
9/19 Session #2: "The Dirty Shutdown"

Wells Bennett
Thursday, September 19, 2013, 1:09 PM

Scott Parr, Branch Chief for Information Technology at the Office of Military Commissions (“OMC”) and the Convening Authority, is on the witness stand. Questioning him is Gary Sowards, one of KSM’s attorneys.  Their talk will bear on AE155, and IT obstacles confronting the defense.  The witness serves, he says, as something of a liaison to the Defense Department’s network, and the IT people that run it.

Published by The Lawfare Institute

OMC help desk and administration staffers, Parr testifies, do have access to defense files. The much-discussed “replication,” Parr goes on, was meant to provide better services to OMC computer users, such that a document modified in GTMO would appear so in D.C., and vice versa, automatically.  GTMO relies on satellites for communication, and prior to replication, OMC computers suffered from latency problems and delays.  Sowards asks: what agencies can access information transmitted by satellite?  The court squints at the suggestion that the defense should have its own separate satellite link or fiber optic cable---an idea which Sowards jokingly calls “intriguing.”

Replication should have been seamless, according to Parr---though that’s not how things turned out, of course.  Parr does not recall users lacking access to shared drives, or their materials being mistakenly “remapped”---that is, pushed to inappropriate or unknown places elsewhere on the network.  Likewise, though he is aware of a server outage in January, Parr doesn’t remember any earlier server outages.  As for what he does recall, the witness attributes some later data loss, in February, to what he calls a “dirty shutdown”---essentially a turning off of GTMO’s networked computers in a quicker than usual, more cumbersome and even harmful manner.  Initially, this was thought to be the fault of users at GTMO; but later, Parr discovered that DoD IT personnel, and Microsoft consultants to DoD, had caused the muckup.  The military judge asks whether this causes Parr concern, given that, as Judge Pohl puts it, the latter two groups evidently “missed IT 101,” and failed to back up the network.  Indeed it does cause Parr anxiety, among other things because regular backups are fundamental to basic IT work.  Sowards asks a few more dirty shutdown-ish questions, but then sums up the chronology: data backup didn’t really happen until March of 2012?  Right, answers Parr.  So what is the status of replication now?  The court wants to know.  Parr says OMC, the trial judiciary and prosecution participate in the replicated network, but the defense does not---the latter being a consequence of Col. Mayberry’s instructions.

Sowards sits and Cheryl Bormann, lawyer for Bin Attash, stands.  She asks, among other things, about a December 2012 email from Parr.  In it, he passed on information from DoD IT personnel, who had advised Parr (wrongly, it turns out) that all server data had been copied from D.C. drives to their GTMO counterparts.  Bormann’s next line of questioning has to do with attempts to improve the defense’s IT setup.  Parr tells her that he took part in an April 11 video conference between, among others, Col. Mayberry and the Convening Authority, regarding replication and information security.  Though slides from that meeting speak of a significant data loss, Parr says that the data actually wasn’t gone.  In fact, it just needed to be restored, from backups maintained by DoD IT offices. The networks had special folders, he tells Bormann, in which accidentally deleted or disappeared files would be stored temporarily---though he doesn’t know for how long.  Bin Attash’s lawyer finishes; then Col. Sterling Thomas, Ammar al-Baluchi’s counsel, asks a bit more about “IT 101.”  Why wasn’t DoD IT backing up GTMO servers in December, every 24 hours, per standard IT practice?  The witness doesn’t know.

The prosecutor Jeffrey Groharing cross-examines Parr, and, among other things, seeks greater clarity about the “missing files” folder Parr described earlier, to Bormann.  The witness: that is where disappeared GTMO files would go during replication.  Such files thus were not “lost,” but merely put in a different place, pending restoration.  And, importantly, Parr says he has been advised that all pre-existing folder files have been restored, to defense lawyers and others on the computer system.  A scrupulous witness likewise tells Groharing about other files on a separate server in Washington, which were not replicated.  Thankfully, those are still intact, too, give or take some small exceptions.  (PST files, for example, are awfully large, and can cause corruption; Parr’s crew doesn’t mirror those.)  Okay, Groharing sums up, if users at OMC in Washington create files, then those same files will be readable and in updated condition, down at GTMO?  Yup.

Groharing asks about permissions to access defense files.  Permissions are associated with users’ individual accounts, and regulate who can access what on the network.  Relevant here, OMC allows defense lawyers so-called “organizational” access to defense folders, and likewise allows specific defense team members to work with subfolders belonging to each commission case.  When questioned by the court, Parr agrees that, if the system works, then only a defense user will have access to a subfolder belonging to a team.  That said, Parr acknowledges monitoring by DOD security officials, which is an entirely separate matter.  Would it be acceptable for a network administrator to provide a defense user’s credentials to others, asks Groharing.  No, Parr says.  And Parr has taken steps to preclude prosecution administrators from tinkering with their defense counterparts.  When asked, the witness tells the prosecutor that the current IT arrangement adequately protects confidentiality.  Of course, Parr says his main responsibility is to improve IT services, as a general matter---for defense lawyers and for everybody else.  Groharing finishes.

Some brief re-direct follows.  Thomas asks about a discussion he had with Parr, regarding files belonging to Thomas and his co-counsel, James Connell III.  The attorney hints at what he’s after: documents created in May and April of 2012, which never were found on backup tapes or discovered by subsequent forensic investigation or reporting. Thomas explains his point to the judge, by noting that, if he is correct, subsequent examinations have understated the total amount of lost privileged and confidential materials.

Now Sowards rises, and asks, among other things, about backups.  That’s a job for the DoD IT operations people, as opposed to DoD engineering people, who were responsible only for replication.  Of course we now know there were no backups ongoing, between December 2012 and March.  Sowards: did operations folks ever talk to untrained engineering folks, in the interim, about the elementary IT activity of backing up server data?  Parr doesn’t know if they did or not, but says every IT person, whatever their duties, knows that backups are required.  A bit more: has Parr seen the prosecution’s response to AE155?  There, the government suggested that previously, administrators in the defense office could review unencrypted, networked files belonging to the prosecution, and vice versa.  Parr thinks that’s possible.  He also acknowledges a proposal, going forward, to bring IT personnel within the defense’s privilege bubble.  Parr doesn’t comment on it, other than to insist that broad IT access to data is critical.  Take that away, and a user could lose files, say when they aren’t properly backed up.  The witness adds that IT people could care less about what’s on a system’s files.

A query or three more from Sowards, among other things about DoD IT’s past representations to Parr, that all defense files had been restored (Parr wouldn’t have any basis to question that); about one administrator’s provision of the defense’s confidential stuff to another administrator (that’s technically possible, but quite inappropriate); and about the system’s current ability to ensure the security of confidential defense materials (Parr has confidence in that system, though he isn’t a lawyer, and hasn’t read, for example, American Bar Association opinions on attorneys’ obligations).  A bit more, and Sowards concludes.

Bin Attash lawyer Cheryl Bormann brings Parr’s examination to a close.  She refers to an email, sent from one of Parr’s subordinates, which says that OMC servers had tanked “again.” That last word implies some history; how many shared drive outages had happened prior to this?  Parr doesn’t remember exactly, though he recalls the “big three” server lapses, which he mentioned in earlier testimony.  Bormann wonders whether Parr would really be in a position to know about every compromise of defense information, or the restoration of lost files.  Would he even be advised of a defense file loss, by defense personnel or DoD IT?  Parr is indeed out of that loop, generally, but says he might learn of a significant loss or restoration issue that couldn’t be resolved outside his office. Next Bormann asks about permissions.  Those are granted by DoD?  They are.  So DoD IT folks can go into a defense computer, access a defense file and move it to someplace else?  They can, though Parr doesn’t know why such folks would want to.  Bormann confirms: you aren’t involved in any security monitoring, or investigative security searches, or physical email migration?  No, the witness answers.  His bailiwick is management, not physical IT work.  A final point: DoD controls IT systems, much as it controls this trial?  Apparently.

Wells C. Bennett was Managing Editor of Lawfare and a Fellow in National Security Law at the Brookings Institution. Before coming to Brookings, he was an Associate at Arnold & Porter LLP.
