Tuesday, 01/16/2007 10:41:32 PM
Govt IT employee comments on FDE and developing policy:

From Bruce Schneier's blog; scroll down to the bottom:

http://www.schneier.com/blog/archives/2007/01/us_government_t.html


I am a GOVie implementing an in-house answer to the whole-disk encryption requirement list. Bear in mind that my opinions posted here are not spoken on behalf of my employer :).

I appreciate your insight into the technical deficiencies of the requirements list.

I guess I should explain our intentions. It's been said that no solution offers 100% coverage. This is especially true where physical access to a machine can be gained by an adversary (as in a laptop's hard disk). What we're trying to do is minimize the risk.

I think you're running into the classic butting heads of policy versus reality. Policy states that our secure laptops are not to be carried in the same container as our CAC. Policy also states that our CAC PIN is not to be written down (let alone written down and taped onto our CAC).

Reality dictates that there are probably violators out there, true. The risk is minimized through policy, though. The intersection of people that carry their laptops and CACs in the same container is very small. The intersection of that small group with people that write their PIN on their CAC is even smaller. The intersection of this very, very small group with people whose laptops get stolen is hopefully 0, or somewhere very close to it. Further, the intersection of those stolen laptops with thieves that care about the CAC + PIN is even smaller -- they're probably most interested in the value of the machine. This is what I mean by risk minimization. It's still possible for someone to get the laptop + CAC + PIN, but the chances of them doing this successfully and knowing what they've got are very, very, very, (did I mention very?) small, because most .GOV workers follow policy.

It's true that an adversary could print up a fake CAC with a custom applet on it that grabs the user's PIN. The user will know something is up, though: they won't be able to sign in to the laptop, they won't be able to VPN back to home base, etc., because the fake CAC won't have their key in its private memory. They'll call their help desk (hopefully) and their CAC will be determined dead, it will be revoked, and added to the certificate revocation list. A new card will be issued, with a new PIN. It's hard for a laptop's disk encryption scheme to actually obey the CRL, as it has to decrypt the hard disk before OS services are available, so the adversary could still steal the laptop and use the original CAC to decrypt it, I suppose. Of course, the adversary could also rig up a custom laptop with a custom CCID reader and custom CAC, and leave the old CAC plugged in somewhere, allowing the new laptop to do a kind of man-in-the-middle...

Still, anyone capable of performing this type of "fake CAC" feat has significant resources behind them. They aren't your common thief; they likely know what they're trying to get (nation-state actor or something like it). Laptop hard disk encryption is not meant to protect against this kind of adversary. Data that must be protected against this kind of adversary should be classified at a sufficient level, as in SECRET or above (technically the classification is a measure of damage that the data could do to the US if it is leaked, but if a resourceful actor is attempting to gain the data, it is highly probable that this is the case). Classified data is not allowed on a laptop used in an unclassified environment (e.g. outside of a classified facility, like your home or Starbucks). In order for such an actor to gain access to such a device, they would have to have a security clearance, would have to get past armed guards, etc. Insider threat and armed enemy combatants are also threats that this solution is not meant to protect against.

A different variety of safeguards is put into place on machines with classified data. The protection provided is commensurate with the security classification of the data on the device. Laptop disk encryption is meant for unclassified data, where harm will not cause significant damage to operations of the US government. As such, it does not require the more stringent safeguards, and disk encryption should suffice.

I hope this provides a little more insight into the rationale behind the list, and I hope that it dispels the idea that we're trying for a total solution. We recognize the problems; we're just trying to make it very unlikely for petty theft à la the VA laptop case to put unclassified but "for official use" data at risk in the future.

Cheers, and thanks for the input,
Reid
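The comment above notes that pre-boot disk decryption cannot consult a CRL, so a revoked CAC still unlocks the disk. The added example below (my own toy model, not code from the post, Schneier's blog, or any government implementation) shows why: the laptop stores only a wrapped volume key, so whatever card can unwrap it gets in, and the practical mitigation is to re-wrap the volume key under the replacement card when it is issued. `ToyCAC`, `PreBootUnlocker`, `os_login_allowed` and the HMAC/XOR wrapping are all simplifications assumed here (a real card uses RSA/ECC key unwrap and a real FDE product uses an authenticated key wrap).

```python
import hashlib
import hmac
import secrets


class ToyCAC:
    """Toy model of a PIN-protected smart card: the secret never leaves the card."""

    def __init__(self, serial: str, pin: str):
        self.serial = serial
        self._pin = pin
        self._secret = secrets.token_bytes(32)

    def derive_kek(self, pin: str, challenge: bytes) -> bytes:
        # Card-side derivation of a key-encryption key; a wrong PIN yields nothing.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("bad PIN")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    # Toy 32-byte key wrap; stands in for AES key wrap in a real product.
    return bytes(x ^ y for x, y in zip(a, b))


class PreBootUnlocker:
    """Laptop side: stores only a challenge, the wrapped volume key and a verifier.
    No CRL is consulted: pre-boot has no network, so any card that unwraps unlocks."""

    def __init__(self, card: ToyCAC, pin: str, vmk: bytes):
        self._verifier = hashlib.sha256(vmk).digest()
        self.rekey(vmk, card, pin)

    def rekey(self, vmk: bytes, card: ToyCAC, pin: str) -> None:
        # Re-wrap the volume key under the (new) card; the previous wrap is discarded,
        # which is what actually locks out a revoked card.
        challenge = secrets.token_bytes(32)
        self._slot = (challenge, _xor(vmk, card.derive_kek(pin, challenge)))

    def unlock(self, card: ToyCAC, pin: str):
        challenge, wrapped = self._slot
        try:
            vmk = _xor(wrapped, card.derive_kek(pin, challenge))
        except PermissionError:
            return None
        return vmk if hmac.compare_digest(hashlib.sha256(vmk).digest(), self._verifier) else None


def os_login_allowed(card: ToyCAC, crl: set) -> bool:
    # OS-level services (login, VPN) can check revocation; pre-boot unlock cannot.
    return card.serial not in crl
```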
