
If the communication logs from the Afghan and Iraqi wars weren't enough of a sign, the release by WikiLeaks of a quarter of a million US Embassy cables from around the world marks a new era for privacy and confidentiality. Or rather, the end of an era. Ironically, this new era will be marked by more secrecy and less openness.
You may not be among the politicians, civil servants, editors, journalists, NGO staff or business leaders who fear the worst for having spoken candidly with US diplomats in the belief that your views would remain confidential. But that doesn't mean you shouldn't be afraid. Very afraid.
The organisation, which bills itself as an aid to “whistle-blowing”, has already stated its intent to go after Bank of America. Meanwhile, anonymous defenders of WikiLeaks and its head, Julian Assange, have successfully struck major firms viewed as hostile to their hero. Denial of service attacks have hit the sites and service capabilities of MasterCard, Visa, Swiss Bank, Amazon.com and PayPal. Twitter is rumoured to be next.
The likelihood that your company will eventually get hit has just gone through the roof. No information is safe any more.
The question is no longer about the specifics of the latest WikiLeaks incident.
It isn't about whether diplomatic communications should all be in the clear, or whether a lack of confidentiality will cripple diplomacy as we know it. It is no longer about whether wholesale disclosure, as opposed to specific whistle-blowing, is justified by the mere possibility that evidence of wrongdoing might emerge from trawling the archive. It is no longer about whether Assange is doing the right thing, and if so, whether he is sufficiently careful about revealing the identities of sources who may find themselves endangered by the revelations.
Even if Assange were a hero and a saint, interested only in truth and saving lives, going only after confirmed evildoers, and scrupulously withholding information that he, in his sole discretion and superior wisdom, deems worthy of secrecy, anyone else can do what he did. If WikiLeaks disappears tomorrow, whether by legal means or dark conspiracy, a dozen copycats will spring up to take its place. They may well have even fewer scruples than Assange claims for himself.
Relying on the idea that WikiLeaks is doing good, and targeting only a few organisations who are either unlucky or deserve it, is naïve.
For the realists and pragmatists employed to run the companies and manage the capital of shareholders, the question should be about how to deal with secret information.
Broadly speaking, there are two kinds of claim to confidentiality. Both are legitimate.
One is a claim based on corporate interests, such as competitive intelligence or strategic plans. There are many examples, such as how high you're authorised to go on a bid, how extensive your capabilities are, what you're working on in your R&D labs, or how long you can afford to sustain a price war. No good can come of disclosing such information, except to your competitors.
The other is confidentiality required by law or under contract. Private customer data or internal employee evaluations would fall into this category.
Just as there are different kinds of information that merit protection, different categories of information are not equally likely to be targeted for leaks. Traditionally, the focus has been on a limited set of strategic data vulnerable to industrial espionage, and to well-defined types of confidential data protected in compliance with law or regulation. If wholesale disclosures are going to become more frequent, the focus will have to shift to embrace all information, even if only for fear that it might embarrass the company if disclosed or taken out of context.
Ivo Vegter, ITWeb contributor
The traditional risk equation, in which the cost of a breach times the likelihood of its occurrence accounts for risk, has just become a whole lot uglier.
The range of responses will have to be broad. IT security will have to be beefed up. It would not be surprising to find companies turn to encrypting information by default, rather than protecting only information that formerly appeared to be sensitive.
Access to information policies may well be reversed: whereas information sharing used to be thought a virtue, and was freely permitted and even promoted unless it was specifically classified as sensitive, the default in many companies will now become to permit access on a need-to-know basis only.
Companies will want to make it hard for untrusted or partially-trusted parties not only to access information, but also to disseminate it. Both role- and identity-based access control will have to become much more rigorous. Software lockdowns on employee machines, and policies about their use of non-approved devices, such as their own smartphones or WiFi networks, will have to become stricter. This will annoy your staff, and make them less productive.
New technical measures will have to be considered to protect information, such as physical security keys, biometric encryption, and multi-party decryption policies. Logging and tracking technologies will need to be implemented, to keep a detailed record of exactly who sees what information under what authority, and to alert security officers as soon as any breach of protocol is detected.
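The need-to-know default, the role- and identity-based checks, and the "who sees what under what authority" logging with alerting described above can be sketched as a small policy engine. The following is an added example for illustration, not code from the column or from any product it mentions; the clearance ladder, team and role names, document labels and alert thresholds are all constructed assumptions.

```python
"""Default-deny, need-to-know access control with an audit trail and alerts.

Added illustrative example (not from the original column). Every document
carries a classification label and an owning team; every access decision is
recorded together with the authority it was granted (or refused) under; and a
detector flags repeated denials or bulk reads of non-public material.
All labels, names and thresholds below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

# Clearance ladder (constructed): a principal may read labels at or below
# its own clearance, subject to the need-to-know rules in decide().
LEVELS = ["public", "internal", "confidential", "restricted"]


@dataclass(frozen=True)
class Document:
    doc_id: str
    label: str         # one of LEVELS
    owner_team: str    # the team with a need to know


@dataclass(frozen=True)
class Principal:
    user: str
    clearance: str     # one of LEVELS
    teams: frozenset   # teams the user belongs to (identity-based scope)
    roles: frozenset   # e.g. {"auditor"}; assumed role with cross-team read


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, doc_id, decision, authority):
        # Granted and denied decisions are both logged: the record answers
        # "who saw (or tried to see) what, under what authority".
        self.entries.append({"user": user, "doc": doc_id,
                             "decision": decision, "authority": authority})


def decide(p: Principal, d: Document) -> tuple:
    """Return (decision, authority). Nothing is granted unless a rule says so."""
    if LEVELS.index(p.clearance) < LEVELS.index(d.label):
        return "deny", "clearance below label"
    if d.label == "public":
        return "grant", "public label"
    if d.owner_team in p.teams:
        return "grant", "need-to-know: member of " + d.owner_team
    if "auditor" in p.roles and d.label != "restricted":
        return "grant", "role: auditor"
    return "deny", "no need-to-know"          # default deny


def access(p: Principal, d: Document, log: AuditLog) -> bool:
    """Evaluate the policy, log the outcome, and report whether access is allowed."""
    decision, authority = decide(p, d)
    log.record(p.user, d.doc_id, decision, authority)
    return decision == "grant"


def alerts(log: AuditLog, max_denials=3, max_reads=5) -> list:
    """Flag users with repeated denials (probing) or bulk non-public reads."""
    denials, reads = Counter(), Counter()
    for e in log.entries:
        if e["decision"] == "deny":
            denials[e["user"]] += 1
        elif e["authority"] != "public label":
            reads[e["user"]] += 1
    out = []
    for user, n in denials.items():
        if n >= max_denials:
            out.append(f"{user}: {n} denied accesses (probing?)")
    for user, n in reads.items():
        if n >= max_reads:
            out.append(f"{user}: {n} non-public reads (bulk export?)")
    return sorted(out)


def run_demo() -> tuple:
    """Constructed scenario: returns (audit log, alert list)."""
    log = AuditLog()
    rnd_docs = [Document(f"rd-{i}", "confidential", "rnd") for i in range(6)]
    board = Document("board-1", "restricted", "exec")
    alice = Principal("alice", "confidential", frozenset({"rnd"}), frozenset())
    bob = Principal("bob", "internal", frozenset({"sales"}), frozenset())
    carol = Principal("carol", "restricted", frozenset({"legal"}), frozenset({"auditor"}))
    for d in rnd_docs:            # alice pulls the whole R&D folder
        access(alice, d, log)
    for d in rnd_docs[:3]:        # bob keeps trying documents above his clearance
        access(bob, d, log)
    access(carol, rnd_docs[0], log)   # auditor role: cross-team read allowed
    access(carol, board, log)         # restricted, not her team: default deny
    return log, alerts(log)


if __name__ == "__main__":
    _, found = run_demo()
    print("\n".join(found))
```

The point of the shape is that the audit log is a by-product of the decision itself, so there is no code path that reads a document without leaving a record, and the alert rules work from that same record rather than from a separate, optional logging step.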
Don't be surprised to come across exotic counter-intelligence measures such as poison pills able to physically destroy compromised data, or which undermine the integrity and credibility of real data by seeding it with false data.
Beyond physical and operational security procedures, companies will have to rethink their approach to “soft security”.
Do you have a fall-back plan if a key strategy is exposed and thereby rendered ineffective? Do you have a credible presence in the media, including social media? Do you have a detailed crisis response plan to deal with reputation damage because a careless executive defamed a competitor or employee in an internal e-mail? Can you go on radio or TV in half an hour to explain to the public a brutally candid cost-benefit analysis of measures to protect the environment, food hygiene procedures in your fast-food outlets, or safety devices for the children's toys you produce?
Do you have contractual arrangements that impose heavy penalties on employees, customers and partners who compromise confidential information? Do you have contract clauses that allow you to recover in a negotiation scuppered by a leak of confidential data?
The worst impact of WikiLeaks, however, is not just the ominous rise of paranoid security measures. The worst may be a future in which less information is committed to any sort of permanent record. If it becomes routine to avoid recording discussions and negotiations that, if disclosed to the wrong people, might harm corporate or personal interests, the implications will be grave. Corruption and crime will be easier to get away with. Oversight by shareholders, regulators, or the media will become more difficult. In civil courts, more cases may founder at the evidence discovery stage, which will reduce the availability of justice to those who are wronged.
The ironic impact of a new age in which confidentiality and secrecy are so easily compromised is not that customers, competitors, and citizens will be better informed, and governments and companies will be more honest and ethical in their business.
The impact will be that even comparatively harmless information will become ever-more zealously guarded. Access to data and information sharing will become more difficult, and fraught with reservations, validation prerequisites, contractual penalties and technical barriers.
Companies will guard their information better than ever. Customers, competitors and citizens will know less, and perversely, they will get to pay the cost of the technical and procedural measures that attempt to ensure this.
Also, while you're busy selling your shares in banks, pharmaceutical companies, telcos, oil majors and big retailers, remember to buy information security firms with the proceeds. They're going to love 2011.