A retired Japanese Coast Guard boat (Takachiho) was sold to a pro-North Korean organization without having assurances that navigational data was deleted. The decommissioned patrol boat could have had as many as 6,000 locations recorded over the 250 days of use. The boat was presumably sold to be turned into scrap, Weapons and radio equipment were removed but no procedures were in place to ensure that navigational data were securely deleted. It is unknown if navigational data were recovered from vessels disposed of through past sales.
Why was the navigational data on the Japanese Coast Guard vessel not securely deleted?
In all probability there were no policies that would have helped to identify the presence of navigational data and the necessity to securely delete it. The presence of a data disposal policy could have ensured this deletion. Further if policies such as a very targeted “Decommissioned boat data policy” that mandated the erasing of all data from boats about to decommissioned, or a “Sale of decommissioned boat policy” that mandated a check of data saved on the boats systems and its deletion, were in place, and if these policies where strictly enforced, such a lapse could have been avoided.
How could the lost navigational data compromise national security?
In the given scenario, North Korea now has data on geographical locations and routes of the Japanese Coast Guard. This type of information is classified and in the wrong hands can make the Japanese Coast Guards sitting ducks to attacks from an enemy state and result in a grave compromise of national security.
How could the Japanese Coast Guard write an effective data disposal policy?
The Japanese Coast Guard could have written an effective data disposal policy that identified the different types of data, their access control labels, and location, stated their retention period, and mandated the enforcement of the policy in defined situations (for instance, when a boat is about to get decommissioned and when a decommissioned boat is to be sold). It could further spell out the technical methods to securely and completely wipe out all paper and digital data.
Is a self-assessment of effective security policy a good predictor of actual security? Why or why not?
Self-assessment of security policies is not as effective as a third-party assessment and can lead to a false sense of security. Weaknesses in policy can be blind-spots for those who created it and for those who are enforcing it. Additionally, self-assessments may not be entirely honest and can become an exercise in checking all the right boxes on paper in order to cover up shortcomings and lapses and brush issues under the carpet and save one’s job.
A third-party assessment would be an outsider’s view, have a broader outlook, and be more unbiased and honest than a self-assessment.