Kevin Beaver's Security Blog

The WikiLeaks lack of security responsibility & mental disorder connection

Last week I wrote out some talking points in preparation for a TV interview with the Canadian Broadcasting Corporation on the WikiLeaks issue and what businesses can do to keep their information secure. At the last minute they ended up not doing the segment so I thought I’d post my perspective here:

• The leaks are not the problem – it’s the choices and all the events to lead to information being exposed that needs the attention. Surprisingly, we’re not hearing much about that.
• Certain fundamental aspects of information security like business need to know, data classification, and separation of duties are often ignored OR they’re mired in a wealth of complexity and bureaucracy that to the point where they cannot be enforced or they just don’t work at all.
• Government agencies and people have been trying to keep secrets for centuries…arguably since the dawn of time. We’re just experiencing a new means of keeping secrets and subsequent exposure.
• The issue we’re now facing is information systems complexity. Be it inside government agencies or in businesses computers systems, applications, and all the hands in the pie create a scenario whereby it’s virtually impossible to ensure that everything of value is secure ALL the time. A fundamental principle of information is that it wants to be free. That, and the fact that the same electronic asset can be in multiple locations at the same time has created a monster that can be difficult to tame if you don’t go about it the right way.
• You cannot simply classify ALL of your electronic assets as “sensitive” or “critical” like what many people are accusing government agencies of doing – if you do, then it negates most of the benefit.
• Just because someone has passed a background check, obtained a security clearance, or had glaring references doesn’t mean they’re NOT going to do something bad moving forward…it may also mean they just haven’t gotten CAUGHT.
• As long as human beings are involved in the process, there will continue to be information risks to government agencies and businesses alike.
• There’s a fundamental issue here that’s come into play in so many situations – mostly in business: INACTION. Management is out of the loop, users don’t want to be inconvenienced, and many people just keep their heads in the sand.

• There’s a three-step solution to keeping information secure:

1. Know what you’ve got and where it’s located
2. Understand how it’s at risk
3. Do something about it by putting reasonable and measurable controls in place to keep things in check. Okay, maybe a step four: be very careful what you store electronically!

• Even with all the security controls like tracking suspicious behavior and blocking people from downloading sensitive material to thumb drives and external hard drives there’ll ALWAYS be a way around it.
• I suspect this data leakage problem will only get worse.

And finally, a few more personal points of view I just thought of. President Obama has created a new position to investigate the leaks…I say, Mr. Obama why not just ask government agencies why they’re not following their own rules?? Bigger government certainly won’t help the matter…

Furthermore, it’s obvious Julian Assange is no fan of our country and wants to weaken the U.S….presumably for the same reason so many other people around the world want to weaken us as well. Don’t get me wrong, I’m all for freedom of speech, transparency in government and so on. I’m just going about it from a different angle. It is funny how such activists promote “democracy” and rail against censorship while at the same time the politicians they support want to silence anyone who disagrees with their viewpoints.

It’s complex world we live in.