By Michael Arnone
Oct. 10, 2005
Justice Department field agents and analysts are keeping classified
information secure by using their wits and their training - and by
carrying two laptop computers each. One is strictly for processing
classified data. The other is for handling unclassified data and using
unclassified applications, such as word processors and Web browsers.
Justice employees use the decades-old setup to prevent the accidental
shift of classified information to an unclassified environment or the
Internet. It works, but it's bulky and inconvenient.
Justice's Office of the Inspector General investigated how the
department uses laptops to process classified information. At the
suggestion of the department's information technology and security
staff, the IG also evaluated governmentwide policy on IT security
certification for all computer systems.
Justice increasingly relies on laptops to process classified
information. But the department's rules governing those resources do
not encourage "innovative practices to improve the use of portable
computers for processing classified information while adequately
safeguarding classified information," the IG's office concluded in a
The report states that Justice's chief information officer should
alter Standard 1.6, which dictates the departmentwide IT security
management controls for all desktop and laptop computers that handle
classified information. The IG said the rules should allow the
creation of new, accredited computer configurations that permit the
introduction of security-enhancing safeguards.
Some of the recommendations the report suggests aren't new, such as
encrypting data and limiting the data kept on classified hard drives.
But others would be new for Justice, including the use of small
removable hard drives.
"The use of removable hard drives that can process both unclassified
and classified information in the same computer shell is an area that
the department should consider," the report states. Justice should
consider authorizing the use of removable hard drives and developing
appropriate security policies for them, it adds.
Justice organizations are open to the idea of using removable hard
drives, but some worry that employees might not always follow security
procedures. IT security experts don't agree on whether the
recommendations would help or damage the security of Justice's
A pocket-sized solution
The policy recommendation on removable hard drives is the IG's
principal improvement to Justice's management of classified
information on laptops. Measuring roughly 2 inches by 3 inches, each
drive weighs about 2 ounces and fits into the Type II PC card slots
found on most laptops.
Justice's IG consulted the CIA, the National Security Agency, the
Defense Department's National Reconnaissance Office and the Energy
Department about their policies on removable hard drives. The first
three agencies use laptops with two removable hard drives, one each
for classified and unclassified information.
NSA officials told the IG's office that a computer's shell does not
retain data once users remove the hard drive, adding that no data
remains in the computer's RAM when users turn the machine off. Thus,
Standard 1.6 should state that the shell of the computer becomes
unclassified when someone removes the classified hard drive, according
to the report.
In addition to halving the number of laptops that Justice employees
must carry to handle classified information, removable hard drives
would provide a number of benefits, the report states. For example,
storing classified data would be easier.
Justice policies require computers that handle classified data to be
double-wrapped in paper to show tampering, the report states. Users
must unhook all peripheral devices and place the computer in a
specially designed, secure container when they are not using the
computers. All devices that could possibly store classified
information must have warning labels on them stating so.
If the department used removable hard drives, only the drives would
have to be double-wrapped instead of the whole laptop. That
arrangement would improve security, the IG's office said, because the
small drives are easier to secure and are less conspicuous than
Removable hard drives would also save Justice money because the drives
are cheaper than new computers, according to the report. The IG's
office shopped for 5G drives and found at least two manufacturers that
sell models for less than $200. The drives could hold a multiuser
operating system, application software and 4.1G of memory.
For roughly $400 per user, the report states, "this computer
configuration would allow both unclassified and classified information
processing on the same computer."
The IG office asked three Justice organizations =97 the Drug Enforcement
Administration, the FBI and the Executive Office for U.S. Attorneys
(EOUSA) =97 whether they authorize their employees to use separate hard
drives, and if not, whether they would consider doing so.
None of those agencies authorizes the use of removable hard drives,
the report states. The FBI said the idea has merit, but it would have
to evaluate the specifics through the certification and accreditation
process. EOUSA expressed interest in pursuing the idea as long as
employees understood the security requirements. The DEA had a mixed
reaction, saying that the idea could save money, but the risk of
failing to switch hard drives when necessary could outweigh those
Paul Martin, Justice's deputy IG, said the report speaks for itself
and declined to comment.
IT security experts have mixed opinions about the IG's
recommendations. Bruce Schneier, chief technology officer at
Counterpane Internet Security, said the report was well-conceived. He
liked the idea of removable hard drives and the suggestion to install
tracking devices in laptops to help find lost and stolen computers.
Peter Lindstrom, research director at Spire Security, had more
reservations about the report's implications. "I don't see a clear
positive or negative impact on security at all, but it seems to have a
pretty positive impact on costs - and on [Justice employees']
shoulders as well because they only have to carry one laptop," he
Schneier and Lindstrom said they were amazed that Justice had not
already made such changes. Lindstrom said he was disappointed that
Justice didn't think of the idea on its own.
The department is starting to understand that its employees need to do
both classified and unclassified work on their computers, Schneier
said. But if those recommendations are an improvement, he added, "it
must be an absolute mess out there."
Frying pan to fire?
Lindstrom and Schneier disagree on whether removable hard drives
present a definite security improvement or add as many problems as
Because it's so easy to make a mistake, "maintaining two sets of
policies, switching back and forth, is a losing proposition over
time," Lindstrom said. "I'm not sure that a user in the normal course
of business would shift back and forth between their behavior around
classified and unclassified information. You're better off configuring
the system to force that behavior."
Schneier disagreed, saying a hardware solution is the best solution
because hardware is more reliably secure than software. That's why
Justice's current system of securing and storing classified
information has worked so well for decades, he said.
"The best way to make sure classified information doesn't get taken
out of the building is not to take it out of the building" and keep it
locked in a safe when not in use, Schneier said.
Schneier said running two removable hard drives with separate
operating systems and applications on the same computer shell is a
great idea, especially if Justice follows the IG's suggestion to bar
access to unclassified information and the Internet while the
classified drive is in use.
"That's the best separation you can do," Schneier said. "You might as
well share a screen, keyboard and CPU."
Schneier said he wondered whether laptops enabled for such
configurations are available and how much they cost. He could see
Justice's proposed practices spreading to DOD and other countries.
On the other hand, Lindstrom isn't sold on the idea of two hard
drives. To make the system work, Justice would presumably have to buy
laptops that don't have hard drives, he said. That would force users
to use the security settings on each removable drive. But if the
removable drives supplemented the laptop's drive, users could
accidentally transfer classified information to the unprotected drive,
"As soon as you mount drives at the same time, the fact that they are
physical devices doesn't matter anymore" because the two are logically
connected, Lindstrom said. That gives attackers ways to crack the
unclassified applications to access the classified drive.
Logical security is the best way to protect data, Lindstrom said.
Justice could encrypt all data and set up a host intrusion- prevention
system and digital rights management system, he said. Instead of
worrying about where to put data, the department should protect its
data regardless of its location, Lindstrom said.
By using only one hard drive with adequate security protections,
Lindstrom said, Justice could potentially save even more money by not
implementing the IG's recommendations.
8 ways to improve security
The Justice Department's inspector general has suggested the following
eight changes for improving the security of laptop PCs that process
1. Alter Standard 1.6 - the departmentwide security management
controls for all desktop and laptop machines that store, process or
transmit national security information - to allow the creation of
new accredited computer configurations that permit the introduction
of security-enhancing safeguards.
2. Consider using removable hard drives and define them as
classifiable devices rather than the computer shell on which users
process data. Justice should create appropriate security policies
3. Modify user profiles to forbid access to unclassified hard drives
and the Internet when using a classified drive.
4. Change Standard 1.6 to support mandatory encryption of classified
5. Keep only a minimal amount of classified data on hard drives, in
accordance with National Security Agency practices.
6. Develop a warning system to alert systems administrators if a
computer processing classified information connects to the
7. Install tracking devices in laptop PCs to more easily locate lost
or stolen computers.
8. Create new labels for computers that process both classified and
- Michael Arnone
InfoSec News v2.0 - Coming Soon!