Vulnerabilities / Threats
7/28/2010
11:14 AM
Connect Directly
RSS
E-Mail
50%
50%

WikiLeaks Tests Feasibility Of Government Data Security

Governments will always face the twin challenges of balancing the need for secrecy with the need to collaborate, say experts.

In the wake of the release by WikiLeaks on Sunday of more than 90,000 documents pertaining to the war in Afghanistan, will government data ever be safe again? In other words, can the U.S. government -- or for that matter, any government, corporate entity, or organization -- prevent a similar mass document disclosure in the future?

"Of course not, because remember this isn't technical, this is a human problem," said Bruce Schneier, chief security technology officer of managed computer network security service provider BT Counterpane. "The technical thing is that WikiLeaks enables this to happen easily and relatively safely, but fundamentally, human beings read these messages." When they have concerns, such as over the missile attack in Iraq, or this release of documents [from Afghanistan], then the related information may well find its way public.

WikiLeaks founder Julian Assange, who has talked about the global network of servers and technology that make his site "uncensorable," hammered that ease-of-submission point home yesterday. "We never know the source of the leak," he told reporters in London, according to published accounts. "Our whole system is designed such that we don't have to keep that secret."

"Fundamentally, this is about a whistle-blower," said Schneier. "No government or company can ever protect or defend against that. You can make it harder -- disable print, e-mail forwarding -- but at worst, I can take a photograph of the screen and mail it to you," he said.

In other words, the WikiLeaks phenomenon is primarily about people, not technology.

"In general, at any company and any government agency, authorized insiders have access to information, and if they decide to violate laws and policy and make inside information public, there is no 100% foolproof way of stopping them," said John Pescatore, VP and research fellow at Gartner Research. "That is why companies and government agencies spend a lot of time on background checks and personnel vetting, but that is not foolproof either -- as just about every spy case points out."

If you overly restrict access to information, such as the from-the-battlefield communications released by WikiLeaks, people can die, and do. "A good example is how much information the U.S. actually had prior to the terrorist attacks of September 2001 that were strongly protected and weren't shared, leading to a major failure of the intelligence community," said Pescatore.

Even so, he predicts that the fallout from the WikiLeaks disclosure, like the Pentagon Papers before it, may lead government agencies toward "an over-reaction towards too much secrecy, which then impedes real need for collaboration."

The real lesson, he said, should be about always trying to find the right balance between "need to know" with "need to share," which the private sector seems to do relatively well, said Pescatore. "Notice you don't tend to see, say, Cisco or SAP having corporate secrets released, but they do a very good job of collaborating across their companies. They balance security with usability -- it is not impossible to do so."

Unfortunately, he said, "governments tend to not be able to easily define that middle ground."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3587
Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.