The WikiLeaks publication of confidential US diplomatic cables is still causing ructions, but is it more embarrassing than dangerous? Derek Parkinson looks at the security lessons for the rest of us.

Since WikiLeaks was set up in 2006, a drip-feed of revelations about everything from corruption in Kenya to Guantanamo Bay has ensured it has never been far from public debate for long. But November 2010 was a watershed, as the organisation released the first wave of confidential cables between US diplomats worldwide and the State Department in Washington.

Global attention fastened on WikiLeaks and the people behind it, in particular, its founder, Julian Assange. The diplomatic cables give us unprecedented access to the internal deliberations of a global superpower. Their exposure to public view stands in stark contrast to the assumption of confidentiality that enabled them to be drafted. The personal nature of some of the assessments is a long way from the anodyne statements we usually associate with international diplomacy.

Then there is the sheer size of the leak – an estimated 250,000 messages, of which some 15,000 are thought to be classified as ‘secret’. The idea that such a volume of confidential diplomatic traffic could fall within the grasp of a low-ranking soldier – if US Private Bradley Manning is indeed the source of the leaks (he has been charged, but not tried, let alone found guilty) – boggles the mind.

There are many questions that can be asked about WikiLeaks, but here we will confine ourselves to the following: what have we learned from the content of the cables? What lessons are there from the way they were leaked? What must we learn about data security in general?

Behind the curtain of diplomacy
“There is very little in the leaks themselves that gives us important new information about global issues themselves. But some of the perspectives on those global issues are new,” says Wyn Rees, professor of international security at the University of Nottingham.

Among the most striking revelations, says Rees, was the apparently sanguine attitude of China to the possibility that the North Korean regime might collapse and the country become reunified, and the supposed preoccupation of Gulf states with Iran's ambitions. “We learn that for the Saudis, top of their agenda may not be the Israel-Palestinian issue. With respect to North Korea, China has been seen as a blocker to talks in the region, but we learned that this may not be the case,” he says.

We should be cautious about how we interpret the cables, says Rees. “They are recollections of what diplomats said to each other and tell us what diplomats are saying to the US on an informal basis – they're not necessarily stating government policy. Context is important.”

How far the leaks have damaged the US, or merely been a source of embarrassment, is not easy to judge. “Before the cables, a huge amount of material on Afghanistan and Iraq was released, including fine-grained information from military commanders, and the Pentagon warned that this puts lives at risk. But we also learned of attempts to disguise the killing of Afghan police, and ‘blue on blue'/friendly fire incidents, where you have the military holding back information to avoid embarrassment. And it is embarrassing more broadly. Here we have the State Department – the premier diplomatic actor – allowing its dirty linen to be washed in public view,” says Rees.

If nothing else, the cables have given researchers plenty of material to work with. “What's impressive is the level of detail. There is interesting information on extraordinary rendition, and the pressure the US put on European countries, Spain and Germany in particular. But what you really need – and may not get – is some context, not just one cable,” says Claudia Hillebrand of the department of war studies, King's College, London. One of the more valuable insights was how the US carries out its daily diplomatic business, she says. “You get a feel for how business is actually done. It makes it more real and concrete,” she says.

That the cables were leaked at all may be damaging, but overall there don't seem to be any incendiary revelations, suggests Rees. “There's not a lot of scandal. Broadly, what the US is saying, it's doing. There doesn't seem to be much here for conspiracy theorists,” he says.

Counting the cost of data sharing
Exactly how the data was removed has been the subject of speculation. Some accounts claim an iPod was used, others that the cables were burned onto a rewritable disk disguised as a Lady Gaga CD. Whatever the method, the roots of the problem lie in attempts to improve US security, ironically enough.

“It goes back to 9/11 and the recognition that information silos were one of the causes of the failure to prevent it and that information should have been shared,” says Tom Wills-Sandford, deputy director general of UK technology industry trade association, Intellect. “It was decided that information exchange must be made more widely available, a policy that went terribly wrong. But as [former GCHQ director] Sir David Pepper has said, before we get too superior, we should recognise that something similar could happen here.”

It already has, albeit on a less spectacular scale, according to some observers. “With WikiLeaks, the focus has tended to be on the way it has been publicised, not the leaking. But leaking has been going on for years, and many companies have experienced it. In January, we have had the example of Renault and the suspicion that it has been a victim of industrial espionage,” says Henry Harrison, technical director at information intelligence company Detica.

“What is new is the influence of the web – and taking it seriously as part of protecting the reputation of an organisation. One of the interesting things we have seen with WikiLeaks and the corporate world is the share price of Bank of America drop three per cent, just on the basis of rumours that WikiLeaks is preparing to release information about its activities.” It may not be possible to know in advance where and how a leak will occur, but all organisations need to know how to respond before it occurs, says Harrison. “They must be ready to do a forensic investigation.”

The unpredictable human factor
Just how unpredictable leaks can be is illustrated by a case dealt with by forensic specialist Sapphire Technologies. “We worked with a Plc that was undergoing changes to its structure – voluntary redundancies, consolidating sites etc. It also decided not to hold a Christmas party. That one measure caused more upset than anyone expected – anonymous messages began appearing on public websites and the share price dipped. Senior management research discovered stuff all over some forums,” says Sapphire sales director David Horn.

The company blocked access to these. The information leaked was factually correct and it wasn't clear if a criminal act had been committed. Still, the breach was serious enough – year-end financial results were made public before they were released to the City. By analysing the leaked content, it was possible to narrow down the source of the leaks to a group of people, but not an individual.

There is no ‘magic bullet’ that will prevent such things ever happening, but measures such as blocking access to certain sites, classifying data carefully, restricting who has access to it and how it may be transferred all have a part to play in a sensible data security strategy. However, the proliferation of personal devices will always bring risks. “Most phones have cameras, and in the end it is difficult to stop someone taking a photo of a screen,” Horn says.

Although it cannot offer infallible protection, technology has a part to play and it is important to be aware of what is available. “The best advice is to install software to enable the company to monitor the use of external devices, along with a whole host of other ‘useful’ things. These include online activity, emails and remote access, as well as providing document tracking, enabling keylogging and applications opened,” says Sam Type, a director of Geek Ltd, a forensic consultancy that works with the police.

“There are plenty of off-the-shelf products. For larger companies, it is worth creating a team dedicated to incident response. An incident response plan is a sensible part of business planning and organisation,” she says.

An obvious approach to securing sensitive data is to implement some form of strong encryption. “It's possible to use encryption that can't be broken,” says cryptographic expert Fred Piper, professor at the information security group at Royal Holloway, University of London. “But technology isn't the answer to everything – some people will need keys. It will work if they are competent and honest. If they're not, the decrypt will be exposed,” he says.

Towards a data security strategy
In order to decide whether or how to use the numerous tools available, it will be necessary to take a strategic view of the value of information to the organisation. The outcome of this should be improved understanding of the dangers and a set of priorities for addressing the risks, suggests Horn. Broadly, the process can be broken down into five steps, he says: understand the endpoint risks; assess the risks to the business; draft policy; implement policy; and, last but by no means least, educate staff.

“There is a big fly in the ointment, though – we live in a volatile, changing landscape for personal devices. The arrival of things such as iPhones and iPads means that many of us have better equipment at home than at work. Plus, more and more of us are working remotely, so the question organisations face is – do we allow staff to use these for work purposes? Different organisations take different lines with this,” says Horn.

On this question, it is important that senior staff lead by example, says Vernon Poole, Sapphire's head of business consultancy. “One problem you can face as a security professional is the senior execs who want to keep up with their buddies. But you can't re-engineer the organisation for that reason. One approach is to ask them to submit a business case for using a particular device – very often, you find they don't come back. But more broadly, it is important to get senior managers to value security. To be effective, policy needs leadership and guidance from the top,” he says.

There is plenty of policy guidance available, says Danny Dresner, head of information assurance at the National Computing Centre. “ISO 27001 and BS 7799 are the obvious places to start. They are standards that address risk management and help an organisation to decide whether it's worth mitigating the risks it faces. They help you to build business impact tables that are relevant to the disclosure and the distribution of information – ie who gets to know,” Dresner says.

To the uninitiated, such standards can appear quite daunting, suggests Christine Andrews, managing director of DQM Group, a provider of data governance and management services. “ISO 27001 can put an organisation through quite a lot of turmoil – it includes 140-plus controls. It is understandable that there is a fear of standards – if you are starting from scratch, it can take months to implement ISO 27001, and then months more for it to become embedded in the organisation. That's why we developed our own guidelines endorsed by BSI. They are designed to be really useful and we think most organisations will be able to put them in place within two months,” she says.

The DQM guidelines are not intended as a substitute for the full-strength ISO standards, but they help organisations get started and point them in the right direction, she emphasises. What are the drivers for them to take the first steps on this road? “It's commonsense, and it's also the right thing to do. Many expect a breach at some point and having these policies in place will help them manage the reputational damage. The cost of not having them is too high,” she says. Increasingly, DQM's clients are seeing such policies as a condition of doing business with some large companies and government bodies. “One of the main drivers is the requirements of tenders. COI [Central Office of Information] insists that a minimum standard is met, and for companies such as BT, it's a ‘must have' now.”

If we have policy guidance to suit a range of starting-points and the technology tools we need to implement it, why aren't we better at data security? Why do leaks of confidential information continue to happen?

The guys who say no?
The need for US agencies to share information more effectively post 9/11 may be a striking example of the pressure on governments, but it is not an isolated one. In the UK, the aim of providing ‘joined-up services' geared more closely to the needs of citizens is a regularly stated goal of modern public services. The private sector is not immune to this kind of pressure – the trend towards outsourcing and, more recently, cloud-based services are obvious examples. But the outcome is the same – traditional information silos are being dismantled and organisations are becoming more porous, sharing confidential information with partners as never before, exposing them to new risks.

Part of the problem may be that our perception of the role of the information security professional is simply outmoded, unable to deal with these new challenges. “Security professionals are often seen as ‘the guys who say no' to things,” says security expert David Williams of the BCS, whose career includes military service, responsibility for security at the Foreign Office, and more recently work as a consultant. “Rather than just saying no, a good security professional needs to be good at explaining what the risks are. My advice is that you need to be involved early in the project lifecycle and to put your hand up right at the start if there are security concerns. This is important particularly with outsourcing, where you may have a partner who doesn't understand your business. A good security guy is increasingly something of a business analyst,” he says.

“It's true that a lot of security is ‘do this, do that' and not enough explaining why,” says Dresner. “That can create big problems when changes occur – you can't go back and see why the measures were there in the first place. So security can end up like a legacy system that you dare not switch off because you don't understand what it does.” In cases where this is how it is perceived or implemented, it can hardly be surprising if security is seen as adding little value to an organisation. But this is not inevitable, says Williams. “If you think about security in its broader sense – as including integrity and availability of information – then the benefits are obvious,” he says.

Culture – what isn't written down
Ensuring that security is an integral part of ‘business as usual’, and that staff understand why this must be so, takes us beyond what can simply be written down in policy documents – from the security policies of an organisation to its security culture. The problems that can result when these are not aligned are demonstrated by the lost disks incident at HMRC, when thousands of records went astray. A subsequent investigation found that although there were policy documents explaining how data should be handled, many staff didn't know they existed, or where to find them.

“Culture is about how people see their role in the organisation,” says Williams. “From a security point of view, it is very important. Most organisations couldn't function with perfect security policies and technologies.”

Arguably, there are wider influences that are problematic, he suggests. “Think about how accountants and auditors work with data – they do things carefully, pay a lot of attention to detail. I have a background in mathematics, so that's how I'm used to doing things. But a lot of us have the attitude that doing things nearly right is OK. Doing things carefully is not ‘cool’ in modern parlance.”

There are broader cultural currents that mean we may have only seen the start of the spectacular leaks associated with WikiLeaks. Even if it were to vanish tomorrow, the ideas behind it have taken hold, and similar organisations would almost certainly take its place.

“What we are seeing is a culture clash. We have policies such as freedom of information and what you could call the ‘Californian’ vision of the web, with its emphasis on openness and claims to independence. But we also have efforts to meld the web into everyday life, along with its need for confidentiality,” says Detica's Harrison. “I would guess that it will take ten years or more for us to get the balance right.”

WikiLeaks at a glance

What is WikiLeaks?
WikiLeaks describes itself as a not-for-profit global media organisation focused on bringing “important news and information to the public”. It sees itself as different from established news providers in its use of “cutting-edge cryptographic” technology to protect its sources, but claims to use “traditional investigative journalism techniques” to assess the information leaked to it.

Who is behind WikiLeaks?
Another difference between WikiLeaks and established media is its reticence to disclose who works for the organisation and what their roles are. The WikiLeaks website was launched in 2006 by Sunshine Press, which describes itself as a global organisation, although it has a mail contact address at a post box at the University of Melbourne, Australia.

How is WikiLeaks funded?
At present its main source of funds is donations, although law firms, traditional media and not-for-profit organisations are thought to have made services available free of charge. It is estimated to have a handful of salaried staff, plus up to around 1,000 volunteers at any one time. By December 2010, PayPal, Visa, MasterCard and Amazon had cut ties with WikiLeaks.

Who is Julian Assange?
Variously described as the WikiLeaks founder, spokesperson and editor-in-chief, Julian Assange has become its public face. Born in Australia in 1971, Assange showed an early interest in computing and went on to develop free and open source software in the 1990s. He was especially interested in applications of cryptographic concepts.

Why is Assange a controversial figure?
While pursuing his projects in computing, Assange developed an interest in online communities and activism. These became tools to pursue broader ethical and political objectives – Assange sees much of the secrecy in government as fundamentally in conflict with human rights. This stance, and the activities of WikiLeaks, have attracted extremes of hostility and praise.

What has WikiLeaks made public?
WikiLeaks has published confidential details of the activities of governments, politicians, the military, global corporations and other powerful organisations. Notoriously it has revealed extensive information about the conduct of the US military in Iraq and Afghanistan. Embarrassingly for the UK, WikiLeaks revealed confidential Ministry of Defence guidance on how to prevent leaks.

What is ‘Cablegate’?
Beginning in November 2010, WikiLeaks released the first batch of an estimated quarter of a million cables from the US State Department – correspondence between Washington and its diplomatic outposts. It is thought that some 100,000 documents are classified ‘confidential’ and a further 15,000 have the higher ‘secret’ classification. None are classified as ‘top secret’.