National Archives: What, Me Worry?

National Archives: What, Me Worry?

Summary: I propose that the National Archives change its motto from "Littera Scripta Manet" (The Written Letter Abides) to "What, Me Worry?" befitting it's current lack of data security controls.

SHARE:
31

I propose that the National Archives change its motto from "Littera Scripta Manet" (The Written Letter Abides) to "What, Me Worry?" befitting it's current lack of data security controls.

While many of you this weekend were firing up your barbecues, cooking grilled meats and drinking chilled beers, you might have missed a small announcement that the  National Archives and Records Administration (NARA) made last Thursday having to do with a eensy, weensy, rather trivial data loss -- it managed to misplace a TWO TERABYTE EXTERNAL STORAGE SYSTEM containing confidential information from the White House during the Clinton administration.

Click on the "Read the rest of this entry" link below for more.

Those of you who do not comprehend just how much data has been compromised in terms of what two terabytes (2TB) actually represents should read this great piece on the Anderson Cooper 360 site by my friend David Gewirtz, who is a highly-regarded consultant in the field of national infrastructure and data security.

The drive that was stolen was of the type you could buy at Best Buy or Tigerdirect, a consumer grade USB storage unit that costs less than $300. Most importantly, the data that was stored on it was unencrypted and contained large volumes of Clinton administration records, including the names, phone numbers and Social Security numbers of White House staff members and visitors. According to Congressional aides briefed on the matter, the device contained “more than 100,000? Social Security numbers and Secret Service and White House operating procedures. (EDIT: The drive apparently contained hard disk images of White House PCs that were used by staff during the course of that administration.)

The biggest, most serious problem with this breach is that the US Government doesn't precisely know how many records were stolen or lost. They also don't know who took the storage unit or how this data ended up on a portable, commodity PC storage device rather than in an enterprise-class, guarded, secure system with multiple levels of encryption and passwords and a document management system with sophisticated audit and logging controls.

Also Read: PDF FAQ about the lost hard drive at NARA (archives.gov)

Gewirtz makes a important point that because consumer data storage has now reached a level where it's easy to transfer huge volumes of data cheaply, that our nation's most important data is at risk. Obviously, something needs to be done in terms of improving our security controls or God knows what in terms of national secrets could end up in the hands of individuals and governments that legitimately want to do us harm.

The methodology and technology we use to keep our most guarded data safe in the government and in corporations that are trusted with confidential information requires strict regulation and sanity. If anything, we need to figure out how to keep data contained where people can view it as required by their jobs, but not necessarily be able to copy it off a system.

One of the ways I believe this can be accomplished is through a combination of policy enforcement, auditing and technology controls at the user, application and infrastructure levels. Document management software with very granular levels of access control of who can see what and elaborate logging of who looked at what is going to be required.

We also need to re-think how information is viewed and is accessible. Full-blown PCs which have the ability to transfer data from a CIFS/SMB server or storage system somewhere should not be used in Government or in institutional settings (Healthcare/Financial/Utility/Insurance) where large volumes of confidential personal information is being handled.

For these types of applications, we should probably be looking at solid state thin client devices (such as the Pano and the Sun Ray) and highly encrypted remote access systems which have USB and optical storage capabilities physically disabled and are connected to virtual destkops which are policy enforced, locked down and task-oriented for reviewing sensitive information, and should require at least two forms of biometric authentication before the data is even viewable. It should also go without saying that in any facility or area where secure data which concerns national security is being accessed, video surveillance of the end-users performing the data access should be monitored.

Have you lost your trust in the government's ability to secure data with the latest National Archives security breach? Talk Back and Let Me Know.

Topics: Hardware, Security, Storage

About

Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

31 comments
Log in or register to join the discussion
  • Legitimately do us harm??

    wtf do u mean
    aaaa123354
  • RE: National Archives: What, Me Worry?

    You might want to get your ducks in a row before trying to stir up some hysteria. The National Security Archives is NOT the same as the National Security Administration (Agency). The National Security Archives is a non-governmental research institute and library.
    rtkeeling
    • Correction to your correction

      rtkeeling should also check his facts. The National Security Archives is an independent non-governmental research institute and library located at The George Washington University in Washington, DC. The National Archives, or more correctly, the United States National Archives and Records Administration (NARA) is an independent agency of the United States government charged with preserving and documenting government and historical records and with increasing public access to those documents. NARA is officially responsible for maintaining and publishing the legally authentic and authoritative copies of acts of Congress, presidential proclamations and executive orders, and federal regulations. NARA is the agency which "lost" the hard drive. By the way, CNN reports that NARA has a second copy of the drive which will enable it to determine what information was on the lost drive.
      rjeremy73@...
      • Well...

        I don't think I said anything that is not correct. ZDNet updated the article to remove the misleading (and nonexistent) "National Security Administration" name.
        rtkeeling
        • "Security"

          The theft of this data really has nothing to do with data security - the data would have been stolen even it had been on a non-portable storage device the size of a locomotive.

          The security problem is in the area of the people who have been entrusted with its safekeeping.

          When powerful politicians want data, they can get it, with or without a perfect security system in place.
          financyone@...
    • It doesn't matter ...

      If the external hard drive that was lost contains social security numbers of people who were influentuial in the Clinton White House, the threat of identity theft is very real.

      What's worse is that there could be important communications on that drive which, if made public, could have far reaching implications.

      If there is no BACK-UP of that information, things could get even worse!

      It doens't have to be of a National Security Nature for the implications of this loss to be far-reaching.
      M Wagner
  • RE: National Archives: What, Me Worry?

    I am not surprised. The federal government is too large and too complex to know what for the right little finger to know what the right ring finger is doing. I agree with the thin client comment, pc's should not be used or locked down to the point that they act as a thin client. All it takes is $$$ and knowhow. But the gov is busy bailing out banks, car companies, finance, ect.
    tx_nurse@...
  • "Granular levels of Access" - probably not

    For the record (so to speak), there is no "National Security Administration". There is the National Archives and Records Administration (NARA - the National Archives) and the National Security Agency (NSA - the communications security folks).

    As for "granular levels of access", we should probably get a little more realistic. "Granularity" may make sense for relatively current, active data and systems; it doesn't make sense in an national archives context. The people and roles to which access would be granted no longer exist; the very concept of user is clouded. Moreover, simplicity - not complex rules and technologies - is the key to successful data protection in such an environment.

    - Dennis Steinauer, former deputy chief, Computer Security Division, National Institute of Standards and Technology.
    dds@...
  • never trusted 'em

    "government" and "trust" in the same sentence? Same zip code? ...NOT.
    pgit
  • RE: National Archives: What, Me Worry?

    Correct my fallible memory, but 9 to 10 years ago, 2TB in an external USB drive was not a common thing that you could buy at Best Buy. Was this drive system from the Clinton Whitehouse, or was it a National Archive system onto which Whitehouse data was copied?
    charles.kronenwetter@...
  • RE: National Archives: What, Me Worry?

    OMG!!
    I hoped they had that backed up too! lol
    jbaker.it
  • Has anyone checked...

    ...Sandy Berger's pants?
    JohnMcGrew@...
    • Sandy Berger

      You might be onto something. I loved the comment. :-)
      MadWhiteHatter
  • 2TB USB $300?

    Anyone has the SKU for the $300 2TB USB drive I could order from Best Buy?
    I'd like to buy a dozen, just in case I happen to run into some White House archived data - maybe Dick Cheney's laptop? No, Donal Rumsfeld's speeches would be better
    Thanks
    radu.m
    • 2TB drives are now selling for around $130

      I've seen 1TB internals for $75!
      M Wagner
    • 2TB drive with CLINTON era data on it?

      Just how long have 2TB USB drives been around -- and just how long has
      it been since Clinton was in office? Why in the world would drive images
      of Clinton-era laptops be stored on a device that new to the market
      place? As others have so clearly stated, there's not much excuse for data
      to be sufficiently accessible to allow such copying to an external device to
      occur unless it is under the watchful eyes of an IT unit. If that were the
      case, then what excuse could there be for no encryption? This is just
      WRONG.
      Joe Ford
      • Drive Images

        are from approx 130 4mm DAT tapes restored to a new USB drive. Presumably they were concerned about data retention and the ability to restore the data, so they transferred it over. Good idea, bad implementation.
        jperlow
  • Just a thought...

    ...did anybody think to search Sandy Berger's undergarments?
    ReadWryt (error)
  • RE: National Archives: What, Me Worry?

    2 Terabytes - man, I didn't realize the Clinton administration had that much porn stashed!

    I agree with the others... check Sandy Burgler's pants - you'll probably find the missing data there.
    biceling
  • RE: National Archives: What, Me Worry?

    The story says the disk is lost. The disk may still be in a physically secure area of the National Archives. I seem to recall a situation a couple of years ago. where the fedral government lost s device with data on it, and it had merely fallen behind someones desk. It took a week to find it. Yes the data is missing so certain security procedures must be taken, but the data isn't necessarily in the wild.
    jim77kahn@...