Unsurprisingly, media coverage of the WikiLeaks release has concentrated on the content of the leaked data itself. Little column space has been given to the likely causes of the leak, or to the measures that would prevent a similar incident.
To my mind there is no single "silver bullet". Rather, a combination of factors came together to allow over 250,000 US diplomatic cables to find their way into the international news media.
1. Data Access Controls: “need to know” was relaxed
Firstly, and perhaps most importantly, a breakdown in procedure contributed most to the leak: the "need to know" basis for access to data in the US defence and intelligence agencies was, to some extent, relaxed. Following the terrorist attacks of September 11th, 2001, greater co-operation and data sharing between the agencies was encouraged. That was understandable, since before that date the agencies did not share data with each other as freely as the US government would have liked. However, the pendulum appears to have swung too far the other way, with US defence personnel able to access all data marked "SECRET NOFORN" (secret, and not releasable to foreign nationals). There was no valid reason for a soldier to see diplomatic cables.
The "need to know" basis means exactly that: no one should have access to data they do not need in order to perform their role. Holding a TOP SECRET clearance does not mean you should have access to everything marked "TOP SECRET"; clearance establishes eligibility, need to know establishes access. Here, it seems, a soldier (allegedly Bradley Manning) had access to every diplomatic cable marked "SECRET NOFORN". The only saving grace was that the network from which the data was taken, SIPRNet, carries data only up to and including SECRET, not TOP SECRET.
It is important where data is shared on a network that only the correct personnel have access to the data they require to perform their role. You could imagine, for example, the chaos that would ensue in an organisation if every employee had access to the payroll and HR data, rather than just accounts and HR respectively. The stakes are much higher in areas where the data is more valuable – such as national security.
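The access decision the section argues for has three independent parts: a clearance at or above the classification, releasability (NOFORN), and a need-to-know compartment granted for the subject's role. The following is an added example, not code from the original article or any real system, showing a default-deny decision function that enforces all three. The compartment names (`STATE-CABLES`, `ARMY-OPS`) and the sample subjects are constructed for illustration; the point it demonstrates is that a higher clearance alone never widens access.

```python
from __future__ import annotations

from dataclasses import dataclass

# Ordered classification levels: the hierarchical part of the decision.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    citizenship: str          # "US" or another country code; used for the NOFORN check
    compartments: frozenset   # need-to-know compartments granted for the subject's role


@dataclass(frozen=True)
class Document:
    title: str
    classification: str
    compartments: frozenset   # every document is filed under at least one compartment
    noforn: bool = False      # NOFORN: not releasable to foreign nationals


def decide(subject: Subject, doc: Document) -> tuple[bool, str]:
    """Default-deny access decision: clearance, NOFORN and need-to-know must all hold.

    Returns (allowed, reason); the reason names the first failing check so that
    the denial can be logged and reviewed.
    """
    if LEVELS[subject.clearance] < LEVELS[doc.classification]:
        return False, "clearance below document classification"
    if doc.noforn and subject.citizenship != "US":
        return False, "NOFORN: subject is not a US national"
    if not doc.compartments:
        # An unmarked document is a labelling error; refuse rather than fall back
        # to clearance-only access.
        return False, "document carries no compartment marking"
    missing = doc.compartments - subject.compartments
    if missing:
        return False, "no need-to-know for compartment(s): " + ", ".join(sorted(missing))
    return True, "clearance, releasability and need-to-know all satisfied"


# Constructed sample data; the compartment names are hypothetical.
CABLE = Document("Diplomatic cable", "SECRET", frozenset({"STATE-CABLES"}), noforn=True)

SUBJECTS = {
    # A soldier cleared to SECRET for operational data only.
    "soldier": Subject("soldier", "SECRET", "US", frozenset({"ARMY-OPS"})),
    # An officer with a higher clearance but the same role: still no need-to-know.
    "officer": Subject("officer", "TOP SECRET", "US", frozenset({"ARMY-OPS"})),
    # A State Department analyst whose role requires the cables.
    "analyst": Subject("analyst", "SECRET", "US", frozenset({"STATE-CABLES"})),
    # An allied liaison officer on the right compartment, blocked by NOFORN.
    "liaison": Subject("liaison", "SECRET", "GB", frozenset({"STATE-CABLES"})),
}


def who_may_read(doc: Document) -> dict:
    """Map each sample subject to its (allowed, reason) decision for doc."""
    return {name: decide(s, doc) for name, s in SUBJECTS.items()}


if __name__ == "__main__":
    for name, (ok, why) in who_may_read(CABLE).items():
        print(f"{name:8} {'ALLOW' if ok else 'DENY':5} {why}")
```

Running it shows the soldier and the more highly cleared officer both denied for lack of need-to-know, the liaison denied by NOFORN, and only the analyst allowed. The order of the checks matters for logging, not for the outcome: every check must pass, so the decision is the same whichever check is evaluated first.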
2. There were no Removable Media Restrictions in place.
It is alleged that 1.6GB of CSV text files containing the 250,000 diplomatic cables were copied onto a USB memory stick (initially piecemeal, via CD-RW). It seems amazing that the network in question either had no solution to restrict the use of, and access to, removable media, onto which large volumes of data can be copied, or, if it had one, that the policy was relaxed so far that a soldier had full write access to any removable media. There are legitimate reasons why a soldier in the operational field may need a USB memory stick or a CD/DVD burner, but there are equally solutions on the market to prevent unauthorised data loss. Lumension's Device Control solution can do exactly that: set a daily copy limit that allows only a certain amount of data per day to be copied to removable media, while monitoring what is being copied. It can also restrict content by file type: if the soldier is using a bespoke application in the field, there is no need to allow him to copy CSV files onto that stick. Note that a restriction keyed on file extension alone is easily defeated by renaming or splitting the files, which is why the volume limit and the monitoring matter as much as the type filter.
3. Physical Security on-site appears to have been lax
It is alleged that Bradley Manning boasted how easy it was to smuggle in a CD-RW labelled "Lady Gaga", erase the music and replace it with a compressed, split file. Again, had the writes to that media been monitored with an appropriate solution, the alarm could easily have been raised. Daily log inspection is something the industry has evangelised for years as an essential information security measure; in a defence scenario it is critical. It seems, however, that physical security was lax in allowing soldiers to introduce their own devices and media into a secure location in the first place. Most defence locations have screening procedures and ask all visitors to leave their own media and devices at the gatehouse. Why does this not seem to apply to their own personnel?
The solution here is to only allow defence approved devices which are both monitored and controlled. Once a private device is introduced into the network, not only do you risk data leakage but also malware and inappropriate content introduction. Anyone bringing in their own device or removable media should have it secured away for return upon leaving the location. Devices which are vulnerable to malware infection and have no suitable encryption capabilities have no place in a defence scenario.
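Sections 2 and 3 together describe a control loop: mediate every write to removable media (approved devices only, a file-type filter, a daily byte quota), log each attempt, and review those logs daily. The following is an added example, not code from the original article or from any vendor's product, that implements both halves and runs the reviewer over a constructed scenario. All policy values (the 50 MiB daily limit, the 200 MiB weekly review threshold, the device serial numbers, the file names and users) are hypothetical. The scenario also shows why the log review is needed: a bulk `.csv` export is blocked outright, but the same data renamed and split into `.001`, `.002`, ... chunks slips past the type filter, and only the quota denials, the split-archive naming and the cumulative volume give it away.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Hypothetical policy values for the example.
DAILY_LIMIT_BYTES = 50 * 1024 * 1024            # per user, per day
WEEKLY_ALERT_BYTES = 200 * 1024 * 1024          # cumulative allowed writes worth a review
BLOCKED_EXTENSIONS = {".csv", ".zip", ".7z"}    # bulk exports and archives
APPROVED_DEVICES = {"SN-DEF-0001", "SN-DEF-0002"}  # serials of issued media
# Naming used by split archives (7z/rar/zip parts) that a type filter does not catch.
SPLIT_ARCHIVE = re.compile(r"\.(part\d+|\d{3}|z\d{2})$", re.IGNORECASE)


class DeviceControl:
    """Mediates every write to removable media and records one audit line per attempt."""

    def __init__(self):
        self.copied = defaultdict(int)   # (user, date) -> bytes allowed so far
        self.audit = []

    def request_write(self, ts, user, device, filename, size):
        date = ts.date().isoformat()
        ext = PurePosixPath(filename).suffix.lower()
        if device not in APPROVED_DEVICES:
            verdict, reason = "DENY", "unapproved-device"
        elif ext in BLOCKED_EXTENSIONS:
            verdict, reason = "DENY", "blocked-type"
        elif self.copied[(user, date)] + size > DAILY_LIMIT_BYTES:
            verdict, reason = "DENY", "daily-quota"
        else:
            verdict, reason = "ALLOW", "ok"
            self.copied[(user, date)] += size
        self.audit.append(
            f"{ts.isoformat()} user={user} device={device} file={filename} "
            f"bytes={size} verdict={verdict} reason={reason}")
        return verdict == "ALLOW"


LINE = re.compile(
    r"^(\S+) user=(\S+) device=(\S+) file=(\S+) bytes=(\d+) verdict=(\S+) reason=(\S+)$")


def review_audit(lines):
    """Daily log review: return a sorted list of (user, alert) pairs."""
    alerts = set()
    denials = defaultdict(int)        # (user, day) -> denied attempts
    allowed_bytes = defaultdict(int)  # user -> bytes actually written
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, user, _device, fname, size, verdict, _reason = m.groups()
        if verdict == "DENY":
            denials[(user, ts[:10])] += 1
        else:
            allowed_bytes[user] += int(size)
        if SPLIT_ARCHIVE.search(fname):
            alerts.add((user, "split-archive-naming"))
    for (user, _day), n in denials.items():
        if n >= 3:
            alerts.add((user, "repeated-denials"))
    for user, total in allowed_bytes.items():
        if total > WEEKLY_ALERT_BYTES:
            alerts.add((user, "cumulative-volume"))
    return sorted(alerts)


def demo():
    """Constructed week of activity: legitimate field use plus a piecemeal exfiltration attempt."""
    dc = DeviceControl()
    t0 = datetime(2010, 4, 1, 9, 0)
    # Legitimate: a small form copied to an issued stick.
    dc.request_write(t0, "medic1", "SN-DEF-0001", "casevac-form.pdf", 2_000_000)
    # Blocked outright: a bulk CSV export of the whole database.
    dc.request_write(t0, "analyst2", "SN-DEF-0002", "cables.csv", 1_600_000_000)
    # Bypass attempt: the archive renamed to look like music and split into 30 MiB
    # chunks, four per day for a week. Only the first chunk each day fits the quota.
    for day in range(7):
        for part in range(1, 5):
            dc.request_write(t0 + timedelta(days=day, minutes=part), "analyst2",
                             "SN-DEF-0002", f"music.7z.{day * 4 + part:03d}", 30 * 1024 * 1024)
    return dc


if __name__ == "__main__":
    store = demo()
    for user, alert in review_audit(store.audit):
        print(f"ALERT {user}: {alert}")
```

The reviewer raises three alerts for `analyst2` and none for `medic1`. The quota alone would have let 210 MiB out over the week, which is exactly the piecemeal pattern the article describes, so the log review is the control that turns a slowed-down leak into a detected one.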
4. Encrypt data at rest as well as in motion: file encryption too?
By now most organisations have got the message that data needs to be encrypted at rest where it is likely to be exposed (e.g. full disk encryption for laptops, removable media encryption) as well as in motion (e.g. email encryption). In a defence scenario, however, it may also be appropriate to encrypt individual files, so that if a file is copied off the network through a breach of security it is worthless to a third party without the key. This applies above all to data as sensitive as this, where the diplomatic cables have caused the US and her allies embarrassment at best and, in the worst cases, a compromise of national security. It seems odd that such important documents were held on the network unencrypted.
Of course solutions exist to enforce removable media encryption, but any thorough analysis of the security requirements will also take into account the possibility of a deliberate breach of security by an insider, which leads to:
5. Separation of duties
Separation of duties is always best practice. Had the files been encrypted, it would then be best practice to ensure that no single person had access to both the data and the encryption keys: an algorithm is only as strong as the protection of its keys. The crypto custodian (it sounds like a superhero from a comic strip!) should not be the same person as the system administrator who grants and revokes access to the data itself. This separation safeguards against one person being able to bypass internal security on their own. In addition, any technical control worth its salt must support separation of duties within the solution itself (e.g. an auditor can read logs but cannot make administrative changes).
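Sections 4 and 5 together describe per-file encryption combined with a key custodian who is not the data administrator. The following is an added example, not code from the original article or any real product, that models both: each file is encrypted under its own data key, the data keys are wrapped under a key-encryption key that only the custodian role can use, the system administrator controls storage and access lists but has no key permission, and the auditor can only read the log. The people and roles (alice, bob, carol, dave) and the cable text are constructed. The stream cipher is a deliberately simple HMAC-SHA256 keystream standing in for a real AEAD such as AES-GCM, so that the example runs on the standard library; it provides no integrity protection and is illustrative only.

```python
import hashlib
import hmac
import secrets

# Hypothetical people and roles. The permission sets are disjoint on purpose:
# nobody holds both data access and key release.
ROLES = {"alice": "sysadmin", "bob": "custodian", "carol": "auditor", "dave": "analyst"}
PERMISSIONS = {
    "sysadmin":  {"store", "grant", "revoke"},   # manages data and ACLs, never keys
    "custodian": {"release-key"},                # manages keys, never data or ACLs
    "auditor":   {"read-log"},                   # sees what happened, changes nothing
    "analyst":   {"read-ciphertext"},            # may read files the sysadmin grants
}


def permitted(actor, action):
    return action in PERMISSIONS.get(ROLES.get(actor), set())


def xor_stream(key, nonce, data):
    """Toy stream cipher: keystream block i = HMAC-SHA256(key, nonce || i).

    Encryption and decryption are the same operation. Stand-in for a real AEAD;
    a nonce must never be reused under the same key.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class EncryptedStore:
    """Per-file data keys, wrapped under a key-encryption key only the custodian may use."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)   # the custodian's key; never returned
        self.files = {}                       # name -> record on "disk"
        self.log = []

    def _check(self, actor, action, target):
        ok = permitted(actor, action)
        self.log.append(f"actor={actor} action={action} target={target} "
                        f"result={'ok' if ok else 'denied'}")
        if not ok:
            raise PermissionError(f"{actor} ({ROLES.get(actor)}) may not {action}")

    def store(self, actor, name, plaintext):
        self._check(actor, "store", name)
        dek, nonce, wrap_nonce = (secrets.token_bytes(n) for n in (32, 16, 16))
        self.files[name] = {
            "nonce": nonce,
            "ciphertext": xor_stream(dek, nonce, plaintext),
            "wrapped_dek": (wrap_nonce, xor_stream(self._kek, wrap_nonce, dek)),
            "acl": set(),
        }

    def grant(self, actor, name, user):
        self._check(actor, "grant", name)
        self.files[name]["acl"].add(user)

    def read_ciphertext(self, actor, name):
        """What a reader on the ACL obtains: the encrypted bytes and their nonce."""
        self._check(actor, "read-ciphertext", name)
        if actor not in self.files[name]["acl"]:
            raise PermissionError(f"{actor} is not on the ACL for {name}")
        return self.files[name]["nonce"], self.files[name]["ciphertext"]

    def release_key(self, actor, name, requester):
        """Only the custodian unwraps, and only for a requester the ACL names."""
        self._check(actor, "release-key", name)
        if requester not in self.files[name]["acl"]:
            raise PermissionError(f"{requester} is not on the ACL for {name}")
        wrap_nonce, wrapped = self.files[name]["wrapped_dek"]
        return xor_stream(self._kek, wrap_nonce, wrapped)

    def read_log(self, actor):
        self._check(actor, "read-log", "log")
        return list(self.log)


def open_file(store, reader, custodian, name):
    """Decryption needs two roles: the reader fetches ciphertext, the custodian releases the key."""
    nonce, ciphertext = store.read_ciphertext(reader, name)
    return xor_stream(store.release_key(custodian, name, reader), nonce, ciphertext)


def attempt(fn):
    try:
        fn()
        return "ok"
    except PermissionError:
        return "denied"


def demo():
    """Walk each role through a constructed cable and report what every attempt yielded."""
    s = EncryptedStore()
    text = b"SECRET//NOFORN constructed cable text, not a real document"
    s.store("alice", "cable-001", text)
    s.grant("alice", "cable-001", "dave")
    raw = s.files["cable-001"]["ciphertext"]   # what copying the file off the disk gives
    return {
        "analyst_with_custodian_reads_plaintext": open_file(s, "dave", "bob", "cable-001") == text,
        "raw_copy_reveals_plaintext": text in raw,
        "sysadmin_release_key": attempt(lambda: s.release_key("alice", "cable-001", "alice")),
        "custodian_read_ciphertext": attempt(lambda: s.read_ciphertext("bob", "cable-001")),
        "auditor_read_log": attempt(lambda: s.read_log("carol")),
        "auditor_grant": attempt(lambda: s.grant("carol", "cable-001", "carol")),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The administrator can add herself to an ACL and can read every byte on disk, but without the custodian's key release those bytes are ciphertext; the custodian holds the key but cannot touch files or ACLs; the auditor can see every attempt in the log and change nothing. Getting the plaintext out requires two roles acting together, which is exactly the collusion case the next paragraph turns to.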
Nevertheless, there may be occasions where, despite the measures above and extensive background checks on the personnel involved, collusion occurs to take data off the network: this is where electronic data labelling becomes important. Also at the heart of the WikiLeaks issue is the fact that the legal system lags significantly behind the technology … but more on that subject later!
Phil Stewart is director of Excelgate Consulting