Lessons From WikiLeaks
Rarely does a story with a strong information security thread garner quite so much attention in the mainstream press. However, when the leaking of secret state information is combined with pent-up public interest in subject matter like current and future adventures in the Middle East, climate change, the banking crisis, and international relations, demand meets supply and column inches result.
Leaks directly concerning the UK included US opinion of the incoming government of 2010, the Iraq war enquiry and the risk it may expose US interests, the special relationship and managing the British public’s perception of it, Iran and nuclear non-proliferation, the UK’s approach to the banking crisis, and the Icesave/Landsbanki dispute.
The WikiLeaks publication of US State Department cables in November/December 2010 was featured in the recent Q4 2010 issue of Executive Intelligence, the 360is Quarterly for UK CSOs/CIOs and IT Security Directors:
“On November 28th, the whistle-blower web site WikiLeaks began disclosing the first 220 of 251,287 US State Department cables dating from 1966 to 2010. These cables ranged from SECRET//NOFORN to UNCLASSIFIED in their protective marking, and contained many unguarded, frank, and often critical comments from US diplomats on a range of subjects.”
Putting to one side the virtues or vices of making this particular information public, what lessons can we learn from it as Information Security professionals? What actions should we propose to our directors while the subject of information security is fresh in the mind of the main board? Executive Intelligence, the 360is Quarterly for UK IT Security Professionals, tries to be strategic. What tactical, practical advice can we put into action in light of what this WikiLeaks episode has taught us?
Information Security problems of this type are a subject that many find difficult to discuss. For the most part we are talking about the actions of insiders: employees, contractors, or close members of your supply chain. Managers find the broad subject of insiders harder to broach than that of the threat from external attack. However, most of the practical advice we have for our clients is around process rather than people, and can be implemented without alienating staff or making them feel spied upon.
At the US State Department, post 9/11, there was an imperative to share information more openly between intelligence, law enforcement, military, and diplomatic staff. Lack of sharing was cited as a significant problem prior to the events of 2001. It may be that this increased openness contributed to “Cablegate”. It is rumoured that over a million individuals had some level of access to the leaked material. The UK’s own intelligence sharing platform “Scope Phase 2” was aborted in Q1 2008, citing delays, cost overruns, and technical problems. Eventually another attempt will be made at such a platform. When it is, the architects would do well to remember a civil engineering proverb:
“There is more to be learnt from a bridge that collapses than one that remains standing.”
Recognise Where You Are Vulnerable
As with external information security threats, the key to improving your internal information security posture is to first recognise where you are vulnerable. Understanding your current vulnerability to leaks should be a part of formal Information Risk Management. Make a start by writing down answers to the following questions:
- Where is confidential information kept in your organisation?
- In how many different places can it currently be found?
- Are multiple copies routinely created of confidential information?
- How many different access methods are there to this information?
- What size community of users have access to it?
- What controls are there over who can access what, where, and when?
Armed with answers to these questions and the rest of this article, you may begin a process of prioritisation, focusing on where your most leak-worthy data is kept. Target areas where the greatest quantity of the most confidential information is held, made available to the largest user community, with the minimum of controls.
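The six questions above can be answered for a file share with a short audit script. The following is an added example, not part of the original article or of any 360is tool: it walks a directory tree, picks out files carrying a protective marking, counts where they live, finds identical copies by hash, and flags copies readable by every local user. The sample tree, its paths, contents and permission bits are constructed for the example; point `inventory()` at a real share root to audit it.

```python
"""Leak-exposure inventory for a file share.

Answers, for files carrying a protective marking:
  - where is the material kept (distinct directories)?
  - how many copies exist, and which are byte-identical duplicates?
  - which copies carry the minimum of controls (world-readable mode)?
"""
import hashlib
import os
import stat
import tempfile
from collections import defaultdict

# Constructed sample: one confidential contract copied into four places, one
# unmarked public file, and two copies left world-readable. Paths, contents
# and modes are made up for this example.
SAMPLE_FILES = {
    "legal/clients/acme/contract.txt": ("CONFIDENTIAL contract terms", 0o640),
    "legal/archive/2009/contract.txt": ("CONFIDENTIAL contract terms", 0o644),
    "sales/shared/contract-copy.txt": ("CONFIDENTIAL contract terms", 0o660),
    "sales/shared/pricelist.txt": ("public price list", 0o644),
    "it/backup/acme-contract.bak": ("CONFIDENTIAL contract terms", 0o666),
}


def build_sample_tree(root):
    """Materialise SAMPLE_FILES under root with the given permission bits."""
    for rel, (text, mode) in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)  # explicit mode, so the process umask is irrelevant
    return root


def inventory(root, marker=b"CONFIDENTIAL"):
    """Scan root and return the leak-exposure figures for marked files."""
    by_hash = defaultdict(list)   # content hash -> relative paths with that content
    directories = set()           # distinct places marked material is kept
    world_readable = []           # copies any local account can read
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if marker not in data:
                continue
            rel = os.path.relpath(path, root)
            by_hash[hashlib.sha256(data).hexdigest()].append(rel)
            directories.add(os.path.relpath(dirpath, root))
            if os.stat(path).st_mode & stat.S_IROTH:
                world_readable.append(rel)
    duplicates = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return {
        "locations": sorted(directories),
        "copies": sum(len(p) for p in by_hash.values()),
        "duplicate_groups": duplicates,
        "world_readable": sorted(world_readable),
    }


def make_report():
    """Build the constructed tree in a temporary directory and audit it."""
    return inventory(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for key, value in make_report().items():
        print(f"{key}: {value}")
```

The duplicate groups are the interesting output: each extra copy of a document is another place that must be protected, and the world-readable ones are where the largest user community meets the minimum of controls.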
The full details of how the US State Department leak came to pass have yet to be released and may never be fully disclosed. However, given the speculation that a relatively low-level, young Private with a few years’ service had access to all this material, and did not arouse suspicion when extracting it, the US State Department would score very low on any Information Security scorecard one can imagine.
Know If You Are A Target
Some organisations attract leaks because they are repositories for particular confidential information, or because the information they hold is highly newsworthy; others find themselves subject to leaks because their employees sometimes struggle with difficult and conflicting concerns about the nature of their work. While your newsworthiness may fluctuate over time, certain sectors tend to experience a perennial popularity with leakers. If you are in the energy, pharmaceutical, government, or banking sectors, you should consider yourself a prime candidate for leakers at this time. Companies engaged in arms manufacture or doing any kind of business in troubled parts of the world are likewise a target. Are you an aggregator of sensitive information from several of the sources above? If you operate a law or consultancy firm, or any other business entrusted with sensitive information from clients in these industries or geographies, then you will be a target for leaks.
As both a prominent government office and an aggregator for all types of sensitive information from diplomats around the world, the US State Department is one of the more likely targets for leakers.
Diligence & Statutory Obligations (Compliance)
As a minimum, you as the designated Information Security officer should ensure your organisation’s awareness of, and adherence to, the minimum standards for compliance. As CSO (or equivalent), failure to do so will eventually end up being a problem that lands at your office door. Confidentiality and privacy are key tenets of several pieces of compliance legislation designed to protect the information of individuals, particularly where you may be required to hold personally identifiable information. However, you may have obligations even if you do not handle this kind of information. Of particular relevance to UK companies are the Data Protection Act, the UK Corporate Governance Code, the Freedom of Information Act, and for many, PCI. All of these have Information Security connotations, some more oblique than others.
Segment Your Data
Do you currently segment your sensitive information, or do you maintain a single monolithic store for all confidential material? If a potential leaker were to gain access to that store, what is the scope of disclosure that you might suffer? By segmenting your sensitive data you have a better chance of limiting the scope of a leak.
- Segment by status: active client versus inactive/former clients.
- Segment by “security level” of the information: secret, confidential, unclassified.
- Segment by time: don’t keep files for completed projects with open client files.
- Segment by user/group: litigation versus patent, analysts versus sales.
Segmenting your sensitive information sounds complicated, but it can be as simple as not keeping project files older than 3 months in the same place as current files, along with a process for individuals to obtain access to the archive with the proper authorisation and oversight. Increasingly, email is used as a long-term information store. Quite apart from the huge problems created by doing that, secure email archiving and retrieval products can facilitate the same segmentation of email that you would have with traditional filestores.
Enforcing the most basic file-folder security on drive shares (by user, by group), or more complex access control lists (if supported by your storage) can dramatically reduce your vulnerability to a State-Department-sized leak.
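The question posed above, “if a potential leaker were to gain access to that store, what is the scope of disclosure?”, can be answered numerically once you have a list of groups per user and a reader list per segment. The following is an added example, not from the original article or any 360is product: it models a store segmented by team, status and protective marking, with a simple per-segment ACL, and computes the number of documents each account could read, against the same documents held in one monolithic share. The users, groups, segment names and document counts are constructed for the example.

```python
"""Scope-of-disclosure check for a segmented file store.

For each user account, count the documents that account can read under the
segment ACLs. That number is the size of the leak if the account is misused,
and the figure to compare against the monolithic, everything-in-one-share case.
"""

# Constructed group memberships (user -> groups). Note that the IT account is
# deliberately in no document-reading group beyond 'staff'.
USERS = {
    "alice": {"litigation", "staff"},
    "bob": {"patent", "staff"},
    "carol": {"sales", "staff"},
    "dave": {"it-admin", "staff"},
}

# Constructed segments, named team/status/level, each with a document count and
# the groups allowed to read it. Archived material needs a separately granted
# group, which models the authorisation-and-oversight step for the archive.
SEGMENTS = {
    "litigation/active/secret": {"docs": 120, "readers": {"litigation"}},
    "litigation/archive/secret": {"docs": 900, "readers": {"archive-approved"}},
    "patent/active/confidential": {"docs": 300, "readers": {"patent"}},
    "sales/active/unclassified": {"docs": 50, "readers": {"staff"}},
}


def readable_segments(user, users=USERS, segments=SEGMENTS):
    """Segments the user can read: any shared group between user and ACL."""
    groups = users[user]
    return {name: seg["docs"] for name, seg in segments.items()
            if groups & seg["readers"]}


def exposure(users=USERS, segments=SEGMENTS):
    """Per-user document count reachable under the segmented ACLs."""
    return {u: sum(readable_segments(u, users, segments).values()) for u in users}


def monolithic_exposure(users=USERS, segments=SEGMENTS):
    """Same documents in a single share readable by every account."""
    total = sum(seg["docs"] for seg in segments.values())
    return {u: total for u in users}


def over_limit(limit, users=USERS, segments=SEGMENTS):
    """Accounts whose potential disclosure exceeds the agreed limit."""
    return sorted(u for u, n in exposure(users, segments).items() if n > limit)


def with_temporary_grant(user, group, users=USERS):
    """Return a copy of the membership table with an extra group for one user,
    so the effect of an approved archive grant can be measured before it is made."""
    granted = {u: set(g) for u, g in users.items()}
    granted[user].add(group)
    return granted


if __name__ == "__main__":
    print("segmented :", exposure())
    print("monolithic:", monolithic_exposure())
    print("over 200  :", over_limit(200))
    print("alice + archive:", exposure(with_temporary_grant("alice", "archive-approved")))
```

Running the model shows the point of the section: in the monolithic case every account, including the IT account, can reach all 1,370 documents, whereas under segmentation the widest-reaching account sees 350 and a compromised IT account sees only the unclassified segment. The `with_temporary_grant()` helper lets you see how much an archive grant widens a user’s reach before approving it.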
Finally, do you individually encrypt the most sensitive documents or indeed any documents in your organisation? Encryption of individual documents, or individual client folders is another way of limiting widespread uncontrolled disclosure of confidential information. It is not difficult to imagine a regime of individual passwords for individual projects, clients, or business units.
The Human Element, Maturity & Common Sense
Do not give low-level or casual staff a high level of security clearance; this includes staff working in IT. Of course, in order for the phrase “low or high level” to have any meaning at all, you first need to have implemented segmentation. Regardless of employee seniority or access, some staff may still feel compelled to leak. What then?
Consider establishing an internal ethics board where staff can take their concerns and have them heard. However, your best chance of preventing information leaks comes during the initial staff recruiting and vetting process. Do you vet staff who regularly handle highly sensitive or client confidential information?
Consider employing the services of a suitable staff vetting agency. Instruction is also available for your fellow directors and senior company officers on the correct way to invoke UK Legal Professional Privilege, and general handling practices for the most sensitive communications.
If the current speculation is to be believed, a relatively low-level, young Private with only a few years’ service had access to the leaked material. In addition to this, it is also speculated that over a million other individuals had access to some or all of the information. This would suggest that either the information should not have been marked secret/confidential at all, or that there has been a failure to consider the human element in its handling. Even the most optimistic Information Security professional will find it hard to believe that any “secret” shared with a million individuals or more will remain secret for very long.
Handling A Leak
Sooner or later your confidential information will escape, either accidentally or with help from an external hacker or an insider with access. Once this happens, it is the way in which your organisation handles the leak that partly determines the total cost to your organisation in terms of reputation and revenue loss.
At what point do you inform your clients if there are potential implications for them? Who will handle enquiries from the press? What assurances will you offer partners, suppliers, and customers/clients that information concerning your business dealings will be better protected in future? How can you “get ahead of the story” and start taking control of the incident?
- Put a plan in place now
- Rehearse that plan periodically
- Use external professional crisis management if you lack relevant experience in-house
- Understand any legal obligations to clients, partners, and the regulator
- Ensure the right personnel are press/media trained
360is are able to assist in improving your organisation’s Information Security posture, and in implementing the advice given in this article. While it may be impossible to guarantee that your confidential information will stay that way, you can significantly reduce the chances of the kind of widespread leak experienced by the US State Department in December 2010. To speak to one of our consultants, visit our contact page and request a meeting.