TotalCIO

Aug 25 2010   3:57PM GMT

WikiLeaks: When IT security threats are leakers, not hackers



Posted by: Linda Tucci
Tags: IT security, WikiLeaks

Last month’s release of the incendiary Afghan War Diary by WikiLeaks raised a lot of national security questions, not the least of which is how a large, complex enterprise anticipates the human element when it builds its IT security solutions. For the White House, which issued a statement strongly condemning the disclosure of the secret documents, the human element in this security breach was not a super-sophisticated computer hacker, but what news reports suggest was a disgruntled employee (or hero, in some eyes). The whistleblowing website says it will release a CIA paper today. How do security experts fix a threat that is more about human psychology than computer programming?

I had the opportunity to interview Paul B. Kurtz on the matter. A former security adviser to President Clinton and President Bush, Kurtz began working on federal security issues two decades ago, focusing initially on weapons of mass destruction. Since 2001, his prime interest has been cybersecurity policy. He is now in private industry. Reaching him by phone at his current home in Abu Dhabi, I asked him whether I was wrong to assume that security tools are better equipped to deal with a hacker than with a leaker. Is there a security system that can guard against someone who is determined to disclose sensitive information? Here is part of his take:

Kurtz: Oh yeah, there is a lot that can be done by coupling policy and technology. The first thing that I think is relevant in the case of WikiLeaks is that you have an individual who has TS-SCI [Top Secret-Sensitive Compartmented Information] clearance and has broad access across the system. He is sitting in Baghdad and yet he is dumping information on Afghanistan — although it does appear he was passing information into WikiLeaks on what was happening in Iraq as well.

So, there are a couple of things that can be done. Are we segregating data the way we should, based upon an individual’s area of responsibility? Here we have a private who is able to access all sorts of data from Afghanistan. That doesn’t mean that nobody should have that type of global access, but you kind of have to scratch your head and ask yourself whether a private should have [the same] kind of access as an intelligence analyst.

If in fact, someone does need access, whether it is a private or a senior official, there are still technologies, in addition to policies, that can enforce that segregation and can create that accountability and tracking system. For example, if the right systems were in place, the private searching data or searching video on Afghanistan, which really has nothing to do with his responsibilities, should be caught by the system. And it wasn’t. There are lots of technologies out there that can assist with this . . . access control, authorization, monitoring. This is out there today.

But, as you said, in a situation like WikiLeaks, we can’t simply rely on technologies. We have to have technologies coupled with policies, and obviously enforcement, in order to protect against [what], in this case, is an insider.

So, what keeps Kurtz up at night?

Kurtz: There are two things that bother me now. One is economic espionage — state-sponsored espionage in particular. Massive amounts of data are being sucked out of government and private-sector systems. Emphasis on the private-sector side. We are like moths to a light on any national security-related incident, but the fact of the matter is, a lot of our very sensitive intellectual property — plans for technology — is being taken out of those systems. That is exceptionally problematic.

But the next wave of attacks that I think we are going to see is a function of the first problem. If you can gain access to data, then you can start to manipulate data. If data is manipulated and you can’t get a true sense of what data is correct or incorrect or corrupted, how do you ultimately get to the bottom of that? That is very troubling.

1  Comment on this Post

 
  • cleverHandle
    Lotus Notes already has security features in place to severely impede or outright prevent these kinds of threats. I guess the people who designed or deployed or planned these systems either didn't know about Lotus Notes or didn't know how to deploy it. Too bad the constant negative propaganda regarding Lotus Notes from MS discourages intelligent people from using it when they should. Believe it or not, it is true. A camera picture of the screen is sometimes the only way to get secured information out of Lotus Notes, which of course assumes access to view it in the first place, which can be controlled down to the field level. If every SS# was maintained in a Lotus Notes database using shared keyed encrypted fields within encrypted documents within an encrypted database, nobody would ever be able, without the proper three encryption keys, to steal a SS# but would still have access to the other pieces of data in the same record that weren't sensitive. Wish all IT folks and management knew that.
