Forwarded from: William Knowles <wk@private> http://www.techworld.com/security/features/index.cfm?featureID=2436 By John E. Dunn Techworld April 17, 06 There is a famous and sometimes embroidered story from the Cold War of how the US managed to get its hands on a state-of-the-art Soviet fighter, the 2,000 mph-capable Mig-25 Foxbat, after a pilot defected to the West in 1976. Supposedly the most advanced and fearsome craft of its type in the world, when the men from NATO got their hands on the machine, they made an astonishing discovery. Far from being ahead of the West, the plane's avionic systems were built around old-fashioned valves and vacuum tubes, a technology from a generation before the 1970s. Why had the Soviet designers stepped back in time when smaller, faster, and more reliable transistor-based electronics were available to them? Then the penny dropped with a loud clang. In the event of a nuclear war, valves would probably continue working while the much more sensitive transistors used on US aircraft would fry in the face of the gamma radio pollution that accompanies nuclear fission. The Soviets had turned their backs on the latest and best out of pragmatism. If the aircraft was ever to be used as intended, it would need to survive the first few days of combat. There is a fair chance the superficially more advanced US equivalents would have been left sitting on the tarmac, unable to navigate, communicate or arm their weapons. It's a completely different context, but the potentially serious problems the US military has been having with data security in its Afghan theatre immediately put me in mind of this tale. According to a number of well-sourced articles (see the LA Times and New York Times), the army has lately been losing all sorts of items to theft from its bases in the country. As well as the usual knives and watches, the list now stretches to cheap, disposable USB drives. So disposable in fact that they have been turning up for sale in the country's flea markets, loaded with unencrypted classified documents covering topics such as "which militants the US wants killed or captured". It's a fair bet that those guys aren't hanging around in Kabul these days. It sounds like the old story of data incompetence in combat fatigues, but perhaps there's more to it than that. Companies religiously share information by putting it into a movable state, accessible to off-the-shelf applications. The sales team will put its best leads into a database, for instance, and then somebody else might use that same information as the basis for a set of Powerpoint slides. There is a fundamental principle at work here - the tendency people have of writing everything down in a digital form, including stuff that is supposed to be highly confidential. A generation or more ago, this sort of information would have been in paper files, which are still vulnerable to theft, but in a way that makes their disappearance immediately obvious (one assumes that when these USB drives went missing, the fact was probably not acknowledged by anyone other than the person who looked after the device). Back then, how many copies would have been made of low-level, localised information such as "which guys to kill"? Probably one or two, and perhaps even none if the information stayed in a soldier's head. Files never die Modern software encourages us to make multiple copies of data files, and allows further copies to be made without that fact being obvious. Files are never really "stolen" at all, despite the accepted parlance we have all adopted from the security mindset. Files are simply copied, or copies are stored on portable devices which are then dropped, stolen, forgotten, flushed away. The US military is following the same corporate logic as the business world when it encourages its soldiers to compose thoughts and plans in digital form that might, frankly, sometimes be better left in their heads. The military men will counter that a soldier's memory banks are highly corruptible, and they'd rather guarantee data integrity for a few dollars and a USB or hard disk interface. Naturally, its civilian wing uses the same applications as everyone else. It's an odd symmetry, not often remarked on, that in the war the US is waging with Al Qaeda around the globe, both sides have upgraded to the same version of Word and Excel. About the only point of difference appears to be that Al Qaeda's agents realise the danger in such standardisation and have mandated (or at least that's what the authorities are forever telling us with great foreboding) the competent use of encryption. This hints at something at something deep in the nature of organisations that needs looking at. Perhaps the biggest single risk to information security isn't malware, hackers, or insider criminals looking to strip every morsel of useful data from the corporate bone - it's just the tendency people have of writing important things down, which then get into the wrong hands. It also hints at something deep in the nature of the US military and, you'd wager, the armies of many other countries too. Armies have come to reflect the same mainstream corporate ethos as businesses, and so they use broadly the same applications as do businesses. From a data security standpoint they have precisely the same problems and probably talk about them in the same way. It's a place Sarbannes-Oxley and all the other corporate anti-scandal legislation doesn't go because nobody invests money in armies. They are still seen as somehow different even though this latest frontline anecdote tells us they are nowadays more and more the same. Killing isn't a profitable business but it is one that should be done cost-effectively, and with a degree of technological sophistication. When the military investigators have finished their enquiries into how top secret files could possibly have ended up being exchanged for second-hand refrigerators in a Kabul market, they should ponder that the distance between a clean-room supercomputer and the dust and heat of a mountain in Asia is now non-existent. Data can easily be several places at once because it is no longer discrete. There are three solutions, one high-tech and the other two fairly primitive (but let's not rule anything out here). First solution - encrypt everything. Complicated and expensive but it would probably work up to the point soldiers started sticking the passphrases on to the drives. Second solution - don't put important information in digital files or just keep it in a printed form. This is the Soviet lateral thinking Mig-25 approach. It worked in the old days so why not now? The other great advantage of old-world filing would be that your enemies would have the same problems finding important files in a hurry as your own soldiers. Third solution - task a special company of soldiers to spend time in Afghan markets buying up every USB drive they can find. Of course, this might just create demand for the drives, but think of it as a layered security approach and it will sound good to the men behind desks. Thinking about it more, perhaps they need to do all of the above, but I have a feeling that, as usual, the preference will be for more technology. When it comes to security, creative thinking is still a rarity. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* _________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Tue Apr 25 2006 - 00:42:14 PDT