Listen to the podcast:
Julian Assange, the Australian founder of WikiLeaks, the controversial website that has been posting classified government documents, is now being held without bail in the U.K., awaiting extradition to Sweden for questioning regarding an alleged rape. But sensational news aside, his site’s recent release of confidential U.S. State Department cables has implications for businesses and corporations with sensitive information to shield, according to experts at Wharton and the University of Pennsylvania.
“WikiLeaks is a fascinating microcosm of a larger trend — that the Internet allows freer flow of information, including things we want to be available and things we don’t,” says Wharton professor of legal studies and business ethics Kevin Werbach. While premeditated leaks and other types of unauthorized disclosures are nothing new, he adds, digital technology makes it much easier for “one disgruntled individual” to unleash massive troves of information almost instantaneously.
For many, the WikiLeaks case has opened up a fundamental debate over privacy of information versus public access on the open web. In a column on The Guardian‘s website on December 6, John Naughton wrote: “The most obvious lesson [of the WikiLeaks case] is that it represents the first really sustained confrontation between the established order and the culture of the internet. There have been skirmishes before, but this is the real thing.” Indeed, while Assange is behind bars, WikiLeaks and other “mirror sites” that have sprung up to distribute its material are threatening to release a code that would unleash more sensitive, uncensored data from governments and corporations if Assange is killed or convicted. On December 8, the site said the arrest would not stop it from posting new revelations, and WikiLeaks subsequently published a new set of cables about the British government’s decision to release convicted Libyan Lockerbie bomber Abdel Baset Ali al-Megrahi.
For companies, the WikiLeaks case may ultimately serve as a parable on guarding sensitive information. Joseph Turow, professor of communication at the University of Pennsylvania’s Annenberg School for Communication, says the State Department cables released by WikiLeaks, while controversial, are perhaps more well-thought-out than most internal corporate communications. “If I were a CEO, this would not make me feel comfortable. I would be very concerned that this would happen in my company,” he says. “The cables that have been released look incredibly tame compared to the e-mail that people send around corporations.”
Bad Publicity and Trade Secrets
Bruce Schneier, an author of books on cyber-security and founder of BT Counterpane, a security firm, argues that WikiLeaks rose up because of an excessive amount of classification of information and a weak press that “acts like a stenographer” for the government. He adds that the U.S. government is now experiencing what the music and entertainment industries have endured during the past several years — digital distribution networks that sprang up as alternatives to the systems that recording labels and producers tried to control.
Although WikiLeaks has been disseminating information for 18 months, much of it about the Iraq and Afghanistan wars, Werbach notes that the state department communiqués seem to have raised the site’s profile and generated a strong reaction. For example, credit card companies, PayPal and Amazon decided to cut off links that helped fund WikiLeaks, apparently under pressure from government officials. “It’s dangerous when [the] government tells private companies that certain content should be kept off the network,” he notes. It is also “reasonable for companies to be thinking about whether WikiLeaks crossed the line in its most recent disclosures.”
Andrea Matwyshyn, Wharton professor of legal studies and business ethics, says society is struggling to find a balance between control of information and disclosures that may help the nation “better plot its own trajectory.” Governments and corporations should focus less on WikiLeaks and more on the initial source of disclosures, she notes, because “once [information] goes out into the wild blue yonder of the Internet, getting it back from cyberspace is impossible.”
Indeed, Australian Foreign Minister Kevin Rudd, who was identified as a “control freak” in the cables, says it is not Assange who is responsible for the unauthorized release of more than 200,000 diplomatic documents. “The bad people in this little exercise are the people who gave the information to him, because they are the people who breached the trust. They deserve to be chased and prosecuted,” Rudd told reporters. Army Pfc. Bradley Manning has confessed in online chats that he downloaded classified documents from Army networks — including U.S. State Department cables — and gave them to WikiLeaks. He is being held at the U.S. Marine Corps brig at Quantico, Va. and faces 52 years in prison on charges of passing unauthorized information from military computers.
In addition to preventing bad publicity, Matwyshyn points to the importance of a proactive strategy to protect corporate trade secrets in the courts. She notes that a company does not really know if its information is a trade secret until it is forced to challenge a suspected violator in court. Rulings on whether a legitimate trade secret has been breached depend heavily on whether a company can prove that it valued a piece of intellectual property enough to take adequate steps to protect it from leaking outside the organization.
Companies “fail chronically” to establish a system-wide approach to the protection of information and rely, too often, on technology-based security solutions, Matwyshyn says. “They think that if they have a strong IT department they are covered. That’s the wrong approach, because information flows need to be monitored not only through information technology, but holistically throughout the entire organization.”
Wharton management professor Lawrence Hrbeiniak says that the WikiLeaks disclosures have prompted him to think about the strategic implications of outsourcing — for better or worse. He notes that one WikiLeaks release was a so-called “hit list” of government and private sector facilities around the world — including vaccine and essential medicines plants, mines and industrial facilities — that, if attacked, could harm the U.S. population. “Outsourcing for governments and companies has benefits, but it also increases one’s dependency [on] or vulnerability [to] those who control what the governments or companies need,” he says. “WikiLeaks suggests this vulnerability for governments, but the same implications exist for companies. Extreme dependency on others can increase their power and control over us.”
A ‘Cyborg Dynamic’
Top managers need to have the mindset that information security is important and work collaboratively across internal divisions to preemptively plug sources of potential leaks, Matwyshyn and other experts say. In the case of the diplomatic cables, the State Department decided that for the sake of convenience, employees would be able to use thumb drives which resulted in “default permission” to copy materials, according to Matwyshyn. “And this person copied it and walked out the door.”
Even employees restricted by confidentiality agreements break those contracts with results that can have ramifications beyond the employee-employer relationship, Matwyshyn notes. Organizations that depend on keeping secrets need to develop systemic processes covering information sharing. She observes that a duality is taking place throughout business in approaches to corporate information. On the one hand, the rise of social media has made companies eager to embrace the Internet to connect with new customers and build a greater presence in communities. “For marketing purposes,” Matwyshyn says, “technology and outreach is a boon.” At the same time, she continues, a “cyborg dynamic” is developing. Companies are increasing the use of technology internally. As they become more mechanized, and less human, they rely on the integration of computer systems to secure sensitive information, which she notes “may or may not be operating optimally.”
Matwyshyn argues that computer-based information systems need “human backstops” who are able to look at the larger picture of information security on an ongoing basis to determine where information flows are being used and where they might need to be redirected. She suggests corporations develop new systems for information sharing from the top down through the collaboration of the chief technology officer, chief security officer, the CEO and other officer-level positions. Working together, high-level executives should be able to develop integrated and thoughtful information sharing policies along with the corporate culture to enhance and enforce the rules. “These are decisions that need to come from the top and create a culture of information care within an organization — not only for its own information but for the security of consumer information the organization possesses.”
Businesses now possess huge amounts of customer data that is vulnerable to premeditated, as well as accidental, disclosure, Matwyshyn points out. Consumers, she notes, are growing increasingly alarmed about letters they receive from companies indicating that their private information has been breached. In the past decade, 45 states have created statutes requiring companies to notify consumers of the possibility that their secure information may have been breached. “The arrival of a widespread regime of law is unprecedented in its speed,” she says, reflecting “a consumer outcry and heightened concerns over control.” Consumers want to be able to share the information to gain better access to products and services, but they also want that information contained, leading to what academics call the “privacy paradox.”
“Consumers are looking for a regime of trust and the ability to have some kind of input on their data usage. Essentially, [they want to] have a stronger contractual regime around the licensing of their information,” says Matwyshyn, who adds that it is possible to imagine a time when companies would be liable for damages for lapses in protecting consumer information. “But consumers aren’t really interested in seeking damages. They simply want to control their information.”
It Boils Down to Trust
In the aftermath of the WikiLeaks furor, Pentagon and State Department officials have said some foreign officials now seem reluctant to trust U.S. officials. “We have already seen some indications of meetings that used to involve several diplomats and now involve fewer diplomats,” said State Department spokesman P.J. Crowley. “We’re conscious of at least one meeting where it was requested that notebooks be left outside the room.”
According to Turow, there is a tension between the need for corporate executives to be able to communicate honestly and openly and the potential fallout if frank discussions are later revealed. He suggests highly sensitive matters should not be committed to writing or should have tight information controls. While companies can adopt best practices for information management, such as limits on the amount of material an individual can download, there is no technology to guard against a determined rogue individual. “In the end, it comes down to the trust of your employees. Their loyalty is what [counts].”
Werbach says the most recent WikiLeaks information releases reflect less focus on scandal than in the past. The cables, he notes, are mostly day-to-day communications that are interesting, but do not seem to represent dangerous secrets. It is likely the U.S. government has more sensitive communications behind tighter security, he adds. Still, “the number of corporate laptops that are stolen and are not encrypted is truly frightening.”
And while the volume of leaks of U.S. communications seems large, it is probably only a small fraction of the “daily chatter” in diplomatic networks, Werbach points out. He notes that high level discussions between the President and Chinese leaders or about nuclear strategy are likely protected by tight access. Any organization needs to prioritize the level of information it wants to protect and set up appropriate levels of security, he says. “You can’t just put a cone of silence around everything.”