Schwartz On Security: WikiLeaks Highlights Cost Of Security

The lack of advanced safeguards on the State Department cables represents an astute non-investment, given their stale content.

Mathew Schwartz

December 8, 2010

4 Min Read
Network Computing logo

"Freedom of expression is priceless. For everything else, there's MasterCard." So said one of innumerable tweets last Wednesday with the news that "Operation Payback" had taken down the MasterCard Web site after flooding it with packets.

The revenge attacks by the "hacktivist" group Anonymous have also targeted Amazon.com, EveryDNS.net, and PayPal for their decisions not to do business with WikiLeaks. "The reason is amazingly simple," Anonymous member Gregg Housh told The New York Times in an interview published on Monday. "We all believe information should be free, and the Internet should be free."

However, the attacks raise this broader question: Is it even worth -- in terms of time, money, or government resources -- trying to force WikiLeaks offline or attempting to secure the majority of government systems against leaks?

Answering the question requires identifying who's really to blame for the security leaks. Australia's Foreign Minister, Kevin Rudd told Reuters on Monday that the culprit isn't WikiLeaks founder Julian Assange. "Mr. Assange is not himself responsible for the unauthorized release of 250,000 documents from the U.S. diplomatic communications network," he said. "The Americans are responsible for that."

Indeed, if WikiLeaks didn't exist, and you were an insider -- perhaps a low-level Army intelligence analyst -- who wanted to leak information, what would you do? Burn some CDs and mail them to the world's major newspapers. E-mail photographs of computer screens. Read text out over the phone. End result: the same.

If government officials didn't want the State Department cables to escape, they did a poor job of securing them. In an e-mail to reporters on the eve of the first December WikiLeaks disclosures, Pentagon spokesman Bryan Whitman said 60% of Department of Defense computer systems now have software for "monitoring unusual data access or usage."

Of course, if the DoD were serious, such mechanisms should have been in place for 100% of the agency’s computer systems. "Logically, you should be able to say that a 22-year-old Private First Class shouldn't be accessing 250,000 documents and sensitive cables sent by Hillary Clinton," says Rob Rachwald, a security strategist at Imperva.

In fact, not monitoring practically invites disaster. "Absolutely, it should have been monitored, by the very fact that you call it a classified network," Rachwald says. "By its nature, it becomes more interesting and more valuable." Furthermore, the 40% of Defense Department systems that aren't being monitored -- as well as the public knowledge of that very fact -- suggests more leaks are in store.Now, for the lockdown. According to The Wall Street Journal, diplomatic cables are being removed from classified government systems. But if a classified system can't secure the information against an insider, will State Department systems?

Furthermore, beyond the brouhaha with Senator Joseph Lieberman, chairman of the Senate Homeland Security Committee, threatening The New York Times for publishing the cables, and John Boehner, soon-to-be Speaker of the House of Representatives, intimating that Assange should be executed, is WikiLeaks really a security fiasco at all?

At one extreme, commentators are calling WikiLeaks a "bogus scandal" over "empty secrets." Those are the words of author Umberto Eco, who astutely noted that the government cables contain little more than stale press clippings. "The 'extraordinary' American revelations about Berlusconi's sex habits merely relay what could already be read for months in any newspaper," he said. "The sinister caricature of Gaddafi has long been the stuff of cabaret farce."

Setting proper security controls requires devoting the most resources to secure the most important information. And by this measure, the State Department cables don't rate.

Thus, perhaps the lack of advanced security for safeguarding the cables was an astute non-investment, especially as we're now living in what John Naughton, professor of the public understanding of technology at the U.K.'s Open University, calls "a WikiLeakable world" that can't be stopped -- at least not without pulling the plug on the Internet.

Accordingly, will it be worth spending millions or billions of dollars in reaction to WikiLeaks, to secure -- in many cases -- what doesn't even qualify as dirty laundry? Instead, maybe more government information really should be "free." It's certainly the less expensive option in the long run.

SEE ALSO:

Schwartz On Security: China's Internet Hijacking Misread

Schwartz On Security: Click 'Dislike' For Facebook Safety

Schwartz On Security: Reaching The M&A Tipping Point

Schwartz On Security: Remove Dangerous Sites From Internet

Schwartz On Security: Zombie Internet 'Kill Switch'

Schwartz On Security: Can Apple Minimalism Stop Botnets?

About the Author(s)

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights