Slashdot Mirror
White House Demands Encryption for Sensitive Data
An anonymous reader writes "Stung by a series of data losses or disclosures at federal agencies over the past month, the White House is requiring all agencies to follow new guidelines when allowing employees to carry sensitive data on laptops or access the information from afar, according to the Washington Post. From the article: 'To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.'"
Those people who have legitimate access to that data leaking the information? Was there a huge wave of hacker activity stealing and disseminating classified material lately? Because I must have missed it.
Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasence in the Bush administration.
This doesn't do much to stop this kind of leak, but makes it much easier to track down those who do leak information. I don't think this has as much to do with security, as it does fear and punishment.
"The Bush administration is giving federal civilian agencies 45 days to implement new measures to protect the security of personal information that agencies hold on millions of employees and citizens."
Why would this data be on a laptop in transit in the first place? 15 years ago, I would understand the need to carry a bunch of tapes from location A to location B. With recent advances in networking the utility of carrying around data in a suitcase seems quite elusive.
...and require that ours are kept stored for months or years, or even "forever"? Is it me or is something running very wrong here?
As far as I know, the founding fathers tried to protect the people from their government, fearing that it might turn one day against them. I think it's time to put this in practice. Not the government has to monitor its people, it is to be done the other way around.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Why wasn't all these measures mandatory before?
Because most of it is unenforceable, and certainly doesn't cover the entirety of the problem. Let's check it point by point.
1. Encrypt all data on mobile computers/devices which carry agency data unless the data
is determined to be non-sensitive, in writing, by your Deputy Secretary or an
individual he/she may designate in writing;
So basically ALL data will be sensitive. We're not longer talking about CIA operatives or Pentagon generals with state secrets under the arm. It's the secretary of the editor of the "Golden Days" monthly that will access the name of one of the retirees it serves from her son-in-law's computer to see why Ms. Applewhite didn't receive her beloved issue last month. The secretary is not only not going to encrypt the data, she's blissfully unaware that her son-in-law hard disk is completely shared on eMule due to her son-in-law's imperfect grasp of eMule's share facility.
2. Allow remote access only with two-factor authentication where one of the factors is
provided by a device separate from the computer gaining access;
Yeah, sure. I guess somebody is underestimating the ubiquity of data communications nowadays. Or thinking still about CIA operatives mainly.
3. Use a "time-out" function for remote access and mobile devices requiring user re-
authentication after 30 minutes inactivity
Now this one is probably going to be widely enforced, it'll be simple to do.
4. Log all computer-readable data extracts from databases holding sensitive information
and verify each extract including sensitive data has been erased within 90 days or its
use is still required.
The logging will be made, usually. But how about the verification, I mean, in some places Harvest will really be plentiful, and the Laborers??? few, if any. Who's going to check all those accesses and what happened of the data? And even if they do, what about the son-in-law's shared hard drive? I mean, what about other copies that could have been done, printed, etc. from that original data. Printouts in the garbage are still one of the better ways of getting confidential data. What about flash memories in the workplace. Remember that story about the trojan-seeded flash drives scattered by the entrance of some goverment office building? Or Los Alamos missing hard drives ? The data security problem is certainly not going to be solved by a four-points note from the White House.
Basically this not is just a paper that says that a) The White House is trying hard to address this problem. b) Now you know who to blame (usually the overworked DBA) if anything important gets copied and hits the news.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
The kit in question is available from a number of vendors. I got one with me from Aladin marketed under the name of eToken, supports standard x509 certificates and if it will be bought in the quantities .gov will buy it the price will be in the sub 10$ range. It is only moderately more expensive now.
Works with nearly all OS-es: Mac, Winhoze, Linux, *BSD. It is about one quarter the size of an average USB key and has RSA engine on board. Once you have written the private key on it there is no way to retrieve it. All RSA ops are performed on the key.
Add to that the fact that all modern laptops and most recent desktops have TPM. You can use that for similar purposes.
In fact, the problem is not in the tokens and dongles. There are plenty of these on the market. The problem is how to handle certificate infrastructure and trust levels on the level of millions of certificates especially revocation. Now how .gov handles that will be interesting to watch.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
At the risk of being labelled a trolling fanboy, there is nothing intrinsically wrong with using Windows (or indeed any given operating system) for a government agency.
What is intrinsically wrong is not taking some time to investigate the requirements of the agency and configuring things accordingly, instead just throwing a bunch of laptops onto a domain and saying "There y'go".
It may even be the case that they did configure things accordingly with strong encryption available and everything. But maybe no effort was made to ensure it actually got used. Perhaps strong encryption was used, and effort was made to ensure it worked when accessing databases - but some other application crept in for which it was easier to do a plain-text dump of the database onto an unencrypted area of the disk.
In any sizeable organisation, desktop IT requirements are very complicated. Just saying "They used Windows. What do you expect?" isn't particularly helpful, and doesn't cut to the root of the problem.
They need encryption for their security but we can't have it for our privacy .
(And yes I'm well aware that nothing is forcing us in the US to hand over our encryption yet but don't worry it'll probably happen sooner than you expect.)
One law for the king and another for the people. We can't live like that...
"Bah!" - Dogbert
P2P apps are not allowed in my Agency. They probably included this as an explanation for why; specific apps are not necessary for the explanation to be valid.
Since a LOT of people use P2P for pirating copyrighted material, that is also a valid statement. Just because its not ALWAYS used illegally, does not invalidate this statement for their purposes.
DOD is a BIG agency, with a lot of employees. It likely that many of them have routers capable of wireless tramsmission, but not new enough to use WPA. To enable the most people to be able to connect remotely, WEP is allowed. Notice that recent loss of laptops with sensitive info did NOT include DOD, nor did they include actual CLASSIFIED material. That stuff is covered under a whole different, and MUCH stricter, set of rules!
3 foot space? Covered adequately by other posters who know more about it than I do.
A LOT of people lose laptops. Civilians, government workers, and military. This statement is there for obvious reasons. People always need to be reminded, plus, statements like this are needed to remind employees that their employer thinks the issue is important. You cannot just take it for granted that people will just magically understand how you think. In addition, if this is included in such a presentation as this an emnployee can't later claim that he/she wasn't told! It's therefor a CYA for the organization.
My own agency uses a total encryption program that encrypts the entire HD. We take nothing for granted. Employees have no choice, laptops are issued this way. You don't like it, you don't get a laptop. We use a two step authentication procedure for remote connections, in fact, everything this article says the White House is demanding, my agency has been doing for over two years.
Has it cost a lot? Yes, this stuff isn't cheap. Is it worth it? Yes, you won't see my group in the news like this!
Does info get out in ways accessible to potential thieves? Probably, we have over 10,000 employees; it's hard to control the actions of that many people, and information can be copied in so many ways. But we do what we can; we only allow the use of encrypted laptops, desktops that are allowed home are also encrypted this way, too. As mentioned, two step authentication, firewalls, 24/7 firewall/WAN monitoring for suspicious activity. If a machine is caught broadcasting packets identified as coming from prohibited software, a technician is dispatched to remove it. User has no choice. Desktops are locked down, and special permission is required from a committee to allow local admin control for any user. Users can't even install their own local printers!
Users are required to review an annual Information Security Awareness presentation, via the intranet, so we can monitor compliance. If you don't view it within a certain time frame, your account is automatically disabled, and you then need special permission from an Associate Commissioner to get reconnected without viewing the show! This guarantees management attention to your failure to follow security procedures!
I have only touched on the most obvious arrangements, there are a lot of others that I can't reveal - I'd have to shoot all of you! I'm sure that there are others I don't know.
Does all of this guarantee we won't see a breach? No, I'm sure it doesn't. But it makes it much more likely that if one occurs, the headlines will make note of an employee that broke procedure and did something to get around agency safeguards, and will eventually report his/her prosecution.
We are not perfect, and we'll be the first to admit that. We ARE human, after all. (gasp!) BUT, just because we get our paychecks from Uncle Sugar doesn't mean we left our brains at the door.
Some agencies use the budget Congress gives us to do our jobs, and we try to do them without being told. We even try to close the barn door BEFORE the cow gets out!
I know that's a shock to some of you, but we really do try, and we most often get it right. You only read about it when we don't...
"Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein