Slashdot Mirror


White House Demands Encryption for Sensitive Data

An anonymous reader writes "Stung by a series of data losses or disclosures at federal agencies over the past month, the White House is requiring all agencies to follow new guidelines when allowing employees to carry sensitive data on laptops or access the information from afar, according to the Washington Post. From the article: 'To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.'"

20 of 214 comments

  1. Yes but what do you do about... by johnnywheeze · · Score: 5, Insightful

    Those people who have legitimate access to that data leaking the information? Was there a huge wave of hacker activity stealing and disseminating classified material lately? Because I must have missed it.

    Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasance in the Bush administration.

    This doesn't do much to stop this kind of leak, but makes it much easier to track down those who do leak information. I don't think this has as much to do with security, as it does fear and punishment.

    1. Re:Yes but what do you do about... by oddfox · · Score: 4, Insightful

      You know, there was a time when doing that sort of thing was called treason...

      Maybe if this administration was a little more well-liked they'd be able to convince people that the leaking of its shortcomings and bastardization of the law(s) of the land was a real threat. As it stands, the only thing these leaks are doing is proving to your average American that, hey, Bush really is the bastard the ultra-liberals decried him as in the first place.

      --
      "We invented personal computing." - Bill Gates
    2. Re:Yes but what do you do about... by lawpoop · · Score: 3, Insightful

      "or genuinely have no political leanings or agenda (e.g., nobody right now)."

      I don't think that such a perspective is possible. First of all, I've never seen a theory or technique enumerated or even hinted at for achieving a biasless perspective. I can't help but conclude that human communication is inherently biased. Even if there were such a technique, would human organizations be able to achieve that standard with limited time and resources?

      Let's say that you did have a biasless report on something. You still have to present the information in serial order. Which side gets to make the 'first move'? (Whose side is presented first?) Who gets the last word? Who gets more words? Who gets longer quotes?

      --
      Computers are useless. They can only give you answers.
      -- Pablo Picasso
  2. 5 years of "homeland" defense by Anonymous Coward · · Score: 3, Insightful

    numerous data thefts, and we are just now getting around to requiring that we protect our data ??? Makes you wonder exactly what our homeland defense dept. is doing, when it runs Windows, does not push good requirements on computers, and does not even have a place to call them about possible terrorists. Worse, Congress debated over a flag amendment and has been complaining about part of 1 billion wasted during Katrina, but does nothing about our deficits, the corruption, or even the 10s of billions wasted in Iraq (where is the money that was supposed to build up their infrastructure?). God help us.

    1. Re:5 years of "homeland" defense by jimicus · · Score: 4, Insightful
      > Makes you wonder exactly what our homeland defense dept. is doing, when it runs Windows


      At the risk of being labelled a trolling fanboy, there is nothing intrinsically wrong with using Windows (or indeed any given operating system) for a government agency.

      What is intrinsically wrong is not taking some time to investigate the requirements of the agency and configuring things accordingly, instead just throwing a bunch of laptops onto a domain and saying "There y'go".

      It may even be the case that they did configure things accordingly with strong encryption available and everything. But maybe no effort was made to ensure it actually got used. Perhaps strong encryption was used, and effort was made to ensure it worked when accessing databases - but some other application crept in for which it was easier to do a plain-text dump of the database onto an unencrypted area of the disk.

      In any sizeable organisation, desktop IT requirements are very complicated. Just saying "They used Windows. What do you expect?" isn't particularly helpful, and doesn't cut to the root of the problem.
    2. Re: 5 years of "homeland" defense by Black+Parrot · · Score: 1, Insightful

      > There are times that I really think that the word should be changed from "debated", to "debaited".

      Or "masturbated".

      Our country is losing two wars abroad and sliding into a fascist dictatorship at home, and Specter's got nothing better to do than lecture a near-empty chamber about his family history under the pretense of advocating an amendment that serves no purpose but to rally some knee-jerk voters.

      --
      Sheesh, evil *and* a jerk. -- Jade
  3. the real question is, of course by Anonymous Coward · · Score: 4, Insightful

    "The Bush administration is giving federal civilian agencies 45 days to implement new measures to protect the security of personal information that agencies hold on millions of employees and citizens."

    Why would this data be on a laptop in transit in the first place? 15 years ago, I would understand the need to carry a bunch of tapes from location A to location B. With recent advances in networking the utility of carrying around data in a suitcase seems quite elusive.

    1. Re:the real question is, of course by value_added · · Score: 3, Insightful

      > Why would this data be on a laptop in transit in the first place?

      The answer to that question would provide some relevance, context and insight as to why the decision was made. Aside from the obvious, of course.

      I can't quote any specifics, but I remember hearing the tail end of an NPR story on the "laptop" incident mentioned in the article. Seems the person who had the laptop stolen worked for the VA and typically worked in the field and required routine access to a large database of records to verify claims or something similar. The impression I got listening to the story was that it was a case of benign ignorance more than anything else. My guess is that kind of ignorance, both on the part of the laptop owner and his/her agency, wouldn't be unlike the widespread ignorance found in the private sector. I'll resist the too easy Blame Microsoft angle, but we do have a generation of computer users who grew up blissfully unconcerned with such notions of security, so it shouldn't surprise anyone when the folks in charge over-react, or hand down edicts to force everyone into line.

      Government does have a role in setting agendas (ODF is a good example), so I guess this is a good thing. At the very least, it raises awareness.

  4. They delete THEIR downloads after 90 days... by Opportunist · · Score: 4, Insightful

    ...and require that ours are kept stored for months or years, or even "forever"? Is it me or is something running very wrong here?

    As far as I know, the founding fathers tried to protect the people from their government, fearing that it might turn one day against them. I think it's time to put this in practice. Not the government has to monitor its people, it is to be done the other way around.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Re:And the real question is... by OpenSourced · · Score: 4, Insightful

    > Why wasn't all these measures mandatory before?

    Because most of it is unenforceable, and certainly doesn't cover the entirety of the problem. Let's check it point by point.

    > 1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;

    So basically ALL data will be sensitive. We're no longer talking about CIA operatives or Pentagon generals with state secrets under the arm. It's the secretary of the editor of the "Golden Days" monthly that will access the name of one of the retirees it serves from her son-in-law's computer to see why Ms. Applewhite didn't receive her beloved issue last month. The secretary is not only not going to encrypt the data, she's blissfully unaware that her son-in-law's hard disk is completely shared on eMule due to her son-in-law's imperfect grasp of eMule's share facility.

    > 2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;

    Yeah, sure. I guess somebody is underestimating the ubiquity of data communications nowadays. Or thinking still about CIA operatives mainly.

    > 3. Use a "time-out" function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity

    Now this one is probably going to be widely enforced, it'll be simple to do.

    > 4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.

    The logging will be made, usually. But how about the verification, I mean, in some places Harvest will really be plentiful, and the Laborers??? few, if any. Who's going to check all those accesses and what happened of the data? And even if they do, what about the son-in-law's shared hard drive? I mean, what about other copies that could have been done, printed, etc. from that original data. Printouts in the garbage are still one of the better ways of getting confidential data. What about flash memories in the workplace. Remember that story about the trojan-seeded flash drives scattered by the entrance of some government office building? Or Los Alamos missing hard drives? The data security problem is certainly not going to be solved by a four-points note from the White House.

    Basically this note is just a paper that says that a) The White House is trying hard to address this problem. b) Now you know who to blame (usually the overworked DBA) if anything important gets copied and hits the news.

    --
    Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
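
The fourth memo requirement quoted in the comment above (log every extract, then verify it was erased within 90 days or is still required) reduces to a check that can run over the extract log itself. The following is an added example, not part of the original thread or of any agency system; the CSV columns, status names and sample records are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# The 90-day limit is the figure quoted from the memo; everything else
# here (column names, status labels) is an assumed format for illustration.
RETENTION = timedelta(days=90)

# Constructed sample log: one row per data extract from a sensitive database.
SAMPLE_LOG = """\
extract_id,user,source_db,extracted_on,erasure_verified_on,still_required_by
E-001,asmith,claims,2006-03-01,2006-04-15,
E-002,bjones,claims,2006-03-01,,
E-003,cdoe,benefits,2006-03-10,,supervisor-17
E-004,dlee,benefits,2006-06-01,,
E-005,ekim,claims,2006-02-01,2006-06-20,
"""


def parse_day(text):
    """Return a date for an ISO string, or None for an empty field."""
    text = text.strip()
    return date.fromisoformat(text) if text else None


def classify(row, today):
    """Classify one extract record against the 90-day rule."""
    extracted = parse_day(row["extracted_on"])
    verified = parse_day(row["erasure_verified_on"])
    deadline = extracted + RETENTION

    if verified is not None:
        if verified < extracted:
            return "INVALID"          # erasure dated before the extract existed
        # Erasure was verified: was it inside the window?
        return "ERASED" if verified <= deadline else "ERASED_LATE"
    if row["still_required_by"].strip():
        return "RETAINED"             # someone signed off that use is still required
    # Neither erased nor justified: only a problem once the window has closed.
    return "OVERDUE" if today > deadline else "PENDING"


def audit(log_text, today):
    """Map extract_id -> status for every row in the log."""
    reader = csv.DictReader(io.StringIO(log_text))
    return {row["extract_id"]: classify(row, today) for row in reader}


def needs_attention(log_text, today):
    """Extract ids a reviewer has to chase: missed or invalid verifications."""
    bad = {"OVERDUE", "ERASED_LATE", "INVALID"}
    return sorted(k for k, v in audit(log_text, today).items() if v in bad)


if __name__ == "__main__":
    audit_day = date(2006, 6, 27)     # constructed audit date
    for extract_id, status in audit(SAMPLE_LOG, audit_day).items():
        print(extract_id, status)
    print("follow up:", needs_attention(SAMPLE_LOG, audit_day))
```

The check only covers copies the log knows about; printouts and secondary copies, which the comment raises, never appear in it.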
  6. In related news... by damburger · · Score: 3, Insightful

    "Stung by a series of U-Boat losses, the Kriegsmarine is requiring all agencies to follow new guidelines regarding the Enigma code."

    Seriously, the US government is only just figuring out what encryption is for? Exactly how incompetent are they?

    And before you get comfortable laughing at these people, consider for a second how dumb you must be to let these same people hoover up all your civil liberties...

    --
    If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
  7. Re:And the real question is... by arivanov · · Score: 5, Insightful
    > Yeah, sure. I guess somebody is underestimating the ubiquity of data communications nowadays. Or thinking still about CIA operatives mainly.

    The kit in question is available from a number of vendors. I got one with me from Aladdin marketed under the name of eToken, supports standard x509 certificates and if it will be bought in the quantities .gov will buy it the price will be in the sub 10$ range. It is only moderately more expensive now.

    Works with nearly all OS-es: Mac, Winhoze, Linux, *BSD. It is about one quarter the size of an average USB key and has RSA engine on board. Once you have written the private key on it there is no way to retrieve it. All RSA ops are performed on the key.

    Add to that the fact that all modern laptops and most recent desktops have TPM. You can use that for similar purposes.

    In fact, the problem is not in the tokens and dongles. There are plenty of these on the market. The problem is how to handle certificate infrastructure and trust levels on the level of millions of certificates especially revocation. Now how .gov handles that will be interesting to watch.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  8. Only a matter of time... by tonan · · Score: 3, Insightful

    Before regular users who need to abide by this policy circumvent or abuse this policy. Meaning data will still reside on laptops unencrypted because users don't see the need for additional protections. ("I keep my laptop secure!")

    You can put all the security you want on databases, firewalls, and file servers. But in the end, users still need to access that data. Therefore, accidental (or otherwise) leakage of info by a consumer of this data is the main risk of disclosure, not a hacker. We need to have better IA (Information Awareness) training first, and remind users of their duties to keep this information secure. Another layer of protection won't work if users don't understand how important it is to secure this data.

  9. Data management.... by Savage-Rabbit · · Score: 3, Insightful
    > Those people who have legitimate access to that data leaking the information? Was there a huge wave of hacker activity stealing and disseminating classified material lately? Because I must have missed it.

    > Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasance in the Bush administration.

    > This doesn't do much to stop this kind of leak, but makes it much easier to track down those who do leak information. I don't think this has as much to do with security, as it does fear and punishment.

    I am no Neocon and I usually don't agree with Mr Bush and his crowd on anything at all but this time I fail to see what the fuss is about. They are planning to:
    • Encrypt all sensitive data on laptops and PDAs.
    • Drastically harden authentication methods and make damn sure idle connections are severed.
    • Make damn sure sensitive information is not left lying around on hard drives all over the place thus decreasing the likelihood of it ending up in the hands of people it wasn't intended for by accident. In short they plan to drastically improve the management of sensitive data.
    In my humble opinion these are all pretty reasonable and sensitive measures for any government to take. My only question is: Why wasn't this done many years ago? These are measures major corporations have considered standard for years in order to thwart industrial espionage. I am quite frankly flabbergasted at what the article seems to imply, which is that US officials, military bigwigs and intelligence people have been traveling all over the USA and the rest of the world for that matter carrying unencrypted sensitive data on their WinDell laptops.
    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
  10. So that's how it is... by Cheerio+Boy · · Score: 5, Insightful

    They need encryption for their security but we can't have it for our privacy.

    (And yes I'm well aware that nothing is forcing us in the US to hand over our encryption yet but don't worry it'll probably happen sooner than you expect.)

    One law for the king and another for the people. We can't live like that...

    --

    "Bah!" - Dogbert
  11. Re:Oh, lookie here by rahrens · · Score: 4, Insightful

    P2P apps are not allowed in my Agency. They probably included this as an explanation for why; specific apps are not necessary for the explanation to be valid.

    Since a LOT of people use P2P for pirating copyrighted material, that is also a valid statement. Just because it's not ALWAYS used illegally, does not invalidate this statement for their purposes.

    DOD is a BIG agency, with a lot of employees. It's likely that many of them have routers capable of wireless transmission, but not new enough to use WPA. To enable the most people to be able to connect remotely, WEP is allowed. Notice that recent loss of laptops with sensitive info did NOT include DOD, nor did they include actual CLASSIFIED material. That stuff is covered under a whole different, and MUCH stricter, set of rules!

    3 foot space? Covered adequately by other posters who know more about it than I do.

    A LOT of people lose laptops. Civilians, government workers, and military. This statement is there for obvious reasons. People always need to be reminded, plus, statements like this are needed to remind employees that their employer thinks the issue is important. You cannot just take it for granted that people will just magically understand how you think. In addition, if this is included in such a presentation as this an employee can't later claim that he/she wasn't told! It's therefore a CYA for the organization.

    My own agency uses a total encryption program that encrypts the entire HD. We take nothing for granted. Employees have no choice, laptops are issued this way. You don't like it, you don't get a laptop. We use a two step authentication procedure for remote connections, in fact, everything this article says the White House is demanding, my agency has been doing for over two years.

    Has it cost a lot? Yes, this stuff isn't cheap. Is it worth it? Yes, you won't see my group in the news like this!

    Does info get out in ways accessible to potential thieves? Probably, we have over 10,000 employees; it's hard to control the actions of that many people, and information can be copied in so many ways. But we do what we can; we only allow the use of encrypted laptops, desktops that are allowed home are also encrypted this way, too. As mentioned, two step authentication, firewalls, 24/7 firewall/WAN monitoring for suspicious activity. If a machine is caught broadcasting packets identified as coming from prohibited software, a technician is dispatched to remove it. User has no choice. Desktops are locked down, and special permission is required from a committee to allow local admin control for any user. Users can't even install their own local printers!

    Users are required to review an annual Information Security Awareness presentation, via the intranet, so we can monitor compliance. If you don't view it within a certain time frame, your account is automatically disabled, and you then need special permission from an Associate Commissioner to get reconnected without viewing the show! This guarantees management attention to your failure to follow security procedures!

    I have only touched on the most obvious arrangements, there are a lot of others that I can't reveal - I'd have to shoot all of you! I'm sure that there are others I don't know.

    Does all of this guarantee we won't see a breach? No, I'm sure it doesn't. But it makes it much more likely that if one occurs, the headlines will make note of an employee that broke procedure and did something to get around agency safeguards, and will eventually report his/her prosecution.

    We are not perfect, and we'll be the first to admit that. We ARE human, after all. (gasp!) BUT, just because we get our paychecks from Uncle Sugar doesn't mean we left our brains at the door.

    Some agencies use the budget Congress gives us to do our jobs, and we try to do them without being told. We even try to close the barn door BEFORE the cow gets out!

    I know that's a shock to some of you, but we really do try, and we most often get it right. You only read about it when we don't...

    --
    "Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein
  12. Re:And the real question is... by Raphael · · Score: 2, Insightful
    > Why wasn't all these measures mandatory before?

    > Because most of it is unenforceable, and certainly doesn't cover the entirety of the problem. Let's check it point by point.

    I disagree. I work for a rather large company in which the average employee is probably dealing with less sensitive data than the average White House employee. Yet we have a policy that requires all laptop hard disks to be encrypted (regardless of what is stored on them), all remote logins to use two-factor authentication, etc. These are basic security rules that every company (large or small) should apply.

    > 1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;

    > So basically ALL data will be sensitive. We're no longer talking about CIA operatives or Pentagon generals with state secrets under the arm. It's the secretary of the editor of the "Golden Days" monthly that will access the name of one of the retirees it serves from her son-in-law's computer to see why Ms. Applewhite didn't receive her beloved issue last month. The secretary is not only not going to encrypt the data, she's blissfully unaware that her son-in-law's hard disk is completely shared on eMule due to her son-in-law's imperfect grasp of eMule's share facility.

    I think that adding an exception for non-sensitive data is stupid. All data on mobile computers/devices should be encrypted, period. If you have a laptop that could be used to store potentially confidential data (even if it does not contain confidential data right now), then there is no good reason to leave the hard disk unencrypted. Yes, this includes the secretary's laptop, USB disks, etc. And if that secretary takes the laptop that she uses at the White House and allows her son to access it (despite the user account password and disk encryption password), then she should be fired. The laptop does not belong to the secretary; it belongs to her employer and it is very likely that she had to sign a clause stating that she will not allow unauthorized persons to use her account and other credentials. Also, the laptop should not allow connections to an untrusted network.

    > 2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;

    > Yeah, sure. I guess somebody is underestimating the ubiquity of data communications nowadays. Or thinking still about CIA operatives mainly.

    What's wrong with that? The "ubiquity of data communications" is only true if you have a rather open environment. But if the internal network of your department or company is isolated from other networks or uses a firewalled network that severely limits both the inbound and outbound traffic, then the requirement to use two-factor authentication makes sense.

    If all employees only have a limited access to the web and e-mail through filtering proxies and servers, then it is possible to check for suspicious activities such as people trying to establish reverse HTTP tunnels and other tricks. It is still possible for some covert channels to be established by insiders, but at least the risks are much lower than with a wide open network. Once you have a reasonably secure network, you should be careful about any access from the outside. If you only rely on a password or on a token that can be stolen, there is a risk that an external attacker can access the network and transfer a lot of data before the problem is detected. This is where the two-factor authentication is useful: it lowers the risks of external attacks.

    In summary, these requirements make sense and are already common practice in the industry. I am wondering why such a basic policy has not been enforced much earlier.

    --
    -Raphaël
  13. It still won't matter by neonprimetime · · Score: 2, Insightful

    > White House Demands Encryption for Sensitive Data

    It still won't matter. Just look for the yellow post-it note with the password stuck on the monitor, under the keyboard, or under the mouse pad.

  14. Privacy by bmh129 · · Score: 2, Insightful

    As Jon Stewart said on the Daily Show, "It's nice to see they're protecting their privacy."

  15. Re:And the real question is... by WuphonsReach · · Score: 2, Insightful

    > And the real question is: Why wasn't all these measures mandatory before? Did noone thought of the potential problem of a user going home with his laptop before?

    - Because encryption is a black art (and a dirty word) to a lot of people. I've had people tell me that they don't want to own books on crypto or have crypto software on-hand because it will make them look like they have something (evil / illegal) to hide. Makes me sad as a patriot...

    - Because it's easier to keep your head in the sand regarding security threats than to take action? After all, if something happens you can use the "ignorance" defense and get off with a slap on the wrist.

    - Because key management is hard? As in, difficult to implement correctly.

    - Because on-the-fly encryption imposes a performance hit on the laptop? This is finally getting to the point where it's not as much of an obstacle as it used to be. AES encryption on notebook CPUs in the last few years can easily keep up with the hard drive without using up all of the CPU power (the drive is the bottleneck, not the encryption by the CPU). But it still cuts down on battery life.

    --
    Wolde you bothe eate your cake, and have your cake?