WikiLeaks a “success” for technical security: Diffie

ICANN vice president for information security and cryptography, Doctor Whitfield Diffie, says the attackers could not break the cryptographical defences of the US Defence network and were forced to use an insider.

The information security tag line `defence is harder than offence’ has been disputed by a cryptographical expert who says the WikiLeaks classified information leak was actually a triumph for technical security.

Speaking at the AISA National Conference 2012 in Sydney, ICANN vice president for information security and cryptography, Doctor Whitfield Diffie, told delegates that this was because the hackers could not break the Medley cryptographical system or the electronic key management system- so they had to use an agent, PFC Bradley Manning.

“They lost their agent [Manning] who very likely will spend the rest of his life in jail and alerted their opponent [US Defence] to that root of penetration so on that balance I think the crypto team did a pretty good job.”

Diffie is not the only security expert to argue that WikiLeaks had some benefits.

Computer Sciences Corporation (CSC) research associate, Professor Mike Nelson -- who spent four years as Senator Al Gore's science advisor and served as the White House director for technology policy on IT—said in 2011 that in a year and a half, the leaked documents would mean a "net positive" for US foreign policy in the Middle East.

"The data that was divulged provided a lot of the justification for policies that the US government had been undertaking for years," he said at the time.

Grand security challenges

While Diffie said the cryptographical side of the security industry was in good shape, the rest of information security still faced what he referred to as grand challenges.

“The first is that we need to learn how to program,” he told delegates. “Programming is still not very well understood.”

Another problem was the issue of what he referred to as the human interface, for example, click through security warnings for users when using their home PC.

“They don’t know how to deal with these warnings and I think that needs to change,” he said.

In addition, the IT industry needed to fix liability.

“For a generation or more the computer industry has gotten away with saying that it needs to be nursed along and be protected from liability,” Diffie said.

“We should have a multi-year program of moving towards strict liability for software and developing the technology necessary to impose that liability but clamping down liability over a reasonable time period like a decade.”

CSO Magazine is an official media partner for AISA National Conference 2012

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Show Comments