Incident Response, Network Security, TDR

How the WikiLeaks crisis could have been prevented

What do Metallica and the U.S. government have in common?

They are both fighting to control information once it has been placed on the internet.

Like Napster, which critics say rocked the music industry by enabling piracy and which was eventually sued by the band Metallica, the current WikiLeaks crisis concerning the unauthorized access and downloading of sensitive and classified diplomatic cables and other files is simply another example of a controversial yet highly efficient and hard-to-stop internet distribution engine for the global sharing of data.

Both Metallica and the U.S. government have gone after these internet distribution systems in an attempt to regain control of content they own.

But it is a losing battle. For Metallica, not much has been done to stop the millions of people who illegally access and share music files. Internet users know several Napster replacements exist that still amass files and enable the sharing of them.

When something people want – music or data – becomes public, you can be sure that people will find a way to share it. Clearly, once information is available online – whether government cables or music – the people who own the information have lost all control over it. They can discuss new laws to accommodate new technologies, ethics and so on, but an equally pertinent question is, “What could we have done to prevent this in the first place?”

The fundamental issue remains that in most organizations, trust is granted to staff, allowing them access to vast amounts of an organization's most sensitive data. And now the adoption of mobile and cloud computing paves the way for trusted staff to transfer and share data on the internet.

How do you manage trust to so much data and how do you recover your sensitive data once it is posted on the internet?

You can't put the genie back in the bottle, so the real question should be, “What are we doing to keep it in?”

In the early 1990s, both blackhats and whitehats (cyber-savvy individuals who use their know-how for bad or good, respectively) played around with ways to extract information from systems and were amazed at the assets they could access. It didn't require a high level of sophistication to generate a virus and exploit weaknesses in systems.

As the security market continued to expand, most of the early demand was for solutions to problems that didn't threaten to siphon sensitive information or steal intellectual property. Rather, the problems that people paid money to fix were annoyances that took up the IT or security department's time or that cut into employee productivity.

Still, this was enough to fuel significant investment in security products to thwart issues like denial-of-service and destruction of data. Now, for the most part, companies seem to have established at least a reasonable state of availability to servers, storage, and communication services. Headlines don't frequently talk anymore of a virus getting into a system and shutting the whole network down.

Yet we still have not gotten ahead of the problem of a capable, motivated attacker who, in some cases, is sponsored by a foreign government.

The WikiLeaks loss represents yesterday's clumsy virus. Quite simply, the leak originated from a low-level analyst trusted to follow policy. And while the security community is all abuzz about emerging advanced persistent threats capable of sophisticated and coordinated attacks on nuclear plants – think Stuxnet – let us not forget that we continue to be at great risk from much less sophisticated threats, such as trusted insiders whose access is constrained by nothing more than basic tools such as handbooks and written policy.

The sticky area has always been the way organizations grant trust and the amount of power given to a user once that trust has been granted.

There has to be a shift in paradigm. Companies should still aim to establish trust – with background investigations and such – when they engage with partners, employees, etc. But organizations can no longer extend that level of trust to things as powerful as information systems and technology, and in particular, those trusted to administer and manage these platforms.

Commonly, a system admin gets a background check, gains clearance and is handed the ultimate access to government or company information and infrastructure.

Not anymore.

Companies need to move to a zero-trust model, to enforce written policy with technology.

At a minimum, the WikiLeaks loss should sound an alarm for access control of privileged users, such as web and system administrators. The potential for loss is too great to expect that all people are going to pay attention to a memo or follow the employee handbook. After all, it only took one bad seed for WikiLeaks to occur.
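The article's prescription is that written policy should be enforced by technology rather than by a memo: deny by default, limit each role to what it needs, and require a second person before one trusted user can pull a large volume of sensitive records. The following is an added example of that idea as policy-as-code; it is not code from the article or from SC Media. The role names, clearance levels, compartments, the bulk-export threshold and the sample requests are all constructed assumptions chosen to exercise each policy branch.

```python
"""Deny-by-default policy check for privileged access to sensitive records.

Added illustration (not from the article). Every value below is a constructed
assumption: role scopes, classification ladder, the bulk-export threshold and
the sample principals/requests. The point is that each sentence of a written
handbook becomes a check the system enforces and logs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordered classification ladder; higher index = more sensitive (assumed).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]

# Role -> permitted actions and compartments (need-to-know), both assumed.
ROLE_SCOPES = {
    "analyst": {"actions": {"read"}, "compartments": {"region-east"}},
    "sysadmin": {"actions": {"read", "export", "admin"},
                 "compartments": {"region-east", "region-west"}},
}

# Exports larger than this need a second, distinct approver (assumed threshold).
BULK_EXPORT_THRESHOLD = 100


@dataclass
class Principal:
    user: str
    role: str
    clearance: str


@dataclass
class Request:
    principal: Principal
    action: str
    classification: str
    compartment: str
    record_count: int = 1
    approver: Optional[str] = None  # second person who approved a bulk export


@dataclass
class Decision:
    allowed: bool
    reason: str


# Append-only trail of every decision, allow and deny alike.
AUDIT_LOG: List[Dict] = []


def evaluate(req: Request) -> Decision:
    """Return the first policy that fails, or allow when all checks pass."""
    scope = ROLE_SCOPES.get(req.principal.role)
    if scope is None:
        decision = Decision(False, "unknown role")
    elif req.action not in scope["actions"]:
        decision = Decision(False, f"role {req.principal.role} may not {req.action}")
    elif req.compartment not in scope["compartments"]:
        decision = Decision(False, f"no need-to-know for {req.compartment}")
    elif req.principal.clearance not in LEVELS or req.classification not in LEVELS:
        decision = Decision(False, "unrecognised classification level")
    elif LEVELS.index(req.principal.clearance) < LEVELS.index(req.classification):
        decision = Decision(False, "clearance below record classification")
    elif (req.action == "export" and req.record_count > BULK_EXPORT_THRESHOLD
          and (req.approver is None or req.approver == req.principal.user)):
        # Two-person rule: a bulk export needs an approver who is not the requester.
        decision = Decision(False, "bulk export requires a second, distinct approver")
    else:
        decision = Decision(True, "all policy checks passed")
    # Log denials too, so attempts are visible, not only successes.
    AUDIT_LOG.append({"user": req.principal.user, "action": req.action,
                      "count": req.record_count, "allowed": decision.allowed,
                      "reason": decision.reason})
    return decision


def run_samples() -> Dict[str, bool]:
    """Constructed requests, one per policy branch; returns name -> allowed."""
    analyst = Principal("a.lowlevel", "analyst", "SECRET")
    admin = Principal("s.admin", "sysadmin", "TOP_SECRET")
    samples = {
        "analyst_reads_own_compartment": Request(analyst, "read", "SECRET", "region-east"),
        "analyst_reads_above_clearance": Request(analyst, "read", "TOP_SECRET", "region-east"),
        "analyst_exports": Request(analyst, "export", "SECRET", "region-east", 5),
        "admin_bulk_export_alone": Request(admin, "export", "SECRET", "region-west", 250000),
        "admin_bulk_export_self_approved": Request(admin, "export", "SECRET", "region-west",
                                                   250000, approver="s.admin"),
        "admin_bulk_export_two_person": Request(admin, "export", "SECRET", "region-west",
                                                250000, approver="r.reviewer"),
    }
    return {name: evaluate(req).allowed for name, req in samples.items()}


if __name__ == "__main__":
    for name, allowed in run_samples().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
    for entry in AUDIT_LOG:
        print(entry)
```

The design choice worth noting is that the two-person check compares the approver to the requester, so an administrator cannot satisfy the rule by approving their own export, and that denials are written to the audit trail alongside approvals; a handbook cannot do either.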
