[ISN] US military struggles with data loss

From: InfoSec News (isn@private)
Date: Tue Apr 25 2006 - 00:28:00 PDT


Forwarded from: William Knowles <wk@private>

http://www.techworld.com/security/features/index.cfm?featureID=2436

By John E. Dunn
Techworld
April 17, 06

There is a famous and sometimes embroidered story from the Cold War of
how the US managed to get its hands on a state-of-the-art Soviet
fighter, the 2,000 mph-capable MiG-25 Foxbat, after a pilot defected
to the West in 1976.

Supposedly the most advanced and fearsome craft of its type in the
world, when the men from NATO got their hands on the machine, they
made an astonishing discovery. Far from being ahead of the West, the
plane's avionic systems were built around old-fashioned valves and
vacuum tubes, a technology from a generation before the 1970s.

Why had the Soviet designers stepped back in time when smaller,
faster, and more reliable transistor-based electronics were available
to them? Then the penny dropped with a loud clang. In the event of a
nuclear war, valves would probably continue working while the much
more sensitive transistors used on US aircraft would fry in the face
of the gamma radio pollution that accompanies nuclear fission.

The Soviets had turned their backs on the latest and best out of
pragmatism. If the aircraft was ever to be used as intended, it would
need to survive the first few days of combat. There is a fair chance
the superficially more advanced US equivalents would have been left
sitting on the tarmac, unable to navigate, communicate or arm their
weapons.

It's a completely different context, but the potentially serious
problems the US military has been having with data security in its
Afghan theatre immediately put me in mind of this tale. According to a
number of well-sourced articles (see the LA Times and New York Times),
the army has lately been losing all sorts of items to theft from its
bases in the country. As well as the usual knives and watches, the
list now stretches to cheap, disposable USB drives. So disposable in
fact that they have been turning up for sale in the country's flea
markets, loaded with unencrypted classified documents covering topics
such as "which militants the US wants killed or captured".

It's a fair bet that those guys aren't hanging around in Kabul these
days.

It sounds like the old story of data incompetence in combat fatigues,
but perhaps there's more to it than that. Companies religiously share
information by putting it into a movable state, accessible to
off-the-shelf applications. The sales team will put its best leads
into a database, for instance, and then somebody else might use that
same information as the basis for a set of PowerPoint slides. There is
a fundamental principle at work here - the tendency people have of
writing everything down in a digital form, including stuff that is
supposed to be highly confidential.

A generation or more ago, this sort of information would have been in
paper files, which are still vulnerable to theft, but in a way that
makes their disappearance immediately obvious (one assumes that when
these USB drives went missing, the fact was probably not acknowledged
by anyone other than the person who looked after the device).

Back then, how many copies would have been made of low-level,
localised information such as "which guys to kill"? Probably one or
two, and perhaps even none if the information stayed in a soldier's
head.


Files never die

Modern software encourages us to make multiple copies of data files,
and allows further copies to be made without that fact being obvious.  
Files are never really "stolen" at all, despite the accepted parlance
we have all adopted from the security mindset. Files are simply
copied, or copies are stored on portable devices which are then
dropped, stolen, forgotten, flushed away.

The US military is following the same corporate logic as the business
world when it encourages its soldiers to compose thoughts and plans in
digital form that might, frankly, sometimes be better left in their
heads. The military men will counter that a soldier's memory banks are
highly corruptible, and they'd rather guarantee data integrity for a
few dollars and a USB or hard disk interface.

Naturally, its civilian wing uses the same applications as everyone
else. It's an odd symmetry, not often remarked on, that in the war the
US is waging with Al Qaeda around the globe, both sides have upgraded
to the same version of Word and Excel. About the only point of
difference appears to be that Al Qaeda's agents realise the danger in
such standardisation and have mandated (or at least that's what the
authorities are forever telling us with great foreboding) the
competent use of encryption.

This hints at something deep in the nature of
organisations that needs looking at. Perhaps the biggest single risk
to information security isn't malware, hackers, or insider criminals
looking to strip every morsel of useful data from the corporate bone -
it's just the tendency people have of writing important things down,
which then get into the wrong hands.

It also hints at something deep in the nature of the US military and,
you'd wager, the armies of many other countries too. Armies have come
to reflect the same mainstream corporate ethos as businesses, and so
they use broadly the same applications as do businesses. From a data
security standpoint they have precisely the same problems and probably
talk about them in the same way.

It's a place Sarbanes-Oxley and all the other corporate anti-scandal
legislation doesn't go because nobody invests money in armies. They
are still seen as somehow different even though this latest frontline
anecdote tells us they are nowadays more and more the same. Killing
isn't a profitable business but it is one that should be done
cost-effectively, and with a degree of technological sophistication.

When the military investigators have finished their enquiries into how
top secret files could possibly have ended up being exchanged for
second-hand refrigerators in a Kabul market, they should ponder that
the distance between a clean-room supercomputer and the dust and heat
of a mountain in Asia is now non-existent. Data can easily be several
places at once because it is no longer discrete.

There are three solutions, one high-tech and the other two fairly
primitive (but let's not rule anything out here).

First solution - encrypt everything. Complicated and expensive but it
would probably work up to the point soldiers started sticking the
passphrases on to the drives.

Second solution - don't put important information in digital files or
just keep it in a printed form. This is the Soviet lateral thinking
MiG-25 approach. It worked in the old days so why not now? The other
great advantage of old-world filing would be that your enemies would
have the same problems finding important files in a hurry as your own
soldiers.

Third solution - task a special company of soldiers to spend time in
Afghan markets buying up every USB drive they can find. Of course,
this might just create demand for the drives, but think of it as a
layered security approach and it will sound good to the men behind
desks.

Thinking about it more, perhaps they need to do all of the above, but
I have a feeling that, as usual, the preference will be for more
technology. When it comes to security, creative thinking is still a
rarity.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


