The U.S. State Department said this week that the U.S. Federal Bureau of Investigation is leading an investigation into the disappearance two months ago of a State Department laptop computer that might have contained classified information. A department spokeswoman could not confirm whether any sensitive data that might have been stored on the missing laptop was encrypted.
According to the spokeswoman, State Department regulations prohibit processing classified information on computers that are not designed to handle sensitive data. But she could not confirm that the policies cover the encryption of specific files.
Last month, a laptop containing sensitive data about Northern Ireland was stolen from an agent of Britain's MI5 internal security bureau while he was buying a train ticket at London's Paddington station. The machine was never recovered, but the information it contained was understood to be heavily encrypted and believed to be secure.
In the U.S. case, the laptop was reported missing from the State Department's Bureau of Intelligence and Research. The bureau, which handles highly classified reports, was criticized last year by the department's inspector general for lax handling of "sensitive compartmented information" that the laptop reportedly held.
In response to this and other recent security breaches at the department, Secretary of State Madeleine Albright asked the Assistant Secretary for Diplomatic Security (DS), David Carpenter, to conduct a thorough review of security at the department. Carpenter has put together a team of senior security experts from various government agencies. The review, which began in March, is expected to be completed shortly.
"The safeguarding of sensitive information is the personal responsibility of every employee in the bureau," said State Department spokesman James Rubin in a statement on Monday. "It is crucially important to U.S. national security that our employees take this responsibility and take the necessary steps to protect the information."
The spokeswoman added that the DS information security staff is currently conducting a training and awareness program throughout the State Department. She noted that each office in the department assigns a staff member to serve as a unit security officer to ensure security policies are observed.
"We are committed to improving our security," said the spokeswoman. "As there is a possibility that classified information may have been compromised, this matter is now the subject of a joint FBI and DS investigation."
"The missing laptop is the latest in a long string of security failures at the State Department," said Rep. Benjamin Gilman (R-N.Y.), who heads the House International Relations Committee, in a statement on Monday. "It is obvious that the department lacks a professional environment that is sensitive to security concerns."
Gilman was referring to a number of recent security breaches. Last year, for example, FBI agents found a Russian diplomat, who they believe was a spy, inside the State Department. They also discovered a listening device in a conference room that the man may have been monitoring.
"Such security lapses are not acceptable," said Gilman, who says he will hold hearings next month to probe the department's security. "Whatever changes are necessary at the State Department to better protect our nation's secrets should be undertaken."
Arjen K. Lenstra, a cryptographer and vice president of the emerging technology group at Citibank Corp., said he believes most people at the State Department do not encrypt data on their laptops because it is a cumbersome process. He said he was uncertain about Citibank's official policy on laptop encryption, but noted that employees are encouraged not to let the machines out of their sight.
"Laptops are stolen all over the place, it is a risky business," said Lenstra. "I keep my laptop at home - it's too insecure to travel with."
Lenstra noted that passwords that keep thieves from accessing a computer hard disk are easily broken, and a thief can also remove the hard disk to access the data later. Even if the data is encrypted, Lenstra pointed out, most people select short, obvious passwords that can be cracked by password programs. "Users always make this stuff insecure," he said.
Lenstra added that only people using long passwords have a chance of keeping the data secure, but Microsoft Windows systems do not support the generation of long passwords.
"Unless the data is encrypted on the disk with a strong password," said Lenstra, "there is no way you can protect yourself."