The last week of November 2010 saw the often-labeled whistleblower website WikiLeaks publish around a quarter million confidential diplomatic cables, much to the embarrassment of the US government.
Among the information leaked in the diplomatic cables is correspondence discussing the connections between the Chinese government and the Operation Aurora attacks that dominated the news at the beginning of 2010.
Other cables demonstrate an apparent link between US and Israeli researchers – according to a recent analysis by the New York Times – as they teamed up to set the Iranian nuclear program back as much as five years by delivering the destructive malware known as Stuxnet to systems operating its nuclear centrifuges.
The cables themselves became almost a sideshow to the more sensational spin-off stories – the legal troubles of WikiLeaks and its co-founder Julian Assange, the retaliatory distributed denial-of-service attacks (DDoS) that ensued, greater questions about the legitimacy of WikiLeaks’ role in informing the general public, how an Army private was able to make off with so much classified information, and the government’s ability to protect its own data.
Let the Battles Begin
The DDoS attacks started before WikiLeaks even officially published the cables, as a modest application-level hack ahead of the well-leaked release briefly took down the WikiLeaks site on Nov. 28, prompting the organization to redirect its DNS configurations from its Swedish provider to Amazon cloud services in the US and Ireland.
The very next day saw the US government issue a memo to all federal departments and agencies, directing each of them to create an assessment team to evaluate employees’ access rights, in addition to the use of removable media devices on computers with access to classified government networks.
It was a direct response to the alleged method by which the documents were believed to be leaked, as Private Bradley Manning, an intelligence analyst with the US Army, used a simple USB drive to make off with classified materials that included the State Department cables.
In the memo, Jacob Lew, the Office of Management and Budget director who issued the document, alluded to the political ramifications of the cable leaks when highlighting the trust aspects underlying the whole affair: “Our national defense requires that sensitive information be maintained in confidence to protect our citizens, our democratic institutions. Any unauthorized disclosure of classified information is a violation of our law and compromises our national security.”
Next, on Dec. 2, the State Department severed the information-sharing connection between it and the Department of Defense that was established in the wake of the 9/11 terrorist attacks.
Then the internet war ensued. Many commercial websites fell afoul of the amassing pro-WikiLeaks contingent over the next week or so, with the entire event spawning the ‘Anonymous’ attack group and a DDoS battle.
‘Operation Payback’, as it was labeled, was directed at those thought responsible for the arrest of WikiLeaks founder Julian Assange, in addition to organizations that sought to distance themselves from WikiLeaks. These included PayPal, Visa, MasterCard, and WikiLeaks’ hosted cloud services provider, Amazon.
In a well-publicized show of support for WikiLeaks, the Anonymous Group wreaked widespread yet relatively minor havoc on the affected commercial sites to the tune of about 3–4 Gbps of DDoS traffic. As Craig Labovitz, chief security scientist with Arbor Networks, put it, “other than the intense media scrutiny, the attacks were unremarkable”.
What the affair did create, however, was a social movement, said Amichai Schulman, chief technology officer at security firm Imperva. The company’s data indicated that the Anonymous group effectively created a botnet of over 40 000 computers over a very short timeframe, derived partly from an open-source network stress testing tool “tweaked to include a central command-and-control module”.
All of the high drama played out on an international stage, and just before the holiday season. It had many wondering: is WikiLeaks the new ‘Deepthroat’ of the digital age, a symbol of courage in the face of wrongdoing? Or is the site – which considers itself to be at the cutting edge of journalism – doing nothing more than quasi-criminal espionage?
Regardless, one thing is certain: this latest, most infamous example of insider data leakage gave those in the information security business plenty to talk about heading into 2011.
It was immediately believed that the most damaging aspect of the entire ‘Cablegate’ incident would be the actual content of the cables, anticipating they would contain either highly damaging or perhaps embarrassing revelations.
To be sure, there are some of these nasty little bits in the documents, but even WikiLeaks itself has redacted some cables it views as national security risks.
The true shockwaves of the entire event seem to center around questions about how this happened in the first place, and how it can be prevented in the future. If you ask some experts in the IT security industry, it appears to come down to two culprits: policy and technology.
Alan Bentley, VP international for security firm Lumension, agreed with the Obama administration’s immediate call for a review of user access privileges as outlined in the aforementioned memo from OMB director Jacob Lew. “The insider is by far the biggest threat to data security”, he said when commenting on the memo. “And this is unlikely to change as there has to be a level of trust assigned to employees to enable them to be productive.”
Putting thoughts on examining policy aside, Bentley did warn that similar considerations need to be taken into account when it comes to restricting the ability to place classified information on removable media.
It seems the actual technology involved in the data theft – those all-too-ubiquitous thumb drives – has also been a target of the post-incident cleanup effort.
In the immediate aftermath of the WikiLeaks affair, US Air Force Maj. Gen. Richard Webber, commander of the branch’s Network Operations arm, issued an order banning the use of removable media on all devices accessing the Defense Department’s Secret Internet Protocol Router Network, or SIPRNet, which allows DoD personnel to transmit highly classified information in an encrypted manner.
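The Air Force order is a policy; the control it implies on a host is two-sided: block the mass-storage driver so a thumb drive cannot attach, and watch the kernel log so any attach on a host where the policy applies is flagged. The following Python is an added example written for this article, not code from the Air Force, DoD or any SIPRNet system. The host names, the policy table, the modprobe file path and the syslog lines are all constructed for illustration; the kernel message formats (“USB Mass Storage device detected”, “Attached SCSI removable disk”) are the ones the Linux usb-storage and sd drivers actually emit.

```python
"""Removable-media policy on a Linux host: block the driver, detect attach events.

Added example, not from the article or from any DoD system. Host names, the
policy table, the modprobe path and the log lines are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Hosts on which policy forbids removable media (assumed names, not real systems).
NO_REMOVABLE_MEDIA_HOSTS = {"siprnet-ws01", "siprnet-ws02"}

# Enforcement half: content for a modprobe drop-in such as
# /etc/modprobe.d/no-usb-storage.conf (path assumed). "install ... /bin/false"
# makes any attempt to load the usb-storage module fail, so the attach below
# never completes on a host that ships this file.
BLOCK_USB_STORAGE_CONF = "install usb-storage /bin/false\n"

# Detection half: syslog-forwarded kernel lines announcing a USB mass-storage
# interface or a removable SCSI disk. Both message texts are real kernel strings.
USB_STORAGE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) kernel: \[\s*(?P<uptime>[\d.]+)\] "
    r"(?:usb-storage (?P<iface>\S+): USB Mass Storage device detected"
    r"|sd \S+: \[(?P<disk>sd[a-z]+)\] Attached SCSI removable disk)"
)


@dataclass(frozen=True)
class MediaEvent:
    host: str
    uptime: float      # seconds since boot, as printed by the kernel
    device: str        # USB interface id or block device name
    violation: bool    # True when the host is on the no-removable-media list


def parse_events(lines):
    """Return one MediaEvent per removable-media attach line, in log order."""
    events = []
    for line in lines:
        m = USB_STORAGE_RE.match(line.strip())
        if not m:
            continue
        host = m.group("host")
        device = m.group("iface") or m.group("disk")
        events.append(MediaEvent(host, float(m.group("uptime")), device,
                                 host in NO_REMOVABLE_MEDIA_HOSTS))
    return events


def violations(lines):
    """Only the events that break policy; this is what an alert would be raised on."""
    return [e for e in parse_events(lines) if e.violation]


# Constructed sample log: a full attach sequence on a restricted host, one attach
# on an unrestricted host, and a fixed (non-removable) disk that must not match.
SAMPLE_LOG = [
    "Dec  5 10:12:01 siprnet-ws01 kernel: [ 1234.567890] usb 1-1: new high-speed USB device number 4 using xhci_hcd",
    "Dec  5 10:12:01 siprnet-ws01 kernel: [ 1234.901234] usb-storage 1-1:1.0: USB Mass Storage device detected",
    "Dec  5 10:12:02 siprnet-ws01 kernel: [ 1235.812345] sd 6:0:0:0: [sdb] Attached SCSI removable disk",
    "Dec  5 10:15:44 unclass-ws07 kernel: [   98.123456] usb-storage 2-3:1.0: USB Mass Storage device detected",
    "Dec  5 10:16:00 siprnet-ws02 kernel: [   77.000000] sd 4:0:0:0: [sda] Attached SCSI disk",
]

if __name__ == "__main__":
    for e in violations(SAMPLE_LOG):
        print(f"POLICY VIOLATION host={e.host} device={e.device} uptime={e.uptime}")
```

Run stand-alone, the script prints two violations for siprnet-ws01 (the interface and the block device of the same drive) and nothing for unclass-ws07 or for the fixed disk on siprnet-ws02. Reporting both the usb-storage line and the sd line is deliberate: if the modprobe block is in place the first never appears, so its presence on a restricted host means the enforcement half has been bypassed or is missing, which is worth knowing separately from the fact that a disk was attached.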
Many applauded the Air Force directive as a sensible solution; others criticized it as a knee-jerk response. Craig Robinson, chief operating officer of GlobalSCAPE, told Infosecurity US that the decision to ban thumb drives is a stop-gap measure, and is not a long-term solution to prevent another WikiLeaks scenario.
Robinson said one solution to prevent a similar leak would be the ‘two-person rule’, which would prohibit a single person from accessing confidential data without someone else being present.
“The WikiLeaks incident highlights the risk that is inherent in having so much information readily available at somebody’s fingertips”, he noted. “I think the real long-term fix involves policy change and technology change as well.”
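Robinson’s ‘two-person rule’ is a separation-of-duties control, and it is easy to get wrong in software: the second person must be a different identity, must hold clearance for the record in question, and the decision must be recorded whether or not it succeeds. The following Python is an added example illustrating that control; it is not code from GlobalSCAPE, the State Department or any system discussed in the article. The user identities, clearance levels, record identifiers and record contents are constructed assumptions.

```python
"""Two-person rule for releasing a classified record (added example, not from the article).

No single person can read a record: a requester opens a request and a second,
distinct, sufficiently cleared person must approve it. Every decision, allowed
or denied, is appended to an audit trail. All identities and records are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Ordered clearance levels (assumed scheme for the example).
CLEARANCE_RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass(frozen=True)
class Person:
    user_id: str
    clearance: str


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str
    body: str


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


class TwoPersonGate:
    """Releases a record only after two distinct, cleared people act on the same request."""

    def __init__(self, records):
        self._records = dict(records)
        self._pending = {}          # record_id -> user_id of the person who opened the request
        self.audit = []             # one line per decision, denials included

    def _cleared(self, person, record):
        return CLEARANCE_RANK.get(person.clearance, -1) >= CLEARANCE_RANK[record.classification]

    def request(self, requester, record_id):
        """First person: open a request. Never returns the record body."""
        record = self._records.get(record_id)
        if record is None:
            return self._log(record_id, requester, False, "no such record")
        if not self._cleared(requester, record):
            return self._log(record_id, requester, False, "insufficient clearance")
        self._pending[record_id] = requester.user_id
        return self._log(record_id, requester, False, "awaiting second person")

    def approve(self, approver, record_id):
        """Second person: returns (decision, body); body is None unless allowed."""
        record = self._records.get(record_id)
        first = self._pending.get(record_id)
        if record is None or first is None:
            return self._log(record_id, approver, False, "no pending request"), None
        if approver.user_id == first:
            return self._log(record_id, approver, False, "same person cannot approve own request"), None
        if not self._cleared(approver, record):
            return self._log(record_id, approver, False, "second person lacks clearance"), None
        del self._pending[record_id]            # a release consumes the request
        return self._log(record_id, approver, True, f"released with {first}"), record.body

    def _log(self, record_id, person, allowed, reason):
        verdict = "ALLOW" if allowed else "DENY"
        self.audit.append(f"{record_id} {person.user_id} {verdict} {reason}")
        return AccessDecision(allowed, reason)


def demo():
    """Walk through the rule with constructed identities; returns the audit trail."""
    gate = TwoPersonGate({"cable-0001": Record("cable-0001", "SECRET", "constructed sample cable text")})
    analyst = Person("analyst1", "SECRET")
    supervisor = Person("supervisor1", "SECRET")
    clerk = Person("clerk1", "CONFIDENTIAL")
    gate.request(analyst, "cable-0001")         # opens the request, body withheld
    gate.approve(analyst, "cable-0001")         # denied: same identity as requester
    gate.approve(clerk, "cable-0001")           # denied: not cleared for SECRET
    gate.approve(supervisor, "cable-0001")      # allowed: distinct, cleared second person
    return gate.audit


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The denials are the point: a gate that only logged successful releases would hide exactly the pattern (one person repeatedly trying to self-approve) that a reviewer of the audit trail needs to see. Identity here is a plain string; in a real deployment the two `Person` values would come from two separate authenticated sessions, not from the caller.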
The US government again responded with further instruction from the OMB on Jan. 6, 2011, as a memo issued by the agency, crafted by some of the Obama administration’s top intelligence officials, handed down instructions with 100 questions to ask during federal agency security reviews. The aim of the questions was to measure the ‘trustworthiness’ of government employees.
The memo makes specific reference to the ‘post-WikiLeaks environment’ and asked agency officials to assess the trustworthiness of their staff much in the way psychologists measure employee job satisfaction – it was thought that the soldier who leaked the classified cables was upset with being demoted before he gave up the documents to WikiLeaks.
The Political Ramifications
One consequence of the WikiLeaks cables is a tightening on the grip of information sharing among different government agencies that was loosened after the 9/11 terrorist attacks. Less than a week after the cables were posted online, access to the State Department’s database of embassy cables was rolled back, cutting off the military’s ability to view the documents via SIPRNet.
SIPRNet was expanded after 9/11 to help prevent another of the ‘unconnected dots’ situations that allowed the terrorist attacks to proceed undetected. It is believed, however, that this very loosening allowed the accused WikiLeaks informant to get his hands on the confidential cables.
If the aim of the new order after 9/11 was to promote the sharing of information among the intelligence community, then there is no telling the long-term ramifications of this policy reversal.
The political hacktivist response to WikiLeaks, furthermore, is nothing new, said Ray Stanton, the global head of business continuity, security, and governance for BT, the world’s largest telecommunications provider. “We’ve seen idealists threaten to engage in DDoS attacks before”, he said, listing as examples the 2007 attacks in Estonia and similar efforts targeting the G-20 summits, to name a few.
“These are things that organizations have seen, and organizations need to be prepared for. It’s not going away and is going to continue into the future.”
The most damaging aspect of the diplomatic cable leaks, added Stanton, may be a loss in confidence in the US government and in its ability to maintain the security of its information. “It’s about how your brand gets damaged in this case – whether you’re a government or a corporate.”
He said that the effects on the intelligence/defense agencies may not be immediate. In the long run, however, some people may lose their jobs over the leak.
And while he contended that a loss in confidence is inevitable, it may lead to an ironic increase in funding to help enhance security. “If you cut things to the bone”, Stanton frankly acknowledged, “then mistakes are going to happen.”
While WikiLeaks, Julian Assange, and Bradley Manning appear to be under the strain of the US legal system, the US diplomatic corps appears to have survived the entire incident relatively unscathed. Thankfully, for the State Department, the WikiLeaks story has taken on a life of its own, relegating the content of the cables to just a footnote.