Another day, another quarter of a million confidential government documents released via WikiLeaks.
This one was particularly well orchestrated, with the first announcements coming a week or so ago. As if to increase the impact, multiple governments went all atwitter with the U.S. government warning of dire consequences to U.S. diplomacy and the U.K. government going so far as to ask the U.K. press not to publish the material. As the articles in the New York Times and the other newspapers that got an advance look at the material show, there is plenty of news in this release. But the underlying story, and lesson, concerns the protection, or non-protection, of U.S. government documents.
WikiLeaks has come a long way, at least in mindshare, in the almost four years since I last wrote about it (Wikileaks: a site for exposure). WikiLeaks has been roundly painted as an evildoer, when, in fact, it can’t publish anything it has not been given.
WikiLeaks has been on quite a roll of late. While it has not confined itself to leaked U.S. government documents, it has published quite a few of those — starting with a Department of Defense counterintelligence analysis of WikiLeaks itself. The publication of a video of a U.S. helicopter attack in Baghdad was the first in a still ongoing series of large-scale publications of U.S. government documents.
In July, WikiLeaks published about 75,000 pages of documents about the Afghan war, followed by about 400,000 pages about the Iraq war. Just before Thanksgiving, WikiLeaks said that the next release would be seven times the size of the Iraq war release but the Times reports that the initial new release is “only” 250,000 pages, meaning that there are about 2.5 million pages to come.
There has been a lot of press speculation that all of the documents, starting with the helicopter attack video, have come from the same source, a young U.S. Army intelligence analyst, who has been arrested. If that is the case it looks like access to vast databases of secret U.S. government documents was rather broadly available and access was not reasonably logged. None of the documents released to date have been marked top secret so, maybe, the database had some level of data segregation. But, if news reports are accurate, no log was kept of access to the database or, if such a log exists, it was not regularly reviewed, since suspicion was directed at the analyst by a person outside the U.S. military.
So, it looks like the system is set up to permit low-level people wide access to millions of classified documents without a way to monitor such access, and the system permitted bulk download of these documents.
What would you think if your corporate software development team had put together such a system for your confidential corporate documents? There are lessons to be learned here, not just by the U.S. government.
The surprise about this latest series of leaks is not that it happened, but how it had not happened long before. Actually, maybe it has — not everyone who would like a copy of such information would be interested in publishing it.
Disclaimer: I know of no Harvard opinion on WikiLeaks, or on these disclosures and I express no opinion here of the correctness of WikiLeaks publishing such documents. But the opinion on document insecurity is mine.
