As noted in this Washington Post article, investigations have now determined that the system that stored the information disclosed by Wikileaks had quite a few failures of process and procedure that led to the “leaking” of the 250,000 documents.
From a pure information security standpoint, the Information Classification Policies, the Access Control (monitoring), and the Data Handling procedures all contributed to the loss of the diplomatic cables.
- Information Classification – Everyone has an idea of information classification from watching movies and seeing file folders with the words “TOP SECRET” stamped in RED on the outside. Well, we don’t use plain manila folders much anymore; we rely on computers to store and disseminate information. To do so, information has to be properly classified and flagged so that it exists in the right systems and is available to the right audience. In the case of this particular Defense Department system it appears that those responsible for flagging the data did so incorrectly on many, many occasions. The article already states that this was done in error, as embassy employees were putting information into the system without knowing what the codes meant. So the root of the issue here is that users had access to the system and its information without adequate understanding or training.
- Access Control (monitoring) – I added monitoring to this because it’s not a pure access control issue. The State Department has made it practice to place monitoring tools on their systems so they can “know” where information goes as well as help prevent it from being used in an inappropriate manner. DLP (Data Loss Prevention) products are commonly used for this type of activity. Unfortunately the Defense Department may not be as on the ball as the State Department in making sure they are monitoring the use of their data. However, it doesn’t absolve the State Department either, as they should also be aware of where their information exists (as difficult as that really is) and help control it.
- Data Handling – Add the last two issues up and you’ve now provided the opportunity for someone to mishandle data, whether that means accidentally printing or moving a file, or copying 250,000 files to a CD and giving them to someone without proper security clearance (I believe we call that espionage). Regardless, system users are also trained on what they should do with data (called handling). Certain things you don’t print, you don’t email documents or information, and you don’t put them on removable media. This is part and parcel of having a security clearance. Granted, the next step in accessing the information is the matter of “need to know,” and our initial issue with the misclassification of the documents provided access to many people without the need to know.
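To make the three controls above concrete, here is a small added example (not code from the article or from any government system) modelling them in Python: a classification label with a level and need-to-know compartments, a clearance check that requires both a sufficient level and every compartment on the label, and a simple DLP-style monitor that flags users who copy an unusual volume of files to removable media. The level names, the compartment name, the audit log records and the threshold are all constructed for illustration.

```python
"""Toy model of classification labels, a need-to-know access check, and a
bulk-export monitor. Added illustration only; the labels, compartment name,
log format and threshold are constructed and describe no real system."""
from collections import defaultdict
from dataclasses import dataclass

# Ordered classification levels (constructed; a real scheme has more nuance).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Marking applied to a document when it is entered into the system."""
    level: str
    compartments: frozenset = frozenset()  # need-to-know caveats (constructed names)


@dataclass(frozen=True)
class Clearance:
    """What a user has been granted: a level plus the compartments they are read into."""
    level: str
    compartments: frozenset = frozenset()


def may_read(user: Clearance, doc: Label) -> bool:
    """A user may read a document only if their level dominates the document's
    level AND they hold every compartment on the label. The second condition is
    the 'need to know' part: a SECRET clearance alone does not open a SECRET
    document carrying a compartment the user was never read into."""
    if doc.level not in LEVELS or user.level not in LEVELS:
        raise ValueError("unknown classification level")
    return LEVELS[user.level] >= LEVELS[doc.level] and doc.compartments <= user.compartments


# Constructed audit records: (user, action, destination, number_of_files).
# A DLP product would derive these from endpoint or file-server telemetry.
AUDIT_LOG = [
    ("analyst1", "copy", "removable", 12),
    ("analyst1", "copy", "removable", 300),
    ("analyst2", "print", "printer", 3),
    ("analyst1", "copy", "removable", 500),
    ("analyst3", "copy", "network_share", 40),
]


def flag_bulk_exports(log, threshold=100):
    """Sum copies to removable media per user and return those whose total
    exceeds the threshold. The threshold is constructed; tune it per environment."""
    totals = defaultdict(int)
    for user, action, destination, n_files in log:
        if action == "copy" and destination == "removable":
            totals[user] += n_files
    return {user: n for user, n in totals.items() if n > threshold}


if __name__ == "__main__":
    analyst = Clearance("SECRET")
    cable = Label("SECRET", frozenset({"DIPLOMATIC"}))  # constructed compartment
    print("analyst may read cable:", may_read(analyst, cable))
    print("bulk exports flagged:", flag_bulk_exports(AUDIT_LOG))
```

The point of the compartment check is that a correct level on its own does not encode need to know; the article's misclassification problem is exactly what happens when labels are entered without the compartments that would have narrowed the audience. The monitor is deliberately simple: it shows the kind of signal a DLP tool looks for, which is volume and destination rather than any single file.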
So prior to 9-11 we had systems that were too closed, and the lack of information sharing was blamed as a root cause for not being able to detect the planning of the attacks. Now, 10 years later, the pendulum has swung the other direction and we are sharing to the point of being careless with information. On the surface it appears that some better training and enforcement of current policies and procedures would help bring that pendulum back to the center while also keeping the appropriate people informed to keep us all safe.
- Of Wikileaks and data theft (go.theregister.com)
- Wikileaks and the insider threat (opsecprofessionals.org)
- WikiLeaks incidents stoke IT security angst (infoworld.com)