WikiLeak charges show future for private corporate data

Every company has dozens of Bradley Mannings ready to leak

After seven months of investigation, the U.S. military has lodged 22 additional charges against the low-level intelligence clerk alleged to have downloaded and released hundreds of thousands of top secret documents and videos through WikiLeaks.

The incident, referred to as CableGate, started an international political firestorm.

It also turned the IT world upside down even though, on its surface, it had little or nothing to do with corporate computing.

Whoever turned over hundreds of thousands of documents to WikiLeaks (allegedly Manning, though that's yet to be proven) demonstrated how devastating it can be to trust the wrong person with access to information you'd prefer would remain secret.

All of the assumptions and most of the technology currently in vogue assume a business environment in which the Circle of Trust expands far beyond a small number of full-time senior staff with long-term job prospects and an interest in keeping the company's secrets.

Flat organizational structures, contractors hired instead of employees and the shift of critical data from databases to unstructured email, documents, web-based apps, SharePoint and other collaboration software all make information available to far more people, with far fewer controls.

In a study released in the U.K. in November, almost three quarters of employees admitted to stealing corporate data; almost half know someone who has also done it, and two thirds believe a competitor got information from a fellow employee.

Mobile computing, wireless or inadequately secured bring-your-own-device policies, and cloud- and SaaS-based computing open the doors further, even as increased spending requirements for compliance pull budget dollars away from security efforts designed to get ahead of the threat, rather than last-ditch, defend-the-edge firewalls.

All of that makes the security position of any company more tenuous, and that of anyone in IT responsible for security even more precarious.

And that's without even considering the impact the WikiLeak had on threats from outside, such as the 4Chan.org-based hacktivist group Anonymous, which no doubt inspired thousands of copycats in its successful rampage against financial organizations that refused to allow contributions to Assange's defense and its attacks on totalitarian governments in the Middle East.

Those attacks, and a growing concern over data security and whistleblowers, raised to a critical level the constant, low-intensity debate over who owns and who can publish information considered proprietary by corporations or governments, how to punish those who release it, and why supposedly high-security systems are so vulnerable.

Top-Secret and Secret [security designations] mean little without the appropriate protections in place to secure them from a motivated thief.... the old ways of protecting these documents become ineffective in today’s digital world. Similarly, legacy technology-based solutions that we most frequently think of for computer protection, like AV or firewalls are completely useless in this type of data theft. – Dave Meizlik

To supplement [IT data] security, every business should also develop an appropriate incident response plan so that it is adequately prepared to respond to a security breach in the event that the worst occurs. – Thomas J. Smedinghoff, Wildman Harrold, attorneys

Wikileaks is, in effect, a huge tax on internal coordination... the fact that [everyone you work with] had a detailed understanding of the [organization's] mission and methodology become enormous liabilities. In a Wikileaks world, the greater the number of people who intimately understand your organization, the more candidates there are for revealing that information to millions of voyeurs. – Noam Scheiber, The New Republic

The Army is prosecuting PFC Bradley Manning to the full extent of its capabilities, and no doubt revamping the lax interconnected security system that enabled all those cables to be downloaded by someone who had no reasonable need to see them.

The U.S. business world is far less organized, far less conscious of its own vulnerability and far less willing to admit or pay for mitigation of that risk.

Whatever you think of what Manning allegedly did, or WikiLeaks published, both no doubt inspired others to follow their example, gaining power over the bosses whose decisions they despise and whose company policies they believe to be criminal, stupid or simply insensitive.

They dish about that all to each other, and sometimes post bits and pieces of it anonymously (not Anonymously, for the most part, though that may come in time) to the web.

Plenty of them also swipe information for their own benefit or to sell to identity thieves or competitors, though reporting and enforcement of those incidents tends to be hush hush.

Soon enough we'll see more of them posting sensitive data not for money, but for reasons they think of as altruistic, though as often it will be for revenge or simple rebellion.

Last year the news was filled with Gen-X or Y'ers fired or embarrassed by Facebook photos of themselves acting drunk or stupid.

This year I expect it will become far more common than it is now for companies to be embarrassed in the same way; only it won't be the bosses being embarrassed who are doing the posting. So far it doesn't look like they'll be able to prevent it, either.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
