Slashdot Log In
White House Demands Encryption for Sensitive Data
Posted by
ScuttleMonkey
on Wed Jun 28, 2006 03:21 AM
from the common-sense-after-the-fact dept.
from the common-sense-after-the-fact dept.
An anonymous reader writes "Stung by a series of data losses or disclosures at federal agencies over the past month, the White House is requiring all agencies to follow new guidelines when allowing employees to carry sensitive data on laptops or access the information from afar, according to the Washington Post. From the article: 'To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.'"
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
And the real question is... (Score:5, Interesting)
Re:And the real question is... (Score:5, Insightful)
Because most of it is unenforceable, and certainly doesn't cover the entirety of the problem. Let's check it point by point.
1. Encrypt all data on mobile computers/devices which carry agency data unless the data
is determined to be non-sensitive, in writing, by your Deputy Secretary or an
individual he/she may designate in writing;
So basically ALL data will be sensitive. We're not longer talking about CIA operatives or Pentagon generals with state secrets under the arm. It's the secretary of the editor of the "Golden Days" monthly that will access the name of one of the retirees it serves from her son-in-law's computer to see why Ms. Applewhite didn't receive her beloved issue last month. The secretary is not only not going to encrypt the data, she's blissfully unaware that her son-in-law hard disk is completely shared on eMule due to her son-in-law's imperfect grasp of eMule's share facility.
2. Allow remote access only with two-factor authentication where one of the factors is
provided by a device separate from the computer gaining access;
Yeah, sure. I guess somebody is underestimating the ubiquity of data communications nowadays. Or thinking still about CIA operatives mainly.
3. Use a "time-out" function for remote access and mobile devices requiring user re-
authentication after 30 minutes inactivity
Now this one is probably going to be widely enforced, it'll be simple to do.
4. Log all computer-readable data extracts from databases holding sensitive information
and verify each extract including sensitive data has been erased within 90 days or its
use is still required.
The logging will be made, usually. But how about the verification, I mean, in some places Harvest will really be plentiful, and the Laborers??? few, if any. Who's going to check all those accesses and what happened of the data? And even if they do, what about the son-in-law's shared hard drive? I mean, what about other copies that could have been done, printed, etc. from that original data. Printouts in the garbage are still one of the better ways of getting confidential data. What about flash memories in the workplace. Remember that story about the trojan-seeded flash drives scattered by the entrance of some goverment office building? Or Los Alamos missing hard drives ? The data security problem is certainly not going to be solved by a four-points note from the White House.
Basically this not is just a paper that says that a) The White House is trying hard to address this problem. b) Now you know who to blame (usually the overworked DBA) if anything important gets copied and hits the news.
Parent
Re:And the real question is... (Score:5, Insightful)
The kit in question is available from a number of vendors. I got one with me from Aladin marketed under the name of eToken, supports standard x509 certificates and if it will be bought in the quantities .gov will buy it the price will be in the sub 10$ range. It is only moderately more expensive now.
Works with nearly all OS-es: Mac, Winhoze, Linux, *BSD. It is about one quarter the size of an average USB key and has RSA engine on board. Once you have written the private key on it there is no way to retrieve it. All RSA ops are performed on the key.
Add to that the fact that all modern laptops and most recent desktops have TPM. You can use that for similar purposes.
In fact, the problem is not in the tokens and dongles. There are plenty of these on the market. The problem is how to handle certificate infrastructure and trust levels on the level of millions of certificates especially revocation. Now how .gov handles that will be interesting to watch.
Parent
Re:And the real question is... (Score:4, Interesting)
The hard part starts from there on.
You have to revoke the certificate if GI Joe number 286456781 is dead or has gone missing in action. You have to revoke the certificate if GI Joe 286456781 is found to be really Major Razvedki Ivanov. You have to revoke the certificate if Gi Joe 286456781's wife is found to really be Major Li of the people revolution army and she has gotten hold of the card PIN along with the card by means of giving excellent head.
Actually, revoking as such is not that hard either. May be a bit painfull in a multi-tier certificate hierarchy, but still possible.
The hard bit is propagating the knowledge that the certificate is revoked across an infrastructure of a
Parent
Re:And the real question is... (Score:3, Informative)
Retired military are generally still issued a military ID, giving them access to base hospitals, the PX/BX, etc. There's a difference between someone who's simply a veteran and someone who's stayed in for 20 years and retired.
Beware, too (Score:5, Interesting)
Beset with yet another layer of Policies, Programs, and Procedures the things a bureaucracy will need are:
feasibility studies
staffing increases
training
miscellaneous budget increases
Does anyone know the source of that quote in the Civilization IV game:
The bureaucracy is expanding to meet the needs of an expanding bureaucracy.
[1] I am making this up.
Parent
Re:And the real question is... (Score:4, Interesting)
Counter-point:
1. It sounds as though they are talking about classification here. There is a such thing as "Sensitive but Unclassified". Also, personal information gets protection under the Privacy Act of 197-something. Anyhow, it isn't as serious as you make it out. The stuff that is classified is protected at a whole different level.
2. No, they are saying that if you're going to connect to their network, you're going to have to do it with approved systems and use their authentication and it will all probably be through an approved, encrypted VPN. I know that the DoD has made a push over the last few years to replace the ID cards with smart card IDs with PKI certs embedded on them. These tie into the PKI infrastructure that has been rolled out and although it's taken a few years to get going, we're finally seeing it become a reality...you know, where it's becoming mandatory to log on using your card, sign emails, etc etc.
3. Well, it's all enforceable. That's the beauty of a government owned network. If they catch you not following their rules, they can fire you or even go so far as to prosecute you. Why not? You could be a terrorist! *gasp*
4. I agree with you here. Logs are great and all, but having a great gob of logs doesn't do you much at all. I wish them luck trying to go back to find a single transaction from 89 days ago.
Parent
Re:And the real question is... (Score:4, Interesting)
Parent
Why we need it... (Score:3, Funny)
Re:And the real question is... (Score:3, Insightful)
I disagree. I work for a rather large company in which the average employee is probably dealing with less sensitive data than the average White House employee. Yet we have a policy that requires all laptop hard disks to be encrypted (regardless of what is stored on them), all remote logins to use two-factor authentication, etc. T
Re:And the real question is... (Score:3, Insightful)
- Because encryption is a black art (and a dirty word) to a lot of people. I've had people tell me that they don't want to own books on crypto or have crypto software on-hand because it will make them look like they have something (evil / illegal) to hide. Makes me sad as a patriot...
- Because it's easier to keep your head in the sand regardi
Oh, lookie here (Score:5, Interesting)
Re:Oh, lookie here (Score:5, Funny)
- The default settings of P2P applications share all documents and media files on your machine. Which P2P apps are they talking about?
- P2P file exchanges generally violate international copyright laws. - Stop lumping P2P with piracy, DoD!
- Enable Wired Equivalent Privacy (WEP) on all laptops, PDAsand wireless access points. - WPA anyone?
- THE INTERNET IS ALWAYS WATCHING - But the DoD is always watching [hiwaay.net] the Internet, so don't worry!
- CLASSIFIED CPU's should be at least 3 feet from UNCLASSIFIED CPU's - Cooties?
- Traveling with a government computer? Keep track of it! - Good thing you told me! I never take the time to keep track of my laptop when I travel.
Also check out page 37 for the most hilarious picture ever included in a PDF (labeled 38 in the actual PDF).Parent
Re:Oh, lookie here (Score:2)
No. RFI, couling induction and TEMPEST concerns are what I was told. Although only God knows why 3 ft is the magic number - and LCD vs tube doesn't seem to matter.
Freudian Slip (Score:2)
Re:Oh, lookie here (Score:5, Informative)
The 3-foot rule is an old EMSEC (Emmissions Security) rule that seems a bit outdated. It's supposed to prevent signal emmissions of hard-wired machines from being interfered with or being collected by other devices. I know it sounds ridiculous, but the program is is old and outdated.
Overall, that PDF slideshow is not a very good IA training tool. They probably don't even use that anymore, or it's only used by a small group of people. The link at the end of the document brings you to a course completion page that shows the date of the program as 2004. You guys might not be able to see the site if you are not on a
IA training is mandatory for all users of DoD client machines, but the DoD networks have many other safeguards to protect information. As always, a security policy is only as strong as the people abiding by it, so IA training tries to lessen the risk of information leaking out due to poor information protection by the user.
Parent
3-foot rule (Score:4, Interesting)
The concern has to do with radiation produced by equipment; classified systems are shielded (sometimes) or kept in shielded rooms (more commonly, because actual shielded equipment is more expensive) with RF chokes on all the lines going in and out. The idea being that you don't want somebody to be able to listen to RF signals that your monitor on your classified system is putting out, by attaching an antenna to the building's cold-water pipe.
Where the problem gets even more complicated is that you can compromise a well-shielded system (one that doesn't radiate any information back into the power lines, etc.) if you put it close to an un-shielded (unclassified) system. The RF being produced by the shielded system will couple to the coils and whatnot in the unshielded system (which doesn't have any fancy chokes on its connections) and now you're back to radiating classified information into the building's power/water grid.
The '3 foot rule' is definitely arbitrary, but apparently it's the distance at which the people who are paid to think about these things believe that a classified system won't interact with an unclassified system and produce any significant radiation back into the building's infrastructure. If it sounds paranoid, that's because it is -- this was all Cold War era research -- but that doesn't meant it's not still true.
You're right though in saying that the artificial division between EMSEC and COMSEC and COMPUSEC is outdated and should be replaced with something more inclusive and relevant; however, the EMSEC precautions aren't completely outdated, and still exist for a reason where classified data is concerned.
Parent
Re:Oh, lookie here (Score:4, Insightful)
Since a LOT of people use P2P for pirating copyrighted material, that is also a valid statement. Just because its not ALWAYS used illegally, does not invalidate this statement for their purposes.
DOD is a BIG agency, with a lot of employees. It likely that many of them have routers capable of wireless tramsmission, but not new enough to use WPA. To enable the most people to be able to connect remotely, WEP is allowed. Notice that recent loss of laptops with sensitive info did NOT include DOD, nor did they include actual CLASSIFIED material. That stuff is covered under a whole different, and MUCH stricter, set of rules!
3 foot space? Covered adequately by other posters who know more about it than I do.
A LOT of people lose laptops. Civilians, government workers, and military. This statement is there for obvious reasons. People always need to be reminded, plus, statements like this are needed to remind employees that their employer thinks the issue is important. You cannot just take it for granted that people will just magically understand how you think. In addition, if this is included in such a presentation as this an emnployee can't later claim that he/she wasn't told! It's therefor a CYA for the organization.
My own agency uses a total encryption program that encrypts the entire HD. We take nothing for granted. Employees have no choice, laptops are issued this way. You don't like it, you don't get a laptop. We use a two step authentication procedure for remote connections, in fact, everything this article says the White House is demanding, my agency has been doing for over two years.
Has it cost a lot? Yes, this stuff isn't cheap. Is it worth it? Yes, you won't see my group in the news like this!
Does info get out in ways accessible to potential thieves? Probably, we have over 10,000 employees; it's hard to control the actions of that many people, and information can be copied in so many ways. But we do what we can; we only allow the use of encrypted laptops, desktops that are allowed home are also encrypted this way, too. As mentioned, two step authentication, firewalls, 24/7 firewall/WAN monitoring for suspicious activity. If a machine is caught broadcasting packets identified as coming from prohibited software, a technician is dispatched to remove it. User has no choice. Desktops are locked down, and special permission is required from a committee to allow local admin control for any user. Users can't even install their own local printers!
Users are required to review an annual Information Security Awareness presentation, via the intranet, so we can monitor compliance. If you don't view it within a certain time frame, your account is automatically disabled, and you then need special permission from an Associate Commissioner to get reconnected without viewing the show! This guarantees management attention to your failure to follow security procedures!
I have only touched on the most obvious arrangements, there are a lot of others that I can't reveal - I'd have to shoot all of you! I'm sure that there are others I don't know.
Does all of this guarantee we won't see a breach? No, I'm sure it doesn't. But it makes it much more likely that if one occurs, the headlines will make note of an employee that broke procedure and did something to get around agency safeguards, and will eventually report his/her prosecution.
We are not perfect, and we'll be the first to admit that. We ARE human, after all. (gasp!) BUT, just because we get our paychecks from Uncle Sugar doesn't mean we left our brains at the door.
Some agencies use the budget Congress gives us to do our jobs, and we try to do them without being told. We even try to close the barn door BEFORE the cow gets out!
I know that's a shock to some of you, but we really do try, and we most often get it right. You only read about it when we don't...
Parent
Re:Oh, lookie here (Score:2)
From the parents PDF:
Like thats going to stop a hacker for all of a few minutes.
Bizarre. WEPs shortcomings have been known for years.
Re:Oh, lookie here (Score:2)
I'm surprised they have to tell people to use strong passwords? They don't enforce this when a user changes their password?? There's a bit on P2P too - they don't block this?? I know P2P networks can be a bitch to control through the firewall but there are application layer firewalls and other intelligent devices to sort this kind of thing out.
Interesting that classified PC's must also have removable HDD's and be clearly marked classified - shouldn't they just be physically located
Wow... (Score:3, Funny)
Re:Wow... (Score:5, Funny)
Parent
Re:Wow... (Score:3, Funny)
Be careful where you point that joke. My .sig at work over the last few years has been:
..and I still get email from people to tell me that their computer was able to read my email, so Outlook must support this "ROT-26" encryption thing. And they aren't joking.
Yes but what do you do about... (Score:5, Insightful)
Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasence in the Bush administration.
This doesn't do much to stop this kind of leak, but makes it much easier to track down those who do leak information. I don't think this has as much to do with security, as it does fear and punishment.
Re:Yes but what do you do about... (Score:2)
You know, there was a time when doing that sort of thing was called treason...
Re:Yes but what do you do about... (Score:5, Insightful)
You know, there was a time when doing that sort of thing was called treason...
Maybe if this administration was a little more well-liked [cbsnews.com] they'd be able to convince people that the leaking of it's shortcomings and bastardization of the law(s) of the land was a real threat. As it stands, the only thing these leaks are doing is proving to your average American that, hey, Bush really is the bastard the ultra-liberals decried him as in the first place.
Parent
Re:Yes but what do you do about... (Score:5, Interesting)
Except that the "average American" is not quite as "average" as the classist ultra-liberals envision him. What it really does is cause the "NASCAR Dads" and "Soccer Moms" to get even more disgusted with the mainstream news spigots and start seeking less-biased and more representative sources. That, of course, can only hurt the bottom lines of the Old Guard [nytimes.com].
To successfully compete with an Internet across which one can aggregate news (and opinions) from all over the political spectrum, a traditional mainstream outlet will have to either clearly claim allegiance to one pole (e.g., Fox News) or genuinely have no political leanings or agenda (e.g., nobody right now). The days in which an outlet can pose as unbiased while actually trying to manipulate opinion with stories slanted either left or right are dwindling, or so say the accountants...
Parent
Re:Yes but what do you do about... (Score:4, Insightful)
I don't think that such a perspective is possible. First of all, I've never seen a theory or technique enumerated or even hinted at for achieving a biasless perspective. I can't help but conclude that human communication is inherenly biased. Even if there were such a technique, would human organizations be able to achieve that standard with limited time and resources?
Let's say that you did have a biasless report on something. You still have to present the information in serial order. Which side gets to make the 'first move'? (Whose side is presented first?) Who gets the last word? Who gets more words? Who gets longer quotes?
Parent
Re:Yes but what do you do about... (Score:5, Informative)
I find that most people who throw about the word "treason" don't actually comprehend what it encompasses, nor do they understand the historical & legal background.
To commit treason someone has to overtly and willfully cooperate with an enemy, to overthrow the gov't. Anything else gets treated as espionage, since Sedition laws are nonexistant.
You show me how leaks to American newspapers qualify as over and willfull cooperation with "the enemy" and we can talk treason, until then, please refrain from echoing the ignorant statements of others.
Parent
Uhm... (Score:2)
TFA (which I read for a change) says this is about the leaks of personal identity information.
Data management.... (Score:4, Insightful)
I am no Neocon and I usually don't agree with Mr Bush and his crowd on anything at all but this time I fail to see what the fuss is about. They are planning to:
- Encrypt all sensetive data on laptops and PDAs.
- Drastically harden authentication methods and make damn sure idle connections are severed.
- Make damn sure sensetive information is not left lying around on hard drives all over the place thus decreasing the likelyhood of it ending up in the hands of people it wasn't intended for by accident. In short they plan to drastically improve the management of sensetive data.
In my humble opinion these are all pretty resonable and sensetive measures for any government to take. My only question is: Why wasn't this done many years ago? These are measures major corporations have considered standard for years in order to thwart industrial espionage. I am quite frankly flabbergasted at the what the article seems to imply, which is that US officials, military bigwigs and intelligence people have been traveling all over the USA and the rest of the world for that matter carrying unencrypted sensetive data on their WinDell laptops.Parent
5 years of "homeland" defense (Score:3, Insightful)
Re: 5 years of "homeland" defense (Score:2)
Maybe for a suitably fraudulent definition of "debated" [washingtonpost.com].
Re:5 years of "homeland" defense (Score:5, Insightful)
At the risk of being labelled a trolling fanboy, there is nothing intrinsically wrong with using Windows (or indeed any given operating system) for a government agency.
What is intrinsically wrong is not taking some time to investigate the requirements of the agency and configuring things accordingly, instead just throwing a bunch of laptops onto a domain and saying "There y'go".
It may even be the case that they did configure things accordingly with strong encryption available and everything. But maybe no effort was made to ensure it actually got used. Perhaps strong encryption was used, and effort was made to ensure it worked when accessing databases - but some other application crept in for which it was easier to do a plain-text dump of the database onto an unencrypted area of the disk.
In any sizeable organisation, desktop IT requirements are very complicated. Just saying "They used Windows. What do you expect?" isn't particularly helpful, and doesn't cut to the root of the problem.
Parent
the real question is, of course (Score:4, Insightful)
Why would this data be on a laptop in transit in the first place? 15 years ago, I would understand the need to carry a bunch of tapes from location A to location B. With recent advances in networking the utility of carrying around data in a suitcase seems quite elusive.
Re:the real question is, of course (Score:4, Insightful)
The answer to that question would provide some relevance, context and insight as to the why the decision was made. Aside from the obvious, of course.
I can't quote any specifics, but I remember hearing the tail end of an NPR story on the "laptop" incident mentioned in the article. Seems the person who had the laptop stolen worked for the VA and typically worked in the field and required routine access to a large database of records to verify claims or something similar. The impression I got listening to the story was that it was a case benign ignorance more than anything else. My guess is that kind of ignorance, both on the part of the laptop owner and his/her agency, wouldn't be unlike the widespread ignorance found in the private sector. I'll resist the too easy Blame Microsoft angle, but we do have a generation of computer users who grew up blissfully unconcerned with such notions of security, so it shouldn't surprise anyone when the folks in charge over-react, or hand down edicts to force everyone into line.
Government does have a role in setting agendas (ODF is a good example), so I guess this is a good thing. At the very least, it raises awareness.
Parent
Re:the real question is, of course (Score:3, Informative)
Pick any very large corporation that provides any measure of benefits for employees. Chances are good, if that corp is big enough, that it's currently under some kind of audit by the Internal Revenue Service. If so, there's a strong possibility that some portion of the examination is looking at the benefits plans provided to the the employees. In that case, there is a laptop at the IRS, belonging to the Employee Plans Revenue Agent on the c
Not "requirements" (Score:5, Interesting)
Which means this is likely to have zip for effect.
They delete THEIR downloads after 90 days... (Score:5, Insightful)
As far as I know, the founding fathers tried to protect the people from their government, fearing that it might turn one day against them. I think it's time to put this in practice. Not the government has to monitor its people, it is to be done the other way around.
Re:They delete THEIR downloads after 90 days... (Score:3, Interesting)
Come on now, it's way too hot outside for tinfoil apparel.
We're talking about data that's copied off to laptops for mobile use. Copied. The concern is over some federal worker or contractor dumping some subset of sensitive data (say, YOUR information?) off to a laptop while workin
In related news... (Score:4, Insightful)
Seriously, the US government is only just figuring out what encryption is for? Exactly incompetent are they?
And before you get comfortable laughing at these people, consider for a second how dumb you must be to let these same people hoover up all your civil liberties...
THE TERRORISTS JUST WON!!!!!! (Score:2, Funny)
Awesome (Score:2, Funny)
It actually makes sense!
Practical and impractical solutions.... (Score:5, Funny)
1. As every agent who possesses sensitive information leaves office, shoot him.
2. Destroy his/her/it's laptop.
B. Impractical solutions:
1. Build a new proprietary operating system for secret agents.
2. Build proprietary hardware for them.
3. Build scretive, propriateary network cards, that operate on proprietary, unpublished protocols.
If neither Plan A or B seems workable, post Ask Slashdot for ideas!
-
Only a matter of time... (Score:3, Insightful)
You can put all the security you want on databases, firewalls, and file servers. But in the end, users still need to access that data. Therefore, accidental (or otherwise) leakage of info by a consumer of this data is the main risk of disclosure, not a hacker. We need to have better IA (Information Awareness) training first, and remind users of their duties to keep this information secure. Another layer of protection won't work if users don't understand how important it is to secure this data.
So that's how it is... (Score:5, Insightful)
(And yes I'm well aware that nothing is forcing us in the US to hand over our encryption yet but don't worry it'll probably happen sooner than you expect.)
One law for the king and another for the people. We can't live like that...
Why doesn't everyone (including me!) encrypt? (Score:4, Interesting)
Of course, I don't use FileVault.
Why not? Well, it's one more thing to go wrong. I'm far more worried about losing my files or losing access to them, than I am about having other people look at them. And, frankly, I've never bothered to find out exactly what happens when you use a standard backup tool on a FileVault-protected Mac (presumably all the backups are UNencrypted if you are running the backup tool from within the protected account?)
So... I dunno. I don't understand why everyone doesn't use encryption, but I don't use encryption myself. Of course, I have reasons. Probably everyone else has reasons, too?
It still won't matter (Score:3, Insightful)
It still won't matter. Just look for the yellow post-it note with the password stuck on the monitor, under the keyboard, or under the mouse pad.
As Ye Sow.... (Score:4, Interesting)
Re: Nixon parallels are staggering (Score:2, Informative)
Bush makes Nixon look like a choirboy.