By Rick Lawhorn CISSP, CISA, CHP, CHSS
After the recent announcements concerning WikiLeaks, I began to question the whistleblower website on its motives and the perceived value of disclosure. In fits of brief clarity I find myself, like many others, asking if this latest disclosure was a failure in information security or simply visible failures in leadership. My attempts to call this thing black or white have turned into a drab shade of gray. I can’t seem to get off the fence about WikiLeaks. I keep conflicting my information security spidey senses with the notion that disclosure is necessary and it’s driving me insane to try to achieve some form of closure.
Failure in information security?
Point 1: Data had value beyond that of being regulated…
On one hand, there is the basic principle of information security, which states that YOU should protect data that has value to YOU. Unless there is a legal or professional obligation, you would protect your information only and not someone else’s information. In the case of WikiLeaks cables, we (the US) should not expect another country to protect our data unless there was a legal or professional obligation to do so, right?
The first step is to blame ourselves. Before we do that, we have to ask if this data had any value to us (the US). By reading the news today, I can make a safe assumption that there was intrinsic value versus real monetary or regulatory value. Data that holds any value to an individual or group needs to be protected by the individual or group. We should not suffer tunnel vision and limit protections to information that is only financial or regulated in nature.
Point 2: Why wasn’t the data protected?
If the cable leaks were labeled and treated with certain classifications in the State Department, then why weren’t they protected based on the classification level? What are the policies associated with “Secret” government correspondence in email? You would think that high levels of classification would require controls like, I don’t know, ENCRYPTION maybe? How did the insider gain access to correspondence to which they normally did not have access? From 1966? Sounds a bit like a backup tape, a backup hard drive or the ability to access a fileshare somewhere. A fileshare that held both classified and non-classified information sounds interesting and would mean a couple of systems had been integrated together.
As you can see, we could continue to wander down a rabbit hole asking additional questions, but at the end of the day the question is: if the data had value, then what security controls were in place for the HIGHEST LEVEL OF CLASSIFICATION?
Point 3: How did the State Department pass their certification and accreditation required each year?
In the government, data and system classification is normally a big deal. There are systems that handle classified information and separate systems that handle non-classified. If the cables had a mixture of classified and non-classified data, then the mixture occurred within the State Department systems or at the point where the breach occurred.
All systems in the government must go through certification and accreditation (C&A). C&A is a series of checklist, risk analysis and documentation exercises geared to understanding the security posture of the system in question. One of the primary drivers for determining the assessment depth in a C&A is the classification of the data the system will access. If data has a high classification, then the reviews are at a greater depth. How did the State Department perform on their C&A, especially on the system or systems that stored the information (from 1966) in the leak? I wonder what the impact is going to be when IT has to wipe the offending system due to classified information being stored with non-classified information. Let’s hope it is just a desktop somewhere….
Point 4: Is WikiLeaks legally or professionally obligated to protect our information for us?
We should not expect another country to protect our data unless there was a legal or professional obligation to do so. Are they criminals? No, they live outside our judicial system. Yes, it was our information, but our laws say that guilt has to be proven. Are they traitors? No, unless they pledged allegiance to the USA. The most dangerous thing I have been hearing is that this is somehow terrorism. I have been waiting for three years for someone to provide me a definition of terrorism and how the release of data could ever be an act of terror. If data can be terror, then why hasn’t the world condemned Stuxnet as an act of terror in the same manner? There is just too much double speak.
On the other side of the fence, could the WikiLeaks disclosure be a result of a failure in leadership?
Failure in Leadership?
Point 1: Leadership should be transparent, but not fraudulent?
The tone of the cables is rather disturbing, given that many conversations appear to be relying on some form of security to protect open communication. If security is relied upon to allow fraudulent behavior, then does that make the behavior ok? Does that make our leaders ok?
I was always under the impression that great leaders are the same no matter where they are, public or private. But if they are relying upon security to cover up bad behavior, then what kinds of leaders are they? If they did nothing wrong or simply behaved as they would normally do in public, then the disclosure would have lost a great deal of value.
Point 2: Disclosure is great as long as it’s not us
My final point is probably the greatest irony of all. The government interrogates businesses, individuals, and governments to ferret out fraud, malicious deeds, terrorism and a host of other bad things. Disclosure of their successes is considered a good thing….good for you, good for me, good for the world. The game changes when the world discloses something about our government and the harm it could be doing with other countries and their governments. Disclosure is a great thing, just as long as it is not about the behind-the-scenes behavior within government. I believe Enron tried this before….
At the end of the day, each case has its merits. I am still on the fence and probably will be for a while. For now, I guess I am a fan of both issues versus nothing at all. Let’s see how the world accepts WikiLeaks next year when it spills the beans about a large US bank. Will that be a failure in information security as well? Stay tuned…
P.S. Please let me know where I can pick up some CDs that can hold over 5 GB of data….
Rick Lawhorn, CISSP, CISA, CHP, CHSS has over 20 years of experience in information technology, which includes an extensive security, compliance, privacy and legal background. Rick has served as the Chief Information Security Officer (CISO) for two Fortune 100 companies and has served in information technology and security leadership roles within multiple law firms, the Department of Energy and the National White Collar Crime Center. He has been published in numerous international and domestic security magazines and currently serves on several advisory boards for new, innovative security products. He can be reached at firstname.lastname@example.org.