NASA, the US National Aeronautics and Space Administration, is forbidding staff from removing laptop computers until all of them have been protected with laptop encryption. The order follows an announcement that NASA lost another computer on October 31.
According to the BBC, NASA has ordered staff not to remove agency-issued laptops from facilities until they are protected with encryption software. The straw that broke the camel's back is an October 31 incident: a laptop computer was stolen from an employee's car in Washington, D.C. The computer contained sensitive, personally identifiable information (PII). The report did not specify what it could be, although PII can range from names and addresses to SSNs, credit card numbers, and various forms of financial information.
Password protection was used to secure the content, but as is common knowledge among geeks and technologists, password protection does not feature the same level of security as encryption. The fact that this is lost on rocket scientists would tickle me silly if it were not so sad.
NASA is alerting its employees that they should take care not to be phished. A full review of the lost data could take up to 60 days.
Reading the actual agency-wide message, it's quite clear that NASA is not actually forbidding staff from taking home their agency laptops. If you read the fine print (spaceref.com, my emphasis):
The Administrator and the Chief Information Officer (CIO) have directed that, effective immediately, no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted. This applies to laptops containing PII, International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data, procurement and human resources information, and other sensitive but unclassified (SBU) data.
As long as the laptop doesn't contain information such as the above, it should be fine. The problem in this era of terabytes, though, is whether one can be absolutely sure that he or she is not carrying sensitive information.
Such pragmatic concerns are what led certain IT security advocates to deploy full disk encryption software on all laptops, regardless of who's using them and for what purpose, if there is even a remote chance of sensitive data ending up on them (because an organization handles sensitive data).
NASA appears to be taking a page from that book:
Center CIOs have been directed to complete the whole disk encryption of the maximum possible number of laptops by November 21, 2012. NASA plans to complete the laptop encryption effort by December 21, 2012, after which time no NASA-issued laptops without whole disk encryption software, whether or not they contain sensitive information, shall be removed from NASA facilities.
So, for the time being, the US's premier (and only) space agency will allow unencrypted laptops to be taken in and out of facilities, but all of it ends 10 days before the end of the year. Why ten days? Who knows -- maybe they like the fact that the dates are all ones and twos: 12/21/2012. (It's a stupid suggestion because, among other things, there's an errant zero in the mix.)
While one congratulates NASA for the above, one has to wonder what took them so long. I mean, they had that situation over a year ago, in March 2011, and another earlier this year.
I guess that saying about good and bad things coming in threes must be true.
Related Articles and Sites:
http://www.bbc.co.uk/news/technology-20343745
http://science.slashdot.org/story/12/11/15/1513227/nasa-to-encrypt-all-of-its-laptops