Monday, 9 November 2009

Government says no to encryption

I feel the need to rant again because of the stupidity endemic in our current government. I don't think it is a political disagreement, just another example of incompetence. This article here relates how information obtained from RIPA (the Regulation of Investigatory Powers) does not require encryption as it is handled and passed around. According to our government, who of course excel in every area of IT, it would be "impractical" to require this burden and the existing systems of "physical security", "security procedures", "staff vetting" and "training" are considered suitable for the job.
This again clearly demonstrates that the government have no idea what they are talking about. Most security leaks appear to be related to a common theme: humans make mistakes. They leave stuff lying around, they get their properties burgled, things get dropped or mislaid, and criminals who want this information often obtain it without any input from employees of these systems, in which cases none of the so-called adequate measures does anything. The only way to prevent accidental disclosure of information is to make it exceedingly hard to do (i.e. encryption or inability to move the data outside of a closed network). People disobey procedures to save themselves time, they often ignore the fit-for-purpose hardware and transport stuff around in the Demilitarised Zone, and as for staff training and vetting, it doesn't really add security; it is a small and cheap operation that actually adds very little benefit.
They also miss an important point: encryption is actually extremely simple, even using free tools. Even if what they used was not US Military Spec, it would be better than nothing!
Maybe one day the government will employ someone who actually knows about the departments they are managing. I won't hold my breath!
