In Laptop Age, Security Breach Concerns Are Up

A 14-hour plane flight ahead of him and a schedule jammed with sensitive meetings on the other end, a senior White House official slipped a disk filled with classified data into his laptop computer to review en route.

A mid-level CIA officer, driving from an audience with a foreign intelligence contact, murmured his impressions of the meeting into a hand-held device that he later downloaded into his computer at agency headquarters.

A State Department official, eager to get home and hug his new baby, left a portable hard drive in his desktop computer instead of locking it in the safe behind his desk.

Each of these situations really occurred, and each was a violation of the federal government’s rules for protecting classified data. And all three illustrate a problem of increasing concern in Washington: For U.S. officials operating in the laptop age, the pressure to make every moment count can lead to mistakes that undermine careers and, in some cases, put sensitive information generated by the world’s most powerful government at risk.

Take Martin S. Indyk, the U.S. ambassador to Israel. The State Department has suspended his security clearance--and his key role in Middle East peace talks--for suspected security violations. His crime? He allegedly drafted classified memos on an unclassified laptop computer during a flight and took classified documents home to prepare for meetings.

But, although Indyk’s public chastisement is highly unusual, his alleged transgressions are not, according to current and former senior and mid-level officials at agencies throughout the U.S. government. With government officials traveling more than ever, competing in a world where it is now possible to write, communicate and analyze 24 hours a day, security procedures are regularly ignored, these authorities said.

“People knowingly violate the rules. They put the information at great risk, especially if they do it repeatedly over a long period of time,” said Jerry Rubino, director of security and emergency planning at the Department of Justice.

Rubino said Justice logs dozens of internal security violations a week, most of them minor, such as leaving sensitive documents on a desktop overnight.

Audits conducted last year by the General Accounting Office and agency inspectors general show that 22 of the largest federal agencies have significant computer security weaknesses. Among the common problems cited were poor controls over system access, data access and software development.

“Throughout the government, everyone’s computer has the ability to download onto disks,” said a senior White House official who deals with classified information every day. “When I write a classified document or memo, I put it on a disk and give it to my secretary to process,” said the official, who was willing to discuss the problem only on condition of anonymity. “We use disks. That’s how documents are moved around. And that means people can walk away with the disks. That’s a fact.”

The government’s defense against such security threats consists of a hodgepodge of constantly evolving regulations, which vary significantly from agency to agency and quickly become outmoded. Current and former officials insisted that following the rules to the letter would sharply limit the productivity of the people who engage in some of government’s most sensitive work.

“Let’s be honest. Any foreign ambassador who is working hard and has a lot of foreign contacts--how is he going to do his work if he doesn’t have these aids?” asked Myles Frechette, ambassador to Colombia from 1994 to 1997.

“Obviously, in the age of information, getting your information to Washington fast is a real premium,” Frechette said. “What is needed are procedures that allow you to do your job, rather than procedures that force you to spend your travel time reading magazines or something. That produces mediocrity.”

Ever since there were governments there have been government secrets, and people careless enough--or motivated enough--to divulge them. But when 70,000 pages of classified material can be downloaded on a computer tape the size of a thin paperback novel, the risk of theft rises exponentially.

“All high-level officials know that a laptop is not a secure system and that they are pushing the envelope when they put sensitive material on the laptop. But everyone does it,” said Melvin Goodman, professor of international security at the National War College and a former senior analyst in Soviet affairs at the CIA and the State Department. “There’s too much intelligence out there and it’s too easy to pocket in this high-tech age.”

The National Security Agency, the spy service charged with protecting the U.S. government’s communications and listening to those of its foreign adversaries, is racing to develop new encryption software to protect data on laptops and other portable computing devices.

The agency also is developing biometric technology to prevent unauthorized access to computers. The technology verifies the identity of a computer user by reading his fingerprints, voice or face or scanning the retina and iris of his eye.

This kind of improvement is the information security equivalent of an arms race.

“Don’t you think the opposition has the latest technology money can buy? Certainly, the drug cartels do,” said Paul Boudreaux, technical director in the NSA’s Laboratory for Physical Sciences.

But in most agencies, nothing prevents someone from downloading classified material onto a disk and walking out the door, or copying classified material onto an unclassified computer.

“Currently, I’m unaware of a technology fix to that particular problem,” said a senior State Department security official who requested anonymity.

Although each agency has its own security office and set of regulations, enforcement mostly comes down to the honor system.

Throughout the government, officials who have access to classified material are issued separate desktop computers for classified and unclassified work. Classified laptops use a special software template that designates when a document was classified and by whom.

Although security officers make unscheduled checks of offices throughout the Pentagon and State Department, many officials leave portable hard drives containing classified data in their computers or sensitive files on their desks instead of locking them in safes overnight.

Even when officials are cited for security infractions, they rarely are subjected to punishment. Infractions do go in personnel records. But, unless there is a clear pattern of repeated violations, they generally are ignored, security officials said.

In the wake of a series of embarrassing security lapses at the State Department, Secretary of State Madeleine Albright has vowed to clamp down. The department is reviewing all of its security procedures and has tightened rules on building access. According to spokesman Andy Koss, the department has even taken the unprecedented step of suspending all promotions for several weeks while officials check for security violations.

Retired State Department officials who have traditionally retained their security clearances suddenly have been barred from entering the building without an escort, Koss said. Many who still bank at credit union offices located there are furious.

At some agencies, security is tighter and a higher priority than at others. At the CIA, for example, officials submit to polygraph tests every three to five years. But officials at other agencies with access to the same classified material do not take polygraph tests.

Pentagon officials have started conducting spot checks of laptops carried by some of the thousands of people who enter and leave the building each day. They currently are drafting new security regulations to govern the use of Palm Pilots, two-way pagers and laptops.

Pentagon officials who travel are almost always accompanied by military aides for whom security is a top priority. The officials are rated on attention to security issues in their promotion performance reviews, and they know that technical violations are “career-enders,” said Kurt Campbell, who in May left a job as a deputy assistant Defense secretary.

“This is much more serious than driving fast on the Beltway,” said Ben Venzke, director of intelligence production at iDefense, an intelligence computer security firm in Alexandria, Va. “Our government is losing extremely sensitive information. . . . I don’t know if there’s going to be any simple answer to it, but it’s extremely serious.”

Times staff writer Paul Richter contributed to this story.