WikiLeaks: Stratfor emails reveal problems with Web security

McClatchy NewspapersFebruary 29, 2012 

WASHINGTON — On April 24, 2010, George Friedman, the CEO and founder of Stratfor, an Austin, Texas, company that specializes in writing analyses of international political developments, sent an email from his BlackBerry to one of his employees. It was a response to a suggestion that the company buy email encryption software. He no doubt rues his short missive today.

"40k is a lot of money to spend on that obviously," he wrote. "It probably prices the solution out of our means right now."

Nearly two years later, Stratfor's internal emails, more than 5 million pieces, are being published — drip, drip, drip, 100 or so per day — by the website WikiLeaks, which has provided access to all of the documents to 25 organizations around the world, including McClatchy.

The emails, whose publication began Monday, contain some startling assertions, almost none of which have been confirmed.

In one, from Jan. 26, 2011, the firm's vice president for intelligence, a former State Department counter-terrorism officer named Fred Burton, claimed to know the disposition of a grand jury investigation into WikiLeaks founder Julian Assange. "We have a sealed grand jury indictment," he wrote.

But Burton offered no explanation for how he knew, and apparently none of the other participants in the exchange thought to ask him. More than a year later, no other report of an indictment has surfaced, though the existence of a grand jury is well documented. The Justice Department refused to say Tuesday whether an indictment exists, citing an ongoing investigation.

In another email, 11 days after the special forces raid last May 2 in Pakistan that killed al Qaida founder Osama bin Laden, Burton reported that he'd been told that several members of the Pakistani military, "less than 12," knew of bin Laden's presence in the country. The email chain implied that Burton had acquired that information through access to records and other materials recovered from the bin Laden house.

But no further details are offered in subsequent emails, and while the information seems plausible — bin Laden had been living just a few hundred yards from Pakistan's premier military academy for five years — Burton doesn't repeat it in a 3,892-word commentary on the bin Laden raid that was distributed to Stratfor subscribers on May 26.

In announcing that WikiLeaks was making Stratfor's emails public, Assange referred to the company as a "shadow CIA." WikiLeaks said the emails would reveal "Stratfor's web of informers, payoff structure, payment-laundering techniques and psychological methods."

But while Stratfor may have aspired to become a private equivalent to the CIA, analysts who are familiar with the burgeoning market for international political analysis say it's not among the world's premier players. Friedman's rejection of encryption software over a mere $40,000 is evidence of that.

"Gathering global intelligence requires lots of resources," said Jo Jakobsen, an associate professor at the Norwegian University of Science and Technology and one of the few scholars who've devoted their academic careers to studying the risk analysis industry.

Before Monday, Jakobsen said, he'd never heard of Stratfor.

"I was a little bit surprised about hacking a medium or even small company like that," Jakobsen said.

"WikiLeaks, as such, is brilliant," Jakobsen said, in an unsolicited paean to the website that gained its fame by publishing hundreds of thousands of U.S. government documents. "But," he added, "the way they have portrayed how these risk analysis firms operate shows they don't really understand. My guess is that most of (Stratfor's) time is spent on the Internet."

WikiLeaks' publication of the Stratfor emails, naturally, has been controversial. WikiLeaks says it doesn't know the source of the emails, though it's been known since December that Stratfor's computers had been violated. That's when Anonymous, a group of Internet hackers who target corporations they deem guilty of wrongdoing, published the names of Stratfor's customers and their credit card numbers. The controversy has touched the news organizations that have been given access to the emails.

"McClatchy’s relationship with WikiLeaks is the same as we have with hundreds of people and organizations that provide information to our newspapers," said Anders Gyllenhaal, McClatchy's vice president for news and its Washington editor. "This is not a partnership. We have no role in how WikiLeaks operates. We simply have an arrangement that enables us to review documents ahead of others. We then determine the information’s validity and value and publish based on our independent news judgment."

Friedman founded Stratfor in 1996 after he left Louisiana State University, where he was a political science professor, and it's made its reputation by distributing analyses of breaking international news developments on its website.

American journalists found Stratfor analysts particularly accessible and often used their postings and comments when official law enforcement sources were unavailable. McClatchy, for example, cited a Stratfor analysis of burn patterns in a mosque to discuss the likely cause of an explosion last June that wounded former Yemeni President Ali Abdullah Saleh as he was praying.

Without doubt, Stratfor is much smaller than the world's most prominent risk-analysis firms. The granddaddies of the trade include New York-based Control Risk Group, with offices in 34 countries, and London-based Merchant International Group, which boasts operations in 100 countries. There are hundreds, if not thousands, of others.

By comparison, Stratfor's employee complement is fewer than 100 people, according to one former insider, who spoke only on the condition that he not be identified, to preserve his status in the industry. Stratfor itself isn't commenting.

One of Stratfor's emails lists 24 people by name who are authorized to receive missives as part of the company's "secure" email list.

The company's financial statements — they, too, can be found in the WikiLeaks emails, unencrypted — indicate that Stratfor is profitable, though not wildly so.

According to its eight-month income statement for 2011, revenues through August were $7.6 million, of which $6.7 million came from subscriptions to the company's publications. Costs, including $4.9 million in salaries and benefits, totaled $6.48 million. That left a net income, through August, of $516,401.

That same profit and loss statement indicated that Stratfor had just one U.S. government client last year, the Marine Corps, which was billed $34,000 in October, apparently for consulting services.

In 2010, according to a list of receivables found among the email, the Department of the Air Force owed Stratfor $119,950. That same year, the "commandant of the Marines" is listed as owing Stratfor $48,000.

As for Stratfor's other clients, there were nine that made payments in the first eight months of 2011, according to the financial statement. The largest was Chevron Latin America, which paid Stratfor $81,700. A 10th client was added in September — according to an email from Friedman to his staff that month — the Turkish Industry and Business Association. It was billed $75,000 in October, according to a note that accompanied the financial statement.

Another client, Dallas-based Hunt Oil, renewed its subscription to Stratfor's research for $42,394. According to the emails, Stratfor monitors events in Iraq, Peru and Yemen for Hunt, which has oil interests in those countries, and along the U.S.-Mexican border, where Hunt controls the electrical transmission lines between Mexico and Texas.

Despite the existence of emails that indicate Dow Chemical had asked Stratfor to gather information on advocates for victims of the 1984 chemical spill in Bhopal, India, there's no indication in the financial statement that Dow made any payments to Stratfor in 2010 or 2011. The monitoring appears to have been done by Allis Information Management, a political analysis firm based in Midland, Mich., where Dow's headquarters are also. Allis didn't respond to requests for comment.

Without doubt, according to the emails, Stratfor's most colorful personality is Burton, the VP for intelligence, who announced the news of a sealed indictment of Assange to his incurious colleagues last year. Even without the emails, Burton is a bigger-than-life figure.

A former deputy director of the Counter Terrorism Division of the State Department's Diplomatic Security Service, Burton has written two books. The first, "Ghost: Confessions of a Counterterrorism Agent," made The New York Times best-seller list when it was published in 2008.

He casts a long shadow in the Stratfor emails. He slams the CIA, suggests that Assange should be waterboarded and takes an unpopular position, at least among some analysts he's exchanging emails with, that sometimes one source is all you need — if the information is good enough and the source trusted.

"If a source has a strong record for accuracy and the info being sent adds up, I don't see why we need to wait for it to be corroborated," Burton wrote in an email Nov. 14.

He was a proponent of improving the company's Internet security, calling for encrypting nearly everything, including the company's financials, its reports to its clients and other potentially sensitive communications.

The admonition fell largely on deaf ears.

Last summer, Stratfor began a rush program to gather all of its analysts' sources into a central database, urging in repeated emails that they send the lists, with names, numerical code designations and contact information, all color-coded according to Stratfor's standards: red for people who should be contacted only sparingly, orange for those who are more accessible and yellow for sources who seem willing to be contacted at any time.

Only once in the flurry of emails did an analyst suggest that perhaps this information should be encrypted. All the others apparently sent their lists as they kept them, in Excel spreadsheets that soon will be available for all the world to peruse — scores of names and phone numbers in Asia, Africa and Latin America.

"That's the big scandal here," said Jakobsen, the Norwegian risk analysis industry expert. "An intelligence company being hacked."

ON THE WEB

WikiLeaks' Global Intelligence Files

MORE FROM MCCLATCHY

Wounded, Yemen's Saleh finds his support undamaged

WikiLeaks: Doctors of Venezuela's Hugo Chavez disagree over his health

Without credit card donations, WikiLeaks facing funding crisis

Follow Mark Seibel on Twitter.

McClatchy Newspapers 2012

Idaho Statesman is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service