[ISN] Hundreds of Laptops Missing at State Department, Audit Finds

From: InfoSec News (alerts@private)
Date: Tue May 06 2008 - 01:36:52 PDT


http://www.cqpolitics.com/wmspage.cfm?docID=hsnews-000002716318

By Jeff Stein
CQ National Security Editor
May 2, 2008

Hundreds of employee laptops are unaccounted for at the U.S. Department 
of State, which conducts delicate, often secret, diplomatic relations 
with foreign countries, an internal audit has found.

As many as 400 of the unaccounted for laptops belong to the department’s 
Anti-Terrorism Assistance Program, according to officials familiar with 
the findings.

The program provides counterterrorism training and equipment, including 
laptops, to foreign police, intelligence and security forces.

Ironically, the Anti-Terrorism Assistance Program is administered by the 
State Department’s Bureau of Diplomatic Security (DS), which is 
responsible for the security of the department’s computer networks and 
sensitive equipment, including laptops, among other duties. It also 
protects foreign diplomats during visits here.

DS officials have been urgently dispatching vans around the bureau’s 
Washington-area offices to collect and register employee laptops, said 
department sources who could not speak on the record for fear of being 
fired.

The inventory sometimes strips DS investigators of their laptops for 
“days, or weeks,” they said.

The State Department’s Inspector General launched an audit of the 
equipment about three months ago. Only the first stage, or inventory of 
equipment, has been completed.

A State Department official referred all questions regarding laptop 
losses to the Inspector General.

A senior IG official, asking not to be identified, said he could “not 
comment on ongoing work.”

Nita M. Lowey, D-N.Y., who heads a House Appropriations subcommittee 
that oversees State Department operations, said she was concerned about 
the security revelations.

“The importance of safeguarding official laptops and office equipment 
containing sensitive information is not a new concern,” she said through 
a spokesman. “I intend to review the facts about this situation.”

“Unaccounted for” does not necessarily mean the laptops have been lost. 
But they are “missing” until they have been found or otherwise accounted 
for.

Auditors found that the department had lost track of $30 million worth 
of equipment, according to one official, “the vast majority of which . . . 
perhaps as much as 99 per cent,” was laptops.

Calculating that the average State Department laptop costs $3,000, 
another official said, hundreds, perhaps as many as a thousand, were 
missing. It could not be learned how many employees have been issued 
laptops.

On Feb. 6, the department’s Senior Assessment Team gathered at the State 
Department headquarters in Foggy Bottom to discuss the security of 
“personal identification information.”

The department’s official in charge of computer equipment, John 
Streufert, warned the more than two dozen officials present that the 
department did not have good records of its inventory.

A “significant deficiency” relating to laptops existed, Streufert said, 
according to a source who attended the meeting.

Mark Duda, a representative of the Inspector General’s office at the 
meeting, warned the managers that they needed to get on top of the 
equipment issue before it “blows up.” He said a scandal loomed akin to 
the one that engulfed the Veterans Administration in 2006, when news 
broke that a VA official had taken home a laptop with the personal 
records of 26 million veterans, where it was stolen.

The official who chaired the meeting, Christopher Flaggs, the 
department’s deputy chief financial officer, also warned that revelation 
of the laptop losses could develop into a “material weakness,” an 
accounting term-of-art that essentially means inventories are out of 
control.

“It’s the worst flaw you can have in management control,” one close 
observer of the State Department’s problems said.

It would have to alert the White House Office of Management and Budget 
(OMB) and Congress. There could be hearings, headlines, camera crews on 
the doorstep of State Department officials.

That’s what happened in 1999, when a laptop containing the names of 
foreign agents working for the U.S. government was stolen from the State 
Department.

The security of laptops has vexed federal officials, as well as private 
industry, for years. The CIA, FBI and other national security agencies 
have all lost significant numbers of laptops containing sensitive 
information.

More than a year ago, the administration’s Identity Theft Task Force 
warned of security vulnerabilities within the government’s Internet 
technology systems.

In May 2007, OMB had ordered all federal departments and agencies to 
“develop and implement a breach notification policy within 120 days.”

Hints of the State Department’s laptop losses first surfaced March 31 in 
an anonymous post at an obscure Web site frequented by employees of the 
Bureau of Diplomatic Security, called Dead Men Working.

“We’re not talking about a missing laptop or two,” said a poster who 
identified himself as “Steve.”

“A Department-wide audit found hundreds of laptops unaccounted for and 
identified DS, now rushing to close the barn door before the scandal 
really breaks, as having the laxest control of any bureau in the 
agency,” Steve wrote.

John Naland, a retired diplomat who is president of the American Foreign 
Service Association, said the alleged losses were worrisome, and 
perplexing.

“If the missing ones might have contained classified data, this could be 
serious,” Naland said.

“At my last overseas post, we did not have any laptops,” Naland 
continued. “But we sure did an annual serial number physical inventory 
of computers. Sometimes our initial count came up with discrepancies, 
but then we remembered that we returned one to Washington or whatever 
and that cleared up the paperwork discrepancy.”

CQ © 2007 All Rights Reserved | Congressional Quarterly Inc. 1255 22nd 
Street N.W. Washington, D.C. 20037 | 202-419-8500


