A brief digest from the E-Scrap Conference & Trade Show 2019

Orlando, FL – What happens to our beloved tech devices when they die? Wouldn’t it be great if the answer was as simple and pleasant as “they go to Tech Heaven?” Unfortunately, the truth is: it depends. The end-of-life journey for connected devices can best be described as three possible scenarios – the good, the bad, and the ugly. The “good” happens when discarded electronics are properly disposed of, recycled, and reused to create new components for innovative gadgets. The “bad” occurs when our treasured doohickeys are improperly dumped in landfills or warehouses, where they slowly leak toxic chemicals that pollute our ecosystem and poison our water supply. And the “ugly” can befall our junked technology when equipment is sold on the black market, and hacked by malicious actors to retrieve our sensitive personal data.

Perhaps the most astounding aspect of the e-scrap issue is the general lack of awareness, both on the consumer side and the corporate side, of the myriad threats facing us all. I attended the E-Scrap Conference to listen and learn from leaders in the e-recycling industry about the current state of e-scrap management, the challenges they are facing, and what lies ahead.

As connected devices continue to proliferate every aspect of our lives, the e-recycling industry has continued to adapt and innovate, in an attempt to keep pace with the ever-changing landscape of e-scrap. “What has really happened and evolved, is that technology now contains data,” according to Kevin Dillon, co-founder of ERI, the largest fully integrated IT and electronics asset disposition company in North America. “Ten years ago, if one was talking about data on a device, [they were] specifically focused on a computer or a laptop. Now, with the evolution of smartphones, smart technology, you’re talking about Smart TV’s!” He adds, “There’s pretty much that [kind of] artificial intelligence in virtually every type of electronic device. That needs to be managed properly and appropriately.”

E-recycling has grown to a $22B industry, but the journey has just begun. “I would say it’s still in its infancy,” Dillon continues. “ When I first started out, a lot of the companies [handling e-scrap] were garbage companies and scrap metal organizations.” It was only after the myriad dangers associated with improper e-disposal became known to government and corporate security advocacy groups, that the movement to establish e-recycling as a distinct, specialized practice gained traction. “[The e-scrap industry] changes at the speed of the electronics industry,” according to William Johnson, chief lobbyist for the Institute of Scrap Recycling Industries (ISRI). “It went from more of a pure ‘recycling’ industry to [IT Asset Disposition]”

Still, as Dillon points out, “It’s easy to get permitted to be a recycler, but it’s tough to actually do the recycling and do the work [properly].” He adds, “It’s an industry that continues to evolve as new technology comes into the marketplace… [we] need to be nimble and quick, and have the ability to properly de-manufacture and recycle all the devices.”

E-scrap touches on two primary areas: Consumer Data Protection and Corporate Digital Asset Security.  On the consumer side, the problem seems to be cost and inconvenience. “They don’t understand the [risks],” says Darrell Kendall, executive director at The Recycling Industry Operating Standards (RIOS). “All they know is ‘I’ve got a piece of crap TV that I’m trying to get rid of, and now I have to pay to get rid of it? That’s not fair!’” These factors seem to be the primary barrier to behavioral modification and the widespread adoption of responsible e-recycling habits. As Rike Sandlin, founder of Rivervista Partners puts it, “You want to recycle your TV, until I tell you it’s going to cost you $25 to do that.” He continues, “[It’s] the same way you’re very concerned about data security and privacy until your phone requires two-step authentication. Now, you don’t care about data security, and you turn it off because you don’t want to be inconvenienced!” Yet, there is light at the end of the tunnel, even for lazy, stingy consumers like myself. Retailers have stepped up their “buy back” game, offering free disposal of old devices, and even discounts for trading in old gadgets. As Dillon from ERI points out, “Best Buy is the largest collector in the U.S. of electronic devices. So, they are really the most progressive, innovative [retail] organization… they’re serving as a model for everyone.”

The e-recycling landscape is vast, to put it lightly. “There are not just consumer products,” Dillon continues. “There’s the business enterprise equipment, there’s the material that’s in the data centers, there’s all the networking equipment, there are the cell phone towers… everything and anything powered by a circuit board are legally defined as an electronic device.” So where does the impetus lie for these initiatives? Dillon says that “corporations have the responsibility to make sure their items – the data – are being properly destroyed and do not end up in landfills.” But for many companies, especially SMEs, it may not be that simple. Many smaller businesses do not have enough resources to employ dedicated IT or Sustainability personnel. As Sandlin notes, “It’s really a question of finding the right partner to work with through looking at certification programs, doing some audits and due diligence, to make sure you have a great [e-recycling provider.]”

The surge in digitization replacing paper as the primary method for conducting business has left many companies struggling to catch up. Most businesses have well-established procedures for disposing of paper documents safely and securely, but as Dillon points out, “they might have to update some current policies and procedures so that they treat hard drives as a commodity, and not focus on the scrap value of the items, but rather the [value of] the PII of their customers.”

Obviously, the landscape of corporate responsibility as it relates to e-disposal has changed immensely. Jason Hogg, CEO of AON Cyber Solutions articulates it as follows: “The proper disposal of connected devices is a critical component of a best-in-class cyber resilience strategy.  These devices could easily contain customer data, IP, or even access points back into an enterprise.  Increasingly, we see disposal becoming an issue beyond just a cyber threat.  There are critical compliance and regulatory considerations when adopting an appropriate hygiene plan. Consequently, the environmentally thoughtful destruction of devices, where data storage components are permanently destroyed and critical alloys and materials are recycled is a must.”

So, what about government legislation? If the ramifications of improper e-disposal are so dire, what regulations are in place to defend against them? Currently, there is proposed federal legislation to ban the export of discarded electronic devices overseas, but many industry experts oppose this measure, claiming that it is misguided. As Johnson from ISRI explains, “The legislation is not focused on national security, data destruction, or cybersecurity. Instead, it is focused on counterfeiting. The newest version [of the bill] only requires registration with the Dept. of Commerce, which achieves nothing!”

Sensitive government data seems to be properly protected. According to Johnson, “The 2012 NDAA already addresses this issue with regard to military equipment and systems by requiring [the Dept. of Defense] to establish ‘trusted supply chains and 100% testing.’” However, Dillon warns, “E-waste has hit the level of National Security because the items are being exported, and essentially, the ‘thugs’ and ‘terrorists’ have the ability to figure out sensitive customer information [contained] on these electronic devices.” Currently, most regulations in the U.S. that compel organizations to use certified e-disposal companies are only imposed at the state level. According to Johnson, “They need to use a certified company at the state level. You don’t see that [requirement] as it goes down from the state level to the city and county governments.” He continues, “They’ll put the equipment out for bid, and the [lowest] bidder wins. There’s no requirement that you have any sort of certification.”

It’s imperative that a tidal shift in the regulations and requirements take place immediately, whereby state and local municipalities are held to the same standard as the federal government. To ensure proper e-disposal, recycling companies should be certified (either SERI/R2 or E-Stewards), and follow the N.I.S.T. standards, which are the “highest of government security clearance for erasing the hard drive,” according to Dillon from ERI. This will provide significant measures to shore up not only consumer data and proprietary corporate knowledge but also sensitive PHI/PII.

So, how do we make this shift happen? There are several challenges to overcome. For one, manufacturers are not prioritizing end-of-life concerns. “Number one [priority] is always going to be the marketability and scalability of their products, and making sure their products create a return customer,” says Mike Cheslock, co-founder of E-Reuse Services.  “So, when you ask them to change something to make it more recyclable, that’s (maybe) ten steps down the list of things they’re focused on.” The real solution is going to be conveying the all-important, and 100% true, a concept that proper e-recycling is actually beneficial to enterprises’ bottom lines. Once they see the value-add proposition inherent in proper e-disposal, the industry will hit its “big bang.”

Gary Berman, Cybersecurity Reporter

Cyber Defense Magazine

Gary Berman is a contributing reporter for Cyber Defense Magazine. He was the victim of a series of insider hacks for several years until he made the pivot from victim to advocate. He is creator and CEO of The CyberHero Adventures: Defenders of the Digital Universe, a groundbreaking comic series that distills complex cybersecurity information into entertaining and educational superhero stories, making cyber hygiene accessible for non-technical people.

 

Olivier Vallez, JD, MBA – Lead Writer/Cybersecurity Reporter

Cyber Defense Magazine

Olivier Vallez is a contributing writer for Cyber Defense Magazine, covering various cybersecurity topics and events. He is the Head of Business Development at The CyberHero Adventures: Defenders of the Digital Universe, a groundbreaking comic platform that distills complex cybersecurity information into fun and engaging superhero stories, and makes cyber hygiene easy-to-understand for non-technical people.