Cyber Eye: Hiding data in plain sight is a risky strategy
In Edgar Allan Poe's short story 'The Purloined Letter,' the document in question remains hidden in plain sight until detective C. Auguste Dupin discovers it.
Almost 160 years later, no security experts advocate hiding in plain sight as a viable policy. But until recently that was the Defense Department's policy for video feeds from unmanned surveillance planes in Bosnia.
A satellite TV viewer in northwest England picked up the video feeds while receiving free-to-air commercial broadcasts. He watched a security alert at U.S. Army headquarters in Kosovo and followed along as a spy plane covered a NATO border patrol. The aircraft type was identified on the screen.
The Pentagon said that the information was not classified or harmful'compromised information never is, according to DOD. But Richard Peale, chairman of the Defense Policy Board, told the BBC that plans are under way to encrypt such information.
The open channel apparently was in use because of the limited number of secure military satellite channels. That's understandable, especially if the data being transmitted is not highly sensitive. But why does DOD place a lower value on intelligence supporting ground troops in Kosovo than HBO puts on 'The Karate Kid'?
The key to securing information is to pay attention to details. If you don't want others to have access to your data, protect it. Don't assume they won't find it or won't find it useful. Lack of attention to known problems is what made it possible for script kiddies to deface at least 14 Web sites in the .mil domain so far this year, six of them in the first three weeks of June.
Does a defaced Web site or the ability to watch a military surveillance video represent a national security risk? Probably not. But how can we know for sure how far the compromise has gone? At the very least, it represents a breach in the first lines of information defense.
When security holes are found in military systems, DOD commonly says no classified data was compromised. That's because everyone pays attention to such stuff. Not all data requires the same level of security, but any data requiring security deserves adequate attention.
Attention, like hardware, money and staff, is a finite commodity, and there never seems to be enough to go around. It must be carefully apportioned by priority. Letting public exposure set your priorities for you is a dangerous game.
Exposure of a vulnerable Web site or an unencrypted video stream will almost certainly result in paying it more attention than it would have taken to protect in the first place. That's not smart use of a limited resource.