Whitehall staff banned from removing laptops

…encryption rules follow latest data debacle

By Nick Heath, 22 January 2008 14:29


All Whitehall staff have been banned from removing laptops containing unencrypted personal data from offices in the wake of the Ministry of Defence (MoD) data loss.


Cabinet secretary Sir Gus O'Donnell sent an email to top civil servants on Monday night warning them that laptops and hard drives containing personal data could not be removed from government premises unless they are encrypted.

The directive is expected to result in the encryption of large amounts of data to enable officials to continue doing their jobs within the restrictions of the ban.

The ban has taken effect immediately and senior civil servants have been told to monitor compliance.

It follows Defence Secretary Des Browne's admission that three MoD laptops containing around 600,000 details of servicemen and recruits have been stolen since 2005. In addition, figures obtained by the Conservatives claim the department has lost a total of 347 laptops since 2004.

Sir Edmund Burton, chairman of the Information Advisory Council, is examining weaknesses in the MoD's data security procedures, and there is an ongoing cross-government review of data handling following HM Revenue and Customs' loss of 25 million child benefit claimants' details in the post.

The government has suffered a catalogue of embarrassing security breaches, which includes the NHS losing hundreds of thousands of patients' records, the DVLA losing three million learner drivers' details and the loss of more than 4,000 patient details by primary care trusts in Stockport and Oldham.

Comments

There are 17 comments.

  1. Karen Challinor

    a knee jerk quick fix to paper over the inadequacies of the system and save face, in short a "look we've addressed the problem now go away and bother someone else" measure

    of course if this is a short term interim measure, put in place while a thorough review of security policies and systems takes place, with a view to replacing them all with ones that are actually secure, sometime within the next 4 months or so

    well then I'll take it all back, providing this actually happens of course, good intentions count for nothing

  2. Joe Whitehead

    About time! I hope they use something like TrueCrypt or BitLocker. Better yet, an encrypted virtual machine image. I'd much prefer these instead of just leaving encrypted archives on the drive and then decrypting them to a nonencrypted sector or some such silliness. I can see how this might be hard for their technicians to implement correctly on the first try. Using (ATA drive's firmware) drive locking to a specific laptop sounds nice until you realize that it doesn't include hardware encryption so a really nasty bunch can read it anyways with hardware tools.

    Lo-Jack for laptops, anyone? Well I'm pretty sure they already tried that one. ;)

  3. Jane

    Fine to ban the removal of laptops from the premises, but what about the use of CDs and memory sticks?

    If these are still allowed into the offices then it is a pointless ban.

  4. Chris Goodman

    Encryption is all very well, but as we all know, what is encrypted can be decrypted by any determined hacker.
    The question is really WHY do so many individuals need a laptop in this day of networking when a desktop is invariably quicker and more secure?
    My follow up question is how many desktop computers (& their hard drives) belonging to the Government have been stolen?

  5. Austin Holdsworth

    Why are staff holding this information on laptops anyway? Are we supposed to have blind faith and trust in faceless civil servants not to sell it or lose it?

    Technologies like Citrix make it possible to access applications and sensitive data without it physically leaving the datacenter.

    Encryption is better than nothing but it doesn't stop the determined hacker or willful misuse by corrupt staff.

  6. anonymous

    I seem to remember a few years ago that an MoD laptop was stolen from an official's car. Do these people never learn!

  7. Charles Smith

    Next the Civil Service might start asking why the data was needed on a laptop in the first place!
    The big databases should be kept securely locked up and encrypted on a mainframe computer or proper mass storage.
    The laptops should only hold relevant (encrypted) extracts of the data.
    The Civil Service has a long history of safely dealing with confidential/secret files. I used to work for them and had to account for each sheet of any copy of a confidential/secret document. It is just that people have become lazy and complacent.

    When the Police and legal system start sending senior managers to prison for data losses I think that we will find that security is suddenly improved.

  8. anonymous

    What about the thefts of laptops from supposedly secure premises?

    These have been much less well reported but are far more serious - because some were targeted by people who knew what they were stealing.

    The need is to move as rapidly as practical towards copying those private sector operations that routinely refuse access to the network for any device (including laptops, USBs et al) that does not use their standard encryption technology.

  9. Philip Thomas

    Strange how the simplest of processes to protect data and the integrity of a companywide system can be totally overcome because of political correctness. We started out with 3270 green screens and you had absolutely no opportunity to remove any data unless you laboriously copied out the screen by hand. Then desktop PCs made their appearance and they used to have floppy drives - then they were banned and physically removed as it was a way to remove data from the office. No-one objected except those who used to bring in games to play. Then email arrived and we had another way of removing data in droves - so security was set up to prevent this - but always at the root of the technology was good old Process. If you removed ANY data from the office it was a sackable offence unless you had the express permission of a senior manager. Then the laptops came in and suddenly it was perfectly possible to remove ALL company data in a single book-sized piece of equipment. Process was still there but it became a case of "It is essential for me to take my work home because I am an important person, I need to show everyone I have to take my laptop home and do work at home, oh, and I use my mobile phone on the train because I am an important person". Pure posing. Work? Keep it in the office and if you need to take it to another office and they are not on your system, then ask yourself why you need to do this and the answer is in all probability you don't. The average worker does not NEED a laptop. It is a status symbol and should be banned.

  10. anonymous

    Why doesn't the DATA PROTECTION ACT make it possible for these negligent people to be prosecuted? If they were carrying data that included their own details they would, presumably, take their responsibilities a little more seriously.

  11. Harry Gibson

    It beggars belief that it has taken all these losses to get this reaction - what kind of high-paid idiots are running this country??

  12. Peter Bradley

    Why on earth is data being downloaded onto removable media in the first place? What reason could there be for doing this? Haven't they heard of remote access to databases? Are they incapable of setting up VPN access?
    Peter

  13. GALLEY SLAVE#41

    Of course the BIG question is....

    WHY ARE THESE PEOPLE TAKING LAPTOPS HOME?
    ARE WE EXPECTED TO BELIEVE THAT THEY ARE DOING SOME HOMEWORK OR OVERTIME?

    I FOR ONE DON'T THINK SO!
    PLAYING COMPUTER GAMES I THINK WOULD BE CLOSER TO THE TRUTH!!

  14. anonymous

    Notwithstanding that these are probably good commercial products (BitLocker has UK Government approval to protect UK RESTRICTED information - a classification that the USA recognises only via a UK-US treaty), the UK has for many years operated a scheme called CAPS (CESG Assisted Products Scheme, which is similar to FIPS 140) which approves encryption products to protect UK classified information. There are several products available to UK Government & MOD users, and over a year ago the Cabinet Office policy recommended Whole Disk Encryption over partition or volume encryption.

    Also of note is that key material is not self generated, but is produced by CESG.

  15. Joe Whitehead

    "Also of note is that key material is not self generated, but is produced by CESG."
    I presume this is to solve the "oops lost my reaalllly long key and have no backup" problem. Not to mention that it allows for them to be aware of how many volumes are actually being encrypted and where, by whom.

    It's nice that you already have products for this, but I have to wonder why they're not being used - price? effort? skill? culture? There has to be a reason they weren't used, which is a reasonable assumption if this issue is this common?

  16. martin anderson

    So it's taken the great brains in this government ten years to work out what every bozo on the street knew they ought to do with sensitive data. It doesn't give us much confidence in their ability to manage any IT-related issues, does it.

  17. Peter Smart

    Fastening the stable door after the horses have bolted?
    If the Conservative figures are correct, that's a loss of 2 laptops a week!!! That is fishy.
