Siprnet. Millions of US soldiers and officials have “secret” security clearance. The US general accounting office identified 3,067,000 people cleared to “secret” and above in a 1993 study. Since then, the size of the security establishment has grown appreciably. Another GAO report in May 2009 said: “Following the terrorist attacks on September 11 2001 the nation’s defence and intelligence needs grew, prompting increased demand for personnel with security clearances.” A state department spokesman today refused to say exactly how many people had access to Siprnet.
Within that staggering number of security-cleared individuals, a much smaller number would have a role which allowed them to access Siprnet. And in theory there are built-in safeguards. Users are issued a username and a “strong” password (of 10 characters or more, at least two capitals, two numbers and two special symbols), which must be changed at least every 150 days. In theory at least, the user has to stay at the computer at all times while logged on, logging off even to go to the toilet or get a cup of coffee.
Again in theory, any memory stick or CD connected to a computer with Siprnet access must automatically be labelled secret and stored securely. If a personal device such as an iPod is connected it can be confiscated. In practice these multiple layers of security were relaxed to make the system as easy to use as possible.
There have been suggestions that an alarm system to detect suspicious use of the network was suspended for US military personnel in Iraq after they complained it was inconvenient.
The state department declined to comment on this but spokesman PJ Crowley said: “The defense department is reviewing all of their relevant procedures and taking appropriate action. In the interim, the state department has ensured that essential material reaches those who need it.”