Wednesday, December 22, 2010

Thoughts on Wikileaks and the U.S. Government

Governments have a right and a duty to keep some things secret. Whether it's individual medical records at government hospitals or nuclear weapon design parameters, some data should never become available for all to see. That said, it's the government's responsibility to take measures to protect those secrets. Leaks by individuals trusted with secrets have always been a problem, but computer technology amplifies the danger enormously. Modern computers are built to share information, not protect it, and the price and size of data storage have dropped so low that 250,000 classified diplomatic cables can comfortably fit on a MicroSD storage card the size of a fingernail, selling for under $10. Keeping something that small from moving in or out of even the most secure facility is nearly impossible.

Nor is it enough to restrict access to only people who have been vetted for security clearances. Assuming the vetting process is 99.9% effective, and 1000 cleared people have access to the data, the probability of at least one leak is 63% (1 - 0.999^1000).

When I drove my son back to school after this Thanksgiving, I took him to the campus bookstore to buy him a new laptop. Driving home, I got a call from my credit card company asking to verify a recent transaction. Their computers apparently found it odd that I made a large purchase 100 miles from home. Now, a credit card company has a strong interest in quickly stopping misuse of a stolen card, but didn't the U.S. Government have an even stronger interest in protecting classified information? It's not as if the risk Wikileaks posed was unknown. The U.S. Army wrote a report about the security hazards posed by Wikileaks, which report found its way to the Wikileaks site.

After the 9/11 attacks in 2001, there was a strong push to break down barriers sequestering information that could prevent future attacks if shared. Large amounts of classified data, including hundreds of thousands of diplomatic cables and wartime incident reports, were made accessible over special networks that could only be used by people cleared at the Secret level. Was software developed in parallel to track unusual usage by individuals? Was it deployed in the field? If not, why not? Who made the decision to allow sharing without adequate precautions? Is such software deployed universally now? Those are the questions the U.S. Government should be pursuing, instead of the embarrassingly pointless effort to keep people from reading cables already published.

So far the leaked cables have caused more embarrassment than danger. Even the cable listing potential terrorist targets worldwide should have modest impact. It's not as if the terrorists had run out of potential targets they knew about.

My big worry is highly classified data that was not leaked, particularly software used to design nuclear bombs. The vast majority of U.S. nuclear weapons were designed between 1945 and 1983 using a series of ever more powerful supercomputers. However, none of those supercomputers come close to the power of the average desktop computer in use today. Indeed, most were puny compared to the Macintosh G4 released in 1999 that was the subject of the famous Apple Tank Ad, which you can watch at Those G4's now gather dust in thousands of basements. Software programs for bomb design likely would take much less space on a memory card or thumb drive than all those diplomatic cables. What is being done to ensure they never leak?
