10/19/2012
01:02 PM

VA Computers Remain Unencrypted, Years After Breach

Report faults IT managers for 6-year delay in adopting security measures.

Following a high-profile data breach six years ago, the U.S. Department of Veterans Affairs spent almost $6 million on encryption software for its PCs and laptops. But an investigation by the department's inspector general determined that the encryption software has been installed on only 16% of its computers.

In the spring of 2006, an unencrypted external hard drive with personal information on 26 million veterans was stolen from the home of a VA employee. The department was forced to notify veterans and provide credit monitoring, at a cost of $20 million. In response to the security lapse, VA secretary James Nicholson mandated that all of the department's PCs and laptops be protected by encryption software.

The VA, in a deal with federal contractor Systems Made Simple, spent $2.4 million in 2006 for 300,000 licenses of GuardianEdge encryption software. The department spent an additional $1.2 million between 2007 and 2011 on maintenance agreements for 300,000 licenses, plus $2.3 million in 2011 for additional licenses and a two-year extended maintenance agreement. GuardianEdge was acquired by Symantec in 2010.

But an anonymous tip, left 12 months ago on the VA's complaint hotline, alleged that the software was not being widely deployed, prompting an investigation. The IG found that the encryption software was installed on only 40,000 computers.

The IG report faulted the VA's Office of IT for inadequate planning and management of the project, citing a failure to allow time to test the software on VA's computers and to monitor the software's installation and activation. The agency encountered incompatibilities between the encryption software and its desktop PCs, causing it to postpone the software installation until it could standardize its PCs.

As a result, 335,000 licenses remain inactive, leaving an equal number of agency PCs unprotected. "Veterans' data remained at risk due to unencrypted computers," according to the Oct. 11 report.

By way of explanation, the VA's Office of IT, which has more than 5,000 employees, pointed to conflicting priorities, including the department's transition from Windows XP to Windows 7 and a "cultural transformation" tied to the implementation of its Continuous Readiness in Information Security Program.

As recently as August, the Office of IT had not provided a timeframe for completing installation of the encryption software, and it was still assessing whether the encryption software would be compatible with the agency's PC operating systems. The VA now plans to include the encryption software as part of its Windows 7 rollout, with completion targeted for September 2013, according to the IG.

Comments
PJS880 (User Rank: Ninja), 10/22/2012 | 12:49:07 AM
re: VA Computers Remain Unencrypted, Years After Breach
6 million dollars after a breach, and they have the licenses for the encryption software; what seems to be the problem with the IT department's priorities? Seriously, 6 years. I can understand the difficult transition from upgrading and updating PCs from XP to 7, but reevaluating the origin of why this software was purchased to begin with might make it a priority for the IT department. If I was in charge of that project and 6 years later only 16% of the system's machines were completed, I wouldn't expect to be managing any future projects. Hopefully by 2013 the VA will be up to par with the install of the encryption software on all the devices along with the Windows 7 updates.

Paul Sprague
InformationWeek Contributor
MyW0r1d (User Rank: Apprentice), 10/22/2012 | 4:27:07 PM
re: VA Computers Remain Unencrypted, Years After Breach
Perhaps caused by competing priorities with other more pressing IT matters and under budget constraints, but with the DVA CIO (Assistant Secretary DVA) being in office since 2009 the question is still why? Certainly the cost of repairing the damage seems to outweigh the cost of prevention and with automated software rollouts (certainly in place for 300,000+ machines) having 555 a month (40,000 / 72) seems difficult to defend. Then again, isn't this why we even read the discussion of CIO value which populates the IW columns lately? And we cannot overlook the difference between a government appointee and a private sector CIO.