Gnutella and Marine 1

In case you missed it, a contractor’s laptop allowed secret plans of the new presidential helicopter to fall into foreign hands.

I’ve got some issues with what happened, with how this has been reported, and with what I expect the aftermath of this to be.

First off, the individual security contractor should lose his/her job over this immediately. That was egregious and should be punished. Digging into the details of what happened shows that the contractor reconfigured Gnutella (the peer-to-peer software involved) to share more than the default folder, causing the plans to be shared online. That was beyond dumb given the classified information on that hard disk.

Secondly, whoever was in charge of security for the contractor’s company totally dropped the ball. Congress should request an audit of the security procedures for all of its defense and security contractors immediately, before the next loss of important documents occurs.
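The misconfiguration described above (a peer-to-peer client told to share more than its default folder) is exactly the kind of thing a security audit can catch mechanically. The following is an added example, not code from the original post or from any Gnutella client: it reads a constructed share configuration (one shared directory per line, an assumed format rather than any real client's settings file), compares it against the directories the organisation approved for sharing, and flags sensitive files that the current configuration exposes. The classification markings, file types, folder names and file contents are all constructed for the demonstration.

```python
"""Audit a peer-to-peer client's shared folders against an approved list.

Added example, not code from the original post; the config format,
markings, file types and sample files are all constructed assumptions.
"""
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Classification markings to look for in the first kilobyte of a file
# (constructed list; longest marking first so "TOP SECRET" wins over "SECRET").
MARKINGS = (b"TOP SECRET", b"SECRET", b"CONFIDENTIAL")
# File types an engineering shop would not want leaving the building (constructed).
SENSITIVE_SUFFIXES = {".dwg", ".dxf", ".docx", ".pdf"}


def parse_share_config(text: str) -> list[Path]:
    """Parse the constructed config: one shared directory per line, '#' comments."""
    dirs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            dirs.append(Path(line).expanduser().resolve())
    return dirs


def is_under(path: Path, root: Path) -> bool:
    """True if path is root itself or lies below it (after resolving symlinks)."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def looks_sensitive(path: Path) -> Optional[str]:
    """Return the reason a file looks sensitive, or None if nothing was found."""
    if path.suffix.lower() in SENSITIVE_SUFFIXES:
        return f"sensitive file type {path.suffix}"
    try:
        head = path.read_bytes()[:1024]
    except OSError:
        return None
    for marking in MARKINGS:
        if marking in head:
            return f"classification marking {marking.decode()!r}"
    return None


def audit_shares(shared: list[Path], approved: list[Path]) -> dict:
    """Report shared directories outside the approved set and every sensitive
    file the share configuration exposes (each file reported once)."""
    report = {"out_of_scope": [], "exposed": []}
    seen = set()
    for d in shared:
        if not any(is_under(d, a) for a in approved):
            report["out_of_scope"].append(str(d))
        if not d.is_dir():
            continue
        for p in d.rglob("*"):
            if p.is_file() and p not in seen:
                seen.add(p)
                reason = looks_sensitive(p)
                if reason:
                    report["exposed"].append((str(p), reason))
    return report


def build_demo() -> tuple[list[Path], list[Path], Path]:
    """Constructed scenario: ~/Shared is the approved share, but the client was
    reconfigured to share the whole home directory, which also holds the plans."""
    home = Path(tempfile.mkdtemp(prefix="p2p-audit-"))
    (home / "Shared").mkdir()
    (home / "Shared" / "song.mp3").write_bytes(b"\x00" * 16)
    proj = home / "Projects" / "helicopter"  # constructed project folder
    proj.mkdir(parents=True)
    (proj / "rotor-assembly.dwg").write_bytes(b"constructed CAD sample")
    (proj / "notes.txt").write_bytes(b"SECRET - constructed sample notes\n")
    (home / "readme.txt").write_bytes(b"nothing to see here\n")
    config = f"# shared directories\n{home / 'Shared'}\n{home}\n"
    return parse_share_config(config), [home / "Shared"], home


def run_demo() -> dict:
    """Build the constructed scenario, audit it, and clean up the temp tree."""
    shared, approved, home = build_demo()
    try:
        return audit_shares(shared, approved)
    finally:
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    for d in result["out_of_scope"]:
        print("shared directory outside approved scope:", d)
    for path, why in result["exposed"]:
        print("exposed:", path, "-", why)
```

In the constructed scenario the audit reports the home directory as an out-of-scope share and lists both the drawing (by file type) and the marked notes file (by content). A real deployment would read the actual client's settings file and the organisation's approved share list instead of the constructed ones, and would run on a schedule so that a share widened after the initial review is caught before anything leaves the machine.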

Thirdly, why wasn’t encryption used at the file level? If something is a secret, treat it like one. If the software in use doesn’t offer encryption, our government should have a policy that mandates the boycott of said software for the purpose of secret documents. In other words, if AutoCAD doesn’t have an encryption option, AutoCAD should never be used for a sensitive project. This one is a no-brainer! What if that person’s laptop was stolen? The security breach is the same. Encryption at the file level helps here. I also think that government (and affiliate) laptops should use encrypted filesystems as well, to cover physical theft, but that would not have helped here.

Fourthly, the news coverage of this is essentially blaming file-sharing for the breach. The breach was caused by either a lack of understanding of what a tool does, or a purposeful ignoring of what a tool does. If I shoot a nail gun into my hand, I have only myself to blame for the nail. Either I did not understand the purpose of the nail gun, I did not understand the risks involved with using a nail gun, or else I chose to ignore those risks. This was a people problem that should have been avoided.

Finally, the aftermath of this will likely involve some ridiculous agency sifting through p2p traffic looking for state secrets. Just like using child pornography as a reason to filter regular net traffic, state secrets will be used as a red herring to make the federal government sift through p2p traffic. I smell the stink of Big Copyright at work. Congress, take note: preventing future slippage of secrets does not involve sifting traffic, it involves mandating encryption and having workable security policies. It will be a huge waste of taxpayer dollars if p2p traffic becomes the target of government snoops.

This entry was posted in best-practices, politics/government, privacy/secrecy/security.
