Okay we get it. WikiLeaks had the gumption to collect private cables sent to and from the United States State Department, and actually publish them on a website accessible by anyone with Internet access. But the United States State Department blaming USB thumb drives and/or WikiLeaks for their failure to properly mitigate the risks associated with sensitive communications between government officials and ambassadors is just ridiculous.
I remember shortly after the 9/11 terrorist attacks the country waged all-out war on white box vans at U-Haul trucks, because those might have been the means in which terrorists would conduct future attacks. Creating an immediate policy that bans the use of USB thumb drives by United States government officials is not only overkill, but it also doesn’t make sense and it won’t work unless we also start banning iPhone’s, blackberries, digital cameras, portable scanners, wristwatches, necklaces, belts, laptops, fax machines, e-mail and all the other ways that individuals are storing and moving information.
Here’s an opportunity for our government to start to consider not just classifying data but generally making an effort to enforce policies around access and usage. Of the hundreds of thousands of tables that have been reportedly sent to Wikileaks, some news agencies are reporting over 3 million individuals have access. Let’s put that into perspective. If one of the world’s largest financial institutions decided to give 3 million individuals access to Social Security numbers, bank accounts and credit card numbers that financial institution would be run out of business and subject to fines, penalties and the mundane congressional hearing. It just doesn’t happen.
Just like any company or institution that stores and shares data on its customers and/or constituents, the US government, specifically the US State Department needs to be held accountable for access control policies, the enforcement of those policies and visibility into both the access of and usage of sensitive information. But clearly there is an issue of way too many ungoverned pipes connected to critical data stores and sources. Managed file transfer is certainly part of the answer. Consolidating all of those ungoverned pipes can help as well. A little content management and DLP may likely be valuable too. Or maybe just a good old reclassification and risk mitigation of sensitive data so that it isn’t accessible by 3 million people.
Over the last 9 1/4 years we stopped a lot of white box vans but I’ve yet to see a security report or an intelligence report (provided by the news media, I am not one of the 3 million who have access to that type of information) that says we’ve significantly mitigated our risk of terror attacks because we don’t allow white box vans.