In December of 2006, WikiLeaks came online and has been leaking sensitive documents on its site ever since. That is the case in the recent release of 250,000 classified State Department documents and the soon to be release of sensitive internal documents from a major U.S. bank that is causing an immense controversy on the political and information assurance community.
The political aspect is obvious to many of us, but the information assurance side reveals a scary situation. If the government, with all of its resources is having difficulties protecting sensitive documents, what chances do private companies have?
It is clear the government’s information security controls were not properly implemented to prevent the access and collection of sensitive documents. It was stated Private Bradley Manning who is currently in custody by the U.S. military for releasing classified videos early this year to WikiLeaks had access to the SIPRNET network for up to 14 hours a day. The SIPRNET is a classified network used by the Department of Defense, the State Department and the Intelligence Community to communicate Top Secret information. In the clearance world, just because a person is granted a Top Secret security clearance, does not make them privy to all top secret content. There is a practice called need-to-know which states you only need to know enough information to do your task. This clearly was not the case in the recent document leaks suffered by the U.S.
This brings another information assurance issue of concern to the forefront. Internal Threats — It has been stated the greatest security threat to an organization are its employee. Several organizations focus their resources on keeping out the external threat, when many in the information assurance industry agree there need to be equal attention to internal security as well. Employees are already in the system and familiar with many of the controls and how to circumvent them as well.
As a result of the recent leaks, The White House ordered restricted access to classified documents. Furthermore, players on both sides of the WikiLeaks issues are expressing dissatisfaction with various cyber-attacks. Those against WikiLeaks practices are conducting denial-of-service cyber-attack on the site and those who favor WikiLeaks are conduct cyber-attacks against sites that have tried to hamper their operations.
The bottom-line, implementing practical information security controls that will not impede business functions are a difficult task. A balance has to be in place as well as the proper security controls to mitigate security issues.