Update: November 30, 10:40AM PST
There’s plenty of talk about the information recently released by Wikileaks. But there’s more information there than is generally being reported.
Two weeks ago, I wrote about the vulnerability of our infrastructure to cyberattacks. Do you think Wikileaks is the only organization to have obtained classified information without authorization? While Iran and North Korea are not hotbeds of hacking activity, they do have the money to pay people who are elite hackers.
Much of the world of hackers today exists within the sphere of organized crime. As with organized crime of years past, the driving forces are money and power, and the organizations have many layers, mostly insulated from each other. If someone within that community is able to gather classified information, it’s much more valuable than a database of credit cards. Even after filtering through all of the layers, with each taking a cut, the finder of the information makes a substantial amount of money.
There are many other ways in which such information may be obtained. Many young hackers are hired as contractors to write code to provide remote access. Others are then hired to collect files. Still others are hired to decrypt them, if they’re encrypted. None are aware of what the others are doing, nor do they know for whom they are working. The money’s good, so why does it matter?
Going after Wikileaks might make the public feel better, but they aren’t the root problem. The existence of Wikileaks is more of a symptom of a deeper issue, that of insufficient security of classified data.
In the end, the worst aspect of the publication of these documents isn’t that the Wikileaks information is now available to everyone. It’s that, even before Thanksgiving, it was already available to the people we least want to see it.
Update: The Cablegate site is currently under a DDoS attack, making the materials unavailable on the Internet, at least for the time being.
Gotta agree here. The real criminals are the incompetent jackasses in charge of security for the government. It clearly started with the Bush administration, but it seems to have continued in the Obama administration.
Just consider that, under the current laws, your email, the sites you visit, basically your digital footprint, must be kept and turned over to the feds pretty much any time they ask — yet the last administration lost how much supposedly classified or vital information? (These leaks, the missing emails from the Bush administration, etc., etc.)
The recipe for keeping a secret isn’t difficult to follow:
1. restrict the handling of the information you want to keep secret to the people who need to know. (Obviously violated in the case of the Wikileaks log dumps.)
2. don’t make systems containing secret information accessible to the internet or allow access through an intermediary storage (like a thumb drive or other recordable media) except under conditions (multiple observers, witnesses, that sort of thing) which make it difficult, if not impossible, to have it go missing. (Obviously violated in the case of the Wikileaks log dumps.)
3. log everything. Every copy of classified information must be logged and tracked from creation to destruction. A beneficial side-effect of this would be a decrease in the amount of classified information produced, as, if this were rigidly enforced, people would be careful about creating stuff they need to track and handle properly. (Now, I don’t know about this one, but my impression is that, by creating entire secret facilities — where classified information was apparently passed around like candy at a pre-school birthday party — the security establishment somehow thought they could relax this stricture. But I don’t know for certain.)
Maybe this is the real value of Wikileaks.
Apparently, those in diplomatic circles thought that their email and other electronic communications were somehow secure. Those of us in business, and in government, have been aware for some time that such communications are subject to discovery motions in the first case and FOI or similar requests in the second.
I personally have not written anything in the last few years that I’ve not said, “I wonder how this would look if the readers of a morning newspaper, or a jury, saw this?”
Ironically, this is the standard my Mom first taught me when I learned to write letters.
Yes, those defenses make it harder to get the data. But they don’t prevent it. Remember, Stuxnet got into a highly secure area, despite an air gap. And logs are pretty easy to circumvent if it’s in your best interest to do so.
The sad truth is that nothing will protect you from the person with a clearance who wants to divulge some classified information — but you can first make it very difficult for them to walk out with gigabytes of data, and second, you can find out who had access immediately, and, if you have restricted that group, finding the culprit becomes a lot easier — and acts as a deterrent.
A very valid point that people were looking at this long before it was publicized. I was thinking about Wikileaks this morning and the concept of electronic medical records in a national database. Generally I like the idea since it will likely save lives and maybe even a little money, but can you imagine if some tool or some criminal got their hands on that database? The implications are almost too much to imagine.
A couple comments I’d like to add.
First is that Bradley Manning represented an almost ideal security compromise (he was a naive individual with a grudge and a Top Secret/SCI clearance) and yet despite a substantial amount of coaching and prodding from WikiLeaks he was not able to compromise significantly damaging information. I suspect that there are several reasons for this, but regardless most everything in these WikiLeaks releases was already common knowledge and has been for some time – the majority of these cables aren’t even classified.
Second is that Manning had access to this much information because we have deliberately made it available on classified networks over the years in the interests of breaking down barriers to information flow within the intelligence apparatus. It was in the 9/11 Commission report, remember? As such compartmentalizing the network more heavily or removing data to more secure networks is really a non-starter and the government is taking an active rather than a passive approach to insider threats nowadays. Unfortunately the simple fact is that some secret data is always going to leak and at these classification levels it’s important to minimize rather than outright prevent leakage.
I’d also like to point out that we stood up Cyber Command this year to deal with these kinds of electronic threats. Considering that Stuxnet is widely suspected to be an American job I’d say we’re not doing too badly for ourselves.
Good observations. I agree that, at least within the context of whistleblower channels, things could be a whole lot worse.
As for Stuxnet, there’s at least as much credibility behind the notion that it’s Israeli as there is that it’s American. My personal belief is that it’s more likely to have come from Israel, based on the way it was crafted. But I’ll readily admit that I don’t have enough information to be confident in that belief.
Reading a conversation between Michael and AW is like wandering into the wrong classroom at college and realizing you’re WAY over your head. Intimidating and illuminating. Awesome and scary.
Welcome, AW… I’m impressed.
Er… don’t mind me.. sorry… carry on…
I’m honored, thank you. I’m a junior officer in the US Army, and I’ve been following Nate Silver’s excellent work on 538 (and the comment threads!) since the 2008 election. Your new comment system here makes it easy for a person like me who hates registering for things to participate. 😉
I hadn’t considered the Israeli angle, although it does seem very likely that Stuxnet was their work now that I think about it. The recent assassinations of Iranian nuclear scientists also fit into how Mossad has been known to operate.
On the other hand I note that the US is positioned very well in the Iranian nuclear crisis. The Israeli threshold of action is much lower than our own, so we can restrain them from launching attacks and then if the situation becomes too dire they can be counted on to do our dirty work for us – the backlash from which would then fall back on them and could be used to force them into making the concessions we want them to make on the Palestinians and so on. The great thing about this is that it does not require the US to act in bad faith with any of the parties involved – the situation falls together by itself.
What I’m trying to get at (in an indirect sort of way) is that an Israeli Stuxnet still serves American interests – a strike by our proxies is still a strike against Iran.
It certainly does. It might be worth stepping back, though, and asking which American interests it serves, and why we have those interests.
Letting the Iranians develop nuclear weapons would endanger all of Europe and Central Asia from just the threat of missile attack, setting aside the possibility of them passing a bomb off to terrorists. We’ve got enough nightmares about Pakistani nukes as-is. 😉
Exactly. Why isn’t it the job of some European or Asian countries to take care of this? That’s what I mean about stepping back. Sure, those countries may be our allies, but that hardly means that it’s our job to take care of everything. After all, Spain is Germany’s ally, but we don’t see Spain stepping up; we see the US stepping up.
See what I mean? We’re still stuck in 1955 in many ways. The world changes, and it’s worth stepping back and reevaluating every now and then.