Brace Yourself For The Shock News: Government Still Doesn't Protect Data Well
from the took-a-genius-to-figure-that-out dept
While we’re generally suspicious of vendor-funded surveys, somehow we don’t find this one too hard to believe: a new one reports that the federal government does a poor job of securing data. It says that 54 percent of government employees carry data and files home, while more than half work from home without authorization. Perhaps even more galling is the fact that the survey says fewer federal agencies are encrypting their employees’ laptops now than before 26.5 million people’s personal info was lost by the VA, when — you guessed it, an employee’s laptop was stolen from his home. But have no fear, the government recently released new security guidelines that are supposed to stop this sort of thing. That is, of course, if anybody bothers to follow them.
Comments on “Brace Yourself For The Shock News: Government Still Doesn't Protect Data Well”
slow going
As another idea from your took-a-genius-to-figure-that-out department, the US government, as a large bureaucracy, doesn’t move fast.
There are numerous very good reasons for that.
First, money. Encrypting data may sound good, but practically, to do it right takes the right software, and that takes money. Given the perennial focus on budget these days, most Agencies don’t have the money to buy the right stuff. Budgeting that money takes mostly two years to get the request into the budget cycle, if it is a substantial amount.
Second, control. One may think that an Agency could control the use and configuration of its equipment, but that’s not so easy. In order to control that, an Agency must have an IT department that has functional control over its equipment, and many don’t. As long as organizational parts of an Agency can buy and configure their own equipment, their IT department can’t control the encryption of its equipment, as the various offices can just buy a laptop and start using it. Lots of ways that an IT department can be circumvented.
Third, culture. Every organization has a dominant culture. A given Agency’s culture may or may not support such central control. If it doesn’t, then the job of protecting data just got exponentially more difficult.
It isn’t always as easy as just issuing a memo.
Re: slow going
Bull.
Yes, I’m the anonymous ChoicePoint employee that’s responded to other items and I’d like to respond to your tacit approval of shoddy data practices by our government:
1) I have a company owned laptop to do my work on and the entire drive is encrypted. Yes, I’m sure there was a cost involved, but as CP learned, sometimes you need to have those costs.
2) CP does a pretty good job of monitoring EVERYTHING. All company owned equipment is scanned for vulnerabilities on a regular basis (at least weekly). Any deviations from company policy (e.g. unapproved software, missing required software), an email is sent to the employee, the employee’s manager and their local IT. On a second notice, it’s also sent to the head of local IT. You can’t connect to the company network without being monitored and circumventing the monitoring, while possible, is a “career limiting move”.
3) Culture, bah! Culture can change. From what I hear, everything at CP used to be “just fine the way we are” pre-breach. Post-breach, everything is security, security, security, and in case you missed the memo…. security.
You’re right, it isn’t always as easy as just issuing a memo. You actually have to understand that you’re screwed up and that you need to fix it. CP has made a lot of changes and, in my opinion, is doing a pretty good job of being security and data conscious now.
Now, a question. If the governments continued shoddy practices result in continued data losses, do they get to fine themselves via the FTC? (ok, ok… turning the sarcasm filter off now).
slow going
I agree that most agencies could use CP or Pointsec to encrypt and some do. But we need to remember that this is not the Government overall it’s a few, unclassified security level agencies that feel that data is not as critical as say Secret and Top Secret, though it is obviously important to protect US citizen’s personal information.
As for CP Employee that started his intelligent rebuttal with the comment “Bull” (I had a hard time being objective after that point) he is a civilian employee that has not experienced the trouble of trying to change the practices of a Federal employee with 20 to 30 years in their position. It’s not a simple task not impossible but not simple. So it takes time things are changing daily, these hard and stubborn employees are giving in to authority and the demands of security it just must not be happening fast enough for the vendors that are supplying the software or the vendors whose bid was rejected.
It’s so easy to point out flaws and short comings from a distance, but unless you are directly involved and struggle through numerous variables that hinder change, especially when the variables differ for each entity in the government, I don’t think anyone should be so quick to conclude that just because your company laptop is able to use CP that its “Bull” that everyone else can easily implement and efficiently do their jobs with it.
Re: slow going
Umm… CP = ChoicePoint. CP is not the software we use.
Sorry that you had a problem with “Bull”. I was frustrated with the seeming blind acceptance that the Government just moves too slow to be able to do anything to protect themselves. In what I see now as an obviously bad manner, I was venting some of that in my post.
I have dealt with securing data previously, with both small and large firms, but (you are correct) not with the government. Additionally, I am now dealing with it from a user standpoint, so I have seen both sides of the implementation.
With the selection ChoicePoint made, my drive is encrypted, but the only change to my daily procedure was a single new password that had to be typed when I boot my laptop everyday. Everything else is being handled through the system and network management tools. Whether it’s scans of my laptop to find vulnerabilities or verification that I have rebooted in the last few days to receive the latest patches, none of the security procedures get in the way of my day to day work.
In the end, I know that all it takes is a marginally competent IT staff to secure an organization. Any group that fails to do so is simply admitting that they are not even marginally competent – at least in my book.
Why resist change?
Using laziness and resisting change as a valid excuse for not using today’s technoligies to protect data is ignorant. Telling me that because they are set in their ways and have been so for 20 to 30 years is a cop out.
I could honestly care less what their excuse is, It is my taxes that pay their salary, making me (the American people) their boss.
Time to get with the program and protect my data, or move out of the way for people that will.
Technology today makes these things pretty simple. It takes little to no skill to encrypt a drive, and even less time to understand how important it is.
While I respect and understand the investment in money and time this takes, I as an American citizen demand it.
I am glad that AlGore's Key Escrow system
never made it out of committee.
This was a scare about PGP being so secure and hard to crack that the poor law-enforcement guy would be hamstrung. They used scare tactics like: “If you use PGP you must have something to hide, terrorist!”
So the US Government tried to force a specific encrypt/decrypt scheme that required the decryption keys stored in escrow by the US Government. It was suppose to allow law-enforcement (I mean lawyers) to wire-tap subpoena encrypted streams. If you don’t give the government your decryption keys then the terrorist have won!
And the cry then as it is now: Trust the government to safeguard encryption keys?
Trust and Government do not go together.
No Accountability, No Results
Spiffy new policies are irrelevant if there is no accountability. If managers were actually held strictly accountable for gross negligence then the culture would shift more quickly then one might expect. The problem, of course, is that our government leadership (an oxymoron?) seems to expect no accountability for anything (except for embarrassing press leaks; those are responded to pretty quickly). When managers know that their employer could care less about whether the job is done right, why should they bother?
Oh yeah, I did work for a government agency for a year. And I work with large municipal clients all over the country as part of my current job, so I do know a little bit about bureaucratic culture.
By the way, every laptop that I issue in our company has a password-protected lock on the hard drive; without the right password, the hard drive won’t even spin up. This obviously won’t stop someone who has access to a clean room and the determination to move the platters to a new drive, but my concern is petty data theft (not international criminal syndicates).
FYI ...
The Army has already implemented a policy to encrypt all hard drives and removeable media (except when you burn a CD). You plug in a USB stick, everything gets encrypted.
And this gem, “It says that 54 percent of government employees carry data and files home, while more than half work from home without authorization,” needs to be looked at in a different light. Everyone is quick to dredge up the old “lazy government worker” adage, but now that there is proof that over half of us (myself included) do extra work at home, it’s called “unauthorized”
Use a little critical thinking here, folks.
Duh
What exactly does the federal government do well? Nothing.
Put it in the PORN folder dummies!
Put it in the PORN folder dummies!
There are trees on mars!