Strengthening Data at Rest Protections: Lessons from Recent Espionage Cases
By Tom Ricoy, CTO and President of Government Programs, Cigent
The recent conviction of U.S. Navy sailor Jinchao Wei, also known as Patrick Wei, for espionage and export violations underscores a persistent vulnerability in U.S. national security. Arrested in August 2023 while reporting for duty on the USS Essex, Wei was found guilty of selling sensitive military information to Chinese intelligence and now faces a potential life sentence. His case is not an anomaly. Since August 2023, the Navy has disclosed three espionage cases involving sailors, including Wenheng Zhao, sentenced in January 2024 to 27 months in prison for transmitting classified information to a Chinese intelligence officer.
Together, these cases expose a critical gap: inadequate protection of data at rest (DAR), which is data stored on a device that is powered off or not yet authenticated. This gap continues to allow classified and sensitive information to be stolen through physical or digital means outside traditional facilities, making such data a prime target for espionage.
A Persistent Pattern of Data at Rest Exploitation
Espionage and data breaches involving DAR have plagued U.S. government and military systems for years, often exploiting insufficient encryption and erasure protocols. Historical cases like Edward Snowden’s 2013 leak of classified NSA documents demonstrate how insiders can access and remove vast amounts of data without robust DAR safeguards, leading to assumptions that all accessible data was compromised and setting back intelligence efforts significantly. Similarly, Chelsea Manning’s 2010 disclosure of military cables via removable media exposed troop movements and diplomatic secrets, a breach facilitated by lax controls on data storage devices. More recent examples include the 2020 SolarWinds hack, which penetrated U.S. federal networks and potentially exposed resting data across agencies, and the 2015 Office of Personnel Management (OPM) breach, where unencrypted personnel files of millions were stolen, illustrating the risks when DAR is not adequately secured. In military contexts, the 2024 discovery of compromised credentials from U.S. defense contractors via infostealers further demonstrates how resting data on endpoints can be a gateway for adversaries.
The Role of CSfC in Closing the Gap
Addressing this challenge starts with the adoption of the NSA’s Commercial Solutions for Classified (CSfC) Data at Rest program. CSfC for DAR calls for using two independent layers of encryption built from commercial products. Those products typically include cryptographic modules validated to FIPS 140-2 or FIPS 140-3 and devices evaluated against the Common Criteria Protection Profile. The aim is strong protection using technology agencies can buy, deploy, and maintain at scale.
Although rollout has begun across the Department of Defense (DoD), progress remains uneven, particularly in edge environments such as laptops, tactical servers, and vehicles. These environments often house sensitive data outside of traditional facilities, making them prime targets for espionage. CSfC solutions are proven, effective, and non-disruptive to operations, but they are still not universally deployed. Closing this gap is essential to preventing the next headline-making breach.
Beyond Encryption: Visibility and Sanitization
Encryption alone cannot solve the DAR challenge. Two additional measures are vital: visibility into data access and verifiable sanitization.
Access visibility: The inability to determine the scope of prior insider incidents forced officials to assume the worst, delaying remediation and damaging intelligence operations. Today, technologies exist to generate tamper-proof access logs, stored securely and immune to user manipulation. These logs provide forensic clarity and can help security teams detect abnormal access patterns before damage is done.
Sanitization: The secure destruction of data is equally critical. While NSA policy requires physical destruction of classified drives, situations such as equipment reuse, embassy evacuations, or battlefield abandonment often demand alternatives. Unfortunately, standard erasure tools for solid-state drives are often unreliable; controller-managed wear leveling, remapped blocks, and overprovisioned areas can leave residual data even after an erase. Certified sanitization solutions that verify the complete removal of data are necessary to ensure that information does not fall into an adversary’s hands.
Expanding Protections Across Government
The path forward is clear. The DoD should expand CSfC adoption to cover not only classified data but also Controlled Unclassified Information (CUI) and other sensitive categories. Incorporating DAR protections into the Cybersecurity Maturity Model Certification (CMMC) would strengthen security across the Defense Industrial Base, where supply chain vulnerabilities remain a frequent point of exploitation. Extending these standards to federal civilian agencies, the Intelligence Community, Congress, and the White House would create a consistent defense posture across government.
A Call to Action
The risks of inaction are evident in every breach and espionage case of the past two decades. As adversaries grow more capable and insiders more emboldened, securing data at rest is not optional; it is fundamental. Robust, layered, and verifiable protections must be treated as a cornerstone of national security. The United States cannot afford to leave this gap open any longer.