Real World Computing

The Government's laughable security strategy

Posted on 29 Mar 2010 at 16:49

Davey Winder despairs of the Government's repeated security blunders - and offers a few obvious tips

The concept isn’t particularly difficult to grasp: sensitive and confidential data with a restricted classification should never have been put on a USB stick and carried around in a trouser pocket or briefcase in the first place.

I fully appreciate that if this particular data had been encrypted its loss would never have been discovered, because whoever picked up the Memory Stick would most likely have reformatted it and used it for something else instead of first trying to sell it to a newspaper then turning it in to the police.

But merely encrypting your data and believing that you’ve thereby made everything secure is rather like believing that turning off the stopcock is a fix for the leak in your water pipe.

To be sure, I think that encrypting all your data is a common-sense precaution, but that needs to be viewed within a broader context and as part of a more mature strategy.

Whenever data is moved between government departments, the transfer should form part of an end-to-end encrypted process, but that data should only be moved via the most secure of transport media, and I don’t believe that a USB Memory Stick falls into that category.

The Government seems to have learned almost nothing since the very public fiasco of the data CDs containing the banking details of some 25 million child-benefit claimants that were lost in the post a couple of years ago.

Surely it isn’t asking too much to expect those who maintain government data to realise that the safest place to keep it is the server where it lives (and where it’s hopefully firewalled up the wazoo)? Surely the sensible security strategy would be not to move the data at all, at least not physically, but just to enable strictly vetted remote access to that server instead?

You may be tempted to think that there really is no need, that these examples of government slip-ups are few and far between and nothing to worry about in the overall scheme of things – but could I bring to your attention yet another recent security blunder?

The Ministry of Defence has launched an investigation into a laptop with “secret data” that’s been stolen from its Whitehall headquarters. These files were, I’m led to believe, fully encrypted – so why bring it up at all?

Because, yet again, it highlights that governmental security strategy is like Swiss cheese: smelly and full of holes. You see, the thieves got away not only with the laptop, but also with the hardware token or key used to decrypt the files.

When I told my wife – a former ballet dancer, and no security expert – about this, she immediately observed that keeping the key with the lock is rather stupid. Next, someone will be revealing that Whitehall security mandarins stick their passwords on Post-it notes on their monitors (as if anyone would do that).


User comments

Governments

of all political shades seem to exist to offer "care in the community" for the congenitally incompetent who wouldn't be able to find employment anywhere else.

By Lacrobat on 30 Mar 2010

Couple of things

First off there is an assumption here that this data wasn't in fact leaked and made into an outcry for a reason.

Secondly the solution proposed in the article is little more secure than the use of the USB stick.

Most of the information lost can be had from the phone book, library and DVLA.

By Gindylow on 1 Apr 2010

Huh?

What's the point of leaking data that can be found in "the phone book, library and DVLA"?

By mnj_lim on 5 Apr 2010

many govt depts ARE security conscious

I know of several less high profile govt departments that encrypt all drives, force insert of passcards to login and lock down pcs to all but authorised accessories like specific encrypted usb drives. These restrictions should apply to all employees but I suspect that those at senior levels and their advisors are the ones who are losing data - they actually think it doesn't apply to them, that they know what they are doing... Darling, where's that pen drive, I know I had it earlier...

By Rahere on 29 Apr 2010


PCPro-Computing in the Real World Printed from www.pcpro.co.uk
