It is the secretive heart of government information security, dispensing advice and setting standards throughout officialdom, but GCHQ's "cavalier" in-house policies have come under fire in a report revealing it lost 35 laptops. Three of the missing machines were certified to hold Top Secret material, according to the annual …
What I got from this is that their new policy will tell them on a yearly basis how many have gone missing?
Catch 42 if you Can Can
Is this the Always Present Resident Problem for GCHQ, and their ilk in other Lands and Domains ................ "When we asked for an update on how the new arrangements were working, we were informed that stock-takes were held in December 2008 and June 2009 which “examined progress across the SIA on delivery of departmental strategic objectives, value for money, and the financial management of the Agencies, and have focused on ensuring that [the]Agencies continue to be able to deliver their CSR07 plans successfully”. We are pleased to note that these stock-takes are taking place, although we would expect to be kept updated on these as a matter of course in the future, rather than having to ask for information." ..... http://www.cabinetoffice.gov.uk/media/346792/isc-annualreport-0809.pdf
All of which doesn't really tell anyone how the new arrangements were working, for surely the question has remained unanswered? Why would that be if that is the case?
And have GCHQ any Internet Masters yet?
"GCHQ recruited 410 new staff in 2007/08 against its target of 660. Talking about the shortfall, the Director of GCHQ said:
"It is hard to find [specialist staff] from outside… It’s very difficult because I think the individuals may not be out there. We may have to grow some of them, and I think we have to encourage industry to grow some of them… We are partnering with six key relatively well-off companies within the IT sector."" ....... Of course they are out there, it is just that the Intelligence needed to find them is missing in present personnel. And that will probably definitely require that necessary individuals cold call GCHQ to generate their interest and render a possible target for investigation/Developed Vetting/cold calling.
When such individuals would be au fait and/or expert [Subject Matter Expert] in .... well, let us call it in IT, Full Spectrum Cyber Immersion Fields .... will they fully expect/be fully expected to lead an orderly following rather follow any orderly or ordered lead.
And whenever that is not a question, does IT create A.N.Other Problem and Catch 22 dilemma for their Securing of Sensitive and Secret InterNetional Services?
No no no
No no, the process is to identify /where they all are/ once a year. For example:
"Where are these 35 laptops?"
"Oh, okay. See you next year."
What can possibly go wrong?
Laptops get lost
Any sensible security policy is based on the simple fact that laptops get lost or stolen (would you sack people for being mugged or getting off a train at midnight after an extra long day without it?). So yes, asset audits for the physical kit will help, but must be combined with robust encryption and/or restrictions on what gets downloaded. You want to download this secret doc.? OK - why, when are you going to delete it again, who are you etc.? - and it's all logged.
Well that'll put the price up on ebay
An annual check on their location? You mean they are not equipped with GPS transceivers giving a second-by-second account of their whereabouts?
"It's sat on the desk. It's sat on the desk .... it's in the GCHQ gents accessing pr0n".
They need to speak to the BBC special effects department ....
They Should Take Lessons...
...from Lower Merion School District.
Though bedroom snaps of security wa^Honks might cross some line.
Learn from everyone else?
In previous lives, wearing different colours of boilersuits, I think every place I've worked at already did this.
Either they did an IT audit each year, to find out who had lost what kit so that the IT budget could claw back some money from the department budget.
Or, they rolled it into the PAT process. While you're checking that plug, Mr Sparks.. Take a note of what bit of kit it's attached to.
Is this just a side effect of the civil service? No one watches the profit/loss book.. So they don't care about 'loss/lost'?
I have an idea
What about employees being fined from their salary every time they lose official equipment?
Or even better, they could hire a big burly man who owns a stick that has a nail hammered through it. Anyone who loses equipment would be granted the opportunity to be beaten in the basement until they promised never to do it again.
Most employers I have had would react very unfavourably to the loss of a laptop - probably with a sacking...
I have yet to encounter an employer who would terminate for a lost laptop. Stiff talking to, maybe a salary deduction. Who are you talking about?
Set the identifying details of the OS to be the person who has the laptop at the time. Any loss occurs, that person is immediately outed as working for GCHQ and has to abandon their current life in the interest of self preservation.
If releases of information from government departments can result in loss of liberty for UK citizens (DVLA & child benefits data losses anyone?) then the person who lost it can be part of those harmed. Maybe then they'll take extra care.
you are under the illusion that..
you can even start the OS on one of these missing laptops. In actuality you wouldn't even get past the first screen, let alone find out whose laptop it was (or even what was on it). Do more research into government disk encryption standards for protectively marked material to see what I mean.
Who said anything about starting the OS?
Remove the HDD and use a standard cloning process. Put the disk back and no-one would know any different. Then at your leisure, use one of the many forensic tools to examine the clone. Data recovery and forensic people do this all the time.
Can't read the data - not a big problem, there are various tools that can work their way through many forms of encryption. It may take a while but it can be done if you have the patience. Apparently, the Israelis are especially good at this.
The problem is that government may have the most astonishingly high quality disk encryption standards, but what are the odds that it wasn't applied on one of the missing laptops? Considering that they have very "robust" procedures to make sure that the laptop doesn't go missing in the first place that have not been used, I would bet not particularly high!
"but what are the odds that it wasn't applied on one of the missing laptops?"
~0, this is GCHQ you're talking about.
That's not going to cut it.
Explain how you make a clone of a hard disk that won't even identify itself to the BIOS (or permit read/write commands of any description), until the decryption password has been entered?
Before you ask, this technology is pretty old hat - it's been around since 2005, at least (I bought a notebook in November 2005, and the drive included this feature), and the technology prevents you from accessing or copying a disk without the proper password. Simply removing the disk from the laptop doesn't help you - the protection mechanism is on the disk itself, and even if you tear the thing apart and try to extract the data from the platters with another drive assembly, you will find the data is all encrypted. The BIOS in the notebook is simply smart enough to figure out that the drive is protected, and prompts the user for a password so it can pass the password on to the drive. If the drive fails to initialise, the BIOS assumes the password is incorrect, so it prompts the user again, until the drive successfully initialises. Either way, you will not get access to any data on the drive until you have supplied the correct password.
That was just the first generation of the technology. Subsequent drives certainly include the ability to "pair" drives and computers, and any attempt to access a drive from a computer that isn't paired to the drive will result in, at best, no joy - or at worst, erasure of the secure drive decryption key store - rendering the drive unusable until a secure erase command has been completed. Application of this technology isn't just useful in government laptops - people like Rupert Murdoch like the idea of drive-pairing when it comes to assembling Sky+/SkyHD boxes - as it makes removing content from the drive a little bit more difficult.
"Remove the HDD and use a standard cloning process. Put the disk back and no-one would know any different."
And you would defeat the high-security tamper-evident seals how exactly?
"Can't read the data - not a big problem, there are various tools that can work their way through many forms of encryption. It may take a while but it can be done if you have the patience."
Yes, and do you really think a GCHQ system rated to hold TS material would really use one of those forms of encryption? Yep, you'd be able to break it, probably after 30+ years or so, assuming you had access to government levels of crypt-analysis processing grunt...
Trouble recruiting? No way
My word, struggling to recruit people? When the starting salary is 17,000 pounds?! shock horror, I don't know what the problem is...
"Struggles to recruit net experts"
Has the desire to know every minuscule detail about every person in the UK started to backfire on GCHQ and the Intelligence Services?
Senior Spook A : "Why haven't you filled this vacancy for a junior spook?"
Spook B : "None of the candidates were suitable sir."
Spook A : "But there were hundreds of applicants! They can't all be unsuitable?"
Spook B: "Candidate 1 used to be a Hunt Sab, Candidate 2 downloads extreme pr0n, Candidate 3 votes Lib Dem, Candidate 4 once stood near an anti-war protester..."
Pretty much everyone has an embarrassing secret or two. When the state knows them all, how can it recruit anyone?
AIUI, it's not so much whether the vetters know your murky secrets, but whether you are prepared to cough to them, which means that if you forget to mention one that they do know about, they'll bounce you.
Plus see AC's comment below about pernickety verifiable history. But then again, it's GCHQ, and they take their vetting process extremely seriously, so much so that if you have already been positively vetted, they'll do a refresh before you even get through the door.
Makes it a pisser for them to get contractors in, or so I hear.
Having skeletons in the closet
When you apply for developed vetting, it is quite correct that the vetting process is very intrusive, however, having a few secrets, perhaps someone likes to dress up in women's clothing, it isn't necessarily, automatically a bar to employment.
I think mainly, the interviewers are looking for things for which you can be blackmailed. Years ago, I'd have said that if you were gay, you wouldn't have stood much of a chance of getting into the security services or defence sector where you would routinely handle information at secret or top secret, being gay used to be something which just wasn't the done thing, it had stigma, it was looked down upon and even at some time in the past was illegal.
So being gay in those times would have meant you were a good candidate to be blackmailed by the Russians.
In modern times, I doubt that being gay is so much of an issue in the intelligence/military arena, particularly if the person is already 'out' and it's common knowledge that the person is gay, attempting to blackmail them then, isn't likely to be effective.
Lots of years ago
being gay was a guarantee of getting in to the spook business. Burgess? Maclean? Blunt?
Four new data halls?!
That's a serious amount of kit they are thinking of running!
I wonder why?
"the difficulties GCHQ has had in recruiting and retaining skilled internet specialists in sufficient numbers – although specialist recruitment campaigns have been set up to try and address this problem."
Apart from the piss poor starting salary, would that be because many people have found out that GCHQ treat their lower level staff like crap? Only a vicious rumour of course, one that I have heard from every former employee without fail..!
What does AmanfromMars smoke? I am aware that English might not be their first language, but their long, rambling and inept mangling of normal written prose is hurting my eyes! It is like having a priest mumbling Latin in the background, too annoying to be ignored properly!
It's more mundane than that even - you can only fail for an error in the paperwork.
They want to hire people with higher degrees, so you have been living in rented accommodation for 7-8 years. If you can't remember the postcode of a flat you shared for a term as an undergrad you fail.
I interned with a similar bunch as a student many years ago.
The security people were out of the 1930s.
They had no concept of a normal school - they were asking me on whether my 'house master' ever talked about politics. And whether I knew any socialists - this was in a comprehensive in Sheffield in the 80s!
It was before electronic border records so they wanted to know the exact dates you had ever been out of the country and where you had stayed. In case on a 2 week camping holiday in France as a kid I had been recruited and trained as a KGB spy.
Even after the wall came down you weren't allowed to visit the FORMER East Germany.
You had to fill in a form if you met or spoke to pretty much any foreigner - in a university!
What this doesn't say was how the data on the HD was protected. I work for a government agency, and all our laptops require a Smartcard to boot, have PGP encrypted hard drives and in new machines TPM support turned on.
all the laptops do is boot into windows (2000 or xp) and the create once securely connected to our network start up our remote desktop software. No data is stored (or should be stored) on the laptop itself.
This has been true for... years (at least 5 to my knowledge)
So whilst it's never great to lose a laptop, I'd imagine that most government departments are similarly security focused and means there's minimal chance of data being "recovered".
"...minimal chance of data being recovered"
That's assuming the smartcard wasn't in the laptop case along with a post-it note containing the password...
How many smartcards were lost during the same period? Oh we didn't ask that or we'd lose our plausible deniability defence.
£38,000 top end for someone with CISSP certification they really haven't a clue
and good luck getting past HR :-) if you make it that far enjoy your recruitment days, you'll be happier jamming nails in your eyes.
Then wait to find out 8 months later whether you have the job or not. oh wait isn't the vetting process getting overloaded better make that 10 months, Oh what you've got another job how'd that happen then.
I'd rather work for Microsoft.
Re: Total Fail (15.53)
"I'd rather work for Microsoft."
Oh! You bitch!
The idea that the people may not be out there is partially a load of bollox.
I once was interested in working for GCHQ but I realised just how low the salaries would be.
Shame, I could have had quite an interesting career in the electronics side.
That's the problem.
Nicely put AC 16:50!
It ain't just the data that has gone walkabout it is also the encryption system.
Who wants the data (see ebay) who wants the UK government encryption system details?
Mind you, the rate at which these events occur will probably put the bidder price down a bit.
Once was: compromise a security system = get a new security system in soonest.
And who knows?
Maybe the laptops were "lost" at overseas jollies (urm) conferences?
Maybe in China, USA, Norway, Iceland, ...
As a previous GCHQ employee I once passed through security gates showing the guard a sausage roll instead of my ID card.
Sounds a *bit* too reassuring to me
We did lose 3 laptops 5 years ago.
But they are all *very* secure and we are sure if there were problems with data leakage we would have heard by now.
And it can't happen with the new system. No siree.
Good to know they did *finally* get round to mentioning it to eh "Oversight" committee in the end.
It has no evidence
that secret material was compromised...because it has no evidence of where the laptops went.
I thought about GCHQ once...
...but then it's in Cheltenham.
It would have been moving from one webbed finger county to another. Gribbit!
oh, what a miss...
next time, could you please get it lost/hit the target some closer to me? just never seen anything secret from gchq except traffic intercept.
They're gone. Assess what's on them and how well it's protected. How fast to crack the security?
Then consider what they are going to do about it.
The question I have for you is, were your laptops categorised as "restricted", or "secret" laptops?
I imagine not.
Any laptops so categorised are allowed to contain classified information and have the security measures in place to enable that information to be securely held.
The laptops lost clearly were authorised to hold secret data, would have had the security software in place and quite likely, almost certainly, were holding secret data. I don't think that making an assumption that one agency's department adopts certain procedures that those procedures would be adopted in all agencies.
For a start, you've stated your agency used PGP, without going in to much detail, that tells me you probably weren't part of MoD. One of the key things about security, is you don't disclose the measures adopted, and that includes software and algorithms. MoD Staff don't know what algorithms are employed, because a) it's kept secret, b) it's centrally controlled. One can't just go and download PGP free from the internet.
I'm guessing, but I could be wrong, that the data on your laptop wasn't actually protectively marked, but possibly sensitive in that it would be embarrassing if the information got into the public domain (tax records for example), but not sensitive enough such as military secrets.
"One of the key things about security, is you don't disclose the measures adopted, and that includes software and algorithms. MoD Staff don't know what algorithms are employed, because a) it's kept secret, b) it's centrally controlled"
Erm..yes they do (assuming they can be bothered)..here's an example of a product and algorithm for MoD Top Secret disk encryption.
and here's another.
Hardly 'it's kept secret'..more like 'don't know where to look'.
fyi - PGP
"..you've stated your agency used PGP, without going in to much detail, that tells me you probably weren't part of MoD"
PGP is officially a CAPS approved product for baseline..so don't assume anything.
They may be using it legitimately and in accordance with stds for protectively marked material (albeit not C or above).
a different idea
can't help wondering how many of these laptops went missing on purpose with misleading information on them.
in a secure environment NO laptops, PDAs, smartphones, USB sticks or phones etc are allowed to enter/leave the main premises. employees leave theirs in lockers on the outside of the checkin barrier.
They want us to have
Hah, ha, ha, ha .....................
GCHQ are being a bit thick.
There is no problem with supply of adequate people. However, there is a problem with the supply of adequate people who are willing to work for a pittance - when the competition are still offering 500 EUR / day contracts - even in this depressed economy. Knowing this, who would work for 17K?
It's a bit like petrol, really: There's still loads of it out there, but not if you're only willing to pay 10p a litre for it. You're swimming in it if you're willing to pay the going rate, though.
The clearance required to work at GCHQ also represents another problem for people like me: I have dual nationality (UK and NZ, and I have every intention of making use of the latter), and I would have to give up any and all claim to NZ nationality (and my NZ passport) as a prerequisite to working for GCHQ (or, indeed, working for anyone who requires DV clearance.)
I've been cleared to SC level on more than one occasion, however I refuse to even consider a job that requires me to give up any non-British nationality. That job is for someone a bit thicker, and more desperate, than myself.