Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

WikiLeaks Tests Feasibility Of Government Data Security

Governments will always face the twin challenges of balancing the need for secrecy with the need to collaborate, say experts.

In the wake of the release by WikiLeaks on Sunday of more than 90,000 documents pertaining to the war in Afghanistan, will government data ever be safe again? In other words, can the U.S. government -- or for that matter, any government, corporate entity, or organization -- prevent a similar mass document disclosure in the future?

"Of course not, because remember this isn't technical, this is a human problem," said Bruce Schneier, chief security technology officer of managed computer network security service provider BT Counterpane. "The technical thing is that WikiLeaks enables this to happen easily and relatively safely, but fundamentally, human beings read these messages." When they have concerns, such as over the missile attack in Iraq, or this release of documents [from Afghanistan], then the related information may well find its way public.

WikiLeaks founder Julian Assange, who has talked about the global network of servers and technology that make his site "uncensorable," hammered that ease-of-submission point home yesterday. "We never know the source of the leak," he told reporters in London, according to published accounts. "Our whole system is designed such that we don't have to keep that secret."

"Fundamentally, this is about a whistle-blower," said Schneier. "No government or company can ever protect or defend against that. You can make it harder -- disable print, e-mail forwarding -- but at worst, I can take a photograph of the screen and mail it to you," he said.

In other words, the WikiLeaks phenomenon is primarily about people, not technology.

"In general, at any company and any government agency, authorized insiders have access to information, and if they decide to violate laws and policy and make inside information public, there is no 100% foolproof way of stopping them," said John Pescatore, VP and research fellow at Gartner Research. "That is why companies and government agencies spend a lot of time on background checks and personnel vetting, but that is not foolproof either -- as just about every spy case points out."

If you overly restrict access to information, such as the from-the-battlefield communications released by WikiLeaks, people can die, and do. "A good example is how much information the U.S. actually had prior to the terrorist attacks of September 2001 that were strongly protected and weren't shared, leading to a major failure of the intelligence community," said Pescatore.

Even so, he predicts that the fallout from the WikiLeaks disclosure, like the Pentagon Papers before it, may lead government agencies toward "an over-reaction towards too much secrecy, which then impedes real need for collaboration."

The real lesson, he said, should be about always trying to find the right balance between "need to know" with "need to share," which the private sector seems to do relatively well, said Pescatore. "Notice you don't tend to see, say, Cisco or SAP having corporate secrets released, but they do a very good job of collaborating across their companies. They balance security with usability -- it is not impossible to do so."

Unfortunately, he said, "governments tend to not be able to easily define that middle ground."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25250
PUBLISHED: 2021-04-13
An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a sensitive file could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privil...
CVE-2021-25253
PUBLISHED: 2021-04-13
An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to exec...
CVE-2021-28645
PUBLISHED: 2021-04-13
An incorrect permission assignment vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target ...
CVE-2021-28646
PUBLISHED: 2021-04-13
An insecure file permissions vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to take control of a specific log file on affected installations.
CVE-2021-28647
PUBLISHED: 2021-04-13
Trend Micro Password Manager version 5 (Consumer) is vulnerable to a DLL Hijacking vulnerability which could allow an attacker to inject a malicious DLL file during the installation progress and could execute a malicious program each time a user installs a program.