Is Preventing Leaks a Technological Problem?
The WikiLeaks drama has prompted a round of outbursts from lawmakers about how federal agencies should prevent leaks of sensitive data. In a highly fraught and deeply politicized post-WikiLeaks environment, it's important that agencies come up with solutions that aren't just hasty reactions to Capitol Hill rhetoric.
Some suggestions, such as the proposal by House Homeland Security Chairman Peter King, R-N.Y., that the Treasury Department rule all business transactions (including book deals) with WikiLeaks founder Julian Assange as interactions with a "terrorist organization," already have been batted down. "We do not have evidence at this time as to Julian Assange or WikiLeaks meeting criteria under which OFAC [the Office of Foreign Assets Control] may designate persons and place them on the SDN [Specially Designated Nationals] list," a Treasury spokesperson told The Hill.Â
Others on Capitol Hill see technological solutions as an alternative to legal and economic sanctions.
In a joint commentary piece in The Wall Street Journal, Sens. Joseph Lieberman, I-Conn., and Susan Collins, R-Maine, asked federal technologists to rethink how data is moved around their agencies. They called for technological safeguards to be built into place to balance information-sharing against the threat of unlawful leaks.
Alan Paller, the research director of the cybersecurity training school the SANS Institute, defended this approach. The WikiLeaks dumps took place "because [agencies] did information sharing without putting in controls that would monitor for inappropriate information sharing. The rule became need to share rather than the need to know," said Paller.
Role-based access -- which restricts access to sensitive data to a select few who need to engage with the data -- is "available, but not implemented," he said.
That's because it's not easy to implement. It's tricky to tag documents in a way that ensures that each is accorded the proper level of access, Paller said. Too often, documents end up being graded either too inaccessible or too accessible, allowing those with the right security clearances or roles to get privileged access to a sea of data. It would have been hard to argue that Bradley Manning, the Army intelligence analyst charged with leaking 250,000 cables to WikiLeaks, didn't need the access he had in order to do his job.
While software that monitors network traffic could alert supervisors to anomalous download activity could help prevent WikiLeaks dumps, it's not the be-all and end-all. "Manning could say, 'they're checking if I download 20, so I can do 20 documents every day" over an extended period, Paller said.
With enough skill, those from within can exploit vulnerabilities in software codes or systems to successfully build backdoors that would allow them encrypted access to sensitive data. The threat from within has always existed, certainly since Daniel Ellsberg leaked the 1971 Pentagon Papers. While a combination of legal action and technological overhauls might reduce the scale of leaks, the question of how to prevent them might ultimately boil down to the simpler -- and more profound -- problem: How to ensure that those with access agree that it should remain protected?
NEXT STORY: DOD social media policy set to return to limbo