Wednesday, June 28, 2006

OMB laptop security guidelines: implications for transparency in government?

Within a few years it's possible that encryption will be the norm in government data storage, and probably large organizations, too. The historical inevitability of this process was given a boost recently. The OMB has provided guidance requiring Federal agencies to take the security of desktop and laptop systems more seriously (see: OMB Sets Guidelines for Federal Employee Laptop Security)in the wake of recent disclosure of several massive losses of data which could lead to identity identity theft. Here are a few stories describing recent incidents which have prompted the concern and gained the attention of the OMB: Navy Finds Data on Thousands of Sailors on Web Site Afghan market sells US military flash drives FTC Loses Personal Data on Identity-Theft Suspects US veterans' data exposed after burglary Veterans Affairs warns of massive privacy breach Officials: Veterans Affairs Department Ignored Repeated Warnings on Data Security Latest Information on Veterans Affairs Data Security Additional background reading on the recent OBM security guidance: OMB targets desktop hole in cybersecurity Before we leap headlong into encrypting everything in the government, however, we should really ponder the technology and its other implications. Earlier this week, President Bush chastised the North Koreans, who have been preparing to test an ICBM (Intercontinental Ballistic Missile), saying that it is worrisome that a "non-transparent regime" is developing such a capability. Transparency in government is a valued characteristic of modern democratic governments. Consider, however, that even in a modern democracy there exists a tension between disclosure and transparency on the one hand, and the desire of government organizations to restrict information flow for a variety of purposes on the other. Also this week, the disclosure of further domestic spying activity highlights that very issue. More directly, even one of the agencies hit by recent data theft ran aground on the sand bar of public relations spin control run amok: Source: Theft of vets' data kept secret for 19 days. At least some organizations will opt to encrypt most data in most databases, most documents, and most filesystems, because it will be easier and cheaper to comply with directives like this by defaulting to encrypted storage for everything than it will be to analyze this mountain of content to determine if it should be encrypted or not. (Most of the stolen data that upsets people is personnel data, which is "sensitive but unclassified," for example.) Although this may help prevent massive loss of data as seen recently, it might also reduce transparency in government. It may well be legitimately more difficult and expensive to satisfy a FOIA (Freedom of Information Act) request for organizations which rely on office documents and distributed (ad-hoc) content creation and storage. Most policy setting organizations do exactly that. The recent OBM guidance is a welcome step in helping to limit the damage. (It should also be noted that encrypted storage doesn't completely solve this problem, as people tend to leave passwords laying about in plain text files to help them access their protected data, and passwords can be cracked with common tools, given sufficient CPU power and time to perform the crack.) Congress should consider the implications of encryption as a response to data theft problems upon the desirable characteristic of transparency in governance, and should attempt to mitigate the potential damage to transparency before it occurs. They might require that all encrypted archvies be searchable, for example, similar to the way email applications search encrypted mail files. Some thought on this issue would undoubtedly produce a few basic guidelines which would help preserve transparency in governance.

Technorati Tags: , , , , , , , , , , , , , , , , , ,

No comments: