White House Demands Encryption for Sensitive Data

An anonymous reader writes "Stung by a series of data losses or disclosures at federal agencies over the past month, the White House is requiring all agencies to follow new guidelines when allowing employees to carry sensitive data on laptops or access the information from afar, according to the Washington Post. From the article: 'To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.'"

And the real question is...

[Pieroxy]

And the real question is: Why wasn't all these measures mandatory before? Did noone thought of the potential problem of a user going home with his laptop before?

Re:And the real question is...

[jascat]

Counter-point:

1. It sounds as though they are talking about classification here. There is a such thing as "Sensitive but Unclassified". Also, personal information gets protection under the Privacy Act of 197-something. Anyhow, it isn't as serious as you make it out. The stuff that is classified is protected at a whole different level.

2. No, they are saying that if you're going to connect to their network, you're going to have to do it with approved systems and use their authentication and it will all probably be through an approved, encrypted VPN. I know that the DoD has made a push over the last few years to replace the ID cards with smart card IDs with PKI certs embedded on them. These tie into the PKI infrastructure that has been rolled out and although it's taken a few years to get going, we're finally seeing it become a reality...you know, where it's becoming mandatory to log on using your card, sign emails, etc etc.

3. Well, it's all enforceable. That's the beauty of a government owned network. If they catch you not following their rules, they can fire you or even go so far as to prosecute you. Why not? You could be a terrorist! *gasp*

4. I agree with you here. Logs are great and all, but having a great gob of logs doesn't do you much at all. I wish them luck trying to go back to find a single transaction from 89 days ago.

Re:And the real question is...

[me-g33k]

Actually it goes one level deeper. It's not just the access to the information but the ability to properly classify and then enforce document controls. If you think in terms of the old paper methods, there were entire sub-organizations dedicated to the publication of information and its maintenance and management. When everything started to go digital, those roles and processes seemed to have been lost in the translation. Factor in the constantly decreasing cost of storage and we see the glut of 'stuff' that exists in storage silos all over the place. Granted that Gov and Mil are usually better at classifying their information but the access vectors to this information has changed. We no longer have to walk into a public building and sign in to get paper (although a digital simulacrum pervades) it's posted and made readily available. This is in the 'finished' incarnation of the document. How about the 'in progress' work? Which is one of the locuses of the issue at hand. People taking work out of their office environments into the 'wild'. I HATE to say it but this is where DRM would be useful. Tied to roles and responsibility defined (hopefully) in a rational directory, document destruction could be automated. That leads me to another research question; Does TPM have a handshake with DRM?

Oh, lookie here

Speaking of which, you should probably get a glimpse at what Google .Gov dragged up.

Not "requirements"

[Black+Parrot]

Just "recommendations".

Which means this is likely to have zip for effect.

Re:Yes but what do you do about...

[RobotRunAmok]

As it stands, the only thing these leaks are doing is proving to your average American that, hey, Bush really is the bastard the ultra-liberals decried him as in the first place.

Except that the "average American" is not quite as "average" as the classist ultra-liberals envision him. What it really does is cause the "NASCAR Dads" and "Soccer Moms" to get even more disgusted with the mainstream news spigots and start seeking less-biased and more representative sources. That, of course, can only hurt the bottom lines of the Old Guard.

To successfully compete with an Internet across which one can aggregate news (and opinions) from all over the political spectrum, a traditional mainstream outlet will have to either clearly claim allegiance to one pole (e.g., Fox News) or genuinely have no political leanings or agenda (e.g., nobody right now). The days in which an outlet can pose as unbiased while actually trying to manipulate opinion with stories slanted either left or right are dwindling, or so say the accountants...

Beware, too

[smittyoneeach]

the Law of Obstructive Conformity[1] which says that, given a sufficiently large ruleset, one can always locate a way to destroy any hope of mission accomplishment.

Beset with yet another layer of Policies, Programs, and Procedures the things a bureaucracy will need are:

feasibility studies

staffing increases

training

miscellaneous budget increases

Does anyone know the source of that quote in the Civilization IV game:

The bureaucracy is expanding to meet the needs of an expanding bureaucracy.

[1] I am making this up.