How the Swedish administration leaked EU’s secure STESTA intranet to Russia, then tried glossing over it
The Swedish administration is leaking its secret intranet and databases to Russia, via its Transport Agency, via the IBM cloud, via IBM's subcontractor NCR (formerly AT&T) in Serbia, which is a close Russian military ally. Giving staff in Serbia administrative access to these networks practically guarantees that Russia also has access to the network. The European Union's secure STESTA network is also connected to the leaked intranet. But this is not about geopolitics and who’s allied with whom, but about how an administration tries to quiet down and gloss over an apocalyptically stupid and monstrously damaging data leak.
Yesterday on this site, we told the story of the Swedish Transport Agency leaking pretty much every classified database to foreign operators, and how the responsible Director-General was docked half a month’s paycheck as punishment. This is monumental boneheadedness not just from this agency, but also from the government in charge, which still doesn’t get the severity of the situation.
Let’s go back a bit. In late 2016, the name “Egor Putilov” was all over Swedish media. The name belongs to a Russian-born businessman, and the fear of having somebody Russian-born even come into contact with Swedish security administration sent shivers through the Swedish media landscape (Newsweek). It was something the Swedish mainstream media kept repeating over, and over, and over again. At this time, the Swedish administration had already known for six months that a key Swedish agency was leaking Swedish and European classified networks wholesale directly to Russia, which is arguably a much worse scenario than having somebody Russian-born be employed by a Member of Parliament, and yet said nothing and did nothing. It would take another full year and a media storm to start unraveling the most damaging military and civilian leak in Sweden’s modern history.
People all over the political spectrum were basically trying to have heads roll because somebody born in Russia had been hired as a political secretary to somebody elected to Parliament according to all rules and regulations in place. The interesting thing here is not Mr. Putilov, but the contrast between the establishment’s noise level then and its noise level over the leak scandal surfacing now.
In May 2015, IBM won a contract in the hundred-million range for managing the Swedish Transport Agency’s databases and networks, outsourced from the country. It is relevant that a) this agency manages a lot of top secret data, such as the identities and photos of undercover and operative personnel, as well as relocated witnesses, and b) this was not taken into account at all when sending the databases right out of the country. It was a very big contract in a public procurement, so anybody interested in these matters at the state actor level will have known about it and have had the ability to plant personnel with the respective subcontractors.
The interesting events start taking place in January of this year, when Maria Ågren, the Director-General of the Transport Agency, was fired in maximum silence, citing “disagreements”. In reality, this event followed a 250-page mostly-redacted investigation from the Security Police. This means that other people have been aware of the severity of the leaks for quite some time, and yet have not done anything about them, as they are still ongoing as of July 22, 2017. Things went to criminal trial for the charge of “criminal negligence in handling classified information”, and this is where the first really upsetting thing happens: Ågren is allowed to make a guilty plea (acceptera strafföreläggande).
This deserves some clarification.
In Sweden, a guilty plea may only be used for the very lightest of crimes – shoplifting and speeding are given as examples on the Prosecution Authority’s website – as it evades the due process of a full and public trial in a court of law.
…let’s read that again: “evades the due process of a full and public trial in a court of law”.
…does leaking most of the entire government to a foreign adversary really rank on the same level as shoplifting and speeding, and so justify the availability of this option for a high-ranking official who has just committed this monumental negligence?
Of course it doesn’t.
It doesn’t take a Mensa member to realize that strings were pulled to downgrade the severity of the crime to keep it as much out of public eyes as possible, avoid a public discovery process, and so avoid embarrassment.
Basically, just hoping nobody notices the monumental ongoing leak and the resulting danger to the country and its staff.
This is the first of the obvious steps to silence the matter. There’s more: by this guilty plea, an appeal (by either prosecutor or defense) has been prevented, and so things will never go to public court and discovery. Further, since there is no appeal, the penalty has been set in stone – Ågren loses half a month’s pay in fines for leaking pretty much the entire military and civilian database set. It was this punishment that was the clue for many: the fact that somebody was found guilty at all in an establishment where everybody covers everybody else’s back must mean that something truly awful has taken place.
The second thing that upsets a lot of people is the fact that everybody was aware they were breaking the law by being negligent with classified information, but just didn’t care. They even had formal meeting notes where the decision was taken to “make deviations from the law [about proper procedures for classified data]”. Normally, we would not call this “meeting notes about the decision to make deviations from law” but rather something more like a “written and signed confession of a committed crime”.
The third step is the complete and utter silence from people in charge, who we now know knew about this for a considerable time. By now, mainstream media has published documents that show that the Interior Minister and the Infrastructure Minister were completely aware of the ongoing leaks as early as 18 months ago, and they said and did nothing. Further, most of the media focus has been on the leaks of, and damage to, Swedish secrets. But this affair goes way beyond Sweden and its administration.
Part of what IBM was contracted to run, and which was run from Serbia, was the Swedish government’s secure intranet – the SGSI, the Secure Government Swedish Intranet. This network is in turn connected to the European Union’s STESTA, which is a European Union secure network. This is what the Swedish Transport Agency gave staff in Serbia administrative network access to, and it is no conspiracy theory that Serbia is a close military ally of Russia. While it can’t be proven in this specific case that high-value military information in Serbia’s hands also comes into Russia’s hands, it’s one of those things that should just be assumed in the general case.
The net effect here is that the EU secure Intranet has been leaked to Russia by means of deliberate lawbreaking from high-ranking Swedish government officials. Even if there are additional levels of encryption on STESTA, which there may or may not be, this has “should never happen” written all over it.
At some point you have to ask yourself how long it’s okay to just keep silent and, as detailed above, pull strings to keep things silent and just hope nobody notices how insanely badly high-ranking officials really screwed up and how much data is still leaking. At what point is glossing over something like this ever acceptable?
And of course, you have to remember – again – that if a government is this incapable and unwilling to protect even its own secrets, you can never trust a government to keep your data safe, under any circumstance.
The leak continues to this day, July 22. It may be fixed some time this fall. Maybe.
And the contrast between the government’s silence on this, vis-a-vis the government’s utter panic about Egor Putilov, is stunningly embarrassing.
Privacy remains your own responsibility.