Fear, retribution and poor security In November 2010, The New York Times reported that, the founder of whistle-blower website WikiLeaks’, Julian Assange, had threatened to ‘take down a major American bank and reveal an ‘ecosystem of corruption’ with a cache of data from an executive’s hard drive.’ Bank of America’s executives feared it was them and rumours sent its share price tumbling. Bank of America’s Chief Risk Officer launched an internal action ‘scouring thousands of documents in the event that they become public, reviewing every case where a computer has gone missing and hunting for any sign that its systems might have been compromised.’Booz Allen Hamilton was also brought in to work out the bank’s liability in the event that client information was exposed.
The US government applied pressure and some financial institutions did more: they cut services to WikiLeaks. Payment card companies stopped processing or froze donations, while Amazon withdrew webhosting services. WikiLeaks’ sympathisers retaliated by launching DDoS attacks against these companies. This ‘Operation Payback’ succeeded in bringing down both the MasterCard and Visa websites.
This was a new type of warfare. Sympathisers were the jokers in the pack; unseen entities with no direct link to the players, yet who could be anywhere. The threat was simple, highly effective and unlike anything experienced by business leaders before – and the threat grows as social media and more whistleblower sites are established.
Former Assange associate, Daniel Domscheidt-Berg, who runs rival OpenLeaks, told the press ‘the two websites and others soon to be launched could complement each other, helping to ‘decentralize’ the whistleblowing process.’ Sympathizers – the unseen enemy A cover story in Forbes was headed: ‘WikiLeaks’ Julian Assange Wants to Spill Your Corporate Secrets’ and said: ‘WikiLeaks adds another, new form of corporate data breach: It offers the conscience-stricken and vindictive alike a chance to publish documents, largely unfiltered, without censors or personal repercussions, thanks to privacy and encryption technologies that make anonymity easier than ever before.’ Another twist is the alliance WikiLeaks created with credentialed ‘old media’ like the New York Times, the Guardian, Der Spiegel, Le Monde and the Sydney Morning Herald. This assured that any leaks passed to whistleblower websites would be published by respected mainstream newspapers everywhere, rather than being sidelined on obscure internet sites.
How was it so easy?
As data security breaches go, the US Government attack was easy: disenchanted U.S. army intelligence specialist Bradley Manning downloaded the 400,000 classified documents from the Defense Department’s data network onto a CD, while reportedly lip-synching the words to Lady Gaga’s hit ‘Telephone’.Yet, the Department didn’t uncover the breach; Manning bragged in a chat forum to Adrian Lamo, the hacker who turned him in, ‘that he was going to unleash ‘worldwide anarchy in CVS format.’
All this raises some obvious questions about the Department: • Why did a 23-year old Private have access to so much classified information? • Why were event logs not being monitored to show who accessed what information? • Why was writing to portable media devices not being closely watched? The U.S. Defense and State Departments say they are working to limit users’ ability to download material onto removable media, like CDs and USB thumb drives, and they’re working to better track suspicious behaviour. This is a case of far too little too late; clearly it was just poor due diligence and IT governance.
