All of us who use a government-issued laptop or other device know that we are to turn it in to our employer when we depart. Our employer then sanitizes the device before it is issued to the next person or disposed of. If the device was used for a classified engagement, the hard drive (if present) is often removed and destroyed in an accountable manner. This process is called IT Asset Disposition, or ITAD. When the ITAD process breaks down, information can be compromised and secrets lost.
German Military Secrets found on eBay
The ITAD process failed the German military recently when a Bundeswehr ruggedized laptop was purchased on eBay for 90 euros. Security researchers from the German firm G Data found the laptop being offered for sale and snapped it up. They were rolling the dice that there might be something of interest, and their gamble came up a winner.
Much to their surprise, and perhaps delight, they found the laptop was full of classified German military information.
The laptop contained classified documents and instructions on how to destroy the LeFlaSys Ozelot air defense system. The system, which is still in use today, was first deployed in 2001.
Security researcher Tim Berghoff told DW (German periodical), “The notebook PC we acquired contains extensive technical information on the LeFlaSys system, including step-by-step instructions for operation as well as maintenance. Information on how to operate the target acquisition system, as well as the weapons platform itself, can be found on there, and, of course, instructions on how to destroy the entire system to prevent its use by enemy forces.”
When the German Defense Ministry was contacted by Der Spiegel, it said that an unidentified third-party recycling firm should have destroyed the classified materials on the laptop, and that it may be assumed an error occurred and the firm did not destroy the data prior to recycling or reselling the IT equipment.
Trusting others to do your ITAD?
Therein lies the rub.
Does your entity consider the destruction of data on laptops or other devices that are aged out or reissued to an employee a core responsibility, or one that is contextual in nature and can be farmed out to a contractor?
Who can you trust to destroy the classified information resident on devices for which you are accountable?
Regardless of which direction one chooses, in-house or third-party, you need a process and procedure that checks and then double-checks that the data on the devices (laptops, servers, phones, USB sticks, external drives, internal drives, tapes and CD-ROMs) has actually been destroyed. Furthermore, there needs to be a paper trail documenting the process each step of the way.
Lastly, one should test their ITAD system; think of it as a fire drill. It also follows the maxim that what is measured gets done correctly. Your devices and data must be secure not only while they are being used by you and your employees; they must also be secured and sanitized before they leave your hands.
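The "check, then double-check, and leave a paper trail" step above is the part that failed in the eBay case. The following is an added example, not code from the article or from G Data, showing what an independent post-wipe verification with an audit record can look like: it reads every byte of a drive image, fails the asset if any non-zero byte remains, and emits a JSON entry naming who checked what and when. The asset tags, operator name and the constructed sample images are assumptions for illustration.

```python
import datetime
import hashlib
import json
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so whole drives fit in constant memory


def verify_wiped(path):
    """Read every byte of a device or image and confirm it is zero.

    Returns (clean, bytes_read, sha256_hex, first_nonzero_offset).
    A full read, not a sample, is the point: residual data can sit anywhere.
    """
    digest = hashlib.sha256()
    total, first_nonzero = 0, None
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
            if first_nonzero is None and chunk.count(0) != len(chunk):
                first_nonzero = total + next(i for i, b in enumerate(chunk) if b)
            total += len(chunk)
    return first_nonzero is None, total, digest.hexdigest(), first_nonzero


def audit_record(asset_tag, path, operator):
    """Paper-trail entry for one device: who checked what, when, and the result."""
    clean, size, sha, offset = verify_wiped(path)
    return {
        "asset_tag": asset_tag,
        "operator": operator,
        "verified_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "bytes_checked": size,
        "sha256_of_media": sha,
        "result": "PASS" if clean else "FAIL",
        "first_nonzero_offset": offset,
    }


def make_sample_image(residual=b"", size=4 * CHUNK + 17):
    """Constructed stand-in for a drive: all zeros, optionally with leftover bytes."""
    tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".img")
    data = bytearray(size)
    if residual:  # bury the leftover data past the first chunk boundary
        data[CHUNK + 3:CHUNK + 3 + len(residual)] = residual
    tmp.write(data)
    tmp.close()
    return tmp.name


if __name__ == "__main__":
    for tag, img in (("ASSET-0001", make_sample_image()),
                     ("ASSET-0002", make_sample_image(b"leftover document fragment"))):
        print(json.dumps(audit_record(tag, img, "operator-a"), indent=2))
```

On a real asset the path would be the block device after sanitization, and the record would be retained with the chain-of-custody paperwork rather than just printed.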