GAO: Most sensitive data on government laptops still unencrypted
Watchdog agency says only 30% of such info was encrypted as of last September
IDG News Service - Despite a series of high-profile data breaches at federal agencies in recent years, only about 30% of the sensitive information stored on laptops and mobile devices used by federal workers was encrypted as of last September, according to a report issued by the Government Accountability Office.
The GAO, which released the report to the public today, examined the use of encryption technology at 24 major agencies. The federal watchdog defined several types of data as sensitive, including medical records, other personal information, law enforcement records and information deemed to be essential for homeland security purposes.
"While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities," the GAO said in the report. "As a result, federal information may remain at increased risk of unauthorized disclosure, loss, and modification."
The report follows a string of security mishaps involving government-issued laptops. The biggest occurred in May 2006, when the Department of Veterans Affairs reported that a laptop and hard drive containing the personal information of 26.5 million military veterans and active-duty personnel had been stolen from the home of an agency employee. Law enforcement officers recovered the hardware the following month, and the VA began encrypting the data on all of its PCs, handheld devices and smart phones later that year.
But the VA has had plenty of company. Last year, for example, the GAO reported that 490 laptops were lost or stolen from the Internal Revenue Service between early 2003 and mid-2006. Many of those laptops likely contained the personal data of U.S. taxpayers, according to a separate report by an auditor at the IRS.
In another example, the Department of Commerce reported in September 2006 that 1,137 of its laptops had been lost or stolen since 2001, with 249 of them containing some personal data.
The GAO's new report notes that several laws, including the Federal Information Security Management Act of 2002, require agencies to protect their data. In addition, the White House Office of Management and Budget (OMB) first recommended in 2006, then required in May of last year, that agencies encrypt all sensitive data stored on mobile computers.
Following the lead of the VA, federal agencies have been increasing their encryption efforts. But two members of the House Homeland Security Committee said this week that they're disappointed with the progress being made by agencies, based on the GAO's findings.
"Encryption is not an option, it is a mandate," Rep. Bennie Thompson (D-Miss.) said in a statement. "Unfortunately, I'm not surprised that despite mandates by OMB, the federal government is only 30% of the way there." Thompson, the Homeland Security Committee's chairman, added that investing properly in cybersecurity now "will keep us from paying dearly in the long run."