According to an article that appeared yesterday in the Daily Mail, a London daily, test launch procedures for Lockheed Martin’s Terminal High Altitude Area Defense (THAAD) ground-to-air missile defense system were found on a hard drive purchased on eBay. The disk also contained security policies, blueprints of facilities and social security numbers for individual employees.
The disk was purchased by British researchers as part of a research project which scrutinized 300 hard drives purchased from public sources such as computer auctions and eBay. The researchers found that Lockheed Martin may not have been alone in disposing of insufficiently sanitized hard drives. Thirty-four percent of the 300 hard drives examined had identifiable personal or company data. Among the discoveries was a hard-drive with security logs from the German Embassy in Paris.
The article cited a spokesman from Lockheed Martin who stated:
“Lockheed Martin is not aware of any compromise of data related to the Terminal High Altitude Area Defense programme. Until Lockheed Martin can evaluate the hard drive in question, it is not possible to comment further on its potential contents or source.”
A good point and, it should be remembered, it’s possible that the hard drive was not one disposed of by Lockheed Martin but rather was a hard-drive from an employee’s home computer, although that would raise a different set of issues.
But the point here is not really whether THAAD program details were or were not on hard disk drives, or even what steps the researchers took to recover data, but rather to ask this question: “What does your compliance program say about disposal of hard-drives that may have ITAR-controlled or ECCN-controlled data? And what steps does your company take when disposing of hard-drives?” Most companies probably contract those responsibilities to third-party contractors who promise to wipe or destroy the drives, a promise that, as this case may illustrate, may not always be kept.
The National Industrial Security Procedures Operating Manual, DoD 5220.22-M (“NISPOM”), which contains DoD procedures for protection of classified data, requires that disks with such data be “sanitized” prior to disposal, but the NISPOM doesn’t provide a description of satisfactory sanitization techniques. Vendors who sell disk-wiping programs, such as this one, describe the NISPOM procedure as requiring multiple overwrites of all sectors of the drive with random data, but this appears to be a reference to a 1997 version of a separate DoD document entitled “Cleaning and Sanitization Matrix.” The January 2007 edition of that matrix stated: “Overwriting is no longer acceptable for sanitization of magnetic media; only degaussing or physical destruction.” (The matrix appears to have disappeared from the Internet; if anyone has a current link, please let me know.)
There are no standard procedures mandated by DDTC or BIS for pre-disposal sanitization of hard disks containing non-classified, but ITAR-controlled or ECCN-controlled, technical data. However, a good resource for developing these procedures is a document released by the Department of Commerce’s National Institute of Standards and Technology entitled “Guidelines for Media Sanitization.” The document indicates that encryption is not a sufficient sanitization technique and recommends various other methods, including multiple overwrites, degaussing and physical destruction.
This gives companies a variety of options. Companies that would rather be safe than sorry can destroy magnetic media, and companies that would rather be green can degauss such media. And, at a very minimum, there is no excuse for not downloading a disk-wiping program and overwriting magnetic media prior to disposal or sale if the company is not going to destroy or degauss it. My personal favorite method for destroying hard drives is blowing them up with thermite, but that might not be feasible in most corporate settings.