2 min read

Espionage-as-a-service

The technology connections are several, and what's remarkable is how low-tech they were in the end

The saga of Canadian Forces Sub-Lieutenant Jeffrey Delisle has everything: intrigue, danger, betrayal, political implications, cloud computing, data loss prevention … Cloud computing? DLP?

Rewind to 2007. His marriage crumbling, the naval intelligence contacted Russian security officers in Ottawa, offering to sell intelligence from to gathered by the ultra-secure Trinity operation in Halifax to Russia for $3,000 a month, according to the sailor’s confession.

The technology connections are several, and what’s remarkable is how low-tech they were in the end. That made the theft of that top-secret data, gathered by a network involving intelligence-gathering operations from Canada, the U.S., Great Britain, Australia and New Zealand, easily preventable on the one hand, but beyond detection on the other.

With access to the five nations’ military databases, Delisle typed in the laughably simple and indiscriminating search term “Russia.” Here’s Point A at which the betrayal could have been stopped: A naval officer searching databases on such a wide-ranging term on a regular basis could have set off alarm bells with an appropriate reporting regimen.

He then downloaded the results of the searches to a USB stick. It’s inexcusable that a computer involved in an ultra-secure military intelligence operation be able to transfer data to a USB key. That’s how data walks away. Just ask the Ontario Ministry of Health. Data loss prevention software would have interdicted the turnover of information and identified Delisle as a security risk immediately.But with these two obstacles overcome, Delisle’s mission becomes much simpler and almost impossible to track. The method of transmission was ingenious in its simplicity. You can’t just e-mail state secrets around. Blithe and naïve as you’d like to be, government agencies around the world are scanning your communications. Show a pattern of sharing sensitive information – or use high-strength encryption, for that matter – and you’re bound to attract the wrong kind of attention for a spy.

Yet Delisle used a bog-standard Webmail account on Middle Eastern provider Gawaba to turn over the classified data. The genius was, he never actually sent a message. He’d log in, copy and paste the information into an e-mail message, save it in draft, and log out. His Russian handler would then log in, retrieve the data from the draft, and delete it. It was like it had never happened.

What’s our takeaway from this? It’s often been said there’s no longer an excuse for unencrypted sensitive data. I’d venture to say there’s no excuse for any data worth securing to be exposed without data loss prevention technology protecting it from walking away. And it’s easy to hide in the cloud.