Classified Data Spillage: Considerations for Risk Mitigation and Containment

By Maurice Uenuma

October 28, 2024

Classified data spillage has always been a concern to those in the national security community. When sensitive information spills onto an unauthorized medium or network, there can be grave consequences. 

The risk of data spillage continues to rise with the growth of data from broader collection and production, along with increased access to and use of this data for analytics and operations. Digital transformation, AI adoption, and data-driven decision-making have delivered great value to federal agencies, but these trends have made protecting classified data even more challenging than it already was.  

This situation warrants new consideration for how sensitive data can be protected against unintentional exposure, and how spillage is remediated when it occurs. Data sanitization plays an important role in this arena.

How Spillage Occurs

Data spillage is one way that unauthorized disclosure of classified information takes place. According to NIST, it is a “security incident that results in the transfer of classified information onto an information system not authorized to store or process that information.”

The spilled data could have been moved to an unclassified environment for nefarious purposes (e.g., espionage) or as a result of inadvertently mishandling the data (e.g., not following classification procedures). Examples of the former would include leaks such as those committed by high-profile conspirators Julian Assange and Chelsea Manning. Examples of the latter would include incidents that involve cleared personnel who physically relocate or improperly dispose of sensitive materials.

Spillage can also happen as an unintended consequence of a loss of control of classified data systems (e.g., an email server misconfiguration). The growing size and complexity of the government’s data management landscape has led to an increase in data spillage risk.

More Data to Protect… and Contain

More classified data is being shared for the benefit of national security decision making and operations. Effectively extracting value from that data means sharing data across more systems and giving access to more people. This can produce long-term national security benefits but also near-term data security challenges.

The sheer volume of classified data is a contributing factor. The rapid emergence of technologies such as artificial intelligence (AI) and internet of things (IoT), more automated data collection, and the government’s digital modernization efforts have exponentially increased the volume of sensitive data being transmitted, processed, and stored, increasing the possibility of spillage.

Some examples of this include:

  • Generative AI (GenAI) that produces sensitive or even classified information before humans can properly manage and classify the outputs.
  • Broadly deployed sensors that gather or contain classified data and transmit that data across broad networks.
  • A growing number of cleared personnel with access to classified information.
  • Large sensitive or classified data sets being fed into large language models (LLMs) that may spill during the extract, transform, load (ETL) process.

The Role of Data Sanitization

There are numerous security controls available to federal agencies to prevent data spillage and respond to it when it occurs. These include data protection measures such as access control, multi-factor authentication (MFA), encryption, data loss prevention (DLP), email security, and employee training.

Data sanitization also plays an increasingly important role. 

According to Gartner, data sanitization is the process of deliberately, permanently, and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable. In other words, a device that has been sanitized has no usable residual data, and the data cannot be recovered even with the assistance of advanced forensic tools. Data sanitization can also be performed on individual files, folders, virtual machines, and logical storage (without sanitizing the entire device or drive).

Sanitization of a device at decommissioning and ongoing data sanitization in live environments are both critical steps to reducing an organization’s data attack surface and potential risk of classified spillage. In this way, data sanitization helps both to prevent spillage and to mitigate it.

Prevention: Permanently removing classified data when it is no longer needed reduces the risk of this data ending up where it should not be. By deploying data sanitization tools, federal agencies can:

  • Remove redundant, obsolete, trivial (ROT), or dark (unused or unknown) data from storage environments.
  • Erase specific network files, folders, logical drives, or virtual environments to comply with classified data protection mandates.
  • Securely remove data from data storage drives or devices before storage or transport of those assets, including those slated for shredding or other physical destruction.
  • Integrate with data classification tools to proactively (and even automatically) identify, contain, and sanitize classified files when they are no longer needed.

Remediation: After a data spillage incident is discovered, action must be taken to ensure it is isolated and contained. Software-based data sanitization (including binary overwrite of all user-accessible and non-accessible partitions of the affected drive) can be applied to permanently remove classified data, even before physical destruction of the device or drive, as a robust risk mitigation measure. When done properly, data sanitization also provides additional assurance through erasure verification and reporting.

In its National Instruction on Classified Information Spillage, the Committee on National Security Systems (CNSS) provides the minimum actions required when responding to a spillage of classified information. According to CNSS, appropriate procedures for sanitizing or remediating the effects of a spill may include:

  • Using the operating system to delete the spilled information.
  • Re-labeling the media containing the spilled information to the appropriate classification/category and transferring the media into an appropriate environment.
  • Removing the classified information from the media by organization-approved technical means to render the information unrecoverable.
  • Erasing operating system, program files, and all data files.
  • Erasing all partition tables and drive formats.
  • Erasing and sanitizing the media.
  • Forfeiting the media.

Many of these procedures can be effectively implemented through a mature data sanitization platform and process.

Note that this guidance was issued before the recent developments in AI, IoT, etc., noted above. The emphasis on data sanitization in live environments will likely increase as policy is updated to better reflect, and keep pace with, the sheer volume of sensitive data being shared and processed at scale.

Data spillage is a real and growing risk to national security, demanding a measured response. There are many security controls and associated policies available to prevent spillage and remediate it when it occurs. Robust data sanitization tools are likely to become more widely used, as agencies implement these capabilities in routine end-of-life data and device management, as well as in non-routine data spillage scenarios.

Reach out if you are interested in learning how Blancco’s solutions can help you prevent data spillage.
