Biometric devices are a growing body of new data-bearing devices being deployed across the U.S. Department of Defense. Recent Inspector General findings that identify the need for improved information security controls and recordkeeping are timely — and imperative.
Unfortunately, hardening biometric devices will be an increasing challenge given the ever-expanding capacity of storage media and expansion of edge computing. The good news is that there are measures DoD organizations can implement in the near term to reduce the risk to their biometric data.
According to the November 2023 IG report, the DoD’s use of biometric data has been extensive, particularly in areas of conflict where accurate identification of individuals is critical for security operations. The report found many of the DoD’s biometric collection devices lacked data encryption capabilities and a clear policy for the destruction or sanitization of biometric data.
Reasons provided for the DoD’s failures were mostly policy or process in nature, including:
— Current DoD biometrics policy does not specify information security standards or require encryption for biometric devices;
— Service components and agencies use a variety of different processes to sanitize data from biometric devices and dispose of them; sanitization prior to shipment is not required; and
— DoD policy does not require components to provide certification of biometric data destruction to the Defense Logistics Agency when devices are turned in for disposal.
The lack of clear processes and policies is not uncommon, as policymaking in large government organizations tends to move much slower than the emergence of new technologies. But this gap introduces risks. The leakage of sensitive data could result in harm to individuals who cooperated with the United States, tip off terrorists and insurgents that they have been identified as such, and undermine confidence in the data used to authenticate friend or foe.
“DoD-wide standards for encryption, data protection requirements for biometric devices, and better-defined documentation requirements for biometric device sanitization would mitigate these risks,” according to the IG report, which calls for the Chief of the Identity Intelligence Division within the Office of the Under Secretary of Defense for Intelligence and Security to initiate the development of revised policies.
The revised DoD Directive is projected to be approved and published by the first quarter of 2025 and is expected to include clear and specific guidance on encryption standards, data security controls and data sanitization guidelines. Best practices for IT asset disposal policies include specifying when and how data sanitization should occur.
For the most stringent data protection, immediate sanitization (before any physical transfer outside a protected area takes place) mitigates risks to end-of-life data during transport or storage.
Threats to biometric devices, data
A lack of data sanitization measures for biometric devices and device data could harm both personnel and operations. As an example, in 2021, various news outlets reported the Taliban seized U.S. military devices known as Handheld Interagency Identity Detection Equipment, or HIIDE, that were used to collect biometric and biographical information on Afghan locals. HIIDE devices that “fell into the wrong hands” meant that data for those aiding coalition forces might also be exposed, putting valuable intelligence sources at risk.
When it comes to data security, especially of highly classified data, organizations tend to focus on protecting data at rest, data in transit and data access. However, they must also consider the secure handling of end-of-life data through proper sanitization.
Near-term protection measures
What can DoD organizations do in the near term to improve protection of biometric devices and data at end-of-life? They can implement processes and tools that effectively sanitize all data before disposal, using up-to-date standards. Consider:
1) Sanitizing unneeded data in active environments. Encryption is the default way to protect sensitive data, but removing data that is no longer needed makes it unavailable even when encryption fails, is improperly applied, or is overtaken by advances in decryption technology. Data sanitization is defined as the consistently applied, disciplined process of reliably and completely removing all data from a read/write medium so it can no longer be read or recovered. Exposed or unneeded data must be sanitized regularly in order to mitigate data spills and breaches.
2) Reinforcing security by erasing data from devices headed for disposal. When we think of device disposal, we typically think of the physical destruction of hardware. For permanent removal of data, however, physical destruction does not eliminate the risks posed by short- or long-term storage before destruction, gaps in chain of custody and audit trails, or poorly applied destruction methods. Instead, software-based data sanitization, applied before the physical transfer or destruction of biometric devices, ensures the data is already gone when the device leaves the protected area.
3) Applying today’s standards to today’s technology. While NIST 800-88 “Guidelines for Media Sanitization” remains the most widely used data erasure standard in the United States, technology has advanced since its publication almost a decade ago. As an example, due to the increased data density of newer storage technologies, the new IEEE 2883 Standard for Sanitizing Storage renders shredding and pulverizing obsolete as acceptable sanitization methods. DoD services, agencies, components and individuals who handle data sanitization in highly sensitive contexts must be keenly aware of rapidly changing data storage technologies and prioritize sanitization standards that address those changes.
4) Certifying for compliance. The DoD requires that no-longer-needed data be sanitized so it isn’t subject to unauthorized access. DoD organizations should insist that an approved standard be used, staff or vendors exhibit proof of training on proper methods of execution, and a documented audit trail with erasure certification be associated with each device.
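The four measures above describe one workflow: overwrite the medium, verify by reading it back, and attach an erasure record with an audit trail to the device. The following Python script is an added illustration of that workflow and is not Blancco's product code, the DoD's procedure, or part of the original article. It stands in a temporary file for a raw block device, overwrites it with a single fixed pattern in the overwrite-then-verify shape of a NIST SP 800-88 "Clear" for overwrite-capable media, checks that a constructed sample enrolment record can no longer be found, and emits a digest-protected certificate record. The device identifier, operator name, and certificate field set are placeholders and assumptions of this example.

```python
"""Software-based sanitization with read-back verification and an erasure
certificate record. Added example: the 'device' is a constructed temporary
file, and the certificate format is an assumption of this illustration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB I/O granularity (assumption)


def overwrite_and_verify(path: str, pattern: bytes = b"\x00") -> dict:
    """Overwrite every byte of the medium with a fixed pattern, fsync, then
    read the whole medium back and count bytes that do not match.
    The read-back is what turns an overwrite into evidence."""
    size = os.path.getsize(path)
    block = pattern * (CHUNK // len(pattern))  # assumes len(pattern) divides CHUNK
    written = 0
    with open(path, "r+b") as fh:
        while written < size:
            n = min(CHUNK, size - written)
            fh.write(block[:n])
            written += n
        fh.flush()
        os.fsync(fh.fileno())  # make sure the writes reach the medium
    mismatches = 0
    read = 0
    with open(path, "rb") as fh:
        while True:
            data = fh.read(CHUNK)
            if not data:
                break
            expected = block[: len(data)]
            if data != expected:
                mismatches += sum(1 for a, b in zip(data, expected) if a != b)
            read += len(data)
    return {
        "bytes_overwritten": written,
        "bytes_verified": read,
        "mismatches": mismatches,
        "verified": mismatches == 0 and read == size,
    }


def erasure_certificate(device_id: str, operator: str, standard: str, result: dict) -> dict:
    """Audit-trail record to associate with each device (field set assumed).
    The digest lets a reviewer detect later edits to the record; a production
    programme would sign it with an operator or organisation key."""
    body = {
        "device_id": device_id,
        "operator": operator,
        "method": "single-pass overwrite + full read-back verification",
        "standard_claimed": standard,
        "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        **result,
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    body["record_sha256"] = hashlib.sha256(canonical).hexdigest()
    return body


def verify_certificate(cert: dict) -> bool:
    """Recompute the digest over every field except the digest itself."""
    body = {k: v for k, v in cert.items() if k != "record_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest() == cert["record_sha256"]


# Constructed stand-in for an enrolment record; not real biometric data.
SAMPLE_RECORD = b"ENROLLEE:constructed-sample-0001;TEMPLATE:" + bytes(range(256)) * 4


def demo() -> dict:
    """Write sample records to a temp-file 'device', sanitize, verify, certify."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SAMPLE_RECORD * 300)  # ~320 KB image, crosses chunk boundaries
        result = overwrite_and_verify(path)
        with open(path, "rb") as fh:
            residue_found = b"ENROLLEE" in fh.read()
        cert = erasure_certificate(
            "DEVICE-SN-PLACEHOLDER", "operator-placeholder",
            "NIST SP 800-88 Clear (overwrite)", result,
        )
        return {"cert": cert, "residue_found": residue_found,
                "cert_intact": verify_certificate(cert)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Overwriting through the file system is only meaningful for media that accept overwrites in place; flash-based storage with wear levelling and over-provisioned blocks can retain copies that a host-side overwrite never touches, which is exactly why the article stresses matching the sanitization standard to the storage technology. For such devices the overwrite step would be replaced by the device's native sanitize command, while the verification and certificate steps stay the same.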
IG recommendations to revisit disposal policies and documentation surrounding biometric devices are a significant step in the right direction, prompting a new look at data protection methods, including software-based data sanitization. Those charged with securing that data could benefit from near-term adoption of these measures.
Maurice Uenuma is VP & GM, Americas and security strategist at Blancco, a Joensuu, Finland-based provider of data sanitization and device diagnostics products and services.