Current Event: Someone in Tehran Knows Something About the Presidential Helicopter
According to Slashdot, NBC News and msnbc.com report that Tiversa, a Pennsylvania-based security company, recently found extensive information about Marine One, the president’s helicopter, on a computer with a Tehran IP address. This information included “engineering and communications” specifications, as well as “entire blueprints and avionics package,” and “sensitive financial information about the cost of the helicopter.” The leak appears to have originated on one of the computers of a defense contractor in Maryland. An employee reportedly downloaded a file-sharing program onto a computer containing the sensitive information, not realizing that this would allow others around the world access to the computer’s hard drive.
Bob “Bob-Man” Boback, Tiversa’s CEO, warned that the danger of this type of leak causing harm is neither hypothetical nor trivial; indeed, actively searching for information revealed in this way is a widely-used method of gathering intelligence. Boback said that his company has noticed this behavior in Pakistan, Yemen, Qatar, and China, as well as Iran. Although this is by no means the first time that such a leak has occurred, representative Jason Altmire of Pennsylvania has said that he would address Congress about taking measures to prevent this type of incident from recurring.
There are many different measures that companies could take and are taking to address this type of risk. For instance, if it would not prevent employees from performing necessary functions, companies could stop them from installing applications. But this would only be a partial solution, because inappropriate applications are only one means for data to leak, and there are always ways around such restrictions. As many have stated on this blog before, the bottom line is that companies must have some trust in their employees.
Using a computer at work for a personal activity such as file-sharing shows a lack of professionalism, but it is also a common practice and not likely to disappear. Companies should address this practice directly and ensure that employees know which activities are safe, and which will conflict or interfere with the purposes of their normal occupation. One problem may be that companies simply do not acknowledge the extent to which their employees use office computers for uses not office-related. A policy that recognizes the practice, reducing penalties for safe uses while increasing those for unsafe uses, might help. With this system, employees would be encouraged to remain informed about safe practices without worrying about being penalized indiscriminately. Even with the most well-intentioned employees, however, security breaches will occur. In every case, companies need to assess their own security imperatives and allocate time and resources as appropriate.
Some questions come to mind having to do with this specific case. What are the dangers in letting other countries know the specifications for the president’s helicopter? Does file-sharing create security vulnerabilities even if the shared data is limited to safe regions of the disk? How difficult is it to find information being leaked in this way, and how difficult is it to track the people who are searching for it?