It’s hard to believe that over nine years have passed since Edward Joseph Snowden leaked highly classified information from the National Security Agency (NSA). Snowden, who was 29 years old at the time, didn’t work for the NSA directly but was an employee of the defense contractor Booz Allen Hamilton.

Everything related to the Snowden leaks is controversial. The US Government has condemned his actions as having done “grave damage” to its intelligence capabilities; Snowden’s disclosures have fueled debates over mass surveillance, government secrecy, and the balance between national security and information privacy. Some people regard Snowden as a traitor, whistleblower, dissident, and coward; others say he’s a hero and a patriot.

Cutting Edge Needs to be More than Perception

Most people think the NSA is at the cutting edge of cybersecurity. However, an intelligence official said at the time, “It’s 2013 and the NSA is stuck in 2003 technology.” So, as we roll past the nine-year anniversary of the Snowden leaks, it’s worth taking a moment to think about what went wrong, what problems led to the leaks, and what remedies have been proposed, implemented, or set aside for the future.

Depending on the network, the technology predominantly used by the government circa 2013 included the Windows Vista or Windows 7 operating systems. If file encryption was used at all, it was implemented in software using BitLocker. The National Institute of Standards and Technology (NIST) SP 800-53 Rev 3, which recommends security controls for federal information systems and organizations, was also being used at that time. In addition, a template and guideline to identify, eliminate, and minimize risks called the NIST Risk Management Framework (RMF), which was introduced in 2010, was starting to be employed.

Enforcement Matters

Unfortunately, some of the methodologies, procedures, and technologies that could have prevented the breach—like least-privilege or Zero Trust, which limits users’ access rights to only what is strictly required to do their jobs—were considered but not enforced. Snowden exploited a gaping hole in the NSA’s antiquated internal security system, which helped him gain access to elevated privileges. Only Snowden knows the exact details, but as the story goes, after rummaging at will through the NSA’s servers, he copied tens of thousands of documents onto a thumb drive, at which point he strolled out of the door with the government’s best-kept secrets in his pockets.

The sad news is that, today in 2022, relatively little has changed. Now, the government typically uses the Windows 10 operating system, but Windows 7 computers are still found. In the case of file encryption, BitLocker (with its several vulnerabilities) is still being employed. (It’s a sad fact that Microsoft’s monopoly on the DoD’s operating system of choice allows them to not care about being the most secure or achieving NSA-level specifications because they rarely see the DoD adopting their competitors’ better cutting-edge technologies.)

The government has adopted NIST SP 800-53 Rev 5, but that doesn’t mean that things are enforced any differently. In fact, the only significant changes are the adoption of the RMF and the introduction of Cybersecurity Maturity Model Certification (CMMC), which provides assurance that contractors and subcontractors are meeting DoD’s cybersecurity requirements.

Technologies Exist to Help Protect Data from Theft

The really sad news is that technologies exist that can provide high confidence in an institution’s cybersecurity. One example is adopting a Zero Trust (ZT) security model, with the underlying concept “never trust, always verify.” In other words, devices should not be trusted by default, even if they are connected to a managed corporate network such as the corporate LAN, and even if they have been verified previously. Another is to use solid-state drives (SSDs) in the form of self-encrypting drives (SEDs) that contain a hardware encryption engine (EE) that encrypts data as it’s written onto the disk. A third is to use drives (like DIGISTOR C-Series drives) that maintain internal hardware logs of any file accesses, and that can be set up to require multi-factor authentication (MFA), such as facial recognition, before users can even open, copy, or transmit files.

Had there been a whitelist of approved two-part PIN encrypted drives (again, like DIGISTOR’s advanced C-Series drives), Snowden would have been forced to either find another elevated user accomplice or singlehandedly defeat the NSA’s encryption standards, making this feat nearly impossible. Hopefully, it won’t be long before the government avails itself of these 21st-century technologies and data breaches like the Snowden leaks become a thing of the past.
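The controls named in this section (an allowlist of approved drives, least privilege, and MFA that is re-verified rather than remembered) can be combined into a single copy-to-drive decision with an audit trail. The sketch below is an added example, not DIGISTOR's or any agency's code; the drive serials, user names, labels and the 300-second MFA window are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy: drive serials, users and labels are hypothetical.
APPROVED_DRIVES = {"SED-0001", "SED-0002"}   # allowlist of approved encrypted drives
NEED_TO_KNOW = {"analyst1": {"project-a"},   # least privilege: labels each job requires
                "sysadmin1": set()}          # admin rights alone grant no file access
MFA_MAX_AGE = 300                            # seconds before MFA must be repeated

@dataclass
class CopyRequest:
    user: str
    drive_serial: str
    file_label: str
    mfa_time: Optional[float]  # when the user last passed MFA, None if never

def decide(req, now, audit):
    """Return (allowed, reason) and append the decision to the audit log."""
    if req.drive_serial not in APPROVED_DRIVES:
        verdict = (False, "drive not on allowlist")
    elif req.file_label not in NEED_TO_KNOW.get(req.user, set()):
        verdict = (False, "file outside user's need-to-know")
    elif req.mfa_time is None or now - req.mfa_time > MFA_MAX_AGE:
        verdict = (False, "fresh MFA required")  # earlier verification is not reused
    else:
        verdict = (True, "ok")
    audit.append((now, req.user, req.drive_serial, req.file_label) + verdict)
    return verdict

def demo():
    """Run four constructed requests and return (decisions, audit log)."""
    now, audit = 10_000.0, []
    requests = [
        CopyRequest("sysadmin1", "USB-THUMB-9", "project-a", now - 10),  # unapproved drive
        CopyRequest("sysadmin1", "SED-0001", "project-a", now - 10),     # no need-to-know
        CopyRequest("analyst1", "SED-0001", "project-a", now - 3600),    # stale MFA
        CopyRequest("analyst1", "SED-0001", "project-a", now - 10),      # allowed
    ]
    return [decide(r, now, audit) for r in requests], audit

if __name__ == "__main__":
    for row in demo()[1]:
        print(row)
```

Denied requests are logged as well as allowed ones, so the audit trail shows attempted copies, not only successful ones.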

DIGISTOR Can Help

At DIGISTOR, we specialize in helping military and government agencies and commercial entities of all sizes find the right encrypted storage solutions to secure their data. With a wide range of secure storage offerings, from bare drives to removable solutions to Commercial Solutions for Classified (CSfC)-ready SSDs, we can assist you with specifying the appropriate storage devices to secure your important data. If you have any questions as to how securing data at rest (DAR) might apply to your own data security requirements, please feel free to contact us.
