The Yomiuri Shimbun
Mar. 15, 2006
Should all the blame fall on the Winny file-sharing software?
Not quite. Anyone dealing with sensitive information has an extremely
heavy obligation in this regard.
A number of cases of large amounts of government secrets and personal
information being accidentally disclosed on the Internet have come to
light in recent weeks, and Winny has been singled out for criticism in
all these incidents.
Winny was created to enable computer users to exchange music and video
files over the Internet. However, the development of the software has
been followed by the emergence of computer viruses that can infect
Winny, making it act in ways not intended.
If infected, Winny can upload data from computers on which it is
installed onto the Internet without the knowledge of users.
In all the information disclosures reported, the victims had stored
important data on personal computers that were running copies of Winny
that had been infected with viruses. This has prompted many people to
point a finger at the file-sharing software.
The recent spate of Winny-related incidents includes the disclosure of
information about investigations by the Okayama and Ehime prefectural
police. The tendency to single Winny out for criticism can be seen in
remarks made by senior officials at the National Police Agency, an
organ charged with supervising prefectural police authorities. "Police
personnel who use Winny on their personal computers have no awareness
of their professional duties," NPA Commissioner General Iwao Uruma
Lax security true culprit
But blaming Winny alone means blinkering oneself to the true culprit,
and one needs to look further. It is disturbing to see that the
organizations affected by the incidents were extremely lackadaisical
in protecting information and secrets.
Questions should be raised about why those responsible for the
disclosures were able to copy sensitive information from their office
computers onto their own computers, and take it home without
permission from their superiors. The ease with which this was done
means no measures had been taken to protect the confidentiality of
information held by these offices.
What if such massive amounts of information had been stored on paper,
not computers, and disclosed? The spate of disclosures would be
considered highly abnormal.
We all have good reason to raise questions about how the organizations
affected by the disclosures protect their secrets and data. Are
personnel at their offices allowed to duplicate important documents
and take them outside? Are they permitted to take such documents home?
Are the central and local governments properly equipped to manage the
many secrets and personal information entrusted to them?
The government and other pertinent organizations must thoroughly
reexamine their information-control systems.
Govt must accept responsibility
The Defense Agency intends to buy all its personnel new computers to
help them carry out their duties. The decision came after the agency
had second thoughts about its standing practice of allowing employees
to use their own computers for work.
But this purchase must be complemented by efforts to ensure
information stored on these computers is properly controlled. If
agency officials are allowed to copy data from their office computers
onto their personal computers and take them out, the agency will
remain susceptible to the disclosure of secrets and data.
Winny is not the only software that can be perverted to disclose data
stored on computers, there are others. The Defense Agency must ban
personnel from using the newly supplied computers for personal use.
No government employee should be allowed to take data outside the
workplace. Government information and data must be encoded if taken
out from the office. Doing so would prevent the data from being
understood if disclosed to an outsider. Thorough measures should be
implemented to educate government employees about how to properly
control data they handle. Furthermore, periodic inspection are needed
to ensure these safeguards are being followed.
Any organization that has a bitter experience of having secrets and
data disclosed has already taken such measures. Government
organizations must learn what it means to protect the confidentiality
of their information and data.
(From The Yomiuri Shimbun, March 15)
InfoSec News v2.0 - Coming Soon!