Earlier this year, the actions of a 22-year-old brought WikiLeaks, a previously obscure website, into the public spotlight. Pfc. Bradley Manning, an Army intelligence analyst, allegedly downloaded hundreds of thousands of files from classified U.S. government computer systems onto a CD labeled "Lady Gaga" and provided them to WikiLeaks, which promptly posted them on the Internet, causing scandals within the military and diplomatic corps. The incident left many security professionals around the world wondering about the vulnerability of their own organizations to a similar attack.
While your business secrets might not be as sensational as those exposed by Private Manning, you surely have information that you wouldn't want disclosed to the public, your clients or your competitors. What lessons can you and your business take away from the recent WikiLeaks disclosures and the government's response?
In the wake of the Sept. 11 attacks on the United States, the intelligence community was lambasted before Congress for compartmentalizing information in a manner that prevented analysts in many agencies from seeing the full picture of intelligence gathered from multiple sources. In their final report, the members of the 9/11 Commission stated that "even the best information technology will not improve information sharing so long as the intelligence agencies’ personnel and security systems reward protecting information rather than disseminating it." These words triggered a pendulum swing within the intelligence community toward the open sharing of information among agencies, arguably a swing that went so far as to allow Private Manning to steal hundreds of thousands of classified documents that he might not have had access to in earlier times.
So, how did the government react to the WikiLeaks disclosures? Part of its response was an effort to unring the bell — demanding that WikiLeaks remove the documents from the Internet and turn over any classified U.S. government information in the organization's possession. Not surprisingly, WikiLeaks leader Julian Assange refused those requests, claiming journalistic protections. The second half of the federal response involved a number of countermeasures designed to protect against similar leaks in the future. These steps included:
Some of these actions, especially the drastic cutting off of access to State Department systems, might be seen as a knee-jerk reaction that moves the government back into the protective state that the 9/11 Commission criticized so harshly. Whether or not you think the government security pendulum has swung too far in the opposite direction, there are lessons that you can learn from the federal experience with WikiLeaks.
Is your business in the sights of WikiLeaks contributors? Do you have a Bradley Manning on your payroll? These are the questions keeping security administrators awake at night as we turn the calendar pages to 2011. There are three specific lessons you should take to heart to protect your organization from this type of public embarrassment or corporate espionage.
1. Implement strong personnel security. This is often one of the most overlooked areas of security because, quite frankly, it's boring. Nobody wants to spend time performing background investigations on new employees or monitoring the behavior of existing staff, but this might be the single most important action you can take to protect your business data. If you stop personnel with questionable backgrounds from entering your organization in the first place, you've done quite a bit to protect yourself from the insider threat. Some of the actions you might take in this area include:
2. Limit access to sensitive information on a need-to-know basis. The government tried both extremes of this philosophy — a very tight lockdown of access and a free-for-all, everyone-can-access-everything approach. Learn from its mistakes and find a middle ground that gives staff the latitude to access information they may need to perform their jobs but tightly limits access to the most sensitive information. Here are some specific ideas:
3. Build a strong technology base for your security program. Once you've hammered out a program that addresses the personnel and access issues associated with information security, use technology to monitor them on an ongoing basis. Some ideas to consider are:
As the publicity fades from the WikiLeaks disclosure, it's likely that the government's security pendulum will swing back toward center. When incidents like this happen to others, they provide an excellent opportunity to reflect upon our own security programs and identify opportunities to improve our defenses.