After a four-year hiatus WikiLeaks has plans to resurrect its controversial “most wanted list.” Its aim is to coax whistleblowers to expose specific government secrets, and first up the group wants the unreleased text of the CIA torture report and leaks from spy agencies around the world.
But new cloud server security could make it much more difficult and dangerous for Julian Assange’s potential sources to come forward.
That list “got me in a lot of trouble,” Assange said when we spoke about his new book inside the Ecuadorian embassy in London late last year. Dormant since 2009, the list's appeal for secret Iraq War documents was used as evidence to convict WikiLeaks’ source Pfc. Chelsea Manning in 2013. And it prompted an ongoing investigation of whether Assange engaged in a conspiracy to commit espionage.
“There needs to be a cablegate for the CIA, for GCHQ, MI6, for the Chinese Public Security Bureau, for the FSB.”
Despite the legal threat, “ultimately I have decided it is the proper function of investigative journalism to ask people for material,” Assange said. “It would be the thin edge of the wedge if journalists start ceding that ground,” he continued, “merely because they are being threatened and accused under the Espionage Act.”
At the top of the list today? A leak of “the 6,000 page CIA torture report, which is still being suppressed by the CIA and the U.S. Senate Intelligence Committee,” he said. The December release of a 500-page summary of the report detailing the torture of detainees by the U.S. received wide criticism from Bush officials, including former Vice President Dick Cheney who called it "a partisan hack job” and “full of crap.” Yet Assange thinks the world should see what’s beyond the 8.3% that has been released to the public.
He also asked whistleblowers to come forward with copies of data the NSA collects on average citizens. “That would be of titanic importance,” he said, since Snowden’s documents “have included very few actual intercepts,” which is the majority of the data the NSA collects. “There needs to be a cablegate for the CIA, for GCHQ, MI6, for the Chinese Public Security Bureau, for the FSB,” he added, including “the many private intelligence firms that actually run the NSA like Booz Allen Hamilton and Raytheon.”
Cloud Crackdown
Unfortunately for WikiLeaks’ would-be sources, the ongoing transition to cloud computing within U.S. intelligence agencies, along with increased vigilance to insider threats, is delivering security measures to make whistleblowing much more difficult.
“Had this ability all been available at the time, it is unlikely that U.S. solider Bradley Manning would have succeeded in obtaining classified documents in 2010.”
U.S. intelligence is consolidating data from the NSA; CIA; National Geospatial Intelligence Agency (NGA); National Reconnaissance Office (NRO); and Defense Intelligence Agency (DIA) in a cloud network, according to a September 2014 article in CIO magazine.
“Our team has developed a way to tag data at the cell level and, accordingly, through PKI [public key infrastructure] certificates, every person,” NSA Chief Information Officer Lonny Anderson told CIO. For each file, he continued, that “means being able to track what happens to it as long as it is in the system. For a person, it means more than what you do with a file, it also means what you are authorized to see.”
Effectively the new technology allows the agency to track every employee or contractor’s access to sensitive files down to a single word or name in a document, and whether they downloaded, copied, printed, forwarded, or modified it in any way.
“Had this ability all been available at the time,” CIO magazine concludes, “it is unlikely that U.S. soldier Bradley Manning would have succeeded in obtaining classified documents in 2010.”
Ecuadorian Embassy, London Credit: Graham Lanktree
Anderson’s comments about the power of these tools, however, could be overblown to deter employees from becoming another Manning or Snowden. His "claim is probably bravado," said Bruce Schneier, a cryptographer, privacy specialist and Fellow of Harvard's Berkman Center for Internet & Society, in an email. But the bottom line is "we don't know," he wrote. "Certainly there is better auditing that they can do, but it won't be foolproof. I have no idea what measures they've put in place post-Snowden. And, of course, they don't want us knowing."
But there are clues the effort to gain these technical powers is real. A month after the Snowden story broke in 2013, In-Q-Tel – an investment fund with CIA and Homeland Security links, which selectively invests in technologies to “support the mission of the U.S. Intelligence Community” – poured money into Mountain View, California tech firm HyTrust.
The aim was for HyTrust to “deliver audit, enforcement, and policy controls to the administrative layer” within cloud servers and implement a ‘two man rule’ requiring a separate employee’s approval to access sensitive data, said HyTrust President and Co-Founder, Eric Chiu in a statement.
Inside Threat
Insiders, not hackers, are the threat intelligence agencies believe will loom larger and larger in the future, said Andrew Fitzmaurice, Chief Executive of UK security consultants Templar Executives, speaking in October at a Royal College of Defence Studies talk sponsored by Boeing.
“Bradley [Chelsea] Manning, then followed by Edward Snowden probably suggest to us that we can’t have open access to all the information we have” among employees, said Fitzmaurice, warning his audience of security contractors and government officials from various countries.
Fitzmaurice, who works extensively in the UK’s Cabinet Office and GCHQ, said security systems should be less like an armadillo armed against outside threats but rather layered like an onion with different rings of security between employees, and information sharing on a need-to-know basis.
Vigilance against the insider threat is now at an all-time high. In a December 2013 U.S. Homeland Security assessment, insiders were picked out as an underestimated threat to critical government infrastructure. And the report recommends not only should employee data be tracked in the workplace, but also on social media, along with behavioural monitoring by other employees.
This January, the UK’s Centre for Protection of National Infrastructure issued major new guidelines for employee vigilance and pre-employment screening, highlighting the threats posed by insiders. And other groups are working to build a profile of an insider to pick out employees and contractors for extra scrutiny.
The world as it really is?
Despite these efforts “there will always be too many people with access to too much information to stop bulk leaking,” Google executive chairman Eric Schmidt writes in the new afterword to his 2013 book The New Digital Age.
Leaks from whistleblowers, Assange maintains, are the only way to continue to hold public and private organizations to account. “The larger effect is that it creates disincentives for organizations that create unjust plans or engage in unjust acts,” he writes in When Google Met WikiLeaks.
Yet the vast majority of history still remains unexplored, Assange told me.
“You think to yourself ‘wow you’ve learned a lot by those WikiLeaks publication of the cables, and Afghan and the Snowden stuff’, it’s like ‘wow, the world seems different now,’” he explained, “but if you take your mind back before all that happened, it was all still happening - you just didn’t know. What we perceive to be human civilization, isn’t human civilization. The reality we live in is still to be uncovered.”
Edit: This post was edited from the original to include comments from Bruce Schneier.