It seems that Wikileaks has become the cause-du-jour. In late 2010, rabidinous supporters launched targeted cyberattacks in efforts to bring their own DDoS-flavored retribution upon dissenters. Working in the field of information security, it is difficult to not be whole-heartedly against both this position and method of “support”.
Data classification is the bedrock upon which information security best practices are founded. Without an understanding of what data is more sensitive in nature than other data, determining appropriate protection levels is folly.
Should financial data be considered any more sensitive than e-mail correspondence? Should Human Resource data be handled differently than a stock image archive? Certainly. Why? Because corporations, and as we have most recently learned, banks and their account holders; can be damaged or otherwise placed at a competitive disadvantage by the unauthorized disclosure of their financial data. Because as individuals, the unauthorized disclosure of our SSNs or background check data can lead to identity theft among other long-term harm. It is the same reason why we cringe whenever we receive correspondence that begins, "We regret to inform you..." and blush when our personal correspondence or photos become public.
Therefore, the impact of the disclosure or breach of such data may fairly be considered to be justifiably high. The probability of its unauthorized disclosure or breach in this example is also recognizably influenced by the quality of controls protecting the data, inclusive of both the logical and physical.
Supposing that government or bank classification systems overprotect data in conflict with the right to public knowledge is to arrive at a belief without due consideration given to employed risk assessment metrics inclusive of probability, impact, and contributing risk factors. As such, the public, is at an unfortunate disadvantage in its ability to weigh the threat posed by unauthorized disclosure and astoundingly unqualified to speak to its need.
Consider this: If your fellow employee were to use their database access privileges to review your compensation package for use in their own salary negotiations, have they violated corporate trust? If the same employee then were to e-mail your compensation package to a company-wide distribution list, have they violated your right to personal privacy? If the same employee were to publish your compensation package to the web as they passionately argued that the information illustrates principles of corporate greed and the unfair labor practices of third world countries, have either corporate trust or your right to personal privacy been violated? Did the worthiness of the cause justify the unauthorized action?
In the case of Wikileaks, Mr. Assange's alleged source of 260,000 United States State Department cables, 22-year old Army intelligence analyst Private Bradley Manning, despite the extensive background checks employed by the military prior to granting clearance, still allegedly found a need to share. Since then, it has been reported that former Swiss banker Rudolf Elmer, despite the due care similarly taken prior to granting his access, also felt compelled to admittedly share over 2,000 confidential records of account holders in violation of Swiss banking laws in supposed reaction to bank inaction regarding alleged tax crimes. Further rumor of future release of internal banking documents have also been speculated to be pending.
While it can be certain that in post-breach lessons learned data, the United States government and banks around the world will pay closer attention to identity governance controls if not, at least, Data Loss Prevention considerations; the concept that it may be acceptable to flaunt organizational policy, state and federal laws, or even societal mores given personal belief in just cause is a slippery slope. Any media outlet willing to be complicit further threatens to erode whatever journalistic integrity it may have otherwise possessed.
