White House Demands Encryption for Sensitive Data
An anonymous reader writes "Stung by a series of data losses or disclosures at federal agencies over the past month, the White House is requiring all agencies to follow new guidelines when allowing employees to carry sensitive data on laptops or access the information from afar, according to the Washington Post. From the article: 'To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.'"
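The controls in the quoted policy (a second factor before remote access, a 30-minute idle cut-off, and an audit trail of downloads that must be deleted within 90 days unless still required) are straightforward to model. The following is an added example, not code from the article or from any agency; the class names, the `demo()` walk-through and its timestamps are all constructed for illustration.

```python
"""Model of the remote-access policy quoted above (added example, not from the article):
two-factor login, a 30-minute idle cut-off, and 90-day retention tracking of downloads."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

IDLE_TIMEOUT = timedelta(minutes=30)   # remote connection severed after 30 min of inactivity
RETENTION = timedelta(days=90)         # downloaded records must be gone within 90 days


@dataclass
class Session:
    user: str
    last_activity: datetime
    active: bool = True


@dataclass
class DownloadRecord:
    user: str
    record_id: str
    downloaded_at: datetime
    still_required: bool = False        # set by the data owner to extend retention
    deleted_at: Optional[datetime] = None


class RemoteAccessMonitor:
    """Hypothetical monitor; names are assumptions made for this example."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.downloads: List[DownloadRecord] = []

    def open_session(self, user: str, password_ok: bool, token_ok: bool, now: datetime) -> Session:
        # Both factors must succeed; a password alone never opens a remote session.
        if not (password_ok and token_ok):
            raise PermissionError("two-factor authentication required")
        self.sessions[user] = Session(user=user, last_activity=now)
        return self.sessions[user]

    def touch(self, user: str, now: datetime) -> bool:
        """Register activity; returns False (and closes the session) once idle > 30 min."""
        sess = self.sessions.get(user)
        if sess is None or not sess.active:
            return False
        if now - sess.last_activity > IDLE_TIMEOUT:
            sess.active = False          # sever the connection; the user must log in again
            return False
        sess.last_activity = now
        return True

    def record_download(self, user: str, record_id: str, now: datetime) -> DownloadRecord:
        # Every pull from the sensitive database is logged against an active session.
        if not self.touch(user, now):
            raise PermissionError("no active session")
        rec = DownloadRecord(user=user, record_id=record_id, downloaded_at=now)
        self.downloads.append(rec)
        return rec

    def mark_deleted(self, record_id: str, now: datetime) -> None:
        for rec in self.downloads:
            if rec.record_id == record_id and rec.deleted_at is None:
                rec.deleted_at = now

    def overdue(self, now: datetime) -> List[DownloadRecord]:
        """Records past the 90-day window that are neither deleted nor flagged as still required."""
        return [r for r in self.downloads
                if r.deleted_at is None and not r.still_required
                and now - r.downloaded_at > RETENTION]


def demo() -> dict:
    """Constructed walk-through; the user, record ids and timestamps are made up."""
    t0 = datetime(2006, 6, 26, 9, 0)
    mon = RemoteAccessMonitor()
    mon.open_session("alice", password_ok=True, token_ok=True, now=t0)
    mon.record_download("alice", "case-001", t0 + timedelta(minutes=5))
    second = mon.record_download("alice", "case-002", t0 + timedelta(minutes=10))
    second.still_required = True
    # 31 minutes of silence: the session is severed and the next download is refused.
    idle_ok = mon.touch("alice", t0 + timedelta(minutes=41))
    try:
        mon.record_download("alice", "case-003", t0 + timedelta(minutes=42))
        refused = False
    except PermissionError:
        refused = True
    # 91 days later only case-001 is overdue; case-002 is flagged as still required.
    overdue_ids = [r.record_id for r in mon.overdue(t0 + timedelta(days=91))]
    mon.mark_deleted("case-001", t0 + timedelta(days=91))
    after_cleanup = [r.record_id for r in mon.overdue(t0 + timedelta(days=91))]
    return {"idle_ok": idle_ok, "refused": refused,
            "overdue": overdue_ids, "after_cleanup": after_cleanup}
```

The retention check deliberately treats "still required" as an explicit flag that someone must set, so the default outcome of doing nothing is that a record shows up as overdue rather than silently lingering.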
Speaking of which, you should probably get a glimpse at what Google .Gov dragged up.
Those people who have legitimate access to that data leaking the information? Was there a huge wave of hacker activity stealing and disseminating classified material lately? Because I must have missed it.
Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasance in the Bush administration.
This doesn't do much to stop this kind of leak, but makes it much easier to track down those who do leak information. I don't think this has as much to do with security, as it does fear and punishment.
The kit in question is available from a number of vendors. I got one with me from Aladdin marketed under the name of eToken; it supports standard X.509 certificates, and if it is bought in the quantities .gov will buy, the price will be in the sub-$10 range. It is only moderately more expensive now.
Works with nearly all OSes: Mac, Winhoze, Linux, *BSD. It is about one quarter the size of an average USB key and has an RSA engine on board. Once you have written the private key on it there is no way to retrieve it. All RSA ops are performed on the key.
Add to that the fact that all modern laptops and most recent desktops have TPM. You can use that for similar purposes.
In fact, the problem is not in the tokens and dongles. There are plenty of these on the market. The problem is how to handle certificate infrastructure and trust levels at the level of millions of certificates, especially revocation. Now how .gov handles that will be interesting to watch.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
They need encryption for their security but we can't have it for our privacy.
(And yes I'm well aware that nothing is forcing us in the US to hand over our encryption yet but don't worry it'll probably happen sooner than you expect.)
One law for the king and another for the people. We can't live like that...
"Bah!" - Dogbert