WikiLeaks Exploits Weaknesses in Technology, Human Nature

Kate Woodsome | Washington, D.C. 03 December 2010

Historians, anti-war activists and armchair observers of human nature have had plenty to mull over in recent years thanks to the online group WikiLeaks.

The Web site has published hundreds of thousands of stolen U.S. military and diplomatic documents from as recently as February of this year and as far back as the 1960s. The latest round of leaks, involving diplomatic cables, has renewed efforts by the U.S. government to tighten security on its computer systems. But cyber-security experts point out the leaks were less a breakdown of technology than of trust.

That fact now has the U.S. government scrambling to secure its computer networks. But Bruce Schneier, British Telecom's chief security technology officer, says even the most secure systems will still be vulnerable to human nature.

"You could take a computer, bury it in the ground, make sure you never turn it on," Schneier says. "Don't tell anybody where it is and it's probably pretty secure. But as soon as you turn it on and have people look at it, you have to trust the people."

Tightening security

The U.S. Defense and State Departments say they are working to limit users' ability to download material onto removable media, like CDs and USB "thumb drives." And they are working to better track suspicious behavior.

"In general, I think reducing the capabilities of the hardware is probably not the way to go," Schneier says. "Although as a temporary measure after this has already happened, it’s seems like an okay, quick solution. But long-term, it seems kind of dumb."

He says a better solution would be to limit access to the diplomatic cables in the first place. "Make sure people who only need to know them have access to them. And make sure that people who read them, make sure an audit log record is kept."

But that wasn't the case when U.S. Army intelligence specialist Private Bradley Manning committed one of the biggest information breaches in U.S. history while listening to Lady Gaga's hit song "Telephone." Manning says he lip-synched the words to the song while downloading a quarter-million classified diplomatic cables from the Defense Department's data network onto a Lady Gaga CD.

If access was far more limited, as Schneier recommends, there's no way Private Manning and his Lady Gaga tunes could have touched the network and all the diplomatic cables it stored. But he did. Because at that time, government agencies were sharing more intelligence in the wake of the September 11 terrorist attacks in 2001.

This week, U.S. Defense Secretary Robert Gates told reporters the procedures spread information too widely.

Demystifying state secrets

Instead of rolling back information sharing, says Steven Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists, the U.S. government instead should keep fewer secrets.

"If we kept less information classified, it would be an easier, more manageable task to protect that smaller volume of information," Aftergood says. "When you start getting into tens of millions of secrets being produced every year, you can easily swamp the system and lose control precisely of what you're trying to protect."

The secrecy system now in place has its roots in the Cold War, when U.S. President Harry Truman signed an executive order in 1951 establishing standards to classify and control information in the name of national security.

But now the defense and intelligence bureaucracy is so massive that is has outgrown, and outdated, that Cold War-era system. "Information is produced and consumed and transferred in completely different ways from what was true 10, 20 or 30 years ago. And the classification system has not yet adapted to that," Aftergood says.

Overhauling the system

U.S. President Barack Obama says he recognizes the problem. Last year, he ordered an overhaul of how the government keeps its top secrets. In May this year, the government disclosed the size of its nuclear weapons arsenal for the first time. And in September, the director of National Intelligence and Defense Secretary Gates revealed the total intelligence budget.

Aftergood calls the changes "momentous."

"Government officials have resisted disclosure of this information literally for decades," he says. "And the fact that it is finally possible to get this information out into the open and do so as a standard practice means that the system is not totally calcified. It's not totally stuck in concrete."

Still, keeping fewer secrets will not stop hackers from trying to break into secure networks. For about 18 minutes in April, China Telecom rerouted about 15 percent of U.S. and foreign Internet traffic through Chinese servers. According to the U.S.-China Economic and Security Review Commission, that traffic included communications from the U.S. government and military in a breach far greater than WikiLeaks. It is not clear how the information was, or will be, used.

Man versus machine?

David Gewirtz, the director of the U.S. Strategic Perspective Institute, says cyber-war is inevitable because it is just too easy and effective to ignore.

"Cyber-terrorism is much more like a cancer. It just sort of eats at you from the inside as opposed to traditional terrorism, where you can actually see flames."

Gewirtz says the U.S. is now focused on improving its cyber-defense, but it is an uphill battle because of the sheer number of vulnerabilities. Government computer networks not only need to be protected against state-sponsored cyber attacks and rogue hackers, but also against internal threats such as Private Manning. Cheap consumer electronics like USB "thumb drives," cameras and mp3 players can turn any network user into a threat.

"Everybody has these things, and so we have a million points of weakness instead of just one or two."

Private Manning now sits in military custody where he faces charges of leaking classified documents. As he awaits trial, U.S. officials are left grappling with a security problem that technology alone cannot solve.