Part I: Dumb Criminals, Smart Criminals
Manning came to the attention of the FBI and Army investigators after he contacted former hacker Adrian Lamo late last month over instant messenger and e-mail. Lamo had just been the subject of a Wired.com article. Very quickly in his exchange with the ex-hacker, Manning claimed to be the Wikileaks video leaker.
I’ll start out by not even commenting on the morality of what has transpired in the above article. I’ll start elsewhere.
There are dumb criminals and there are smart criminals. Smart criminals are the ones we (people in general, but also law enforcement) fear the most. Especially smart criminals with financial backing doing ‘white collar’ types of premeditated (or even random opportunistic) crimes…those are difficult to pursue!. They’re typified by not being dumb enough to necessarily get caught. Not all smart criminals get away with what they do, but they tend to be the ones to get away with it if anyone does.
Dumb criminals get caught. Much like your general hacker criminals, they tend to do dumb things, have spotty skills, and more likely end up talking about what they’ve done by making dumb decisions or having dumb associations and misplaced trust.
Manning did a dumb thing: he talked to someone. Not only did he talk to someone, he talked to someone with a level of celebrity status (for better or worse), who has ties to the FBI (for good or bad), and has an interest in not harboring national security secrets for another criminal. Ouch.
A smarter criminal would not have talked, or if he did, he would do exactly as Liquidmatrix mentioned: either nut up or shut up.
Another thing: Just how long and how much could have been disclosed had Manning not been dumb and talked to someone? How many not-dumb Mannings are lurking in your network?
Part II: Challenges in Organizational Security
“If you had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months, what would you do?” Manning asked.
I knew before reading the article that I wasn’t going to be impressed with how Manning exfiltrated the videos (and thousands of other files) from secure locations.
The sobering thought on this is…Manning had no real beef with what he was doing. He wasn’t getting paid, he didn’t seem to have some external motivation. He performed what I consider a crime of opportunity. Thankfully, that’s “all” it seemed to be. Sure, it was performed over many months of time and repeatedly, but I still consider all of that to be opportunistic as far as crimes go.
But this is why espionage (both national and corporate) scare me more than even anonymous Internet-borne crime: they physically influence and turn a real, living asset who has access into your secret network and information, and leverage that relationship to siphon out information. Or worse, actually perform active sabotage or other planting of access for others. This is why “cyberwar” doesn’t scare me as much as rogue insiders, depending on the organization in question.
What if a nation-state had targeted and turned Manning successfully? Someone like him truly is a goldmine worth the cost to acquire.
And don’t make the mistake in thinking Manning is an outlier. He’s just another face on the crowd, not much different at all from the rest. The sort of guy and white-collar crime that can be really scary to address.
I haven’t even touched on the fact that Manning had the warning signs of being a disgruntled worker. (Though how many people *wouldn’t* have those signs to some degree, who knows, but it should increase the level of organizational paranoia nontheless!)
Part III: Information Just Wants To Be Free
“He would message me, Are people talking about it?… Are the media saying anything?” Watkins said. “That was one of his major concerns, that once he had done this, was it really going to make a difference?… He didn’t want to do this just to cause a stir…. He wanted people held accountable and wanted to see this didn’t happen again.”
Part of the underlying ‘hacker ethic’ deals with the tendency of information to be free, much in the same way that electrons tend towards chaos or water tends to fill whatever form it can that presents the least resistence.
Perhaps Manning will ultimately be hailed as a moral whistleblower who is exposing secrets that should be made available to the public, for the good of the public.
But at least think about that when thinking about what should be held secret by a company and what effort may be needed to keep that “tendency toward freedom” that information tries to flow. (And how powerful it may make a third party who suddenly has possession of such valuable information, like WikiLeaks reportedly may be now.) If your organization truly wants to emulate the, “Do no evil,” mentra, then there shouldn’t be many terribly damaging pieces of information (other than patents and trade secrets and the like) inyour possession, right? Mistakes, sure, but is it better to bury them or be transparent with them?