The following text is copyright 2010 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.

 

WikiLeaks is not the actual problem

 

By Scott Bradner

Another day, another quarter of a million confidential government documents leaked via WikiLeaks.  This one was particularly well orchestrated with the first announcements coming a week or so ago.  As if to increase the impact, multiple governments went all a twitter with the US government warning of dire consequences to US diplomacy and the UK government going so far as to ask the UK press not to publish the material.  As the articles in the New York Times and the other newspapers that got an advance look at the material show, there is plenty of news in this release.  But, the underlying story, and lesson, concerns the protection, or non-protection, of US government documents.

 WikiLeaks have come a long way, at least in mindshare, in the almost four years since I last wrote about them.  (Wikileaks: a site for exposure, http://www.sobco.com/nww/2007.edited/bradner-2007-01-22.html)  They have been roundly painted as an evildoer, when, in fact, they can't publish anything they have not been given.  (They cannot actually publish anything as I write this since they are under a "massive distributed denial of service attack".  There is no indication yet as to who might be directing the attack but it does not seem like the normal bad guys would pick WikiLeaks as a target.  It also should be noted that the attack did not stop the publication of the news articles or of quite a few documents on the newspaper web sites, or, it turns out, all the documents at WikiLeaks.)

WikiLeaks has been on quite a roll of late.  While they have not confined themselves to leaked US government documents, they have published quite a few of those, starting with a US Department of Defense counterintelligence analysis of WikiLeaks itself.  The publication of a video of a US helicopter attack in Baghdad was the first in a still ongoing series of large-scale publications of US government documents.  In July WikiLeaks published about 75 thousand pages of documents about the Afghan war, followed by about 400 thousand pages of documents about the Iraq war.  Just before Thanksgiving WikiLeaks said that the next release would be 7 times the size of the Iraq war release, but the Times reports that today's release is 'only' 250 thousand pages, meaning that there are about 2.5 million pages to come.

 

There has been a lot of press speculation that all of the documents, starting with the helicopter attack video, have come from the same source, a young US Army intelligence analyst, who has been arrested.  If that is the case it looks like access to vast databases of secret US government documents was rather broadly available and access was not reasonably logged.  None of the documents released to date have been marked top secret so, maybe, the database had some level of data segregation.  But, if news reports are accurate, no log was kept of access to the database or, if such a log exists, it was not regularly reviewed, since suspicion was directed at the analyst by a person outside the US military.

 

So, it looks like the system is set up to permit low level people wide access to millions of classified documents, without a way to monitor such access, and the system permitted bulk download of these documents.  What would you think if your corporate software development team had put together such a system for your confidential corporate documents?  There are lessons to be learned here, not just by the US government.

 

The surprise about this series of leaks is not that it happened, but how it had not happened long before.  Actually, maybe it has -- not everyone who would like a copy of such information would be interested in publishing it. 

 

disclaimer:  I know of no Harvard opinion on WikiLeaks, or on these disclosures and I express no opinion here of the correctness of WikiLeaks publishing such documents but the opinion on document insecurity is mine.