The following text is copyright 2010 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.
WikiLeaks is not the actual problem
By Scott Bradner
WikiLeaks have come a long way, at least in mindshare, in the almost four years since I last wrote about them. (Wikileaks: a site for exposure, http://www.sobco.com/nww/2007.edited/bradner-2007-01-22.html) They have been roundly painted as an evildoer, when, in fact, they can't publish anything they have not been given. (They cannot actually publish anything as I write this since they are under a "massive distributed denial of service attack". There is no indication yet as to who might be directing the attack but it does not seem like the normal bad guys would pick WikiLeaks as a target. It also should be noted that the attack did not stop the publication of the news articles or of quite a few documents on the newspaper web sites, or, it turns out, all the documents at WikiLeaks.)
There has been a lot of press speculation that all of the documents, starting with the helicopter attack video have come from the same source, a young US Army intelligence analyst, who has been arrested. If that is the case it looks like access to vast databases of secret US government documents was rather broadly available and access was not reasonably logged. None of the documents released to date have been marked top secret so, maybe, the database had some level of data segregation. But, if news reports are accurate, no log was kept of access to the database or, if such a log exists, it was not regularly reviewed, since suspicion was directed at the analyst by a person outside the US military.
So, it looks like the system is setup to permit low level people wide access to millions of classified documents, without a way to monitor such access, and the system permitted bulk download of these documents. What you think if your corporate software development team had put together such a system for your confidential corporate documents? There are lessons to be learned here, not just by the US government.
The surprise about this series of leaks is not that it happened, but how it had not happened long before. Actually, maybe it has -- not everyone who would like a copy of such information would be interested in publishing it.
disclaimer: I know of no Harvard opinion on WikiLeaks, or on these disclosures and I express no opinion here of the correctness of WikiLeaks publishing such documents but the opinion on document insecurity is mine.