Information security lessons from Wikileaks


The release of 260,000 US embassy messages by Wikileaks this week is certainly generating headlines. I don't know whether to go with the 'sky is falling, end of world' tendency or the 'so-what, nothing new there' brigade, so I will just ponder what it all means for information security.

The leak itself appears to have been as simple as saving files to a CD-RW disc. Access to the database (it's called the Secret Internet Protocol Router Network, or "SIPRnet") is available to over 2 million users with clearance. This level of access is deliberate, because post 9/11 the urge was for better information sharing amongst the intelligence community. SIPRnet seems to be lower-level on the scale of secure intelligence systems and databases, and there are others I am sure with far higher obstacles to access. What happens when a message is marked as "Sipdis" is that it can and should be distributed to the inter-departmental community on SIPRnet as e-mails and hypertext documents.

How do you secure an environment like SIPRnet? Apart from building the IP router network itself, they have strong passwords and obligatory changes every 150 days. There's an audit trail of all users, which includes the identity of all persons accessing or attempting to access SIPRnet, and any noteworthy activities that might indicate an attempt to bypass security. There are rules about never leaving a connected computer logged on when unattended. Using removable hard drives or other media storage devices in the secure work area is frowned upon. If you do connect a memory stick or a CD writer to a computer with SIPRnet access, you're obliged to label the USB stick or CD as "secret" and look after it. Synching your iPod during work hours is probably not encouraged either. But it seems in this case that an individual's right to be able to access iTunes at all times edged out the need for national security at embassies and intelligence facilities.

So if even Hillary Clinton has to say "I have directed that specific actions be taken ... so that this kind of breach cannot and does not ever happen again" then spare a thought for the average company trying to secure their files and information. Their next measure may be to disconnect Government departments from SIPRnet, but in the private sector if that stalled a company's commercial operations, it wouldn't be much of an option. We'll get a sense of that in early 2011 if and when Wikileaks does publish information concerning a major US bank, as it has said it will do.

All software has security issues and nothing is 100% resilient. And the issue for the US Government is the same as for all of us - sharing while still protecting information. Not every company has gone beyond FTP and file-sharing services yet, but there is at least a clear alternative with CogniDox and similar systems for controlling customer licensing and information dispersal. CogniDox provides clear access tokens (licenses), separation of rights (certain people can grant licenses to documents, others grant licenses to customers), email notifications about changes and an audit trail (changes to the database and customer downloads). It also helps that any download is watermarked with the downloader's name and company - another disincentive to sharing when sharing is not authorised.

But that isn't the lesson of Wikileaks. The dilemma it raises is about internal trust and access to internal company knowledge. Using security profiles goes some way by protecting the document wherever it is moved within the system, and if this is done well it can be largely transparent to end-users. In our next software release due out in a few weeks we will be introducing more emphasis on document analytics, which means using statistics about how documents are used to identify trends.

At the time of release it will predominantly be a framework and we'll be issuing a request to our user base to come up with use cases that they think will be useful to implement upon the framework. I'm going to predict that pinpointing unusual trends in internal document downloads ("user X has downloaded 250,000 documents") will be one of them.
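As an added illustration of the "user X has downloaded 250,000 documents" use case (and of the kind of audit trail described earlier), here is a small Python script that is not CogniDox code and not part of the original post. It assumes a hypothetical audit-log format of one event per line (timestamp, user, action, document id), builds a constructed sample log inline, and flags two patterns a defender would want to see: a user whose total download count is far above the median for all users, and a user who pulls many distinct documents within a short time window. The thresholds are assumptions chosen for the example, not recommended values.

```python
"""Flag unusual bulk-download activity in a document audit trail (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_log():
    """Constructed sample audit log in a hypothetical '<iso-timestamp> <user> <action> <doc>' format.
    alice and bob behave normally; carol pulls 60 documents in about four minutes."""
    lines = [
        "2010-11-29T09:00:01 alice download DOC-1001",
        "2010-11-29T09:12:40 alice view DOC-1002",
        "2010-11-29T10:05:13 bob download DOC-1003",
        "2010-11-29T11:30:00 alice download DOC-1004",
        "2010-11-29T14:02:55 bob download DOC-1005",
    ]
    base = datetime(2010, 11, 29, 13, 0, 0)
    for i in range(60):
        ts = (base + timedelta(seconds=4 * i)).isoformat()
        lines.append(f"{ts} carol download DOC-{2000 + i}")
    return "\n".join(lines)


def parse_log(text):
    """Parse the hypothetical log format into (timestamp, user, action, doc) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, doc = line.split()
        events.append((datetime.fromisoformat(ts), user, action, doc))
    return events


def download_counts(events):
    """Total downloads per user (views and other actions are ignored)."""
    return Counter(user for _, user, action, _ in events if action == "download")


def flag_outliers(counts, factor=10, floor=20):
    """Flag users whose download total exceeds `factor` times the median across users
    and is at least `floor`. Both thresholds are assumptions for this example."""
    if not counts:
        return {}
    med = median(counts.values())
    return {u: n for u, n in counts.items() if n >= floor and n > factor * med}


def flag_bursts(events, window=timedelta(minutes=5), limit=10):
    """Flag users who download more than `limit` documents inside any `window`.
    Returns the size of the first burst found per user (sliding-window scan)."""
    per_user = defaultdict(list)
    for ts, user, action, _ in events:
        if action == "download":
            per_user[user].append(ts)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged[user] = end - start + 1
                break
    return flagged


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    counts = download_counts(evts)
    print("downloads per user:", dict(counts))
    print("volume outliers:", flag_outliers(counts))
    print("burst downloaders:", flag_bursts(evts))
```

On the constructed log the median-based check flags carol for volume and the sliding window flags her again after the eleventh download in under five minutes; alice and bob stay clear. In a real deployment the two checks complement each other: the volume check catches slow, steady exfiltration over days, while the burst check catches the "save everything to a disc" pattern within minutes, before the daily totals are even computed.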

None of this is to ignore the bigger moral and ethical issues around Wikileaks - when is a 'whistle-blower' a hero and when a villain? And now the news is that the Wikileaks site has been under a massive distributed denial-of-service attack and they've been obliged to move from their hosted service in France to Amazon cloud servers in Ireland and the USA. It seems that no matter what 'side' you're on, information protection is a big issue today and may be the issue of the coming decade.

Tags: Document Control, Enterprise Software