Thursday, April 13, 2006

Who's Minding the Store?

There's a disturbing report in the Los Angeles Times that discarded military computer hard drives, memory sticks and other storage devices are turning up for sale, in the shops and bazaars of Afghanistan. According to the Times, some of these devices contain classified or sensitive information. One flash memory drive examined by a Times reporter contained the names, photographs and phone numbers of Afghans who are working as spies for the U.S. Most of the memory devices were offered for sale near Bagram Air Base, a sprawling installation that supports air and ground operations in Afghanistan.

It doesn't take a genius to figure out that Bagram has a serious security problem. The DOD has clear, precise rule for marking, safeguarding and destroying classified media, but enforcement of those policies at Bagram ppears lax, at best. According to press accounts, military police units are canvassing the bazaars and shops, attempting to round up the computer equipment. But the Times reports that some memory devices can still be had--for a price. We can only imagine how many hard drives or memory sticks never made it to the local market and were, instead, scooped up by Al-Qaida or Taliban operatives. If I were an Afghan providing intel information to the U.S. military or an intelligence service, I'd be very, very worried.

Why has there been an apparent security melt-down at Bagram? I believe there are several factors. First of all, everyone at Bagram is deployed, serving tours ranging from a few weeks to one year. In that kind of environment--and given the installation's high operations tempo--it's difficult to sustain an effective communications security (COMSEC) program, and verify compliance. With combat operations going on literally around the clock, it's difficult to verify that everyone has their computer media properly marked, stored and classified. But, in the wake of this scandal, that approach is about to change. I'm guessing that Bagram will be getting a much more stringent COMSEC program very, very soon.

There's also the issue of exactly who has access to Bagram. Thousands of Afghans work on the base, and while they've supposedly been vetted, there may be a few Taliban and Al Qaida operatives in their ranks. With Afghans able to access many of the offices and workspaces, it would be easy for an enemy spy to pick up a memory stick, a thumb drive or even a discarded hard drive, smuggle it off base, and turn it over to his terrorist counterparts. In one respect, the devices found at the bazaars may just be the tip of the ice berg; those items were apparently looted in hopes of making a quick buck. The Taliban or Al Qaida could easily send an Afghan "insider" on a specialized shopping mission, targeting specific offices or types of information

Finally, there's the problem of old-fashioned carelessness. With the proliferation of computer technology and small memory devices, almost everyone in the military has access to them. When a personal memory stick goes missing, the errant soldier, Marine or airman probably won't report it--especially if that revelation might result in disciplinary action. Instead, they quietly procure another one, and go about their business. Meanwhile, the misplaced hard drive (or other device) winds up in the local market, for sale to the highest bidder.

Exploiting a captured memory device is well within the capabilities of Al Qaida and the Taliban. And, believe it or not, those classified documents are not the real treasure trove now on sale near Bagram. "Unclassified" hard drives and memory sticks can yield equally important information, including personnel rosters, social security numbers, phone listings, recall rosters, billeting assignments--even training and operational schedules for local units. Analyzed as a whole, such information can provide valuable insights into force levels, rotation patterns, and projected operations--data that would make it easier for the terrorists to avoid Allied attacks, while (conversely) improving their ability to strike at us.

We need to find out who was supposed to be minding the security "store" at Bagram, and hold them accountable. This appears to be a snafu of the first magnitude.

1 comment:

Red A said...

Laser engrave the id number of the person using the flsh drive on the unit.

Let's see how many go unreported missing after that.