Three can keep a secret, if two of them are dead.
— Benjamin Franklin
By this time, there has been a very great deal written and said about the WikiLeaks disclosure of US diplomatic messages. I don’t intend to comment on either the legal aspects of the situation, since I have no particular legal expertise; nor do I want to comment on the political implications, since I think that ground has been pretty thoroughly covered. I do, though, want to mention a few aspects of the case that seem to me interesting from a security perspective.
(Incidentally, there is a good, although unfortunately titled, article at Technology Review, that gives a summary of some of the factual background of the case, written by Prof. Jonathan Zittrain of Harvard Law School, and co-founder of Harvard’s Berkman Center for Internet and Society, and Molly Sauter, on the staff of the Center.)
The messages that have been published via WikiLeaks were apparently obtained, in the first instance, from a classified US government network called SIPRNet (Secret Internet Protocol Router Network), which is used by the Departments of State and Defense. Although it contains classified information, it is not used for the most sensitive material (such as items classified as Top Secret). I have seen estimates of the number of people having access to SIPRNet ranging from 500,000 to 3 million. I find it hard to imagine that anyone thought a network with that many users would not leak. Calling a network secret does not make it so.
The number of messages that WikiLeaks claims to have is also fairly large, at around 250,000. Admittedly, given the capacity of storage devices and media today, that data need not be bulky. But I find it very surprising that the system did not have some kind of monitoring function that would alert the system’s managers of such a large download of data; and I have not found any indication in the published accounts that such a monitoring function existed. The person alleged to have taken the data, Army Pfc. Bradley Manning, was apparently first suspected when he allegedly made an on-line boast about getting it. I would certainly think that downloading 250,000 messages would qualify as unusual activity.
It’s been reported that the US military has now banned the use of removable storage devices and media (such as USB thumb drives, or recordable CDs) on computers that are connected to SIPRNet. From a security perspective, this is a good idea; one wonders why no one thought of it before.
Admittedly, it is fairly common for a system’s users to resist this kind of directive. I was involved with a network security project (in the financial services world) back in the early 1990s; one of the concerns that motivated the project was to prevent sensitive data, particularly customer information, from leaking. One of the principal recommendations was that the floppy disk drives and any CD burners be removed from all user computers. (This was before the age of ubiquitous USB ports and so on.) I don’t think the users’ reaction could have been much more negative if we had suggested selling their first-born children into slavery. So this is at least as much a management problem as a technical one.
Leaking confidential information selectively has been a popular sport in Washington DC for decades, if not centuries; it is done sometimes to advance an agenda, or to discredit a rival, for example. I would be absolutely astonished if all the politicians loudly denouncing WikiLeaks had clean hands in this regard. What is more to the point, as the New York Times pointed out in a recent article, is that the economics of leaking information have changed dramatically, in favor of the leaker.
Even two decades ago, in the days of kilobytes and floppy discs, such an ocean of data would have been far more difficult to capture and carry away. Four decades ago, using a photocopier, a leaker might have needed a great many reams of paper and a tractor-trailer.
Long before WikiLeaks, of course, reporters often met bureaucrats with troubled consciences or agendas, and produced sensational disclosures. The Pentagon Papers is the iconic case.
Add to this the reality of the Internet, which even authoritarian governments cannot entirely suppress, and on which information can be distributed widely and rapidly at almost zero marginal cost; and you have a world in which keeping secrets is hard, and retrieving them once they’re disclosed is effectively impossible. Other organizations need to pay attention to these lessons, too, as an article in The Economist points out.
The State Department has learned what the music and film industries learned long ago: that digital files are easy to copy and distribute, says Bruce Schneier, a security expert. Companies are about to make that discovery, too. There will be more leaks, and they will be embarrassing.
Everyone concerned with information security needs to make sure that his/her thinking and analysis reflects the reality of the digital world of today.