Recent allegations of a female agent in Columbia losing her handbag containing a USB key full of potentially secret information has cropped up on all the press wires. Newswire stories are appearing simply mixed up and redrafted (here, here and here) are floating the opinion that somehow a handbag was left on a bus from the airport and the data was lost in 2006. Other press sources such as The Times throw a little more light on the matter quoting the shadow home secretary in a small chance to make a political quip. A little inter-service squabbling can be found as some news sources quote MI6, others are quoting it as a SOCA problem.
What astounds me is that the IT Security press are jumping on the "She should have had an Encrypted USB stick" and some are even mentioning products. No, they are missing the point. If the story facts as we have them are true (and that's something I seriously doubt) then the problem is not about secure storage but about security controls on the information in the first place.
- That information should have been protectively marked (it sounds like SECRET from the press reports) . There are plenty of rules about couriering protectively marked documentation - these should have been enforced.
- The quantity of information should not have been made available to an individual agent - who, after all, according to the press stories isn't a sworn in employee of HMG and could have sold it.
- For what operational reason would an individual be travelling with this amount of data? Why not send it by secure comms? It's cheaper and the data receipt would have been repudiable.
I hope no one died because of the information loss.
No comments:
Post a Comment
Thanks for adding a comment; I moderate all posts.