Justice IG report: Protect laptop data
Portable drives can help the Justice Department protect laptop data
- By Michael Arnone
- Oct 10, 2005
Processing Classified Information on Portable Computers in the Department of Justice
Justice Department field agents and analysts are keeping classified information secure by using their wits and their training
and by carrying two laptop computers each. One is strictly for processing classified data. The other is for handling unclassified data and using unclassified applications, such as word processors and Web browsers.
Justice employees use the decades-old setup to prevent the accidental shift of classified information to an unclassified environment or the Internet. It works, but it's bulky and inconvenient.
Justice's Office of the Inspector General investigated how the department uses laptops to process classified information. At the suggestion of the department's information technology and security staff, the IG also evaluated governmentwide policy on IT security certification for all computer systems.
Justice increasingly relies on laptops to process classified information. But the department's rules governing those resources do not encourage "innovative practices to improve the use of portable computers for processing classified information while adequately safeguarding classified information," the IG's office concluded in a July report.
The report states that Justice's chief information officer should alter Standard 1.6, which dictates the departmentwide IT security management controls for all desktop and laptop computers that handle classified information. The IG said the rules should allow the creation of new, accredited computer configurations that permit the introduction of security-enhancing safeguards.
Some of the recommendations the report suggests aren't new, such as encrypting data and limiting the data kept on classified hard drives. But others would be new for Justice, including the use of small removable hard drives.
"The use of removable hard drives that can process both unclassified and classified information in the same computer shell is an area that the department should consider," the report states. Justice should consider authorizing the use of removable hard drives and developing appropriate security policies for them, it adds.
Justice organizations are open to the idea of using removable hard drives, but some worry that employees might not always follow security procedures. IT security experts don't agree on whether the recommendations would help or damage the security of Justice's classified information.
A pocket-sized solution
The policy recommendation on removable hard drives is the IG's principal improvement to Justice's management of classified information on laptops. Measuring roughly 2 inches by 3 inches, each drive weighs about 2 ounces and fits into the Type II PC card slots found on most laptops.
Justice's IG consulted the CIA, the National Security Agency, the Defense Department's National Reconnaissance Office and the Energy Department about their policies on removable hard drives. The first three agencies use laptops with two removable hard drives, one each for classified and unclassified information.
NSA officials told the IG's office that a computer's shell does not retain data once users remove the hard drive, adding that no data remains in the computer's RAM when users turn the machine off. Thus, Standard 1.6 should state that the shell of the computer becomes unclassified when someone removes the classified hard drive, according to the report.
In addition to halving the number of laptops that Justice employees must carry to handle classified information, removable hard drives would provide a number of benefits, the report states. For example, storing classified data would be easier.
Justice policies require computers that handle classified data to be double-wrapped in paper to show tampering, the report states. Users must unhook all peripheral devices and place the computer in a specially designed, secure container when they are not using the computers. All devices that could possibly store classified information must have warning labels on them stating so.
If the department used removable hard drives, only the drives would have to be double-wrapped instead of the whole laptop. That arrangement would improve security, the IG's office said, because the small drives are easier to secure and are less conspicuous than textbook-sized laptops.
Removable hard drives would also save Justice money because the drives are cheaper than new computers, according to the report. The IG's office shopped for 5G drives and found at least two manufacturers that sell models for less than $200. The drives could hold a multiuser operating system, application software and 4.1G of memory.
For roughly $400 per user, the report states, "this computer configuration would allow both unclassified and classified information processing on the same computer."
The IG office asked three Justice organizations the Drug Enforcement Administration, the FBI and the Executive Office for U.S. Attorneys (EOUSA) whether they authorize their employees to use separate hard drives, and if not, whether they would consider doing so.
None of those agencies authorizes the use of removable hard drives, the report states. The FBI said the idea has merit, but it would have to evaluate the specifics through the certification and accreditation process. EOUSA expressed interest in pursuing the idea as long as employees understood the security requirements. The DEA had a mixed reaction, saying that the idea could save money, but the risk of failing to switch hard drives when necessary could outweigh those benefits.
Paul Martin, Justice's deputy IG, said the report speaks for itself and declined to comment.
IT security experts have mixed opinions about the IG's recommendations. Bruce Schneier, chief technology officer at Counterpane Internet Security, said the report was well-conceived. He liked the idea of removable hard drives and the suggestion to install tracking devices in laptops to help find lost and stolen computers.
Peter Lindstrom, research director at Spire Security, had more reservations about the report's implications. "I don't see a clear positive or negative impact on security at all, but it seems to have a pretty positive impact on costs and on [Justice employees'] shoulders as well because they only have to carry one laptop," he said.
Schneier and Lindstrom said they were amazed that Justice had not already made such changes. Lindstrom said he was disappointed that Justice didn't think of the idea on its own.
The department is starting to understand that its employees need to do both classified and unclassified work on their computers, Schneier said. But if those recommendations are an improvement, he added, "it must be an absolute mess out there."
Frying pan to fire?
Lindstrom and Schneier disagree on whether removable hard drives present a definite security improvement or add as many problems as they solve.
Because it's so easy to make a mistake, "maintaining two sets of policies, switching back and forth, is a losing proposition over time," Lindstrom said. "I'm not sure that a user in the normal course of business would shift back and forth between their behavior around classified and unclassified information. You're better off configuring the system to force that behavior."
Schneier disagreed, saying a hardware solution is the best solution because hardware is more reliably secure than software. That's why Justice's current system of securing and storing classified information has worked so well for decades, he said.
"The best way to make sure classified information doesn't get taken out of the building is not to take it out of the building" and keep it locked in a safe when not in use, Schneier said.
Schneier said running two removable hard drives with separate operating systems and applications on the same computer shell is a great idea, especially if Justice follows the IG's suggestion to bar access to unclassified information and the Internet while the classified drive is in use.
"That's the best separation you can do," Schneier said. "You might as well share a screen, keyboard and CPU."
Schneier said he wondered whether laptops enabled for such configurations are available and how much they cost. He could see Justice's proposed practices spreading to DOD and other countries.
On the other hand, Lindstrom isn't sold on the idea of two hard drives. To make the system work, Justice would presumably have to buy laptops that don't have hard drives, he said. That would force users to use the security settings on each removable drive. But if the removable drives supplemented the laptop's drive, users could accidentally transfer classified information to the unprotected drive, he said.
"As soon as you mount drives at the same time, the fact that they are physical devices doesn't matter anymore" because the two are logically connected, Lindstrom said. That gives attackers ways to crack the unclassified applications to access the classified drive.
Logical security is the best way to protect data, Lindstrom said. Justice could encrypt all data and set up a host intrusion-
prevention system and digital rights management system, he said. Instead of worrying about where to put data, the department should protect its data regardless of its location, Lindstrom said.
By using only one hard drive with adequate security protections, Lindstrom said, Justice could potentially save even more money by not implementing the IG's recommendations.