Risk
10/19/2012
01:02 PM
50%
50%

VA Computers Remain Unencrypted, Years After Breach

Report faults IT managers for 6-year delay in adopting security measures.

Top 10 Open Government Websites
Top 10 Open Government Websites
(click image for larger view and for slideshow)
Following a high-profile data breach six years ago, the U.S. Department of Veterans Affairs spent almost $6 million on encryption software for its PCs and laptops. But an investigation by the department's inspector general determined that the encryption software has been installed on only 16% of its computers.

In the spring of 2006, an unencrypted external hard drive with personal information on 26 million veterans was stolen from the home of a VA employee. The department was forced to notify veterans and provide credit monitoring, at a cost of $20 million. In response to the security lapse, VA secretary James Nicholson mandated that all of the department's PCs and laptops be protected by encryption software.

The VA, in a deal with federal contractor Systems Made Simple, spent $2.4 million in 2006 for 300,000 licenses of GuardianEdge encryption software. The department spent an additional $1.2 million between 2007 and 2011 on maintenance agreements for 300,000 licenses, plus $2.3 million in 2011 for additional licenses and a two-year extended maintenance agreement. GuardianEdge was acquired by Symantec in 2010.

[ Hackers infiltrate a critical U.S. infrastructure, heightening need for tighter security. Read more at DOD: Hackers Breached U.S. Critical Infrastructure Control Systems. ]

But an anonymous tip, left 12 months ago on the VA's complaint hotline, alleged that the software was not being widely deployed, prompting an investigation. The IG found that the encryption software was installed on only 40,000 computers.

The IG report faulted the VA's Office of IT for inadequate planning and management of the project, citing a failure to allow time to test the software on VA's computers and to monitor the software's installation and activation. The agency encountered incompatibilities between the encryption software and its desktop PCs, causing it to postpone the software installation until it could standardize its PCs.

As a result, 335,000 licenses remain inactive, leaving an equal number of agency PCs unprotected. "Veterans' data remained at risk due to unencrypted computers," according to the Oct. 11 report.

By way of explanation, the VA's Office of IT, which has more than 5,000 employees, pointed to conflicting priorities, including the department's transition from Windows XP to Windows 7 and a "cultural transformation" tied to the implementation of its Continuous Readiness in Information Security Program.

As recently as August, the Office of IT had not provided a timeframe for completing installation of the encryption software, and it was still assessing whether the encryption software would be compatible with the agency's PC operating systems. The VA now plans to include the encryption software as part of its Windows 7 rollout, with completion targeted for September 2013, according to the IG.

Cybersecurity, continuity planning, and data records management top the list in our latest Federal IT Priorities Survey. Also in the new, all-digital Focus On The Foundation issue of InformationWeek Government: The FBI's next-gen digital case management system, Sentinel, is finally up and running. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
PJS880
50%
50%
PJS880,
User Rank: Ninja
10/22/2012 | 12:49:07 AM
re: VA Computers Remain Unencrypted, Years After Breach
6 million dollar after a breech and they have the licenses for the encryption software, what seems to be the problem with the IT departments priorities? Seriously 6 years, I can understand the difficult transition from upgrading and updating PC's from XP to 7, but reevaluating the origin of why this software was purchased to begin with might make it a priority for the IT department. If I was in charge of that project and 6 years later only 16% of the systems machine are completed , I wouldn't expect to be managing any future projects. Hopefully by 2013 the VA will be up to par with the install of the encryption software on all the devices along with the Windows 7 updates.

Paul Sprague
InformationWeek Contributor
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
10/22/2012 | 4:27:07 PM
re: VA Computers Remain Unencrypted, Years After Breach
Perhaps caused by competing priorities with other more pressing IT matters and under budget constraints, but with the DVA CIO (Assistant Secretary DVA) being in office since 2009 the question is still why? Certainly the cost of repairing the damage seems to outweigh the cost of prevention and with automated software rollouts (certainly in place for 300,000+ machines) having 555 a month (40,000 / 72) seems difficult to defend. Then again, isn't this why we even read the discussion of CIO value which populates the IW columns lately? And we cannot overlook the difference between a government appointee and a private sector CIO.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1978
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via a request to auth/process.php, (2) delete an administrator via a request to auth/admi...

CVE-2015-0741
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596.

CVE-2015-0742
Published: 2015-05-21
The Protocol Independent Multicast (PIM) application in Cisco Adaptive Security Appliance (ASA) Software 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115), 100.13(0.21), 100.13(20.3), 100.13(21.9), and 100.14(1.1) does not properly implement multicast-forwarding registrati...

CVE-2015-0746
Published: 2015-05-21
The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022.

CVE-2015-0915
Published: 2015-05-21
Cross-site scripting (XSS) vulnerability in RAKUS MailDealer 11.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted attachment filename.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.