Slashdot Mirror
White House Demands Encryption for Sensitive Data
An anonymous reader writes "Stung by a series of data losses or disclosures at federal agencies over the past month, the White House is requiring all agencies to follow new guidelines when allowing employees to carry sensitive data on laptops or access the information from afar, according to the Washington Post. From the article: 'To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.'"
And the real question is: Why wasn't all these measures mandatory before? Did noone thought of the potential problem of a user going home with his laptop before?
Write boring code, not shiny code!
Speaking of which, you should probably get a glimpse at what Google .Gov dragged up.
Why has this not been done before? But let me guess the encryption is ROT13.
Those people who have legitimate access to that data leaking the information? Was there a huge wave of hacker activity stealing and disseminating classified material lately? Because I must have missed it.
Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasence in the Bush administration.
This doesn't do much to stop this kind of leak, but makes it much easier to track down those who do leak information. I don't think this has as much to do with security, as it does fear and punishment.
numerous data thefts, and we are just now getting around to requiring that we protect our data ??? Makes you wonder exactly what our homeland defense dept. is doing, when it runs Windows, does not push good requirements on computers, and does not even have a place to call them about possible terrorists. Worse, congress debated over a flag admendment and has been complaigning about part of 1 billion wasted during katrina, but does nothing about our deficts, the corruption, or even the 10s of billions wasted in iraq (where is the money that was suppose to build up their infrastructure?). God help us.
"The Bush administration is giving federal civilian agencies 45 days to implement new measures to protect the security of personal information that agencies hold on millions of employees and citizens."
Why would this data be on a laptop in transit in the first place? 15 years ago, I would understand the need to carry a bunch of tapes from location A to location B. With recent advances in networking the utility of carrying around data in a suitcase seems quite elusive.
Just "recommendations".
Which means this is likely to have zip for effect.
Sheesh, evil *and* a jerk. -- Jade
...and require that ours are kept stored for months or years, or even "forever"? Is it me or is something running very wrong here?
As far as I know, the founding fathers tried to protect the people from their government, fearing that it might turn one day against them. I think it's time to put this in practice. Not the government has to monitor its people, it is to be done the other way around.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"Stung by a series of U-Boat losses, the Kriegsmarine is requiring all agencies to follow new guidelines regarding the Enigma code."
Seriously, the US government is only just figuring out what encryption is for? Exactly incompetent are they?
And before you get comfortable laughing at these people, consider for a second how dumb you must be to let these same people hoover up all your civil liberties...
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
> Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasence in the Bush administration.
TFA (which I read for a change) says this is about the leaks of personal identity information.
Sheesh, evil *and* a jerk. -- Jade
OMFG!!! By publishing this information the media is helping the terrorists! How will we ever win the wars on terror like this? I'm offended! There are folks that want to kill people out there!!!
The Farewell Tour II
The government finally lost it's war with common sense. At least, in this case.
Great Intellect...
> The Nixon parallels are staggering.
Bush makes Nixon look like a choirboy.
Sheesh, evil *and* a jerk. -- Jade
It actually makes sense!
I think the DISA made quite a large freudian slip on page 43. Here's a screenshot. Are they trying to tell us something?
May the Maths Be with you!
A. Practical Solutions:
1. As every agent who possesses sensitive information leaves office, shoot him.
2. Destroy his/her/it's laptop.
B. Impractical solutions:
1. Build a new proprietary operating system for secret agents.
2. Build proprietary hardware for them.
3. Build scretive, propriateary network cards, that operate on proprietary, unpublished protocols.
If neither Plan A or B seems workable, post Ask Slashdot for ideas!
-
If you keep throwing chairs, one day you'll break windows....
Call it something with "entierprise".
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
Before regular users who need to abide by this policy circumvent or abuse this policy. Meaning data will still reside on laptops unencrypted because users don't see the need for additional protections. ("I keep my laptop secure!")
You can put all the security you want on databases, firewalls, and file servers. But in the end, users still need to access that data. Therefore, accidental (or otherwise) leakage of info by a consumer of this data is the main risk of disclosure, not a hacker. We need to have better IA (Information Awareness) training first, and remind users of their duties to keep this information secure. Another layer of protection won't work if users don't understand how important it is to secure this data.
Come on, there's 13 year old kids that know better.
They're feeding everyone lines.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Beset with yet another layer of Policies, Programs, and Procedures the things a bureaucracy will need are:
feasibility studies
staffing increases
training
miscellaneous budget increases
Does anyone know the source of that quote in the Civilization IV game:
The bureaucracy is expanding to meet the needs of an expanding bureaucracy.
[1] I am making this up.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Comment removed based on user account deletion
I am no Neocon and I usually don't agree with Mr Bush and his crowd on anything at all but this time I fail to see what the fuss is about. They are planning to:
- Encrypt all sensetive data on laptops and PDAs.
- Drastically harden authentication methods and make damn sure idle connections are severed.
- Make damn sure sensetive information is not left lying around on hard drives all over the place thus decreasing the likelyhood of it ending up in the hands of people it wasn't intended for by accident. In short they plan to drastically improve the management of sensetive data.
In my humble opinion these are all pretty resonable and sensetive measures for any government to take. My only question is: Why wasn't this done many years ago? These are measures major corporations have considered standard for years in order to thwart industrial espionage. I am quite frankly flabbergasted at the what the article seems to imply, which is that US officials, military bigwigs and intelligence people have been traveling all over the USA and the rest of the world for that matter carrying unencrypted sensetive data on their WinDell laptops.Only to idiots, are orders laws.
-- Henning von Tresckow
My employer, an insurance company, has had similar measure in place for years. It's amazing and, as an American citizen, quite distressing that the federal government hasn't been following best practices for confidential data.
"If it's real, then it gets more interesting the closer you examine it. If it's not real, just the opposite is true." -
GWB: "ya knouw, ey've heyerd 'bout a scjureytey syseym called 'ceysar eyncrypjein' - let's all use it, man"
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Comment removed based on user account deletion
They need encryption for their security but we can't have it for our privacy .
(And yes I'm well aware that nothing is forcing us in the US to hand over our encryption yet but don't worry it'll probably happen sooner than you expect.)
One law for the king and another for the people. We can't live like that...
"Bah!" - Dogbert
I wonder what is considered 'sensitive data' these days? Anything they choose or just certain things?
And, will anyone in the public domain ever really know what has been encrypted and why?
He who knows best knows how little he knows. - Thomas Jefferson
When I download some kind of data from the internet, it is retained and should something against me arise in some kind of aspect (say, I am (falsly) accused of being a terrorist), a peek will be taken into my download history to find incriminating news. Like, whether I exposed some unhealthy interest in fertilizers or aspirin 2 years ago.
Now, if a gov official copies data, 90 days later nobody knows anymore what he copied. It cannot be traced. 90 days is a very short time in our judical system.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Every week or so there's a news story about someone having a laptop stolen, or being lost, with thousands of customer files on it. I keep wondering why encryption isn't being used. Under Mac OS X, you click one checkbox to enable "FileVault" and everything in your home directory is encrypted. I don't know exactly what's available in the WIndows world, but I'm sure there are tools that are just as easy to use.
Of course, I don't use FileVault.
Why not? Well, it's one more thing to go wrong. I'm far more worried about losing my files or losing access to them, than I am about having other people look at them. And, frankly, I've never bothered to find out exactly what happens when you use a standard backup tool on a FileVault-protected Mac (presumably all the backups are UNencrypted if you are running the backup tool from within the protected account?)
So... I dunno. I don't understand why everyone doesn't use encryption, but I don't use encryption myself. Of course, I have reasons. Probably everyone else has reasons, too?
"How to Do Nothing," kids activities, back in print!
to the 20th centery welcome - happy i am that the money now wil be secure i am
yoda simulater ends
g day
--
This space intentionally left (almost) blank.
White House Demands Encryption for Sensitive Data
It still won't matter. Just look for the yellow post-it note with the password stuck on the monitor, under the keyboard, or under the mouse pad.
Will they be requiring key escrow as well?
They'd have to implement a special extension for binary files. I think applying NOT to everything would be appropriately secure.
As Jon Stewart said on the Daily Show, "It's nice to see they're protecting their privacy."
Sorry, still on my morning caffiene high
I only know of a handful of whole-disk encryption products that support encrypting the operating system disk:
- PGP sells a corporate level product called "PGP Whole Disk Encryption".
- SecureStar sells DriveCrypt Plus Pack
What else is out there that is trustworthy? (Heck, do we even trust that there aren't any weaknesses / or back doors in PGP or DCPP?)
Wolde you bothe eate your cake, and have your cake?
I work for a federal agency and we've had most of this in place for some time.
:( if no activity.
Our VPN (AES) requires two-part authentication with user name, password, and time-key.
You get dropped faster than 30 minutes
Max session time also applies. (Not unreasonable)
Encrypting on portable devices will be new, but not difficult. All of our laptops have common access card (CAC) readers.
Validating downloaded material retention will be the most difficult since that is exclusively a policy issue.
Anyway, we have not had a problem with compromises.
What folks may not realize is that the legal definition of "sensitive" is more challenging than you realize. An awful lot of information is available through a Freedom of Information Act request, so you really can't call it sensitive. Training people to recognize the more unique forms of information that rightly deserve protection (Sensitive Security Information 49 CFR 1520) and the like that is the challenge.
Waiting for this to come across my desk...
I work for a large TLA. Generally, our security is pretty good. Fire up a wireless access point in the building (or try to; they won't actually connect to anything) and guys with guns and a laptop running Fedora Core and some scanning software will be walking your floor in short order. I had to carry a couple of them around yesterday while we tried to track down a signal that we finally decided was coming from outside. Last time I saw them, the guys with guns were walking the parking lot, looking for someone with a laptop who shouldn't be there.
We also use encrypted VPN tunnels for remote access and, by default, require all data categorized "sensitive but unclassified" and above to be kept in encrypted folders. As a nearly all-XP shop, that generally means EFS.
I would imagine that we're on par with or better than most agencies. But getting that last little bit, getting into full compliance with these requirements is almost certainly going to require whole-disk encryption.
We can do that in hardware or software. Anybody have any thoughts on the best way to implement whole disk encryption on 100,000 computers in a short time frame? That's both a serious question and a problem statement; any insight into how you do it at your big corp/gov entity would be much appreciated.
encrypt all data
two-factor authentication -- a password plus a physical device such as a key card
automatically severed
keeping detailed records of any information downloaded
verify that those records are deleted
Sounds like a DRM music download. Maybe they could take a lesson from the music/movie industry.
Actually the physical separation is much more important than just keeping people from sticking the media in the wrong drive. If that was the only issue, they could just color-code the computers and media and probably be OK.
The concern has to do with radiation produced by equipment; classified systems are shielded (sometimes) or kept in shielded rooms (more commonly, because actual shielded equipment is more expensive) with RF chokes on all the lines going in and out. The idea being that you don't want somebody to be able to listen to RF signals that your monitor on your classified system is putting out, by attaching an antenna to the building's cold-water pipe.
Where the problem gets even more complicated is that you can compromise a well-shielded system (one that doesn't radiate any information back into the power lines, etc.) if you put it close to an un-shielded (unclassified) system. The RF being produced by the shielded system will couple to the coils and whatnot in the unshielded system (which doesn't have any fancy chokes on its connections) and now you're back to radiating classified information into the building's power/water grid.
The '3 foot rule' is definitely arbitrary, but apparently it's the distance at which the people who are paid to think about these things believe that a classified system won't interact with an unclassified system and produce any significant radiation back into the building's infrastructure. If it sounds paranoid, that's because it is -- this was all Cold War era research -- but that doesn't meant it's not still true.
You're right though in saying that the artificial division between EMSEC and COMSEC and COMPUSEC is outdated and should be replaced with something more inclusive and relevant; however, the EMSEC precautions aren't completely outdated, and still exist for a reason where classified data is concerned.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Sensitive:
the name of the mole they have in the opposition parties headquarters.
source and destination of slush fund money
the memo stating that the WMDs and terrorist links were bogus and just a trumped up excuse to send billions to Haliburton
the names of US companies sending contraband materials to Iraq, Iran and N. Korea
the plan to use diebold to steal more elections
what they really think about the voters
non-sensitive information:
your name, SSN, mother's maidenname, credit card numbers,
phn conversations, bank account numbers, medical records and job history.
HTH
putting the 'B' in LGBTQ+
So once everyone gets a laptop with an image that has encryption turned on by default, people will feel secure about hauling their laptop around with sensitive data. They will probably even feel secure enough to leave it on the table in the coffee shop while they get a refill, "it will only take a minute."
We all know that there are user friendly apps out there to retrieve data from encrypted files, though it will raise the bar a little.
Using a hardware security device also could lead to a false sense of security, though it could be done properly. These days I have to log in with the aid of a credit card sized one-time key generator. That certainly would deter casual folks getting into government systems, but may be a deal where they are easy to circumvent (running a fat client for example, or an overly simple hardware connection).
The delete after six months thing sounds impossible, and poorly thought out. But some consultants will make a lot of money failing to implement it! Think of it as FDR building the highways, investing in our economy...
Caller: I need help opening a document.
Help Desk: What seems to be the problem.
C: I dunno. I just can't open it.
HD: What format is it?
C: I can't tell. The icon thingy looks wierd.
HD: Like a padlock or a safe?
C: Yes! How did you know?
HD: It's encrypted, sir.
C: How do I unencrypt it?
HD: You need your decryption keys. Do you know what those are?
C: Is that the really long number they gave me when I started?
HD: Yes sir. Do you have that?
C: Hold on. I taped it to my monitor.
HD: Stay right where you are, sir. Two gentlemen will be at your desk to *help* you.
C: Gee, thanks. Hey there they are now. Wait. Don't hand cuff me. Ouch! *beep* *beep* *click*
Here will be an old abusing of God's patience and the king's English.
Why is my personal financial information being shared without my expressed, written permission?
Why are financial records not given the same protections as medical records?
I have no real problem with credit reporting agencies. These companies are in general very careful with data. I know that when I interviewed with Equifax I was very, VERY impressed by their security. Several steps to get in...everyone checked on the way out. No laptops/PDA's allowed inside, etc -- and I was just interviewing!
The companies that I have problems with are those like Choicepoint (which, BTW has it's HQ right across the street from my office here in Alpharetta, GA). Choicepoint collects data on individuals including SSN's, DOB, account balances, etc. They are not privy to the protections of the Fair Credit Reporting Act (they aren't a credit agency). They mine the data and sell it to the highest bidder, and as we're aware they'll sell it to just about anyone with cash.
And you can't tell me it's compelling interests either that make it permissible. I think there would be a lot to gain by data mining the nation's medical records. It would make medical research much easier as it would allow us to find relationships and trends in various ailments, etc. I'm not saying that it should be allowed, only that there's a double standard involved here that I think should be eliminated. My financial records are no one's business except mine and any creditor looking to give me a loan.
Speaking of which...why do I have to sign a form allowing a lender to check my credit report...while Choicepoint can sell essentially the same information without my permission?
No conspiracy needed. Using Windows allows the government to avoid training users, which would be horrendously expensive. It is easier to order new Dells/HPs/Gateways, install the standard image, and press on.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Although this may help prevent massive loss of data as seen recently, it might also reduce transparency in government. This would be a classic security vs. convenience trade-off. but one with potentially larger implications which should be considered.
If you mod me down, I shall become more powerful than you could possibly imagine.
/. If the government wants us to respect the law, it should set a better example.
Why in the world would you want to take home a hard disk full of sensitive information, when you can work on it while it's stored at a remote location? It's called client/server, and we handle data that way at my job, and we're not even techie IT guys - it's just more secure and even we know that. If it's not on your laptop, it ain't gonna get stolen when the laptop is! Instead it's on a server in a locked room with some security around it. You don't need to take my identity home with you so you can get some work done on the freaking beach or while boffing your mistress, OK?
The logo is just on a white (as opposed to transparent) background. Hence, it's a square which happens to cover most of Europe. It had to cover something since the person making the graphic didn't convert the jpg to a tiff or png that has transparent backgrounds.
Likely just an office worker doing something quick in powerpoint without spending a lot of time finessing the thing.
Leave it to slashdot to find something wrong with it. I'll bet there are some typos in there somewhere.
Faster! Faster! Faster would be better!
About 80% of our computers go out the door. They are laptops issued to field agents, special agents, and officers, as well as a smattering of appraisers, engineers, analysts, and more. The whole disk encryption things is going to be very big for us. It might be easy if it gets well thought through before implementation. It might be a nightmare. I'm uneasy about the near future.
I think it's only fair though that they use my public key to encrypt as well as their own. George Bush wants to snoop around my personal rrecords, then he can bloody well allow me to do the same to him.
Salut,
Jacques
Would unbiased or 'perfect' reporting or journalism be recognized if it existed?
No clear measure, no absolute rank, and no proofs.
If you could prove it 100%:
How many people would reject the truth because they could not handle it?
(at least 33% of the USA)
Democracy Now! - uncensored, anti-establishment news
...was all of the sphincters in the NSA and KGB tightening up!
Libertas in infinitum
Simple. The VA is NOT a part of the military, and does not adhere to military rules regarding security. Nor is my agency; we're civilian, and civilian rules apply, even if they are insufficient. Civilian agencies operate under different conditions, and many allow such information to be moved about, although anybody with any sense would requuire complete HD encryption for that level of sensitivity.
But you are right, the problem lay with the VA's operating procedures, or lack of adherance to same. And the employee paid for it with his job. He is now a FORMER employee, thanks I am sure to his boss's lack of oversight, and the lack of IT secuity in VA procedures. Not all his fault, but in such cases where upper management is shown to be idiots, somebody has to pay the piper, and it's usually the little guy that's caught with his pants firmly around his ankles!
"Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein
To think that government agencies that are already overburdened by humpty-zillion processes and procedures, have antiquated equipment and network infrastructure, etc. will ever be able to start encrypting all the data on their laptops and deploy two-factor authentication is a pipe dream. How do I know? I'm at the bottom of the food chain of a goverment land managment agency. I am unaware of any encryption that is being used on any of our laptops. There is no clear direction on what "sensitive" is, so I agree that we should just encrypt everything. I've heard that keeping a list of your co-workers birthdays with their consent is sensitive due to the Privacy Act. The laptops we have are used daily in the for collecting resouce data about everything from trees to streams to bugs. The are not state of the art and take 10 minutes to boot with all the background processes we have loaded (antivirus scanning, cisco security agent,etc.). They will be migrating us from Windows 2k to Windows XP in mid 2007 (no sense rushing things). Notice the memorandum didn't come with a check attached. I'm not whining because I know that there is a war to pay for and Katrina was expensive too but at some level these initatives take dollars in addition to memorandums. In the dozen years I've been with the outfit we have had flat or decreasing budgets every year. We have downsized from 45,000 to 32,000 employees. It will be interesting. So it goes.
The connection is killed after 30 minutes? That's generous.