For years, cybersecurity experts have warned of the dangers of unsecured cloud-based storage – but last month, the United States Department of Justice’s Inspector General’s office warned that the Federal Bureau of Investigation (FBI) was failing to label and track internal hard drives that contain sensitive and even Top Secret national security secrets.
The DOJ released an advisory memo that called for improved media accountability and disposition efforts.
“The FBI does not always account for its loose electronic storage media, including hard drives that were extracted from computers and servers, thumb drives, and floppy disks. For example, the FBI instructs field offices to remove hard drives slated for destruction from Top Secret computers to be couriered separately to save on shipping costs. However, extracted internal hard drives are not tracked, and the FBI does not have the ability to confirm that these hard drives that contained SBU and/or NSI information were properly destroyed. The lack of accountability of these media increases the risk of loss or theft without possibility of detection,” the memo noted.
The memo further warned that electronic storage media was not marked with appropriate classification, while storage media slated for disposal was not physically secured. In one case, a pallet containing extracted internal computer hard drives was stored for 21 months, with the wrapping torn and left open. It was in a facility “shared with other FBI operations, such as logistics, mail, and information technology equipment fulfillment, and had almost 400 persons with access as of May 2024, including 28 task force officers and 63 contractors from at least 17 companies.”
Those assets were not accounted for or even tracked.
The DOJ OIG made three recommendations to improve the management of the FBI’s inventory and disposition of electronic storage media. The FBI has agreed with all three recommendations – although those recommendations were not listed in the memo.
A Hard Truth
It is all too easy to think of the cloud as being unsecured, but physical media can be stolen or compromised – and doing so doesn’t require any real high-tech skills.
“Any organization with confidential information should make sure that information is permanently inaccessible after it is no longer under their control,” warned Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4.
“Certainly, the FBI should be doing the best job possible to that end, and really likely is as compared to the average organization,” Grimes told ClearanceJobs.
Security Secrets Left Out in the Open?
The exact number of drives that were left on that pallet and otherwise unaccounted for wasn’t announced, but it remains clear that this is a problem that has been a long time in the making.
“This means a trove of potentially sensitive or even classified information is floating around the offices of the Bureau or sitting in warehouses without proper oversight,” explained Irina Tsukerman, president and geopolitical analyst at risk assessment agency Scarab Rising.
“We have already seen many cases of the destructive impact of the failures of proper compartmentalization of classified information, such as in the cases of Snowden and Teixeira, and we have also seen how a lack of situational awareness in offices handling sensitive information can result in security breaches and leaks,” Tsukerman told ClearanceJobs.
She further suggested that the political and security repercussions of such an event could be potentially tremendous, as not all information slated for destruction is necessarily useless or outdated.
“Even outdated information can give adversaries or other forces seeking to understand the U.S. security landscape a significant advantage,” suggested Tsukerman. “Moreover, the very fact of a lackadaisical approach to any aspect of security signals about inherent procedural and personnel vulnerabilities to any outsider watching for such missteps.”
No Such Thing As Useless Data
It has also been suggested that the data on the drives could have value, even if the contents were outdated or mundane – including the failed efforts to maintain it.
“The very fact that this is happening may indicate that more useful sets of data may also be handled improperly,” said Tsukerman. “Generally, the lack of attention to details or procedure inside a counterintelligence agency is a huge red flag. Without some level of enforcement, oversight, and serious steps towards accountability there is no incentive to reform the procedures or to reevaluate personnel decisions.”
Encryption Isn’t Enough
One issue not noted in the memo was whether or not the involved drives were protected by industry-acceptable cryptography. That could make it harder, but not impossible, for the drives to be accessed.
“I would assume – and assume is always a risky word to use – that all media capable of storing sensitive data is already, by policy if not statute, protected from unauthorized access by encryption,” said Grimes. “And if it’s adequately protected by acceptable cryptography, the physical destruction of the media isn’t quite as paramount. This seems to me to be a huge issue that remains unaddressed in the memo.”
Yet, the effectiveness of encryption is questionable, especially for those with enough time and the right skills.
“At the same time, coming sufficiently-capable quantum computers are likely to break existing, quantum-susceptible cryptography, like what is probably used on existing electronic media, in our lifetimes if not in just a few years,” said Grimes. “Even if electronic media is adequately encrypted today, will it remain so once we have sufficiently-capable quantum computers? This could be another argument for why physical destruction should be promoted over simply encryption.”