No quick fix for government data security
The White House has set an early August deadline for government agencies to encrypt sensitive data after the embarrassing theft of millions of veterans' personal information, but experts warn a quick technology fix will not cure security problems.
While encryption and other security technology can help, slipshod handling of data and equipment, poor training and the slow-moving government bureaucracy are seen as the main causes of vulnerability.
"The White House directive is a good first step, but we're concerned about the time frame," said John Dasher, director of product management at encryption software maker PGP Corp. "Do they have funds budgeted and allocated? These are the nuts and bolts of the procurement process."
Companies, including PGP, are eager to sell the government existing encryption and other security software that could be deployed in a matter of weeks. But several executives interviewed by Reuters said agencies must first consider basic concepts of data security before buying software.
"I'll bet many organizations can't even tell you where sensitive data is," said Chris Voice, chief technology officer at security software maker Entrust Inc. "Not only should certain data be stored and encrypted properly, but certain people should not have access to it to begin with."
With personal data, such as social security numbers and addresses, thieves can open credit card accounts and wreak havoc with victims' financial lives.
After calls for Veterans Affairs Secretary Jim Nicholson to resign in the wake of the stolen laptop incident, agency heads and cabinet secretaries are now hurrying to learn about their own information technology programs.
The VA laptop, which was later recovered by police, contained personal data on 26.5 million veterans.
And the VA is hardly alone.
The government has been embarrassed by a spate of recently disclosed data breaches at the Energy Department, Agriculture Department, FBI, and even the Federal Trade Commission--the agency responsible for protecting Americans from fraud and identity theft.
"Agency executives do not know the value of the data they have in their information technology systems and they take security for granted," said Paul Kurtz, director of the Cyber Security Industry Alliance (CSIA) and a former White House computer systems security policy adviser.
Cabinet secretaries should insist on being informed of all security breaches, Kurtz said.
Government agencies also face an October deadline to comply with a 2004 White House order to adopt secure access cards to protect government buildings. The same access technology is expected to be used to secure information technology as well.
Few, if any, agencies outside the Department of Defense are expected to meet that deadline, according to industry sources.
Michael Butler, the official in charge of the program at the Pentagon who was recently assigned to the General Services Administration to help other government offices adopt secure access cards, offered a more optimistic, if qualified, view.
"There are a number of agencies who intend and have systems in test today that are certainly capable of making the date," Butler told Reuters. "There is much to do."
Encryption software scrambles computer files to keep data private. One of the major criticisms of encryption technology is that it is difficult for non-technical workers to use.
Some question whether the government's mandate to encrypt all data on laptops, Blackberries and other mobile devices is practical. Exceptions are allowed only if approved by deputy cabinet secretaries in writing.
"We can't be encrypting and decrypting everything," said Sarah Gates, vice president of identity management for Sun Microsystems Inc.
Instead, private companies and government agencies should lock down data and applications on central networks and restrict the use of powerful laptops and hand-held devices that run applications.
"We will have to trade some convenience for better security," Gates said.
Encryption vendors disagree. But tellingly, their most recent product and marketing efforts have focused on making the software easier for typical computer users to use.
"If we don't invest in making encryption technology transparent and easy to use, it will not be used," Entrust's Voice said. "Today we have disk encryption products where users don't have to know it's on their laptop."
PGP claims its latest products offer similar ease of use.
Regardless of the technology approach, however, experts agree that implementation depends on the sheer will of the government officials involved.
"What we're talking about is not rocket science. All of the technology exists today," said Kurtz. "It's about telling the chief information officers to go get it done."