A leaking (or spy) scandal that erupted in mid-June may illuminate the issue of cyber security. While in Iraq, U.S. Army Private First Class Bradley Manning offered an organization called Wikileaks extensive classified information on what he considered recent U.S. misdeeds. His offer included a database of 260,000 classified State Department cables, which he claimed demonstrated the numerous evils of current operations in the ongoing war against terrorism. The leaker was turned in by an earlier leaker to whom he had gone for advice; the other man was horrified by the possibility that masses of information, which he thought could cost American lives, would fall into enemy hands. Wikileaks itself has not published the supposed State Department database, and claims it was never received.
The leaker, a low-level intelligence analyst, described feelings of inadequacy and hopes that he could, through his leaking, achieve something out of his floundering military career. Wikileaks first gained notoriety by creating a video showing what appeared to be the deliberate murder of Iraqi civilians by Americans, in the aftermath of a mistaken raid on Iraqis who may not actually have been insurgents. Publicity surrounding the video, and Wikileaks' pride in exposing governmental misconduct around the world, seems to have led Manning to contact the organization.
Wikileaks exploits the character of the Internet to avoid destruction by the many governments it has embarrassed. It has no physical address and is run by computer experts who can conceal both the locations it does use and those who leak to it. In its own view, it forces governments to act more honestly by threatening to expose their sins.
This aspect of the leaking episode raises the question of boundaries: when is a leak a virtuous attack on government illegality, and when is it an attack on real national security?
This is clearly not a new question, and the U.S. media have raised it repeatedly during the current war against terrorism. To what extent, for example, did it help the U.S. effort against al Qaeda and its friends to publicize attempts by the National Security Agency to read their e-mails? In the past, it has generally been agreed that publicizing code-breaking and communication interception could have devastating effects on U.S. national security, but the media have been exempt from attack on those grounds.
In this case the leaker fit the classic profile of someone vulnerable to recruitment by a hostile intelligence agency: a mixture of low self-esteem, resentment at not having had his talents properly recognized (he said that his military career had been ruined), and grandiosity (he had a rather inflated idea of what the release of his State Department database would have achieved). Instead of having been turned by a foreign organization, he was self-recruited, but the issue is the same.
So what does all of this say about the new world of cyber security?
We tend to treat cyber security the way we treat communications security; we see it in terms of how well we can encrypt data and how well our enemies can get into our systems by breaking our codes. The point of the leak scandal is that this is only a part of the story. It may well be that most security problems are human, not cyber-technological ones. By making the cyber-world more and more mysterious to laymen, we avoid facing that reality. Some of the problems are due to laziness or, worse, to ignorance on the part of decision-makers of the implications of what they do or do not allow.
"Need-to-Know"
Take the Manning case. Exactly why did an Army private, presumably doing low-level intelligence analysis of insurgencies in a corner of Iraq, have access to hundreds of thousands of State Department cables?
Almost certainly the reason is that it is much easier to provide a single point of access to a vast amount of information than to filter it according to "need-to-know" and professional level. In the past, having access to, say, a classified library did not mean reading at will; typically need-to-know had to be taken into account. The Internet is often likened to a vast library. In fact, the civilian Internet is surprisingly limited when it comes to specialized topics. However, if nearly all intelligence documents are produced as electronic publications and thus become available on the classified-intelligence net, then that becomes the best classified library ever created.
Moreover, computer technology makes it easy to collect information by downloading onto high-capacity media. The gigabyte card you have in your camera, for example, can accommodate thousands of pages. It is not clear that senior decision-makers entirely appreciate what this sort of access means. At one point during the previous administration it was decided that filtering military Internet information was too difficult, and our Coalition partners were granted blanket access (presumably some information had been removed from that access, but that is not clear). Was that really what was wanted?
About a decade ago, the late Vice Admiral Arthur K. Cebrowski celebrated the idea of increasingly "flat" organizations in which information would flow freely so all participants could understand what they had to do. That vision has now in many ways been realized, particularly in the worlds of intelligence and command-and-control. In effect, the current scandal is the flip side of that vision. Not everyone in a flat organization necessarily shares the goals of the organization. The dot-coms suffered horrific losses partly because they had eliminated the usual hierarchy of decision-makers (and responsibility-takers); it was too easy for someone to spend irresponsibly on attractive but pointless things, like luxury pool tables.
In the Wikileaks case, the equivalent of gross overspending on the part of the Army private was gross leaking of classified information, because he did not share the goals of his organization (the Army). In the past, the Army assumed that privates were often irresponsible, but that was tolerable because they were tightly supervised. A flat organization depends in effect on self-supervision but cannot escape the human element that earlier pyramided organizations were designed to handle.
A few years ago the inventor of a current standard form of computer encryption decided to examine security failures for a book. He thought he would take a month's worth of failures, but stopped in frustration after a few days. Again and again, those who had paid heavily for technical solutions to cyber security had defeated themselves by their laziness, stupidity, or corruption. After all, it takes only the day's password to penetrate some computer system, and if hundreds or thousands of people have (and legitimately need) such access, how difficult is it to find one susceptible to a good-sized bribe, or to a good enough threat?
That is how intelligence agencies worked in the past, and people have not changed. The security inventor remarked that he had invented a million-dollar lock that had generally been installed on a glass door.
Reading the Signs
In theory, modern technology makes it more difficult for anyone trying to steal classified data. Also in theory, every time PFC Manning entered some database clearly irrelevant to what he was doing, his access was recorded. In reality, although records of access probably exist, it is very unlikely that anyone was reading or understanding them. The records may be important if and when the private is court-martialed, but they were not used to detect his efforts. Nor is it clear that telling all intelligence analysts that "Big Brother is watching" will improve their morale or their productivity. Taking need-to-know to its logical limit kills the creativity that is so important, but surely there is some point at which a very inexperienced low-level intelligence employee ought to have his access limited.
It is not clear just how damaging Manning's efforts were. Ideally, his case will wake us up to the reality of cyber security: that it is far more than an exercise in sophisticated computer (including software) technology. History suggests some other issues. The most depressing aspect of past experience in code-breaking is that the victims very often denied any allegation that their codes had been compromised. Many accounts of the successful Allied attack on German and Japanese codes claim that the victims resisted awareness because of the evil nature of their societies. That does not quite explain why so many in the U.S. government resisted awareness that codes had been compromised in the 1970s. Explanations of failed operations and the unexpected appearance of Soviet warships near, for example, U.S. submarines showed eerie echoes of World War II German and Japanese explanations of misfortunes that we now know came out of Allied code-breaking. It seems no one in the 1970s wanted to admit that, once the U.S. code machines had been lost on board the USS Pueblo (AGER-2), any compromise of code keys would be fatal.
How different was the decision to use standard machines on board the intelligence-gathering ship, which had a fair chance of being seized, from the decision that every private in Army intelligence should have total access to information?
Both decisions were made in the darkest part of the code-and-intelligence world, and few outside would have been aware of them or of their likely consequences. Unless there is a widespread understanding of the issues (not the classified details) of cyber-security, key unfortunate decisions will likely be unknown until their consequences bite us, just as they did in the code disasters of the past.