Flea-market secrets

MOST PEOPLE THINK OF military procurement in terms of $640 toilet seats and $436 hammers, but the phrase “military grade” actually implies something else: a product that meets the most demanding specifications in the market. “Military-grade security,” for example, typically means the best available technology to protect data from being stolen.

The news from Bagram air base in Afghanistan, however, is giving military-grade security a bad name. Times staff writer Paul Watson reported this week that shopkeepers at local bazaars have been selling portable storage devices containing sensitive military files. The pen-shaped devices, also known as USB flash drives, have apparently been stolen by workers at the base and spirited past guards.

Among the files contained on some drives were documents that named militants targeted for attack, identified Afghan officials suspected of corruption and revealed the Social Security numbers of nearly 700 members of the armed services. Officials have launched a criminal probe into the stolen drives, and the investigation could result in the arrests of a few light-fingered workers.

But that won’t stop the problem. No matter how secure, the base will always be vulnerable to the theft of information, no matter how it’s stored. But the importance and sensitivity of this information, as well as its easy portability, demand that the military take some basic steps to protect it.

The drives are on the bases because they fill a need. For some conscientious soldiers, the devices are an inexpensive and reliable way to make a backup copy of important information. For others, they provide an easy way to move records from one posting to the next. In fact, having mobile personnel keep data on a USB drive may be less risky than trying to link all military computers to a central data storage center, which would become a prime target for attack and a potentially catastrophic failure point. So trying to stop people from using USB drives would only generate a different set of problems.

The answer, in military and civilian settings where security is important, is to change the way people use the devices. Simply put, they have to start acting as if every USB drive were heading to a nearby flea market. And that means encrypting every potentially sensitive file as a matter of routine. It’s not very difficult to do; in fact, many of the drives sold today come with a built-in ability to protect their contents. What’s not easy is persuading people to take the extra steps required to use encryption, particularly when they’re pressed for time.

Again, these are issues the military is well-equipped to handle. Sensitive documents have been spilling out of U.S. bases ever since the first one was built, and each new form of data has generated a new kind of leak. But there are new kinds of ways to protect against such leaks, and the military should use them.