WikiLeak's Next Dump May Alter Enterprise Security Forever

Tuesday, November 30, 2010

Anthony M. Freed


If the recent classified data disclosures by whistleblower organization WikiLeaks can be said to have officials in the U.S. and other governments in a scramble, then it would be fair to say that the pending release of confidential records from private enterprises should have executives and shareholders in a serious pucker.

In an interview with Andy Greenberg of Forbes in early November, fugitive activist Julian Assange revealed that his next target is the private sector, and the implications for the future of enterprise information security efforts are unprecedented.

Assange made clear his intentions to release damning documentation of improprieties by at least one major US bank. Also pending release are documents from pharmaceutical companies, financial firms and energy companies.

"We have one related to a bank coming up, that's a megaleak," Assange asserts. "It will give a true and representative insight into how banks behave at the executive level in a way that will stimulate investigations and reforms, I presume... For this, there's only one similar example. It's like the Enron emails..."

The Enron emails revealed a calculated culture of corporate corruption and an ethical void so vast that the disclosures spurred one of the biggest regulatory reforms in American history, yielding the passage of the Sarbanes-Oxley Act, which nearly ten years later is still finding its ultimate reach.

Information security professionals, both inside and outside the corporate structure, have long been fighting an uphill battle in their efforts to bring assurance to the forefront of enterprise management activities.

The widespread dependence on information technology and the dynamic nature of the challenges inherent in the protection of sensitive and proprietary data make security efforts difficult to justify to executives with a return-on-investment mindset that was drilled into them in business school.

Information security is seen as a cost-center proposition, where risk is most often evaluated in the absence of a breach event, leaving security professionals in the awkward position of proving a negative in order to justify an increased need for resources to counter burgeoning threats.

This information security paradox becomes readily apparent to all involved in the aftermath of a catastrophic data security event, and WikiLeaks is pursuing just that.

The crux of the problem for enterprise security is the fact that increased regulation has not resulted in increased security; in fact, the contrary may be true. Mandated audits and the threat of regulatory sanction too often appear to be greater threats to the company's bottom line than does the risk of a data loss event.

In a recent interview, Larry Clinton, President of the Internet Security Alliance said, "in short many organizations are now devoting their cyber security resources primarily to audit compliance which does not necessarily correspond to improved security. Indeed by drawing resources away from actual security to focus on regulatory compliance we may well be weakening our security."

The focus on compliance also gives the executive class a false sense of security. When all of the checklist boxes are filled in, the required certifications are in place, and the audit teams have given enterprise security efforts the green light, their focus turns elsewhere.

The pending release of thousands of pages of confidential information by WikiLeaks will undoubtedly shock corporate management out of their state of complacency.

So what is at stake? Well, a lot.

Potentially, the revelations could shake shareholder confidence across multiple sectors, and we could witness a sharp decline in the stock prices of enough companies to negatively affect any hope of an economic recovery for some time.

It could also, as Assange predicts, be the catalyst for even more regulatory reforms that, while well intentioned, will again ultimately do little to increase enterprise security while further raising the cost of compliance - a cost ultimately borne by consumers.

But on the positive side of things, it could be the impetus that the information security sector needs to finally garner the resources required to optimize security efforts, ultimately reduce the risk of data loss events, and realize long term savings for businesses.

This utopian feat will be evident when security best practices finally become "baked-in" to the enterprise at every stage of operations, in sharp contrast to the "we built this, don't let anyone break it" mentality that is currently the status quo.

Unfortunately, but predictably, it takes an event of such catastrophic magnitude to cause a sea change on the level we will witness after WikiLeaks decides to pull the trigger on the private sector.

Get ready to see how the sausage is made.

Robb Reck Has anyone said how WikiLeaks received these documents? Was it an insider giving away the info (as happened with the military docs) or someone hacked into the bank? I haven't followed the story very closely.

It seems very unlikely to me that the release of these documents will affect the stock price of anyone other than the company directly affected... and that company probably will be affected an amount proportional to the amount of media coverage the story gets. Just about every big company has suffered significant data breaches, and as of yet I haven't heard of it hitting their stock price significantly. Unless, of course, the breach uncovers the kind of inappropriate/illegal activity that we saw with Enron. Then all bets are off.
Anthony M. Freed @Robb - Heartland Payment Systems had a more than 50% drop in their stock price immediately after the breach was revealed, and it has never fully recovered despite a vigorous balance sheet. And the reason I feel that this release may hit the DOW as a whole is that the pending dump represents several major sectors of the market index, and yes - they probably show illegal activities of some degree, at least according to Assange. Also, the docs pertaining to the "major bank" may have to do with the securitization of mortgages during the bubble, poor lending practices, and other issues related to the current foreclosure crisis. If so, it could spill the beans on more than just the bank in question and rock the markets. The release could also spur any number of investor or consumer class action suits, as well as regulatory investigations. Stock prices are for the most part comprised of two elements: capitalization and shareholder confidence. A deficit in either can make a stock price fall like a rock.
Brian Bartlett @Anthony, yes far too many people miss the psychological element to market behavior and far too often some little thing will, a few decades later, lead everyone over a precipice. ["The Housing Bubble" and mortgage crisis actually started gestating four decades ago.] In reference to those executives that either will not invest in security or consider compliance as equivalent to secure I have one observation: That warm fuzzy feeling knowing that you aren't going to prison where you will meet a cell-mate named "Bubba"? Priceless.
J J Wow, you are so misguided. You think that because Wikileaks is telling us, the American people, exactly how ethically corrupt the executives of our banks are, it just means that you'll get a bigger potential check from said executives? So you think that maybe you'll enable a little more corruption and ignore the deluge of legislation on the way, eh?
Anthony M. Freed @JJ - We are talking about information security here, not other people's lack of morals - that is best left to other forums. Sure, this time it was just WikiLeaks and the stolen data might be a peep show into corporate greed, but it could just as easily have been the Russian mob and they could have taken the pensions of a few dozen saintly nuns, or your parents, or your kids' college fund. Or it could be jihadists taking plans for a dirty bomb, or a Nobel Prize winning scientist's research on a cure for cancer. The same principles of quality security assurance are at play either way. And yes, I hope they cut us all big, big, big checks to protect their data, because that is our job.

@Brian - Thanks - agreed - priceless!
Danny Lieberman Anthony,

First of all like you say - this is a good thing for information security consultants and solution providers, especially if it drives companies to invest in DLP. There are some good technologies out there and companies that implement DLP thoughtfully (even if for dubious reasons) will be profiting from the improved visibility into transactions on their network and better protection of IP and customer data.

Second of all - this is purely speculative - but I have a gut feeling that the Obama administration is behind the Wikileaks disclosures on US banking. I am not one for conspiracy theories but it is consistent with the Obama policy that required banks to accept TARP funds and stress testing in order to make the financial institutions more beholden to the Federal government.

This is also consistent with the State Department cables, which also appear (from my vantage point in the Middle East) to be deliberate leaks in order to further the agenda against the Iranians without coming out and saying so specifically.