So..
what I got from this is that their new policy will tell them on a yearly basis how many have gone missing?
It is the secretive heart of government information security, dispensing advice and setting standards throughout officialdom, but GCHQ's "cavalier" in-house policies have come under fire in a report revealing it lost 35 laptops. Three of the missing machines were certified to hold Top Secret material, according to the annual …
Chris,
Is this the Always Present Resident Problem for GCHQ, and their ilk in other Lands and Domains ................ "When we asked for an update on how the new arrangements were working, we were informed that stock-takes were held in December 2008 and June 2009 which “examined progress across the SIA on delivery of departmental strategic objectives, value for money, and the financial management of the Agencies, and have focused on ensuring that [the]Agencies continue to be able to deliver their CSR07 plans successfully”. We are pleased to note that these stock-takes are taking place, although we would expect to be kept updated on these as a matter of course in the future, rather than having to ask for information." ..... http://www.cabinetoffice.gov.uk/media/346792/isc-annualreport-0809.pdf
All of which doesn't really tell anyone how the new arrangements were working, for surely the question has remained unanswered? Why would that be if that is the case?
And have GCHQ any Internet Masters yet?
"GCHQ recruited 410 new staff in 2007/08 against its target of 660. Talking about the shortfall, the Director of GCHQ said:
"It is hard to find [specialist staff] from outside… It’s very difficult because I think the individuals may not be out there. We may have to grow some of them, and I think we have to encourage industry to grow some of them… We are partnering with six key relatively well-off companies within the IT sector."" ....... Of course they are out there, it is just that the Intelligence needed to find them is missing in present personnel. And that will probably definitely require that necessary individuals cold call GCHQ to generate their interest and render a possible target for investigation/Developed Vetting/cold calling.
When such individuals would be au fait and/or expert [Subject Matter Expert] in .... well, let us call it in IT, Full Spectrum Cyber Immersion Fields .... will they fully expect/be fully expected to lead an orderly following rather follow any orderly or ordered lead.
And whenever that is not a question, does IT create A.N.Other Problem and Catch 22 dilemma for their Securing of Sensitive and Secret InterNetional Services?
Any sensible security policy is based on the simple fact that laptops get lost or stolen (would you sack people for being mugged or getting off a train at midnight after an extra long day without it?). So yes, asset audits for the physical kit will help, but must be combined with robust encryption and/or restrictions on what get's downloaded. You want to download this secret doc.? OK - why, when are you going to delete it again, who are you etc.? - and it's all logged.
An annual check on their location? You mean they are not equipped with GPS transceivers giving a second-by-second account of their whereabouts?
"its sat on the desk. Its sat on the desk .... its in the GCHQ gents accessing pr0n".
They need to speak to the BBC special effects department ....
In a previous lives, wearing different colours of boilersuits, I think every place I've worked at already did this.
Either they did an IT audit each year, to find out who had lost what kit so that the IT budget could claw back some money from the department budget.
Or, they rolled it into the PAT process. While youre checking that plug, Mr Sparks.. Take a note of what bit of kit it's attached to.
Is this just a side effect of the civil service? No one watches the profit/loss book.. So they dont care about 'loss/lost'?
What about employees being fined from their salary every time they lose official equipment?
Or even better, they could hire a big burly man who owns a stick that has a nail hammered through it. Anyone who loses equipment would be granted the opportunity to be beaten in the basement until they promised never to do it again.
Most employers I have had would react very unfavourably to the loss of a laptop - probably with a sacking...
Set the identifying details of the OS to be the person who has the laptop at the time. Any loss occurs, that person is immediately outed as working for GCHQ and has to abandon their current life in the interest of self preservation.
If releases of information from government departments can result in loss of liberty for UK citizens (DVLA & child benefits data losses anyone?) then the person who lost it can be part of those harmed. Maybe then they'll take extra care.
you can even start the OS on of these missing laptops. In actuality you wouldn't even get past the first screen, let alone find out whose laptop it was (or even what was on it). Do more research into government disk encryption standards for protectively marked material to see what I mean.
Who said anything about starting the OS?
Remove the HDD and use a standard cloning process. Put the disk back and no-one would know any different. Then at your leisure, use one of the many forensic tools to examine the clone. Data recovery and forensic people do this all the time.
Can't read the data - not a big problem, there are various tools that can work their way through many forms of encryption. It may take a while but it can be done if you have the patience. Apparently, the Israelis are especially good at this.
The problem is that government may have the most astonishgly high quality disk encryption standards, but what are the odds that it wasn't applied on one of the missing laptops? Considering that they have very "robust" prcedures to make sure that the laptop doesn't go missing in the first place that have not been used, I would bet not particularly high!
This post has been deleted by its author
"Remove the HDD and use a standard cloning process. Put the disk back and no-one would know any different."
And you would defeat the high-security tamper-evident seals how exactly?
"Can't read the data - not a big problem, there are various tools that can work their way through many forms of encryption. It may take a while but it can be done if you have the patience."
Yes, and do you really think a GCHQ system rated to hold TS material would really use one of those forms of encryption? Yep, you'd be able to break it, probably after 30+ years or so, assuming you had access to government levels of crypt-analysis processing grunt...
Cheers
Mark
Has the desire to know every miniscule detail about every person in the UK started to backfire on GCHQ and the Intelligence Services?
Senior Spook A : "Why haven't you filled this vacancy for a junior spook?"
Spook B : "None of the candidates were suitable sir."
Spook A : "But there were hundreds of applicants! They can't all be unsuitable?"
Spook B: "Candidate 1 used to be a Hunt Sab, Candidate 2 downloads extreme pr0n, Candidate 3 votes Lib Dem, Candidate 4 once stood near an anti-war protester..."
Pretty much everyone has an embarrassing secret or two. When the state knows them all, how can it recruit anyone?
AIUI, it's not so much whether the vetters know your murky secrets, but whether you are prepared to cough to them, which means that if you forget to mention one that they do know about, they'll bounce you.
Plus see ACs comment below about pernickety verifiable history. But then again, it's GCHQ, and they take their vetting process extremely seriously, so much so that if you have already been positively vetted, they'll do a refresh before you even get through the door.
Makes it a pisser for them to get contractors in, or so I hear.
When you apply for developed vetting, it is quite correct that the vetting process is very intrusive, however, having a few secrets, perhaps someone likes to dress up in women's clothing, it isn't necessarily, automatically a bar to employment.
I think mainly, the interviewers are looking for things which for which you can be blackmailed. Years ago, I'd have said that if you were gay, you wouldn't have stood much of a chance of getting into the security services or defence sector where you would routinely handle information at secret or top secret, being gay used to be something which just wasn't the done thing, it had stigma, it was looked down upon and even at some time in the past was illegal.
So being gay in those times would have meant you were a good candidate to be blackmailed by the Russians.
In modern times, I doubt that being gay is so much of an issue in the intelligence/military arena, particurlarly if the person is already 'out' and it's common knowledge that the person gay, attempting to blackmail them then, isn't likely to be effective.
"the difficulties GCHQ has had in recruiting and retaining skilled internet specialists in sufficient numbers – although specialist recruitment campaigns have been set up to try and address this problem."
Apart from the piss poor starting salary, would that be because many people have found out that GCHQ treat their lower level staff like crap? Only a vicious rumour of course, one that I have heard from every former employee without fail..!
What does AmanfromMars smoke? I am aware that English might not be their first language, but their long, rambling and inept mangling of normal written prose is hurting my eyes! It is like having a priest mumbling latin in the background, too annoying to be ignored properly!
It's more mundane than that even - you can only fail for an error in the paperwork.
They want to hire people with higher degrees, so you have been living in rented accomodation for 7-8 years. If you can't remember the postcode of a flat you shared for a term as an undergrad you fail.
I interned with a similar bunch as a student many years ago.
The security people were out of the 1930s.
They had no concept of a normal school - they were asking me on whether my 'house master' ever talked about politics. And whether I knew any socialists - this was in a comprehensive in Sheffield in the 80s!
It was before electronic border records so they wanted to know the exact dates you had ever been out of the country and where you had stayed. In case on a 2 week camping holiday in France as a kid I had been recruited and trained as a KGB spy.
Even after the wall came down you weren't allowed to visit the FORMER east germany.
You had to fill in a form if you met or spoke to pretty much any foreigner - in a university!
What this doesn't say was how the data on the HD was protected. I work for a government agency, and all our laptops require a Smartcard to boot, have PGP encrypted hard drives and in new machines TPM support turned on.
all the laptops do is boot into windows (2000 or xp) and the create once securely connected to our network start up our remote desktop software. No data is stored (or should be stored) on the laptop itself.
This has been true for... years (at least 5 to my knowledge)
So whilst it's never great to lose a laptop, I'd imagine that most government departments are similarly security focused and means there's minimal change of data being "recovered".
This post has been deleted by its author
It ain't just the data that has gone walkabout it is also the encryption system.
Who wants the data (see ebay) who wants the UK government encryption system details?
Mind you, the rate at which these events occur will probably put the bidder price down a bit.
Once was: compromise a security system = get a new security system in soonest.
And who knows?
Maybe the laptops were "lost" at overseas jollies (urm) conferences?
Maybe in China, USA, Norway, Iceland, ...
Nice innit?
Wellllllllllllllll
We did lose 3 laptops 5 years ago.
But they all *very* secure and we are sure if there were problems with data leakage we would have heard by now.
And it can't happen with the new system. No siree.
Good to know they did *finally* get round to mentioning it to eh "Oversight" committee in the end.
The question I have for you is, were your laptops categorised as "restricted", or "secret" laptops?
I imagine not.
Any latops so categorised are allowed to contain classified information and have the security measures in place to enable that information to be securely held.
The laptops lost clearly were authorised to hold secret data, would have had the security software in place and quite likely, almost certainly, were holding secret data. I don't think that making an assumption that one agency's department adopts certain procedures that those procedures would be adopted in all agencies.
For a start, you've stated your agency used PGP, without going in to much detail, that tells me you probably weren't part of MoD. One of the key things about security, is you don't disclose the measures adopted, and that includes software and algorithsm MoD Staff don't know what algorithms are employed, because a) it's kept secret, b) it's centrally controlled. One can't just go an download PGP free from the internet.
I'm guessing, but I could be wrong, that the data on your laptop wasn't actually protectively marked, but possibly sensitive in that it would be embarrassing if the information got into the public domain (tax records for example), but not sensitive enough such as military secrets.
"One of the key things about security, is you don't disclose the measures adopted, and that includes software and algorithsm MoD Staff don't know what algorithms are employed, because a) it's kept secret, b) it's centrally controlled"
Erm..yes they do (assuming they can be bothered)..here's an example of a product and algorithm for MoD Top Secret disk encryption.
http://www.cesg.gov.uk/find_a/caps/index.cfm?menuSelected=11&displayPage=1111&id=96
and here's another.
http://www.cesg.gov.uk/find_a/caps/index.cfm?menuSelected=11&displayPage=1111&id=152
Hardly 'it's kept secret'..more like 'don't know where to look'.
"..you've stated your agency used PGP, without going in to much detail, that tells me you probably weren't part of MoD"
PGP is officially a CAPS approved product for baseline..so don't assume anything.
They may be using it legitimately and in accordance with stds for protectively marked material (albeit not C or above).
http://www.cesg.gov.uk/find_a/caps/index.cfm?menuSelected=11&displayPage=1111&id=139
This post has been deleted by its author