The Effect of Wikileaks

  2010-12-18

The Effect of Wikileaks

  22:47, by Hagai Bar-El   , 689 words
Categories: IT Security

Wikileaks did evil. It published stuff that should not have been published. Julian Assange acted carelessly, I think. Still, the impact of Wikileaks is not what we usually think it is. The security of citizens was not affected by Wikileaks, but by the leak itself, and the publicity given to those leaks, in itself, may bring citizen security to a higher standard in the long run. The problem with Wikileaks is that it created a new market for leaked documents; a market which may increase the appeal of low-risk data theft.

Let us start with one observation: Wikileaks did not cause the leaks it published. Julian Assange did not break into computers, and Wikileaks does not run its own malware operations to get at new data. Wikileaks is merely a distributor. It gets documents that were leaked already, and makes them available to the public. The impact on the security of citizens, through terrorists and enemy states, is caused by the availability of classified documents to terrorists and enemy states, not to the general public. The enemies are resourceful and usually poll data rather than wait for it to be available on the net. If certain data can leak, then it will eventually find its way to the resourceful enemy. Further exposure to the general public shall be seen as a second order effect, regardless of the order in which it happens.

If a disgruntled corporal could leak documents just for “ideology”, rest assured that another disgruntled corporal already leaked these documents for cash or employment. For sure? Obviously not; but if this hasn't happened, then it is just a matter of circumstance, not for a reason that can be relied upon in the general case. In the general case, if data was easy enough for the bored loner to get at, then it was easy enough for foreign intelligence to get at. If it did not happen the day before — it would have happened the day after.

Wikileaks made us all aware of what was stolen, in terms of types and quantities of documents. This, as a side effect, holds the government accountable. The public now knows more on how data is stored and to what extent it is protected; it is now at a position to demand what might need to be demanded.

In California, as well as in many other states by now, there is a data breach notification law that forces private organizations to notify the public when data breaches occur that involve, e.g., customer data. The idea is that the bad PR involved in such disclosures may serve to encourage companies to do more to avoid such breaches in the first place. Companies are less inclined to prevent data breaches if they can keep data on those breaches secret. In a sense, the government is now made subject to a similar drive.

So why do I still think Wikileaks is a phenomenon that shall be stopped? Because aside of the fact that it does not cause leakage, just puts it in the public attention, it also serves a secondary, negative, purpose by forming a new incentive for marginal criminals to participate in data security crimes. So far, the attack surface of a classified information system consisted mainly of foreign intelligence agents, and of idiots who leak data by mistake. There have always been the activists as well, but lacking means to demonstrate their loot, they were less inclined to exploit the system and actually leak out anything in tangible form. By providing them with such a portal, all would-be activists who are not top-grade computer criminals, but who have access to classified documents, are more likely to put the extra effort into carrying out something that they consider as a meaningful act.

Data breaches occur, and have nothing to do with Wikileaks. Wikileaks at least makes us aware of what was lost, and puts the government at a position of accountability. The problem with Wikileaks, however, is that it encourages people of certain ideologies, and who are positioned at certain places, to carry out computer crimes they may have never been inclined to perform.

No feedback yet