Get Ready for the Next WikiLeaks
December 10, 2010
There’s a great deal of debate over both the WikiLeaks disclosure of classified Defense Department and State Department documents, and over the response of the US government and other governments to those leaks. I’m not going to add to it here. Instead, I want to focus on what the WikiLeaks case — and the state of social media in general — can teach us about the future of such information leaks, and (for a lack of a better term) "information warfare."
Really, that’s what WikiLeaks is at its core, regardless of how it’s dressed up as free speech or an effort to create transparent government: It’s information warfare, the use of information to degrade an enemy’s ability to operate.
Julian Assange has as much as admitted that what he has done was intended to harm the US government.
Information warfare includes what we have come to refer to as cyberwarfare, but it doesn’t require malware or denial of service to be effective. Like other forms of "asymmetric" warfare, an individual or small group — in this case, a small, nonprofit organization — can inflict disproportionate harm on the operations of the target. Wikileaks aims to do damage to the US government, and many other governments it has dealt with, by revealing methods, strategies, and backroom dealings to the world.
The folks at 4Chan are well versed in the world of information warfare, as the hacking of Sarah Palin’s email by one of their crew demonstrated years back. So are the Army’s psychological ops folks and various other agencies of government around the world. The same is true of the Sea Shepherds and Greenpeace and other organizations dedicated to causes that you may or may not agree with.
Shining a harsh light on the activities of someone whose behavior you want to change, or whom you’d like to deny the ability to act at all, is a strategy that has been, is now being, and will continue to be used to effect change, regardless of legal, regulatory, and information security boundaries. And it’s only going to become more widespread.
During the period when the WikiLeaks documents were being collected, the Department of Defense had experienced a number of cyber-security breaches. The spread of malware across both unclassified and secret-classified networks had led to a DoD-wide ban on the use of removeable media. And yet, still, somehow, an Army specialist was able to use a computer attached to a classified network with a working CD burner and drag and drop and burn hundreds of thousands of classified messages.
Clearly, there weren’t adequate technical measures taken to enforce the removable media ban, or the security of the content that resided in secure internal government Websites, email, and other structured databases.
The DoD is still struggling with applying security policies effectively across its networks. There isn’t even consistent deployment of desktop security software across Defense’s network endpoints. And the need for information sharing frequently trumps security concerns, because security measures often obstruct operational needs.
If the DoD can’t get information security locked down well enough to prevent this size of a breach, how can anyone? Information security has long focused on defending networks at the borders, and despite the rise of security tools that claim to be able to prevent data exfiltration from the inside, those tools aren’t widely deployed in government or the corporate world. It’s only after the fact, by checking audit trails, that breaches are discovered — too late, usually — even with constant monitoring. And there are other ways to exfiltrate data in large volumes that can’t be detected through audit trails, because they look like legitimate data usage.
So, leaks are going to happen. If someone is determined to get information out of a classified system, and is apparently unafraid of the consequences, it’s going to happen. And in the age of social media, just shutting down a Website isn’t going to stop those leaks from propagating.
If you look at how spammers operate on Twitter, on Facebook, and on other social sites, it’s clear that using the terms-of-service violation approach won’t stop a determined messenger.
Social networks provide a distributed way to disseminate messages to a global audience, and they can be used in combination with URL shorteners and a variety of cloud services to constantly change where people are directed in order get to the information if necessary. Mirror sites for WikiLeaks spring up faster than ICANN can revoke their domain names.
Taking down WikiLeaks doesn’t solve the problem. And that’s the harsh reality of the networked world. All the technical solutions to the threat of leaks are imperfect, and no secret is ever really safe when it’s shared.