Schwartz On Security: WikiLeaks Highlights Cost Of Security
The lack of advanced safeguards on the State Department cables represents an astute non-investment, given their stale content.
"Freedom of expression is priceless. For everything else, there's MasterCard." So said one of innumerable tweets last Wednesday with the news that "Operation Payback" had taken down the MasterCard Web site after flooding it with packets.
The revenge attacks by the "hacktivist" group Anonymous have also targeted Amazon.com, EveryDNS.net, and PayPal for their decisions not to do business with WikiLeaks. "The reason is amazingly simple," Anonymous member Gregg Housh told The New York Times in an interview published on Monday. "We all believe information should be free, and the Internet should be free."
However, the attacks raise this broader question: Is it even worth -- in terms of time, money, or government resources -- trying to force WikiLeaks offline or attempting to secure the majority of government systems against leaks?
Answering the question requires identifying who's really to blame for the security leaks. Australia's Foreign Minister, Kevin Rudd, told Reuters on Monday that the culprit isn't WikiLeaks founder Julian Assange. "Mr. Assange is not himself responsible for the unauthorized release of 250,000 documents from the U.S. diplomatic communications network," he said. "The Americans are responsible for that."
Indeed, if WikiLeaks didn't exist, and you were an insider -- perhaps a low-level Army intelligence analyst -- who wanted to leak information, what would you do? Burn some CDs and mail them to the world's major newspapers. E-mail photographs of computer screens. Read text out over the phone. End result: the same.
If government officials didn't want the State Department cables to escape, they did a poor job of securing them. In an e-mail to reporters on the eve of the first December WikiLeaks disclosures, Pentagon spokesman Bryan Whitman said 60% of Department of Defense computer systems now have software for "monitoring unusual data access or usage."
Of course, if the DoD were serious, such mechanisms should have been in place for 100% of the agency’s computer systems. "Logically, you should be able to say that a 22-year-old Private First Class shouldn't be accessing 250,000 documents and sensitive cables sent by Hillary Clinton," says Rob Rachwald, a security strategist at Imperva.
In fact, not monitoring practically invites disaster. "Absolutely, it should have been monitored, by the very fact that you call it a classified network," Rachwald says. "By its nature, it becomes more interesting and more valuable." Furthermore, the 40% of Defense Department systems that aren't being monitored -- as well as the public knowledge of that very fact -- suggests more leaks are in store.