Methods for Preventing Flash Memory Theft
ALEX CHADWICK, host:
One more interview on this now: Howard Schmidt was a Special Advisor to the Bush administration on cyber security issues, and formerly Chief Security Officer for Microsoft and eBay, and was in the Air Force for 15 years.
Howard Schmidt, you must have faced similar issues in private industry and when you worked for the government--trade secrets and software, that sort of thing on these flash drives. How do you maintain security in an era of these kinds of memory storage devices?
Mr. HOWARD SCHMIDT (Former Chief Security Officer at Microsoft, Cyber Security Advisor to President Bush): Well, I think first and foremost there's got to be recognition of the critical nature of the data that's stored on these systems. You know, as the corporal talked about earlier, people use them for storing pictures on, but more commonly they're used for data related to your work. So consequently, it's got to be understood that that's very critical data, whether it's classified or unclassified data. In the corporate world, there were normally policies that either permitted or prohibited the use of them, and things such as the correct storage of them, reporting of what data's on there if it's stolen, etc.
CHADWICK: You used to be Chief of Security for Microsoft?
Mr. SCHMIDT: That's correct.
CHADWICK: They're developing software all the time with enormous amounts of money riding on it. What did you do about flash drives when you were there at Microsoft?
Mr. SCHMIDT: The flash drives per se were not that popular at that time. But currently, what most people do is they say okay, if you're going to use this device, irrespective of what the data is, you must store data on those things in encrypted format. The same thing goes for other types of removable media, whether it's CDs or DVDs--the same policy should apply.
CHADWICK: Everything would be encrypted. Would that really truly make the data safe then?
Mr. SCHMIDT: If you use, you know, something pretty robust like PGP, have a strong password, don't store it in plain text on the device. Yeah, that's a pretty secure way of doing it.
CHADWICK: What is PGP?
Mr. SCHMIDT: PGP stands for Pretty Good Privacy. It was the center of a lot of controversy a few years ago, because it effectively was the most robust encryption algorithm out there at the time that was basically available. It was an open source program, and it eventually migrated into a commercial product which still is sort of the standard that many of us go by when we talk about good data encryption.
CHADWICK: So why wouldn't the U.S. Military be requiring that kind of encryption at a base like Bagram in Afghanistan when clearly the data and the storage devices are vulnerable?
Mr. SCHMIDT: People may need access to the data other than a single person. The ability to, say, encrypt something and then have to give the password or the passphrase to someone else becomes sort of a weakness. So consequently, oftentimes people depend on physical security of the device, sort of compensating for not using encryption. You just need to make sure that you have maintained physical control of it, and lock it up when you're not using it.
CHADWICK: But the L.A. Times this week quotes one of these merchants at the bazaar--the market across the street from Bagram Air Base--as saying if the Americans look under our hats for these things, we will hide them in our shoes. We're poor, we have to make money. These things are tiny. I mean, is there any way, really, to prevent people from smuggling these off of an air base?
Mr. SCHMIDT: Well, yeah, the only way to do it is just not use them. Or restrict them to certain machines and have full accountability. For example, when we used to deal with the paper world, you know, we would have certain documents you would check out, and then you would check them back in when you were done with them. Those same sorts of things could apply and would reduce that. It's so difficult now to control all the portable devices that there's really got to be special emphasis paid to the critical nature of what you've got on there. There are giant file cabinets that have all kinds of information on those things that need to be protected just as much as you would lock something in a safe at your home or at your work environment.
CHADWICK: Howard Schmidt, former Chief of Cyber Security for the Bush Administration, also former Chief Security Officer for Microsoft and eBay. Howard Schmidt, thank you for speaking with us on DAY TO DAY.
Mr. SCHMIDT: Good talking with you.