back to article GCHQ loses Top Secret laptops

It is the secretive heart of government information security, dispensing advice and setting standards throughout officialdom, but GCHQ's "cavalier" in-house policies have come under fire in a report revealing it lost 35 laptops. Three of the missing machines were certified to hold Top Secret material, according to the annual …

COMMENTS

This topic is closed for new posts.
  1. simbr

    So..

    what I got from this is that their new policy will tell them on a yearly basis how many have gone missing?

    1. amanfromMars 1 Silver badge

      Catch 42 if you Can Can

      Chris,

      Is this the Always Present Resident Problem for GCHQ, and their ilk in other Lands and Domains ................ "When we asked for an update on how the new arrangements were working, we were informed that stock-takes were held in December 2008 and June 2009 which “examined progress across the SIA on delivery of departmental strategic objectives, value for money, and the financial management of the Agencies, and have focused on ensuring that [the]Agencies continue to be able to deliver their CSR07 plans successfully”. We are pleased to note that these stock-takes are taking place, although we would expect to be kept updated on these as a matter of course in the future, rather than having to ask for information." ..... http://www.cabinetoffice.gov.uk/media/346792/isc-annualreport-0809.pdf

      All of which doesn't really tell anyone how the new arrangements were working, for surely the question has remained unanswered? Why would that be if that is the case?

      And have GCHQ any Internet Masters yet?

      "GCHQ recruited 410 new staff in 2007/08 against its target of 660. Talking about the shortfall, the Director of GCHQ said:

      "It is hard to find [specialist staff] from outside… It’s very difficult because I think the individuals may not be out there. We may have to grow some of them, and I think we have to encourage industry to grow some of them… We are partnering with six key relatively well-off companies within the IT sector."" ....... Of course they are out there, it is just that the Intelligence needed to find them is missing in present personnel. And that will probably definitely require that necessary individuals cold call GCHQ to generate their interest and render a possible target for investigation/Developed Vetting/cold calling.

      When such individuals would be au fait and/or expert [Subject Matter Expert] in .... well, let us call it in IT, Full Spectrum Cyber Immersion Fields .... will they fully expect/be fully expected to lead an orderly following rather follow any orderly or ordered lead.

      And whenever that is not a question, does IT create A.N.Other Problem and Catch 22 dilemma for their Securing of Sensitive and Secret InterNetional Services?

      1. John 98

        Laptops get lost

        Any sensible security policy is based on the simple fact that laptops get lost or stolen (would you sack people for being mugged or getting off a train at midnight after an extra long day without it?). So yes, asset audits for the physical kit will help, but must be combined with robust encryption and/or restrictions on what get's downloaded. You want to download this secret doc.? OK - why, when are you going to delete it again, who are you etc.? - and it's all logged.

    2. Bilgepipe
      FAIL

      No no no

      No no, the process is to identify /where they all are/ once a year. For example:

      "Where are these 35 laptops?"

      "Missing."

      "Oh, okay. See you next year."

      What can possibly go wrong?

  2. Anonymous Coward
    Paris Hilton

    Mugs

    Well that'll put the price up on ebay

  3. Anonymous Coward
    Big Brother

    Very un-Spooks

    An annual check on their location? You mean they are not equipped with GPS transceivers giving a second-by-second account of their whereabouts?

    "its sat on the desk. Its sat on the desk .... its in the GCHQ gents accessing pr0n".

    They need to speak to the BBC special effects department ....

    1. Disco-Legend-Zeke

      They Should Take Lessons...

      ...from Lower Merion School District.

      Though bedroom snaps of security wa^Honks might cross some line.

  4. Ian 62
    FAIL

    Learn from everyone else?

    In a previous lives, wearing different colours of boilersuits, I think every place I've worked at already did this.

    Either they did an IT audit each year, to find out who had lost what kit so that the IT budget could claw back some money from the department budget.

    Or, they rolled it into the PAT process. While youre checking that plug, Mr Sparks.. Take a note of what bit of kit it's attached to.

    Is this just a side effect of the civil service? No one watches the profit/loss book.. So they dont care about 'loss/lost'?

  5. Anonymous Coward
    Stop

    I have an idea

    What about employees being fined from their salary every time they lose official equipment?

    Or even better, they could hire a big burly man who owns a stick that has a nail hammered through it. Anyone who loses equipment would be granted the opportunity to be beaten in the basement until they promised never to do it again.

    Most employers I have had would react very unfavourably to the loss of a laptop - probably with a sacking...

    1. Anonymous Coward
      Stop

      No way

      I have yet to encounter an employer who would terminate for a lost laptop. Stiff talking to, maybe a salary deduction. Who are you taking about?

  6. The Original Ash

    Deterrant

    Set the identifying details of the OS to be the person who has the laptop at the time. Any loss occurs, that person is immediately outed as working for GCHQ and has to abandon their current life in the interest of self preservation.

    If releases of information from government departments can result in loss of liberty for UK citizens (DVLA & child benefits data losses anyone?) then the person who lost it can be part of those harmed. Maybe then they'll take extra care.

    1. Anonymous Coward
      Thumb Down

      you are under the illusion that..

      you can even start the OS on of these missing laptops. In actuality you wouldn't even get past the first screen, let alone find out whose laptop it was (or even what was on it). Do more research into government disk encryption standards for protectively marked material to see what I mean.

      1. Anonymous Coward
        Alert

        @AC 15:50

        Who said anything about starting the OS?

        Remove the HDD and use a standard cloning process. Put the disk back and no-one would know any different. Then at your leisure, use one of the many forensic tools to examine the clone. Data recovery and forensic people do this all the time.

        Can't read the data - not a big problem, there are various tools that can work their way through many forms of encryption. It may take a while but it can be done if you have the patience. Apparently, the Israelis are especially good at this.

        The problem is that government may have the most astonishgly high quality disk encryption standards, but what are the odds that it wasn't applied on one of the missing laptops? Considering that they have very "robust" prcedures to make sure that the laptop doesn't go missing in the first place that have not been used, I would bet not particularly high!

        1. The Other Steve

          Approximately

          "but what are the odds that it wasn't applied on one of the missing laptops?"

          ~0, this is GCHQ you're talking about.

        2. This post has been deleted by its author

        3. Mark Fawcett
          FAIL

          Fail

          "Remove the HDD and use a standard cloning process. Put the disk back and no-one would know any different."

          And you would defeat the high-security tamper-evident seals how exactly?

          "Can't read the data - not a big problem, there are various tools that can work their way through many forms of encryption. It may take a while but it can be done if you have the patience."

          Yes, and do you really think a GCHQ system rated to hold TS material would really use one of those forms of encryption? Yep, you'd be able to break it, probably after 30+ years or so, assuming you had access to government levels of crypt-analysis processing grunt...

          Cheers

          Mark

  7. Anonymous Coward
    Anonymous Coward

    Trouble recruiting? No way

    My word, struggling to recruit people? When the starting salary is 17,000 pounds?! shock horror, I don't know what the problem is...

  8. Red Bren
    Big Brother

    "Struggles to recruit net experts"

    Has the desire to know every miniscule detail about every person in the UK started to backfire on GCHQ and the Intelligence Services?

    Senior Spook A : "Why haven't you filled this vacancy for a junior spook?"

    Spook B : "None of the candidates were suitable sir."

    Spook A : "But there were hundreds of applicants! They can't all be unsuitable?"

    Spook B: "Candidate 1 used to be a Hunt Sab, Candidate 2 downloads extreme pr0n, Candidate 3 votes Lib Dem, Candidate 4 once stood near an anti-war protester..."

    Pretty much everyone has an embarrassing secret or two. When the state knows them all, how can it recruit anyone?

    1. The Other Steve
      Big Brother

      Murky past

      AIUI, it's not so much whether the vetters know your murky secrets, but whether you are prepared to cough to them, which means that if you forget to mention one that they do know about, they'll bounce you.

      Plus see ACs comment below about pernickety verifiable history. But then again, it's GCHQ, and they take their vetting process extremely seriously, so much so that if you have already been positively vetted, they'll do a refresh before you even get through the door.

      Makes it a pisser for them to get contractors in, or so I hear.

    2. Anonymous Coward
      Anonymous Coward

      Having skeletons in the closet

      When you apply for developed vetting, it is quite correct that the vetting process is very intrusive, however, having a few secrets, perhaps someone likes to dress up in women's clothing, it isn't necessarily, automatically a bar to employment.

      I think mainly, the interviewers are looking for things which for which you can be blackmailed. Years ago, I'd have said that if you were gay, you wouldn't have stood much of a chance of getting into the security services or defence sector where you would routinely handle information at secret or top secret, being gay used to be something which just wasn't the done thing, it had stigma, it was looked down upon and even at some time in the past was illegal.

      So being gay in those times would have meant you were a good candidate to be blackmailed by the Russians.

      In modern times, I doubt that being gay is so much of an issue in the intelligence/military arena, particurlarly if the person is already 'out' and it's common knowledge that the person gay, attempting to blackmail them then, isn't likely to be effective.

      1. asiaseen

        Lots of years ago

        being gay was a guarantee of getting in to the spook business. Burgess? Maclean? Blunt?

  9. Dan 10

    Four new data halls?!

    That's a serious amount of kit they are thinking of running!

  10. Anonymous Coward
    Flame

    I wonder why?

    "the difficulties GCHQ has had in recruiting and retaining skilled internet specialists in sufficient numbers – although specialist recruitment campaigns have been set up to try and address this problem."

    Apart from the piss poor starting salary, would that be because many people have found out that GCHQ treat their lower level staff like crap? Only a vicious rumour of course, one that I have heard from every former employee without fail..!

    What does AmanfromMars smoke? I am aware that English might not be their first language, but their long, rambling and inept mangling of normal written prose is hurting my eyes! It is like having a priest mumbling latin in the background, too annoying to be ignored properly!

  11. Anonymous Coward
    Anonymous Coward

    Trouble recruiting?

    It's more mundane than that even - you can only fail for an error in the paperwork.

    They want to hire people with higher degrees, so you have been living in rented accomodation for 7-8 years. If you can't remember the postcode of a flat you shared for a term as an undergrad you fail.

    I interned with a similar bunch as a student many years ago.

    The security people were out of the 1930s.

    They had no concept of a normal school - they were asking me on whether my 'house master' ever talked about politics. And whether I knew any socialists - this was in a comprehensive in Sheffield in the 80s!

    It was before electronic border records so they wanted to know the exact dates you had ever been out of the country and where you had stayed. In case on a 2 week camping holiday in France as a kid I had been recruited and trained as a KGB spy.

    Even after the wall came down you weren't allowed to visit the FORMER east germany.

    You had to fill in a form if you met or spoke to pretty much any foreigner - in a university!

  12. netean

    protected data

    What this doesn't say was how the data on the HD was protected. I work for a government agency, and all our laptops require a Smartcard to boot, have PGP encrypted hard drives and in new machines TPM support turned on.

    all the laptops do is boot into windows (2000 or xp) and the create once securely connected to our network start up our remote desktop software. No data is stored (or should be stored) on the laptop itself.

    This has been true for... years (at least 5 to my knowledge)

    So whilst it's never great to lose a laptop, I'd imagine that most government departments are similarly security focused and means there's minimal change of data being "recovered".

    1. Anonymous Coward
      FAIL

      "...minimal chance of data being recovered"

      That's assuming the smartcard wasn't in the laptop case along with a post-it note containing the password...

      How many smartcards were lost during the same period? Oh we didn't ask that or we'd lose our plausible deniability defence.

  13. This post has been deleted by its author

  14. Anonymous Coward 3
    Happy

    Re: Total Fail (15.53)

    "i'd rather work for for Microsoft."

    Oh! You bitch!

  15. Anonymous Coward
    Anonymous Coward

    GCHQ Recruitment

    The idea that the people may not be out there is partially a load of bollox.

    I once was interested in working for GCHQ but I realised just how low the salaries would be.

    Shame, I could have had quite an interesting career in the electronics side.

    That's the problem.

  16. Anonymous Coward
    Paris Hilton

    Nicely put AC 16:50!

    It ain't just the data that has gone walkabout it is also the encryption system.

    Who wants the data (see ebay) who wants the UK government encryption system details?

    Mind you, the rate at which these events occur will probably put the bidder price down a bit.

    Once was: compromise a security system = get a new security system in soonest.

    And who knows?

    Maybe the laptops were "lost" at overseas jollies (urm) conferences?

    Maybe in China, USA, Norway, Iceland, ...

    Nice innit?

  17. Anonymous Coward
    Anonymous Coward

    Not surprised

    As a previous GCHQ employee I once passed through security gates showing the guard a sausage roll instead of my ID card.

  18. John Smith 19 Gold badge
    Thumb Down

    Sounds a *bit* too reassuring to me

    Wellllllllllllllll

    We did lose 3 laptops 5 years ago.

    But they all *very* secure and we are sure if there were problems with data leakage we would have heard by now.

    And it can't happen with the new system. No siree.

    Good to know they did *finally* get round to mentioning it to eh "Oversight" committee in the end.

  19. asiaseen

    It has no evidence

    that secret material was compromised...because it has no evidence of where the laptops went.

  20. Anonymous Coward
    Joke

    I thought about GCHQ once...

    ...but then its in Cheltenham.

    It would have been moving from one webbed finger county to another. Gribbit!

  21. Etrien Dautre
    Happy

    oh, what a miss...

    next time, could you please get it lost/hit the target some closer to me? just never seen anything secret from gchq except traffic intercept.

  22. John Smith 19 Gold badge
    Thumb Down

    Precautionary principle?

    They're gone. Asses what's on them and how well it's protected. How fast to crack the security?

    Then consider what they are they going to do about it.

  23. Anonymous Coward
    Anonymous Coward

    @netean

    The question I have for you is, were your laptops categorised as "restricted", or "secret" laptops?

    I imagine not.

    Any latops so categorised are allowed to contain classified information and have the security measures in place to enable that information to be securely held.

    The laptops lost clearly were authorised to hold secret data, would have had the security software in place and quite likely, almost certainly, were holding secret data. I don't think that making an assumption that one agency's department adopts certain procedures that those procedures would be adopted in all agencies.

    For a start, you've stated your agency used PGP, without going in to much detail, that tells me you probably weren't part of MoD. One of the key things about security, is you don't disclose the measures adopted, and that includes software and algorithsm MoD Staff don't know what algorithms are employed, because a) it's kept secret, b) it's centrally controlled. One can't just go an download PGP free from the internet.

    I'm guessing, but I could be wrong, that the data on your laptop wasn't actually protectively marked, but possibly sensitive in that it would be embarrassing if the information got into the public domain (tax records for example), but not sensitive enough such as military secrets.

    1. Anonymous Coward
      Thumb Down

      @RotaCyclic

      "One of the key things about security, is you don't disclose the measures adopted, and that includes software and algorithsm MoD Staff don't know what algorithms are employed, because a) it's kept secret, b) it's centrally controlled"

      Erm..yes they do (assuming they can be bothered)..here's an example of a product and algorithm for MoD Top Secret disk encryption.

      http://www.cesg.gov.uk/find_a/caps/index.cfm?menuSelected=11&displayPage=1111&id=96

      and here's another.

      http://www.cesg.gov.uk/find_a/caps/index.cfm?menuSelected=11&displayPage=1111&id=152

      Hardly 'it's kept secret'..more like 'don't know where to look'.

    2. Anonymous Coward
      Thumb Down

      fyi - PGP

      "..you've stated your agency used PGP, without going in to much detail, that tells me you probably weren't part of MoD"

      PGP is officially a CAPS approved product for baseline..so don't assume anything.

      They may be using it legitimately and in accordance with stds for protectively marked material (albeit not C or above).

      http://www.cesg.gov.uk/find_a/caps/index.cfm?menuSelected=11&displayPage=1111&id=139

  24. Jess--

    a different idea

    cant help wondering how many of these laptops went missing on purpose with misleading information on them.

  25. Anonymous Coward
    Flame

    secure?

    in a secure environment NO laptops, PDAs, smartphones, USB sticks or phones etc are allowed to enter/leave the main premises. employees leave their in lockers on the outside of the checkin barrier.

  26. Ascylto
    FAIL

    And ...

    They want us to have

    ID CARDS!

    Hah, ha, ha, ha .....................

  27. This post has been deleted by its author

This topic is closed for new posts.

Other stories you might like