Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

White House Demands Encryption for Sensitive Data 214

An anonymous reader writes "Stung by a series of data losses or disclosures at federal agencies over the past month, the White House is requiring all agencies to follow new guidelines when allowing employees to carry sensitive data on laptops or access the information from afar, according to the Washington Post. From the article: 'To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.'"
This discussion has been archived. No new comments can be posted.

White House Demands Encryption for Sensitive Data

Comments Filter:
  • by Pieroxy ( 222434 ) on Wednesday June 28, 2006 @03:24AM (#15619322) Homepage
    And the real question is: Why wasn't all these measures mandatory before? Did noone thought of the potential problem of a user going home with his laptop before?
    • by OpenSourced ( 323149 ) on Wednesday June 28, 2006 @04:13AM (#15619456) Journal
      Why wasn't all these measures mandatory before?

      Because most of it is unenforceable, and certainly doesn't cover the entirety of the problem. Let's check it point by point.

        1. Encrypt all data on mobile computers/devices which carry agency data unless the data
      is determined to be non-sensitive, in writing, by your Deputy Secretary or an
      individual he/she may designate in writing;


      So basically ALL data will be sensitive. We're not longer talking about CIA operatives or Pentagon generals with state secrets under the arm. It's the secretary of the editor of the "Golden Days" monthly that will access the name of one of the retirees it serves from her son-in-law's computer to see why Ms. Applewhite didn't receive her beloved issue last month. The secretary is not only not going to encrypt the data, she's blissfully unaware that her son-in-law hard disk is completely shared on eMule due to her son-in-law's imperfect grasp of eMule's share facility.

        2. Allow remote access only with two-factor authentication where one of the factors is
      provided by a device separate from the computer gaining access;


      Yeah, sure. I guess somebody is underestimating the ubiquity of data communications nowadays. Or thinking still about CIA operatives mainly.

      3. Use a "time-out" function for remote access and mobile devices requiring user re-
      authentication after 30 minutes inactivity


      Now this one is probably going to be widely enforced, it'll be simple to do.

        4. Log all computer-readable data extracts from databases holding sensitive information
      and verify each extract including sensitive data has been erased within 90 days or its
      use is still required.


      The logging will be made, usually. But how about the verification, I mean, in some places Harvest will really be plentiful, and the Laborers??? few, if any. Who's going to check all those accesses and what happened of the data? And even if they do, what about the son-in-law's shared hard drive? I mean, what about other copies that could have been done, printed, etc. from that original data. Printouts in the garbage are still one of the better ways of getting confidential data. What about flash memories in the workplace. Remember that story about the trojan-seeded flash drives scattered by the entrance of some goverment office building? Or Los Alamos missing hard drives ? The data security problem is certainly not going to be solved by a four-points note from the White House.

      Basically this not is just a paper that says that a) The White House is trying hard to address this problem. b) Now you know who to blame (usually the overworked DBA) if anything important gets copied and hits the news.

      • by arivanov ( 12034 ) on Wednesday June 28, 2006 @04:29AM (#15619490) Homepage
        Yeah, sure. I guess somebody is underestimating the ubiquity of data communications nowadays. Or thinking still about CIA operatives mainly.

        The kit in question is available from a number of vendors. I got one with me from Aladin marketed under the name of eToken, supports standard x509 certificates and if it will be bought in the quantities .gov will buy it the price will be in the sub 10$ range. It is only moderately more expensive now.

        Works with nearly all OS-es: Mac, Winhoze, Linux, *BSD. It is about one quarter the size of an average USB key and has RSA engine on board. Once you have written the private key on it there is no way to retrieve it. All RSA ops are performed on the key.

        Add to that the fact that all modern laptops and most recent desktops have TPM. You can use that for similar purposes.

        In fact, the problem is not in the tokens and dongles. There are plenty of these on the market. The problem is how to handle certificate infrastructure and trust levels on the level of millions of certificates especially revocation. Now how .gov handles that will be interesting to watch.

        • That's why the military has already rolled out their own PKI infrastructure with smart card cards and all. Creation of the cards is done by a trusted source meaning your keys are trusted. The keys on board are only available once you enter your pin and badda-bing. Pretty much gone are the days of the old Green Military ID Card.
          • by arivanov ( 12034 ) on Wednesday June 28, 2006 @07:45AM (#15620058) Homepage
            That part is easy.

            The hard part starts from there on.

            You have to revoke the certificate if GI Joe number 286456781 is dead or has gone missing in action. You have to revoke the certificate if GI Joe 286456781 is found to be really Major Razvedki Ivanov. You have to revoke the certificate if Gi Joe 286456781's wife is found to really be Major Li of the people revolution army and she has gotten hold of the card PIN along with the card by means of giving excellent head.

            Actually, revoking as such is not that hard either. May be a bit painfull in a multi-tier certificate hierarchy, but still possible.

            The hard bit is propagating the knowledge that the certificate is revoked across an infrastructure of a .mil or .gov size. The main reason is that some portions of the infrastructure are offline most of the time and some are mandated be able to work in offline mode. In practice - how the f*** do you send a revocation list to a submarine?
            • The hard bit is propagating the knowledge that the certificate is revoked across an infrastructure of a .mil or .gov size. The main reason is that some portions of the infrastructure are offline most of the time and some are mandated be able to work in offline mode.

              reminds me of a story i read, i think over at fark, a month or two ago, about an army officer who had been retired for a number of years. someone who got his SSN was able to get a military id in the guys name (despite his having been retired,

              • despite his having been retired, when i read it, he still wasnt sure how the man was issued an active ID for a retired officer

                Retired military are generally still issued a military ID, giving them access to base hospitals, the PX/BX, etc. There's a difference between someone who's simply a veteran and someone who's stayed in for 20 years and retired.
        • The kit in question is available from a number of vendors. I got one with me from Aladin marketed under the name of eToken, supports standard x509 certificates and if it will be bought in the quantities .gov will buy it the price will be in the sub 10$ range. It is only moderately more expensive now.

          Uhh, there are more than just PKI-based kits available. For example, you could go with SNK cards. In this case, the service to be accessed generates a challenge code. You then enter your pin and the challenge
      • Beware, too (Score:5, Interesting)

        by smittyoneeach ( 243267 ) * on Wednesday June 28, 2006 @05:39AM (#15619642) Homepage Journal
        the Law of Obstructive Conformity[1] which says that, given a sufficiently large ruleset, one can always locate a way to destroy any hope of mission accomplishment.

        Beset with yet another layer of Policies, Programs, and Procedures the things a bureaucracy will need are:

        feasibility studies

        staffing increases

        training

        miscellaneous budget increases

        Does anyone know the source of that quote in the Civilization IV game:

        The bureaucracy is expanding to meet the needs of an expanding bureaucracy.

        [1] I am making this up.

      • by jascat ( 602034 ) on Wednesday June 28, 2006 @05:52AM (#15619675)

        Counter-point:

        1. It sounds as though they are talking about classification here. There is a such thing as "Sensitive but Unclassified". Also, personal information gets protection under the Privacy Act of 197-something. Anyhow, it isn't as serious as you make it out. The stuff that is classified is protected at a whole different level.

        2. No, they are saying that if you're going to connect to their network, you're going to have to do it with approved systems and use their authentication and it will all probably be through an approved, encrypted VPN. I know that the DoD has made a push over the last few years to replace the ID cards with smart card IDs with PKI certs embedded on them. These tie into the PKI infrastructure that has been rolled out and although it's taken a few years to get going, we're finally seeing it become a reality...you know, where it's becoming mandatory to log on using your card, sign emails, etc etc.

        3. Well, it's all enforceable. That's the beauty of a government owned network. If they catch you not following their rules, they can fire you or even go so far as to prosecute you. Why not? You could be a terrorist! *gasp*

        4. I agree with you here. Logs are great and all, but having a great gob of logs doesn't do you much at all. I wish them luck trying to go back to find a single transaction from 89 days ago.

      • by me-g33k ( 984217 ) on Wednesday June 28, 2006 @06:16AM (#15619725) Homepage
        Actually it goes one level deeper. It's not just the access to the information but the ability to properly classify and then enforce document controls. If you think in terms of the old paper methods, there were entire sub-organizations dedicated to the publication of information and its maintenance and management. When everything started to go digital, those roles and processes seemed to have been lost in the translation. Factor in the constantly decreasing cost of storage and we see the glut of 'stuff' that exists in storage silos all over the place. Granted that Gov and Mil are usually better at classifying their information but the access vectors to this information has changed. We no longer have to walk into a public building and sign in to get paper (although a digital simulacrum pervades) it's posted and made readily available. This is in the 'finished' incarnation of the document. How about the 'in progress' work? Which is one of the locuses of the issue at hand. People taking work out of their office environments into the 'wild'. I HATE to say it but this is where DRM would be useful. Tied to roles and responsibility defined (hopefully) in a rational directory, document destruction could be automated. That leads me to another research question; Does TPM have a handshake with DRM?
      • So basically ALL data will be sensitive. We're not longer talking about CIA operatives or Pentagon generals with state secrets under the arm. It's the secretary of the editor of the "Golden Days" monthly that will access the name of one of the retirees it serves from her son-in-law's computer to see why Ms. Applewhite didn't receive her beloved issue last month. The secretary is not only not going to encrypt the data, she's blissfully unaware that her son-in-law hard disk is completely shared on eMule due

      • Why wasn't all these measures mandatory before?

        Because most of it is unenforceable, and certainly doesn't cover the entirety of the problem. Let's check it point by point.

        I disagree. I work for a rather large company in which the average employee is probably dealing with less sensitive data than the average White House employee. Yet we have a policy that requires all laptop hard disks to be encrypted (regardless of what is stored on them), all remote logins to use two-factor authentication, etc. T

      • What about using work processing software that allows for dummy terminal style work? You can do the work, but the programs are ran off a main server, which you have to VPN into (utilizing two-tier security measures - I would say go with passcode and fingerprint...but if they want to use key cards use a keycard similar to Citrix - which is a pain in the arse to use anyhow...but something with a constantly changing code).

        Getting back to the remote system....yes you can work from your nephews computer, you
      • This rule, combined with Bush's recent victories stripping government whistleblowers of protections [whistleblowers.org], lets Bush fry anyone he wants to intimidate, especially if they've been leaking.

        "These days it's all secrecy, and no privacy."
        - The Rolling Stones, from "Fingerprint File" [lyrics007.com]
      • We're not longer talking about CIA operatives or Pentagon generals with state secrets under the arm. It's the secretary of the editor of the "Golden Days" monthly that will access the name of one of the retirees it serves from her son-in-law's computer to see why Ms. Applewhite didn't receive her beloved issue last month. The secretary is not only not going to encrypt the data, she's blissfully unaware that her son-in-law hard disk is completely shared on eMule due to her son-in-law's imperfect grasp of eM

    • And the real question is: Why wasn't all these measures mandatory before? Did noone thought of the potential problem of a user going home with his laptop before?

      - Because encryption is a black art (and a dirty word) to a lot of people. I've had people tell me that they don't want to own books on crypto or have crypto software on-hand because it will make them look like they have something (evil / illegal) to hide. Makes me sad as a patriot...

      - Because it's easier to keep your head in the sand regardi
    • It is required in Sarbanes-Oxley. I know because I have to implement it. But apparently the government was exempt from those laws?
  • Oh, lookie here (Score:5, Interesting)

    by Anonymous Coward on Wednesday June 28, 2006 @03:25AM (#15619325)
    Speaking of which, you should probably get a glimpse at what Google .Gov [disa.mil] dragged up.
    • by wbren ( 682133 ) on Wednesday June 28, 2006 @04:00AM (#15619420) Homepage
      Some great nuggets of information I found in that PDF:
      • The default settings of P2P applications share all documents and media files on your machine. Which P2P apps are they talking about?
      • P2P file exchanges generally violate international copyright laws. - Stop lumping P2P with piracy, DoD!
      • Enable Wired Equivalent Privacy (WEP) on all laptops, PDAsand wireless access points. - WPA anyone?
      • THE INTERNET IS ALWAYS WATCHING - But the DoD is always watching [hiwaay.net] the Internet, so don't worry!
      • CLASSIFIED CPU's should be at least 3 feet from UNCLASSIFIED CPU's - Cooties?
      • Traveling with a government computer? Keep track of it! - Good thing you told me! I never take the time to keep track of my laptop when I travel.
      Also check out page 37 for the most hilarious picture ever included in a PDF (labeled 38 in the actual PDF).
      • "CLASSIFIED CPU's should be at least 3 feet from UNCLASSIFIED CPU's - Cooties?"

        No. RFI, couling induction and TEMPEST concerns are what I was told. Although only God knows why 3 ft is the magic number - and LCD vs tube doesn't seem to matter.

      • I think the DISA made quite a large freudian slip on page 43. Here's a screenshot [imageshack.us]. Are they trying to tell us something?
        • Don't ascribe to malice what can easily be ascribed to incompetence....

          The logo is just on a white (as opposed to transparent) background. Hence, it's a square which happens to cover most of Europe. It had to cover something since the person making the graphic didn't convert the jpg to a tiff or png that has transparent backgrounds.

          Likely just an office worker doing something quick in powerpoint without spending a lot of time finessing the thing.

          Leave it to slashdot to find something wrong with it. I'll

      • Re:Oh, lookie here (Score:5, Informative)

        by tonan ( 325152 ) on Wednesday June 28, 2006 @05:17AM (#15619584)
        I don't know how other departments and agencies deal with their networks, but all P2P software is banned from our machines (Air Force), and all known P2P/BitTorrent ports are blocked through our firewall. All client computers are scanned for illegal software (which includes Google Earth and iTunes) on a regular basis, and the local Information Protection Office will let you know if you are in violation.

        The 3-foot rule is an old EMSEC (Emmissions Security) rule that seems a bit outdated. It's supposed to prevent signal emmissions of hard-wired machines from being interfered with or being collected by other devices. I know it sounds ridiculous, but the program is is old and outdated.

        Overall, that PDF slideshow is not a very good IA training tool. They probably don't even use that anymore, or it's only used by a small group of people. The link at the end of the document brings you to a course completion page that shows the date of the program as 2004. You guys might not be able to see the site if you are not on a .mil/.gov computer.

        IA training is mandatory for all users of DoD client machines, but the DoD networks have many other safeguards to protect information. As always, a security policy is only as strong as the people abiding by it, so IA training tries to lessen the risk of information leaking out due to poor information protection by the user.
        • IA training is mandatory for all users of DoD client machines, but the DoD networks have many other safeguards to protect information. As always, a security policy is only as strong as the people abiding by it, so IA training tries to lessen the risk of information leaking out due to poor information protection by the user.

          Well, I think I'll keep a copy of this around to show people what "IA training" meant as recently as 2004. It should go a long way toward educating those who are overly enamored of the Do
      • Re:Oh, lookie here (Score:4, Insightful)

        by rahrens ( 939941 ) on Wednesday June 28, 2006 @07:05AM (#15619872)
        P2P apps are not allowed in my Agency. They probably included this as an explanation for why; specific apps are not necessary for the explanation to be valid.

        Since a LOT of people use P2P for pirating copyrighted material, that is also a valid statement. Just because its not ALWAYS used illegally, does not invalidate this statement for their purposes.

        DOD is a BIG agency, with a lot of employees. It likely that many of them have routers capable of wireless tramsmission, but not new enough to use WPA. To enable the most people to be able to connect remotely, WEP is allowed. Notice that recent loss of laptops with sensitive info did NOT include DOD, nor did they include actual CLASSIFIED material. That stuff is covered under a whole different, and MUCH stricter, set of rules!

        3 foot space? Covered adequately by other posters who know more about it than I do.

        A LOT of people lose laptops. Civilians, government workers, and military. This statement is there for obvious reasons. People always need to be reminded, plus, statements like this are needed to remind employees that their employer thinks the issue is important. You cannot just take it for granted that people will just magically understand how you think. In addition, if this is included in such a presentation as this an emnployee can't later claim that he/she wasn't told! It's therefor a CYA for the organization.

        My own agency uses a total encryption program that encrypts the entire HD. We take nothing for granted. Employees have no choice, laptops are issued this way. You don't like it, you don't get a laptop. We use a two step authentication procedure for remote connections, in fact, everything this article says the White House is demanding, my agency has been doing for over two years.

        Has it cost a lot? Yes, this stuff isn't cheap. Is it worth it? Yes, you won't see my group in the news like this!

        Does info get out in ways accessible to potential thieves? Probably, we have over 10,000 employees; it's hard to control the actions of that many people, and information can be copied in so many ways. But we do what we can; we only allow the use of encrypted laptops, desktops that are allowed home are also encrypted this way, too. As mentioned, two step authentication, firewalls, 24/7 firewall/WAN monitoring for suspicious activity. If a machine is caught broadcasting packets identified as coming from prohibited software, a technician is dispatched to remove it. User has no choice. Desktops are locked down, and special permission is required from a committee to allow local admin control for any user. Users can't even install their own local printers!

        Users are required to review an annual Information Security Awareness presentation, via the intranet, so we can monitor compliance. If you don't view it within a certain time frame, your account is automatically disabled, and you then need special permission from an Associate Commissioner to get reconnected without viewing the show! This guarantees management attention to your failure to follow security procedures!

        I have only touched on the most obvious arrangements, there are a lot of others that I can't reveal - I'd have to shoot all of you! I'm sure that there are others I don't know.

        Does all of this guarantee we won't see a breach? No, I'm sure it doesn't. But it makes it much more likely that if one occurs, the headlines will make note of an employee that broke procedure and did something to get around agency safeguards, and will eventually report his/her prosecution.

        We are not perfect, and we'll be the first to admit that. We ARE human, after all. (gasp!) BUT, just because we get our paychecks from Uncle Sugar doesn't mean we left our brains at the door.

        Some agencies use the budget Congress gives us to do our jobs, and we try to do them without being told. We even try to close the barn door BEFORE the cow gets out!

        I know that's a shock to some of you, but we really do try, and we most often get it right. You only read about it when we don't...
      • CLASSIFIED CPU's should be at least 3 feet from UNCLASSIFIED CPU's - Cooties?

        Makes it easier to see if there are any cables strung between the two computers. Also makes it more obvious if someone is taking something out of the one machine to attach to the unclassified machine (such as storage media). Assuming that someone is watching (or that there is surveilance footage being archived).

        (Both hurdles are bypassible with a little sleight-of-hand. Newer wireless protocols such as Bluetooth, WiFi, IR mak
      • The hilarity of this pdf, is that it's really a Power-Point presentation that's been transferred to PDF format - probably out of some misplaced concern for portability.
      • CLASSIFIED CPU's should be at least 3 feet from UNCLASSIFIED CPU's

        IF the government is stupid enough to mix classified and unclas machines in the same vicinity, this might have to do with RFI, as an earlier post stated. Generally speaking, the classified computers and networks are physically separate from the unclas stuff (as in, separated by a vault or a bunker).

    • Well, now I feel safe....

      From the parents PDF:


      Government Owned Equipment
      - Enable Wired Equivalent Privacy (WEP) on all laptops, PDAs and wireless access points.


      Like thats going to stop a hacker for all of a few minutes.
      Bizarre. WEPs shortcomings have been known for years.
    • Interesting stuff!
      I'm surprised they have to tell people to use strong passwords? They don't enforce this when a user changes their password?? There's a bit on P2P too - they don't block this?? I know P2P networks can be a bitch to control through the firewall but there are application layer firewalls and other intelligent devices to sort this kind of thing out.

      Interesting that classified PC's must also have removable HDD's and be clearly marked classified - shouldn't they just be physically located
      • Chances are the password policy IS enforced, but they have to mention it in the slides anyway. Most government systems actually have password requirements so stringent that I think they're counterproductive, since they're well into the "I'd better write that down or I'll never remember it" category. Technically writing it down is a violation too, but people are people.
  • Wow... (Score:3, Funny)

    by nexcomlink ( 930801 ) on Wednesday June 28, 2006 @03:27AM (#15619330) Homepage
    Why has this not been done before? But let me guess the encryption is ROT13.
  • by johnnywheeze ( 792148 ) on Wednesday June 28, 2006 @03:30AM (#15619338)
    Those people who have legitimate access to that data leaking the information? Was there a huge wave of hacker activity stealing and disseminating classified material lately? Because I must have missed it.

    Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasence in the Bush administration.

    This doesn't do much to stop this kind of leak, but makes it much easier to track down those who do leak information. I don't think this has as much to do with security, as it does fear and punishment.

    • Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasence in the Bush administration.

      You know, there was a time when doing that sort of thing was called treason...
      • by oddfox ( 685475 ) on Wednesday June 28, 2006 @04:53AM (#15619541) Homepage

        You know, there was a time when doing that sort of thing was called treason...

        Maybe if this administration was a little more well-liked [cbsnews.com] they'd be able to convince people that the leaking of it's shortcomings and bastardization of the law(s) of the land was a real threat. As it stands, the only thing these leaks are doing is proving to your average American that, hey, Bush really is the bastard the ultra-liberals decried him as in the first place.

        • by RobotRunAmok ( 595286 ) on Wednesday June 28, 2006 @05:38AM (#15619637)
          As it stands, the only thing these leaks are doing is proving to your average American that, hey, Bush really is the bastard the ultra-liberals decried him as in the first place.

          Except that the "average American" is not quite as "average" as the classist ultra-liberals envision him. What it really does is cause the "NASCAR Dads" and "Soccer Moms" to get even more disgusted with the mainstream news spigots and start seeking less-biased and more representative sources. That, of course, can only hurt the bottom lines of the Old Guard [nytimes.com].

          To successfully compete with an Internet across which one can aggregate news (and opinions) from all over the political spectrum, a traditional mainstream outlet will have to either clearly claim allegiance to one pole (e.g., Fox News) or genuinely have no political leanings or agenda (e.g., nobody right now). The days in which an outlet can pose as unbiased while actually trying to manipulate opinion with stories slanted either left or right are dwindling, or so say the accountants...
          • by lawpoop ( 604919 ) on Wednesday June 28, 2006 @07:19AM (#15619934) Homepage Journal
            "or genuinely have no political leanings or agenda (e.g., nobody right now)."

            I don't think that such a perspective is possible. First of all, I've never seen a theory or technique enumerated or even hinted at for achieving a biasless perspective. I can't help but conclude that human communication is inherenly biased. Even if there were such a technique, would human organizations be able to achieve that standard with limited time and resources?

            Let's say that you did have a biasless report on something. You still have to present the information in serial order. Which side gets to make the 'first move'? (Whose side is presented first?) Who gets the last word? Who gets more words? Who gets longer quotes?
            • I don't think that such a perspective is possible. First of all, I've never seen a theory or technique enumerated or even hinted at for achieving a biasless perspective

              I won't disagree with you.

              Of course, the logical follow-through to the argument is that all journalists are frauds at worst, and merely "pundits-in-training" at best.

              Works for me.
      • by TubeSteak ( 669689 ) on Wednesday June 28, 2006 @08:15AM (#15620256) Journal
        No. It might have qualified as sedition, under the Alien and Sedition Acts of 1798 or the Sedition Act of 1918... ... But the first was overturned by the Supreme Court and the second was repealed by Congress.

        I find that most people who throw about the word "treason" don't actually comprehend what it encompasses, nor do they understand the historical & legal background.

        To commit treason someone has to overtly and willfully cooperate with an enemy, to overthrow the gov't. Anything else gets treated as espionage, since Sedition laws are nonexistant.

        You show me how leaks to American newspapers qualify as over and willfull cooperation with "the enemy" and we can talk treason, until then, please refrain from echoing the ignorant statements of others.
        • To commit treason someone has to overtly and willfully cooperate with an enemy, to overthrow the gov't.

          To emphasize that, here is the text of Article III, Section 3:

          Section 3. Treason against the United States, shall consist only in levying war against them, or in adhering to their enemies, giving them aid and comfort. No person shall be convicted of treason unless on the testimony of two witnesses to the same overt act, or on confession in open court.

          The Congress shall have power to declare the punishme

    • > Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasence in the Bush administration.

      TFA (which I read for a change) says this is about the leaks of personal identity information.
    • by Savage-Rabbit ( 308260 ) on Wednesday June 28, 2006 @06:01AM (#15619692)
      Those people who have legitimate access to that data leaking the information? Was there a huge wave of hacker activity stealing and disseminating classified material lately? Because I must have missed it.

      Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasence in the Bush administration.

      This doesn't do much to stop this kind of leak, but makes it much easier to track down those who do leak information. I don't think this has as much to do with security, as it does fear and punishment.


      I am no Neocon and I usually don't agree with Mr Bush and his crowd on anything at all but this time I fail to see what the fuss is about. They are planning to:
      • Encrypt all sensetive data on laptops and PDAs.
      • Drastically harden authentication methods and make damn sure idle connections are severed.
      • Make damn sure sensetive information is not left lying around on hard drives all over the place thus decreasing the likelyhood of it ending up in the hands of people it wasn't intended for by accident. In short they plan to drastically improve the management of sensetive data.
      In my humble opinion these are all pretty resonable and sensetive measures for any government to take. My only question is: Why wasn't this done many years ago? These are measures major corporations have considered standard for years in order to thwart industrial espionage. I am quite frankly flabbergasted at the what the article seems to imply, which is that US officials, military bigwigs and intelligence people have been traveling all over the USA and the rest of the world for that matter carrying unencrypted sensetive data on their WinDell laptops.
    • Government information is really not very different than corporate information in that most of the security issues come from inside rather than out. People need to have access to information to do their jobs, but it's the abuse by authorized personnel that is the most common problem. Of course, what you actually ever hear about is probably only the tip of the iceberg.

      People will look at whistleblowers in different ways. In many of the recent cases regarding disclosure of questionable Bush programs, the r
  • by Anonymous Coward on Wednesday June 28, 2006 @03:36AM (#15619350)
    numerous data thefts, and we are just now getting around to requiring that we protect our data ??? Makes you wonder exactly what our homeland defense dept. is doing, when it runs Windows, does not push good requirements on computers, and does not even have a place to call them about possible terrorists. Worse, congress debated over a flag admendment and has been complaigning about part of 1 billion wasted during katrina, but does nothing about our deficts, the corruption, or even the 10s of billions wasted in iraq (where is the money that was suppose to build up their infrastructure?). God help us.
    • > Worse, congress debated over a flag admendment

      Maybe for a suitably fraudulent definition of "debated" [washingtonpost.com].
    • by jimicus ( 737525 ) on Wednesday June 28, 2006 @04:52AM (#15619539)
      Makes you wonder exactly what our homeland defense dept. is doing, when it runs Windows


      At the risk of being labelled a trolling fanboy, there is nothing intrinsically wrong with using Windows (or indeed any given operating system) for a government agency.

      What is intrinsically wrong is not taking some time to investigate the requirements of the agency and configuring things accordingly, instead just throwing a bunch of laptops onto a domain and saying "There y'go".

      It may even be the case that they did configure things accordingly with strong encryption available and everything. But maybe no effort was made to ensure it actually got used. Perhaps strong encryption was used, and effort was made to ensure it worked when accessing databases - but some other application crept in for which it was easier to do a plain-text dump of the database onto an unencrypted area of the disk.

      In any sizeable organisation, desktop IT requirements are very complicated. Just saying "They used Windows. What do you expect?" isn't particularly helpful, and doesn't cut to the root of the problem.
      • It may even be the case that they did configure things accordingly with strong encryption available and everything. But maybe no effort was made to ensure it actually got used.

        This is similar to the current implementation of CAC cards for the military. Since about two years ago every soldier, DA Civilian, and DA Contractor has had a CAC card with working crypto keys intended one day to be used for CAC Logon, Email Signing, and EFS style keys. I joined the Army in 2002 and pushing out the CAC card reader
  • by Anonymous Coward on Wednesday June 28, 2006 @03:42AM (#15619369)
    "The Bush administration is giving federal civilian agencies 45 days to implement new measures to protect the security of personal information that agencies hold on millions of employees and citizens."

    Why would this data be on a laptop in transit in the first place? 15 years ago, I would understand the need to carry a bunch of tapes from location A to location B. With recent advances in networking the utility of carrying around data in a suitcase seems quite elusive.
    • by value_added ( 719364 ) on Wednesday June 28, 2006 @04:48AM (#15619530)
      Why would this data be on a laptop in transit in the first place?

      The answer to that question would provide some relevance, context and insight as to the why the decision was made. Aside from the obvious, of course.

      I can't quote any specifics, but I remember hearing the tail end of an NPR story on the "laptop" incident mentioned in the article. Seems the person who had the laptop stolen worked for the VA and typically worked in the field and required routine access to a large database of records to verify claims or something similar. The impression I got listening to the story was that it was a case benign ignorance more than anything else. My guess is that kind of ignorance, both on the part of the laptop owner and his/her agency, wouldn't be unlike the widespread ignorance found in the private sector. I'll resist the too easy Blame Microsoft angle, but we do have a generation of computer users who grew up blissfully unconcerned with such notions of security, so it shouldn't surprise anyone when the folks in charge over-react, or hand down edicts to force everyone into line.

      Government does have a role in setting agendas (ODF is a good example), so I guess this is a good thing. At the very least, it raises awareness.
    • Why would this data be on a laptop in transit in the first place?

      Pick any very large corporation that provides any measure of benefits for employees. Chances are good, if that corp is big enough, that it's currently under some kind of audit by the Internal Revenue Service. If so, there's a strong possibility that some portion of the examination is looking at the benefits plans provided to the the employees. In that case, there is a laptop at the IRS, belonging to the Employee Plans Revenue Agent on the c

  • Not "requirements" (Score:5, Interesting)

    by Black Parrot ( 19622 ) on Wednesday June 28, 2006 @03:58AM (#15619412)
    Just "recommendations".

    Which means this is likely to have zip for effect.
  • by Opportunist ( 166417 ) on Wednesday June 28, 2006 @04:02AM (#15619431)
    ...and require that ours are kept stored for months or years, or even "forever"? Is it me or is something running very wrong here?

    As far as I know, the founding fathers tried to protect the people from their government, fearing that it might turn one day against them. I think it's time to put this in practice. Not the government has to monitor its people, it is to be done the other way around.
    • ...and require that ours are kept stored for months or years, or even "forever"? Is it me or is something running very wrong here? ...

      ... Not the government has to monitor its people, it is to be done the other way around.


      Come on now, it's way too hot outside for tinfoil apparel.

      We're talking about data that's copied off to laptops for mobile use. Copied. The concern is over some federal worker or contractor dumping some subset of sensitive data (say, YOUR information?) off to a laptop while workin
      • When I download some kind of data from the internet, it is retained and should something against me arise in some kind of aspect (say, I am (falsly) accused of being a terrorist), a peek will be taken into my download history to find incriminating news. Like, whether I exposed some unhealthy interest in fertilizers or aspirin 2 years ago.

        Now, if a gov official copies data, 90 days later nobody knows anymore what he copied. It cannot be traced. 90 days is a very short time in our judical system.
  • In related news... (Score:4, Insightful)

    by damburger ( 981828 ) on Wednesday June 28, 2006 @04:22AM (#15619480)
    "Stung by a series of U-Boat losses, the Kriegsmarine is requiring all agencies to follow new guidelines regarding the Enigma code."

    Seriously, the US government is only just figuring out what encryption is for? Exactly incompetent are they?

    And before you get comfortable laughing at these people, consider for a second how dumb you must be to let these same people hoover up all your civil liberties...
  • OMFG!!! By publishing this information the media is helping the terrorists! How will we ever win the wars on terror like this? I'm offended! There are folks that want to kill people out there!!!
  • Awesome (Score:2, Funny)

    by Anonymous Coward
    That's the most impressive thing I have heard from the U.S. Government in the last 7 years.

    It actually makes sense!

  • by jkrise ( 535370 ) on Wednesday June 28, 2006 @05:05AM (#15619562) Journal
    A. Practical Solutions:
    1. As every agent who possesses sensitive information leaves office, shoot him.
    2. Destroy his/her/it's laptop.

    B. Impractical solutions:
    1. Build a new proprietary operating system for secret agents.
    2. Build proprietary hardware for them.
    3. Build scretive, propriateary network cards, that operate on proprietary, unpublished protocols.

    If neither Plan A or B seems workable, post Ask Slashdot for ideas!
    -
  • Call it something with "entierprise".
  • by tonan ( 325152 ) on Wednesday June 28, 2006 @05:30AM (#15619618)
    Before regular users who need to abide by this policy circumvent or abuse this policy. Meaning data will still reside on laptops unencrypted because users don't see the need for additional protections. ("I keep my laptop secure!")

    You can put all the security you want on databases, firewalls, and file servers. But in the end, users still need to access that data. Therefore, accidental (or otherwise) leakage of info by a consumer of this data is the main risk of disclosure, not a hacker. We need to have better IA (Information Awareness) training first, and remind users of their duties to keep this information secure. Another layer of protection won't work if users don't understand how important it is to secure this data.
  • by Cheerio Boy ( 82178 ) on Wednesday June 28, 2006 @06:44AM (#15619803) Homepage Journal
    They need encryption for their security but we can't have it for our privacy .

    (And yes I'm well aware that nothing is forcing us in the US to hand over our encryption yet but don't worry it'll probably happen sooner than you expect.)

    One law for the king and another for the people. We can't live like that...
  • I wonder what is considered 'sensitive data' these days? Anything they choose or just certain things?
    And, will anyone in the public domain ever really know what has been encrypted and why?
  • by dpbsmith ( 263124 ) on Wednesday June 28, 2006 @07:16AM (#15619924) Homepage
    Every week or so there's a news story about someone having a laptop stolen, or being lost, with thousands of customer files on it. I keep wondering why encryption isn't being used. Under Mac OS X, you click one checkbox to enable "FileVault" and everything in your home directory is encrypted. I don't know exactly what's available in the WIndows world, but I'm sure there are tools that are just as easy to use.

    Of course, I don't use FileVault.

    Why not? Well, it's one more thing to go wrong. I'm far more worried about losing my files or losing access to them, than I am about having other people look at them. And, frankly, I've never bothered to find out exactly what happens when you use a standard backup tool on a FileVault-protected Mac (presumably all the backups are UNencrypted if you are running the backup tool from within the protected account?)

    So... I dunno. I don't understand why everyone doesn't use encryption, but I don't use encryption myself. Of course, I have reasons. Probably everyone else has reasons, too?
  • by neonprimetime ( 528653 ) on Wednesday June 28, 2006 @08:31AM (#15620388) Homepage
    White House Demands Encryption for Sensitive Data

    It still won't matter. Just look for the yellow post-it note with the password stuck on the monitor, under the keyboard, or under the mouse pad.
  • Will they be requiring key escrow as well?
  • Privacy (Score:2, Insightful)

    by bmh129 ( 928163 )
    As Jon Stewart said on the Daily Show, "It's nice to see they're protecting their privacy."
  • How about instead of getting all uppity when someone leaks that you voilated an amendment or law, you just simply STOP BREAKING THE FRAKKING LAW.

    Sorry, still on my morning caffiene high

  • I only know of a handful of whole-disk encryption products that support encrypting the operating system disk:

    - PGP sells a corporate level product called "PGP Whole Disk Encryption". [pgp.com]

    - SecureStar sells DriveCrypt Plus Pack [securstar.com]

    What else is out there that is trustworthy? (Heck, do we even trust that there aren't any weaknesses / or back doors in PGP or DCPP?)
  • I work for a large TLA. Generally, our security is pretty good. Fire up a wireless access point in the building (or try to; they won't actually connect to anything) and guys with guns and a laptop running Fedora Core and some scanning software will be walking your floor in short order. I had to carry a couple of them around yesterday while we tried to track down a signal that we finally decided was coming from outside. Last time I saw them, the guys with guns were walking the parking lot, looking for so
  • Sensitive:
    the name of the mole they have in the opposition parties headquarters.
    source and destination of slush fund money
    the memo stating that the WMDs and terrorist links were bogus and just a trumped up excuse to send billions to Haliburton
    the names of US companies sending contraband materials to Iraq, Iran and N. Korea
    the plan to use diebold to steal more elections
    what they really think about the voters

    non-sensitive information:
    your name, SSN, mother's maidenname, credit card numbers,
    phn conversations,
  • So once everyone gets a laptop with an image that has encryption turned on by default, people will feel secure about hauling their laptop around with sensitive data. They will probably even feel secure enough to leave it on the table in the coffee shop while they get a refill, "it will only take a minute."

    We all know that there are user friendly apps out there to retrieve data from encrypted files, though it will raise the bar a little.

    Using a hardware security device also could lead to a f
  • Why is my personal financial information being shared without my expressed, written permission?

    Why are financial records not given the same protections as medical records?

    I have no real problem with credit reporting agencies. These companies are in general very careful with data. I know that when I interviewed with Equifax I was very, VERY impressed by their security. Several steps to get in...everyone checked on the way out. No laptops/PDA's allowed inside, etc -- and I was just interviewing!

    The compan
    • Why are financial records not given the same protections as medical records?

      Actually, with GLB there are some very specific regulations required for Banks and Financial institutions. The downside is most banks aren't following these guidelines and the laws aren't uniformly enforced. The same thing is happening with your medical records. HIPPA rules are very specific, but the laws aren't being enforced [infoworld.com].

      You have no privacy and all of these laws are passed just to make you feel better, not to actually
  • Although this may help prevent massive loss of data as seen recently, it might also reduce transparency in government. This would be a classic security vs. convenience trade-off. but one with potentially larger implications which should be considered.
    • By law, we're supposed to protect anything that is personal info. At least in the DoD. I guess I figured wrong in thinking that other agencies would follow similar rules. Even though this stuff is supposed to apply government-wide to Freedom of Information Act-related materials: in other words, the general public is not supposed to ever see your SSN, clearance, job title, duty phone, and so on.

      There are plenty of days when I wish that natural selection would get rid of the idiots in this world at a hi
      • "By law, we're supposed to protect anything that is personal info. At least in the DoD. I guess I figured wrong in thinking that other agencies would follow similar rules."

        Yes. The problem is that other agencies were all left to their own discretion as to how to protect what. They do a remarkably non-uniform and rather spotty job of it, which is why the OMB is stepping in with more detailed guidance.

        "Even though this stuff is supposed to apply government-wide to Freedom of Information Act-related

  • As Ye Sow.... (Score:4, Interesting)

    by Steve B ( 42864 ) on Wednesday June 28, 2006 @10:21AM (#15621327)
    A comment from Rob Pegoraro [washingtonpost.com] last week:
    Yes, some of this software can be difficult to use. So is most of the junk on the average office machine, and everybody has survived that. (The selection of cryptography software might also be better if the federal government hadn't spent years trying to criminalize a free, open standard for encryption called Pretty Good Privacy. But I digress.)
    He makes a good point -- if it hadn't been for idiotic government policies in the 90s, there's a good chance data security would have been routinely and transparently built into operating systems and/or firmware as a matter of course, to the point where you'd have to consciously do something to screw it up (rather than having to consciously jump through hoops to be secure, as is the actual situation).
    • Are you saying knee-jerk reactions to any sort of liberty can come back and bite people on the ass?

      NO WAI!

      hehehehe. I think the security apathy reaches far beyond the government. I mean how many people really use PGP [or the like] nowadays anyways? Fairly low.

      Tom
      • I mean how many people really use PGP [or the like] nowadays anyways? Fairly low.

        That's my point -- the stupid government policies made it impossible to incorporate decent crypto into data structures by default. (It might not have happened anyway, or might have happened with half-assed implementations such that anyone desiring real security would have had to add it themselves anyway, but it could not happen while the old crypto rules were in place.)

  • Why in the world would you want to take home a hard disk full of sensitive information, when you can work on it while it's stored at a remote location? It's called client/server, and we handle data that way at my job, and we're not even techie IT guys - it's just more secure and even we know that. If it's not on your laptop, it ain't gonna get stolen when the laptop is! Instead it's on a server in a locked room with some security around it. You don't need to take my identity home with you so you can get

A sine curve goes off to infinity, or at least the end of the blackboard. -- Prof. Steiner

Working...