More lessons to be learned from WikiLeaks on information sharing, access control, and trust
There is no shortage of post-hoc analysis on how a quarter million State Department cables and other documents were acquired and sent to WikiLeaks, how a recurrence of such an incident might be avoided, or on the security implications for government agencies and commercial enterprises alike. Where these points converge is in the area of granting trusted individuals access to sensitive information — a topic that is already (or should be) on the minds of managers in public and private sector organizations in just about every industry. A closer look at the situation illustrates the risks inherent in many types of information sharing, and of relying on knowing and trusting your users instead of locking down access to the systems that contain the data you want to protect.
As Joby Warrick explained in a New Year’s Eve article in The Washington Post, the Net-Centric Diplomacy database in which the classified documents were stored was built with information sharing as a priority, not on access control or monitoring user-level activity. Instead, the system relied to some extent on security-by-obscurity and, because it was deployed on the DoD’s SIPRnet classified network, the database in theory was only available to trustworthy users — that is, people who had been granted security clearances by the government. Under the system’s security model, anyone possessing an appropriate clearance could get to the information stored in the database, which by some estimates would suggest that close to a million government employees, contractors, and military personnel might have access. What the system lacked was security controls to monitor potentially unauthorized or inappropriate activities such as downloading large volumes of documents from the database. The lack of finer-grained access controls coupled with insufficient monitoring essentially left the door open to misappropriation of data by an authorized user, which is apparently exactly what happened in this instance.
Corrective actions for these security weaknesses might include implementing better access controls, or perhaps putting better audit logging or even data loss prevention mechanisms in place. The fact that the system was apparently designed and deployed with this security posture highlights the other key assumption that turned out to be false: that background checks and investigations done in order to grant security clearances are sufficient indicators of the trustworthiness of individuals. In a tacit acknowledgment of this problem, a January 3 memo from the Office of Management and Budget to all federal agencies asks, among several questions on deterring, detecting, and defending against unauthorized disclosures by employees, how agencies measure trustworthiness among employees, and specifically whether social or psychological factors are taken into account when assessing employ trustworthiness. A system with an access model that presumes anyone who can get access as an authorized user is trustworthy is clearly vulnerable to abuse of privileges, so organizations deploying systems in this way would do well to think about ways to safeguard information from misuse, and also might want to validate the means they use to grant access to users in the first place. By asking agencies to conduct a self-assessment of potential system vulnerabilities and weaknesses, officials at OMB seem to want not only to head off future leaks, but also to get agencies to take a closer look at their security measures with insider threats (like disgruntled yet authorized users) in mind.