Slashdot Mirror
White House Demands Encryption for Sensitive Data
An anonymous reader writes "Stung by a series of data losses or disclosures at federal agencies over the past month, the White House is requiring all agencies to follow new guidelines when allowing employees to carry sensitive data on laptops or access the information from afar, according to the Washington Post. From the article: 'To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.'"
And the real question is: Why wasn't all these measures mandatory before? Did noone thought of the potential problem of a user going home with his laptop before?
Write boring code, not shiny code!
Speaking of which, you should probably get a glimpse at what Google .Gov dragged up.
Why has this not been done before? But let me guess the encryption is ROT13.
Those people who have legitimate access to that data leaking the information? Was there a huge wave of hacker activity stealing and disseminating classified material lately? Because I must have missed it.
Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasence in the Bush administration.
This doesn't do much to stop this kind of leak, but makes it much easier to track down those who do leak information. I don't think this has as much to do with security, as it does fear and punishment.
numerous data thefts, and we are just now getting around to requiring that we protect our data ??? Makes you wonder exactly what our homeland defense dept. is doing, when it runs Windows, does not push good requirements on computers, and does not even have a place to call them about possible terrorists. Worse, congress debated over a flag admendment and has been complaigning about part of 1 billion wasted during katrina, but does nothing about our deficts, the corruption, or even the 10s of billions wasted in iraq (where is the money that was suppose to build up their infrastructure?). God help us.
"The Bush administration is giving federal civilian agencies 45 days to implement new measures to protect the security of personal information that agencies hold on millions of employees and citizens."
Why would this data be on a laptop in transit in the first place? 15 years ago, I would understand the need to carry a bunch of tapes from location A to location B. With recent advances in networking the utility of carrying around data in a suitcase seems quite elusive.
Just "recommendations".
Which means this is likely to have zip for effect.
Sheesh, evil *and* a jerk. -- Jade
...and require that ours are kept stored for months or years, or even "forever"? Is it me or is something running very wrong here?
As far as I know, the founding fathers tried to protect the people from their government, fearing that it might turn one day against them. I think it's time to put this in practice. Not the government has to monitor its people, it is to be done the other way around.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"Stung by a series of U-Boat losses, the Kriegsmarine is requiring all agencies to follow new guidelines regarding the Enigma code."
Seriously, the US government is only just figuring out what encryption is for? Exactly incompetent are they?
And before you get comfortable laughing at these people, consider for a second how dumb you must be to let these same people hoover up all your civil liberties...
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
OMFG!!! By publishing this information the media is helping the terrorists! How will we ever win the wars on terror like this? I'm offended! There are folks that want to kill people out there!!!
The Farewell Tour II
> The Nixon parallels are staggering.
Bush makes Nixon look like a choirboy.
Sheesh, evil *and* a jerk. -- Jade
It actually makes sense!
A. Practical Solutions:
1. As every agent who possesses sensitive information leaves office, shoot him.
2. Destroy his/her/it's laptop.
B. Impractical solutions:
1. Build a new proprietary operating system for secret agents.
2. Build proprietary hardware for them.
3. Build scretive, propriateary network cards, that operate on proprietary, unpublished protocols.
If neither Plan A or B seems workable, post Ask Slashdot for ideas!
-
If you keep throwing chairs, one day you'll break windows....
Before regular users who need to abide by this policy circumvent or abuse this policy. Meaning data will still reside on laptops unencrypted because users don't see the need for additional protections. ("I keep my laptop secure!")
You can put all the security you want on databases, firewalls, and file servers. But in the end, users still need to access that data. Therefore, accidental (or otherwise) leakage of info by a consumer of this data is the main risk of disclosure, not a hacker. We need to have better IA (Information Awareness) training first, and remind users of their duties to keep this information secure. Another layer of protection won't work if users don't understand how important it is to secure this data.
Beset with yet another layer of Policies, Programs, and Procedures the things a bureaucracy will need are:
feasibility studies
staffing increases
training
miscellaneous budget increases
Does anyone know the source of that quote in the Civilization IV game:
The bureaucracy is expanding to meet the needs of an expanding bureaucracy.
[1] I am making this up.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
I am no Neocon and I usually don't agree with Mr Bush and his crowd on anything at all but this time I fail to see what the fuss is about. They are planning to:
- Encrypt all sensetive data on laptops and PDAs.
- Drastically harden authentication methods and make damn sure idle connections are severed.
- Make damn sure sensetive information is not left lying around on hard drives all over the place thus decreasing the likelyhood of it ending up in the hands of people it wasn't intended for by accident. In short they plan to drastically improve the management of sensetive data.
In my humble opinion these are all pretty resonable and sensetive measures for any government to take. My only question is: Why wasn't this done many years ago? These are measures major corporations have considered standard for years in order to thwart industrial espionage. I am quite frankly flabbergasted at the what the article seems to imply, which is that US officials, military bigwigs and intelligence people have been traveling all over the USA and the rest of the world for that matter carrying unencrypted sensetive data on their WinDell laptops.Only to idiots, are orders laws.
-- Henning von Tresckow
They need encryption for their security but we can't have it for our privacy .
(And yes I'm well aware that nothing is forcing us in the US to hand over our encryption yet but don't worry it'll probably happen sooner than you expect.)
One law for the king and another for the people. We can't live like that...
"Bah!" - Dogbert
Every week or so there's a news story about someone having a laptop stolen, or being lost, with thousands of customer files on it. I keep wondering why encryption isn't being used. Under Mac OS X, you click one checkbox to enable "FileVault" and everything in your home directory is encrypted. I don't know exactly what's available in the WIndows world, but I'm sure there are tools that are just as easy to use.
Of course, I don't use FileVault.
Why not? Well, it's one more thing to go wrong. I'm far more worried about losing my files or losing access to them, than I am about having other people look at them. And, frankly, I've never bothered to find out exactly what happens when you use a standard backup tool on a FileVault-protected Mac (presumably all the backups are UNencrypted if you are running the backup tool from within the protected account?)
So... I dunno. I don't understand why everyone doesn't use encryption, but I don't use encryption myself. Of course, I have reasons. Probably everyone else has reasons, too?
"How to Do Nothing," kids activities, back in print!
White House Demands Encryption for Sensitive Data
It still won't matter. Just look for the yellow post-it note with the password stuck on the monitor, under the keyboard, or under the mouse pad.
As Jon Stewart said on the Daily Show, "It's nice to see they're protecting their privacy."
Actually the physical separation is much more important than just keeping people from sticking the media in the wrong drive. If that was the only issue, they could just color-code the computers and media and probably be OK.
The concern has to do with radiation produced by equipment; classified systems are shielded (sometimes) or kept in shielded rooms (more commonly, because actual shielded equipment is more expensive) with RF chokes on all the lines going in and out. The idea being that you don't want somebody to be able to listen to RF signals that your monitor on your classified system is putting out, by attaching an antenna to the building's cold-water pipe.
Where the problem gets even more complicated is that you can compromise a well-shielded system (one that doesn't radiate any information back into the power lines, etc.) if you put it close to an un-shielded (unclassified) system. The RF being produced by the shielded system will couple to the coils and whatnot in the unshielded system (which doesn't have any fancy chokes on its connections) and now you're back to radiating classified information into the building's power/water grid.
The '3 foot rule' is definitely arbitrary, but apparently it's the distance at which the people who are paid to think about these things believe that a classified system won't interact with an unclassified system and produce any significant radiation back into the building's infrastructure. If it sounds paranoid, that's because it is -- this was all Cold War era research -- but that doesn't meant it's not still true.
You're right though in saying that the artificial division between EMSEC and COMSEC and COMPUSEC is outdated and should be replaced with something more inclusive and relevant; however, the EMSEC precautions aren't completely outdated, and still exist for a reason where classified data is concerned.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
/. If the government wants us to respect the law, it should set a better example.
Why in the world would you want to take home a hard disk full of sensitive information, when you can work on it while it's stored at a remote location? It's called client/server, and we handle data that way at my job, and we're not even techie IT guys - it's just more secure and even we know that. If it's not on your laptop, it ain't gonna get stolen when the laptop is! Instead it's on a server in a locked room with some security around it. You don't need to take my identity home with you so you can get some work done on the freaking beach or while boffing your mistress, OK?