A sustainable look at secure device destruction
GettyImages/ JoKMedia
Connecting state and local government leaders
While many agencies routinely destroy decommissioned IT equipment, environmentally friendly options can extend device life and purge non-classified data from solid state drives.
Government officials know they need to be more environmentally friendly when disposing of solid-state drives (SSDs), but the No. 1 approach for decommissioning drives remains physical destruction, a new study shows.
The most notable takeaway from “The Price of Destruction,” a recent report by Blancco, which found that 71% of U.S. public sector respondents said their agency has a plan to reduce the environmental impact of destroying information technology equipment, but only 22% of them are actively implementing those plans, said Alan Bentley, the company’s president of global sales.
“There’s a big delta around understanding they need to do it and actually doing anything about it,” Bentley said. “What the difference seems to be is they don’t understand the process.”
The study, conducted in December 2021 and January, gathered data from 596 respondents in nine countries, with 110 of them in the United States.
Strict data privacy and security laws are one factor driving SSD destruction. The majority of respondents were well informed of data protection laws, the report found, with 69% of U.S. respondents saying they know them in detail. According to the survey, 88% of respondents said they are aware of and know in at least some detail the regulations in National Security Agency/Central Security Service (NSA/CSS) Policy Manual 9-12, which advocates a non-reuse approach for devices that contain classified information.
Because most policies permit agencies to physically destroy drives and the data they hold, and because most people know they are allowed to do it that way, that’s the option they take, Bentley said. In fact, the report found that 46% respondents globally consider destruction to be the most secure method, but there are other data sanitization practices that also allow for the reuse or recycling of devices, especially when they contain non-classified data.
The National Institute of Standards and Technology’s Special Publication 800-88 Rev. 1 provides nondestructive methodologies for secure data sanitization, according to the report. An example is cryptographic erasure, or sanitizing the cryptographic keys used to encrypt the data.
One nondestructive method that 78% of respondents said they use is reformatting, but that is ineffective, Bentley said, because data can still be retrieved from a reformatted drive.
Additionally, 38% of all respondents said they believed that physical destruction was cheaper than reuse-friendly data sanitization methods, but the data shows that the opposite is true. In the United States, the average yearly number of SSDs destroyed was 1,316, with the total cost for destroying and replacing reaching $11.5 million to $12.2 million.
“If you just average that out, there’s a lot of government organizations and a high percentage of them are physically destroying perfectly reusable drives, that comes with a cost not just to physically destroy it, but also to replace it. And it also comes with an environmental cost,” Bentley said.
The increase in awareness about climate change is fueling government efforts to be more environmentally and fiscally responsible with IT equipment disposition, he said. That’s where many agency plans originate – and one reason why they haven’t implemented them yet: they’re new.
“Implementation of plans, especially in the public sector is complicated. It requires lots of different people in lots of departments to be on the same page, so it’s a lot easier to come up with a plan than it is to necessarily implement the plan,” Bentley said.
Still, he’s optimistic about the future of data sanitization, calling it a “growing fix,” rather than a growing problem. That’s because previously, the entire focus was on physical destruction with little to no concern about cost or the environment. Now, that’s shifting, especially as government leaders apply pressure.
“If it means you have to rewrite the policy, rewrite the policy. But nobody is going to rewrite the policy that’s been in place for a few years unless someone tells them to,” Bentley said.
Stephanie Kanowitz is a freelance writer based in northern Virginia.