Brace Yourself For The Shock News: Government Still Doesn't Protect Data Well
from the took-a-genius-to-figure-that-out dept
While we're generally suspicious of vendor-funded surveys, somehow we don't find this one too hard to believe: a new one reports that the federal government does a poor job of securing data. It says that 54 percent of government employees carry data and files home, while more than half work from home without authorization. Perhaps even more galling is the fact that the survey says fewer federal agencies are encrypting their employees' laptops now than before 26.5 million people's personal info was lost by the VA, when -- you guessed it -- an employee's laptop was stolen from his home. But have no fear, the government recently released new security guidelines that are supposed to stop this sort of thing. That is, of course, if anybody bothers to follow them.
Reader Comments
slow going
There are numerous very good reasons for that.
First, money. Encrypting data may sound good, but practically, to do it right takes the right software, and that takes money. Given the perennial focus on budget these days, most Agencies don't have the money to buy the right stuff. Budgeting that money takes mostly two years to get the request into the budget cycle, if it is a substantial amount.
Second, control. One may think that an Agency could control the use and configuration of its equipment, but that's not so easy. In order to control that, an Agency must have an IT department that has functional control over its equipment, and many don't. As long as organizational parts of an Agency can buy and configure their own equipment, their IT department can't control the encryption of its equipment, as the various offices can just buy a laptop and start using it. Lots of ways that an IT department can be circumvented.
Third, culture. Every organization has a dominant culture. A given Agency's culture may or may not support such central control. If it doesn't, then the job of protecting data just got exponentially more difficult.
It isn't always as easy as just issuing a memo.
Re: slow going
Yes, I'm the anonymous ChoicePoint employee that's responded to other items and I'd like to respond to your tacit approval of shoddy data practices by our government:
1) I have a company owned laptop to do my work on and the entire drive is encrypted. Yes, I'm sure there was a cost involved, but as CP learned, sometimes you need to have those costs.
2) CP does a pretty good job of monitoring EVERYTHING. All company owned equipment is scanned for vulnerabilities on a regular basis (at least weekly). For any deviation from company policy (e.g. unapproved software, missing required software), an email is sent to the employee, the employee's manager and their local IT. On a second notice, it's also sent to the head of local IT. You can't connect to the company network without being monitored, and circumventing the monitoring, while possible, is a "career limiting move".
3) Culture, bah! Culture can change. From what I hear, everything at CP used to be "just fine the way we are" pre-breach. Post-breach, everything is security, security, security, and in case you missed the memo.... security.
You're right, it isn't always as easy as just issuing a memo. You actually have to understand that you're screwed up and that you need to fix it. CP has made a lot of changes and, in my opinion, is doing a pretty good job of being security and data conscious now.
Now, a question. If the government's continued shoddy practices result in continued data losses, do they get to fine themselves via the FTC? (ok, ok... turning the sarcasm filter off now).
slow going
As for the CP Employee who started his intelligent rebuttal with the comment "Bull" (I had a hard time being objective after that point), he is a civilian employee who has not experienced the trouble of trying to change the practices of a Federal employee with 20 to 30 years in their position. It’s not a simple task; not impossible, but not simple. So it takes time. Things are changing daily; these hard and stubborn employees are giving in to authority and the demands of security. It just must not be happening fast enough for the vendors that are supplying the software or the vendors whose bid was rejected.
It’s so easy to point out flaws and shortcomings from a distance, but unless you are directly involved and struggle through the numerous variables that hinder change, especially when the variables differ for each entity in the government, I don’t think anyone should be so quick to conclude that just because your company laptop is able to use CP, it’s “Bull” that everyone else can easily implement and efficiently do their jobs with it.
Re: slow going
Sorry that you had a problem with "Bull". I was frustrated with the seeming blind acceptance that the Government just moves too slow to be able to do anything to protect themselves. In what I see now as an obviously bad manner, I was venting some of that in my post.
I have dealt with securing data previously, with both small and large firms, but (you are correct) not with the government. Additionally, I am now dealing with it from a user standpoint, so I have seen both sides of the implementation.
With the selection ChoicePoint made, my drive is encrypted, but the only change to my daily procedure was a single new password that had to be typed when I boot my laptop everyday. Everything else is being handled through the system and network management tools. Whether it's scans of my laptop to find vulnerabilities or verification that I have rebooted in the last few days to receive the latest patches, none of the security procedures get in the way of my day to day work.
In the end, I know that all it takes is a marginally competent IT staff to secure an organization. Any group that fails to do so is simply admitting that they are not even marginally competent - at least in my book.
Why resist change?
I could honestly care less what their excuse is. It is my taxes that pay their salary, making me (the American people) their boss.
Time to get with the program and protect my data, or move out of the way for people that will.
Technology today makes these things pretty simple. It takes little to no skill to encrypt a drive, and even less time to understand how important it is.
While I respect and understand the investment in money and time this takes, I as an American citizen demand it.
I am glad that AlGore's Key Escrow system
This was a scare about PGP being so secure and hard to crack that the poor law-enforcement guy would be hamstrung. They used scare tactics like: "If you use PGP you must have something to hide, terrorist!"
So the US Government tried to force a specific encrypt/decrypt scheme that required the decryption keys to be stored in escrow by the US Government. It was supposed to allow law-enforcement (I mean lawyers) to wire-tap subpoenaed encrypted streams. If you don't give the government your decryption keys then the terrorists have won!
And the cry then as it is now: Trust the government to safeguard encryption keys?
Trust and Government do not go together.
No Accountability, No Results
Oh yeah, I did work for a government agency for a year. And I work with large municipal clients all over the country as part of my current job, so I do know a little bit about bureaucratic culture.
By the way, every laptop that I issue in our company has a password-protected lock on the hard drive; without the right password, the hard drive won't even spin up. This obviously won't stop someone who has access to a clean room and the determination to move the platters to a new drive, but my concern is petty data theft (not international criminal syndicates).
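Checking that the hard-drive password lock the commenter describes is actually in place on an issued laptop, as an added example that is not the commenter's or Techdirt's code. It assumes the drive state is read with `hdparm -I <device>` on Linux and parses the `Security:` section of that output; the sample text is constructed to resemble that section, not captured from a real drive.

```python
"""Audit the ATA security (drive password) state of a laptop disk.

Added example; assumes the text comes from `hdparm -I <device>` on Linux.
The samples are constructed to resemble hdparm's Security: section.
"""
import re

# Constructed sample: password set, drive unlocked (we are booted), not frozen.
SAMPLE_ENABLED = """\
Security: 
\tMaster password revision code = 65534
\t\tsupported
\t\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
"""
# Constructed sample: no password set and firmware froze the feature.
SAMPLE_UNSET = (SAMPLE_ENABLED.replace("\t\tenabled", "\tnot\tenabled")
                              .replace("\tnot\tfrozen", "\t\tfrozen"))

FLAGS = ("supported", "enabled", "locked", "frozen")


def parse_ata_security(identify_output: str) -> dict:
    """Return {flag: bool} for the ATA security flags, or {} if no section."""
    lines = identify_output.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("Security:")), None)
    if start is None:
        return {}
    state = {}
    for line in lines[start + 1:]:
        if not line.startswith("\t"):
            break  # reached the next hdparm section
        # flag lines look like "\tnot\tenabled" (off) or "\t\tenabled" (on)
        m = re.match(r"\t(not)?\t(\w+)$", line)
        if m and m.group(2) in FLAGS:
            state[m.group(2)] = m.group(1) is None
    return state


def audit_drive_lock(identify_output: str) -> list:
    """Findings an admin would act on; an empty list means the lock is set."""
    s = parse_ata_security(identify_output)
    if not s.get("supported"):
        return ["drive does not support ATA security: rely on full-disk encryption"]
    findings = []
    if not s.get("enabled"):
        findings.append("ATA password not set: stolen drive is readable as-is")
        if s.get("frozen"):
            findings.append("security frozen by firmware: set it after a power cycle")
    # The lock is access control, not encryption: as the comment notes, moving
    # the platters to another drive bypasses it, so pair it with FDE.
    return findings
```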
FYI ...
And this gem, "It says that 54 percent of government employees carry data and files home, while more than half work from home without authorization," needs to be looked at in a different light. Everyone is quick to dredge up the old "lazy government worker" adage, but now that there is proof that over half of us (myself included) do extra work at home, it's called "unauthorized".
Use a little critical thinking here, folks.
Duh