Published Thursday, June 15, 2000, in the San Jose Mercury News

Secrets proving more difficult to safeguard as data is shifted from paper to electronic files

BY SETH BORENSTEIN
AND THERESE POLETTI
Mercury News

People used to guard business secrets and highly classified documents with their lives. Nowadays, even national security secrets are getting lost or left in homes, hotels, taxis and train stations.

The reason? When secrets shifted from paper to electronic files, the new technology allowed workers to carry their offices around with them. But they forgot to bring along the sensitivity to security that secrets are supposed to entail.

Today's secrets may be every bit as sensitive as in years past, but computer users find electronic secrets harder to safeguard than tangible paper documents. People prize convenience and access over security, and tend to regard their computers and files as personal property rather than their office's.

Those are big mistakes.

``There are a lot of people who seem to have a very sloppy attitude toward security,'' said one of the nation's top computer-security experts, Peter Neumann, principal scientist at SRI Computer Science Lab in Menlo Park. ``We haven't seen anything yet. This is tip-of-the-iceberg stuff.''

In the blink of an eye, a laptop can disappear from an airport or even an office, which is where Michael Corby, vice president of global security at Netigy, a consulting firm in San Jose, was robbed of his laptop while visiting an East Coast firm.

``I put down a laptop on a desk and turned around to dial a phone and someone lifted it while I was on the phone,'' Corby said. ``I've seen some really bad things, especially in public transportation places, like airports and bus terminals, where people presume that just because they have a laptop in a bag, they can set it down somewhere and no one is going to care.''

Some companies, such as the ultra-competitive Intel Corp., fiercely guard their data. The world's largest semiconductor maker discourages its employees from working on confidential documents while traveling on airplanes. Its laptops have complex encrypted passwords, with the goal of making the machine unusable by anyone except the designated employee.

The company also has a check-in procedure at its Santa Clara headquarters, where visitors must register their laptops with security, to avoid any potential problems when they leave the building.

Government blunders

Increasingly, thieves are not just out to resell the computer hardware for a few hundred dollars -- they are espionage types, hired to steal corporate or government secrets, which is not that difficult when computer owners are careless.

The problem has become particularly noticeable in recent months in government agencies that are supposed to guard some of the nation's biggest secrets.

For instance:

Two hard drives with nuclear secrets were reported missing at Los Alamos National Lab in New Mexico this week. On Wednesday, senators complained that the Energy Department's security was worse than Wal-Mart's.

Last month, the State Department admitted 16 laptops (at least one with ultra-secret information) were missing from its Washington headquarters.

The FBI is investigating whether to prosecute former CIA director John Deutch for keeping highly classified information on his home personal computer.

Last month, a British naval officer lost in a London train station a laptop containing classified information about development of a joint U.S.-British stealth fighter. Later, someone offered to sell the missing secrets to a London tabloid.

And Los Alamos scientist Wen Ho Lee was arrested last December and is in jail awaiting trail on 59 charges of copying files of nuclear secrets to portable tapes.

In some cases, when laptops disappear so does critical data. But companies also try to protect themselves by backing up the most sensitive material.

Several months ago, eGroups Inc., a San Francisco-based company that lets people create e-mail groups, had a break-in at its offices, where three laptops were stolen. But because of the company's network data backup system, the theft did not cause as many problems as it could have.

``I'd love to say that we had the Mission Impossible laptop that self-destructed after being broken into,'' said Jade Dauser, vice president of corporate services at eGroups. ``But we have a pretty healthy data security program, so everybody is backed up. If anybody's laptop is stolen, we have a backup system. It's automatic, the users only know it's there when they need it.''

But analysts and security consultants say that this is not the norm in corporate America or government. American security is stuck in the paper age, said Steve Aftergood, director of the Project on Government Security at the Federation of American Scientists in Washington.

Secrets in the spotlight

``Our security procedures are still predicated on protecting hard copy documents,'' Aftergood said. ``They don't seem to be adequate to ensure the protection of electronic information.

``It's because it's an extremely difficult job,'' Aftergood said. ``Back in the good old days, (spy) Aldrich Ames physically had to carry shopping bags of classified documents out the door of the CIA. Nowadays one can transmit 10 times the amount of information on a tiny cartridge.

``People who came up in the world of traditional secrecy markings have to make a certain mental adjustment in dealing with classified information in electronic form,'' Aftergood said. Sometimes they don't, but mostly because of ``sloppiness and incompetence'' not spying, he said.

While lost government secrets are in the spotlight, the same thing ``happens every day in the corporate world,'' said Richard Heffernan, president of a Branford, Conn., consulting firm that specializes in information security.

Heffernan, who has consulted with about half of the Fortune 500 companies, said: ``I don't think I've ever been to a company that's not had some sort of inadvertent disclosure of important information by employees'' via computer files.

The problem, experts say, is as serious as computer viruses and hacking.

Contact Therese Poletti at tpoletti@sjmercury.com or (408) 271-3718 and Seth Borenstein at sborenstein@krwashington.com.

© 2000 Mercury Center. The information you receive online from Mercury Center is protected by the copyright laws of the United States. The copyright laws prohibit any copying, redistributing, retransmitting, or repurposing of any copyright-protected material.