In February 2009 the State Department asked all US missions abroad to list all installations whose loss could critically affect US national security.Something that Internet Security people had to grapple with a decade ago is called "Responsible Disclosure". Imagine that you're a security researcher. Imagine that you discover a vulnerability that effects many, many computers on the 'Net. Do you notify the vendor that created the software, who could create a fix, or do you call a press release?
The list includes pipelines, communication and transport hubs.
Several UK sites are listed, including cable locations, satellite sites and BAE Systems plants.
BBC diplomatic correspondent Jonathan Marcus says this is probably the most controversial document yet from the Wikileaks organisation.
If you announce the vulnerability before there's a fix available, then you put lots of people at risk. There's nothing that they can do to defend themselves (remember, there's no fix available because you didn't notify the vendor), but the Bad Guys will have information they can use to create a new attack.
While Responsible Disclosure remains somewhat controversial to this day, the basic motivation is solid. The world is filled with soft targets, and people who would like to exploit them. You don't just recklessly disclose this sort of thing without good - really good - justification.
I'm struggling to understand Wikileak's rationale. What does releasing the location of the terminus of the tran-Atlantic fiber optic cables accomplish? I mean, politically?
Having been in the Internet Security community for a long time, I have personal experience with being stonewalled by vendors who didn't want to make a fix. For one vendor (no, it wasn't Microsoft), I had to call one of their people in the Netherlands because nobody in Mountain View would get back to us. I called himj because he was active on the security Usenet lists, and so I knew that his heart would be in the right place. It was. That's no way to run a RailRoad, but it would have been irresponsible for us to throw up our hands and go public on a vulnerability in widely deployed software, for which there was no way for people to defend themselves.
It looks like Wikileaks just did precisely that.
Cables about Gitmo or the like are plausibly political in nature. Their release could cause embarrassment to governments, and potentially effect the political debate in the West. But releasing the fact that such-and-such factory is critical for the nation's blood supply?
I'm normally one to take statements about the need for secrecy from government officials with a huge grain of salt. But this seems so reckless that it gives credibility to this:
Are they interested? I don't know. Could they use this to cause terrible damage? It sure seems plausible. And Wikileaks' PR flack simply sounds idiotic here:
Former UK Foreign Secretary Sir Malcolm Rifkind condemned the move.
"This is further evidence that they have been generally irresponsible, bordering on criminal," Sir Malcolm said. "This is the kind of information terrorists are interested in knowing."
Mr. Stevens, you sound precisely like a bunch of Internet Security nerds I've run across before. With them, it wasn't about security, it was about getting in the glare of the Klieg Lights.
But Wikileaks lawyer Mark Stevens denied that Wikileaks was putting people and facilities at risk.
"I don't think there's anything new in that," he told the BBC.
"What I think is new is the fact that it's been published by Wikileaks and of course we have the Wikileaks factor because a number of governments have been embarrassed by what's happened..."
Hat tip: Legal Insurrection.