“You have zero privacy anyway. Get over it” – I’m sure many remember ScottÂ McNealy, CEO of Sun Microsystems coming out with that controversial phrase inÂ 1999. Yet 15 years later instead of the problem being dealt with it now is hotter thanÂ ever. In Episode 35, Forensic 4cast discussed the events surrounding HBGary,Â having been articulately hacked by activist group Anonymous – because of theirÂ assistance to government investigations against them and possible connections toÂ data leaks through website WikiLeaks.org. This attack has been particularly personalÂ for the victims who have been caught in a much bigger cyber-privacy whirlwind. WhatÂ kind of message is this sending to those in the same position as HBGary? – are theÂ enforcers who stamp out cybercrime activities likely to be at threat for providingÂ services to aid justice? Is it not acceptable for professional security firms to assist theÂ government investigating computer crimes?
Freedom of Information
First a quick history lesson – open your books at the Freedom of Information… FOIÂ has been around for a long time and is well set in legislation (FOIA 1966 US, FOIÂ 2000 UK) – laws which we the public lobbied for to gain access to information weÂ believed was our right to see. This included personal details held by governmentÂ agencies as well as restricted information deemed to be in the public’s interest. MoreÂ recently with the advent of the computer as a prime means of holding information,Â FOI matured and became more complicated. Legislation was kept up to date to dealÂ with the electronic storage of information (E-FOIA 1996) and this transparencyÂ continued to encourage good working practices. We have become used to this and IÂ have even exercised this right several times placing disclosure requests againstÂ companies who hold my data (keeps them on their toes!). In addition, it has caused aÂ transformation of the media industry who now use FOI as a key tool to writeÂ headlines and scoops. For some this was always a step too far and pushes FOI toÂ the limit of what it was really designed for.
Risk to the enforcer
While the laws haven’t changed much, the attitudes to interpreting them mostÂ certainly have. Openness and privacy have complex and contrasting meanings whichÂ are open to much interpretation – cultures, industries and the passing of time itself areÂ just a few reasons for different viewpoints. In the last few years we have heard noisesÂ from various anti-privacy groups that the restriction of information is still far to tight.Â The Anonymous/WikiLeaks story epitomizes this. In an interview in January 2011,Â Julian Assange summed up his thinking into a single paragraph:
“The more secretive or unjust an organization is, the more leaksÂ induce fear and paranoia in its leadership and planning coterie â€¦Since unjust systems, by their nature, induce opponents, and inÂ many places barely have the upper hand, mass leaking leaves themÂ exquisitely vulnerable to those who seek to replace them with moreÂ open forms of governance.” – Julian Assange, Jan 2011
I don’t know about you – but I find that a pretty frightening statement. So whatÂ message is that putting out to the HBGary’s out there? Cyber warfare is complex.Â One man’s right is another man’s wrong – Assange’s quote shows this. He would likeÂ an FOI Act on steroids. This challenge has always existed – this is just a new plain on which the challenge is being presented. Just as when the original Act was formed inÂ 1966 due to pressures on making data more open, there are those today whoÂ continue to hold the belief that the required level of transparency hasn’t yet beenÂ reached. It is still early in this struggle but it already places those like HBGary whoÂ considered themselves of integrity in the firing line for supporting the very agenciesÂ that others have determined are at fault. Does this mean forensicators dealing withÂ criminal cases should expect to have their reputation slurred by activists who don’tÂ like the laws that cover computer crimes? What about those who help secure privateÂ networks? Are they now seen to be targets as supporters of those departments whoÂ protect classified information?
There are lots of questions and chaos, and no real answers at the minute – at leastÂ none that directly respond to these new threats. However we should be able to useÂ lessons learnt from the past:
1. Accept the risks that come with the job. Basic but important to remember. JustÂ like a security guard shouldn’t be surprised to see the odd bandit, the nature of yourÂ work may mean risks of attack are always there. You need to tune your mindsetÂ accordingly.
2. Display professional discretion. To build upon the acceptance, you should beÂ wise when discussing client work and your general role in public spaces. Loose lipsÂ can sink ships.
3. Implement safeguards in your work. Those who work in forensics operate toÂ flawless procedures – where simple inaccuracies or reason for doubt can result in theÂ entire loss of a case – never mind the developing consequences on the reputation.Â Minimise the risk and put all safe guards in place. Don’t make it easy for those whoÂ wish to defame you – make your own work bulletproof.
4. Maintain your integrity. If everything else fails you will hoping you have LOTS ofÂ this. Having a reputation and history for being trustworthy by peers and clients couldÂ make the difference between surviving the rage of an attack or not. You can’t buy itÂ or get a certification in it – it’s built continually as part of your working life.
So where does this leave us?
Having to watch every step? McNeal was warning us about privacy issues in 1999,Â and others well before that. The reality is that as we battle and solve today’s fight,Â there are those planning the new attacks for tomorrow. Those in law enforcement orÂ who support government departments probably already have a built-in awareness toÂ the risks around them. It’s now clear more than ever that security firms in the privateÂ sector must also consider their ability to deal with these issues. Ultimately the risksÂ can only be managed through sensible choices – you cannot make them go away.Â Remember above all else: maintain your integrity.
David Hewitt is a security consultant and published writer of articles on digitalÂ forensics and IT law. He runs the Forensically Speaking Project, which looks atÂ emerging technologies and their impact to forensics and cybercrime. Follow him onÂ Twitter @Forensically or contact him at firstname.lastname@example.org.