VA Computers Remain Unencrypted, Years After Breach

Top 10 Open Government Websites

Following a high-profile data breach six years ago, the U.S. Department of Veterans Affairs spent almost $6 million on encryption software for its PCs and laptops. But an investigation by the department's inspector general determined that the encryption software has been installed on only 16% of its computers.

In the spring of 2006, an unencrypted external hard drive with personal information on 26 million veterans was stolen from the home of a VA employee. The department was forced to notify veterans and provide credit monitoring, at a cost of $20 million. In response to the security lapse, VA secretary James Nicholson mandated that all of the department's PCs and laptops be protected by encryption software.

The VA, in a deal with federal contractor Systems Made Simple, spent $2.4 million in 2006 for 300,000 licenses of GuardianEdge encryption software. The department spent an additional $1.2 million between 2007 and 2011 on maintenance agreements for 300,000 licenses, plus $2.3 million in 2011 for additional licenses and a two-year extended maintenance agreement. GuardianEdge was acquired by Symantec in 2010.

[ Hackers infiltrate a critical U.S. infrastructure, heightening need for tighter security. Read more at DOD: Hackers Breached U.S. Critical Infrastructure Control Systems. ]

But an anonymous tip, left 12 months ago on the VA's complaint hotline, alleged that the software was not being widely deployed, prompting an investigation. The IG found that the encryption software was installed on only 40,000 computers.

The IG report faulted the VA's Office of IT for inadequate planning and management of the project, citing a failure to allow time to test the software on VA's computers and to monitor the software's installation and activation. The agency encountered incompatibilities between the encryption software and its desktop PCs, causing it to postpone the software installation until it could standardize its PCs.

As a result, 335,000 licenses remain inactive, leaving an equal number of agency PCs unprotected. "Veterans' data remained at risk due to unencrypted computers," according to the Oct. 11 report.

By way of explanation, the VA's Office of IT, which has more than 5,000 employees, pointed to conflicting priorities, including the department's transition from Windows XP to Windows 7 and a "cultural transformation" tied to the implementation of its Continuous Readiness in Information Security Program.

As recently as August, the Office of IT had not provided a timeframe for completing installation of the encryption software, and it was still assessing whether the encryption software would be compatible with the agency's PC operating systems. The VA now plans to include the encryption software as part of its Windows 7 rollout, with completion targeted for September 2013, according to the IG.

Cybersecurity, continuity planning, and data records management top the list in our latest Federal IT Priorities Survey. Also in the new, all-digital Focus On The Foundation issue of InformationWeek Government: The FBI's next-gen digital case management system, Sentinel, is finally up and running. (Free registration required.)