I woke up this morning to the news that WikiLeaks had dumped thousands of U.S. confidential documents out into the Web and that no one had blown either them or us up yet. While some are arguing that it is time for a new, more open style of governing, I'm fascinated with two things: The U.S. government isn't more concerned that if WikiLeaks was able to gain access so easily, almost any foreign government probably had better access for years and just didn't report it; and people, even in government, who should know better, evidently fail to realize that e-mail isn't secure and what you write in an e-mail may show up at a future date.
Let's explore both this week.
The One-Leak Security Fallacy
Many people believe that if you've found one major problem within a company or organization then you've found the entire population. This is incredibly wishful thinking because those of us who do security audits know that it is very unusual to find one theft, and generally focus on seeing if the opportunity is likely. If it is and you find one, the potential population is 1+, and the "+" could be any number. And as much as we want it to be zero it probably isn't.
This leak was apparently not identified until WikiLeaks actually reported that they had the information that suggested that internal monitoring and classified information security in the U.S. government is unable to identify such leaks, only track them back once the leak is externally reported. Often the search for additional leaks is done by the very people who are responsible for making sure they didn't happen in the first place, making it less likely they will find more.
In this instance, allegedly, the theft of the documents was by a low-level government employee with no special talents. Assuming that people with specialized talents have been pulling even more damaging documents should have been a better initial position.
If you have a leak, research the cause, assume there are likely others and patch the holes in the process so that the act can't be repeated by anyone else. If you put all your effort into crucifying a scapegoat, the problem will likely come up again, and a bigger problem may go unfound.
E-mail is Not Secure
Much of what is being disclosed appears to be in communications and has a decidedly high school/Facebook feel to it. The concept of diplomats doing espionage and writing personal opinions of world leaders in e-mail both seem very foolish, and yet I'm reminded of an e-mail exchange I witnessed a few years ago between two managers.
In this case, an African-American woman had asked for some resources from her second line manager because her first line manager had refused her. The second line manager had responded, not realizing he had copied the woman, in a racially charged note that insulted her on a number of levels including her race, while granting the request. The woman's brother was an attorney who specialized in discrimination litigation. That turned out to be an expensive e-mail for the company and both managers lost their jobs that week.
E-mail is not a secure method of communication, they can be easily subpoenaed and they can also easily be forged. They aren't particularly easy to delete as there are often backup copies on both the sender's and recipient's e-mail servers ready for discovery. We knew of this in the 1988 arms-for-hostages scandal, which had, at its source, a PROFS e-mail that was deleted but backed up (governments tend to be slow learners).
This suggests that this stuff will be around for a while and will likely be used more successfully against you than for you in the future. This also suggests that firms should think about having in place e-mail guidelines that are regularly audited with regard to what goes into e-mail and what should likely use a different and more secure communications method.
In any case, comments that are offensive and don't have a business purpose should likely be out of all forms of written communication unless you like taking unnecessary risks.
The WikiLeaks scandal represents a warning that we can become so focused on a single theft that we miss the bigger problems that surround it and that highly damaging comments should not be put into poorly secured media like e-mail. We can also learn lessons from the mistakes of others and this is a good opportunity to do that before similar mistakes hit us.