The Magazine

Issue 16

Companies have a responsibility to engage with all of their employees or run the risk of alienating some members of staff.

E-magazine
  • Previous Issues

Blog

Spencer Green
Chairman, GDS International

Sales and the 'Talent Magnet'

A lot is written about being a ‘Talent Magnet’, either as a company, or as President. It’s all good practice – listen, mentor, reward, provide clear goals and career maps. Good practice for the employer, but what about the employee?
24 May 2011

Calling time on whistleblowers

By Ian Clover

As the Afghanistan War leak proved, no organisation’s security perimeter is ever completely safe from breach, but companies can help to minimise risk by adopting more progressive strategies to help dilute the desire to become a whistleblower, as Ian Clover discovered.


“Security officers must not lose sight of employee management; it is partly their responsibility to ensure that staff members feel valued.”
-Ian Clover

Sporting the online moniker 'Bradass87' and offering bold, boastful claims of access to the most top-secret data within the US army, Bradley Manning - a US Army Intelligence Analyst - hardly came across as the most trustworthy surreptitious source ever to leak from the largest military power the world has known. The Internet is, after all, awash with the disillusioned, the disenfranchised, the disappointed and the downright deluded. At first glance, Manning belonged in this bracket: his Deep Throat-esque instant message conversations with a hitherto-unknown Californian computer hacker; the almost insatiable desire to relay 'sensitive' information that, if false, could get him into serious trouble and, if true, could land him with a hefty prison sentence if ever caught; the sensational language he used when talking about 'incredible, awful things' that 'belong in the public domain and not on some server stored in a dark room in Washington DC' - it all pointed to yet another online crackpot looking to spout whatever had ailed him to anyone who would listen.

The problem for the US authorities though, was that the information Manning was all too eager to offload about the Afghan War was, in fact, true. Manning's job within the US Army afforded him privileged access to two secret networks: the Joint Worldwide Intelligence Communications System, and the Secret Internet Protocol Router Network (SIPRNET), both of which carried material that was classified as 'Top Secret'. Unrestricted access to this type of information led Manning into the realm of temptation. The sensitivity of the data and the shocking truths that it covered up (the shelling of unarmed Afghan civilians by a US helicopter in 2007 being the most damning) compelled Manning to seek to release the information into the public domain: compressing, encrypting and uploading the juiciest details to Julian Assange, founder of the Wikileaks website. Manning would even take blank CDs labelled 'Lady Gaga' with him to work at the Operation Hammer base camp some 60 kilometres east of Baghdad in Iraq, insert them into his high-security laptop and even lip-synch along to nonexistent music so as not to arouse suspicion while he was downloading the explosive information.

Such a news story raises various questions. Rumours have abounded for years about the less-than-salubrious practices of the US and Allied forces in Afghanistan. But that is all they ever were before - rumours. This Wikileak uncovers the non-PR version of events in Afghanistan, and it threatens to be far more damaging for the American authorities than anything that has gone before, the Pentagon Papers during the Vietnam War included. And if a body as powerful as the US Army can find its security perimeter breached by an employee on a mission, then how do mere corporations protect their sensitive data from internal threats and external malice? Is it a matter for IT departments to implement better security technology, or do companies have a duty to engender better channels of communication for employees who could become potentially disgruntled? Do corporations have a social responsibility to treat the threat of whistleblowers more seriously? The challenge for most companies lies somewhere between the two stools - better technology can certainly help to secure a company's perimeter, but failure to engage with employees, or indeed to teach them the value of following secure practices, can be just as harmful for your business.

"Highly visible leaks such as the Afghanistan Wikileak should encourage all businesses to recognise how close risk is and give them impetus to document governance and process review," says Ian Winham, Chief Technology Officer for Ricoh Europe. "This story highlights just how important it is for companies to review internal security processes to ensure information is protected and access to sensitive information is restricted, but also to engage the IT community and the HR community to actually make sure that your company is addressing communication with your staff."

Failure to engage

Manning was arrested by the US Army Criminal Investigation Command in May this year and, in July, was charged on two counts of 'transferring classified data on to his personal computer and adding unauthorised software to a classified computer system'. He could be looking at a jail term of 52 years, which he would have known before acting in such a manner. His defenders have been calling him a whistleblower for free speech; others think him foolish. But the question is - what compelled Manning to act in such a manner? Did he simply want the fame, or did he feel so disengaged from his superiors, and so frustrated with what he saw, that he felt he had no choice but to act as he did?

Such questions are equally valid in the corporate world. Employees with access to sensitive data need to act responsibly of course, but is there a duty for the employer to ensure that its staff is made to feel valued and respected? "The armed forces can be, without wishing to say anything too detrimental, extremely negative about any form of information or feedback that is, in itself, negative," says Grahame Waite, Information Security Officer and Data Protection Officer for Fife Constabulary who spent 25 years in the armed forces. "The rank structure is designed to be rigid. You are expected to do what you're told. Then again, every serviceman that I have ever known has absolute dedication to the armed forces and it takes something really extreme to tip somebody to the point where they think 'you know what? I have to do something about this.' It really must be something extreme."

And it was. Thankfully, most companies are not waging wars in foreign lands, or being forced to act in a manner that has the potential to take lives. But what is classed as damaging information differs from company to company and organisation to organisation, and so does the type of data and structure that could lead to employees feeling aggrieved. "Whistleblowers are always a bit of a contentious issue because it all depends on which side of the fence you are on," says Waite. "They can prove really beneficial if, for instance, they go to their own executive and tell them that there is a real issue that they would like to address. This sort of culture should be encouraged. But if somebody is doing it for flagrant self-aggrandisement or malevolence, then it becomes a different matter."

Data and information security can be guarded right from the off if every employee feels that they have the relevant facility and chain of command in place that enables them to report something that they feel is wrong within an organisation. "You have to accept that technology can only deliver part of the solution," says Andy Kellett, Senior Analyst at OVUM Research. "Technology itself can be part of the problem, as we have seen with the Afghan War leaks. So if you can put a formal and secure communications channel in place that allows people who feel that things are not going their way and need to express their concerns about something that their company is doing, that has to be advantageous. The approach could involve the use of an independent mediator to whom employees can pass information without feeling that their own position is threatened. If you can do this while making staff feel valued, it can be an important addition to your corporate structure."

"The fact is, most people become whistleblowers because they are either scared that their concerns will be ignored or know for a fact that they won't be taken seriously. Rightly or wrongly they believe that unless the information they hold goes public, nothing will be done and that they will suffer as a consequence if they make their views public." Educating your workforce is of paramount importance. If staff are fully aware of their responsibilities within your organisation, then that is half of the security battle won. "The issue really boils down to the use of good technology controls alongside user education," says Kellett. "At the same time it is imperative that an organisation maintains proper relationships between itself and everyone who works for it." But the employee also has a responsibility to act maturely and responsibly. "We all go through stages where we are less happy than we could be," adds Kellett. "But the responsibility of the end user doesn't disappear just because they are discontented."

Identifying weaknesses

Every company and organisation has its vulnerabilities. The US Army, for all its might, technological power and ability to lean heavily on important decision makers to get the outcome its country seeks, is vulnerable from within: from disillusioned soldiers who, ordinarily, pledge blind loyalty to the cause. Conversely, corporate enterprises may be extremely effective at combating internal leaks and exposures but find that they are susceptible to third-party interference.

"What organisations need to do is undertake upfront risk assessments to understand and identify what and where their real vulnerabilities are," says Kellett. "For example, if you are in the retail or the financial services sector, you obviously need to protect credit card data. You need to ensure that customer information is properly protected and doesn't end up on external devices without being properly encrypted. This issue of getting your company's priorities right, of understanding the things that are really going to cause your organisation problems, is highly important."

As is applying techniques and strategies to ensure that data loss prevention and security breaches are rare occurrences. "If yours is an organisation where everything stays on central servers, then you can start to address those issues by understanding where your most sensitive data is," continues Kellett. "Very few organisations like that exist today. Realistically you are looking at business operations that support the free flow of information and, therefore, there is a need to make use of technology that can deal with things that attack your organisation but also address the issues of accidental misuse. Because it is not always a case of malicious attacks and people stealing information; the loss of files, laptops and data is often down to human error, it's stuff that people just do."

This is where security technology can work hand in hand with better corporate responsibility: educating employees, giving them their own sense of responsibility and equipping them with technologies that shape their behaviour for the better. "Working in the police force means there is that responsible mentality already built-in that our information is exceptionally sensitive," says Waite, "but in the corporate world intellectual property can be just as valuable and sensitive, so you do not want this sort of data leaking from your company."

Having an increased awareness of the need to maintain strict security measures is just one part of the perennial battle companies are engaged in as they fight off the threat of data breaches and security lapses. "I think awareness and activity are always two things that actually are difficult to pull together," admits Winham. "There are plenty of organisations that have implemented good security policies that they are very clear about, but what they tend to overlook is the process of actually flowing these practices and policies throughout the entire organisation; there is often a lack of governance, sometimes confusion, and sometimes something as simple as oversight."

Technological help

Simply training your staff to follow stricter security protocols is only half of the battle; staff members need to be armed with a suitable security infrastructure too. Prison officers, for example, would quickly be overwhelmed if all they had at their disposal were batons, intense training and an intimidating collection of bushy moustaches and shouty voices - they need the bars, walls, razor-wire and fences to help them secure their perimeter. Likewise, a prison with no intelligent guard presence would quickly be breached. And so it is for company security. Collaboration through governance and utilisation of the appropriate technology is the most effective method.

"Sometimes there is a failure to engage by senior executives who perhaps view their data security procedures as a cost rather than an investment," says Waite. "Of course, in this day and age the plus and minus columns of balance sheets are more important than ever. But data security is an investment because it gives you and your organisation that peace of mind, and it highlights to your partners that you see security as an important issue and that you are willing to take the appropriate measures to protect the sensitive data of your organisation."

One such measure advocated by Waite and employed by every police force throughout the UK is solid encryption of data. "If you have a suitable level of encryption on a laptop, then who cares whether you lose it? All you have lost is a piece of plastic. However, if it's not encrypted or it has only a very low level of encryption, what you might lose in terms of the value of data on there can be immeasurable. I would much rather lose a piece of plastic having paid a little bit more money for a good level of encryption than face the embarrassment, the inconvenience, and the possible legislation and job loss that could follow if sensitive data was lost."

Employing a professional team to ensure the implementation of appropriate data encryption software is as imperative as having the forethought to undertake such a strategy, as is educating every member of the workforce, in every department, about the potential dangers of data leakage. "It is relatively straightforward to introduce a secure email service system that sends all outgoing mail via an encrypted route to secure addresses," says Waite. "This is one technique that actively forces employees to take decisions on the value of the information they are trying to send, prohibiting them from sending emails to unsecured recipients. But there are programs that will allow information to be sent to insecure addresses, and it is in these instances that employees have to act responsibly."

Policies, education, auditing and technology can all be combined to minimise the threat of potential leaks and breaches. Determined whistleblowers may always attract some attention, but if they are unable to back up their claims with hard evidence, they will not be taken as seriously. Security officers must not lose sight of employee management; it is partly their responsibility to ensure that staff members feel valued, rewarded, listened to and empowered to speak their mind if they feel at all that the company they work for is engaged in some activity or practice that concerns them. These channels of communication need to be kept clear and open, or independent mediators should be employed who, while not encouraging a culture of hunting for problems to flag, at least engender an atmosphere in which members of staff at all levels are afforded the time and respect to make their concerns heard.

Protecting the perimeter

Mobile workforces are posing even greater challenges as companies' security perimeters grow ever larger, and potentially more porous than tighter-knit ones. The use of smartphones and laptops is a great driver for business, but brings with it its own set of security concerns and challenges. "There are few organisations out there with common risk boundaries, so there is no single strategy for dealing with the security concerns of mobile workforces," says Kellett. "For example, a company that has a need to share its information with a third party - on supply chain relationships for instance - needs to have in place federated access controls. Where other organisations need to have visibility of your data and you need to control that access - what they can do and see etc. - the boundaries that exist in normal business relationships no longer apply. Technology allows information to move around very easily, and the amount of information that we make available is expanding all the time. Next generation technologies will open things up even more and make it even easier for information to be moved around, which poses a serious set of security questions for the future."

Central data and data on the move both need to be protected and securely encrypted so that any attempt to remove this information from within the perimeter to beyond it is flagged and of little use to the malevolents. "Most organisations don't know when somebody sticks a USB drive into the back of a machine and makes a copy of a file," says Kellett.
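Kellett's point that a copy to a USB drive usually goes unnoticed is a correlation problem: a file write only becomes interesting once an earlier event has marked the target volume as removable. The detection below is an added example, not code from the article or from any product mentioned in it; its key=value log format, host names, users and classification labels are all constructed for illustration.

```python
"""Flag copies of classified files to removable media (constructed example).

The one-event-per-line key=value format is invented here; real endpoint
telemetry would need its own parser, but the correlation is the same."""
from collections import defaultdict

SENSITIVE_LABELS = {"secret", "confidential"}
BULK_THRESHOLD_BYTES = 100 * 1024 * 1024  # 100 MiB to one removable volume per session

# Constructed telemetry. ws-17 mounts a USB volume, copies two large 'secret'
# archives to it and ejects it; ws-22 writes only a public file to its USB
# volume and a 'secret' file to a fixed disk, so it must produce no alert.
SAMPLE_LOG = """\
ts=2011-05-24T09:00:01 host=ws-17 user=analyst1 event=usb_mount volume=E: serial=ABC123
ts=2011-05-24T09:00:30 host=ws-17 user=analyst1 event=file_write volume=C: path=C:\\notes.txt bytes=2048 label=public
ts=2011-05-24T09:01:10 host=ws-17 user=analyst1 event=file_write volume=E: path=E:\\music\\track01.zip bytes=734003200 label=secret
ts=2011-05-24T09:02:00 host=ws-17 user=analyst1 event=file_write volume=E: path=E:\\music\\track02.zip bytes=512000000 label=secret
ts=2011-05-24T09:03:00 host=ws-17 user=analyst1 event=usb_unmount volume=E: serial=ABC123
ts=2011-05-24T10:00:00 host=ws-22 user=clerk4 event=usb_mount volume=F: serial=XYZ789
ts=2011-05-24T10:00:20 host=ws-22 user=clerk4 event=file_write volume=F: path=F:\\report.pdf bytes=40960 label=public
ts=2011-05-24T10:01:00 host=ws-22 user=clerk4 event=file_write volume=D: path=D:\\budget.xlsx bytes=81920 label=secret
"""


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict (paths contain no spaces by construction)."""
    return dict(field.split("=", 1) for field in line.split())


def detect_removable_copies(log_text):
    """Correlate usb_mount/usb_unmount with file_write events per host.

    Emits one alert per sensitive-labelled write to a currently mounted
    removable volume, plus one alert per mount session on the write that
    pushes the session's total bytes past BULK_THRESHOLD_BYTES."""
    mounted = {}                       # (host, volume letter) -> device serial
    session_bytes = defaultdict(int)   # (host, serial) -> bytes written this session
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        key = (ev["host"], ev["volume"])
        if ev["event"] == "usb_mount":
            mounted[key] = ev["serial"]
            session_bytes[(ev["host"], ev["serial"])] = 0
        elif ev["event"] == "usb_unmount":
            mounted.pop(key, None)
        elif ev["event"] == "file_write" and key in mounted:
            serial = mounted[key]
            size = int(ev["bytes"])
            before = session_bytes[(ev["host"], serial)]
            session_bytes[(ev["host"], serial)] = before + size
            common = {"host": ev["host"], "user": ev["user"], "serial": serial,
                      "path": ev["path"], "ts": ev["ts"]}
            if ev["label"] in SENSITIVE_LABELS:
                alerts.append({"rule": "sensitive_to_removable", **common})
            if before <= BULK_THRESHOLD_BYTES < before + size:   # threshold crossed now
                alerts.append({"rule": "bulk_to_removable", **common})
    return alerts


if __name__ == "__main__":
    for alert in detect_removable_copies(SAMPLE_LOG):
        print(alert)
```

Writes to fixed disks are ignored even when the label is 'secret', so the rule fires on the removal path itself rather than on every access to sensitive data.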

There are other dangers too. The printing off of sensitive information may seem charmingly old-world, but it remains a very real threat for companies that do not implement appropriate document security. "While a business may never experience such a high profile leak as the one suffered by the US Army, it is important to acknowledge the quieter risks within an organisation," explains Winham. "Business plans, product road maps or budget data that are easily printed can get into the hands of competitors and bring competitive disadvantage. In many cases a business will not even be aware that such an incident has taken place, so to help control security breaches, businesses need to take greater control on who is able to print their information, and what information they are able to print."

As the world becomes more and more digitalised, the issue of securing actual physical documents is being overlooked by many of the larger companies prone to security breaches. "A lot of security comes through the IT function, whereas a lot of document governance sits outside of the IT function and is located in a wide range of areas within a company," says Winham. "This is where things such as innocent mistakes can happen where documents are not being controlled as tightly as they could be. End-of-life employees (those coming to the end of their contract) pose a threat too, but if you know your security environment and there is an executive looking after the issue of document governance - whether this falls to the IT department or not - such threats can be minimised."

In the wake of the Afghan War leak, the end-to-end processes of data security should be given even greater attention than previously. Technology can only help so far; employees need to take the responsibility afforded to them by their employers to work in a reliable and transparent manner, engaging with their superiors on matters that are giving them cause for concern without feeling the need to resort to extreme whistleblower tactics to get their message across. Equally, corporations have a duty to provide not just secure working environments but access to clear channels of communication throughout the entire structure of their organisation. Without this complete end-to-end security process, leaks like the one suffered by the US Army will continue to happen.


Out of the mouth of Manning...

Choice excerpts of Bradley Manning's conversation with Adrian Lamo, the Californian hacker he contacted.

..."If you had free rein over classified networks for long periods of time...say, 8-9 months, and you saw incredible things, awful things that belonged in the public domain and not on some server stored in a dark room in Washington DC, what would you do?"...

..."documents that expose the almost criminal political back-dealings that show how the first world exploits the third, in detail, from an internal perspective"...

..."everywhere there's a U.S. post, there's a diplomatic scandal that will be revealed"...

..."I took some information to an officer to explain what was going on. He didn't want to hear any of it. He told me to shut up"...

..."at first glance it was just a bunch of guys getting shot up by a helicopter...no big deal...about two dozen more where that came from right...but something struck me as odd with the van thing...and also the fact it was being stored in a JAG officer's directory...so I looked into it...eventually tracked down the date and then the exact GPS co-ord...and I was like...OK, so that's what happened"...

..."lets just say *someone* I know well has been penetrating US classified networks, mining data like the ones described...and been transferring that data from the classified networks over the air gap on to a commercial network computer...sorting the data, compressing it, encrypting it"...

