White House Demands Encryption for Sensitive Data

An anonymous reader writes "Stung by a series of data losses or disclosures at federal agencies over the past month, the White House is requiring all agencies to follow new guidelines when allowing employees to carry sensitive data on laptops or access the information from afar, according to the Washington Post. From the article: 'To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.'"

And the real question is...

[Pieroxy]

And the real question is: Why wasn't all these measures mandatory before? Did noone thought of the potential problem of a user going home with his laptop before?

Re:And the real question is...

[OpenSourced]

Why wasn't all these measures mandatory before?

Because most of it is unenforceable, and certainly doesn't cover the entirety of the problem. Let's check it point by point.

  1. Encrypt all data on mobile computers/devices which carry agency data unless the data
is determined to be non-sensitive, in writing, by your Deputy Secretary or an
individual he/she may designate in writing;

So basically ALL data will be sensitive. We're not longer talking about CIA operatives or Pentagon generals with state secrets under the arm. It's the secretary of the editor of the "Golden Days" monthly that will access the name of one of the retirees it serves from her son-in-law's computer to see why Ms. Applewhite didn't receive her beloved issue last month. The secretary is not only not going to encrypt the data, she's blissfully unaware that her son-in-law hard disk is completely shared on eMule due to her son-in-law's imperfect grasp of eMule's share facility.

  2. Allow remote access only with two-factor authentication where one of the factors is
provided by a device separate from the computer gaining access;

Yeah, sure. I guess somebody is underestimating the ubiquity of data communications nowadays. Or thinking still about CIA operatives mainly.

3. Use a "time-out" function for remote access and mobile devices requiring user re-
authentication after 30 minutes inactivity

Now this one is probably going to be widely enforced, it'll be simple to do.

  4. Log all computer-readable data extracts from databases holding sensitive information
and verify each extract including sensitive data has been erased within 90 days or its
use is still required.

The logging will be made, usually. But how about the verification, I mean, in some places Harvest will really be plentiful, and the Laborers??? few, if any. Who's going to check all those accesses and what happened of the data? And even if they do, what about the son-in-law's shared hard drive? I mean, what about other copies that could have been done, printed, etc. from that original data. Printouts in the garbage are still one of the better ways of getting confidential data. What about flash memories in the workplace. Remember that story about the trojan-seeded flash drives scattered by the entrance of some goverment office building? Or Los Alamos missing hard drives ? The data security problem is certainly not going to be solved by a four-points note from the White House.

Basically this not is just a paper that says that a) The White House is trying hard to address this problem. b) Now you know who to blame (usually the overworked DBA) if anything important gets copied and hits the news.

Re:And the real question is...

[arivanov]

Yeah, sure. I guess somebody is underestimating the ubiquity of data communications nowadays. Or thinking still about CIA operatives mainly.

The kit in question is available from a number of vendors. I got one with me from Aladin marketed under the name of eToken, supports standard x509 certificates and if it will be bought in the quantities .gov will buy it the price will be in the sub 10$ range. It is only moderately more expensive now.

Works with nearly all OS-es: Mac, Winhoze, Linux, *BSD. It is about one quarter the size of an average USB key and has RSA engine on board. Once you have written the private key on it there is no way to retrieve it. All RSA ops are performed on the key.

Add to that the fact that all modern laptops and most recent desktops have TPM. You can use that for similar purposes.

In fact, the problem is not in the tokens and dongles. There are plenty of these on the market. The problem is how to handle certificate infrastructure and trust levels on the level of millions of certificates especially revocation. Now how .gov handles that will be interesting to watch.

Re:And the real question is...

[jascat]

Counter-point:

1. It sounds as though they are talking about classification here. There is a such thing as "Sensitive but Unclassified". Also, personal information gets protection under the Privacy Act of 197-something. Anyhow, it isn't as serious as you make it out. The stuff that is classified is protected at a whole different level.

2. No, they are saying that if you're going to connect to their network, you're going to have to do it with approved systems and use their authentication and it will all probably be through an approved, encrypted VPN. I know that the DoD has made a push over the last few years to replace the ID cards with smart card IDs with PKI certs embedded on them. These tie into the PKI infrastructure that has been rolled out and although it's taken a few years to get going, we're finally seeing it become a reality...you know, where it's becoming mandatory to log on using your card, sign emails, etc etc.

3. Well, it's all enforceable. That's the beauty of a government owned network. If they catch you not following their rules, they can fire you or even go so far as to prosecute you. Why not? You could be a terrorist! *gasp*

4. I agree with you here. Logs are great and all, but having a great gob of logs doesn't do you much at all. I wish them luck trying to go back to find a single transaction from 89 days ago.

Re:And the real question is...

[me-g33k]

Actually it goes one level deeper. It's not just the access to the information but the ability to properly classify and then enforce document controls. If you think in terms of the old paper methods, there were entire sub-organizations dedicated to the publication of information and its maintenance and management. When everything started to go digital, those roles and processes seemed to have been lost in the translation. Factor in the constantly decreasing cost of storage and we see the glut of 'stuff' that exists in storage silos all over the place. Granted that Gov and Mil are usually better at classifying their information but the access vectors to this information has changed. We no longer have to walk into a public building and sign in to get paper (although a digital simulacrum pervades) it's posted and made readily available. This is in the 'finished' incarnation of the document. How about the 'in progress' work? Which is one of the locuses of the issue at hand. People taking work out of their office environments into the 'wild'. I HATE to say it but this is where DRM would be useful. Tied to roles and responsibility defined (hopefully) in a rational directory, document destruction could be automated. That leads me to another research question; Does TPM have a handshake with DRM?

Oh, lookie here

Speaking of which, you should probably get a glimpse at what Google .Gov dragged up.

Re:Oh, lookie here

[wbren]

Some great nuggets of information I found in that PDF:

• The default settings of P2P applications share all documents and media files on your machine. Which P2P apps are they talking about?
• P2P file exchanges generally violate international copyright laws. - Stop lumping P2P with piracy, DoD!
• Enable Wired Equivalent Privacy (WEP) on all laptops, PDAsand wireless access points. - WPA anyone?
• THE INTERNET IS ALWAYS WATCHING - But the DoD is always watching the Internet, so don't worry!
• CLASSIFIED CPU's should be at least 3 feet from UNCLASSIFIED CPU's - Cooties?
• Traveling with a government computer? Keep track of it! - Good thing you told me! I never take the time to keep track of my laptop when I travel.

Also check out page 37 for the most hilarious picture ever included in a PDF (labeled 38 in the actual PDF).

Re:Oh, lookie here

[tonan]

I don't know how other departments and agencies deal with their networks, but all P2P software is banned from our machines (Air Force), and all known P2P/BitTorrent ports are blocked through our firewall. All client computers are scanned for illegal software (which includes Google Earth and iTunes) on a regular basis, and the local Information Protection Office will let you know if you are in violation.

The 3-foot rule is an old EMSEC (Emmissions Security) rule that seems a bit outdated. It's supposed to prevent signal emmissions of hard-wired machines from being interfered with or being collected by other devices. I know it sounds ridiculous, but the program is is old and outdated.

Overall, that PDF slideshow is not a very good IA training tool. They probably don't even use that anymore, or it's only used by a small group of people. The link at the end of the document brings you to a course completion page that shows the date of the program as 2004. You guys might not be able to see the site if you are not on a .mil/.gov computer.

IA training is mandatory for all users of DoD client machines, but the DoD networks have many other safeguards to protect information. As always, a security policy is only as strong as the people abiding by it, so IA training tries to lessen the risk of information leaking out due to poor information protection by the user.

Re:Oh, lookie here

[rahrens]

P2P apps are not allowed in my Agency. They probably included this as an explanation for why; specific apps are not necessary for the explanation to be valid.

Since a LOT of people use P2P for pirating copyrighted material, that is also a valid statement. Just because its not ALWAYS used illegally, does not invalidate this statement for their purposes.

DOD is a BIG agency, with a lot of employees. It likely that many of them have routers capable of wireless tramsmission, but not new enough to use WPA. To enable the most people to be able to connect remotely, WEP is allowed. Notice that recent loss of laptops with sensitive info did NOT include DOD, nor did they include actual CLASSIFIED material. That stuff is covered under a whole different, and MUCH stricter, set of rules!

3 foot space? Covered adequately by other posters who know more about it than I do.

A LOT of people lose laptops. Civilians, government workers, and military. This statement is there for obvious reasons. People always need to be reminded, plus, statements like this are needed to remind employees that their employer thinks the issue is important. You cannot just take it for granted that people will just magically understand how you think. In addition, if this is included in such a presentation as this an emnployee can't later claim that he/she wasn't told! It's therefor a CYA for the organization.

My own agency uses a total encryption program that encrypts the entire HD. We take nothing for granted. Employees have no choice, laptops are issued this way. You don't like it, you don't get a laptop. We use a two step authentication procedure for remote connections, in fact, everything this article says the White House is demanding, my agency has been doing for over two years.

Has it cost a lot? Yes, this stuff isn't cheap. Is it worth it? Yes, you won't see my group in the news like this!

Does info get out in ways accessible to potential thieves? Probably, we have over 10,000 employees; it's hard to control the actions of that many people, and information can be copied in so many ways. But we do what we can; we only allow the use of encrypted laptops, desktops that are allowed home are also encrypted this way, too. As mentioned, two step authentication, firewalls, 24/7 firewall/WAN monitoring for suspicious activity. If a machine is caught broadcasting packets identified as coming from prohibited software, a technician is dispatched to remove it. User has no choice. Desktops are locked down, and special permission is required from a committee to allow local admin control for any user. Users can't even install their own local printers!

Users are required to review an annual Information Security Awareness presentation, via the intranet, so we can monitor compliance. If you don't view it within a certain time frame, your account is automatically disabled, and you then need special permission from an Associate Commissioner to get reconnected without viewing the show! This guarantees management attention to your failure to follow security procedures!

I have only touched on the most obvious arrangements, there are a lot of others that I can't reveal - I'd have to shoot all of you! I'm sure that there are others I don't know.

Does all of this guarantee we won't see a breach? No, I'm sure it doesn't. But it makes it much more likely that if one occurs, the headlines will make note of an employee that broke procedure and did something to get around agency safeguards, and will eventually report his/her prosecution.

We are not perfect, and we'll be the first to admit that. We ARE human, after all. (gasp!) BUT, just because we get our paychecks from Uncle Sugar doesn't mean we left our brains at the door.

Some agencies use the budget Congress gives us to do our jobs, and we try to do them without being told. We even try to close the barn door BEFORE the cow gets out!

I know that's a shock to some of you, but we really do try, and we most often get it right. You only read about it when we don't...

Yes but what do you do about...

[johnnywheeze]

Those people who have legitimate access to that data leaking the information? Was there a huge wave of hacker activity stealing and disseminating classified material lately? Because I must have missed it.

Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasence in the Bush administration.

This doesn't do much to stop this kind of leak, but makes it much easier to track down those who do leak information. I don't think this has as much to do with security, as it does fear and punishment.

Re:Yes but what do you do about...

[oddfox]

You know, there was a time when doing that sort of thing was called treason...

Maybe if this administration was a little more well-liked they'd be able to convince people that the leaking of it's shortcomings and bastardization of the law(s) of the land was a real threat. As it stands, the only thing these leaks are doing is proving to your average American that, hey, Bush really is the bastard the ultra-liberals decried him as in the first place.

Re:Yes but what do you do about...

[RobotRunAmok]

As it stands, the only thing these leaks are doing is proving to your average American that, hey, Bush really is the bastard the ultra-liberals decried him as in the first place.

Except that the "average American" is not quite as "average" as the classist ultra-liberals envision him. What it really does is cause the "NASCAR Dads" and "Soccer Moms" to get even more disgusted with the mainstream news spigots and start seeking less-biased and more representative sources. That, of course, can only hurt the bottom lines of the Old Guard.

To successfully compete with an Internet across which one can aggregate news (and opinions) from all over the political spectrum, a traditional mainstream outlet will have to either clearly claim allegiance to one pole (e.g., Fox News) or genuinely have no political leanings or agenda (e.g., nobody right now). The days in which an outlet can pose as unbiased while actually trying to manipulate opinion with stories slanted either left or right are dwindling, or so say the accountants...

Re:Yes but what do you do about...

[TubeSteak]

No. It might have qualified as sedition, under the Alien and Sedition Acts of 1798 or the Sedition Act of 1918... ... But the first was overturned by the Supreme Court and the second was repealed by Congress.

I find that most people who throw about the word "treason" don't actually comprehend what it encompasses, nor do they understand the historical & legal background.

To commit treason someone has to overtly and willfully cooperate with an enemy, to overthrow the gov't. Anything else gets treated as espionage, since Sedition laws are nonexistant.

You show me how leaks to American newspapers qualify as over and willfull cooperation with "the enemy" and we can talk treason, until then, please refrain from echoing the ignorant statements of others.

the real question is, of course

"The Bush administration is giving federal civilian agencies 45 days to implement new measures to protect the security of personal information that agencies hold on millions of employees and citizens."

Why would this data be on a laptop in transit in the first place? 15 years ago, I would understand the need to carry a bunch of tapes from location A to location B. With recent advances in networking the utility of carrying around data in a suitcase seems quite elusive.

Re:Wow...

[neuro.slug]

Incorrect. Upper management thought that ROT13 was so good, they're using it twice for encryption.

Not "requirements"

[Black+Parrot]

Just "recommendations".

Which means this is likely to have zip for effect.

They delete THEIR downloads after 90 days...

[Opportunist]

...and require that ours are kept stored for months or years, or even "forever"? Is it me or is something running very wrong here?

As far as I know, the founding fathers tried to protect the people from their government, fearing that it might turn one day against them. I think it's time to put this in practice. Not the government has to monitor its people, it is to be done the other way around.

Re:5 years of "homeland" defense

[jimicus]

Makes you wonder exactly what our homeland defense dept. is doing, when it runs Windows

At the risk of being labelled a trolling fanboy, there is nothing intrinsically wrong with using Windows (or indeed any given operating system) for a government agency.

What is intrinsically wrong is not taking some time to investigate the requirements of the agency and configuring things accordingly, instead just throwing a bunch of laptops onto a domain and saying "There y'go".

It may even be the case that they did configure things accordingly with strong encryption available and everything. But maybe no effort was made to ensure it actually got used. Perhaps strong encryption was used, and effort was made to ensure it worked when accessing databases - but some other application crept in for which it was easier to do a plain-text dump of the database onto an unencrypted area of the disk.

In any sizeable organisation, desktop IT requirements are very complicated. Just saying "They used Windows. What do you expect?" isn't particularly helpful, and doesn't cut to the root of the problem.

Practical and impractical solutions....

[jkrise]

A. Practical Solutions:
1. As every agent who possesses sensitive information leaves office, shoot him.
2. Destroy his/her/it's laptop.

B. Impractical solutions:
1. Build a new proprietary operating system for secret agents.
2. Build proprietary hardware for them.
3. Build scretive, propriateary network cards, that operate on proprietary, unpublished protocols.

If neither Plan A or B seems workable, post Ask Slashdot for ideas!
-

Beware, too

[smittyoneeach]

the Law of Obstructive Conformity[1] which says that, given a sufficiently large ruleset, one can always locate a way to destroy any hope of mission accomplishment.

Beset with yet another layer of Policies, Programs, and Procedures the things a bureaucracy will need are:

feasibility studies

staffing increases

training

miscellaneous budget increases

Does anyone know the source of that quote in the Civilization IV game:

The bureaucracy is expanding to meet the needs of an expanding bureaucracy.

[1] I am making this up.

So that's how it is...

[Cheerio+Boy]

They need encryption for their security but we can't have it for our privacy .

(And yes I'm well aware that nothing is forcing us in the US to hand over our encryption yet but don't worry it'll probably happen sooner than you expect.)

One law for the king and another for the people. We can't live like that...