When a laptop PC with unencrypted data was stolen from the car of a National Institutes of Health researcher earlier this year, it was evidence that agencies continue to expose people’s data to theft two years after the Veterans Affairs Department’s dramatic security breach.
The NIH incident showed that some agencies still lag in implementing the Office of Management and Budget’s policy for securing laptops and other mobile computing devices to prevent unauthorized access to personal data stored on them. The stolen NIH laptop contained 3,000 medical-research participants’ personal data, including medical records and Social Security numbers belonging to 1,200 of them.
Agencies trying to meet OMB’s data encryption mandate are struggling in the face of limited resources, internal resistance to change and the challenge of applying uniform standards in organizations where various nonstandard encryption solutions are already deployed, said Ed Meagher, deputy chief information officer at the Interior Department.
Encryption software scrambles stored data so that only an authorized user can access it. However, its use is only one of several requirements that OMB mandated in 2006 to protect mobile data. OMB’s policy memo also required the use of automatic timeout functions, two-factor user authentication for remote access to data and the logging of data extracts when they contain personal data. Agencies must also erase personal data within 90 days unless they certify a need to retain it longer.
“We’re making up for decades of inattention to security, and now we’re trying to catch up very quickly, and it’s not pretty,” Meagher said.
Meagher endorses OMB’s multilayered approach to securing data on mobile devices as necessary medicine. A single requirement, such as mandatory encryption, would not sufficiently reduce security risks, and it might even shift the risk elsewhere, he said. But the logic behind OMB’s policy doesn’t make meeting the new requirements any easier.
“To the end user, it looks like it’s all coming at once, and for reasons that they may not understand or accept, you’re upsetting the normal course of things,” Meagher said.
OMB directed agencies to encrypt mobile data after the theft of a VA computer that put the personal data of millions of veterans at risk. The missing laptop was later recovered. After that incident, VA became one of the first agencies to secure its laptop PCs using whole-disk encryption, a technique that prevents unauthorized users from doing anything more than turning on the encrypted computer.
Before the VA incident, some agencies had been encrypting some of their data, but few organizations followed a consistent policy or used a standard tool, Meagher said.
Since OMB issued its encryption policy, agencies have raised several issues that need to be addressed, said Karen Evans, OMB’s administrator for e-government and information technology.
“Some of these considerations include accurately reflecting the costs within their system budget justifications, properly training users while a solution is deployed, [and determining] how encryption keys will be managed and how encryption will be deployed across the agency infrastructure,” Evans said.
Each of those concerns can be addressed with appropriate implementation planning, she added.
To help agencies with encryption solutions, OMB has worked with the General Services Administration’s SmartBuy governmentwide data-at-rest program to promote uniform software management practices, Evans said.
Interior has not implemented agencywide encryption yet. However, it hopes to have the funds appropriated in fiscal 2009 and complete implementation by the end of fiscal 2009, Meagher said. Interior will use the SmartBuy program.Challenges
Meagher cited a list of challenges that agencies face as they deploy an encryption solution.
First, agencies must have an accurate accounting of laptops and know whether sensitive data is stored on them. Many agencies lack the data standards and controls that would allow them to make that determination easily.
“It would be wonderful if we had command of our data so that we can say what is sensitive and what is not with a high degree of assurance,” Meagher said. “Since we don’t, you default to encrypting everything.”
Second, encryption sometimes slows a computer’s performance. Four- or five-year-old laptops running without encryption might perform well for many tasks. However, when agencies encrypt older laptops, performance can suffer. Because organizations might need to buy new, better-performing laptops when they add encryption software, the cost of safeguarding data and complying with OMB’s policy can escalate, Meagher said.
Some agencies that have installed nonstandard encryption software must remove it and reconfigure their settings after they have selected a new encryption product from the SmartBuy contract. That change alone could trigger a flood of trouble calls to an agency’s help desk as employees adjust to the new software.
“It’s people’s perception that your encryption software broke my computer or made it worse,” Meagher said. Those calls go away in time, he added.
Employees also call help desks when they lose their encryption keys. Scale that to the 30,000 laptops that must be encrypted, and it can become an issue, Meagher said.
A third encryption challenge is key management. Every file or disk that agencies encrypt has a unique key to unscramble the data. Administrators must manage backup copies of those keys.
“Keys are at risk of loss, theft and difficult key recovery. It makes for complex key management,” and Tom Kireilis, who oversees SmartBuy as director of strategic solutions at GSA’s Federal Acquisition Service.
The federal government deployed encryption before the private sector adopted it, and as a result, federal employees experienced early difficulties that earned encryption a reputation as something that gets in the way, said Edy Almer, senior product manager at Symantec’s endpoint and security management group.
“I don’t think you need to educate your users that it is good for them,” Almer said. “You just need to help them avoid the pain. As an administrator, if I get in the way of my users, I get resistance.”Designed to be easy
Although encryption often imposes significant financial and management challenges on agencies, getting employees to accept and use it doesn’t have to be difficult, Almer said. Encryption can be nearly transparent to users, he added.
For example, administrators can deploy Symantec’s software to work as a background task without requiring users to define keys or use a special key sequence to initiate encryption. Employees also can use its single sign-on capability so they have no new passwords to remember.
NIH, an agency of the Health and Human Services Department, has encrypted about 14,000 laptops. Those that are not yet encrypted are not circulating, said John “Jack” Jones, NIH’s chief information officer and acting director of the Center for IT.
NIH also has about 4,000 Apple laptops, but the agency has restricted the use of sensitive information on them until appropriate encryption is available.
The encryption software that NIH uses causes laptops to take about 20 percent longer to boot up, but Jones said most users hardly remember the encryption software is present once they start working.
“You don’t notice it happening behind h e cenes,” Jones said. “It’s like the operating system function that doesn’t really intrude on the user that much.”
NIH doesn’t have answers yet to all the challenges. One problem occurs when NIH employees travel to deliver conference presentations. NIH requires them to carry their presentation files on an encrypted flash drive even if the drive contains no sensitive or personal information.
However, not all conference laptops are able to read and decrypt flash drives. NIH is considering solutions such as thumb drives that load their own software when plugged in or create a partition between sensitive and nonsensitive information.
NIH’s laptop theft in February has increased staff members’ awareness of information security and how to reduce their risk of exposing sensitive data, Jones said.
“The most important element in any security system is the people doing it,” he said. “If you don’t have their support in making security work, no amount of technology can overcome thoughtlessness and carelessness on their part.”
Jones said the stolen laptop incident also has prompted employees who don’t typically talk with one another about sensitive information and the procedures for safeguarding it to begin talking about it, which makes his job easier.