The Washington Post

The Cybersecurity 202: Sensitive government data could be another casualty of Afghan pullout


with Aaron Schaffer

Among the many long-term costs of the rapid fall of the Afghan government and the swift withdrawal of U.S. diplomatic and military personnel, count this one: Troves of sensitive U.S. government data are surely being left behind in the nation now under Taliban control.

The vast majority of classified information that lived on U.S. embassy computers was almost certainly flown out of Afghanistan or destroyed. A lot of the government's highly sensitive data is also housed in cloud services rather than on local hard drives and is protected with multiple security controls.

But reams of unclassified but sensitive material will probably remain in the country, both in digital forms and on paper. 

In many cases, that’s because it was shared with the Afghan government, non-governmental organizations and other partners in the country. At least some information was also probably overlooked on old laptops, phones and removable media during the faster-than-expected exit.

“There are protocols for doing this. … But whenever you have to rush things, you’re going to forget stuff,” Mark Rasch, an attorney who developed cyber forensics capabilities for the Justice Department and prosecuted cybercriminals, told me. 

The potential loss of sensitive data is an additional pain point for the withdrawal, which was replete with many of them – most notably the ongoing struggle to evacuate diplomats, U.S. citizens and Afghan allies after the Taliban took over most of Kabul. 

Some of the comparatively innocuous data left in Afghanistan can probably be woven together with other such data to reveal information that’s truly damaging to U.S. security – a process intelligence officials refer to as the mosaic effect. 

And it will surely be sought by U.S. adversaries outside Afghanistan, such as Russia and China, that are willing to pay for whatever data the Taliban can provide.

“Part of any deliberation on what to provide to other countries we do security cooperation with is the potential threat of what would happen if this information leaked or got into the wrong hands,” Jason Campbell, a Rand policy researcher, told me. “That’s always part of the equation, but you rarely see it happening at such a scale as we are in Afghanistan.” 

The Pentagon declined to comment about emergency procedures. The State Department did not respond to a request for comment. 

President Biden outlined the final military objectives in Afghanistan during remarks on Aug. 16. (Video: The Washington Post)


A key challenge is the sheer breadth of the U.S. footprint after nearly two decades in Afghanistan. 

The 2014 Marine Corps pullout from Camp Leatherneck in Afghanistan’s Helmand province offers a glimpse of the scope. In that case, more than 7,500 computers were destroyed or removed, The Washington Post reported at the time. 

The memo directing embassy staff to destroy sensitive material came Friday, CNN reported, though the process may have begun earlier. It applied to sensitive information about U.S. programs and items that “could be misused in propaganda efforts.”

Embassies have elaborate procedures in place for evacuating personnel and destroying sensitive documents and digital files that they regularly update based on the risk and complexity of such operations, a person with extensive experience in diplomatic security told me.

But such procedures can’t account for every piece of digital hardware left in Afghanistan after such a lengthy presence, or for information shared with allies and local partners.

Indeed, the Taliban appears to have already seized large amounts of military hardware used by Afghan forces. 

“Whenever you have a presence somewhere for that long, access to sensitive information is always a concern,” said the person who requested anonymity to describe security issues. 

The keys

An Apple foe wants to scrutinize the company’s controversial new system for spotting child pornography.

Corellium will offer $5,000 grants to support “independent public research into the security and privacy of mobile applications,” including Apple’s new system, Reed Albergotti reports.

Apple’s system is designed to look for digital fingerprints, known as hashes, that identify known child pornography. The scanning process takes place on phones and tablets before photos are uploaded to Apple’s iCloud service.

Corellium’s announcement comes days after Apple executive Craig Federighi defended the child sexual abuse material initiative and said independent security researchers could inspect iPhones to make sure the software was being implemented as promised. Apple spokesman Todd Wilder did not respond to a request for comment. 

Technology and privacy experts have blasted Apple’s system. They say it’s too invasive and could present foreign governments with opportunities to abuse it. Federighi said the database of images will be made up of intersecting information from child-safety groups in different jurisdictions.

T-Mobile is investigating whether hackers stole data from 100 million customers.

The telecom giant confirmed that hackers accessed some data but said it’s still investigating the full scope, CyberScoop’s Tonya Riley reports. The company said it has closed the security hole the hacker used and is looking into what data was taken.

The hacker appeared to have stolen data including Social Security numbers, according to Motherboard. It’s the company's fifth breach in the past four years, Tonya writes.

A cyberattack on Iran’s railroad system was probably caused by Iranian opposition hackers, researchers said.

The attack shows the damage that independent opposition hacking groups can inflict on governments, the New York Times’ Ronen Bergman reports. Indra, the group apparently behind the attack, has a history of targeting Iran-related entities and causing cyber mischief, according to cybersecurity firm Check Point.

“It is very possible that Indra is a group of hackers, made up of opponents of the Iranian regime, acting from either inside or outside the country, that has managed to develop its own unique hacking tools and is using them very effectively,” Check Point senior researcher Itay Cohen told Bergman.

Industry report

Ransomware hackers who hit Colonial Pipeline stole personal information from nearly 6,000 people, including employees and their families.

The hackers stole information including Social Security numbers during the attack that hit the company’s networks in May, CNN’s Brian Fung reports.

SEC, education company Pearson settle charges over 2018 security incident for $1 million (CyberScoop)

Government scan

State Department tries 'pushing the envelope' with Dark Web informants, cryptocurrency rewards in the millions (CNN)

The Senate’s $1 trillion infrastructure bill includes funding to secure Americans’ water systems and power grids from cyberattacks (Cat Zakrzewski)

Homeland Security Considers Outside Firms to Analyze Social Media After Jan. 6 Failure (Wall Street Journal)

Securing the ballot

Cyber leader calls for nonpartisan path to securing the vote (Associated Press)

Experts: False claims on voting machines obscure real flaws (Associated Press)

Cyber insecurity

Rural sewage plants hit by ransomware attacks in Maine (Associated Press)

Hacker Says He Found a ‘Tractorload of Vulnerabilities’ at John Deere (Motherboard)

Chat room

The cybersecurity world had a brief star turn when John Oliver highlighted ransomware on “Last Week Tonight.” Recorded Future's Allan Liska:

TechCrunch's Zack Whittaker:

NBC News's Kevin Collier:

We're not above crowing about our own brief appearance.


  • National Cyber Director Chris Inglis speaks at the CyberScape National Security event on Thursday at 11 a.m.

Secure log off