In Laptop Age, Security Breach Concerns Are Up

[William Knowles <wk () C4I ORG>]

http://www.latimes.com/business/cutting/20001003/t000093746.html

Tuesday, October 3, 2000

By ESTHER SCHRADER, BOB DROGIN, Times Staff Writers

WASHINGTON--A 14-hour plane flight ahead of him and a schedule jammed
with sensitive meetings on the other end, a senior White House
official slipped a disk filled with classified data into his laptop
computer to review en route.

A mid-level CIA officer, driving from an audience with a foreign
intelligence contact, murmured his impressions of the meeting into a
hand-held device that he later downloaded into his computer at agency
headquarters.

A State Department official, eager to get home and hug his new baby,
left a portable hard drive in his desktop computer instead of locking
it in the safe behind his desk.

Each of these situations really occurred, and each was a violation of
the federal government's rules for protecting classified data. And all
three illustrate a problem of increasing concern in Washington: For
U.S. officials operating in the laptop age, the pressure to make every
moment count can lead to mistakes that undermine careers and, in some
cases, put sensitive information generated by the world's most
powerful government at risk.

Take Martin S. Indyk, the U.S. ambassador to Israel. The State
Department has suspended his security clearance--and his key role in
Middle East peace talks--for suspected security violations. His crime?
He allegedly drafted classified memos on an unclassified laptop
computer during a flight and took classified documents home to prepare
for meetings.

But, although Indyk's public chastisement is highly unusual, his
alleged transgressions are not, according to current and former senior
and mid-level officials at agencies throughout the U.S. government.
With government officials traveling more than ever, competing in a
world where it is now possible to write, communicate and analyze 24
hours a day, security procedures are regularly ignored, these
authorities said.

"People knowingly violate the rules. They put the information at great
risk, especially if they do it repeatedly over a long period of time,"
said Jerry Rubino, director of security and emergency planning at the
Department of Justice.

Rubino said Justice logs dozens of internal security violations a
week, most of them minor, such as leaving sensitive documents on a
desktop overnight.

Audits conducted last year by the General Accounting Office and agency
inspectors general show that 22 of the largest federal agencies have
significant computer security weaknesses. Among the common problems
cited were poor controls over system access, data access and software
development.

"Throughout the government, everyone's computer has the ability to
download onto disks," said a senior White House official who deals
with classified information every day. "When I write a classified
document or memo, I put it on a disk and give it to my secretary to
process," said the official, who was willing to discuss the problem
only on condition of anonymity. "We use disks. That's how documents
are moved around. And that means people can walk away with the disks.
That's a fact."

The government's defense against such security threats consists of a
hodgepodge of constantly evolving regulations, which vary
significantly from agency to agency and quickly become outmoded.
Current and former officials insisted that following the rules to the
letter would sharply limit the productivity of the people who engage
in some of government's most sensitive work.

"Let's be honest. Any foreign ambassador who is working hard and has a
lot of foreign contacts--how is he going to do his work if he doesn't
have these aids?" asked Myles Frechette, ambassador to Colombia from
1994 to 1997.

"Obviously, in the age of information, getting your information to
Washington fast is a real premium," Frechette said. "What is needed
are procedures that allow you to do your job, rather than procedures
that force you to spend your travel time reading magazines or
something. That produces mediocrity."

Ever since there were governments there have been government secrets,
and people careless enough--or motivated enough--to divulge them. But
when 70,000 pages of classified material can be downloaded on a
computer tape the size of a thin paperback novel, the risk of theft
rises exponentially.

"All high-level officials know that a laptop is not a secure system
and that they are pushing the envelope when they put sensitive
material on the laptop. But everyone does it," said Melvin Goodman,
professor of international security at the National War College and a
former senior analyst in Soviet affairs at the CIA and the State
Department. "There's too much intelligence out there and it's too easy
to pocket in this high-tech age."

The National Security Agency, the spy service charged with protecting
the U.S. government's communications and listening to those of its
foreign adversaries, is racing to develop new encryption software to
protect data on laptops and other portable computing devices.

The agency also is developing biometric technology to prevent
unauthorized access to computers. The technology verifies the identity
of a computer user by reading his fingerprints, voice or face or
scanning the retina and iris of his eye.

This kind of improvement is the information security equivalent of an
arms race.

"Don't you think the opposition has the latest technology money can
buy? Certainly, the drug cartels do," said Paul Boudreaux, technical
director in the NSA's Laboratory for Physical Sciences.

But in most agencies, nothing prevents someone from downloading
classified material onto a disk and walking out the door, or copying
classified material onto an unclassified computer.

"Currently, I'm unaware of a technology fix to that particular
problem," said a senior State Department security official who
requested anonymity.

Although each agency has its own security office and set of
regulations, enforcement mostly comes down to the honor system.

Throughout the government, officials who have access to classified
material are issued separate desktop computers for classified and
unclassified work. Classified laptops use a special software template
that designates when a document was classified and by whom.

Although security officers make unscheduled checks of offices
throughout the Pentagon and State Department, many officials leave
portable hard drives containing classified data in their computers or
sensitive files on their desks instead of locking them in safes
overnight.

Even when officials are cited for security infractions, they rarely
are subjected to punishment. Infractions do go in personnel records.
But, unless there is a clear pattern of repeated violations, they
generally are ignored, security officials said.

In the wake of a series of embarrassing security lapses at the State
Department, Secretary of State Madeleine Albright has vowed to clamp
down. The department is reviewing all of its security procedures and
has tightened rules on building access. According to spokesman Andy
Koss, the department has even taken the unprecedented step of
suspending all promotions for several weeks while officials check for
security violations.

Retired State Department officials who have traditionally retained
their security clearances suddenly have been barred from entering the
building without an escort, Koss said. Many who still bank at credit
union offices located there are furious.

At some agencies, security is tighter and a higher priority than at
others. At the CIA, for example, officials submit to polygraph tests
every three to five years. But officials at other agencies with access
to the same classified material do not take polygraph tests.

Pentagon officials have started conducting spot checks of laptops
carried by some of the thousands of people who enter and leave the
building each day. They currently are drafting new security
regulations to govern the use of Palm Pilots, two-way pagers and
laptops.

Pentagon officials who travel are almost always accompanied by
military aides for whom security is a top priority. The officials are
rated on attention to security issues in their promotion performance
reviews, and they know that technical violations are "career-enders,"
said Kurt Campbell, who in May left a job as a deputy assistant
Defense secretary.

"This is much more serious than driving fast on the Beltway," said Ben
Venzke, director of intelligence production at iDefense, an
intelligence computer security firm in Alexandria, Va. "Our government
is losing extremely sensitive information. . . . I don't know if
there's going to be any simple answer to it, but it's extremely
serious."

Times staff writer Paul Richter contributed to this story


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".