Posted on Jul 22, 2017 by Rick Falkvinge

How the Swedish administration leaked EU’s secure STESTA intranet to Russia, then tried glossing over it

The Swedish administration is leaking its secret intranet and databases to Russia, via its Transport Agency, via the IBM cloud, via IBM's subcontractor NCR (formerly AT&T) in Serbia, which is a close Russian military ally. Giving staff in Serbia administrative access to these networks practically guarantees that Russia also has access to the network. The European Union's secure STESTA network is also connected to the leaked intranet. But this is not about geopolitics and who’s allied with whom, but about how an administration tries to quiet down and gloss over an apocalyptically stupid and monstrously damaging data leak.




Yesterday on this site, we told the story of the Swedish Transport Agency leaking pretty much every classified database to foreign operators, and how the responsible Director-General was docked half a month’s paycheck as punishment. It is not just a monumental boneheadedness from this agency, but also from the government in charge, who still don’t get the severity of the situation.

Let’s go back a bit. In late 2016, the name “Egor Putilov” was all over Swedish media. The name belongs to a Russian-born businessman, and the fear of having somebody Russian-born even come into contact with Swedish security administration sent shivers through the Swedish media landscape (Newsweek). It was something the Swedish mainstream media kept repeating over, and over, and over again. At this time, the Swedish administration had already known for six months that a key Swedish agency was leaking Swedish and European classified networks wholesale directly to Russia, which is arguably a much worse scenario than having somebody Russian-born be employed by a Member of Parliament, and yet said nothing and did nothing. It would take another full year and a media storm to start unraveling the most damaging military and civilian leak in Sweden’s modern history.

People all over the political spectrum were basically trying to have heads roll because somebody born in Russia had been hired as a political secretary to somebody elected to Parliament according to all rules and regulations in place. The interesting thing here is not Mr. Putilov, but the contrast between the establishment’s noise level then and its noise level over the leak scandal surfacing now.

In May 2015, IBM won a hundred-million-range contract for managing the Swedish Transport Agency’s databases and networks, outsourced from the country. It is relevant that a) this agency manages a lot of top secret data, such as the identities and photos of undercover and operative personnel, as well as relocated witnesses, and b) this was not taken into account at all when sending the databases right out of the country. It was a very big contract in a public procurement, so anybody interested in these matters at the state actor level will have known about it and have had the ability to plant personnel with the respective subcontractors.

The interesting events start taking place in January of this year, when Maria Ågren, the Director-General of the Transport Agency, was fired in maximum silence, citing “disagreements”. In reality, this event followed a 250-page mostly-redacted investigation from the Security Police. This event means that other people have been aware of the severity of the leaks for quite some time, and yet not done anything about them as they are still ongoing as of July 22, 2017. Things went to criminal trial for the charge of “criminal negligence in handling classified information”, and this is where the first really upsetting thing happens: Ågren is allowed to make a guilty plea (acceptera strafföreläggande).

This deserves some clarification.

In Sweden, a guilty plea may only be used for the very lightest of crimes – shoplifting and speeding are given as examples on the Prosecution Authority’s website – as it evades the due process of a full and public trial in a court of law.

…let’s read that again: “evades the due process of a full and public trial in a court of law”.

…does leaking most of the entire government to a foreign adversary really rank on the same level as shoplifting and speeding, and so justifies the availability of this option for a high ranking official who has just committed this monumental negligence?

Of course it doesn’t.

It doesn’t take a Mensa member to realize that strings were pulled to downgrade the severity of the crime to keep it as much out of public eyes as possible, avoid a public discovery process, and so avoid embarrassment.

Basically, just hoping nobody notices the monumental ongoing leak and the resulting danger to the country and its staff.

This is the first of the obvious steps to silence the matter. There’s more: by this guilty plea, an appeal (by either prosecutor or defense) has been prevented, and so things will never go to public court and discovery. Further, since there is no appeal, the penalty has been set in stone – Ågren loses half a month’s pay in fines for leaking pretty much the entire military and civilian database set. It was this punishment that was the clue for many: the fact that somebody was found guilty at all in an establishment where everybody covers everybody else’s back must mean that something truly awful has taken place.

The second thing that upsets a lot of people is the fact that everybody was aware they were breaking the law by being negligent with classified information, but just didn’t care. They even had formal meeting notes where the decision was taken to “make deviations from the law [about proper procedures for classified data]”. Normally, we would not call this “meeting notes about the decision to make deviations from law” but rather something more like a “written and signed confession of a committed crime”.

The third step is the complete and utter silence from the people in charge, who we now know knew about this for a considerable time. By now, mainstream media has published documents that show that the Interior Minister and the Infrastructure Minister were completely aware of the ongoing leaks as early as 18 months ago, and they said and did nothing. Further, most of the media focus has been on the leaks of, and damage to, Swedish secrets. But this affair goes way beyond Sweden and its administration.

Part of what IBM was contracted to run, and which was run from Serbia, was the Swedish government’s secure intranet – the SGSI, the Secure Government Swedish Intranet. This network is in turn connected to the European Union’s STESTA, which is a European Union secure network. This is what the Swedish Transport Agency gave staff in Serbia administrative network access to, and it is no conspiracy theory that Serbia is a close military ally of Russia. While it can’t be proven in this specific case that high-value military information in Serbia’s hands also comes into Russia’s hands, it’s one of those things that should just be assumed in the general case.

The net effect here is that the EU secure Intranet has been leaked to Russia by means of deliberate lawbreaking from high ranking Swedish government officials. Even if there are additional levels of encryption on STESTA, which there may or may not be, this has “should never happen” written all over it.

At some point you have to ask yourself how long it’s okay to just keep silent and, as detailed above, pull strings to keep things silent and just hope nobody notices how insanely badly high-ranking officials really screwed up and how much data is still leaking. At what point is glossing over something like this ever acceptable?

And of course, you have to remember – again – that if a government is this incapable and unwilling to protect even its own secrets, you can never trust a government to keep your data safe, under any circumstance.

The leak continues to this day, July 22. It may be fixed some time this fall. Maybe.

And the contrast between the government’s silence on this, vis-a-vis the government’s utter panic about Egor Putilov, is stunningly embarrassing.

Privacy remains your own responsibility.

About Rick Falkvinge

Rick is Head of Privacy at Private Internet Access. He is also the founder of the first Pirate Party and is a political evangelist, traveling around Europe and the world to talk and write about ideas of a sensible information policy. Additionally, he has a tech entrepreneur background and loves good whisky and fast motorcycles.



7 Comments

  1. Carl

    Hi, indeed this is extremely serious. However, I am not sure I agree with your first point.

    First, in terms of the relevant sentencing scale (fine or imprisonment up to 1 year) the punishment is reasonable (the punishment for shoplifting is a fine or imprisonment up to 6 months). Given the severity of the leak this might seem very mild, but the prosecutor must apply the law as it is.

    Second, it appears from the investigation that the director general’s involvement, although the matter is very serious, was more limited than appears from reporting.

    Third, should this have gone to trial, the basis of the trial would be the evidence in the investigation that is now public (in part) and it would most surely have been enough for a sentence. A trial would not likely demand any further evidence. Furthermore, whether to go to trial or not is a legal decision, not the prosecutor’s own discretion.

    In summary, I think your assessment is very fair. However, I do not agree this is a cover up on the part of the judiciary.

    Best,

    5 months ago
  2. VP

    “While it can’t be proven in this specific case that high-value military information in Serbia’s hands also comes into Russia’s hands, it’s one of those things that should just be assumed in the general case.”

    So the word Russia can be replaced with any other country basically ?=)

    5 months ago
  3. V

    “While it can’t be proven in this specific case that high-value military information in Serbia’s hands also comes into Russia’s hands, it’s one of those things that should just be assumed in the general case.”

    So Russia can be replaced with any other country, basically ?=)

    5 months ago
  4. Gringo

    Good Russia and Putin have this info if they need to help the Vikings out with the mess their socialistic government has done to its own people, mass invasion of third World people and criminals who they have to pay for by higher and higher taxes.
    Btw I’m Swedish

    5 months ago
  5. petar petrovic

    For somebody who claims to be about information liberty, liberty in general and freedom, you need to seriously dampen yourself when it comes to accusing whole countries of being Russian allies. You are on a fishing trip and have zero evidence for anything.

    For starters, today’s Serbia has one of the worst western bootlicking governments since 1885 most probably, while any exercises we do with Russia are part of our military neutrality agreements, that nobody in the west respects anyway. We do more exercises with NATO as part of Partnership for Peace than we ever did with Russia, even though those garbage men only deal with training our grunts, while for tank and airforce training we have to turn to Russia, not only because we use Russian equipment, like most Eastern European nations, but because NATO trash won’t train anything but our grunts so that they can one day hopefully take participation in some NATO war.

    Not only that, but our traitorous government’s SEPA agreements from 2007 and the new one from 2015 basically make us a NATO member in all obligations, without any benefits of membership (not that we’d want to be there anyway, at least the people, though nobody gives a… about what they think).

    Under SEPA agreements, we literally allow shitty NATO to rummage all over our country with full NATO soldiers immunity to rape and pillage in our country, without so much as a formal notice (though troop movements are supposed to be directed and approved in advance, at least on paper), and this includes the ability of NATO to inspect any military or non military facility, to the point of having authority to go and inspect high school chemistry facilities and what goes in them if they so please, and the trash that signed this wouldn’t have the authority to say no.

    This kind of shit and our refusal is what started WWI, and now after a hundred years, we are giving our buttonholes to you for free, even more than what we refused in 1914.

    All I’ve said above doesn’t even begin to consider the fact that our security service (BIA) is completely and thoroughly penetrated by the CIA, to the point of their officers literally sitting in BIA offices, directing shit. When I think about it, same goes for our military.

    Next time you accuse a country of being a Russian ally, make sure you’re not full of it.

    5 months ago
    1. helmut

      butthurt serb spotted

      4 months ago
    2. Israelson

      Well I have to agree with Petar Petrovic about Serbs and Serbia being Russian allies. Serbs and Serbia are not allies with Russian, they ARE Russians.

      C’mon man I really do hope you’re just kidding. Not allies hahahhah

      3 months ago