White House Demands Encryption for Sensitive Data
An anonymous reader writes "Stung by a series of data losses or disclosures at federal agencies over the past month, the White House is requiring all agencies to follow new guidelines when allowing employees to carry sensitive data on laptops or access the information from afar, according to the Washington Post. From the article: 'To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.'"
> The Nixon parallels are staggering.
Bush makes Nixon look like a choirboy.
Sheesh, evil *and* a jerk. -- Jade
I don't know how other departments and agencies deal with their networks, but all P2P software is banned from our machines (Air Force), and all known P2P/BitTorrent ports are blocked through our firewall. All client computers are scanned for illegal software (which includes Google Earth and iTunes) on a regular basis, and the local Information Protection Office will let you know if you are in violation.
The 3-foot rule is an old EMSEC (Emissions Security) rule that seems a bit outdated. It's supposed to prevent signal emissions of hard-wired machines from being interfered with or being collected by other devices. I know it sounds ridiculous, but the program is old and outdated.
Overall, that PDF slideshow is not a very good IA training tool. They probably don't even use that anymore, or it's only used by a small group of people. The link at the end of the document brings you to a course completion page that shows the date of the program as 2004. You guys might not be able to see the site if you are not on a .mil/.gov computer.
IA training is mandatory for all users of DoD client machines, but the DoD networks have many other safeguards to protect information. As always, a security policy is only as strong as the people abiding by it, so IA training tries to lessen the risk of information leaking out due to poor information protection by the user.
That's why the military has already rolled out their own PKI infrastructure with smart cards and all. Creation of the cards is done by a trusted source, meaning your keys are trusted. The keys on board are only available once you enter your PIN and badda-bing. Pretty much gone are the days of the old green military ID card.
No. It might have qualified as sedition, under the Alien and Sedition Acts of 1798 or the Sedition Act of 1918... ... But the first was overturned by the Supreme Court and the second was repealed by Congress.
I find that most people who throw about the word "treason" don't actually comprehend what it encompasses, nor do they understand the historical & legal background.
To commit treason someone has to overtly and willfully cooperate with an enemy, to overthrow the gov't. Anything else gets treated as espionage, since sedition laws are nonexistent.
You show me how leaks to American newspapers qualify as overt and willful cooperation with "the enemy" and we can talk treason; until then, please refrain from echoing the ignorant statements of others.
dod has rolled out a common access card with smart chip for the past 3+ years at least. recently, a cac-only login has been enforced in active directory and group policy for all of the army domains. i'm not too sure on how they manage certificates, but i can speak for how fast preemptive measures can happen. one guy in my unit had something negative appear on his clearance - someone forged his identity and opened up some credit accounts one weekend... as a result, his account was disabled by the time we got back to work on monday while they investigated the incident.
as far as cert revocation, it's a bit naive to think that their authentication systems are offline most of the time. if any system is offline, it's because it's not mission critical. i can assure you that the cio/g6 definitely considers user authentication to be a mission critical application.
i'm also not all that knowledgeable about submarine operations, but i do know that pretty much every unit (land, sea, air) has multiple forms of communication on board (satcom, vhf, microwave, hard line, etc.) all of which can be encrypted and all of which can be tunnelled through for secure transmissions using any protocol. communication is paramount to the military to function properly. believe me, all of your doubts have been considered.
Despite his having been retired, when I read it, he still wasn't sure how the man was issued an active ID for a retired officer.
Retired military are generally still issued a military ID, giving them access to base hospitals, the PX/BX, etc. There's a difference between someone who's simply a veteran and someone who's stayed in for 20 years and retired.
If a job's not worth doing, it's not worth doing right.
Pick any very large corporation that provides any measure of benefits for employees. Chances are good, if that corp is big enough, that it's currently under some kind of audit by the Internal Revenue Service. If so, there's a strong possibility that some portion of the examination is looking at the benefits plans provided to the employees. In that case, there is a laptop at the IRS, belonging to the Employee Plans Revenue Agent on the case, that contains the W-2 records of every single employee of that corporation for the last several years. That data is being poured into spreadsheets, analyzed, and moved around every which way. The one I installed yesterday had about 3.5 uncompressed CDs worth of data just to contain the wage data of the single primary taxpayer under examination.
Yeah, there's plenty of reason for sensitive but unclassified data to be sitting on a laptop being carried around the country by an Agent. Happens all the time, and justifiably so.
BTW, such data is required to be kept in an EFS folder at all times. That keeps it fairly safe, I'd say. It's certainly safe from the average idiot who breaks into your trunk and steals your laptop case while you're out in the field, eating lunch at some restaurant. And that, btw, is the single most common data loss scenario I've run across in the last half-dozen years.
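As an added example (not from the comment above or from any agency's own tooling), here is a PowerShell check that audits a working folder like the one described and reports any file that does not carry the NTFS Encrypted attribute, i.e. that EFS is not protecting. It assumes a Windows host with NTFS; the folder path is a placeholder.

```powershell
# Added example: audit a folder for files that are not EFS-encrypted.
# Assumes Windows/NTFS and PowerShell 5 or later. The default path is a placeholder.
param(
    [string]$Root = "C:\Cases\SBU"   # assumed placeholder for the case-data folder
)

function Get-UnencryptedFiles {
    param([string]$Path)
    # The Encrypted attribute is set by NTFS on every file EFS protects,
    # so a file without it is stored in plaintext on disk.
    Get-ChildItem -Path $Path -File -Recurse -Force |
        Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }
}

$plain = @(Get-UnencryptedFiles -Path $Root)
if ($plain.Count -gt 0) {
    Write-Warning ("{0} file(s) under {1} are not EFS-encrypted:" -f $plain.Count, $Root)
    $plain | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Host "All files under $Root carry the Encrypted attribute."
}

# Also confirm the folder itself is an EFS folder, so new files inherit encryption
# instead of depending on someone remembering to encrypt each one.
$dir = Get-Item -Path $Root
if (-not ($dir.Attributes -band [System.IO.FileAttributes]::Encrypted)) {
    Write-Warning "$Root is not marked Encrypted; files created here will not be encrypted automatically."
}
```

Run it as the account that owns the data; the built-in `cipher /c` on the same folder gives the equivalent listing. EFS's file keys are wrapped with a certificate whose private key is protected by the user's Windows logon credentials (DPAPI), so against an opportunistic thief with a powered-off laptop its strength rests on that account password and on the absence of a plaintext cache elsewhere (temp files, swap, spreadsheet autosaves outside the folder), which is why the folder-level check above matters as much as the per-file one.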