Impact of Wikileaks on InfoSec professionals

In the last few days the Wikileaks cables have dried up somewhat, and Assange waits for his finalised bail conditions, so I’ve turned my thoughts to the likely impacts of this whole episode. There are two debates to be had here: the first is on the wider implications of the leaks, and the second, the impact on us as IA practitioners.

The moral debate is far wider than ‘should he have done it?’. Rather, in the Wikileaks case, it is the question of what will happen to the law and to corporate approach as a result of the leaks that is interesting, as its impacts are far reaching. It is no surprise that governments say and do things in our name that maybe we consider to be wrong or even reprehensible – this has happened since not long after humans were chucking rocks at mammoths.

The actions of attempted remediation by the authorities have set off a chain reaction of highly publicised and relatively new actions. From a more general perspective, they have raised questions about whether Visa/Mastercard/Paypal should legitimately refuse payments offered to Wikileaks. From a technology standpoint these questions include: ‘ethics based’ DDOS attacks, mass use of volunteer botnets and the use of Twitter in court by reporters. It is interesting to note that a relatively small number of people running the DDOS attacks have created far more havoc than, say, the student protest in central London. How long before this sort of protest becomes commonplace?

The Swedish Government had sites taken down by Operation Payback and there were threats to the UK Government site network should Assange have not made bail. The volunteer botnets piece is ludicrous and anyone with half a brain will have stayed well clear, but it’s not a huge leap to imagine this sort of approach will be used again, and by a variety of campaigns (anti-vivisection / pro-life / national independence?). Is it a leap too far to imagine botnets being rented by campaigners in the future? And the idea of Twitter in court is a new one. The presiding judge allowed it in the first Assange bail hearing but declined to allow it at the second. One argument says it allows open information flow on the judicial process, the other that it could be manipulated and that it circumvents the normal court information release process, jeopardising the integrity of the witness system.

The upshot for IA professionals is a confusing muddle. Initially, it was all about sniggering behind our hands at the US State Department’s inability to deploy process and technology to stop people exporting data onto removable media. It’s now turned into a potential storm that includes hugely increased numbers of DDOS attacks and the question of whether stuff like LOIC (Low Orbit Ion Cannon – the tool downloaded by volunteers to take part in the DDOS) constitutes proper malware. If I deliberately download the LOIC package to my home computer, should my AV stop it? It’s my PC, my connection, my right, surely? When I use it to take part in the attacks, sure, that’s bad, but is the actual act of download and install bad? What about the use of Twitter? Twitter has blocked Wikileaks from issuing updates to its followers. Why them? What about (for example) student protesters who advocate ‘direct action’ (i.e. trashing the place) or the English Defence League and their nasty racist ilk? Where do we as IA professionals draw the line?

My core point today is simple and overarching. We technologists are used to dealing with fast-paced change. But the change we are seeing right now is happening in days, sometimes hours. The world has changed in the last 30 days, and we had better get used to it. Technology allows minority groups to cause massive damage quickly, and upset the applecart with impunity. We have little regulatory/statutory guidance to help us, and what there is cannot cope with a borderless foe. We need to be ready to defend our turf with the same level of vigour and cunning as those attacking it, and hope the authorities get a move on establishing what is and is not acceptable.


About Graeme Stewart, McAfee

I work for McAfee as Director of Public Sector Strategy and Relations, UK&I
This entry was posted in Legal, Security, Sophos, Wikileaks.