Following a seemingly endless string of news stories revealing data losses from large organisations, the recent revelation that NASA had lost an unencrypted laptop containing the access codes to the space station seems to have got rather lost in space.
But its significance is profound. Sitting as it does at the top of scientific research in space, defence and scientific innovation, NASA’s intellectual property is unarguably some of the most valuable in the world. So it should be one of the most secure organisations in the world.
Yet at the end of February NASA Inspector General Paul Martin told the US House of Representatives Committee on Science, Space and Technology that a laptop stolen in March 2011 had, “resulted in the loss of the algorithms used to command and control the International Space Station”.
Martin added that despite the risk of losing laptops, the computer had not been encrypted. The NASA boss also confirmed that another laptop contained sensitive information on the NASA’s Constellation and Orion programs, as well as Social Security numbers, had also been lost. But Martin said he did not expect the data security situation to improve.
Instead he warned the committee that the increase in use of mobile devices made it easier for material to fall into the wrong hands. “Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft,” he said, conceding that some 50 devices were either lost or stolen in between 2011 and 2012.
Despite spending £37m of its £1bn IT budget on computer security, Martin admitted that one of the challenges facing the organisation had been the, “slow pace of encryption for NASA laptop computers and other mobile devices”.
Only around 1 percent of NASA’s mobile storage devices are encrypted, a staggering admission perhaps for NASA, and yet sadly a picture that is reflected right across the industries of the Western World, at a time when Western governments have admitted that they are facing an unprecedented attack in search of sensitive data, encrypting sensitive assets is very far down on the list of priorities.
Quite simply, most organisations do not encrypt sensitive information because they do have a method in place to properly evaluate information in the first place. Without that they do not know what information is vital to them, what value it may have to a competitor or what it could be worth to a criminal.
Martin’s own submission underlines the point. “We found significant weaknesses that resulted in computers and hard drives being sold or prepared for sale even though they still contained sensitive NASA data,” he told committee members.
“One Centre released 10 computers to the public that had failed sanitisation testing. OIG auditors confiscated four additional computers that had failed sanitisation testing but were nevertheless being prepared for sale.”
This apparently casual attitude to data was highlighted by recent research which found that in the UK alone 15.1m Gigabytes of data is discarded every year on hard drives alone. The research bears out Martin’s claim that the amount of devices leaking data can only increase, as does research by the USB manufacturer Kingston, a producer of encrypted USB devices, which found that 50 percent of employees put data on USB drives without permission and the 28 percent do not inform anyone when they have lost them.
The Kingston research, “the state of USB drive security in Europe“, further bore out the casual business attitudes about the value of the data, despite being aware of the way their employees use USB drives, 75 percent of companies said they were not willing to pay to ensure the USB drives used by employees were secure.
This was despite the even more alarming finding that 70 percent of study respondents said that they are absolutely certain (47 percent) or believe that it was most likely (23 percent) that a data breach was caused by sensitive or confidential information contained on a missing USB drive.
The organisations contacted confirmed that they had lost more than 12,000 records about customers, consumers and employees as a result of missing USB drives alone. And the cost of the loss of that data is something that those organisations will not be able to quantify because they have never undertaken an exercise to assess its value.
This point was point stressed at a recent presentation by Context Information Security, a leading global security consultancy. Context, which used the event to launch “Crouching Tiger, Hidden Dragon, Stolen Data” – a white paper which unusually points out the specific role that the Chinese state has allegedly been playing in the data thefts known as Advanced Persistent Threat attacks.
“One of the issues that people don’t yet understand is the need for businesses to identify the information that is valuable to them and then take steps to protect the access to it, to know where it is, what copies are in existence and who is using it,” said Context’s CEO, Mark Raeburn.
“People have to understand what and where there assets are in all forms. You have to understand the value of information to you but more particularly the value of information to other people. We often find that there are people out there who place an entirely different value on information to those who are holding it.”
So a business also needs to consider how it uses information and what the role of information is to it. This approach has not been lost on Chinese officials who, according to the Context white paper, know exactly what data they are after and even have a structured program to acquire it.
“There are clues to which companies and the types of data most at risk. In particular the Five Year Plan and the National Outline for Medium and Long Term S&T Development give detail on the areas in which China intends to excel and identifies specific technology which the Chinese want to develop or otherwise acquire.
“Electronics, telecoms, manufacturing, extraction, energy, biotech, pharmaceuticals, aerospace, space and defence are areas of the highest risk alongside companies and services such as law and accountancy firms which support them and hold their data,” it warned.
Such reports and the NASA incident have prompted me to once again call for the widespread adoption of encryption technologies to protect valuable data – and for the development of simple rules to help organisations assess the value of the data they hold.