The U.S. Intelligence Community recently had another massive and embarrassing breach. Why are we having so many more breaches of classified information in comparison to 40 years ago? Unfortunately, people in and out of the government still don't understand the difference between cyber and physical security.
In the old days, 30 years ago, physical security adequately secured things of importance. Whether it was money, documents, research, or expensive equipment, it was a physical entity. Classified information was primarily on paper. Research and Development was captured in documents. Money was a physical piece of paper. These physical entities were protected by gates, guns, and guards which adequately protected them. In the military, if we had a highly classified document, it was on a printed piece of paper. That piece of paper was locked in a safe drawer inside of a locked room inside of a locked building that had armed security guards on an installation with fences, gates, and guards. Pretty secure! To compromise that classified document would require significant risk and expertise. You would have to get past all of that physical security to get in, bypassing physical locks, alarms, and guards. Not likely to happen. Breaching the system would generally require an insider with authorized access.
Because these were physical documents, the thief would be limited in what they could actually get their hands on. It would also take time to copy each document or photograph it. Then they would have to get the copies or photographs out of the facility.
Back in 1987, my agency did information systems vulnerability assessments. A commander would ask us to assess the vulnerability of their information systems. We would do this first in a covert op and afterwards in an overt, announced phase. One particular agency (that paid everyone in the Air Force) requested an assessment. In the covert phase, we went to all of the dry cleaners in the area pretending to be security from this agency. We asked if they had found any badges for the facility we were assessing. They all had a procedure for what to do if they came across a badge, and we soon found that one of the dry cleaners actually had one for our agency's facility. Without being required to show any identification, they gave me the badge. It was a badge of a female.
The facility had a procedure for the guards where they had to physically touch the badge of people entering in order to force them to look at the person’s picture. They also did random searches of briefcases and purses of people leaving the facility. So at lunch time when half of the guards were at lunch, I entered the facility with the female’s badge and an empty briefcase. I walked in with a group of strangers that were coming back from lunch. While walking on the outside of the group, I put my finger over the picture and held up the badge as the guard waved us all in.
Once inside, I stole paper and diskettes from empty offices (remember–this was 1987). At one desk, I actually sat down, found some brand new unformated diskettes, formatted them on the desktop, and copied files from the mainframe. I only stopped because my briefcase was full. As I exited the facility, the guard stopped me and said he needed to look in my briefcase. My life passed before me. I'm busted, right? The guard opened the briefcase, shuffled the diskettes around, and said, "Okay, you can go.” In complete disbelief, I asked him what he was looking for. He said, "You wouldn't believe how many calculators we lose.”
Physical calculators had value of course, but the agency's information had none.
In the mid-'90s, agencies started to recognize the change occurring and finally implemented procedures to prevent transferring digital media in and out of their facilities. They still relied on their security guards and policemen to check your briefcases coming in and out. They didn't physically search each person, though. Did you know that the 3 1⁄2 inch disk was designed to fit in a man's shirt pocket? You can imagine the possible outcomes of security searching just briefcases and purses and not the people themselves.
In the '90s and even in the early 2000s, when asked to go to an agency's classified facilities to provide a cyber-crime briefing to their agency's staff, the staffer would meet me in the parking lot to escort me into the facility. They asked for my briefing, which they put into their pocket and then escorted me into the facility. The same procedure was followed to get my briefing out of the facility. Those briefings were on diskettes and CDs, which have a rather small capacity compared to digital devices today.
Today, a smuggled digital device could contain as much information as would have resided in every building of that agency's facility. Couple that with putting everything on a network connected to the Internet, and you can now access not only one office’s documents, but all of that company or agency’s documents from all over the planet.
And there is little to no risk for the thief. More information at stake with little to no risk. Remember the "Good Ol’ Days”? They're gone!
Jim Christy is VP of Investigations and Digital Forensics at Cymmetria. Jim retired from the U.S. government in 2013, ending a career investigating computer crimes and running digital forensics labs that began in 1986 at the Air Force Office of Special Investigations.
Jim can be reached by email at email@example.com.
Connect with Jim on Twitter: @jimchristyusdfc