Feds' Laptop Security Efforts Move Slowly
U.S. government agencies are scrambling to plug one of their biggest security holes: sensitive information -- names, addresses and Social Security numbers, for example -- stored on laptops, handhelds and thumb drives.
In the last year, agencies have purchased 800,000 licenses for encryption software through the federal Data at Rest (DAR) Encryption program, which is run jointly by the General Services Administration and the U.S. Department of Defense.
"Sales have been very brisk,'' says Fred Schobert, CTO for integrated technology services at the General Services Administration's Federal Acquisition Service. "We've been somewhat overwhelmed.''
The government's fast adoption rate of encryption software comes after numerous headline-grabbing security breaches. Laptop encryption has also been on the rise among corporations, including the likes of EMC and IBM.
It's been two years since teens stole a laptop from the home of a U.S. Department of Veterans Affairs employee, putting at risk for identity theft a database of names and Social Security numbers for 26.5 million veterans and military personnel.
But this year alone, laptops with personally identifiable information have been stolen from Bolling Air Force Base, a Marine Corps base in Okinawa, Japan, and the National Institutes of Health in Bethesda, Md. In all of these cases, the data on the laptops wasn't encrypted and could have been used by thieves for identity theft, according to a list of known security breaches compiled by the Privacy Rights Web site.
While sales on the DAR Encryption program are stronger than anticipated, federal officials admit they haven't secured all of their laptops, handhelds and removable drives yet.
"It was originally thought that there would be about 1 million laptops in DoD and 1 million in civilian agencies. We roughly came up with the number of 2 million laptops. However, that number is informal. It's constantly being expanded and contracted,'' says David Hollis, program manager for the Defense Department's Data at Rest Tiger Team.
"We're not worrying about how many laptops and PDAs there are in the government. We're trying to provide an opportunity for federal, state and local governments to secure what's out there,'' Hollis said.
The Office of Management and Budget requires federal agencies to purchase encryption software for laptops, handhelds and removable storage devices.
The DAR program, which offers encryption software from 10 leading vendors, "is really one of the cornerstones of security information assurance overall in terms of the U.S. government,'' says Robert Lentz, deputy assistant secretary for Information and Identity Assurance at the Defense Department.
One reason feds are buying encryption software is that the prices are so low. On the DAR Encryption program, feds are paying only $10 to $12 per laptop for software that retails at $125 or more.
"The federal IT budget alone is around $70 billion. When you think about the scale of that budget, $12 a laptop is pretty cheap insurance,'' says Ray Bjorklund, senior vice president of Fed Sources, a McLean, Va., market research firm.
Federal officials say they have sold $17 million worth of encryption software through the DAR program to date. More significant, they say, are the total savings.
"The discounts we have achieved have resulted in a total cost avoidance of $79 million,'' Schobert said.
Federal officials say they are getting a discount of more than 80% off retail pricing for encryption software. That's one of the reasons that state and local government agencies are using the contract to buy software.
So far, 76% of sales from the DAR Encryption contracts have been from federal agencies, while 24% have been from state and local government agencies.
"Our largest purchases were made by Agriculture, IRS, Transportation, Army and Social Security Administration,'' Schobert says. "Thirty state and local government agencies have purchased off the DAR [contracts]. These include . . . the New York State Power Authority, the Florida Department of Corrections and Ohio State University.''
The DAR Encryption program is the primary contract for federal agencies to purchase this type of software. Civilian agencies aren't required to use the DAR Encryption program, but military agencies are.
"From the DOD standpoint, it's mandatory,'' Lentz says. "We have made it clear to the department after this award occurred that we wanted to have all crucial mobile devices using this technology by the end of the year. This is the only vehicle they have to buy it.''
Encryption of mobile data is a serious issue for government agencies, Bjorklund says.
"As the wireless technology becomes more robust and more reliable, there is a strong likelihood that it can be used for critical command and control-type applications, and that's where the need for security becomes very, very high,'' he adds.
Federal officials are expecting strong sales to continue on the DAR Encryption program, as agencies continue to encrypt the data on their laptops and, increasingly, on their smartphones. When the five-year DAR Encryption contracts were awarded, GSA said they could be worth more than $79 million.
"There is an opportunity for significant sales ahead,'' Schobert says. "The first year, we were in start-up mode.''
The most popular products on the DAR Encryption program are hybrid software packages that offer full disk and file folder encryption.
"The larger organizations want to buy one software product. They want full-disk encryption on their laptops, but they also want to put it on their workstations to encrypt the files they put on removable storage devices,'' Hollis says.