U.S. Government to Encrypt All Laptops
This is a good idea:
To address the issue of data leaks of the kind we’ve seen so often in the last year because of stolen or missing laptops, writes Saqib Ali, the Feds are planning to use Full Disk Encryption (FDE) on all Government-owned computers.
“On June 23, 2006 a Presidential Mandate was put in place requiring all agency laptops to fully encrypt data on the HDD. The U.S. Government is currently conducting the largest single side-by-side comparison and competition for the selection of a Full Disk Encryption product. The selected product will be deployed on Millions of computers in the U.S. federal government space. This implementation will end up being the largest single implementation ever, and all of the information regarding the competition is in the public domain. The evaluation will come to an end in 90 days. You can view all the vendors competing and list of requirements.”
Certainly, encrypting everything is overkill, but it’s much easier than figuring out what to encrypt and what not to. And I really like that there is an open competition to choose which encryption program to use. It’s certainly a high-stakes competition among the vendors, but one that is likely to improve the security of all products. I’ve long said that one of the best things the government can do to improve computer security is to use its vast purchasing power to pressure vendors to improve their security. I would expect the winner to make a lot of sales outside of the contract, and for the losers to correct their deficiencies so they’ll do better next time.
Side note: Key escrow is a requirement, something that makes sense in a government or corporate application:
Capable of secure escrow and recovery of the symetric [sic] encryption key
I wonder if the NSA is involved in the evaluation at all, and if its analysis will be made public.
McGavin • January 3, 2007 2:10 PM
“I wonder if the NSA is involved in the evaluation at all, and if its analysis will be made public.”
Probably for the former question.
Probably not the full story for the latter question. Not to protect the vendors, but to protect the techniques used to find the problems.