Will WikiLeaks change the way organisations control their information?

Stewart Room’s article about WikiLeaks explains that the ongoing revelations could make organisations consider how they can handle data better and may drive them to change, by forcing them to review their data processing and confidentiality of information. “WikiLeaks might later be seen as a force for good, because it causes organisations to tighten up their systems and data handling”. Regency IT Consulting has the experience and expertise to assist organisations in ensuring that their data is protected.
Wikipedia describes WikiLeaks as an “international new media non-profit organisation that publishes submissions of otherwise unavailable documents from anonymous news sources and leaks”. WikiLeaks regularly seize the media headlines with their publishing of documents and videos. The leaks this year have included the Afghan War Diary, containing over 76,900 documents about the War in Afghanistan that were not previously in the public domain, 40,000 documents called the Iraq War Logs, and a hugely embarrassing stream of US State Department diplomatic cables. The releases so far have concentrated on government information but, according to Reuters, a forthcoming leak will focus on a major US bank.
The latest release on the 5th December 2010 concentrated on US Critical Foreign Dependencies (Critical Infrastructure and key resources located abroad). This cable comprised a list of those installations worldwide which, if compromised, would critically affect US national security. The list includes facilities within Britain, ranging from Cornwall to Scotland. This leak has prompted the UK’s National Security Adviser, Sir Peter Ricketts, to ask all government departments to review their computer security.
The information that WikiLeaks is publishing is not intercepted data; it has been provided to them by one of their sources. It is believed that the latest publications were provided by one of their main sources, Bradley Manning. He is an army intelligence analyst currently accused of mishandling and leaking classified information. He is being held in pre-trial detention in Kuwait after being charged, on 26th July 2010, with eight violations of US criminal law and four violations of army regulations. Reports suggest that Manning told Californian hacker, Adrian Lamo, that he was systematically downloading this information and sending it to Julian Assange, the founder of WikiLeaks. When asked, Manning said that his actions were made possible by “weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis … a perfect storm.” In June 2010 Lamo informed the US Army authorities that Manning had released classified information to him.
According to BBC Diplomatic Correspondent Jonathan Marcus, the latest WikiLeaks document is probably the most controversial so far. The geographical range of the document is extensive. Whilst no details of security at the various locations listed are provided, nor the precise addresses, anyone with Internet access could easily track down the locations. The fact that the US rates the importance of these installations so highly within the cable may prompt terrorist attackers to broaden their range of potential targets.
Anyone can upload content to WikiLeaks. A team of volunteers (who are all journalists) then decides if the details merit publication. WikiLeaks place great emphasis on their ability to protect an informant’s identity, including a promise to prevent encrypted documents from being "technically traceable to your PDF printing program, your word installation, scanner, printer" and to make the contributor anonymous from an early stage. WikiLeaks have released no information regarding their sources and will neither confirm nor deny if Manning was a source.
Many people believe that, by publishing this information, WikiLeaks are putting lives at risk. As Amazon Web Services pointed out: “it is not credible that the extraordinary volume of 250,000 classified documents that WikiLeaks is publishing could have been carefully redacted in such a way as to ensure that they weren’t putting innocent people in jeopardy”. However, WikiLeaks lawyer Mark Stephens disagreed and denied that WikiLeaks were putting people or facilities at risk.
Before the arrival of the Internet, leaking this amount of information would have been far harder if not impossible. Whereas the “Pentagon Papers” were released to the press by being handed to a journalist in printed form, any number of documents can now be released electronically with relative ease, making them accessible to the whole world. All that is required is access to the material – whether authorised or illicit.
Could this have been prevented?
There is no mistaking the importance of vetting and security clearances, but they need to be considered as part of a layered approach to protecting data. The WikiLeaks source seems to have had authorised access to the systems concerned and was able to extract and transfer the data with impunity. There are some fundamental questions regarding the release of this information:

If Bradley Manning did indeed release this information, why did he have access to it in the first place? Did he have a “need to know” this type of data in order to carry out his primary job? If so, did he really need access to all of this data?

It is reported in the Guardian that the information was extracted onto CD. Was there a business requirement for Manning to be able to copy data onto removable media? If so, what processes were in place to control and monitor this activity?

The Sunday Times (5th December 2010) reported that Manning arrived in Iraq in October 2009 and mentions claims that “he started downloading files between November that year and last May.” Why did it take so long to discover that these files had been compromised?

Could the whole sorry saga have been prevented if relevant security controls, including access to data and efficient protective monitoring, had been in place? If these measures had been implemented effectively then access to this vast amount of data would have been closely controlled and monitored, leading (in the worst case) to early detection of the compromise and any data loss being minimised.
How can Regency ITC help?
Regency IT Consulting comprises some of the industry’s most experienced security consultants and is one of the largest independent employers of CLAS consultants. We have the capabilities and expertise to deliver strategic, comprehensive security solutions to enable organisations to anticipate, overcome and reduce security threats, risks and vulnerabilities in support of their business objectives.
Regency IT Consulting can provide you with the expertise and experience you need to help prevent your company losing data by ensuring that your information systems are fully compliant with recognised best practice in information assurance and enabling you to keep your professional reputation intact.
By conducting Privacy & Business Impact Assessments, supported by a full risk assessment on your IT infrastructure and user policies, Regency IT Consulting can help you to identify current risks and advise you on how to reduce them. In short, we can support you in taking all reasonable steps to protect the data that you hold.
Regency IT Consulting’s “Regency Protect” provides a professional, efficient and effective protective monitoring managed service. A properly managed protective monitoring service enables the detection and prevention of both authorised and unauthorised access to data within a system. Well-managed protective monitoring logs can provide objective evidence regarding where and when specific records were accessed, the actions completed on them (e.g. removal to media) and by whom. A well-run protective monitoring solution can provide significant benefits for the functionality and efficiency of the monitored system, including situational awareness of system-wide activity and verification of implemented changes. In short, protective monitoring helps to ensure the confidentiality and integrity of your data. Most importantly, protective monitoring acts as an effective deterrent by ensuring that users who might be considering attacking or misusing a system are aware that their activities on the system are monitored, recorded and traceable.
For more information on our services, please visit us at www-test.regencyitc.co.uk or call 01242 225 699.