January 15, 2011 By Dan Lohrmann
“What do you think about that WikiLeaks situation?”
I’ve been getting that question a lot lately - not only from the typical techies or security pros, but from just about everyone else. From government leaders to self-confessed Luddites to elderly acquaintances at church, lots of people are talking about WikiLeaks – still.
For example, last month I ran into a former government executive who moved on to a leadership role in the private sector several years back. The conversation went something like:
Former Gov Exec: “Dan – you won’t believe this, but I was just thinking about you and your state security organization. I was shocked by those WikiLeaks disclosures! I can’t get that topic off my mind.”
Dan: “Really? You’re the second person who mentioned that today.”
Former Gov Exec: “You know, they don’t understand computer security or these risks the same way in the private sector as in government. Many of my current colleagues just don’t get it. (Laughing) Everyone was blown away by that WikiLeaks thing….”
(After a long, serious pause) “So what should we be doing now?”
I sent my old friend a few resources. But no doubt, this is a tough (and difficult) question to answer. I’d like to share some of the same advice I gave my colleague.
Over the past several months, there have been numerous articles offering “lessons learned” from WikiLeaks. Here are a few of the interesting articles that I’ve read on this topic:
Yes, there are plenty of misperceptions out there amongst people who should probably know better. A few government managers have commented, “We don’t have anything worth protecting here. We’re not the Department of Defense (DoD), you know.”
These naïve perspectives may shock some (for good reason), but they cause me to take another look at our security training for business areas. In defense of some state and local government staff, a large amount of government information is (and should be) open, and the information is available via the Freedom of Information Act (FOIA) or even freely on public websites.
Newly elected officials and legislators and/or other new state or local execs may not be aware of the various compliance and legal issues we must abide by to protect citizen information. We can certainly use WikiLeaks as a training opportunity.
Bottom line, we do have plenty of sensitive data that must be protected, and no citizen wants their health records, high school test scores, social security numbers or tax records revealed to the world.
So what WikiLeaks lessons am I suggesting? Here are three, keeping it simple in this particular blog:
1) The “insider threat” is real for all of us.
2) Yes, we have sensitive data to protect in state and local governments.
Final thoughts: Government Technology Magazine ran this article stating that City Leaders are worried about the implications of WikiLeaks for security in their jurisdictions. This gives readers an opening to educate others on the importance of good practices.
There is also this webinar from Governing coming up later this month that may help you in this area if you want to learn more as we begin 2011.
Any opinions on WikiLeaks that you would like to share?