Commentary - What do Metallica and the U.S. government have in common?
They are both fighting to control information once it has been placed on the Internet. Like Napster,
which rocked the music industry by enabling piracy and was eventually sued by the band Metallica,
the current Wikileaks crisis concerning the unauthorized access and downloading of 250,000 sensitive
and classified diplomatic cables and other files is simply another example of a controversial yet highly
efficient and hard-to-stop Internet distribution engine for the global sharing of data.
Both Metallica and the U.S. government have gone after these Internet distribution systems in an
attempt to regain control of content they own. But it’s a losing battle. For Metallica, not much has
been done to stop the millions of people who illegally access and share music files. Internet users
know several Napster replacements exist that still amass files and enable the sharing of them. When
something people want—music or data—becomes public, you can be sure that people will find a way to
Clearly, once information is available online—whether government cables or music—the people who
own the information have lost all control over it. They can discuss new laws to accommodate new
technologies, ethics and so on, but an equally pertinent question is “what could we have done to
prevent this in the first place?”
The fundamental issue remains that in most organizations, trust is granted to staff, allowing them
access to vast amounts of an organization’s most sensitive data. And now the adoption of mobile
and cloud computing paves the way for trusted staff to transfer and share data on the Internet. How do
you manage trust across so much data, and how do you recover your sensitive data once it is posted on the
Internet? You can’t put the genie back in the bottle, so the real question should be, “What are we doing
to keep it in?”
In the early 1990s both blackhats and whitehats (cyber-savvy individuals who use their know-how for
bad or good, respectively) played around with ways to extract information from systems and were
amazed at the assets they could access. It didn’t require a high level of sophistication to generate a
virus and exploit weaknesses in systems. As the security market continued to expand, most of the early
demand was for solutions to problems that didn’t threaten to siphon sensitive information or steal
intellectual property. Rather, the problems that people paid money to fix were annoyances that took up
the IT or security department’s time or that cut into employee productivity. Still, this was enough to fuel
significant investment in security products to thwart issues like denial-of-service and destruction of data.
Now, for the most part, companies seem to have established at least a reasonable state of availability
to servers, storage, and communication services. Headlines don’t frequently talk of a virus getting into a
system and shutting the whole network down anymore.
Still, we have yet to get ahead of the problem of a capable, motivated attacker who in some cases is
sponsored by foreign governments. Today, we’re all talking about what happened with Wikileaks and
many are focusing on the “Wiki” and not the leaks. And, while providers have shown good faith by
withdrawing DNS and hosting services from the Wikileaks site, what will follow is a game of whack-a-mole.
Case in point: Napster music sharing was replaced with platforms such as Limewire and BitTorrent.
The Wikileaks loss represents yesterday’s clumsy virus. Quite simply, the leak originated from a
low-level analyst trusted to follow policy. And while the security community is abuzz around emerging
advanced persistent threats capable of sophisticated and coordinated attacks on nuclear plants (Stuxnet),
let us not forget that we continue to be at great risk from much less sophisticated threats, like trusted
insiders whose access control is enforced with basic tools such as handbooks and written policy.
The sticky area has always been the way organizations grant trust and the amount of power given to a
user once that trust has been granted. There has to be a paradigm shift. Companies should still aim to
establish trust—with background investigations and such—when they engage with partners, employees,
etc. But organizations can no longer extend that level of trust to things as powerful as information
systems and technology, and in particular to those trusted to administer and manage these platforms.
Commonly, a system admin gets a background check, gains clearance and is handed the ultimate access
to government or company information and infrastructure. Not anymore. Companies need to move
to a zero-trust model to enforce written policy with technology. At a minimum, the Wikileaks loss
should sound an alarm for access control of privileged users such as web and system administrators. The
potential for loss is too great to expect that all people are going to pay attention to a memo or follow
the employee handbook. After all, it only took one bad seed for Wikileaks to occur.
Just last month, the Executive Office of the President, Office of Management and Budget issued a memo
for the heads of departments and agencies regarding Wikileaks and misuse of classified information. The
memo includes the following immediate instruction in support of zero trust:
Each department or agency that handles classified information shall establish a security
assessment team consisting of counterintelligence, security, and information assurance experts
to review the agency’s implementation of procedures for safeguarding classified information
against improper disclosures. Such review should include (without limitation) evaluation
of the agency’s configuration of classified government systems to ensure that users do not
have broader access than is necessary to do their jobs effectively, as well as implementation
of restrictions on usage of, and removable media capabilities from, classified government
There are a lot of issues that need to be addressed by a solution to the gamut of Internet security
challenges and the need to share data. At a minimum, though, organizations should tackle high-risk
challenges posed by well-understood threats that are easy to solve—like controlling administrator
and privileged access to data and systems with today’s existing technologies that are not prohibitively
expensive. In fact, a proper privilege management platform designed to control, contain, and audit
access to the assets and systems needed to perform one’s job could have prevented the Wikileaks leak.
Biography: Ken Ammon is the chief strategy officer at Xceedium.