Last month’s release of the incendiary Afghan War Diary by WikiLeaks raised a lot of national security questions, not the least of which is how a large, complex enterprise anticipates the human element when it builds its IT security solutions. For the White House, which issued a statement strongly condemning the disclosure of the secret documents, the human element in this security breach was not a super-sophisticated computer hacker, but what news reports suggest was a disgruntled employee (or hero, in some eyes). The whistleblowing website says it will release a CIA paper today. How do security experts fix a threat that is more about human psychology than computer programming?
I had the opportunity to interview Paul B. Kurtz on the matter. A former security adviser to President Clinton and President Bush, Kurtz began working on federal security issues two decades ago, focusing initially on weapons of mass destruction. Since 2001, his prime interest has been cybersecurity policy. He is now in private industry. Reaching him by phone at his current home in Abu Dhabi, I asked him whether I was wrong to assume that security tools are better equipped to deal with a hacker than with a leaker. Is there a security system that can guard against someone who is determined to disclose sensitive information? Here is part of his take:
Kurtz: Oh yeah, there is a lot that can be done by coupling policy and technology. The first thing that I think is relevant in the case of WikiLeaks is that you have an individual who has TS-SCI [Top Secret-Sensitive Compartmented Information] clearance and has broad access across the system. He is sitting in Baghdad and yet he is dumping information on Afghanistan — although it does appear he was passing information into WikiLeaks on what was happening in Iraq as well.
So, there are a couple of things that can be done. Are we segregating data the way we should, based upon an individual’s area of responsibility? Here we have a private who is able to access all sorts of data from Afghanistan. That doesn’t mean that nobody should have that type of global access, but you kind of have to scratch your head and ask yourself whether a private should have [the same] kind of access as an intelligence analyst.
If in fact, someone does need access, whether it is a private or a senior official, there are still technologies, in addition to policies, that can enforce that segregation and can create that accountability and tracking system. For example, if the right systems were in place, the private searching data or searching video on Afghanistan, which really has nothing to do with his responsibilities, should be caught by the system. And it wasn’t. There are lots of technologies out there that can assist with this . . . access control, authorization, monitoring. This is out there today.
But, as you said, in a situation like WikiLeaks, we can’t simply rely on technologies. We have to have technologies coupled with policies, and obviously enforcement, in order to protect against [what], in this case, is an insider.
So, what keeps Kurtz up at night?
Kurtz: There are two things that bother me now. One is economic espionage — state-sponsored espionage in particular. Massive amounts of data are being sucked out of government and private-sector systems. Emphasis on the private-sector side. We are like moths to a light on any national security-related incident, but the fact of the matter is, a lot of our very sensitive intellectual property — plans for technology — is being taken out of those systems. That is exceptionally problematic.
But the next wave of attacks that I think we are going to see is a function of the first problem. If you can gain access to data, then you can start to manipulate data. If data is manipulated and you can’t get a true sense of what data is correct or incorrect or corrupted, how do you ultimately get to the bottom of that? That is very troubling.