Sunday, 9 January 2011

WikiLeaks lessons

ENISA identified three major incidents from "WikiLeaks Cablegate". In summary, these three incidents are:
  • The leaks themselves
  • DNS and Cloud Service interruption
  • Hacktivist DDoS attacks
To address the first issue, the US government has distributed an internal memo, which ironically has been leaked. The memo focuses on assessments of the technical solutions and policies. While these areas certainly are important, one must keep in mind that the leaks were made by people who see their loyalty as being to "the world population" rather than to "the boss". Hence the "leakers" are known as whistle blowers, rather than parts of a broken system.

No matter how strictly you define your policies and attempt to enforce them through access restrictions, this will never account for the whistle blowing humans you employ. Hence the real issue for each agency should be the psychology of whistle blowers, not system crackdowns.

In other words, the system will take care of internal policies and access control, and you could tighten up firewalls against external threats, but WikiLeaks is about whistle blowers - the people you thought were loyal to you turn out to be loyal to their personal ethical principles instead.

Principles of whistle blowing
  • The sound of the whistle is something that was supposed to be secret.
  • The whistler has something to gain by whistling, for one of these reasons:
    The tone of the whistling is in disharmony with the whistler.
    The whistler gains something politically, economically or other.
  • The whistling is amplified by a party that gains something by doing this job.
Hidden information leakage between agencies is known as espionage and is not considered leakage. While an employee is still the weak link in the security chain, the reasons for leaking are quite different, and so the psychology and machinery differ as well: while espionage depends on nobody knowing that the espionage has occurred, leaking is based on public disclosure as a weapon. This, again, means that the disclosure is effective only when the content is to the benefit of the public - either directly by the disclosure of disharmonious behaviour (the most common form of leakage) or indirectly by amusement.

Further, one might claim that information that only causes amusement is not directly harmful. On the other hand, secret information that is to public benefit typically means that the information is in regard to organizational behaviour in disharmony with public opinion.

So how do we avoid leakage?

Be good.

No, seriously, don't do anything that the public would hate you for if they knew about it.
