VA still lags on encryption

More than six years after the Veterans Administration (VA) suffered one of the worst data breaches in history, it is still a long way from closing off the vulnerability that made the breach possible: lack of encryption.

It was on May 3, 2006, that a laptop and external hard drive containing an unencrypted national database with names, Social Security numbers, dates of birth, and some disability ratings for 26.5 million veterans, active-duty military personnel and spouses was stolen from a VA analyst's Maryland home.

The laptop was returned almost two months later by an unknown person, but the VA still spent about $20 million to notify those whose information had been compromised and for credit monitoring.

Three months later, in August, the VA secretary ordered the agency's Office of Information Technology (OIT) to upgrade all VA laptop and desktop computers with enhanced data security encryption software.

But today, more than 80% of the VA's computers are unencrypted, even though the agency spent $5.9 million for 300,000 Guardian Edge (now owned by Symantec) encryption software licenses in 2006, and another 100,000 licenses in 2011.

The VA, in a statement, contends that 99% of its laptops now carry the encryption software.

But a report issued last month by the VA's Office of the Inspector General (OIG) found that as of this past July, the VA had "installed and activated only a small portion, about 65,000 (16%), of the total 400,000 licenses procured, [even though] our annual Federal Information Security Management Act reviews have repeatedly identified the need for VA to address information security weaknesses, including inadequate implementation and enforcement of oversight controls over access to information systems."

The number could be even lower than 65,000. The report said the count could include duplicates "when computers are turned off, reimaged, then turned on again or when computers are upgraded and not scrubbed."

"[The 65,000 is] the number of computers that had logged into the Guardian Edge/Symantec server within the previous 90 days," the report said.

This, the report said, was due to inadequate planning and management of the project, including the fact that the VA bought the software without knowing whether it was compatible with its computers, and failed to allow time to test the software to ensure compatibility.

Not surprisingly, the report's conclusion was not reassuring. "Veterans' personally identifiable information remains at risk of inadvertent or fraudulent access or use," it said.

[See also: The 15 worst data security breaches of the 21st Century]

"[The VA] has successfully encrypted over 99% of our laptop computers. We have begun deploying Windows 7 with Symantec Full Disk Encryption across the VA enterprise," a statement provided by spokeswoman Josephine Schuda said. "The rate of deployment will be approximately 2% per week, with expected completion of September 30, 2013. We are committed to installing and activating all of the purchased encryption licenses."

The statement said there was an issue with using encryption on desktop computers. "The encryption software had a significantly detrimental effect on computers used by clinicians in their care of patients," it said. "However, improvements in software and hardware since that time have reduced much of that impact, and we have begun rolling out encryption to all of VA's desktops."

But some security experts say that since 2006, a much better option has come on the market. Lark Allen, executive vice president of Wave Systems, said all the major computer manufacturers have been offering self-encrypting drives (SEDs) as an option for about five years. For about the same price as software, he said, they make encryption vastly easier for both IT departments and end users.

"Software encryption is very complex to install," Allen said. "It's almost like the encryption has to hack the OS to get it to work correctly. When you start it up, the software must come up first so you can authenticate yourself, and then it unlocks the rest of the system. It has to make sure it takes control before the OS boots. It almost operates like malware put into the system."

Installation is very slow as well, he said -- somewhere between three and 48 hours for a 500GB hard drive. He said an automotive company found it was taking a week to install it on a single laptop. "And if you're doing things like running antivirus or copying large files, the performance degrades dramatically," he said.

He said a user frustrated by the slow pace could disable it to get the computer to work faster, but that means the information is no longer encrypted.

A self-encrypting drive "encrypts as you image the drive," he said. "The OS has no knowledge that it's been encrypted, and the user doesn't notice anything either. And it's always on -- a user can't disable it."

While it makes the most financial sense to buy the self-encrypting drive with a new computer, the turnover rate is usually about three years, so Allen said the VA could have solved the problem by now simply by including self-encrypting drives with every new computer it bought.

The VA said it has considered and rejected that option. While self-encrypting drives are "excellent for consumer use, [they are] very difficult to manage in an enterprise environment, especially one centered around patient care and safety."

"Encryption software gives the VA better control over its IT devices than encrypted drives would," the statement said.

Stories by Taylor Armerding