Mr Ainsworth
Had all the information but it was on a USB stick - and guess what ?
The UK Ministry of Defence has told parliament that it has lost or had stolen some 87 USB sticks holding "protectively marked" - ie classified - material since 2003. However, almost all the devices were marked at the lowest grade of classification, and even the remaining few are unlikely to have contained information of any …
"almost all the devices were marked at the lowest grade of classification, and even the remaining few are unlikely to have contained information of any significance."
And therefore there was no need for the information to be classified in the first place.
Such losses emphasise the urgent need for a root and branch re-examination of the British classification system in tandem with a review of the Official Secrets Act with a view to greatly reducing the number of classified documents and releasing as many as possible into the public domain. Anything over twenty years old should be automatically released.
Oh, Top Secret is definitely not the highest category. In a further byzantine twist to this bizarre system, there are further compartments of classification, adjuncts to top secret that require more strenuous background checks. Thus there are secrets held within secrets. And you wonder why the government can't do joined up thinking?
The description of the different types of information that is stored at different protective marking levels in this article is complete rubbish.
Restricted is a classification which is overused, I agree with that, however, restricted is also used at times, 'correctly' for genuninly sensitive information which should not fall in to the hands of the public or the enemy and such disclosure most definitely would be harmful to the interests of the state. Trust me, I know.
Second, confidential information does have to be treated differently, as your article states but this most definitely is not worthless information marked at this level. Your article states that anything useful starts at Top-Secret. This is completely untrue. Really useful/valuable information starts at a lower level and I'm not going to disclose the kind of information that is held at different levels and why it is held at different levels.
I have never seen such rubbish written about the different security classifications and I've worked in side the armed forces for a number of years on the development of classified projects.
"Oh, Top Secret is definitely not the highest category. In a further byzantine twist to this bizarre system, there are further compartments of classification, adjuncts to top secret that require more strenuous background checks. Thus there are secrets held within secrets. And you wonder why the government can't do joined up thinking?"
Resolving that joined up thinking Omission, would then surely Default to Secret Secret Intelligence Circles ..... Round Tables/Star Chambers/Call IT what you Will/Like.
And Re Top Secret Leakage. There is no such Thing for IT is Considerate Placement and a Deliberate Refined Host Act.
Raw GBIrish for Obama's Training Schedule. And a little something QuITe Important to the Presidential Guard.
Has Uncle Sam contracted that out to the Private Sector for the Lowest Price? Wow, that's a Fundamental 404 Error Inviting 419 Vulnerability, which may also be AI Virtual Invulnerability too, in the Right Hearts and Minds ......Magic Slow Hands.
And just as a Matter of [Sensitive] Interest, are any missing Sticks, Atomic and RadioProActive.
"And therefore there was no need for the information to be classified in the first place.
Such losses emphasise the urgent need for a root and branch re-examination of the British classification system in tandem with a review of the Official Secrets Act with a view to greatly reducing the number of classified documents and releasing as many as possible into the public domain. Anything over twenty years old should be automatically released."
Thats like saying you should not be so worried about security on your PC. It is marked for a reason but is not critical. The system actually works pretty well from my experience and there really is no need for change, this stuff is confidential for a reason.
Anything over 20 years should be released? So stuff like how the Harrier was designed and built? Plans to defend the country and tactical nuances? Details on other kit aboard our (admittedly aging) Navy. Information on other countries and their forces? Intelligence data gathered on people and places, every photo, conversation.
Please be sensible about what you say.
In the security sheet that I read, the security marking was dependent on the level of harm it would cause the nation if the information got into open circulation. From memory, it went something like this:
Restricted - minor harm
Confidential - significant harm
Secret - serious harm
Top Secret - exceptionally grave harm
At MAFF/Defra, I saw very few security marked files, nothing higher than "restricted" and most of it to do with staff appraisal and wages. The overarching restriction was commercial confidentiality.
Most of the senior staff in our division were of the opinion that a security marking would only encourage an interloper to read a file where otherwise they might not. My preferred marking to dissuade the curious was "PLEASE FILE".
Is how Lewis' 'forces background' definition of the various classifications varies from that in industry. The idea that lower levels of protective marking aren't really important is just wrong.
Were the defence industry to lose anywhere near as much classified stuff as the MoD, govt and armed forces; they'd all be forced out of business.
Still, 'do as we say, not as we do' eh MoD
How much of the lost data encrypted? If it's all solidly encrypted, then the losses probably don't mean much, but if the data was stored in the clear...
Whilst I'd *expect* the MoD to have encrypted it, I'd have expected the same from many other government data breaches; clearly that hasn't happened.
This post has been deleted by its author
@Frank Gerlach
Modern high-grade encryption is a totally superior kettle of fish to the Enigma machines of WWII. The cyphers are almost certainly unbreakable even by intelligence agencies unless someone obtains the key, which will certainly not be found on the data medium. (I'm assuming some degree of competence. After the Inland Revenue CDROM fiasco, that may be a poor assumption).
Also if an encrypted USB key, even a trivially encrypted one, is merely lost rather than stolen by a spy (and provided neither it nor anything visible inside it are labelled "TOP SECRET" in plaintext), it's most likely that a person who finds it will just wipe it and re-use it.
I disagree. Even if secrecy were not involved and this was all unclassified data, there's still no excuse in losing it. The point is, data (of all types) is continually being lost. Losing Top Secret data is pretty bad, but then so is losing unclassified information. Unclassified information could potentially become Top Secret once it's been classified, but point is, something in the department is broken and staff are unknowingly putting data at risk. USB sticks and PDAs are in common use in the MoD, namely because the desktop/email systems are too locked down and staff's own home PCs or PDAs get the job done quicker. Staff don't realise they are breaking the law.
The good news (I hope) is that the MoD will be unearthing more of these events as it undertakes their action plan in response to the Burton review of April 2008. The bad news is that the press will now run riot over anything the MoD subsequently releases and forums will go wild...
Burton Review:
http://www.mod.uk/NR/rdonlyres/3E756D20-E762-4FC1-BAB0-08C68FDC2383/0/burton_review_rpt20080430.pdf
MoD's response and action plan here:
http://www.mod.uk/NR/rdonlyres/F0437ECE-F5E6-4246-B4A8-8E63B789C915/0/burton_action_plan20080625.pdf
Line #15 in the Burton Review says it all:
"15. Outside MOD HQ, with a few notable exceptions, there is very limited understanding of the Department’s obligations under the Data Protection Act."
and
"31 a. Too large and unwieldy. JSP 440, the Department’s chief document on security, runs to hundreds of pages. System and Security Operating procedures are commonly 90-100 pages. The language used is often specialist and impenetrable to lay readers."
Something VERY definitve and conclusive is being done about data protection issues by the MoD. The MoD now have a Head of Data Protection and Information Assurance (as of January 2008).
I know it's too much, too little and probably too late, but I fully support the actions of the MoD in resolving this problem. Just wish they could do it a little quicker... :)
... what about the dozens of laptops government employees lose each year?
You can bet that if the civil service admits to losing X amount of kit, the true figure is probably double or triple that.
The figures released today are from just one department: multiply them across all government departments and agencies and you have a very substantial amount of data that has been mislaid, stolen or just gone missing.
All this from the government that wants all your phone and email records in a database. The same government that wants your personal info entered into its ID card system.
It beggars belief.
Aux armes, citoyens! Aux armes!
Re:
so a "Classified" project would be one which doesn't appear on official MOD websites, and only gives a few thousand results on google? or would that be "Highly Classified"?
A remark like that shows a lack of knowledge about classified material. You are assuming that because a project is classified that nothing is known about it, not even its name is released to the public. This is simply not true.
The name, scope and function of a classified project may very well be known to the public and available on internet sites, on some large government projects where funding runs in to billions of dollars/pounds then it will be extremely hard to hide such expenditure from the public scrutiny and that of parliament.
The purpose of classifying projects is not to hide all information about the project from the public, elements such as design documentation, implementation information is classified and protected, there is no need for total secrecy governing all aspects of the project.
>How much of the lost data encrypted? If it's all solidly encrypted, then the losses probably >don't mean much, but if the data was stored in the clear...
>Whilst I'd *expect* the MoD to have encrypted it, I'd have expected the same from many >other government data breaches; clearly that hasn't happened.
There is a whole set of rules which come into effect if data is encrypted.
The protective marking governs how the data is handled. If data is encrypted then fairly obviously it does not need to be handled in quite the same way as non-encrypted data.
You can handle protectively marked data differently if it is encrypted, however, how differently depends on the classification of the information and the Algorithm in use, suffice to say the algorithms used are not commerically available.
If for example you were to carry off premises, a laptop which had SECRET information on it that was encrypted to the best method available, you would be able to handle it as RESTRICTED (i.e. in a locked container) provided it was powered off and that the physical authentication factor was transported seperately to the encrypted medium and also transported in a locked container, ideally the token and the medium would travel by diferent routes.
If you cant handle something as if it was RESTRICTED or less, then you typically need to transport it with at least an armed guard, which is quite an expensive process. This is why it's even more shocking that a Top Secret document was found on a train, because it should not have left a government facility without an armed guard, let alone in someone's briefcase.
There is a document which gives details about the protective Marking System and what it all means here, who can access it and how you should store it: http://www.cps.gov.uk/legal/section14/chapter_i.html it's by no means the only source of this information available to you with google.
In addition, there is another classification label that UK gov and MoD now put on documents called "PROTECT" which is stuff thats not important enough to be restricted, but that they would still like to control access to and keep from prying eyes none the less, it was added fairly recently to stop people from blanketly marking things as RESTRICTED, I've only seen a couple of documents that use this marking. It's effectively the same as marking it as commercialy sensitive or personell related.
Also the reason that there are likely to be less USB keys reported as stolen is that there was at one time a policy banning their use on some sites, after it was realised that usb keys are difficult to destroy and easy to lose.
I bet they are not lost, just put on ebay :)
on the other hand, forget about the data that was on them, how much is all these lost USB sticks, Laptops, etc. Cost us tax payers to replace
I think that people that work within the Goverment, MOD, etc that is Tax payer funded should have to pay to replace the item they have lost out of the their wages, instead of the Tax payers have to pay for it out of their pockets then maybe the government can lower taxes :D
I bet non go missing then!!
Posting of Friday 18th July 2008 23:05 GMT says:
>If you cant handle something as if it was RESTRICTED or less, then you
>typicallyneed to transport it with at least an armed guard, which is quite an
>expensive process.
Oh yeah? As the CPS manual to which you helpfully provide a link says,
you can send SECRET documents in the Royal Mail, as long as you use
Special Delivery. I've never yet seen the postie turn up with an armed guard.
Most of what the govt. produces is "secret" in that they don't want anyone to know anything about what's going on. So many of the USBs will contain boring and pointless documents.
Also, losing so many documents is part of a secrecy strategey.
Some of the 'lost' disks/USBs/Laptops should have been deliberately 'lost' and contain disinformation. It's the "Raiders of the Lost Ark" principle - lose so many USBs that no-one knows which one contains the really useful information. If not, then they need to sack the head of the secret services and employ me instead.
Any seriously secret data would be encrypted - so no problem. If it wasn't, then see suggestion in previous paragraph. I'm available to start on Monday.
"I'm not going to disclose the kind of information that is held at different levels and why it is held at different levels."
It seems to me that anyone genuinely involved in secret stuff would not being going around posting about this on The Register, or indeed anywhere, even using an anonymous account. You would have nothing to gain, and quite a lot to lose.