As unlikely as it would be for the Wikileaks phenomenon to be uttered in proximity of FUD, our returning champion Chris Swan felt compelled to speak on the matter. Let’s hope he doesn’t get us DDoS’d (Wait. DDoS attacks are just FUD, right? We’ve lost track.)

by Chris Swan (@cpswan)


Firstly this isn’t a post about the rights or wrongs of Wikileaks itself. That’s been covered elsewhere in a more serious, thoughtful and funny way than I could ever do myself.

This is about Wikileaks being the new mother lode of FUD. It’s becoming the centre of the stories that security vendors tell customers to keep them scared at night.

I’m not going to link to the guilty. We all know who they are, and I could never be comprehensive enough. It would be like having just a few hundred examples out of a quarter of a million. We could point and laugh at one culprit without realising that an even more egregious example is just around the corner.

What I have to say here has its genesis in Andrew McAfee’s post a few days ago ‘Did WikiLeaks’ “Cablegate” Result From Too Much Information Sharing?’. This is a problematic question, and seems to put information sharing (which is key to running a business or government) at odds with security (which is key to running a business or government) – what to do?

I made some comments on the post, which are worth repeating here:

The problem here wasn’t classification. The material was correctly classified, and processed on the right systems.

The problem here wasn’t clearance. Whoever did this almost certainly needed access to material of this protective marking.

As you rightly point out the problem isn’t about sharing. The intelligence community (and military at large) have got better at sharing, and need to continue.

The problem is aggregation. This is a well known problem in the military/security community, and one that has changed dramatically in the digital era. It’s bad enough if an entire aircraft, ship or tank filled with sensitive material on paper falls into enemy hands, but as we see here that’s nothing compared to what you can get onto a thumb drive.

The massive fail appears to be that the monitoring systems didn’t ring alarm bells when somebody was bulk downloading massive quantities of data. Quantities of data that couldn’t possibly have been read by an individual (or even a large unit). This should be the focus of the fire drill that’s surely going on right now. This isn’t about horses or stable doors, this is about somebody driving a virtual semi-trailer out the gate and nobody noticing.
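The volume check described above, as an added example that is not from the original post: it aggregates a constructed document-access log per user and day and alerts when the downloaded page count exceeds what one person could plausibly read. The log format, the user names, the reading rate and the safety factor are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed log format (constructed): "<ISO timestamp> <user> <doc-id> <pages>"
SAMPLE_LOG = [
    "2010-11-01T09:02:11 analyst_a doc-1001 12",
    "2010-11-01T09:40:03 analyst_a doc-1002 8",
    "2010-11-01T14:12:30 analyst_a doc-1003 40",
    "2010-11-01T10:15:44 analyst_b doc-2001 30",
    "2010-11-02T08:01:00 analyst_b doc-2002 25",
]
# Constructed bulk case: one user pulling 2,500 documents of 20 pages each
# in a single working day, far beyond anything an individual could read.
SAMPLE_LOG += [
    f"2010-11-01T{9 + i // 400:02d}:{(i % 400) // 7:02d}:{i % 60:02d} "
    f"bulk_user doc-{3000 + i} 20"
    for i in range(2500)
]


def parse_line(line):
    ts, user, doc, pages = line.split()
    return datetime.fromisoformat(ts), user, doc, int(pages)


def daily_totals(lines):
    """Per (user, calendar day): set of distinct documents and total pages."""
    totals = defaultdict(lambda: {"docs": set(), "pages": 0})
    for line in lines:
        ts, user, doc, pages = parse_line(line)
        entry = totals[(user, ts.date().isoformat())]
        entry["docs"].add(doc)
        entry["pages"] += pages
    return totals


def bulk_download_alerts(lines, pages_per_minute=2, minutes_per_day=600, factor=3):
    """Flag user-days whose downloaded volume exceeds a generous reading
    capacity times a safety factor, so ordinary heavy research days stay quiet.
    The rate and factor are assumed values for this example."""
    ceiling = pages_per_minute * minutes_per_day * factor  # 3,600 pages/day
    alerts = []
    for (user, day), t in sorted(daily_totals(lines).items()):
        if t["pages"] > ceiling:
            alerts.append({"user": user, "day": day, "docs": len(t["docs"]),
                           "pages": t["pages"], "ceiling": ceiling})
    return alerts


if __name__ == "__main__":
    for alert in bulk_download_alerts(SAMPLE_LOG):
        print(alert)
```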

I’ve since had time to reflect on those comments…

I now very much doubt that the material was correctly classified. A lot of it is marked SECRET, and it’s worth having a quick reminder of its definition: “Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security. Arguably ‘serious damage’ hasn’t (yet) been caused, and hence QED the documents were incorrectly classified. It’s also worth mentioning here that the US seems to be stuck in an old world system of ‘classification’ where others (such as the UK) have moved on to a more refined concept of ‘protective marking’. In that system there’s a sub category for ‘Impact on foreign relations’ and at business impact level 3 we find ‘Cause embarrassment to Diplomatic relations’, which is where we seem to find ourselves.

Pointing the finger at aggregation is perhaps an oversimplification. Schneier is right that it’s really an access control issue – at least to the extent that you don’t get an inappropriate aggregation if you have the right access control. It would appear that the issue with SIPRNet is that there’s no effective compartmentalisation of material (as there would be on systems holding TOP SECRET material). Of course we see this issue in business too. Cleared to see != need to know, and there’s often a specific need for compartmentalisation to create ethical boundaries (or their more politically incorrect cousins, Chinese walls).
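The difference between “cleared to see” and “need to know”, as an added example (not from the original post): a clearance-only check grants one SECRET-cleared analyst every document in a flat SECRET corpus, while a compartmented check limits the reachable set to their own desk. The classification ordering, the compartment names and the constructed corpus are assumptions.

```python
from dataclasses import dataclass

# Assumed level ordering for the example lattice.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()


def cleared_to_see(subject, obj):
    """Clearance-only rule: the subject's level dominates the object's level.
    On a flat network this is effectively the whole access decision."""
    return LEVELS[subject.level] >= LEVELS[obj.level]


def need_to_know(subject, obj):
    """Compartmented rule: level dominance AND every compartment marked on the
    object must be held by the subject. Outranking alone is not enough."""
    return cleared_to_see(subject, obj) and obj.compartments <= subject.compartments


def reachable(subject, corpus, check):
    """Document ids the subject can aggregate under a given access rule."""
    return {doc_id for doc_id, label in corpus.items() if check(subject, label)}


# Constructed corpus: 100 SECRET cables split evenly across four desks.
DESKS = ["EUR", "MEA", "ASIA", "AMER"]
CORPUS = {f"cable-{i}": Label("SECRET", frozenset({DESKS[i % 4]}))
          for i in range(100)}

# Constructed subjects: a SECRET analyst on one desk, and a TOP SECRET
# clearance holder with no desk compartments at all.
MEA_ANALYST = Label("SECRET", frozenset({"MEA"}))
UNCOMPARTMENTED_TS = Label("TOP SECRET")


if __name__ == "__main__":
    for name, subject in [("MEA analyst", MEA_ANALYST), ("TS, no compartments", UNCOMPARTMENTED_TS)]:
        print(name, "cleared_to_see:", len(reachable(subject, CORPUS, cleared_to_see)),
              "need_to_know:", len(reachable(subject, CORPUS, need_to_know)))
```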

It’s at this point that the FUD-toting security industry bandwagon rolls into town and says ‘my product/service can solve these (access control) issues’. We’ll be seeing a lot of DLP/ERM/IRM vendors doing this over the coming weeks and months. More so if Wikileaks move on from government to big business, as has been threatened. The problem is that this is total BS. I wrote some years ago about ‘the wrongs of enterprise rights management’ and spent a great deal of time socialising the issues with security vendors. Largely those issues have been ignored, and the vendors have continued to peddle solutions that are just as broken now as they were then. That’s because these are hard problems. Problems that require business commitment and human input. Problems that can’t be solved by a technology silver bullet. Of course the technology could get better at helping us with the organisational and people issues here, but it’s not a magic wand.

Perhaps some of the solutions out there could have helped with what happened on SIPRNet by creating workable compartmentalisation overlays, observing anomalous access patterns or preventing exfiltration. But that would be a question of scope and scale, and ‘cablegate’ may be unique in that. The real problem here is that there’s nothing technology can do about an authorised insider turning rogue and leaking a single critical piece of information, and that’s what we’re likely to see next – single smoking guns that cause real harm to businesses (and likely an ethical car crash for added PR impact). The FUDmeisters might claim that they can sell the solution to these problems, but I fear they can only solve much simpler issues.