As unlikely as it would be for the Wikileaks phenomenon to be uttered in proximity of FUD, our returning champion Chris Swan felt compelled to speak on the matter. Let’s hope he doesn’t get us DDoS’d (Wait. DDoS attacks are just FUD, right? We’ve lost track.)
by Chris Swan (@cpswan)
Firstly this isn’t a post about the rights or wrongs of Wikileaks itself. That’s been covered elsewhere in a more serious, thoughtful and funny way than I could ever do myself.
This is about Wikileaks being the new mother lode of FUD. It’s becoming the centre of the stories that security vendors tell customers to keep them scared at night.
I’m not going to link to the guilty. We all know who they are, and I could never be comprehensive enough. It would be like having just a few hundred examples out of a quarter of a million. We could point and laugh at one culprit without realising that an even more egregious example is just around the corner.
What I have to say here has its genesis in Andrew McAfee’s post a few days ago ‘Did WikiLeaks’ “Cablegate” Result From Too Much Information Sharing?’. This is a problematic question, and seems to put information sharing (which is key to running a business or government) at odds with security (which is key to running a business or government) – what to do?
I made some comments on the post, which are worth repeating here:
The problem here wasn’t classification. The material was correctly classified, and processed on the right systems.
The problem here wasn’t clearance. Whoever did this almost certainly needed access to material of this protective marking.
As you rightly point out the problem isn’t about sharing. The intelligence community (and military at large) have got better at sharing, and need to continue.
The problem is aggregation. This is a well known problem in the military/security community, and one that has changed dramatically in the digital era. It’s bad enough if you have an entire aircraft, ship or tank filled with sensitive material on paper fall into enemy hands, but as we see here that’s nothing compared to what you can get onto a thumb drive.
The massive fail appears to be that the monitoring systems didn’t ring alarm bells when somebody was bulk downloading massive quantities of data. Quantities of data that couldn’t possibly have been read by an individual (or even a large unit). This should be the focus of the fire drill that’s surely going on right now. This isn’t about horses or stable doors, this is about somebody driving a virtual semi-trailer out the gate and nobody noticing.
I’ve since had time to reflect on those comments…
I now very much doubt that the material was correctly classified. A lot of it is marked SECRET, and it’s worth having a quick reminder of its definition: ‘“Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.’ Arguably ‘serious damage’ hasn’t (yet) been caused, and hence, QED, the documents were incorrectly classified. It’s also worth mentioning here that the US seems to be stuck in an old world system of ‘classification’ where others (such as the UK) have moved on to a more refined concept of ‘protective marking’. In that system there’s a sub-category for ‘Impact on foreign relations’, and at business impact level 3 we find ‘Cause embarrassment to Diplomatic relations’, which is where we seem to find ourselves.
Pointing the finger at aggregation is perhaps an oversimplification. Schneier is right that it’s really an access control issue – at least to the extent that you don’t get an inappropriate aggregation if you have the right access control. It would appear that the issue with SIPRNet is that there’s no effective compartmentalisation of material (as there would be on systems holding TOP SECRET material). Of course we see this issue in business too. Cleared to see != need to know, and there’s often a specific need for compartmentalisation to create ethical boundaries (or their more politically incorrect cousins, Chinese firewalls).
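‘Cleared to see != need to know’ in code, as an added example that is not from the original post: the same SECRET cables labelled flat versus compartmented, and how much one SECRET-cleared analyst can aggregate under each. The levels, compartment names and documents are constructed for illustration.

```python
"""Cleared-to-see vs. need-to-know: a minimal reference-monitor check.

Added example, not code from the original post.  The levels, compartment
names and the sample labels below are constructed for illustration.
"""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # empty = flat, uncompartmented


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    need_to_know: frozenset  # compartments the subject has been read into


def cleared_to_see(subject: Subject, label: Label) -> bool:
    """Level-only test: the clearance dominates the label's level."""
    return LEVELS[subject.clearance] >= LEVELS[label.level]


def may_read(subject: Subject, label: Label) -> bool:
    """Level AND compartment test: every compartment on the label must be
    one the subject is read into.  This is the 'need to know' half."""
    return cleared_to_see(subject, label) and label.compartments <= subject.need_to_know


def readable(subject: Subject, corpus: dict) -> set:
    """Names of documents in `corpus` (name -> Label) the subject may read.
    The size of this set is that subject's aggregation exposure."""
    return {name for name, label in corpus.items() if may_read(subject, label)}


# Constructed sample: a SECRET-cleared analyst read into one regional compartment.
ANALYST = Subject("analyst", "SECRET", frozenset({"REGION-A"}))

# The same three cables labelled two ways: flat (no compartments) and compartmented.
FLAT = {f"cable-{i}": Label("SECRET") for i in range(3)}
COMPARTMENTED = {
    "cable-0": Label("SECRET", frozenset({"REGION-A"})),
    "cable-1": Label("SECRET", frozenset({"REGION-B"})),
    "cable-2": Label("TOP SECRET", frozenset({"REGION-A"})),
}
```

Under the flat labelling every SECRET-cleared subject can read (and so aggregate) the whole corpus; the compartment check is what shrinks that to need-to-know.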
It’s at this point that the FUD toting security industry bandwagon rolls into town and says ‘my product/service can solve these (access control) issues’. We’ll be seeing a lot of DLP/ERM/IRM vendors doing this over the coming weeks and months. More so if Wikileaks move on from government to big business, as has been threatened. The problem is that this is total BS. I wrote some years ago about ‘the wrongs of enterprise rights management’ and spent a great deal of time socialising the issues with security vendors. Largely those issues have been ignored, and the vendors have continued to peddle solutions that are just as broken now as they were then. That’s because these are hard problems. Problems that require business commitment and human input. Problems that can’t be solved by a technology silver bullet. Of course the technology could get better at helping us with the organisational and people issues here, but it’s not a magic wand.
Perhaps some of the solutions out there could have helped with what happened on SIPRNet by creating workable compartmentalisation overlays, observing anomalous access patterns or preventing exfiltration. But that would be a question of scope and scale, and ‘cablegate’ may be unique in that. The real problem here is that there’s nothing technology can do about an authorised insider turning rogue and leaking a single critical piece of information, and that’s what we’re likely to see next – single smoking guns that cause real harm to businesses (and likely an ethical car crash for added PR impact). The FUDmeisters might claim that they can sell the solution to these problems, but I fear they can only solve much simpler issues.
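The monitoring gap called out in the earlier comments (nobody noticing a bulk download that no individual could have read) as a detection check; this is an added example, not code from the original post. The log line format, the 300-documents-per-day ceiling and the sample lines are constructed assumptions.

```python
"""Bulk-access monitor: flag any user whose distinct document pulls in one
day exceed what a human reader could plausibly consume.

Added example, not code from the original post.  The log line format, the
reading ceiling and the sample lines are all constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed format: "<ISO timestamp> user=<id> action=read doc=<id>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) action=read doc=(?P<doc>\S+)$"
)

# Assumption: no individual reads more than this many distinct documents per day.
MAX_DOCS_PER_DAY = 300


def parse(lines):
    """Yield (day, user, doc) for well-formed read events; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("day"), m.group("user"), m.group("doc")


def daily_distinct_docs(lines):
    """Count distinct documents per (user, day); re-reading one doc doesn't inflate it."""
    seen = defaultdict(set)
    for day, user, doc in parse(lines):
        seen[(user, day)].add(doc)
    return {key: len(docs) for key, docs in seen.items()}


def bulk_readers(lines, ceiling=MAX_DOCS_PER_DAY):
    """Return sorted (user, day, count) triples above the ceiling: the alarms."""
    counts = daily_distinct_docs(lines)
    return sorted((u, d, n) for (u, d), n in counts.items() if n > ceiling)


# Constructed sample: alice reads 40 cables; bob pulls 2,500 in one day and one the next.
SAMPLE_LOG = (
    [f"2010-04-03T09:{i % 60:02d}:00 user=alice action=read doc=cable-{i:05d}" for i in range(40)]
    + [f"2010-04-03T10:{i % 60:02d}:00 user=bob action=read doc=cable-{i:05d}" for i in range(2500)]
    + ["2010-04-04T11:00:00 user=bob action=read doc=cable-00001",
       "this line is malformed and is ignored"]
)

if __name__ == "__main__":
    for user, day, n in bulk_readers(SAMPLE_LOG):
        print(f"ALERT {user} pulled {n} distinct documents on {day}")
```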
@krowney responded via Twitter:
"Sorry it’s a fact: #DLP has busted many cases like these." http://twitter.com/#!/krowney/statuses/13380620344369152
and
"Srsly, there’s a long resume of busts of malicious insiders w/ #DLP. Many malicious insiders do en-masse clear-text exfiltration" http://twitter.com/#!/krowney/statuses/13382078385102848
I don’t disagree (read the final paragraph carefully). Some of the existing DLP tools would likely have been effective if they’d been applied to SIPRNet to spot bulk exfiltration. That wasn’t my point. My point was that it only takes a single email to cause trouble, and a savvy insider will adapt around DLP, even if that means taking a picture of their screen with a camera on their phone.
Yep. I agree. I don’t have a problem with wikileaks as such – the Internet and indeed the world is full of nutters, manipulators and crooks claiming a higher cause when in fact all they want is publicity and notoriety. What I dislike is everyone else jumping on the bandwagon and scaring corporate enterprise to apply even stricter data security policies and controls. There are enough of both already. What is missing is good policing and enforcement of existing rules and conditions. Thanks to wikileaks we’ll probably end up being mind probed when we start and leave work each day or maybe it will be done randomly!!!
@correyvoo – great point about making existing rules work rather than bolting on new stuff.
We see the worst examples of this in public policy. Something slips through the net, and the politicians appease the press by bringing into law a bigger net rather than fixing the one we have.
The military already have stricter controls in place than most enterprises, but this happened anyway. Not because the controls were weak, but because a trusted insider had the means and the motive to exploit a chink in the armour.
At this point it’s far too easy to get sucked into what Schneier calls ‘magical thinking’ and add new defences that deal with the last attack. That’s a game that we call ‘whack a mole’, and it’s no different when you’re trying to whack real moles.
My point: "savvy insiders" r rare. Managing 2 this exception = poor defense. Our field exp. + counter-intel lit backs that p.o.v.
Wow – Posterous managed to totally mangle that last comment into an out of context disaster. The words now showing as mine are in fact @krowney’s from http://twitter.com/#!/krowney/statuses/13740596254478336
My response was that the cable leaks were clearly done by a savvy insider, so using them to promote general tools/approaches is classic FUD.
Of course we do have tools/approaches that are effective with the easy pickings, and I hope the industry will continue to improve. I think there’s a Pareto thing going on here, and we’re already well past 80:20 – probably as far as 95:5. Kevin is completely right that you shouldn’t (just) use a 5% corner case to drive strategy. At the same time the FUD peddlers are out of line to imply 100% efficacy with phrases like ‘assures protection’.
I wonder if the people who say there needs to be DLP/better controls/better classification/better rights mgmt… have ever actually come close to working on those specific goals/tasks. I really doubt it.
Also, I would disagree that savvy insiders are rare, but only because I don’t feel safe saying such. But I will say that attackers/exfiltrators/regular joes will take the path of least resistance to achieve what they want to do, including slightly "advanced" techniques to bypass/fool DLP (i.e. the effort even regular people go through to bypass web filters at work).
BTW, excellent blog post!
Yeah, those are my tweets. @cpswan has, I think, got the gist of my argument that a Pareto-rule applies here: a huge swath of the current malicious insider activity is done by either a) technically ignorant parties, or b) technically-competent parties who make mistakes. The actual ratio of events in the "easy-pickings" to "thoroughly-obfuscated" is clearly hard to measure, but at least anecdotally most responsible people think this is around an 80/20 or even higher as @cpswan says.
I agree: nothing assures protection. Look at, for instance, the Ana Montes case. As a spy for Cuba placed high with the DIA, she ran exfiltration… by memorizing what she was looking at.
Fact is, most malicious insiders just are not that careful nor all that disciplined. Part of that is the demographics of our society. Who among us has the discipline of a trained spy? Part of the poor care these malicious insiders take also comes from the fact that many of these thefts are crimes of passion. The perpetrators are often motivated by a sense of greed and revenge and their emotional state discourages rational or careful thinking about trade-craft (or consequences for that matter.)
Kevin
But/And beware of the equal/opposite trick of Anti-FUD. This is when a vendor, who can’t solve hard/specific problems, messages against [and tries to marginalize away] real material weaknesses in their products and real threat scenarios.
The Wikileaks and Aurora phenomenons will drive more people to buy "data security", but if FUD or Anti-FUD wins, they will buy more (or less) than what they need. More – not better.
"The solution should be as simple as it can be, but no simpler." – Big "E"
We also need to stop blindly touting 80/20 Pareto. Sometimes we spend 80% of our time/money on 20% (or less) of the solution. I believe in 80/20 as a concept. But/And… don’t by faith assume whatever we’re doing is 80/20. It might be 20/80. (XX/YY). It’s all about knowing the make-up of the XX and the YY over time. There is no magical power keeping 80/20 in place for us.
Fight FUD *and* Anti-FUD.
I keep meaning to write another FUDsec post on this "FUD Continuum" … maybe during the holidays.
Never underestimate the prevalence of crimes of opportunity. The file is right there in your face, no one is watching…
funny to see a cousin of the CESG document that I linked to above being the subject of a freedom of information wrangle – http://www.theregister.co.uk/2010/12/15/gchq_keeps_tabs_on_foi_requestors
some wise words from Martin Kuppinger on Wikileaks and IRM http://is.gd/iUaZ7