The Panama Papers leak is an example of a whistleblower situation. Clearly, some situations of this type have been seminal events that have shaped history, policies and perceptions: e.g., Daniel Ellsberg and the Vietnam War, “Deep Throat” and Watergate, and Julian Assange of WikiLeaks, to name a few. The upside of these is that they create a degree of transparency around something that someone was trying to hide. With regard to IT security, it’s nothing really new, but the scope of it magnifies the underlying IT issue: do you have controls, audit information and mechanisms in place to track where your data is, who is accessing it, and whether they have permission? The reality is, it’s extremely difficult to always be in a position to simply say “yes, I know where my data is and who is accessing it.” Clearly, in the Panama Papers leak, lots of information was given out over a long period of time: information that was intended to be private.
Are hackers, inside or out of the corporation, our new heroes? Are they modern-day Thomas Paines or John Browns?
The answer to that question, as most people already know, depends on your perspective. It’s not a black-and-white situation. Was the leaking of NSA information by Edward Snowden a “good thing” or a “bad thing”? People often think that a hacker is somebody outside the organization in question – a foreign government, a technical wizard looking to make a name for themselves – but oftentimes, like Snowden, a hacker is somebody inside the organization who has access to important data and decides to make it available to other people regardless of the information-sharing rules he had already promised to follow. I suspect many people will be happy about the Panama Papers leak because it exposes people who were doing things they shouldn’t have, and now they have to answer for those actions. Keep in mind, the goal of any hacker is to have the same access and permissions as somebody on the inside. This is why many data leaks are indeed created by people who are on the inside. Often, the leaks are accidental, but in this case it was intentional.
Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open, and the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.