I have been working at the News International end of Wapping for the past three weeks on a virtual-CISO engagement that I will write about here only in the most general terms — the scope of what is and is not appropriate to share, in a moment where the company is the subject of an active police investigation, two ongoing parliamentary inquiries, and a public inquiry being chaired by Lord Justice Leveson, is rather narrower than my usual confidentiality boundary. There are nonetheless things I want to write down because they are about how a major media organisation reorganises its information-security posture under acute external pressure, and because they touch on questions about the operational shape of journalism that I do not see well covered elsewhere.

The proximate cause for the engagement is the closure of the News of the World on the tenth of July, and the consequent need at News International to reconcile what happened in its journalistic operations over the past decade against the framework of compliance and information-governance the parent company is now committing to. The Milly Dowler revelation from the Guardian on the fourth of July was the precipitating event. The closure followed within a week. The resignations — Rebekah Brooks on the fifteenth, Les Hinton on the same day, Andy Coulson's arrest a week earlier — closed the period in which News International could continue with anything resembling its previous operating model.

What that means in technical terms is that the engagement has become substantially about archive, retention, and access. There are large quantities of journalistic correspondence, source-protection material, expense records, IT-system logs and supplier records that the company holds, that the Operation Weeting investigation is actively interested in, that the parliamentary inquiries will likely request, and that the Leveson Inquiry will subpoena in due course. The legitimate retention requirements run alongside legitimate source-protection requirements run alongside legitimate corporate-confidentiality requirements run alongside the active obligation to preserve evidence under police investigation. I have spent the past three weeks in rooms with lawyers more than I have with engineers, which is unusual for me.

What I can write about is the broader shape of the engagement, which I think is going to be relevant to any organisation that finds itself in similar circumstances over the coming years. The first thing is that the IT and information-security function in a major newsroom is structured very differently from the equivalent function in any other large UK organisation I have worked with. Newsrooms run on speed; the technical infrastructure is configured for journalistic efficiency rather than for control; access patterns within editorial systems are wide because the cost of asking permission for routine work would slow the journalism. This is operationally rational under normal circumstances and operationally problematic when external scrutiny arrives. The first task of the engagement has been simply to make the access patterns visible enough that an honest answer can be given to the question "who could see what, when".
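One way to give that "who could see what, when" question an auditable answer is to model access as time-bounded role grants and query the model at a given instant. The following is an added illustration, not code from the engagement or from any News International system; the users, roles and systems are constructed placeholders, and the role-to-system read sets are assumed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed model: which systems each role can read. Real newsroom roles would be
# reconstructed from the directory, the CMS and the mail platform, not typed in by hand.
ROLE_READS = {
    "reporter":  {"cms", "shared-mail"},
    "news-desk": {"cms", "shared-mail", "expenses"},
    "it-admin":  {"cms", "shared-mail", "expenses", "mail-archive"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    start: datetime
    end: Optional[datetime] = None   # None means the grant is still in force


def when(s: str) -> datetime:
    """Parse an ISO date such as '2010-01-01' into a datetime."""
    return datetime.fromisoformat(s)


# Constructed grant history (hypothetical people and dates).
GRANTS = [
    Grant("alice", "reporter",  when("2009-01-05")),
    Grant("bob",   "news-desk", when("2008-03-01"), when("2010-06-30")),
    Grant("bob",   "reporter",  when("2010-07-01")),
    Grant("carol", "it-admin",  when("2007-09-01")),
]


def active_grants(at: datetime, grants=GRANTS):
    """Grants in force at instant `at` (end date inclusive)."""
    return [g for g in grants if g.start <= at and (g.end is None or at <= g.end)]


def who_could_see(system: str, at: datetime, grants=GRANTS):
    """Every user holding a role that could read `system` at instant `at`."""
    return sorted({g.user for g in active_grants(at, grants)
                   if system in ROLE_READS.get(g.role, set())})


def access_history(user: str, grants=GRANTS):
    """Chronological (start, end, readable systems) intervals for one user."""
    rows = [(g.start, g.end, sorted(ROLE_READS.get(g.role, set())))
            for g in grants if g.user == user]
    return sorted(rows, key=lambda r: r[0])


def unmapped_roles(grants=GRANTS):
    """Roles that appear in grants but have no documented read set: gaps in the model."""
    return sorted({g.role for g in grants if g.role not in ROLE_READS})


if __name__ == "__main__":
    print("expenses, 2010-01-01:", who_could_see("expenses", when("2010-01-01")))
    print("expenses, 2011-07-20:", who_could_see("expenses", when("2011-07-20")))
    for start, end, systems in access_history("bob"):
        print("bob", start.date(), end.date() if end else "open", systems)
    print("roles without a read set:", unmapped_roles())
```

The point of `unmapped_roles` is the honest-answer part: a role that appears in the grant history but has no documented read set is exactly the thing that cannot be answered truthfully, and it should be surfaced before anyone is asked the question under oath.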

The second thing is that the transition from "newsroom security operating model" to "organisation-under-investigation security operating model" cannot be done quickly without producing information losses that look, from outside, like evidence destruction. Every step has to be done carefully and documented. This applies to mundane things like archive consolidation, decommissioning of legacy email systems, and changes to access-control configurations. Doing the right thing technically can look indistinguishable from cover-up if the documentation is not in place. We are spending unusual amounts of time on documentation.
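The documentation burden on something like an archive consolidation can be reduced to a mechanical step: hash everything before, hash everything after, and produce a signed-off record that states what content (by hash, not by filename) no longer exists anywhere. This is an added example of that pattern, not the tooling used on the engagement; the ticket numbers, paths and file contents are constructed.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> size and SHA-256 for every file under `root`."""
    return {str(p.relative_to(root)): {"size": p.stat().st_size, "sha256": sha256_file(p)}
            for p in sorted(q for q in root.rglob("*") if q.is_file())}


def record_change(before: dict, after: dict, ticket: str, operator: str, note: str) -> dict:
    """Change record: the two manifests plus the set of content hashes present before
    but absent after. Comparing hashes rather than names means renames are not 'loss'."""
    lost = sorted({v["sha256"] for v in before.values()} - {v["sha256"] for v in after.values()})
    record = {
        "ticket": ticket, "operator": operator, "note": note,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "files_before": len(before), "files_after": len(after),
        "content_lost": lost,
        "before": before, "after": after,
    }
    record["record_sha256"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record


def verify_record(record: dict) -> bool:
    """True if the record has not been edited since it was written."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return digest == record["record_sha256"]


def consolidate(src: Path, dst: Path, ticket: str, operator: str, note: str) -> dict:
    """Copy `src` into `dst` (copy, never move, so the source can still be compared)."""
    before = build_manifest(src)
    shutil.copytree(src, dst)
    after = build_manifest(dst)
    return record_change(before, after, ticket, operator, note)


def demo() -> tuple:
    """Constructed scenario: one clean consolidation, then one that silently dropped a file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "legacy-mail"
        (src / "2009").mkdir(parents=True)
        (src / "2009" / "desk.mbox").write_bytes(b"constructed mailbox content\n")
        (src / "readme.txt").write_bytes(b"constructed readme\n")
        clean = consolidate(src, Path(tmp) / "archive-a", "CHG-0001", "ops@example", "clean copy")
        lossy_dst = Path(tmp) / "archive-b"
        lossy_dst.mkdir()
        shutil.copy(src / "readme.txt", lossy_dst / "readme.txt")   # the mbox never arrives
        lossy = record_change(build_manifest(src), build_manifest(lossy_dst),
                              "CHG-0002", "ops@example", "lossy copy")
        return clean, lossy


if __name__ == "__main__":
    clean, lossy = demo()
    print("clean step lost:", clean["content_lost"])
    print("lossy step lost:", lossy["content_lost"])
```

A non-empty `content_lost` is the signal to stop and explain before proceeding, and the record hash is what lets you show later that the explanation was written at the time rather than reconstructed afterwards.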

The third thing — and this is the part I will write more about later — is the question of what source protection actually means under conditions where police investigation is legitimate. There is a long tradition in UK journalism of source-protection as a near-absolute. There is also a long tradition in UK law enforcement of source-protection being conditioned by the public-interest framework, which has historically been generous to journalists. The current moment is the most acute public test of those frameworks I have seen. The technical implementations of source-protection — burner phones, encrypted communications, anonymous tip-handling — are areas where the engineering work is meaningful and where the practical advice has to balance journalistic operational reality against legal exposure. I am not going to write about specific implementations here for obvious reasons. I will write more about the underlying engineering questions when I can do so without compromising the engagement.

There is an aspect of the broader story that has been bothering me from outside the engagement. The press coverage of the phone-hacking scandal has, understandably, focused on the celebrity victims and the political angle. The technical question — how exactly was voicemail interception happening, what was the role of Glenn Mulcaire and the network of private investigators around him, what infrastructure supported the systematic intercepts — is much less well covered in mainstream reporting. The technical answer is mostly straightforward: voicemail systems at UK mobile networks shipped with default PINs, the PINs were not enforced to be changed, and a competent investigator with access to a few thousand pounds and a list of telephone numbers could systematically dial in and listen. The defensive failure was at the mobile networks, sustained over years; the operational failure was the journalistic culture that turned the access into routine practice. The structural similarity to the Tunisian Internet Agency credential injection in January is closer than most of the press coverage has noticed — different operators, different motives, but the same class of underlying weakness: a credential or authentication mechanism that has been deployed at scale without anyone bothering to make the default secure.
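The control that was missing on the network side is small enough to write down in full: a per-subscriber random PIN at provisioning, a forced change on first use, rejection of weak replacements, and a lockout counter. What follows is an added example of that policy, not a description of any operator's real platform; the "factory" PIN list, the lengths and thresholds, and the telephone numbers are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass

# Constructed list of factory PINs for the example; no real operator's defaults are reproduced.
FACTORY_PINS = {"0000", "1234", "1111"}
MIN_LENGTH = 6        # assumed policy value
MAX_FAILURES = 3      # assumed policy value


@dataclass
class Mailbox:
    number: str
    pin: str
    must_change: bool = True     # true until the subscriber has set their own PIN
    failures: int = 0
    locked: bool = False


def is_weak(pin: str) -> bool:
    """Reject factory defaults, short PINs, repeated digits and ascending/descending runs."""
    if not pin.isdigit() or len(pin) < MIN_LENGTH or pin in FACTORY_PINS:
        return True
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def provision(number: str) -> Mailbox:
    """New mailbox: random per-subscriber PIN, flagged so the first successful use forces a reset."""
    pin = "".join(str(secrets.randbelow(10)) for _ in range(MIN_LENGTH))
    return Mailbox(number, pin)


def authenticate(box: Mailbox, pin: str) -> str:
    """Returns one of: locked, denied, change-required, ok."""
    if box.locked:
        return "locked"
    if not secrets.compare_digest(box.pin, pin):
        box.failures += 1
        if box.failures >= MAX_FAILURES:
            box.locked = True
            return "locked"
        return "denied"
    box.failures = 0
    return "change-required" if box.must_change else "ok"


def change_pin(box: Mailbox, current: str, new: str) -> bool:
    """A change needs the current PIN and a replacement that passes the weakness checks."""
    if authenticate(box, current) in ("locked", "denied") or is_weak(new):
        return False
    box.pin, box.must_change = new, False
    return True


def audit(boxes) -> list:
    """Numbers still on an unchanged or weak PIN: the exposed population a network should be reporting on."""
    return sorted(b.number for b in boxes if b.must_change or is_weak(b.pin))


if __name__ == "__main__":
    box = provision("+44 7700 900123")          # constructed number
    print(authenticate(box, box.pin))           # change-required
    print(change_pin(box, box.pin, "1234"))     # False: factory default rejected
    print(change_pin(box, box.pin, "209153"))   # True
    print(authenticate(box, "209153"))          # ok
    print(audit([box, Mailbox("+44 7700 900124", "0000")]))
```

The `audit` function is the part that matters for the "sustained over years" point: a network that runs it has a number it can report and act on, and one that does not has only a belief that the problem is rare.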

The next post will probably be the SQL-injection methodology piece the engagements team has been waiting for since January, drawing on the HBGary Federal incident and several others I have been collecting. The Wapping work will continue for several months at least.