How Not To Update Secret Lists

The press has made much of Wikleaks publishing a cable containing names of installations around the world which the US State Department considers critical to national security. Naturally the news organizations, apart from explaining how terrible this was and how useful it would be to terrorists, also included excerpts from the list just to show how bad it was that terrorists could find out all this stuff without doing the obligatory five minutes research on Google.

It made me wonder: why would the US State Department be sending such a list of supposedly sensitive information to its embassies around the world?

So rather than read the media gossip, I read the cable. It’s remarkably boring. But if the list is as sensitive as has been claimed, it also demonstrates some questionable judgement on the part of the State Department.

If you had a list of your friends, and wanted to make sure each of their addresses was up to date, would you email the entire list to all your friends and ask them to update their entry? No you wouldn’t. You would be worrying about friend A seeing the information about friend B.

But this is precisely what the US State Department did. It mailed the 2008 list of critical infrastructure outside the USA to all of its embassies and asked each embassy to update the parts it knew about, thus ensuring the list had the greatest possible chance of being accidentally disclosed.

Of course, if the list itself wasn’t that sensitive, this was the sensible way to get it updated quickly and efficiently. If it was that sensitive, then each embassy should only have been sent that part of the list that it knew about, and no more.

So did the US State Department really screw up? Are we really suddenly at risk from terrorists unable to use Google? Or is this just another case of the media (and various governments) blowing everything out of proportion for their own ends?