Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

WikiLeaks: How Bad is U.S. Cybersecurity? (Bad – Really, Really Bad)

December 9, 2010

Let me answer my question this way. In a cyberwar between China and the U.S., my money is on the Chinese – and that doesn't make me happy. I think we're just lucky that the Russians and their cyber-experts are so bent on cybercrime that cyberwarfare has taken a back seat. Heaven help us if it takes a front seat because the cyber experts of the Russian Mafia are very sharp indeed. And the line between the Russian government and the Russian Mafia is very thin, as the recent cables released by WikiLeaks suggest.

OK, back to the original question. How did a mere private gain access to so much data and then copy and transport it? Regrettably, it was child's play.

He brought in a CD-RW labeled something like "Lady Gaga," erased the music and wrote a compressed split file. Private Manning rather accurately observed the total absence of security noting that there were "weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis… a perfect storm."

It would be difficult to describe it better. Manning allegedly recounted his clandestine exploits in a series of conversations that Adrian Lamo, the onetime hacker best known for breaking into networks belonging to the New York Times Co. and Yahoo, recorded in full. It makes for fascinating reading.

It is horrifying to see how lax security is or was. How is it possible that there was no access control here, allowing Manning to see things no private should have access to? How is it possible that internal alerts didn't go off when so much data was accessed and copied? How is it possible that there were no controls on removable devices? This is clearly a case where heads should roll – those in charge of information security weren't just asleep at the switch – they were comatose.

We need roving teams of penetration experts assessing security throughout the government, but especially where classified data is held. Pretty simple idea, huh? Every network that holds such data should be assessed at least quarterly by those who know what they are doing – and that's the problem – such folks seem to be in short supply in the U.S.

Manning apparently saw himself as a whistleblower and wanted to stimulate worldwide discussion and reform. Indeed, as the cables prove, governments lie and lie chronically to their citizens. Not news, but without leaks we wouldn't have proof of the lies. What Manning did was clearly illegal and he will no doubt be punished severely, but what about WikiLeaks?

That is much less clear. No one has yet been able to point to a law that WikiLeaks broke though there are a lot of tortured efforts to make existing laws applicable. The New York Times and every other major newspaper has been printing leaks for years. WikiLeaks just got a lot of leaks in a very short time frame – the beauty and horror of a cyberworld.

There has been much wailing about the endangerment of lives, but it sounds pretty hollow. Bob Woodward, of Watergate fame, has taken a measured view of this. He noted that governments always claim that lives are endangered when information is leaked but in fact most of the leaks fall more into the embarrassing category than the life-threatening category. Note that the cables have been redacted both on WikiLeaks and in the media to try to protect certain sources.

Frankly, I want to know that 85% of the humanitarian aid we sent to Pakistan was diverted to covert military actions. It's a pity that it takes a leak to rip the veil of deception from the government's face. The idea that the government can do anything it likes in utter secrecy (trust me, I'm from the government) has never had an appeal for free-thinking citizens.

I have an enormous respect for the Fourth Estate, which so often protects us from government and military misconduct by making it public.

Mind you, there need to be some secrets. No one would deny that. And there can be no secrets while government cybersecurity is so lax. But before condemning WikiLeaks or the newspapers which are publishing the cables, we should remember the words of Thomas Jefferson:

Our liberty depends on the freedom of the press, and that cannot be limited without being lost.

As a final note, anyone who has read the full account of the sex charges against WikiLeaks founder, Julian Assange, will note a rancid odor. Both women invited Mr. Assange to stay with them and acknowledge that the sex was consensual. Apparently in one case his condom broke and the other case is a little murkier as to what happened, but neither woman seemed inclined to press charges at the outset. In fact, the original rape charge was dropped a day later, only to be reinstated for reasons that remain suspect.

It doesn't pass the smell test. I think most fair-minded people have concluded that these charges are less about prosecution than persecution. Mr. Assange has become a most inconvenient fellow for many governments.

I do not know enough about Mr. Assange to know whether he is the folk hero that so many hold him to be. I do know that he lives austerely and that he seems to be committed to making information free, especially information indicating deceptive behavior by governments (and he apparently has such information regarding mega-corporations as well).

I admire the fact that he gave the keys to his data to four of the most respected international newspapers. He did give warning that these cables would be released. He has redacted information to protect sources. So far, he seems neither a fool nor a man who wishes to cause harm directly, though of course indirect harm may follow. He appears to have weighed inaction against action and found action warranted.

He has taken extraordinary steps to control the data through an encryption scheme that is apparently unbreakable by the most modern supercomputers. Hard to be in our business and not have a sneaking admiration for the intellect, cunning and planning that has thus far utterly defeated government and private attempts to circumvent Mr. Assange's work. Apparently those that used to process financial donations (MasterCard, VISA, PayPal, etc.) are currently suffering the wrath of DDoS (Distributed Denial of Service) attacks from "unknown" sources. Perhaps they will reverse their decision to abandon the processing of donations for WikiLeaks, but I doubt it.

Few stories in my lifetime have been as interesting as this one, perhaps because it reminds me so much of Watergate and Vietnam and their related revelations about government corruption and deception, but escalated beyond imagining by the vast volumes of data in the cyberworld.

*****************************************

Click on the banner below to vote for your 12 favorite legal blogs among those honored to be included in the ABA Journal's Blawg 100. I am pleased that Ride the Lightning was included in the company of so many well-respected blogs. The last day to vote is December 30th.


Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq