Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/19/2012
01:02 PM
50%
50%

VA Computers Remain Unencrypted, Years After Breach

Report faults IT managers for 6-year delay in adopting security measures.

Top 10 Open Government Websites
Top 10 Open Government Websites
(click image for larger view and for slideshow)
Following a high-profile data breach six years ago, the U.S. Department of Veterans Affairs spent almost $6 million on encryption software for its PCs and laptops. But an investigation by the department's inspector general determined that the encryption software has been installed on only 16% of its computers.

In the spring of 2006, an unencrypted external hard drive with personal information on 26 million veterans was stolen from the home of a VA employee. The department was forced to notify veterans and provide credit monitoring, at a cost of $20 million. In response to the security lapse, VA secretary James Nicholson mandated that all of the department's PCs and laptops be protected by encryption software.

The VA, in a deal with federal contractor Systems Made Simple, spent $2.4 million in 2006 for 300,000 licenses of GuardianEdge encryption software. The department spent an additional $1.2 million between 2007 and 2011 on maintenance agreements for 300,000 licenses, plus $2.3 million in 2011 for additional licenses and a two-year extended maintenance agreement. GuardianEdge was acquired by Symantec in 2010.

[ Hackers infiltrate a critical U.S. infrastructure, heightening need for tighter security. Read more at DOD: Hackers Breached U.S. Critical Infrastructure Control Systems. ]

But an anonymous tip, left 12 months ago on the VA's complaint hotline, alleged that the software was not being widely deployed, prompting an investigation. The IG found that the encryption software was installed on only 40,000 computers.

The IG report faulted the VA's Office of IT for inadequate planning and management of the project, citing a failure to allow time to test the software on VA's computers and to monitor the software's installation and activation. The agency encountered incompatibilities between the encryption software and its desktop PCs, causing it to postpone the software installation until it could standardize its PCs.

As a result, 335,000 licenses remain inactive, leaving an equal number of agency PCs unprotected. "Veterans' data remained at risk due to unencrypted computers," according to the Oct. 11 report.

By way of explanation, the VA's Office of IT, which has more than 5,000 employees, pointed to conflicting priorities, including the department's transition from Windows XP to Windows 7 and a "cultural transformation" tied to the implementation of its Continuous Readiness in Information Security Program.

As recently as August, the Office of IT had not provided a timeframe for completing installation of the encryption software, and it was still assessing whether the encryption software would be compatible with the agency's PC operating systems. The VA now plans to include the encryption software as part of its Windows 7 rollout, with completion targeted for September 2013, according to the IG.

Cybersecurity, continuity planning, and data records management top the list in our latest Federal IT Priorities Survey. Also in the new, all-digital Focus On The Foundation issue of InformationWeek Government: The FBI's next-gen digital case management system, Sentinel, is finally up and running. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
10/22/2012 | 4:27:07 PM
re: VA Computers Remain Unencrypted, Years After Breach
Perhaps caused by competing priorities with other more pressing IT matters and under budget constraints, but with the DVA CIO (Assistant Secretary DVA) being in office since 2009 the question is still why? Certainly the cost of repairing the damage seems to outweigh the cost of prevention and with automated software rollouts (certainly in place for 300,000+ machines) having 555 a month (40,000 / 72) seems difficult to defend. Then again, isn't this why we even read the discussion of CIO value which populates the IW columns lately? And we cannot overlook the difference between a government appointee and a private sector CIO.
PJS880
50%
50%
PJS880,
User Rank: Ninja
10/22/2012 | 12:49:07 AM
re: VA Computers Remain Unencrypted, Years After Breach
6 million dollar after a breech and they have the licenses for the encryption software, what seems to be the problem with the IT departments priorities? Seriously 6 years, I can understand the difficult transition from upgrading and updating PC's from XP to 7, but reevaluating the origin of why this software was purchased to begin with might make it a priority for the IT department. If I was in charge of that project and 6 years later only 16% of the systems machine are completed , I wouldn't expect to be managing any future projects. Hopefully by 2013 the VA will be up to par with the install of the encryption software on all the devices along with the Windows 7 updates.

Paul Sprague
InformationWeek Contributor
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8344
PUBLISHED: 2020-09-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2020-8347
PUBLISHED: 2020-09-24
A reflective cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's browser if a crafted url is visited, possibly through phishing.
CVE-2020-8348
PUBLISHED: 2020-09-24
A DOM-based cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's current browser session if a crafted url is visited, possibly through phishing.
CVE-2020-15850
PUBLISHED: 2020-09-24
Insecure permissions in Nakivo Backup & Replication Director version 9.4.0.r43656 on Linux allow local users to access the Nakivo Director web interface and gain root privileges. This occurs because the database containing the users of the web application and the password-recovery secret value i...
CVE-2020-15851
PUBLISHED: 2020-09-24
Lack of access control in Nakivo Backup & Replication Transporter version 9.4.0.r43656 allows remote users to access unencrypted backup repositories and the Nakivo Controller configuration via a network accessible transporter service. It is also possible to create or delete backup repositories.