Stolen VA laptop caught in safety net

Department’s mobile data security policies and practices prevented information breach

Agencies lag on security

Some agencies have not yet established security policies as the Office of Management and Budget directed them to do after a well-publicized security incident at the Veterans Affairs Department in 2006. VA computer equipment and data on 25.6 million veterans and their families was stolen. Government auditors released these figures in February to show the actions that agencies have taken to implement the security policies that OMB mandated after the 2006 laptop PC theft.


Encrypt mobile data:

Done: 22 agencies

Not done: 2 agencies


Add two-factor authentication:

Done: 14 agencies

Not done: 10 agencies


Add time-out function:

Done: 15 agencies

Not done: 9 agencies


Log computer extracts:

Done: 11 agencies

Not done: 13 agencies


Source: Government Accountability Office

The Veterans Affairs Department lost another laptop PC, but the department was better prepared this time.

When an employee at VA’s Austin Corporate Data Center in Texas had his laptop stolen from his apartment last month, the department’s revamped security policies and new security technologies were put to the test. Unlike what happened when a VA laptop was stolen in 2006, data on the newly missing laptop was protected by encryption, and VA officials knew exactly what equipment was missing.

“The safety net held,” said Adair Martinez, VA’s deputy assistant secretary for information protection and risk management. “Even though it can be hard to carry out some of the controls we require, the reward is that government information can’t be violated.”

In May 2006, when another employee had a laptop stolen that contained millions of veterans’ records, VA quickly established new policies, procedures and technology fixes to tighten data security. Experts say this latest VA incident shows that the department learned from its experience.    

VA protected the laptop with GuardianEdge full-disk encryption. No one lacking proper authentication could do more than turn on the computer. The encryption software would block unauthorized users from accessing the data, Martinez said.    

In the latest incident, the employee immediately reported the theft to VA and the Austin police department. Because VA followed information technology security policies and procedures, officials could determine that no sensitive data resided on the laptop.

VA had maintained its asset management inventory processes, so officials knew what equipment was missing. Employees are required to bring their laptops into their office’s IT shop at least every 30 days to receive software updates. Technicians upgrade Microsoft Windows, antivirus, intrusion-detection and encryption software during those updates, Martinez said.

On the evening of the theft, Austin police recovered the laptop in a raid on a convenience store suspected of involvement in drug activity. Police noticed the VA insignia flashing on a laptop running in the back of the store. Believing it might be stolen government property, the police took possession of it and notified the Homeland Security Department, which contacted VA and returned it. The only damage was a broken lock. The employee whose laptop was stolen had permission to bring the laptop home, where he had locked it down to furniture.

After the 2006 incident, OMB directed agencies to encrypt mobile data, implement a timeout function that requires reauthentication, and establish policies for logging computer-readable extracts from databases holding sensitive information.   

“Agencies are encrypting all data — data at rest, data that is mobile,” said Karen Evans, OMB’s administrator for e-government and IT. “We also are using two-factor authentication, which makes sure only authorized people are on your network.”

Data security policies and procedures are needed, but encrypting the data is what protected VA, said Alan Paller, research director at the SANS Institute. VA should be commended for having accomplished that, he said. “Encrypting data is the only defense against attacks right now.” 

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.