
UK Intel Agency's Missing Laptops Might Contain Sensitive Data

superapecommando writes "GCHQ lost 35 laptops in one year, potentially containing highly sensitive data. The UK's electronic spy centre was today lambasted by MPs for having a 'cavalier' attitude to data security. The centre is responsible for tracking the electronic communications of terrorists. In a new report, the Commons Intelligence and Security Committee expressed concern that GCHQ appeared to be entirely unaware whether or not the computers, lost in 2008, contained top secret information on people posing an imminent security threat to the country."

  • Re:Underground? (Score:3, Insightful)

    by Anonymous Coward on Saturday March 13, 2010 @10:04AM (#31463634)

    That's a great idea. You know where London 2600 is held, right? Pretty sensible place to advertise, then - and if the Security Service and Secret Intelligence Service are advertising, why not GCHQ, the great-granddaddy of the father of modern computing and cryptology?

    The big challenge is that all the people with the requisite expertise in that particular field either have ethical problems with working for a government that does things that run contrary to their personal beliefs (restrictions on free speech, mass surveillance and censorship, certain recent unpopular wars, and so on), or they don't really have anything left in the way of ethics at all (in which case, their trustworthiness is very limited, and they may already be working for organised crime or another government).

    Many of the older ones have retired from doing that kind of thing and settled down, and the problem with that is that their skill set is unlikely to be current. There are of course timeless techniques, but the field also moves very quickly and rediscovers new things in different ways, so keeping current is important.

    Of course, there are always new ones. Fresh talent does emerge and can probably be recruited in larval form, but not all hacking is self-taught, and the difference between a good hacker and a world-class hacker is things picked up from experience and teaching. Mentoring. But part of that is the counter-culture mindset, it's a required part of the critical thinking needed. Some people are needed to teach, and teach very very well. But the problem is that those people do not want to work for the UK government, even in a teaching capacity.

    A similar problem emerges when trying to buy a covert remote intelligence tool (CRIT). What to do; license Zeus? Hardly. The Chinese did something similar, and as you no doubt heard it turned out worryingly successful with a simple black market Trojan and some very astute targeting. But you can scarcely expect that to work the same way twice. Something rather more advanced is needed, but those that have developed more advanced tools have essentially told the intelligence agencies to go screw themselves or are otherwise people it would be recommended to avoid dealing with (as above). So a tender was raised at a recent conference and there have been no decent bids (General Electric almost don't count).

    Anyway. As for the story, the key word is "might". This audit is ahead of a new system proposed to modernise the key management by introducing ubiquitous security tokens, and full-disk encryption in software (TOP SECRET uses specialist hardware devices rather than hard disks right now). The problem here is a lack of yearly auditing, and unmarked, uncleared notebooks that should not have touched classified information, and probably did not if best practices from the CESG were followed, but conceivably could have done, which is unacceptable and something that needs to be addressed...

  • by gmccloskey ( 111803 ) on Saturday March 13, 2010 @10:17AM (#31463720)

    All UK government devices storing information classified as RESTRICTED (no US equivalent) must have two factor authentication, and full disk encryption using a FIPS140 certified product from a CESG-approved list. Anything carrying CONFIDENTIAL or SECRET has the same, plus additional techniques and handling protocols to ensure CIA (confidentiality, integrity, assurance). TOP SECRET isn't discussed in open forums.

    This is a non story if they are accidental losses. All organisations, including those within and around the intelligence communities, lose assets. The real questions should be (1) was it accidental, (2) if not, who made the effort and (3) are you confident the systems in place will protect the information for long enough until its value decreases below the effort required to recover it.

    To be honest, the more pressing issue for ordinary citizens is not governments protecting or losing information about citizens, but private organisations.

  • Re:TrueCrypt (Score:3, Insightful)

    by Anne Thwacks ( 531696 ) on Saturday March 13, 2010 @03:54PM (#31466030)

    If it is anything like the rest of the present government policies, the actual requirement is to put a tick in a box labeled "Data is secure", and then apply a signature resembling "D. Duck" at the bottom of the paper, which is then filed along with 2,000,103 other pieces of identical paper with no way of tracing which piece applies to which equipment. My guess is that Donald Duck had best be afraid ... very afraid. As should anybody in the UK who would prefer his personal data is not on sale at a market somewhere in India at this very moment.

    It is quite safe to assume any statements above about the government's supposed competence are the work of paid shills. In the last 10 years, the government has not previously shown any signs of competence.

    a) "It is illegal to import a potato knowing it to be Polish" "Honest, Sir, I did not know that potato was Polish. It does not even have a Polish accent!"

    b) "What will the government say if it gets out in the press?" "We will plead corporate insanity"
