In 2001, a network administrator whom I worked with at one of the largest, most prestigious law firms in the United States, headquartered in Chicago, decided to search all of the employee folders on one of the main servers, where each employee saved their “personal” files, for any file that ended in JPG, MOV, or AVI; in other words, any photo or video files. He was not looking for anything in particular, just to see what types of things the partners and associates at this firm were looking at. Like almost every employee in that I.T. department, he had full access to every file, every piece of information, no matter how mundane or sensitive that information was to the person or the firm. Major case files, major pieces of discovery, major evidence that could easily be copied on to a DVD and passed along to the opposing counsel, were all available to every person in that I.T. department, completely unrestricted in any way. The only thing stopping anyone in that department from stealing any data they wanted and passing it along to anyone they wanted was the confidentiality agreement each employee signed and a certain level of blind trust; not any real network security or restrictions on data, just trust. What was most interesting about what that network administrator found that day, when he searched for every photo or video file in the home folders of some of the highest paid partners and associates at this firm, was not the amount of sensitive legal evidence that could have been stolen and passed to counsel or the press (yes, that was there), but the amount of pornography, racist or offensive “humor”, or even illegal materials that could ruin the careers of any one of those lawyers. And it wasn’t just a handful of photos and videos that were found; it was thousands. One attorney’s folder actually contained a video of a woman having intercourse with a horse. This law firm was lucky.
Nothing was ever done with what was found. No one was turned in for having inappropriate materials, although they could have been and probably should have been, and the I.T. department had a good laugh at the attorney’s expense, which I’m sure is some kind of HR violation right there. The files that were found were all copied for safekeeping and deleted from the attorneys’ folders with certain confidence that no one would be coming to us to complain, “Where is my video of a woman screwing a horse?!” And even if that video was evidence in a case, it was not the proper place for evidence to be stored.
If you think I am trying to make some point here about what is appropriate or not appropriate to save on your work computer, or any type of commentary on the morality of attorneys, then you are wrong. Personally, having worked in Information Technology, I always find it amazing the types of things I find on the computers that people use for work. A work computer is the property of the company you work for and so is everything on it, so keep that in mind next time you are thinking about checking out barelylegal.com on your company laptop.
The point I am making here is simple. What just happened to the U.S. Government with the release of tens of thousands of documents, which supposedly were considered secure but instead were easily obtainable by any one of the 600,000 persons with security clearance to those electronic, network-based files, was a WikiLeaks accident just waiting to happen, and if you think the data at your own company is secure for even just one heartbeat, you are wrong. The data at your own company not only can be stolen but, I will go so far as to say, to some degree it has been. Keep in mind, the U.S. government was not hacked into by international foreign spies, or by operatives working for Al Qaeda. The information given to WikiLeaks was obtained and stolen by a U.S. soldier working internally, inside the I.T. structure of the supposedly secure computer network of the U.S. military and government. The files leaked to the world were simply copied off a server and on to one or more DVD disks, and no one knew about it until it became international news, and a nightmare not just for the Obama administration but also for governments and individuals around the world.
The biggest threat to any organization, whether private or public, is not external threats but internal ones. Employees today have far too much access to the information stored on company networks, and any person who has worked in any I.T. department for any decent amount of time will tell you that the WikiLeaks incident doesn’t surprise them at all; in fact, they will tell you that they are surprised it didn’t happen sooner. With USB flash drives available up to 64 gigabytes, a person could easily walk out of a company with millions of confidential and damaging documents without ever being noticed. And to complicate things further, the trend towards outsourcing the administration of company servers and data farms to third party firms that have no vested interest in the data they are administering is like handing the keys to your house to a group of strangers and hoping they don’t steal your jewelry.
According to Perimeter E-Security, a security firm based in Milford, CT, which each year publishes its list of the Top 10 Threats to Information Security, “Malicious Insiders” are the number two threat for 2010, beaten only by “Malware”, and falling from the number one spot last year. According to this report:
“Malicious insiders were listed as the #1 threat for 2009 and were listed as a rising threat. According to a survey released in October of 2009 by Actimize and reported by DarkReading, nearly 80% of financial institutions worldwide say the insider threat problem has increased in the wake of the economic downturn. 70% of financial institutions reported incidents of insider fraud in the last 10 months. Nearly half of the banks in the Actimize survey say they are losing 1 to 4 percent of their total revenues to insider fraud.”
This report also cites a number of specific incidents including:
- The University Medical Center in Las Vegas learned that an employee allegedly leaked confidential patient data including Social Security numbers, billing data, and full descriptions of injuries and it has been reported that the information was sold.
- A T-Mobile employee stole customer records and sold them to a data broker who in turn sold the data to T-Mobile competitors. It included millions of records that contained valuable information such as account expiration date so competitors could target those customers at the time they may look for a new provider.
- Former Bank of New York Mellon employee Adeniyi Adeyemi was indicted on identity theft charges. He was charged with grand larceny, identity theft, and money laundering after stealing and using New York Mellon employee information. He opened phony bank and brokerage accounts where he deposited stolen money.
It would be very easy for all of us to focus on the person or persons who reportedly stole this information, or the founder of WikiLeaks who made the choice to publish this information for the world to see, but the reality is that it is the government who opened up their networks to far too many individuals and made it far too easy for this information to get out. Should we be surprised that there were secret deals made behind closed doors, or that the CIA is involved in things that could be considered illegal or even immoral, or that foreign leaders presented their views to the public in one way but communicated entirely different messages in “private”? There is an old saying that goes, “ignorance is bliss.” Quite frankly, I depend on the fact that we don’t know everything that goes on behind the scenes, nor should we. International politics is a dirty, stinky world, and it is behind these closed doors that private deals and conversations make politics function. The problem is that to get us to the places that we need to be, whether it is peace in the Middle East or nuclear disarmament, trade agreements or the search for terrorists, it is counterproductive for us to know the details of every e-mail and covert operation that is happening around the world. All that we really need to know is that peace was made, deals were formed, hostages were released, and our troops came home. How it all happens is something that we are better off not knowing, because if we did, much of what is now history may not have happened. The individuals who are responsible for leaking this information should be prosecuted to the full extent of the law, if for no other reason than they broke the law, but they are merely a symptom of a larger problem that affects governments and private organizations around the world, and that is the security of our internal networks and who is given keys to the kingdom.
Without serious action taken in both the private and public sectors, “Malicious Insiders” will continue to be one of the top two threats to network security, and this will not be the last we will hear from WikiLeaks.