The Swedish IT leak scandal has caused a governmental crisis: even when having every kind of self-interest to read up on IT security, today’s politicians just can’t get it right. The Swedish leak where classified data and networks were outsourced outside the European Union was not an isolated incident, but a pervasive pattern where things are kept safe mostly by good luck and the occasional person who knows their stuff fixing things properly out of pure subordination. This week, the opposition leader stated that the physical location of a server is of no importance as far as security goes.
Heads are rolling in Swedish government following the revelation that classified data and networks have been leaking out of the country for two years, and still are. Unfortunately, the major players have turned it into politics-as-usual and are trying to score cheap points like it were any other matter, which devalues the seriousness of the matter considerably, and politicians are exposing their utter and shocking cluelessness in the process.
A quick recap: A Swedish governmental agency finds security laws annoying, makes a formal and notarized meeting decision to break the laws, and subsequently exposes everything from military operators to protected witnesses to uncleared personnel in foreign countries. The head of the agency is fined half a month’s paycheck and fired. Media finds out not from press releases, but from extensive digging: it’s clear that the government has tried to hush the whole thing up as far as possible.
Subsequently, there’s a governmental crisis, a vote of no confidence has been announced, and two ministers were been fired from the cabinet (before the vote had a chance to take place) for their role in knowing about this and doing just about nothing.
So do politicians understand why this catastrophic leak is, well, catastrophic? Unfortunately, no. Not in the slightest. They just understand that people are mad about something, and are trying to capitalize on it. I’d like to present just this short exchange from the Swedish Public TV, equivalent to the United States NPR but for television. At 12:30 into the interview, there’s this exchange:
Reporter: “But the political decision to outsource this IT activity at the Transport Agency, that decision was taken by [a government lead by your party as opposed to the current government] in 2012? What’s your responsibility for this leak?”
Politician: “The particular location in the world of a server isn’t what’s important here, but how you take responsibility for security.”
The politician in question is Anna Kinberg-Batra — the effective opposition leader, and the person who would become prime minister if there were a successful vote of no confidence against the government. Let’s take that again, because it’s important: this is not a person from the government responsible for the leak, but the opposition leader.
Her statement looks reasonable on the surface, but completely glosses over the fact that the jurisdiction and location are the very first things you consider for server security. The team at Private Internet Access has to consider this all the time. This is the reason I’m running servers in my home: the legal security of the physical location. The very first rule of computer security is that if an adversary can have physical access to your computer, then it’s not your computer anymore.
The nationality of the police who are able to walk straight into a server room and copy anything they want, because the government of the soil where the server room is located wants them to, is the very first thing you consider when placing national-security-related data on a server somewhere.
In other words, today’s politicians can’t get IT security right even when their future as a prime minister depends on them getting it less than a hundred percent wrong and they’ve had several days at their disposal to read up on the subject. It’s really that bad.
This is how bad it is.
It is absurd. It is bad. Today’s politicians are headdeskingly clueless about IT security, even in a career critical moment when they’ve had days to study for it.
(Footnote: in case the Swedish Public TV times out their website’s copy of the interview, it’s also available here.)
Privacy remains your own responsibility for sure.