Short of strip searching employees every time they walk out the door, there's probably nothing Boeing could have done to prevent the alleged data theft that has a former employee facing criminal charges, security expert Bruce Schneier says.
Gerald L. Eastman, 45, was accused last week of 16 felony counts of first-degree computer trespass for putting highly sensitive files onto a USB thumb drive and trying to leak them to newspaper reporters, the Seattle Times reported. Eastman allegedly stole documents that could cost Boeing US$5 billion to US$15 billion in potential damages if they fell into the wrong hands.
If a company hires an untrustworthy employee, there is almost nothing it can do to prevent theft, Schneier argues. "What's done in African mines is they do full-body cavity strip searches every time they leave. That works," Schneier says.
Implementing new data policies probably won't prevent theft, he says. The only real solution is to hire trustworthy people, because companies simply have to rely on the people who have access to their data, he says.
"I'm not convinced [Boeing] did anything wrong ... that any policy would have fixed it save strip searches," he says.
Even that might not work, he notes. A strip search would turn up a USB drive, but an employee can easily e-mail classified documents to himself. "Since the beginning of time, your employees could steal your data," Schneier says. "Modern technology makes it easier to take lots and lots of data ... [but] in a sense it's not a technology problem, it's a human problem."
Schneier says the alleged Boeing theft itself was not particularly egregious.
But these thefts are probably more common than people think, with most going undiscovered, says John Jefferies, vice president of marketing at RedCannon Security, which says its products can prevent such thefts.
"These flash drives are just so much easier to steal and nobody's doing anything to manage or control them, encrypt the drives," he says. "It's just fortuitous that they caught this guy. I think Lockheed Martin probably has this problem too. That's why I say it's just the tip of the iceberg."
RedCannon says it can restrict the types of USB drives that are plugged into computers, monitor what data is pulled from a hard drive, and remotely destroy content if the thumb drive is inserted into an Internet-connected computer. As an extra safeguard, the vendor says its products can set USB devices to stop working when they are not inserted into a computer connected to the Internet.
This isn't Boeing's first data-security problem. Last December, a Boeing laptop containing the names, salary information, Social Security numbers, home addresses, phone numbers and birth dates of 382,000 current and former employees was stolen from an employee's car.