Admiral Mullen (Joint Chiefs of Staff) tweeted “Meant what I said: Mr. Assange & his source might already have on their hands the blood of our troops or that of our Afghan partners.” I have some issues with this comment. First, the Admiral was talking about Wikileaks release of secret information dealing with the Afghanistan war. I haven’t commented on that, but I see some arrogance in the Admiral and think we should look at a few things.
First decision theory in several domains suggests that to much information is just as bad as to little information. Lawyers in civil cases use too much information as a tactic all the time to bury the opposing council. It can take years to analyze data of that depth. It may be years before the chaff has been dealt with in the documents. There is nothing new here. It takes time to analyze data with any kind of reasoned expectation of then setting up operations based upon it.
Second, information theory suggests that collating data quickly into reasoned information summaries (for human consumption) requires a tightly aligned algorithm (or process) to the original source data. Few of the journalists are going to have that skill or capability thus slowing them down. It is likely that another nation state with intelligence systems will be able to comb through the data rapidly using their own intelligence processes similar to how the data was generated. In other words to effectively parse the data you should already have an effective intelligence group. Perhaps a few non-nation state or corporate actors will have that ability. Even then, time still be a constraint, and the set of actors able to use this data rapidly is a set rapidly approaching null.
Third, infosec theory says prior to exposure analysis should have been done on what would happen if that data was exposed by the aggrieved party. A remediation or recovery plan for each of the operations in process or strategies exposed should have been known before the exposure. How we run intel or info systems the military should not be counting on single security mechanisms that can not be flexibly adapted to the situation. Exposures happen and that is why remediation plans are so important to corporate and government systems. This is true where money is on the line. It should have been a pillar of the operational environment if peoples lives are on the line.
There seems to be an improper expectation rampant in the United States military that total secrecy with infinite temporal continuation actually exists. The reality is that all secrets are exposed by action/inaction/operational necessity over time whether overtly or covertly communicated. How you do things exposes information to an adversary. How you operate within your environment over time will expose tactical and strategic elements. there is an entire art to pattern recognition and evaluation as a tool to deciphering an opponents actions. The expectation that secrets will be kept forever, as in the over-classification phenomenon in the government currently, shows an organizational arrogance nearing on childish. There is a place in government for secrets, but there is a place in all organizations for information security.
Let’s get this straight. Wikileaks violated the secrecy of a sovereign nation. As an organization Wikileaks is operating as we might see in a fifth generation war. The politics and ambitions of this non-national actor can be rightfully questioned. If Wikileaks was a nation state the harm that could be found in the leaked information could be used as a reason for going to war. The act of spying on another nation and thus causing harm should not be understated as a reason for people to be upset. Personally I think Wikileaks sucks. I don’t know of a better way to bring transparency to government unwilling to engage in it, but I can see that Wikileaks isn’t doing to good at it either.
The issue is that if people died because of Wikileaks it is the ultimate proof that security through obscurity never works in the long term. The admiral by all accounts is upset about the exposure of information. Laying a bloody straw-man at the foot of Wikileaks looks tough, but it is the act of a pompous and arrogant man. The military is in the business of killing people not playing schoolyard bully to a website. If people have died, while leaders knew this information was going to be exposed, then it is proof of the arrogance of military leadership and the ultimate in abandonment of responsibility. I among many would look at Wikileaks and say shame on you admiral. If people died because of the loss of control over this information then shame on the military leaders. The rapid, adaptable, and reasoned response to a data exposure is to remediate and reduce risk. If people died, as the admiral says, then military leaders abandoned their posts.
Addendum: I’ve always respected Admiral Mullen, but if you believe in the mission of the military then you have to be willing to tell them when to shut up and quite whining. Give me a call Admiral we can talk about ways to implement infosec practices.