Can you keep a secret? The nonsense of security classifications that #Wikileaks exposes

Like many million others, I’m just starting to digest the first wave of news about the latest Wikileaks exposé. A couple of thoughts cross my mind.

Firstly, the Guardian reports, “More than 3 million US government personnel and soldiers, many extremely junior, are cleared to have potential access to this material”. There seems to be an intellectual disconnect between such permeability and the directive to “strictly protect” foreign informants. I fully support and understand the authorities’ desire to keep an ever wider constituency of public officials fully informed, particularly in this post-9/11 world, but surely this old-boy system of “cables” has had its day: surely diplomats should be preparing well-honed, sharply analytical briefs in place of this Facebook- and Twitter-style diplomatic gossip that its authors will now be repenting at their leisure.

Secondly, what is a “secret” anyway? One official reaction quoted states that, “We have been taking aggressive action in recent weeks and months to enhance the security of our systems and to prevent the leak of information.” Well, that doesn’t sound like a security policy to me, quite the opposite. As I and many others have argued for years, if your security policy is predicated on the assumption that the information is secure, you have already lost. In a world where 1.6 GByte of text is leaked on a small thumbdrive, no security dam is capable of all-seeing, all-knowing impermeability. I’d only disagree with Simon Jenkins in one detail, when he states that, “there is no longer such a thing as a safe electronic archive, whatever computing’s snake-oil salesmen claim”. There never was.

I’m reminded of the scene in “Yes, Minister” when the new minister gets excited by the whispered “Can you keep a secret?” from his Permanent Secretary, Sir Humphrey. Expectant for some confidential tidbit, he conspiratorially replies, “yes!”, only for Sir Humphrey to dryly retort, “So can I”. A secret’s not a secret if you share it with someone else, let alone 3 million people, so I really find the reactions of outrage – however valid the concerns about breaches of confidentiality, security and trust – difficult to take seriously.

Rather than attempt to batten down the hatches, it seems that a more thorough approach to information security is required, one that recognises that leaks do, and will always, happen. Only then will a real information security policy emerge and with it, a clear approach to handling information leaks when they happen again, as they will…

A starting point would be to recast our understanding of how information is captured and copied: if the act of reading, let alone copying, digitized text and media is seen as an active transaction rather than just a passive act, then there is hope. We understand money these days as being more than exchanging bills and coins, and yet we hold on to a quaint, outdated and dangerous attitude towards the currency of modern society – digital information – as something passed around in bits and bytes, sometimes protected, oftentimes not, without any attention to the massive potential that technology could offer.
