
Former employees at the U.S. Agency for International Development were told they would not be required to physically turn in their work devices. | People Image Studio/Shutterstock
The U.S. government decided not to have recently fired workers return federally issued electronics, instead noting they will be “remotely sanitized,” despite the potentially sensitive information the laptops, tablets and phones may contain.
Multiple news agencies reported that on April 24, former U.S. Agency for International Development workers got an email letting them know that there would be no physical collection of government-issued devices, and that the IT equipment would instead be wiped remotely and “marked as disposed.”
The email noted that the decision was made “to simplify processes and to reduce burden.” State Department officials did not respond to requests for comment from The Verge or The New York Times.
ITAD companies have been warning of the risks of improper disposal for years, especially when it comes to companies that handle sensitive information.
Kyle Marks, founder of ITAD consulting firm Retire-IT, told E-Scrap News that “flat out, the USAID approach to ITAD is reckless, both from a data security perspective and environmental perspective.”
Marks has long advocated for more stringent data management practices in the ITAD sector. A recent court case in which an ITAD company employee contracted by the federal government admitted to stealing and reselling devices that were slated for sanitization and destruction, plus a recent audit that highlighted weaknesses in the federal ITAD systems at the FBI and the Nuclear Regulatory Commission, make the decision even more shocking, he said.
“If this weren’t the government – if this were a private company – it wouldn’t be tolerated,” Marks said, calling the situation a cautionary tale and a “reckless gamble – and it is not going to go well.”
Remote wipes are a “useful defense layer” but should be looked at as an emergency measure, such as for a device that is left behind in a hotel room or stolen, Marks said.
“They are not sufficient for secure ITAD or for compliance,” he said, and they’re also not 100% reliable. They require an internet connection and administrative access to the device. And in a case like this that concerns employees who have already been laid off and then have been given advance notice of the remote wipes, Marks said “you’ve lost the element of surprise.”
Anyone who wanted to take data with them has been given plenty of time to do so, he said, adding that it’s not only data but also access credentials that could be a problem.
“You have personal records, you have diplomatic records, you have financial records, you have all kinds of things that are at risk,” he said. As citizens and as people potentially put at risk, “we should be embarrassed and concerned.”
Bob Johnson, a principal advocate at Privata Vox, a global data security consulting company, said there have been plenty of studies that show a significant percentage of secondhand “wiped” hard drives and SSDs still have sensitive data on them, because DIY sanitization is not always effective.
“In all of the studies conducted by NAID over the years, including the most recent examining more than 250 secondhand devices, a significant percentage of those bearing residual data showed telltale signs that someone had ineffectively attempted to wipe them,” he said.
Marks recommends abiding by the concept of “zero trust,” and a 2021 executive order also directed federal agencies to do the same.
“The concept can be boiled down into one statement: Never trust, always verify,” he said. Not only is the federal government now not following that order, but “they’re doing the exact opposite,” Marks said.
It was not made clear in the email if the decision affected former workers who were still stationed abroad, or only those in the U.S. A majority of USAID’s 10,000 employees are posted internationally, The Verge reported.
The Verge further reported that earlier, overseas employees were told they would be sent shipping labels to return the devices but never received them, while a U.S.-based employee described being told to turn in a laptop in person in late February and saw “computers dumped in giant rolling garbage bins.”
The New York Times noted that the email specified that devices will not be marked as disposed until they have been remotely wiped, but that it did not give a specific date when the remote sanitization would happen and did not say that employees must then dispose of the devices themselves.
“The email also says that the administration will reach out to U.S.A.I.D. contractors who were fired weeks ago to let them know how to wipe their devices remotely,” the outlet reported.
Johnson said that it is “a virtual certainty, given the number of employees involved, that some small percentage won’t even try” to wipe the devices. Combined with the sheer number of devices and the fact that “many of these USAID employees are going to be angry about the layoffs,” he anticipates many devices will likely end up on the secondhand market.
“When that happens, tracing them back to the federal government will be easy,” Johnson said. “Given their history, the federal government seems to have a high tolerance for embarrassing data security breaches so maybe they really don’t care, but they certainly should.”
While there’s “never a perfect solution,” especially with the amount and varied locations of the devices, Johnson said securely shipping the devices to a qualified ITAD provider, or finding a qualified ITAD provider locally, would be one possibility, as would arranging for onsite physical destruction of the devices.
“In any case, there should be a verifiable, third-party process and chain of custody that ensures the devices are properly sanitized,” he said.
Marks said the chain of events in this situation has made the entire process “far more complicated and more expensive to do it right – and more risky.”
He would recommend a much more tightly controlled process, one that maintains a chain of custody the entire way, no matter where the device is coming from.
“First off, if somebody has to manage it – you just don’t send out an e-mail to everybody and say, ‘Do this,’” Marks said. “You need somebody to manage it, you need to compile a complete inventory of every asset, by person, by location and including what data might exist and whether or not there’s any security measures,” such as encryption or mobile device management.
Second, Marks said he does not recommend letting people know exactly when a remote wipe or lockdown will occur, but rather simply doing it and then instructing people on how to return the device, whether that’s via pickup, mail-in programs or any other traceable method.
“You can do box programs, you can do pickups, but you cannot ask an employee or an ex-employee to do the right thing,” he said. “You have no control.”
Each device that enters the return system should have a manifest tied to it, he said, and all manifests should be tracked in a system to ensure all devices were collected.
“Is this free? No,” Marks said. “But it’s a fraction of the cost of a breach or a national security incident.”