Missing laptop, missing policy

Let's rewrite the laptop story. Let's see what Good Government might have done, beginning with the laptop and then looking at the larger issues of federal IT security and identity theft.

In Good Government, the civil servant's agency would have instituted some or all of the following practices:

  • Disk encryption: Good Government would have encrypted everything on every laptop's hard drive so that even if a computer were stolen, no one could read what was on it without knowing the decryption password.
  • Remote zeroization: The laptop would have had a program on it that covertly "phoned home" whenever the thief or new owner connected to the internet.
  • Digital rights management (DRM): The sensitive file on the laptop would have had a DRM application so that it could only be read, or printed, or forwarded, or downloaded by an authorized user.
  • Telecommuting: The department would have established a secure virtual private network (VPN) allowing workers at home to work on files stored on the department's servers. Even in the office they would not have the data on their desktop, but would access it from a secure file server.
  • Two-factor authentication: The DRM and telecommuting would have allowed access only after the user had proved identity through the use of two- or three-factor authentication, such as a secure token.

These and other best practices would have been adopted by the U.S. Department of Veterans Affairs and all other federal agencies because in Good Government there would have been a powerful and independent office of a federal CIO with the authority to require the departments to institute security procedures. Instead, today in the real world of Bad Government, the leaders of the Office of Management and Budget (OMB) jealously guard the authority to regulate federal information security policies, but have so few people dedicated to the task that OMB cannot realistically stay current with technology, develop policies, and engage in oversight to ensure the implementation of IT security policy.

Because it is not just from federal government computers that identities are stolen, Good Government would have instituted effective laws to protect citizens and corporations from cybercrime and identity fraud. First, the Congress would have passed legislation similar to Japan's, mandating IT security standards and third-party audits for any company that stores personal data on 5,000 or more individuals. Such standards would involve encryption and multi-factor authentication. Second, Congress would have passed a law requiring notification of citizens when their identity data may have been stolen. Over 30 states have already passed such laws, but in the real world of Bad Government, many in the Congress are instead actually trying to pass federal legislation that would water down the state notification laws. Finally, Congress would have required the use of two-factor authentication for online banking, as Hong Kong has, or for any significant new credit-related action, such as applying for a credit card or getting a mortgage.

Good Government solves problems, not through big bureaucracy or unnecessary regulation, but through smart adoption of technology. Unfortunately, we have Bad Government, which does little or nothing.

Richard Clarke served three U.S. presidents as an intelligence and terrorist expert. His latest books are Against All Enemies and The Scorpion's Gate. He is chairman of Good Harbor Consulting.
