During a summit in New Orleans last week, a press aide for the Mexican government took two unattended BlackBerrys belonging to U.S. officials. The aide, Quintero Curiel, has since been fired, but questions remain. Curiel told Mexican newspapers that he thought the PDAs had been abandoned and insists he planned to return them. So his intentions may have been noble. The devices have been recovered, and disaster may have been averted.
Of course, he could be lying. Fox News reported that while Curiel "initially denied taking the devices, but after agents showed him [security camera footage of him taking them], [he] said it was purely accidental, gave them back, claimed diplomatic immunity and left New Orleans with the Mexican delegation." The two BlackBerrys that were taken can each hold around 28,000 printed pages worth of information, and all that data can be easily copied to other devices. And Curiel—an employee of the Mexican government—likely had the PDAs in his possession for more than enough time to copy and either hide or transmit all of the data they contained. No one is saying whether there was sensitive information on the devices. And no one is saying whether Curiel was working for Mexico's intelligence agency, CISEN, or spying for any other country. But if he was, it is very likely that nearly 60,000 pages worth of potentially sensitive material is now in foreign hands.
David Gewirtz, an IT expert who publishes two of the top magazines for email professionals, writes that the government's lax information security measures have worrying implications for national security.
"The thing is, those BlackBerry devices could have contained anything. They could have home addresses of relatives of key U.S. officials. They could have pictures of their kids. They could have passwords, access codes, phone numbers, directions to evacuation locations. They could have anything. And now, likely, the Mexican government (and anyone they decide to share with) has everything that was on the devices."
Part of the problem is that, in a blatant violation of best practices, the White House has no real program for distributing, tracking, or securing most of its computer equipment. That includes hard or external drives, CDs, DVDs, jump, zip, hard, or floppy disks. So it's no wonder that this same issue—the insecurity of the White House's portable electronic devices—has come up repeatedly in the legal battle surrounding several million missing White House emails. A ruling (PDF) issued by a magistrate judge on Friday points to one example of the problems caused by the White House's lack of a complete asset management system. The ruling makes several recommendations to Judge Henry H. Kennedy, the main judge in the emails lawsuit. Prominent among the magistrate judge's recommendations is the suggestion that the White House be ordered to secure portable devices that could contain versions of some of the missing emails. It's amazing that a court order would even be necessary to compel the administration to keep track of so much potentially sensitive information. But right now, it seems that the administration doesn't even know for sure which of its employees have which devices. With that kind of lax monitoring, it's no wonder that Curiel was able to slip away with the BlackBerrys.
Whether or not it was actually espionage, this incident serves as a reminder that the White House emails story isn't really about anyone trying to "stick it" to the Bush administration. Yes, federal records are the property of the people, and it would be great if millions of emails from a crucial period of American history hadn't somehow gone missing. But there is more at stake than finding out whether or not Dick Cheney really ordered the leak of Valerie Plame's covert identity. It goes beyond that—this is a national security issue. It is obvious that there has been a major failure of information security and IT professionalism in the executive branch. The Curiel episode is a frightening demonstration of the ways in which that kind of IT incompetence can lead to dangerous breaches of national security. So how do we fix the problem? Gewirtz, who has been harping on this point for a long time (and even wrote a book about the connection between the missing emails and national security), has some suggestions:
[B]oth the White House and businesses need to establish a complete end-to-end asset management policy for handheld devices. Guidelines need to be established for where these devices can be taken, when they can be removed from one's person, and how they should be handled in secured situations like that which occurred [in New Orleans].
Finally, a true rapid-response operation needs to be established so data can't fall into the wrong hands. I've recommended that no communication device be issued to White House staffers without two key features: location and destruction.
It is possible to both remotely erase certain BlackBerry devices and remotely locate them. When lost, a team ... should first trigger the remote erase and then a tracking team needs to be dispatched to recover these little mobile nightmares as quickly as possible.
We can only hope that this security breach has served as a wakeup call for the Bush administration. Next time a BlackBerry goes missing, it might not fall into the hands of a country as friendly as Mexico. That would be a preventable tragedy.