Wikileaks

Now I may have some opinions about whether or not it was a good idea to leak those documents from SIPRNet. But that's not what I want to talk about. No, I want to talk about information security.

Simon Jenkins makes a very nice point on the Huffington Post: The documents taken from SIPRNet were available to "some 2-3 million authorized accessors to the State Department intranet worldwide."

In a pool of 2-3 million accessors, there is guaranteed to be a good sized pool of spies and other individuals who would be...umm...susceptible to assorted temptations and coercions. It boggles the mind that the State Department/Department of Defense would leave the kinds of documents included in the leak out there for just any of those 2-3 million people to read.

Basic IT security includes providing access to information on a Need to Know basis. Did all of those 2-3 million people (or for that matter a Pfc, such as Bradley Manning, putative source of the leaks) really need access to all of that data? In addition, thumb drives and writeable media are a known source of data loss. There is a whole branch of IT security known as Data Loss Prevention (aka Data Leak Prevention) which attempts to address the problem of leaks. In general it's a tough problem, but on the other hand, it's really not rocket science to turn off USB ports and CD writers on computers that can access sensitive data.

I would be willing to bet pretty good money (like a bank account much larger than my own) that many, many of those 250,000 documents to be leaked by Wikileaks were out there long, long ago in the hands of people who weren't intended to see them.

I'm with Jenkins: "Blame the State Department, Not the World's Media" (or Wikileaks).