UK Intel Agency's Missing Laptops Might Contain Sensitive Data
superapecommando writes "GCHQ lost 35 laptops in one year, potentially containing highly sensitive data. The UK's electronic spy centre was today lambasted by MPs for having a 'cavalier' attitude to data security. The centre is responsible for tracking the electronic communications of terrorists. In a new report, the Commons Intelligence and Security Committee expressed concern that GCHQ appeared to be entirely unaware whether or not the computers, lost in 2008, contained top secret information on people posing an imminent security threat to the country."
Re: (Score:1)
Re: (Score:2)
Don't care? Don't read it. This site may be based in the US and heavily biased towards it, but it has an international readership.
Re: (Score:1)
Why not? Perhaps you should. You think they only contain secrets relevant to the UK? How can you be sure?
If a spy agency, any, loses data/intel, it is probably a concern to more than the people in the country where the agency belongs, since spying is a global business.
But in most industries... (Score:2)
Intel... igence? (Score:2)
I did not understand the relation between Intel and UK MPs until I thought the word may have been abbreviated.
Lack of information (Score:2)
What do they mean by lost? (Score:2, Interesting)
Re: (Score:1)
Re: (Score:2)
Oh man, are you so dead. Dead, diced, buried in soft peat for 18 years and finally DNA tested to reveal that you were an Albanian illegal immigrant all along. Remember that family you used to have? Well don't worry about them, the remaining ones don't remember you.
As they say in Texas "Dead man walking!"
Re: (Score:1)
Re: (Score:2)
If it's anything like the rest of public sector from when I worked in it for a while some years ago, then "lost" means "I left my laptop perfectly visible in the back seat of my car which I left parked outside on the street overnight in a not exactly crime-free part of town".
So if they want to find them, eBay, or the house with the dodgy people in down the street are probably the best places to look.
Highly sensitive data? (Score:4, Funny)
Well, surely it has been appropriately encrypted with strong encryption and protected with a strong password. After all, those people are not completely incompetent, are they?
Re: (Score:2)
After all, those people are not completely incompetent, are they?
In the UK? You should reconsider your rhetorical question...
Re: (Score:1)
This would be the UK that led the development of modern computing with the work of Alan Turing, led the development of the use of computers in industrial and military environments (Bletchley Park) and which dramatically shortened the second world war. This would be the UK that invented public key cryptography before the NSA. This would be the UK which developed working, scalable MIMD parallel processing (transputer) in the early 90s. Then there was the matter of Boole, who did some minor mathematical work.
Re: (Score:2)
Yes [bbc.co.uk], that [bbc.co.uk] UK [bbc.co.uk].
Re: (Score:2)
Well, surely it has been appropriately encrypted with strong encryption and protected with a strong password. After all, those people are not completely incompetent, are they?
Considering who you are talking about.. the answer can be summed up as.. BWHAAAA!!!
Re: (Score:2)
After all, those people are not completely incompetent, are they?
<deep>I find your faith disturbing...</deep>
Re:Highly sensitive data? (Score:4, Informative)
Well, surely it has been appropriately encrypted with strong encryption and protected with a strong password. After all, those people are not completely incompetent, are they?
Well, GCHQ workers *invented* public key encryption, so they are obviously not all completely incompetent. Big organisations lose laptops. It's more that they don't have the paperwork to prove nothing secret hit these machines. It's sloppy but hardly unexpected.
Re: (Score:2)
Well, GCHQ workers *invented* public key encryption...
And the story told by one of the inventors is that he made the crucial breakthrough whilst mulling the problem over in his head at home. So strict was the security in those days that he wasn't even allowed to write down his idea on a piece of paper outside the office, and he worried dreadfully that he might forget the details before he got back into the office and was able to record it.
Clearly if they're now leaving laptops lying around, things aren't quite so strict.
Re: (Score:2)
Should not be a problem... (Score:2)
This should not be a problem IF the hard drives are full disk encrypted. Now the "if" in the previous sentence is the crucial point...
Re: (Score:2, Insightful)
All UK government devices storing information classified as RESTRICTED (no US equivalent) must have two factor authentication, and full disk encryption using a FIPS140 certified product from a CESG-approved list. Anything carrying CONFIDENTIAL or SECRET has the same, plus additional techniques and handling protocols to ensure CIA (confidentiality, integrity, assurance). TOP SECRET isn't discussed in open forums.
This is a non story if they are accidental losses. All organisations, including those within and
Re: (Score:2)
This is correct; I also have reason to have some understanding of correct handling and storage procedures for materials covered by the GPMS [cabinetoffice.gov.uk] and those laptops should be encrypted. If not then someone will be facing a shitstorm for it.
Re: (Score:3, Funny)
That kind of gives the impression that GCHQ are trying to recruit hackers from the counter culture by advertising in tube stations.
And on Slashdot, apparently.
Re: (Score:3, Insightful)
That's a great idea. You know where London 2600 is held, right? Pretty sensible place to advertise, then - and if the Security Service and Secret Intelligence Service are advertising, why not GCHQ, the great-granddaddy of the father of modern computing and cryptology?
The big challenge is that all the people with the requisite expertise in that particular field either have ethical problems with working for a government that does things that run contrary to their personal beliefs (restrictions on free speech
Re: (Score:2)
Yeah. They are. Been on the Tube recently?
A job for Jack Bower? (Score:1)
Re: (Score:2, Funny)
He's probably being interrogated and tortured by Jack Bauer as to why the former is attempting to steal the latter's identity.
...and by extension, everyone else's communications (Score:2)
Quite a few others should also/rather
Re: (Score:1)
The centre is responsible for tracking the electronic communications of terrorists
...which is hardly feasible without having access to everyone's communications
Try "known or suspected terrorists" in the sentence in place of simply "terrorists" and all will be made right. Or as right as it gets.
Quite a few others should also/rather want to know whether the computers contained information on people under an imminent security threat; information compiled by none less than the officials on a mission to protect them.
Well, that's not their mission, but I guess it's not impossible. Usually if it does contain such information, it's on employees of the division in question, though not always.
Big Deal (Score:2)
Re: (Score:2)
Re: (Score:2)
http://biggovernment.com/tshepherd/2010/02/24/dept-of-homeland-security-loses-over-1000-computers-in-one-year/ [biggovernment.com]
Re: (Score:2)
TrueCrypt (Score:2)
Why didn't the UK mandate TrueCrypt (or equivalent) on laptops holding sensitive data?
Re: (Score:1)
They have - by mandating that appropriate controls are implemented, including full disk encryption. See http://www.cabinetoffice.gov.uk/spf/sp4_isa.aspx [cabinetoffice.gov.uk] - specifically requirement #40.
TrueCrypt is not a product tested and approved by http://www.cesg.gov.uk/ [cesg.gov.uk] so it can't be used for UK government business. If someone is willing to pony up the accreditation fees, and it passes, then it can be used.
These new UK gov regulations are interesting - they make specific nominated individuals in every government organi
Re: (Score:3, Insightful)
Re: (Score:1)
If someone is willing to pony up the accreditation fees
Re: (Score:2)
Not surprisingly, the list of CAPS-approved products is quite short
PGP Whole Disk Encryption is on the 'CAPS-approved' list.