Both the American CIA and FBI agencies are hot on trail of a suspected CIA agent who passed on some top-secret and eye-opening secrets to WikiLeaks, who in turn published the details for all to see.
The data leak in question pertain to the CIA’s ability to hack into smartphones, smart televisions and computer systems using advanced tools.
While it is no secret that the CIA can and does hack into systems for the larger purpose of national security, the leaked documents, which were so far stored in highly secure vaults in the CIA, will let people know more about the tools being employed by the agency to perform such hacks. Both the CIA and the FBI are trying to nab the employee who managed to pass on the documents to WikiLeaks, but without success so far.
While many may wish to term the situation as an act of a whistle-blower or someone who wanted the society to know the raw truth via a data leak, what it also signifies is that a firm as protective of data as the CIA was unable to present the leakage. What does this say about large multi-nationals who store personal information of millions of people from across the globe?
“Whether individuals view this as the righteous act of a whistle-blower and a victory for free speech, an act of blatant treason, or something in-between, at its heart it is a failure of access controls and monitoring. The fact that an organisation built around a culture of confidentiality, with a high degree of security knowledge and employee screening, and which has suffered breaches in the past, can still fall victim to insider attacks is a reminder to organisations of any size, in any sector,” says Piers Wilson, Head of Product Management at Huntsman Security.
While it is not clear how long it will take for CIA to catch the culprit and avenge the data leak, the agency has chosen to target WikiLeaks instead, terming it a ‘non-state hostile intelligence service often abetted by state actors like Russia.’ While the accusation was totally expected, the CIA may also need to look within, review its security procedures and create a structure whereby employees cannot do anything with the information at hand that they aren’t supposed to.
“Prompt detection and response are at least as important as preventing that leak in the first place. Not only should a user have no access to data beyond what they need; if they somehow do access that data, or perform any unusual activity with that information they can access can access, alarm bells should ring loud and clear,” Wilson adds.