“You have zero privacy anyway. Get over it” – I’m sure many remember Scott McNealy, CEO of Sun Microsystems coming out with that controversial phrase in 1999. Yet 15 years later instead of the problem being dealt with it now is hotter than ever. In Episode 35, Forensic 4cast discussed the events surrounding HBGary, having been articulately hacked by activist group Anonymous – because of their assistance to government investigations against them and possible connections to data leaks through website WikiLeaks.org. This attack has been particularly personal for the victims who have been caught in a much bigger cyber-privacy whirlwind. What kind of message is this sending to those in the same position as HBGary? – are the enforcers who stamp out cybercrime activities likely to be at threat for providing services to aid justice? Is it not acceptable for professional security firms to assist the government investigating computer crimes?
Freedom of Information
First a quick history lesson – open your books at the Freedom of Information… FOI has been around for a long time and is well set in legislation (FOIA 1966 US, FOI 2000 UK) – laws which we the public lobbied for to gain access to information we believed was our right to see. This included personal details held by government agencies as well as restricted information deemed to be in the public’s interest. More recently with the advent of the computer as a prime means of holding information, FOI matured and became more complicated. Legislation was kept up to date to deal with the electronic storage of information (E-FOIA 1996) and this transparency continued to encourage good working practices. We have become used to this and I have even exercised this right several times placing disclosure requests against companies who hold my data (keeps them on their toes!). In addition, it has caused a transformation of the media industry who now use FOI as a key tool to write headlines and scoops. For some this was always a step too far and pushes FOI to the limit of what it was really designed for.
Risk to the enforcer
While the laws haven’t changed much, the attitudes to interpreting them most certainly have. Openness and privacy have complex and contrasting meanings which are open to much interpretation – cultures, industries and the passing of time itself are just a few reasons for different viewpoints. In the last few years we have heard noises from various anti-privacy groups that the restriction of information is still far to tight. The Anonymous/WikiLeaks story epitomizes this. In an interview in January 2011, Julian Assange summed up his thinking into a single paragraph:
“The more secretive or unjust an organization is, the more leaks induce fear and paranoia in its leadership and planning coterie …Since unjust systems, by their nature, induce opponents, and in many places barely have the upper hand, mass leaking leaves them exquisitely vulnerable to those who seek to replace them with more open forms of governance.” – Julian Assange, Jan 2011
I don’t know about you – but I find that a pretty frightening statement. So what message is that putting out to the HBGary’s out there? Cyber warfare is complex. One man’s right is another man’s wrong – Assange’s quote shows this. He would like an FOI Act on steroids. This challenge has always existed – this is just a new plain on which the challenge is being presented. Just as when the original Act was formed in 1966 due to pressures on making data more open, there are those today who continue to hold the belief that the required level of transparency hasn’t yet been reached. It is still early in this struggle but it already places those like HBGary who considered themselves of integrity in the firing line for supporting the very agencies that others have determined are at fault. Does this mean forensicators dealing with criminal cases should expect to have their reputation slurred by activists who don’t like the laws that cover computer crimes? What about those who help secure private networks? Are they now seen to be targets as supporters of those departments who protect classified information?
There are lots of questions and chaos, and no real answers at the minute – at least none that directly respond to these new threats. However we should be able to use lessons learnt from the past:
1. Accept the risks that come with the job. Basic but important to remember. Just like a security guard shouldn’t be surprised to see the odd bandit, the nature of your work may mean risks of attack are always there. You need to tune your mindset accordingly.
2. Display professional discretion. To build upon the acceptance, you should be wise when discussing client work and your general role in public spaces. Loose lips can sink ships.
3. Implement safeguards in your work. Those who work in forensics operate to flawless procedures – where simple inaccuracies or reason for doubt can result in the entire loss of a case – never mind the developing consequences on the reputation. Minimise the risk and put all safe guards in place. Don’t make it easy for those who wish to defame you – make your own work bulletproof.
4. Maintain your integrity. If everything else fails you will hoping you have LOTS of this. Having a reputation and history for being trustworthy by peers and clients could make the difference between surviving the rage of an attack or not. You can’t buy it or get a certification in it – it’s built continually as part of your working life.
So where does this leave us?
Having to watch every step? McNeal was warning us about privacy issues in 1999, and others well before that. The reality is that as we battle and solve today’s fight, there are those planning the new attacks for tomorrow. Those in law enforcement or who support government departments probably already have a built-in awareness to the risks around them. It’s now clear more than ever that security firms in the private sector must also consider their ability to deal with these issues. Ultimately the risks can only be managed through sensible choices – you cannot make them go away. Remember above all else: maintain your integrity.
David Hewitt is a security consultant and published writer of articles on digital forensics and IT law. He runs the Forensically Speaking Project, which looks at emerging technologies and their impact to forensics and cybercrime. Follow him on Twitter @Forensically or contact him at firstname.lastname@example.org.