WikiLeaks’ Biggest Revelation: Poor Security
The biggest revelation from WikiLeaks is government incompetence not government secrets, and Gary McKinnon did it first, says Eric Doyle
There is an elephant sitting in the corner of government chambers that’s being ignored while the powers-that-be concentrate public attention on the guerrilla in the room – WikiLeaks.
While Julian Assange, WikiLeaks’ whistleblower-in-chief, is being demonised by government leaders, and the US races to shut Wikileaks down, the fact that their security is leaking like a sieve appears to be going unnoticed.
Many Lessons Still To Be Learnt
The recent political disclosures show that governments still have to learn the lessons about digital security that their citizens have been trying to learn. Security has to be a prime concern and, if it is not, you only have yourself to blame.
There are lessons in these bad experiences for businesses who may be thinking of cutting security budgets to fund other IT projects.
We take it on trust that banks and other bodies are treating our security with the utmost care. We believe that national security organisations, such as the offices of Military Intelligence and the CIA, are watertight after years of defending the secrets of our nations.
In both cases we are often let down. Not only let down but double-crossed. If money mysteriously disappears from a bank account it is often the customer who is guilty until proved innocent. There is an arrogance in this “computer says no” business world that trusts technology implicitly and doubts the customer.
In the national security world there appears to be an almost cavalier attitude towards security. The UK Ministry of Defence has the worst record of all government departments for losing vital information on laptops, disks and USB sticks. The financial costs of these losses are great but the implications to national security are immense.
In the US, the situation appears to be much the same. WikiLeaks has hundreds of thousands of messages to dip into for its disclosures and, we are told, many of these came from a single source.
Assuming American soldier Bradley Manning is actually guilty and not the fall-guy to placate national outrage, how did a Private First Class have open access to sensitive files about Iraq and Afghanistan? According to reports, he was able to siphon-off information from agency databases by simply downloading them to memory sticks and CDs labelled as albums by Lady GaGa. Poker-faced cheek, one might say.
Surely, the download of numerous files by an individual should have triggered an alert? A secondary concern surrounds the question of whether the files were encrypted.
The fact that a review has been instigated into how the leaks happened and how security can be improved shows that there was a serious vulnerability in the overall security policy that should not have been there.
It is paralleled by the case of UK hacker Gary McKinnon who allegedly broke into 97 computers belonging to the US armed forces, Department of Defense and NASA. For eight years, McKinnon has had the threat of extradition hanging over his head and a potential 60 year penitentiary sentence is still possible.
McKinnon Not A Hacking Genius
Several years ago, before he was diagnosed with Asperger’s Syndrome, I spent two hours chatting to McKinnon. He claimed that many of the systems he broke into had, at best, rudimentary security protection and some had open access.
He didn’t strike me as being the malicious hacking genius that the US justice system makes him out to be. On the contrary, he appeared to be quite ordinary but with an obsession about governments hiding evidence of contacts with extra-terrestrial life.
He even found apparent references to extra-terrestrial officers serving in the US armed forces which fired his curiosity – until he discovered these were earth-bound officers who happened to be astronauts.
If a bedroom hacker can break into systems and cause an international stir, it is certain that professional hackers and espionage agents working for enemy states and criminal gangs would also have easy access.
These organisations that whinge about hackers making public their misdeeds want access to messages sent by the public in the fight against terrorism. Surely this door swings both ways. If a government or its agencies are behaving badly, it is in the public interest that these exploits are made public and remedied.
McKinnon admits he has a case to answer but deems the punishment to outstrip the crime Equally, Assange has a case to answer, Some of the tittle-tattle embassy messages he has made public may prove harmful – though we must not lose sight of the fact that unwarranted human rights abuses have alsocome to light through disclosures from WikiLeaks and others.
In the end, it all comes down to security policies. Knowing what sensitive information is held within an organisation, protecting it (preferably with encryption), controlling who has unchallenged access to that information and auditing what has happened are the essential elements.
The popular view that “if you have nothing to hide, you have nothing to fear” is a myth. Everyone has something to hide – it depends on how the viewer interprets the information presented.