Lots of excuses, little use of encryption on government mobile computers

Generally available encryption technologies could help some notoriously data-leaky federal agencies protect sensitive information - if they used it.

Of the 24 major federal agencies that watchdogs at the Government Accountability Office reviewed through September 2007, 70% had not yet installed encryption software on the laptops and hand-held mobile computers where such security technology could do the most good. Further, the GAO said that at the six agencies that had employed encryption, implementation was weak, and procedures for managing the technology and training personnel in the proper use of the installed encryption products were lacking. Not a pretty picture.

As a result of these weaknesses, federal information such as medical records, Social Security numbers and other personal data may remain at increased risk of unauthorized disclosure, loss, and modification, the GAO concluded.

Keep in mind, though, that federal regulations do not require agencies to deploy encryption to keep data secure; but, as the GAO stated, federal agencies are responsible for safeguarding that data in the best ways possible.

There are indeed laws and regulations defining information security controls for federal agency information and information systems, and other laws frame practices for protecting specific types of sensitive information. The Office of Management and Budget is responsible for establishing government-wide policies and for providing guidance to agencies on how to implement the provisions of the Federal Information Security Management Act (FISMA), the Privacy Act, and other federal information security and privacy laws.

The need for encryption, and for stronger security in general, is growing nonetheless: the number of security incidents federal agencies reported to the US Computer Emergency Readiness Team (US-CERT) has risen dramatically over the past three years, from 3,634 in fiscal year 2005 to 13,029 in fiscal year 2007 (about a 259% increase). The GAO pointed to three breaches of sensitive data as examples of what is at stake:

  • Department of Defense: In February 2008, a laptop computer containing personally identifiable information for as many as 4,000 participants in the Marine Corps community services' New Parent Support Program was stolen.
  • Department of Energy: In December 2007, a hacker gained access to an Energy computer by embedding a program in an e-mail sent to staff; the program let the hacker copy and retrieve information.
  • Transportation Security Administration: In May 2007, an external hard drive discovered missing from a controlled area at the agency's headquarters human capital office contained personal data from 100,000 archived employment records of individuals employed by the agency from January 2002 to August 2005.

Note that encrypting stored data addresses the first and third cases, where the device itself left the building. A program running on a staff member's computer reads data after it has been decrypted for use, so disk or file encryption alone would not have stopped the Energy intrusion.

Interestingly, the GAO said that all 24 agencies it examined reported myriad hindrances to implementing encryption. The most challenging conditions were:

  • Prohibitive costs. Nine agencies reported that the cost of acquiring and implementing encryption was their greatest hindrance, and 13 agencies cited this condition as somewhat of a problem. However, a government-wide initiative known as SmartBUY has been established to counter that problem, the GAO stated.
  • User acceptance and training. Some encryption technologies are burdensome to users and require specialized training on encryption concepts and on the proper installation, maintenance and use of encryption products, the GAO said. Sixteen agencies reported somewhat of a hindrance or a moderate hindrance in obtaining user acceptance of encryption implementations and in training personnel. Four agencies reported a great or very great impediment from lack of user acceptance, and two agencies reported a great problem from insufficient training.
  • Data backup, recovery, archiving, and retrieval. Agencies must establish policies and procedures for managing encryption keys, which are needed to recover data from backups after a service interruption or disaster, or to retrieve data from archived records, perhaps many years in the future. Encrypted data is only as recoverable as its key: if the only copy of a key sits on a server that is destroyed in a fire, or the key used to encrypt archived records is replaced over time without the old key being retained or the records re-encrypted, the data encrypted with that key is irretrievably lost. Sixteen agencies reported somewhat of a barrier or a moderate hindrance with backup and recovery, and 15 agencies reported the same level of burden with data archiving and retrieval, the GAO said.
  • Interoperability. Key systems and technologies of different agencies need to be compatible with each other for cross-agency collaboration. Five agencies reported that lack of interoperability was a great or very great hindrance, and 13 reported somewhat of a barrier or a moderate difficulty.
  • Infrastructure considerations. Six agencies reported facing a great or very great hindrance in readying their IT infrastructure for encryption and 11 reported this was somewhat of a problem or a moderate obstacle.
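The backup, recovery and archiving problem in the list above is a key-management problem, and the usual answer to it is envelope encryption with key escrow. The Go program below is an added illustration written for this page, not code from the GAO report or from any agency: each archived record is encrypted under its own data-encryption key (DEK), the DEK is wrapped under the current operational key-encryption key (KEK) and under a separate offline recovery KEK, and rotating the operational KEK re-wraps the DEK instead of re-encrypting the record. The key names ("kek-2007", "recovery-escrow") and record text used with it are constructed for the example, and AES-256-GCM from Go's standard library stands in for whatever FIPS-validated module an agency would actually deploy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyID names a key-encryption key (KEK) in an agency key store. Key names
// and record text used with this code are constructed for the example.
type KeyID string

// ArchivedRecord is one encrypted record plus its data-encryption key (DEK)
// wrapped under every KEK allowed to recover it. The extra wrapping under an
// offline recovery (escrow) KEK keeps the record retrievable when the
// operational KEK is lost with its server or retired in a later rotation.
type ArchivedRecord struct {
	Ciphertext  []byte
	WrappedDEKs map[KeyID][]byte
}

// randBytes draws n bytes from the CSPRNG; a failing CSPRNG is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// NewKey returns a random 256-bit AES key (used for both DEKs and KEKs).
func NewKey() []byte { return randBytes(32) }

// mustGCM builds AES-GCM for a key; a bad key length is a programming error.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key fails GCM authentication rather than
// yielding garbage plaintext.
func open(key, sealed []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// ArchiveRecord encrypts plaintext under a fresh DEK and wraps that DEK under
// each KEK given. With no KEK the DEK would exist only in memory, which is
// exactly the irretrievable case, so the call is refused.
func ArchiveRecord(plaintext []byte, keks map[KeyID][]byte) (*ArchivedRecord, error) {
	if len(keks) == 0 {
		return nil, errors.New("refusing to archive: no KEK to wrap the DEK under")
	}
	dek := NewKey()
	rec := &ArchivedRecord{Ciphertext: seal(dek, plaintext), WrappedDEKs: make(map[KeyID][]byte)}
	for id, kek := range keks {
		rec.WrappedDEKs[id] = seal(kek, dek)
	}
	return rec, nil
}

// Recover unwraps the DEK with the named KEK and decrypts the record.
func Recover(rec *ArchivedRecord, id KeyID, kek []byte) ([]byte, error) {
	w, ok := rec.WrappedDEKs[id]
	if !ok {
		return nil, fmt.Errorf("no DEK wrapped under %q: record is not recoverable with it", id)
	}
	dek, err := open(kek, w)
	if err != nil {
		return nil, fmt.Errorf("unwrapping DEK with %q: %w", id, err)
	}
	return open(dek, rec.Ciphertext)
}

// RotateKEK re-wraps the DEK from a retired KEK to its replacement. Only the
// wrapped DEK changes; the record ciphertext and any escrow wrapping stay as
// they are, so changing the KEK over time never re-encrypts the archive.
func RotateKEK(rec *ArchivedRecord, oldID KeyID, oldKEK []byte, newID KeyID, newKEK []byte) error {
	dek, err := open(oldKEK, rec.WrappedDEKs[oldID])
	if err != nil {
		return fmt.Errorf("unwrapping DEK with %q: %w", oldID, err)
	}
	delete(rec.WrappedDEKs, oldID)
	rec.WrappedDEKs[newID] = seal(newKEK, dek)
	return nil
}
```

With this layout, a KEK that burns with its server or is retired in a rotation costs nothing as long as at least one other wrapping of the DEK survives; the unrecoverable case the GAO describes is a record whose DEK was wrapped under exactly one KEK that no longer exists, which is why ArchiveRecord refuses to write a record with no KEK at all. The recovery KEK belongs in an HSM or an offline, split-knowledge store with its own backup procedure, since it is the one key whose loss cannot be rotated away.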

Ultimately, the GAO said it is recommending that OMB clarify government-wide encryption policy to address agencies' efforts to plan for and implement encryption technologies. The GAO said it is also making recommendations to selected agencies to properly install and configure FIPS-compliant (Federal Information Processing Standards) encryption technologies, to develop policies and procedures for managing encryption, and to train personnel in its use.

The 24 major federal agencies included in the GAO report were the Agency for International Development; the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency; the General Services Administration; the National Aeronautics and Space Administration; the National Science Foundation; the Nuclear Regulatory Commission; the Office of Personnel Management; the Small Business Administration; and the Social Security Administration.


Copyright © 2008 IDG Communications, Inc.
