Risk
10/19/2012
01:02 PM
50%
50%

VA Computers Remain Unencrypted, Years After Breach

Report faults IT managers for 6-year delay in adopting security measures.

Top 10 Open Government Websites
Top 10 Open Government Websites
(click image for larger view and for slideshow)
Following a high-profile data breach six years ago, the U.S. Department of Veterans Affairs spent almost $6 million on encryption software for its PCs and laptops. But an investigation by the department's inspector general determined that the encryption software has been installed on only 16% of its computers.

In the spring of 2006, an unencrypted external hard drive with personal information on 26 million veterans was stolen from the home of a VA employee. The department was forced to notify veterans and provide credit monitoring, at a cost of $20 million. In response to the security lapse, VA secretary James Nicholson mandated that all of the department's PCs and laptops be protected by encryption software.

The VA, in a deal with federal contractor Systems Made Simple, spent $2.4 million in 2006 for 300,000 licenses of GuardianEdge encryption software. The department spent an additional $1.2 million between 2007 and 2011 on maintenance agreements for 300,000 licenses, plus $2.3 million in 2011 for additional licenses and a two-year extended maintenance agreement. GuardianEdge was acquired by Symantec in 2010.

[ Hackers infiltrate a critical U.S. infrastructure, heightening need for tighter security. Read more at DOD: Hackers Breached U.S. Critical Infrastructure Control Systems. ]

But an anonymous tip, left 12 months ago on the VA's complaint hotline, alleged that the software was not being widely deployed, prompting an investigation. The IG found that the encryption software was installed on only 40,000 computers.

The IG report faulted the VA's Office of IT for inadequate planning and management of the project, citing a failure to allow time to test the software on VA's computers and to monitor the software's installation and activation. The agency encountered incompatibilities between the encryption software and its desktop PCs, causing it to postpone the software installation until it could standardize its PCs.

As a result, 335,000 licenses remain inactive, leaving an equal number of agency PCs unprotected. "Veterans' data remained at risk due to unencrypted computers," according to the Oct. 11 report.

By way of explanation, the VA's Office of IT, which has more than 5,000 employees, pointed to conflicting priorities, including the department's transition from Windows XP to Windows 7 and a "cultural transformation" tied to the implementation of its Continuous Readiness in Information Security Program.

As recently as August, the Office of IT had not provided a timeframe for completing installation of the encryption software, and it was still assessing whether the encryption software would be compatible with the agency's PC operating systems. The VA now plans to include the encryption software as part of its Windows 7 rollout, with completion targeted for September 2013, according to the IG.

Cybersecurity, continuity planning, and data records management top the list in our latest Federal IT Priorities Survey. Also in the new, all-digital Focus On The Foundation issue of InformationWeek Government: The FBI's next-gen digital case management system, Sentinel, is finally up and running. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
10/22/2012 | 4:27:07 PM
re: VA Computers Remain Unencrypted, Years After Breach
Perhaps caused by competing priorities with other more pressing IT matters and under budget constraints, but with the DVA CIO (Assistant Secretary DVA) being in office since 2009 the question is still why? Certainly the cost of repairing the damage seems to outweigh the cost of prevention and with automated software rollouts (certainly in place for 300,000+ machines) having 555 a month (40,000 / 72) seems difficult to defend. Then again, isn't this why we even read the discussion of CIO value which populates the IW columns lately? And we cannot overlook the difference between a government appointee and a private sector CIO.
PJS880
50%
50%
PJS880,
User Rank: Ninja
10/22/2012 | 12:49:07 AM
re: VA Computers Remain Unencrypted, Years After Breach
6 million dollar after a breech and they have the licenses for the encryption software, what seems to be the problem with the IT departments priorities? Seriously 6 years, I can understand the difficult transition from upgrading and updating PC's from XP to 7, but reevaluating the origin of why this software was purchased to begin with might make it a priority for the IT department. If I was in charge of that project and 6 years later only 16% of the systems machine are completed , I wouldn't expect to be managing any future projects. Hopefully by 2013 the VA will be up to par with the install of the encryption software on all the devices along with the Windows 7 updates.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2004-2771
Published: 2014-12-24
The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

CVE-2014-3569
Published: 2014-12-24
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshak...

CVE-2014-4322
Published: 2014-12-24
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or c...

CVE-2014-6132
Published: 2014-12-24
Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3 through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 allows remote authenticated users to inject arbitrary web script or HTML vi...

CVE-2014-6153
Published: 2014-12-24
The Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3.x through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.