Laptop security needs to be a priority, officials say

With three occurrences of laptops containing sensitive data stolen from federal agencies in two years, the problem of laptop security deserves more attention, according to federal information technology experts. On July 17, Thomas Pickard, the acting director of the Federal Bureau of Investigation, disclosed that 184 of the bureau's laptops were missing. At least one and possibly as many as four of the laptops contained classified information. Over the past two years, the Departments of Energy and State have made similar admissions. "We have not addressed this as a policy issue governmentwide," said John Gilligan, deputy chief information officer of the Air Force, co-chair of the federal CIO Council's Subcommittee on Security, Privacy and Critical Infrastructure. "There needs to be an oversight process." In January 2000, the State Department disclosed that a classified laptop loaded with information about arms control was missing from a conference room. The ensuing furor resulted in an FBI investigation and the firing of two high-level diplomats. A subsequent audit of the department's laptops revealed that while all of its 60 remaining laptops were accounted for, 15 of its 1,913 unclassified laptops were missing. "Today's technology enables laptop computers to store vast amounts of information," wrote David Carpenter, the assistant secretary of the Bureau of Diplomatic Security and director of the Office of Foreign Missions at State, in an internal memo dated May 18, 2000, which outlined the department's laptop security concerns. He reminded State employees that "classified laptop computers, or their removable hard drives, must be protected in the same manner as other classified items." This means classified laptops are "only authorized for use in controlled access areas where classified operations occur." He also cautioned other laptop users: "[Sensitive but unclassified] laptops also require physical protection and laptop users should always consider where laptops are taken, used and stored." On May 31, 2000, Energy Department scientists at the Los Alamos National Laboratory in New Mexico reported the disappearance of two computer hard drives filled with classified information on weapons of mass destruction. The hard drives were designed to be inserted into laptops used by the mobile Nuclear Emergency Search Team (NEST) when disarming nuclear weapons. The hard drives were discovered two weeks later in the team's office, lodged behind a copy machine. Gilligan, Energy's CIO at the time, said the department learned from its scare. Securing classified data on laptops begins with encryption, he said. "For classified information you need very strong encryption of everything on a computer," he said. "This means you literally encrypt everything on a hard drive." Gilligan said all agency-specific information is sensitive and urged agencies to consider encryption for all laptops containing sensitive data.