Brace Yourself For The Shock News: Government Still Doesn't Protect Data Well

from the took-a-genius-to-figure-that-out dept

While we're generally suspicious of vendor-funded surveys, somehow we don't find this one too hard to believe: it reports that the federal government does a poor job of securing data. According to the survey, 54 percent of government employees carry data and files home, and more than half work from home without authorization. Perhaps even more galling, the survey finds that fewer federal agencies are encrypting their employees' laptops now than before the VA lost 26.5 million people's personal information when -- you guessed it -- an employee's laptop was stolen from his home. But have no fear: the government recently released new security guidelines that are supposed to stop this sort of thing. That is, of course, if anybody bothers to follow them.


Reader Comments



  1. rahrens (profile), 6 Jun 2007 @ 4:02am

    slow going

    As another idea from your took-a-genius-to-figure-that-out department, the US government, as a large bureaucracy, doesn't move fast.

    There are numerous very good reasons for that.

    First, money. Encrypting data may sound good, but practically, to do it right takes the right software, and that takes money. Given the perennial focus on budget these days, most Agencies don't have the money to buy the right stuff. Budgeting that money takes mostly two years to get the request into the budget cycle, if it is a substantial amount.

    Second, control. One may think that an Agency could control the use and configuration of its equipment, but that's not so easy. In order to control that, an Agency must have an IT department that has functional control over its equipment, and many don't. As long as organizational parts of an Agency can buy and configure their own equipment, their IT department can't control the encryption of its equipment, as the various offices can just buy a laptop and start using it. Lots of ways that an IT department can be circumvented.

    Third, culture. Every organization has a dominant culture. A given Agency's culture may or may not support such central control. If it doesn't, then the job of protecting data just got exponentially more difficult.

    It isn't always as easy as just issuing a memo.


  2. CP Employee, 6 Jun 2007 @ 4:47am

    Re: slow going

    Bull.

    Yes, I'm the anonymous ChoicePoint employee that's responded to other items and I'd like to respond to your tacit approval of shoddy data practices by our government:

    1) I have a company owned laptop to do my work on and the entire drive is encrypted. Yes, I'm sure there was a cost involved, but as CP learned, sometimes you need to have those costs.

    2) CP does a pretty good job of monitoring EVERYTHING. All company-owned equipment is scanned for vulnerabilities on a regular basis (at least weekly). For any deviation from company policy (e.g. unapproved software, missing required software), an email is sent to the employee, the employee's manager and their local IT. On a second notice, it's also sent to the head of local IT. You can't connect to the company network without being monitored, and circumventing the monitoring, while possible, is a "career limiting move".

    3) Culture, bah! Culture can change. From what I hear, everything at CP used to be "just fine the way we are" pre-breach. Post-breach, everything is security, security, security, and in case you missed the memo.... security.

    You're right, it isn't always as easy as just issuing a memo. You actually have to understand that you're screwed up and that you need to fix it. CP has made a lot of changes and, in my opinion, is doing a pretty good job of being security and data conscious now.

    Now, a question. If the government's continued shoddy practices result in continued data losses, do they get to fine themselves via the FTC? (ok, ok... turning the sarcasm filter off now).


  3. Normal Guy, 6 Jun 2007 @ 5:30am

    slow going

    I agree that most agencies could use CP or Pointsec to encrypt, and some do. But we need to remember that this is not the Government overall; it's a few unclassified-security-level agencies that feel that data is not as critical as, say, Secret and Top Secret, though it is obviously important to protect US citizens' personal information.

    As for CP Employee, who started his intelligent rebuttal with the comment "Bull" (I had a hard time being objective after that point): he is a civilian employee who has not experienced the trouble of trying to change the practices of a Federal employee with 20 to 30 years in their position. It's not a simple task; not impossible, but not simple. So it takes time. Things are changing daily; these hard and stubborn employees are giving in to authority and the demands of security. It just must not be happening fast enough for the vendors that are supplying the software or the vendors whose bid was rejected.

    It's so easy to point out flaws and shortcomings from a distance, but unless you are directly involved and struggle through the numerous variables that hinder change, especially when the variables differ for each entity in the government, I don't think anyone should be so quick to conclude that, just because your company laptop is able to use CP, it's "Bull" that everyone else can easily implement it and do their jobs efficiently with it.


  4. Epic, 6 Jun 2007 @ 6:26am

    Why resist change?

    Using laziness and resisting change as a valid excuse for not using today's technologies to protect data is ignorant. Telling me that it's because they are set in their ways and have been so for 20 to 30 years is a cop-out.

    I could honestly care less what their excuse is. It is my taxes that pay their salary, making me (the American people) their boss.

    Time to get with the program and protect my data, or move out of the way for people that will.

    Technology today makes these things pretty simple. It takes little to no skill to encrypt a drive, and even less time to understand how important it is.

    While I respect and understand the investment in money and time this takes, I as an American citizen demand it.


  5. Ajax 4Hire, 6 Jun 2007 @ 6:48am

    I am glad that AlGore's Key Escrow system

    never made it out of committee.

    This was a scare about PGP being so secure and hard to crack that the poor law-enforcement guy would be hamstrung. They used scare tactics like: "If you use PGP you must have something to hide, terrorist!"

    So the US Government tried to force a specific encrypt/decrypt scheme that required the decryption keys to be stored in escrow by the US Government. It was supposed to allow law enforcement (I mean lawyers) to wiretap/subpoena encrypted streams. If you don't give the government your decryption keys, then the terrorists have won!

    And the cry then, as it is now: Trust the government to safeguard encryption keys?

    Trust and Government do not go together.


  6. Patrick the InkStained, 6 Jun 2007 @ 6:49am

    No Accountability, No Results

    Spiffy new policies are irrelevant if there is no accountability. If managers were actually held strictly accountable for gross negligence, then the culture would shift more quickly than one might expect. The problem, of course, is that our government leadership (an oxymoron?) seems to expect no accountability for anything (except for embarrassing press leaks; those are responded to pretty quickly). When managers know that their employer could care less about whether the job is done right, why should they bother?

    Oh yeah, I did work for a government agency for a year. And I work with large municipal clients all over the country as part of my current job, so I do know a little bit about bureaucratic culture.

    By the way, every laptop that I issue in our company has a password-protected lock on the hard drive; without the right password, the hard drive won't even spin up. This obviously won't stop someone who has access to a clean room and the determination to move the platters to a new drive, but my concern is petty data theft (not international criminal syndicates).


  7. Army Employee, 6 Jun 2007 @ 6:53am

    FYI ...

    The Army has already implemented a policy to encrypt all hard drives and removable media (except when you burn a CD). You plug in a USB stick, and everything gets encrypted.

    And this gem, "It says that 54 percent of government employees carry data and files home, while more than half work from home without authorization," needs to be looked at in a different light. Everyone is quick to dredge up the old "lazy government worker" adage, but now that there is proof that over half of us (myself included) do extra work at home, it's called "unauthorized".

    Use a little critical thinking here, folks.


  8. Max, 6 Jun 2007 @ 7:20am

    Duh

    What exactly does the federal government do well? Nothing.


  9. CP Employee, 6 Jun 2007 @ 12:29pm

    Re: slow going

    Umm... CP = ChoicePoint. CP is not the software we use.

    Sorry that you had a problem with "Bull". I was frustrated with the seeming blind acceptance that the Government just moves too slowly to be able to do anything to protect itself. In what I see now as an obviously bad manner, I was venting some of that in my post.

    I have dealt with securing data previously, with both small and large firms, but (you are correct) not with the government. Additionally, I am now dealing with it from a user standpoint, so I have seen both sides of the implementation.

    With the selection ChoicePoint made, my drive is encrypted, but the only change to my daily procedure was a single new password that has to be typed when I boot my laptop every day. Everything else is handled through the system and network management tools. Whether it's scans of my laptop to find vulnerabilities or verification that I have rebooted in the last few days to receive the latest patches, none of the security procedures get in the way of my day-to-day work.

    In the end, I know that all it takes is a marginally competent IT staff to secure an organization. Any group that fails to do so is simply admitting that they are not even marginally competent - at least in my book.


  10. Anonymous Coward, 7 Jun 2007 @ 1:17pm

    Put it in the PORN folder dummies!



  12. Korb, 7 Jun 2007 @ 1:28pm

    There are trees on mars!
