Auditors Report FBI Fails in Tracking Lost Laptops

An anonymous reader writes "The Department of Justice's Office of Inspector General is reporting that the FBI has lackluster performance when it comes to tracking data lost on missing laptops. In a recent 44-month audit (ending in Sept. 2005), the FBI reported 160 lost or stolen machines. Of those, ten were confirmed to have sensitive info. A startling 51 of these machines had unknown information — in other words the FBI never knew what they lost. Some of these machines likely contained some of the most sensitive security information the FBI has, as there were several in the bunch that belonged to members of the Counterintelligence and Counterterrorism Divisions. But the FBI was never able to properly respond to these losses because someone didn't fill out the right paperwork. The OIG has a copy of the audit (pdf) for public consumption."

I wonder if most of these end up in pawn shops

[antifoidulus]

or is there an emerging criminal organization that targets laptops for the data they contain instead of for the hardware itself. It could be much more profitable to hold the data hostage rather than flip the laptop for whatever crappy amount you could get on ebay or at the local pawn shop.

Have there been any intensive studies that attempt to show what happens to stolen laptops?

Alright....

[otacon]

Alright I can see how this could be a problem. But why is no one asking who the hell keeps losing their laptops or having their laptops stolen. I can see it happening, but those numbers seem kind of excessive, especially 10 with senstive data. For some reason I would't be surpised if they are being sold to some source. Because, I've never lost a laptop, nor has anyone I've ever known. I've broken them sure...but cmon.

Re:Alright....

[B'Trey]

160 over three and a half years? Out of some 21,000? Doesn't seem overly excessive to me.

The article also fails to differentiate between NIPR (unclassified) and SIPR (classified) laptops. Regardless of your clearance, it's illegal to put classified information on a non-classified laptop. And classified laptops can not generally be taken home unless you have a certified storage location (a safe.) If they're not locked up, they should be in your direct possession at all times. If a significant number of classified laptops are missing, then it's a serious issue both in terms of the potential damage and in terms of users violating security procedures.

Non-classified laptops missing can be serious as well, particularly in terms of individual personal data being compromised and leading to identity theft or credit fraud. But the loss of sensitive-but-unclassified info is not nearly as serious in terms of the big picture as loss of classified data.

Lost Laptops Scare Daylights Out Of My PHB's

[8127972]

That's why They've begun to issue a remote access product called the MobiKEY. It is a USB token with a smart card that creates an SSL tunnel with 2 factor authentication (some sort of PKI based scheme) to your work computer. The company that makes this has a managed service called MobiNET that helps to broker the connection so that even Joe Sixpack can connect anywhere there is a net connection. The beauty of this is that all the corporate data stays behind the co there's no data to lose. If you do lose the token, the human that has it has four attempts to guess the password before the SIM fries itself. So assuming your password isn't "password" or something stupid like that, it's secure.

Re:Lost Laptops Scare Daylights Out Of My PHB's

[hackstraw]

Lost Laptops Scare Daylights Out Of My PHB's

I'm not a PHB, but I have the strong opinion that NO, ZERO, ZIP, NADA data should be stored on ANY portable device. This includes CDs, floppys, USB sticks, laptops. Whatever.

Important data should reside on a backed up, physically secure place like a data server. Remote access to that should be through encryped and secure channels.

I'm not asking for instances of moronic behavior here, but would anybody in there right mind carry around a filing cabinet that has things like your mother's maden name, SSN, passwords, copies of keys to your house, car, safety deposit box, etc, etc, and then get concerned if you lose the thing or it gets stolen?

No sane person would do that. But apparently this is status quo with government agencies and businesses.

In a recent 44-month audit (ending in Sept. 2005), the FBI reported 160 lost or stolen machines. Of those, ten were confirmed to have sensitive info. A startling 51 of these machines had unknown information -- in other words the FBI never knew what they lost.

I just crumpled up my tinfoil hat and threw it away. I'm more scared of little sister kicking me in the balls than whatever "big brother" could do.

These guys remind me of a quote by a psychologist that said something like "We don't know what we are doing, but we are doing it very carefully".

Rummy's Reply

[Aqua_boy17]

Too bad Rumsfeld's not in a position to announce this to the public. I can hear the press conference now: "There are the ones we know we lost, then there are the ones we don't know we lost, then are are the ones we know are not lost....."

I wonder ...

[richg74]

Did they check that closet in the cellar where J. Edgar Hoover kept his frocks ?

Lost Stolen

[fluffy99]

Unlike most, I at least skimmed through the IG report. Only a handful of those laptops were confirmed as stolen, the rest are simply lost. In my experience, lost usually means: another agency or department has it and the agency that originally procured it lost track of it; it was an ancient laptop and its in the bottom of a closet somewhere; or it was scrubbed and disposed of without the proper paperwork being done. Thefts do happen, but it's just a likely that the employee took it home and his kid is playing pac-man on it.

I Know

[ReidMaynard]

A startling 51 of these machines had unknown information -- in other words the FBI never knew what they lost.

Playboy.com : Girls of the FBI

What scares me more

[Shivetya]

is that many people want the government to have even more control over our lives, mainly health care and retirement. Look, this is the FBI, if they cannot keep track of sensitive data how in hell can we trust another government organization to do better?

The problem with government entities is that Congress never writes laws that punish them. Corporations sure, if a corporation lost "sensitve customer data" you can be sure of howls in Congress and a rash of new laws punishing "evil" corporations. When its the government they turn their heads.

Accountability is the one thing the government has always lacked and the one thing they seem to want from everyone else, you, me, and any other non-government entity.

They should be held to higher standards than ANY corporation, school, or private organization. We entrust them with our lives, shouldn't they be required to prove they can handle that trust?

How does this compare?

[planetmn]

How does this compare to other agencies and companies? 160 over an almost four year period sounds like a lot, but the FBI has over 21k laptops according to the story. That's about 0.76%, or about 0.19% per year. Is this higher than what most companies lose?

The data on the laptops is more worrying. But I wonder when they use the term "sensitive" exactly what that means? Does having the name of the agent on the laptop mean it's sensitive? It'd be different if they spelled out whether the information was classified and to what level.

-dave

Re:Lost Stolen

[LilGuy]

The point is you would think an agency charged with highly sensitive information relating to national security would have their shit locked down airtight.

I've worked for some major corporations dealing with financial information that would've castrated people one by one until this was no longer a problem. I find it very hard to believe the FBI is this relaxed about the problem.

Another perspective from someone who works on this

[BenEnglishAtHome]

I've decided to comment instead of mod since I feel sure you'll get to 5 without me. This:

another agency or department has it and the agency that originally procured it lost track of it; it was an ancient laptop and its in the bottom of a closet somewhere; or it was scrubbed and disposed of without the proper paperwork being done.

is the most insightful thing anyone is going to post on this topic. I'm in the middle of assisting with inventory issues in a major TLA. "Missing" laptops (Katrina/flood losses aside) are always explainable in these ways. Last week, a laptop that had been "lost" for over 5 years was found in a cabinet during an office move. Years ago, that laptop went on a public report as "lost." Our inventory tech had to fall on his sword and file paperwork removing it from active inventory because we couldn't find it. It wasn't taken home by anyone, stolen, or improperly passed on to another agency. It was simply misplaced.

Add to this the pallets of used equipment that get diskwiped and then donated to schools, a process often involving running around, looking for every unissued piece of obsolete equipment we can find and quickly doing whatever is necessary to get it onto the pallet, and you have a situation where laptops become "lost" in too-big numbers but without any real threat to anybodys security.

I would only be concerned, really, about two classes of losses. First is the handful (less than 10) that were stolen apparently due to negligence. However, in most of those cases, the data was routinely encrypted and, again, there's no security threat. Second are the 4 laptops that went home with employees when they retired. That's just inexcuseable.

Overall, 150 or so lost laptops in an organization that size is pretty damn good performance.