Witness | US v Pfc. Manning, Captain Thomas Cherepko, Assistant S6, Information Assurance Security Officer, 2nd Brigade Combat Team, 10th Mountain Division

  • posted December 18, 2011

UPDATE POST COURT-MARTIAL

United States v. Pfc. Manning was conducted in de facto secrecy. The public was not granted contemporaneous access to court filings or rulings during her trial. In addition to reporting on her trial, I transcribed the proceedings, reconstructed the censored appellate list, and un-redacted any publicly available documentation, in order to foster public comprehension of her unprecedented trial.

As a result of a lawsuit against the military judge and the Military District of Washington brought by the Center for Constitutional Rights, as well as my own FOIA requests and research, an official court record for US v. Pfc. Manning was released seven months after her trial. That record is not complete.

The official trial docket is published HERE and the entire collection of documents is text searchable at usvmanning.org.

*During the pretrial proceedings, court-martial and sentencing of Pfc. Manning, Chelsea requested to be identified as Bradley and addressed using the male pronoun. In a letter embargoed for August 22, 2013 Chelsea proclaimed that she is female and wished to be addressed from that moment forward as Chelsea E. Manning.

General Description

Captain Thomas Cherepko is currently a Deputy Communications and Information Systems (CIS) officer who trains officers for multinational NATO. operations. He is a Functional Area 53, Information Systems Manager, which focus on technical aspects of running a network.

Captain Thomas Cherepko has been in the Army 16 years. Cherepko was a Brigade Automations Officer for the 2nd Brigade Combat Team (BCT) from 2009 till Summer 2011. Cherepko primary duties were to establish, maintain, and secure Brigade communications. Cherepko served as Brigade Information Assurance Manager (IAM). As the Brigade Information Assurance Manager (IAM), Cherepko was in charge of insuring information practices are followed, training as required is conducted, and the information work force is appointed and trained.

Captain Thomas Cherepko explained the protocol for obtaining access to SIPRNet. One had to get approval of a first-line supervisor; had to complete required paperwork, which included a request for access document; and an Acceptable Use Policy (AUP).

Captain Thomas Cherepko says that only program administrators, and not soldiers, were allowed to install software on their workstation computers.

Captain Thomas Cherepko says that Wget was not authorized. Wget is the program that defense asserts is the legal theory behind the Government’s 18 USC 1030(a) “unauthorized access” charges. The Prosecutions has said as much, but they may be hiding the ball.

Captain Thomas Cherepko says that mIRC was used by soldiers to communicate between the 10th Mountain Division (Light Infantry) and 2nd Brigade Combat Team (BCT). Brigade aviation cells used to communicate with aviation community using mIRC.

Captain Thomas Cherepko says that he required soldiers to sign an Acceptable Use Policy (AUP) when soldiers arrived, but he arrived in Theater after Manning, and could not locate his or Bradley Manning’s AUP. He said that both AUP’s were misplaced because there were over 2,000 soldiers and the files were maintained as paper copies.

Captain Thomas Cherepko said the SIPRnet network administrator’s function was suppose to monitor and maintain upkeep of network, ensure that there are communications 24 hours per day, security, upgrades, and troubleshooting of users’ problems.

Captain Thomas Cherepko says there was an operational requirement to burn CD’s. Captain Casey Martin (married name Fulton) Platoon leader and Brigade Assistant S2 Officer says the reason for the ability to burn CD’s was to share information with Iraqis. It was part of the mission. Captain Steven Lim 2nd Brigade Military Intelligence (MI) Company Commander Brigade S2 says US Forces Iraq partnered with Iraq 2nd Brigade, and the Brigade was authorized to release that information to Iraqi defense forces because that was part of their mission to train the Iraqi’s how to use information and to share information with Iraqis.

Captain Thomas Cherepko says he did not perform a DIACAP (Department of Defense Information Assurance Certification and Accreditation Process) package, which ensures whatever one needs to accredit meets requirements. Captain Thomas Cherepko admits the DIACAP would have provided insurance regarding vulnerabilities.

In March of 2011, Captain Thomas Cherepko received a letter of admonishment from General Robert L. Caslen for “failure to ensure brigade was properly certified.”

Captain Thomas Cherepko says he only occassionaly went into the Brigade S2 T-SCIF for “troubleshooting and occasionally to pick up officers to go to lunch.”

Captain Thomas Cherepko says that the DAIG [Department of the Army Inspector General] did not perform an inspection until late in deployment.

Captain Thomas Cherepko says the “T-SCIF” for which he was responsible was inspected, but he admits a S.C.I.F Security Officer was not installed, he did not know was a SSR – S.C.I.F. Security Representative was.

Captain Thomas Cherepko says he saw music installed in soldier’s personal folders on the shared SIPRNet T-Drive. Cherepko said there was no authorized music folder, and he would delete it when he saw it, but it kept reappearing. Cherepko said no one was punished for having music on the SIPRNet shared T-Drive.

According to Rainy Reitman’s notes, David Coombs, lead civilian defense counsel, “asked if Cherepko remembered saying about the training he received in a sworn statement on January 6, 2011 that ‘we were given just enough knowledge to screw things up.’ Cherepko balked slightly at confirming it, though I believe he ultimately did say he could have said that. Coombs responded that ‘If you were here in person I would show you your sworn statement.'”

According to Rainy Reitman’s notes, “Cherepko knew that having music, movies and games violated the Authorized Use Policy. He had seen programs being added to the T-Drive, including games, and he had notified his supervisors. He was unaware of any action being taken based on these concerns, and the practices continued until they were redeployed.”

According to Rainy Reitman’s notes, “Cherepko was then asked whether he had received an executable file from CID. He confirmed that he had. He confirmed he had used it. But when asked whether the program was approved, he admitted he didn’t know.”

According to Rainy Reitman’s notes, “Cherepko provided them with server logs from the network and shared drive as well as email logs. Cherepko was able to get some of the requested logs but not all of them. Some of them they did not maintain. He explained that they only maintained generic server logs for troubleshooting purposes.”

Special Agent Calder Robertson CCIU said Captain Thomas Cherepko secured some network logs which are official communications between computers, but according to Rainy Reitman’s notes, Cherepko couldn’t answer the Government’s questions about what the log files contained. Special Agent Calder Robertson CCIU said unnamed people on his team instructed Captain Thomas Cherepko on how to obtain those logs and conduct forensic investigations.

According to Rainy Reitman’s, “Cherepko stated that the CID agents had asked him to create images of a computer and, after some concern, he tasked one of his solders with doing the imaging (either Sgt Joseph Benthal or Private Dodley; he didn’t remember which.). He believed a supply sergeant’s [Peter Bigelow] computer was imaged but couldn’t remember if additional devices were imaged as well.”

According to Rainy Reitman’s notes, “Cherepko stated he was concerned about his ability to create forensically sound images. He had expressed this concern to the CID agent, and the agent had responded (basically) that it was OK because the devices hadn’t been seized yet and it’s already been so long that they are already tainted.”

According to Rainy Reitman’s notes, “Cherepko was also asked to make a copy of Manning’s log file and folder. He didn’t remember who asked, but he received tutoring in doing it. (Specifically, how to maintain the metadata.) Then the CID agent sent him an executable program. Cherepko noted that the copy he made was from the day he copied it, not on a prior version.”

Individuals named in the testimony of Captain Thomas Cherepko:

  • General Robert L. Caslen
  • Unnamed supervisors whom Captain Thomas Cherepko notified about unauthorized music and games on the shared SIPRNet T-Drive
  • Unnamed people on Special Agent Calder Robertson CCIU team who instructed Captain Thomas Cherepko on how to obtain server logs from the network and shared drive as well as email logs and how to conduct forensic analysis
  • Captain Thomas Cherepko tasked of his soldiers with doing the forensic imaging either Sergeant Joseph Benthal or Private Dodley He could not remember which
  • unnamed Army Criminal Investigation Command (CID) agent who said to Captain Thomas Cherepko when he was concerned about his ability to create forensically sound images “that it was OK because the devices hadn’t been seized yet and it’s already been so long that they are already tainted”

No. 20 on December 2, 2011 Defense Request for Article 32 Witnesses on December 2, 2011

XXXXXXXXXX [CPT Thomas Cherepko, Information Assurance Security Officer, 2nd Brigade Combat Team, 10th Mountain Division] He was the assistant S-6 for the 2BCT. He will testify that the information assurance procedures were not being followed by the brigade. He knew that Soldiers would go to the local market and buy movies, music and games and place the information on their SIPR and NIPR computers. He tried to address the issue but could not get any support from the leadership to enforce the standards. He raised the movie and music concern to the S6, XXXXXXXXXX [UNIDENTIFIED BRIGADE S6] and the Brigade XO [Brigade Executive Officer], XXXXXXXXXX [Lt. Col. Brian Kerns], but that nothing was done. When the mood struck him, he would scan the shared drive for music, movies, and games and will testify that he would find it every day. Every time that he found unauthorized material on the SIPRNet, he would delete it. Occasionally, he would find a Soldier that would have a huge amount of unauthorized material on their computer -in one instance it was 500 Gigabytes of information, but nothing was done. He will testify that as the IASO [Information Assurance Security Officer] he did not know that he needed to prepare a DoD Information Assurance Certification and Accreditation Process (DIACAP) packet for certification and accreditation of the brigade network. He will also testify that due to this failure, it was later determined that the brigade did not have an Approval to Operate (ATO) or an Interim Approval to Operate (IATO) for their network. Additionally, the brigade did not receive a formal IA [Information Assurance] certification and accreditation inspection during its tour, contrary to the guidance in MNF-I [Multi-National Force – Iraq] Directives. Finally, he will testify that he knew about personal software being loaded on the SIPRNet and he would remove the software when he came across it. XXXXXXXXXX [WHAT IS THIS?]

Additional Article 32 Pretrial, 12/18/11 (by an anonymous journalist, ed. by Alexa O’Brien)

See Transcript of US v Pfc. Bradley Manning, Article 32 Pretrial Hearing, 12/18/11 (Additional)

NEXT WITNESS CAPTAIN THOMAS CHEREPKO, U.S. FORCES, N.A.T.O via TELEPHONE

Prosecution: Current position?

Cherepko: Deputy C.I.S. [Communications and Information Systems] officer for Madrid. My duties: to assist primary CIS officer in planning, executing for training officers for multinational N.A.T.O. operations. I’m a Functional [Area] 53, Information Systems Manager.

Prosecution: What do you do for the army?

Cherepko: Depends. Ranges from cyber defense to… [Cherepko mentions other things]. I’ve been in the Army 16 years. For 2.5 years – since Summer 2009 – I’ve been a C.I.S. officer. Previously Engineer Officer, 4 years.

Prosecution: What type of training do you receive?

Cherepko: Went through Functional Area 53 training at Fort Gordon in Georgia. Brigade Automation Officer responsible for overseeing NIPRnet and SIPRnet. NIPRnet System, unclassified network that allows you access to world wide web, Google, Yahoo, ESPN if you like. Only used for unclassified information. SIPRnet is a global Intranet for the Department of Defense. Closed network, classified up to SECRET.

Prosecution: What were qualifications in order to have SIPRnet account?

Cherepko: You had to have approval of your first-line supervisor; had to complete required paperwork, which included a request for access document; and an A.U.P. – Acceptable Use Policy.

Prosecution: When completing steps for access, you had to prove you had security clearing. Why did you need a security clearance to get on network?

Cherepko: Because SIPRnet can contain up to SECRET information.

Prosecution: A.U.P. – Acceptable Use Policy – tells you what you can and cannot do on network. You have to read and sign. Explain…?

Cherepko: It’s online training giving you basic security proceedings. Gives examples of what to do and what not to do.

Prosecution: Give examples of different types information in training?

Cherepko: Perfect example: the use of I.D. cards to get into buildings. You’re supposed to use I.D. card to get into buildings. If someone goes to a door without ID, there’s a protocol on what you’re supposed to do.

Prosecution: Sharing passwords?

Cherepko: You’re not authorized to share.

Prosecution: Conduct yourself while using classified information?

Cherepko: Can’t remember if there’s anything specific to classified. But even to get a NIPRnet account, you have to go through this training.

Prosecution: Focusing just on SIPRnet, what is network administrator’s function?

Cherepko: Monitor and maintain upkeep of network. Ensure that there are communications 24 hours per day. Security, upgrades, troubleshooting of users’ problems.

Prosecution: Soldiers: authorized to install programs on 2-10 Mountain [2nd Brigade Combat Team, 10th Mountain Division (Light Infantry)] SIPRnet program?

Cherepko: No.

Prosecution: Who was authorized?

Cherepko: Program administrators.

Prosecution: Have you heard of WGET?

Cherepko: Yes.

Prosecution: Was it authorized?

Cherepko: No. To my knowledge, doesn’t have specific [Missed] of net worthiness.

Prosecution: mIRC Chat? What is it?

Cherepko: Chat system.

Prosecution: Similar to I.M. [Instant Message]?

Cherepko: Yes.

Prosecution: Was there an operational need to have?

Cherepko: Yes.

Prosecution: What?

Cherepko: Used to communicate between Division [10th Mountain Division (Light Infantry)] and Brigade [2nd Brigade Combat Team – BCT]. Brigade aviation cells used to communicate with aviation community.

Prosecution: Authorized to be installed on your computer?

Cherepko: We had to have it in order to communicate with the aviation community.

Prosecution: Was it authorized, though?

Cherepko: To my knowledge, yes – it was on systems when I got there.

Prosecution: Did you install?

Cherepko: Yes, part of the package we installed.

Prosecution: Was WGET part of that?

Cherepko: No.

Prosecution: A.U.P. – Acceptable Use Policy. Soldiers required to sign before deployment?

Cherepko: Don’t know.

Prosecution: Requirement to have A.U.P.’s [Acceptable Use Policy]?

Cherepko: Yes.

Prosecution: When you were Systems Officer, did you require soldiers to sign?

Cherepko: I did, Sir. Can only assume it was done before I arrived – I had to sign when I got there.

Prosecution: Manning there when you arrived in theater?

Cherepko: Yes.

Prosecution: Did you maintain Manning’s A.U.P. when you were there?

Cherepko: Have to say, no – we couldn’t find it when asked to find it. Mine was one of the ones we couldn’t find too.

Prosecution: Why?

Cherepko: Over 2,000 users; we kept paper copies in file folders; they were misplaced.

Prosecution: Standard language in A.U.P. [Acceptable Use Policy]?

Cherepko: No forwarding of chain emails. Can’t use it for personal business. Can only access network for what you have permission to access. You can’t install programs, you can’t look at porno or racist material.

Prosecution: Whose is the ultimate responsibility?

Cherepko: It’s the user’s.

Prosecution: Executable code mentioned?

Cherepko: Don’t know.

Prosecution: Did you have a shared drive? What is it?

Cherepko: Yes. Not unlike U.S.B. drive, but it’s larger and is a server. 11 Terabytes, not all of which was accessible by users. Server on network connected by I.P. address to the main network. Users could map server to their local machine, use as hard drive locally.

Prosecution: Was there a common name for 2nd Brigade Mountain [2nd Brigade Combat Team, 10th Mountain Division (Light Infantry)] shared drive?

Cherepko: T Drive. Classification was SECRET.

Prosecution: Who had access?

Cherepko: Anyone given permission.

Prosecution: Anyone on SIPRnet?

Cherepko: Anyone on SIPRnet who was also given access. I don’t know anyone who was not given access.

Prosecution: Just from your Brigade?

Cherepko: Inherited from 82nd Air Brigade. They’d also inherited. Collection of archived documents from the past several years.

Prosecution: Also movies and music on shared drive?

Cherepko: Yes.

Prosecution: Assuming soldier had SIPRnet access, what prevented a soldier from removing information from shared drive and putting on his or her own computer?

Cherepko: Nothing. You could move data back and forth between it.

Prosecution: What prevented a soldier from burning a C.D. of classified information?

Cherepko: No technical restriction from burning a CD.

Prosecution: Why?

Cherepko: There was no requirement to have a restriction; no need to.

Prosecution: Was there an operational requirement needed to allow burning of a C.D.?

Cherepko: Yes. Like I said, there was no technical restriction. Only prevention was trust that a soldier would not do that.

DEFENSE EXAMINES CAPTAIN THOMAS CHEREPKO

[Discussion about him not being there in person. Mr. David Coombs says he sounds like a Sprint commercial.]

Defense (Coombs): How long did you work as the Brigade Automations Officer as 2nd BCT [Brigade Combat Team]?

Cherepko: From 2009 till this past summer [2011]. Primary duty: establish, maintain, secure Brigade communications. Serve as Brigade Information Assurance Manager [I.A.M.].

Defense (Coombs): Typical day?

Cherepko: Day would begin with PTs [Physical Training], go to work. Once I arrived, day had fairly typical rhythm: read through logs to make sure back-ups had occurred. Check emails to see if anything needed to be action’ed on immediately. Checked with soldiers in the Help Desk. Rest of my day, minus meetings, consisted of troubleshooting network and doing everything I could to keep it operational.

Defense (Coombs): FA53 [Functional Area 53] course – you went, correct?

Cherepko: Yes.

Defense (Coombs): Functional area?

Cherepko: Overall, focuses on technical aspects of running a network. Courses are fairly good. Civilian system academy. Prepared us as well as you could in a nine month course. They trained us for Certified Information Security Professional Exam. I wish they would have trained us more on how the Army does things, but you could pick things up pretty quickly.

Defense (Coombs): Would you agree that FA [Functional Area] did not teach you the way Army does things?

Cherepko: Yes.

Defense (Coombs): When did you arrive at F.O.B. Hammer? What time in November?

Cherepko: Would guess around 14th.

Defense (Coombs): Within a few days, RIP/TOA [Relief in Place/Transfer of Authority] took place?

Cherepko: I arrived after.

Defense (Coombs): You are also the Information Assurance Manager for the Brigade? When?

Cherepko: Don’t know specific date. After New Year when orders are written and signed.

Defense (Coombs): Responsibility as Information Assurance Manager?

Cherepko: I was the person in charge of insuring information practices are followed, training as required is conducted, and to insure information work force is appointed and trained.

Defense (Coombs): Conduct additional training?

Cherepko: Not for the staff or Brigade as whole; just for my soldiers.

Defense (Coombs): As I.A.M. [Information Assurance Manager], are you required to conduct security scans?

Cherepko: Don’t know.

Defense (Coombs): Do anything other than I.A. [Information Assurance] scans?

Cherepko: Yes. Coordinated through [Missed] Brigade and through Corps to do security assessment of network.

Defense (Coombs): Anything besides that?

Cherepko: No sir.

[Missed a couple things.]

Defense (Coombs): What’s a DIACAP [Department of Defense Information Assurance Certification and Accreditation Process] package?

[Cherepko explains – something that ensures something you’re trying to accredit meets requirements.]

Defense (Coombs): Did you do a DIACAP [Department of Defense Information Assurance Certification and Accreditation Process] package for the Brigade? Were you trained? Did you know how to submit?

Cherepko: [Answers, “No” to all questions.]

Defense (Coombs): Would have provided insurance regarding vulnerabilities, correct?

Cherepko: Yes.

Defense (Coombs): Have you ever submitted?

Cherepko: No.

Defense (Coombs): March of 2011 – you received a letter of admonishment? For failure to ensure brigade was properly certified? From General Robert L. Caslen?

Cherepko: [Answers, “Yes” to all questions.]

Defense (Coombs): Ever go into the Brigade T-S.C.I.F?

Cherepko: Yes.

Defense (Coombs): Why?

Cherepko: Troubleshooting and occasionally to pick up officers to go to lunch.

Defense (Coombs): Now – normal S.C.I.F operations still apply to in theater S.C.I.F, right?

Cherepko: Don’t know if rules apply.

PROSECUTION OBJECTION: SUBJECT MATTER OUT OF RANGE

OVERRULED

Defense (Coombs): Did you ever receive any DAIG [Department of the Army Inspector General] inspections while you were there? Know why not?

Cherepko: No. Was never told why.

Defense (Coombs): What is it?

Cherepko: Department of the Army Inspector General. Brigade went through one well after we were deployed. FORSCOM agents went through a checklist to make sure we met requirements.

Defense (Coombs): Did you view inspecting T-S.C.I.F. part of your job as information Assurance Manager?

Cherepko: I didn’t treat it any differently than any other Brigade. To me, S2 [Intelligence] offices were same as S3 [Training and Operations] or anything else.

Defense (Coombs): Did you view inspecting T-S.C.I.F as part of your job?

Cherepko: Yes, Sir. Inspections…they don’t rule out specific places because of their job. So if I did an inspection, I would include T-S.C.I.F., yes.

Defense (Coombs): Know if T-S.C.I.F. was inspected?

Cherepko: I believe it was inspected. [Missed the rest of his answer.]

Defense (Coombs): S.C.I.F Security Officer installed? Why not?

Cherepko: No.

Defense (Coombs): SSR – S.C.I.F. Security Representative, was there one?

Cherepko: Don’t even know what that is.

Defense (Coombs): Did you ever see music on the T-Drive?

Cherepko: Yes.

Defense (Coombs): How was it stored?

Cherepko: Like everybody else’s documents – people had music in their folders.

[Indecipherable from transcribers transcript.]

Defense (Coombs): You did not have an authorized music folder, right?

Cherepko: Right.

Defense (Coombs): When you saw music, you would delete?

Cherepko: Yes.

Defense (Coombs): And apparently it would go back on T-Drive?

Cherepko: Yes because it kept reappearing.

Defense (Coombs): Was anyone ever punished?

Cherepko: No.

Defense (Coombs): Did you recommend that anyone ever be punished?

Cherepko: Wouldn’t say anyone was punished.

[END OF TRANSCRIPT BUT NOT END OF DAY]

MISSED COMPLETE CAPTAIN THOMAS CHEREPKO

Other Resources: