Auditors Report FBI Fails in Tracking Lost Laptops
An anonymous reader writes "The Department of Justice's Office of Inspector General is reporting that the FBI has lackluster performance when it comes to tracking data lost on missing laptops. In a recent 44-month audit (ending in Sept. 2005), the FBI reported 160 lost or stolen machines. Of those, ten were confirmed to have sensitive info. A startling 51 of these machines had unknown information — in other words the FBI never knew what they lost. Some of these machines likely contained some of the most sensitive security information the FBI has, as there were several in the bunch that belonged to members of the Counterintelligence and Counterterrorism Divisions. But the FBI was never able to properly respond to these losses because someone didn't fill out the right paperwork. The OIG has a copy of the audit (pdf) for public consumption."
or is there an emerging criminal organization that targets laptops for the data they contain instead of for the hardware itself? It could be much more profitable to hold the data hostage rather than flip the laptop for whatever crappy amount you could get on eBay or at the local pawn shop.
Have there been any intensive studies that attempt to show what happens to stolen laptops?
Monstar L
Alright, I can see how this could be a problem. But why is no one asking who the hell keeps losing their laptops or having their laptops stolen? I can see it happening, but those numbers seem kind of excessive, especially 10 with sensitive data. For some reason I wouldn't be surprised if they are being sold to some source. Because, I've never lost a laptop, nor has anyone I've ever known. I've broken them sure...but c'mon.
In a world of acronyms, the words are the real victims.
"So what we suggest is having an encryption solution (and) having a tracking and recovery solution so that if you do get into trouble you can do something after the fact." - CEO of some company that will *gladly* sell you this.
What's so fuddy about that? If you have sensitive data on a laptop, you better encrypt it. Sounds like common sense to me.
And I'm *not* in the portable encryption business.
Is it an unspeakable crime to sell useful services and advocate for wider adoption of those services?
is that many people want the government to have even more control over our lives, mainly health care and retirement. Look, this is the FBI, if they cannot keep track of sensitive data how in hell can we trust another government organization to do better?
The problem with government entities is that Congress never writes laws that punish them. Corporations sure, if a corporation lost "sensitive customer data" you can be sure of howls in Congress and a rash of new laws punishing "evil" corporations. When it's the government they turn their heads.
Accountability is the one thing the government has always lacked and the one thing they seem to want from everyone else, you, me, and any other non-government entity.
They should be held to higher standards than ANY corporation, school, or private organization. We entrust them with our lives, shouldn't they be required to prove they can handle that trust?
* Winners compare their achievements to their goals, losers compare theirs to that of others.
How does this compare to other agencies and companies? 160 over an almost four year period sounds like a lot, but the FBI has over 21k laptops according to the story. That's about 0.76%, or about 0.19% per year. Is this higher than what most companies lose?
The data on the laptops is more worrying. But I wonder when they use the term "sensitive" exactly what that means? Does having the name of the agent on the laptop mean it's sensitive? It'd be different if they spelled out whether the information was classified and to what level.
-dave
/., where "Apple and Google provide Iran with nukes" will be refuted with "But Microsoft is a convicted monopolist"
when you have lots of contractors and subcontractors, things are easy to get misplaced or used without filling out the needed forms.
Like that one contractor that used an FBI agent login to get about the long time it was taking him to get the OK to do simple stuff like add a printer for the new systems that he was setting up. That was already running late and over budget.
The company that makes this has a managed service called MobiNET that helps to broker the connection so that even Joe Sixpack can connect anywhere there is a net connection.
Well, I can't comment on how well that product works, but securing network connections doesn't address the issue of securing the data that exists on the laptop.
IIRC, the Veterans Affairs laptop that went missing a few months ago contained a database of records that the VA employee used to perform her claim administration work while visiting vets in their homes. Granted, an encrypted connection to the home office would be the way to go, but hardly feasible in such a case, especially given that much of the country is still on dial-up, if at all.
Lost Laptops Scare Daylights Out Of My PHB's
I'm not a PHB, but I have the strong opinion that NO, ZERO, ZIP, NADA data should be stored on ANY portable device. This includes CDs, floppies, USB sticks, laptops. Whatever.
Important data should reside on a backed up, physically secure place like a data server. Remote access to that should be through encrypted and secure channels.
I'm not asking for instances of moronic behavior here, but would anybody in their right mind carry around a filing cabinet that has things like your mother's maiden name, SSN, passwords, copies of keys to your house, car, safety deposit box, etc, etc, and then get concerned if you lose the thing or it gets stolen?
No sane person would do that. But apparently this is status quo with government agencies and businesses.
In a recent 44-month audit (ending in Sept. 2005), the FBI reported 160 lost or stolen machines. Of those, ten were confirmed to have sensitive info. A startling 51 of these machines had unknown information -- in other words the FBI never knew what they lost.
I just crumpled up my tinfoil hat and threw it away. I'm more scared of little sister kicking me in the balls than whatever "big brother" could do.
These guys remind me of a quote by a psychologist that said something like "We don't know what we are doing, but we are doing it very carefully".
Of course, one is too many, if it has the wrong/right data on it. But this left me with a lot more questions than answers.
TFA mentions that the FBI has "more than 21,000 laptops at any given time". The loss or theft of .76% (160) in 44 months is .21% per year. Is an annual disappearance rate of 2/1000 laptops high? What's the benchmark for the private sector, and how much lower should the tolerance be for the FBI or similar organizations? I gave up after following numerous Google and Ask links; all I found were USAToday-type figures, which didn't give rates and often didn't seem credible. (One link cited an "FBI statistic" that one in 8 laptops will be stolen ... I wondered if they were just trying to make themselves look good!)
How much should we care about the distinction between lost and stolen? I note that the loss rate has gone down while the theft rate has gone up, although about three fourths of the disappearances are classified as losses. I'll bet it's more socially acceptable in the FBI (as elsewhere) to say "my laptop was stolen" ("it broke ... uh, I mean ... there were these three big guys ...") than "I lost my laptop". The audit points out that the reporting of losses and thefts didn't seem to follow required procedures, including 38 that were reported more than 10 days after loss. There's a lot of ass-covering that can go on in 10 days, I suspect.
Also, the audit says the FBI had a total of 26,166 laptops. Assuming this does not contradict "21,000 at any one time", that seems to mean that the FBI turns over about a quarter of its laptops in three and a half years. (Rough math seems appropriate because "more than" isn't very precise.) That actually seems like a slow replacement cycle, compared with large corporate environments, but the replacement rate isn't particularly relevant here. What might be relevant is an audit of what happens to an FBI laptop when it is taken out of service. If these aren't securely managed, then we have a bigger security threat, by far, from replacement of laptops than we do from lost or stolen ones. Five thousand routine disposals vs. 160 "non-routine disposals". (I'm kind of surprised some bureaucrat didn't categorize them that way.) If the procedures aren't tight, I'd be a lot more worried about those.
As an aside, I'm shocked -- shocked! -- to see that TFA has several plugs for commercial "solutions" to the problem.
This isn't always practical. For example, FEMA collects personal data on laptops after hurricanes and other disasters. Often there's no network to connect to. Last week I was at an airport for three hours - only signal I could get was a 10kb Wifi connection.