White House Demands Encryption for Sensitive Data
An anonymous reader writes "Stung by a series of data losses or disclosures at federal agencies over the past month, the White House is requiring all agencies to follow new guidelines when allowing employees to carry sensitive data on laptops or access the information from afar, according to the Washington Post. From the article: 'To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.'"
And the real question is: Why weren't all these measures mandatory before? Did no one think of the potential problem of a user going home with his laptop before?
Write boring code, not shiny code!
Speaking of which, you should probably get a glimpse at what Google .Gov dragged up.
Why has this not been done before? But let me guess the encryption is ROT13.
Those people who have legitimate access to that data leaking the information? Was there a huge wave of hacker activity stealing and disseminating classified material lately? Because I must have missed it.
Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasance in the Bush administration.
This doesn't do much to stop this kind of leak, but makes it much easier to track down those who do leak information. I don't think this has as much to do with security, as it does fear and punishment.
But then I call farmers for the USDA to ask them about their operations and they've been pissed about the "guvmint" not keeping their data safe (at least by their perception). Not that the farmers don't have more to bitch about but... Yay! I can placate more of them and make my life easier. I mean, other than that, why would I care?
numerous data thefts, and we are just now getting around to requiring that we protect our data ??? Makes you wonder exactly what our homeland defense dept. is doing, when it runs Windows, does not push good requirements on computers, and does not even have a place to call them about possible terrorists. Worse, Congress debated over a flag amendment and has been complaining about part of 1 billion wasted during Katrina, but does nothing about our deficits, the corruption, or even the 10s of billions wasted in Iraq (where is the money that was supposed to build up their infrastructure?). God help us.
Okay, is it "hand all your private keys over", or "white house uses encryption"? Who's in charge of these things?
"The Bush administration is giving federal civilian agencies 45 days to implement new measures to protect the security of personal information that agencies hold on millions of employees and citizens."
Why would this data be on a laptop in transit in the first place? 15 years ago, I would understand the need to carry a bunch of tapes from location A to location B. With recent advances in networking the utility of carrying around data in a suitcase seems quite elusive.
Just "recommendations".
Which means this is likely to have zip for effect.
Sheesh, evil *and* a jerk. -- Jade
...and require that ours are kept stored for months or years, or even "forever"? Is it me or is something running very wrong here?
As far as I know, the founding fathers tried to protect the people from their government, fearing that it might turn one day against them. I think it's time to put this in practice. It is not the government that has to monitor its people; it is to be done the other way around.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"Stung by a series of U-Boat losses, the Kriegsmarine is requiring all agencies to follow new guidelines regarding the Enigma code."
Seriously, the US government is only just figuring out what encryption is for? Exactly how incompetent are they?
And before you get comfortable laughing at these people, consider for a second how dumb you must be to let these same people hoover up all your civil liberties...
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
> Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasance in the Bush administration.
TFA (which I read for a change) says this is about the leaks of personal identity information.
Sheesh, evil *and* a jerk. -- Jade
OMFG!!! By publishing this information the media is helping the terrorists! How will we ever win the wars on terror like this? I'm offended! There are folks that want to kill people out there!!!
The Farewell Tour II
The government finally lost its war with common sense. At least, in this case.
Great Intellect...
"You know, there was a time when doing that sort of thing was called treason..."
You mean last week when King (real name) accused the New York Times of treason for revealing the secret domestic spying on American bank transactions?
The patriot act needs to be renewed, these patriots need to be caught and punished with the full force of the law.
> The Nixon parallels are staggering.
Bush makes Nixon look like a choirboy.
Sheesh, evil *and* a jerk. -- Jade
It actually makes sense!
I think the DISA made quite a large Freudian slip on page 43. Here's a screenshot. Are they trying to tell us something?
May the Maths Be with you!
How does ROT13 work with binary data, such as MS Word documents?
A. Practical Solutions:
1. As every agent who possesses sensitive information leaves office, shoot him.
2. Destroy his/her/its laptop.
B. Impractical solutions:
1. Build a new proprietary operating system for secret agents.
2. Build proprietary hardware for them.
3. Build secretive, proprietary network cards, that operate on proprietary, unpublished protocols.
If neither Plan A nor B seems workable, post Ask Slashdot for ideas!
-
If you keep throwing chairs, one day you'll break windows....
Call it something with "entierprise".
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
Before regular users who need to abide by this policy circumvent or abuse this policy. Meaning data will still reside on laptops unencrypted because users don't see the need for additional protections. ("I keep my laptop secure!")
You can put all the security you want on databases, firewalls, and file servers. But in the end, users still need to access that data. Therefore, accidental (or otherwise) leakage of info by a consumer of this data is the main risk of disclosure, not a hacker. We need to have better IA (Information Awareness) training first, and remind users of their duties to keep this information secure. Another layer of protection won't work if users don't understand how important it is to secure this data.
Government should sign up on Mozy. They offer 2 GB secure data storage for free and 30 GB for $4.95. :D
Here's the link: https://mozy.com/?ref=SV4DVI
Problem solved. Next...
Come on, there's 13 year old kids that know better.
They're feeding everyone lines.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Beset with yet another layer of Policies, Programs, and Procedures the things a bureaucracy will need are:
feasibility studies
staffing increases
training
miscellaneous budget increases
Does anyone know the source of that quote in the Civilization IV game:
The bureaucracy is expanding to meet the needs of an expanding bureaucracy.
[1] I am making this up.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Why would the government need to use encryption unless they had something to hide? Remember, only terrorists have a need for encryption.
I am no Neocon and I usually don't agree with Mr Bush and his crowd on anything at all but this time I fail to see what the fuss is about. They are planning to:
- Encrypt all sensitive data on laptops and PDAs.
- Drastically harden authentication methods and make damn sure idle connections are severed.
- Make damn sure sensitive information is not left lying around on hard drives all over the place thus decreasing the likelihood of it ending up in the hands of people it wasn't intended for by accident. In short they plan to drastically improve the management of sensitive data.
In my humble opinion these are all pretty reasonable and sensitive measures for any government to take. My only question is: Why wasn't this done many years ago? These are measures major corporations have considered standard for years in order to thwart industrial espionage. I am quite frankly flabbergasted at what the article seems to imply, which is that US officials, military bigwigs and intelligence people have been traveling all over the USA and the rest of the world for that matter carrying unencrypted sensitive data on their WinDell laptops.
Only to idiots, are orders laws.
-- Henning von Tresckow
My employer, an insurance company, has had similar measures in place for years. It's amazing and, as an American citizen, quite distressing that the federal government hasn't been following best practices for confidential data.
"If it's real, then it gets more interesting the closer you examine it. If it's not real, just the opposite is true." -
GWB: "ya knouw, ey've heyerd 'bout a scjureytey syseym called 'ceysar eyncrypjein' - let's all use it, man"
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
They need encryption for their security but we can't have it for our privacy.
(And yes I'm well aware that nothing is forcing us in the US to hand over our encryption yet but don't worry it'll probably happen sooner than you expect.)
One law for the king and another for the people. We can't live like that...
"Bah!" - Dogbert
I wonder what is considered 'sensitive data' these days? Anything they choose or just certain things?
And, will anyone in the public domain ever really know what has been encrypted and why?
He who knows best knows how little he knows. - Thomas Jefferson
When I download some kind of data from the internet, it is retained and should something against me arise in some kind of aspect (say, I am (falsely) accused of being a terrorist), a peek will be taken into my download history to find incriminating news. Like, whether I exposed some unhealthy interest in fertilizers or aspirin 2 years ago.
Now, if a gov official copies data, 90 days later nobody knows anymore what he copied. It cannot be traced. 90 days is a very short time in our judicial system.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Every week or so there's a news story about someone having a laptop stolen, or being lost, with thousands of customer files on it. I keep wondering why encryption isn't being used. Under Mac OS X, you click one checkbox to enable "FileVault" and everything in your home directory is encrypted. I don't know exactly what's available in the Windows world, but I'm sure there are tools that are just as easy to use.
Of course, I don't use FileVault.
Why not? Well, it's one more thing to go wrong. I'm far more worried about losing my files or losing access to them, than I am about having other people look at them. And, frankly, I've never bothered to find out exactly what happens when you use a standard backup tool on a FileVault-protected Mac (presumably all the backups are UNencrypted if you are running the backup tool from within the protected account?)
So... I dunno. I don't understand why everyone doesn't use encryption, but I don't use encryption myself. Of course, I have reasons. Probably everyone else has reasons, too?
"How to Do Nothing," kids activities, back in print!
This is really a Microsoft conspiracy to justify forcing the government to buy the next version of Windows with encryption features.
In related news
They don't seem very close to me. Nixon, by and large, did sensible things that worked. He didn't underestimate foreign enemies, or tell lies to himself and believe in them. He was unlucky to get caught doing something illegal.
Bush seems to live in his own world of paranoia. He proposes completely unworkable theories and then tries to operate them. A 'war on terror' is a completely meaningless policy. He seems to have no knowledge of what is happening in the world, and is a standing joke to everyone outside America. Almost every one of his actions is illegal, in US and International law, but no one seems to be able to do anything about it.
Interestingly, the parallels with Hitler leave Bush looking worse as well. At least everything Hitler did was intended to promote Germany and the German people, and for a while was quite successful. Bush's first term was a business-crony promoting disaster, and the Americans inexplicably voted for more of the same. Now we have incompetence at every level, the world hates us, and we haven't even got France and Poland to compensate!
to the 20th century welcome - happy i am that the money now will be secure i am
yoda simulator ends
g day
--
Much like the broadcast networks. The more biased they became, the better for FOX News.
This space intentionally left (almost) blank.
It still won't matter. Just look for the yellow post-it note with the password stuck on the monitor, under the keyboard, or under the mouse pad.
Will they be requiring key escrow as well?
As Jon Stewart said on the Daily Show, "It's nice to see they're protecting their privacy."
Sorry, still on my morning caffeine high
I only know of a handful of whole-disk encryption products that support encrypting the operating system disk:
- PGP sells a corporate level product called "PGP Whole Disk Encryption".
- SecureStar sells DriveCrypt Plus Pack
What else is out there that is trustworthy? (Heck, do we even trust that there aren't any weaknesses / or back doors in PGP or DCPP?)
Wolde you bothe eate your cake, and have your cake?
I work for a federal agency and we've had most of this in place for some time.
Our VPN (AES) requires two-part authentication with user name, password, and time-key.
You get dropped faster than 30 minutes if no activity. :(
Max session time also applies. (Not unreasonable)
Encrypting on portable devices will be new, but not difficult. All of our laptops have common access card (CAC) readers.
Validating downloaded material retention will be the most difficult since that is exclusively a policy issue.
Anyway, we have not had a problem with compromises.
What folks may not realize is that the legal definition of "sensitive" is more challenging than you realize. An awful lot of information is available through a Freedom of Information Act request, so you really can't call it sensitive. Training people to recognize the more unique forms of information that rightly deserve protection (Sensitive Security Information 49 CFR 1520) and the like that is the challenge.
Waiting for this to come across my desk...
I work for a large TLA. Generally, our security is pretty good. Fire up a wireless access point in the building (or try to; they won't actually connect to anything) and guys with guns and a laptop running Fedora Core and some scanning software will be walking your floor in short order. I had to carry a couple of them around yesterday while we tried to track down a signal that we finally decided was coming from outside. Last time I saw them, the guys with guns were walking the parking lot, looking for someone with a laptop who shouldn't be there.
We also use encrypted VPN tunnels for remote access and, by default, require all data categorized "sensitive but unclassified" and above to be kept in encrypted folders. As a nearly all-XP shop, that generally means EFS.
I would imagine that we're on par with or better than most agencies. But getting that last little bit, getting into full compliance with these requirements is almost certainly going to require whole-disk encryption.
We can do that in hardware or software. Anybody have any thoughts on the best way to implement whole disk encryption on 100,000 computers in a short time frame? That's both a serious question and a problem statement; any insight into how you do it at your big corp/gov entity would be much appreciated.
encrypt all data
two-factor authentication -- a password plus a physical device such as a key card
automatically severed
keeping detailed records of any information downloaded
verify that those records are deleted
Sounds like a DRM music download. Maybe they could take a lesson from the music/movie industry.
Actually the physical separation is much more important than just keeping people from sticking the media in the wrong drive. If that was the only issue, they could just color-code the computers and media and probably be OK.
The concern has to do with radiation produced by equipment; classified systems are shielded (sometimes) or kept in shielded rooms (more commonly, because actual shielded equipment is more expensive) with RF chokes on all the lines going in and out. The idea being that you don't want somebody to be able to listen to RF signals that your monitor on your classified system is putting out, by attaching an antenna to the building's cold-water pipe.
Where the problem gets even more complicated is that you can compromise a well-shielded system (one that doesn't radiate any information back into the power lines, etc.) if you put it close to an un-shielded (unclassified) system. The RF being produced by the shielded system will couple to the coils and whatnot in the unshielded system (which doesn't have any fancy chokes on its connections) and now you're back to radiating classified information into the building's power/water grid.
The '3 foot rule' is definitely arbitrary, but apparently it's the distance at which the people who are paid to think about these things believe that a classified system won't interact with an unclassified system and produce any significant radiation back into the building's infrastructure. If it sounds paranoid, that's because it is -- this was all Cold War era research -- but that doesn't mean it's not still true.
You're right though in saying that the artificial division between EMSEC and COMSEC and COMPUSEC is outdated and should be replaced with something more inclusive and relevant; however, the EMSEC precautions aren't completely outdated, and still exist for a reason where classified data is concerned.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Sensitive:
the name of the mole they have in the opposition parties headquarters.
source and destination of slush fund money
the memo stating that the WMDs and terrorist links were bogus and just a trumped up excuse to send billions to Haliburton
the names of US companies sending contraband materials to Iraq, Iran and N. Korea
the plan to use diebold to steal more elections
what they really think about the voters
non-sensitive information:
your name, SSN, mother's maiden name, credit card numbers,
phone conversations, bank account numbers, medical records and job history.
HTH
putting the 'B' in LGBTQ+
So once everyone gets a laptop with an image that has encryption turned on by default, people will feel secure about hauling their laptop around with sensitive data. They will probably even feel secure enough to leave it on the table in the coffee shop while they get a refill, "it will only take a minute."
We all know that there are user friendly apps out there to retrieve data from encrypted files, though it will raise the bar a little.
Using a hardware security device also could lead to a false sense of security, though it could be done properly. These days I have to log in with the aid of a credit card sized one-time key generator. That certainly would deter casual folks getting into government systems, but may be a deal where they are easy to circumvent (running a fat client for example, or an overly simple hardware connection).
The delete after six months thing sounds impossible, and poorly thought out. But some consultants will make a lot of money failing to implement it! Think of it as FDR building the highways, investing in our economy...
Caller: I need help opening a document.
Help Desk: What seems to be the problem?
C: I dunno. I just can't open it.
HD: What format is it?
C: I can't tell. The icon thingy looks weird.
HD: Like a padlock or a safe?
C: Yes! How did you know?
HD: It's encrypted, sir.
C: How do I unencrypt it?
HD: You need your decryption keys. Do you know what those are?
C: Is that the really long number they gave me when I started?
HD: Yes sir. Do you have that?
C: Hold on. I taped it to my monitor.
HD: Stay right where you are, sir. Two gentlemen will be at your desk to *help* you.
C: Gee, thanks. Hey there they are now. Wait. Don't hand cuff me. Ouch! *beep* *beep* *click*
Here will be an old abusing of God's patience and the king's English.
Why is my personal financial information being shared without my expressed, written permission?
Why are financial records not given the same protections as medical records?
I have no real problem with credit reporting agencies. These companies are in general very careful with data. I know that when I interviewed with Equifax I was very, VERY impressed by their security. Several steps to get in...everyone checked on the way out. No laptops/PDA's allowed inside, etc -- and I was just interviewing!
The companies that I have problems with are those like Choicepoint (which, BTW has its HQ right across the street from my office here in Alpharetta, GA). Choicepoint collects data on individuals including SSN's, DOB, account balances, etc. They are not privy to the protections of the Fair Credit Reporting Act (they aren't a credit agency). They mine the data and sell it to the highest bidder, and as we're aware they'll sell it to just about anyone with cash.
And you can't tell me it's compelling interests either that make it permissible. I think there would be a lot to gain by data mining the nation's medical records. It would make medical research much easier as it would allow us to find relationships and trends in various ailments, etc. I'm not saying that it should be allowed, only that there's a double standard involved here that I think should be eliminated. My financial records are no one's business except mine and any creditor looking to give me a loan.
Speaking of which...why do I have to sign a form allowing a lender to check my credit report...while Choicepoint can sell essentially the same information without my permission?
Although this may help prevent massive loss of data as seen recently, it might also reduce transparency in government. This would be a classic security vs. convenience trade-off, but one with potentially larger implications which should be considered.
If you mod me down, I shall become more powerful than you could possibly imagine.
Check the article again, the whole disk encryption requirement is for portable computing devices (laptops and PDAs). Anything that is reasonably expected to stay physically within the walls of your facility is probably exempt. And given what you described, you probably have a very limited number of devices that go in and out your door.
/. If the government wants us to respect the law, it should set a better example.
Why in the world would you want to take home a hard disk full of sensitive information, when you can work on it while it's stored at a remote location? It's called client/server, and we handle data that way at my job, and we're not even techie IT guys - it's just more secure and even we know that. If it's not on your laptop, it ain't gonna get stolen when the laptop is! Instead it's on a server in a locked room with some security around it. You don't need to take my identity home with you so you can get some work done on the freaking beach or while boffing your mistress, OK?
The logo is just on a white (as opposed to transparent) background. Hence, it's a square which happens to cover most of Europe. It had to cover something since the person making the graphic didn't convert the jpg to a tiff or png that has transparent backgrounds.
Likely just an office worker doing something quick in powerpoint without spending a lot of time finessing the thing.
Leave it to slashdot to find something wrong with it. I'll bet there are some typos in there somewhere.
Faster! Faster! Faster would be better!
About 80% of our computers go out the door. They are laptops issued to field agents, special agents, and officers, as well as a smattering of appraisers, engineers, analysts, and more. The whole disk encryption thing is going to be very big for us. It might be easy if it gets well thought through before implementation. It might be a nightmare. I'm uneasy about the near future.
I think it's only fair though that they use my public key to encrypt as well as their own. George Bush wants to snoop around my personal records, then he can bloody well allow me to do the same to him.
Salut,
Jacques
One word: Vista.
Vista comes with total encryption of the OS. Everything. The decryption key and password must be given at boot time or the boot manager can't boot the OS. You can't do that with XP. Anyway, this probably means MS will immediately sell quite a lot of Vista licenses.
Yes, you can do that with Linux but how many agencies run Linux? Also, I'm not sure that even works with Apple's OS.
If my memory serves me correctly, the "official" job of the NSA is to secure other branches of the federal government. Oh wait...must have been checking those illegal phone records and banking transactions.
Too bad Linux, after all these years, still has no workable, viable in the real-world support for disk encryption.
As far as the two-factor authentication. That's probably not going to work either. What they will do is install some kind of card reader or fingerprint scanner or something like that on the machine. The problem is that these devices are installed into Windows. So, sure, you won't be able to log into Windows and get the data but it will still be there on the hard drive. There are dozens of ways of getting around that sort of thing.
If there is a reliable way of putting the authentication mechanism on the actual hard drive, the Fed. Gov't is a long long way from being able to enforce that kind of a requirement.
Of course, if all of the data on the hard drive is encrypted this won't do you any good. You'll still have to break the encryption. But the only reason to implement a security system that is so easy to break is to give the appearance of security so that the completely ignorant perpetrator will give up and say, "oh shoot, I don't have one of those card thingies! I guess I can't log on." Anyone who knows what they're doing won't have any problem getting around this.
Would unbiased or 'perfect' reporting or journalism be recognized if it existed?
No clear measure, no absolute rank, and no proofs.
If you could prove it 100%:
How many people would reject the truth because they could not handle it?
(at least 33% of the USA)
Democracy Now! - uncensored, anti-establishment news
How about this you VA morons, don't have a laptop outside of a secure area with sensitive or higher classification! No remoting into the system and no taking classified laptops out of a classified area. It's that freaking easy. Sure all those servicemembers' personal info is not deemed by the government to be of such a high level of class, but it SHOULD BE. Make it so! I'm in the military and I deal with classifications all day long. The VA should adopt the standards of the rest of the military.
"It's a time machine Napoleon, I bought it online."
Normally you would need something like a 'courier card' to take that much information out of a mil site (even those deemed as sensitive). It would have to be reviewed by a security officer and signed off on. Even then, it would NEVER happen that you would take that laptop home! What kind of stupid #$%^ is that? (The guy who allowed all the info about the servicemembers brought the laptop home). The problem lies in the VA's operating procedures.
"It's a time machine Napoleon, I bought it online."
...was all of the sphincters in the NSA and KGB tightening up!
Libertas in infinitum
To think that government agencies that are already overburdened by humpty-zillion processes and procedures, have antiquated equipment and network infrastructure, etc. will ever be able to start encrypting all the data on their laptops and deploy two-factor authentication is a pipe dream. How do I know? I'm at the bottom of the food chain of a government land management agency. I am unaware of any encryption that is being used on any of our laptops. There is no clear direction on what "sensitive" is, so I agree that we should just encrypt everything. I've heard that keeping a list of your co-workers' birthdays with their consent is sensitive due to the Privacy Act. The laptops we have are used daily in the for collecting resource data about everything from trees to streams to bugs. They are not state of the art and take 10 minutes to boot with all the background processes we have loaded (antivirus scanning, Cisco security agent, etc.). They will be migrating us from Windows 2k to Windows XP in mid 2007 (no sense rushing things). Notice the memorandum didn't come with a check attached. I'm not whining because I know that there is a war to pay for and Katrina was expensive too but at some level these initiatives take dollars in addition to memorandums. In the dozen years I've been with the outfit we have had flat or decreasing budgets every year. We have downsized from 45,000 to 32,000 employees. It will be interesting. So it goes.
The connection is killed after 30 minutes? That's generous.