VA Computers Still Unencrypted More than Half a Decade After Breach

By Anthony Freed | October 22, 2012

Posted in: Network Security Trends

While lawmakers entertain notions of broadening government power over private-sector security through an expansion of regulatory mandates, some government agencies continue to demonstrate that they cannot effectively administer their own cybersecurity prescriptions. A report released by the U.S. Department of Veterans Affairs' (VA) own inspector general has revealed that after more than six years and six million dollars in spending, the department has still installed encryption software on only a fraction of the agency's computers.

The deployment of the encryption software was ordered by then-VA Secretary James Nicholson following a 2006 incident that compromised the personal information of more than 26 million veterans. The breach occurred after an unencrypted external hard drive was stolen from the home of a VA employee, which prompted the agency to offer credit monitoring services to everyone exposed at a cost of more than $20 million.

Despite the bad publicity and subsequent directive to secure data on the VA's computers, the inspector general's report indicates that the Office of Information Technology (OIT) "had not installed and activated all of the 300,000 Guardian Edge encryption software licenses purchased in 2006" and furthermore "had not installed and activated an additional 100,000 licenses purchased in 2011."

In total, the investigation found that the OIT had completed the installation of only 65,000 of the 400,000 licenses purchased, roughly 16% of the encryption capacity the agency had paid for. The reasons cited for the failure to deploy the software come down to inadequate management of the effort.

"OIT did not install and activate all of the licenses due to inadequate planning and management of the project. Specifically, OIT did not allow time to test the software to ensure compatibility with VA computers, ensure sufficient human resources were available to install the encryption software on VA computers, and adequately monitor the project to ensure encryption of all VA laptop and desktop computers," the report states.

The investigation was initiated after an anonymous tip was submitted to the VA's hotline more than a year ago, asserting that the department was not complying with the directive to protect the personal data of millions of former military personnel; the inquiry confirmed the allegation. In addition, the investigation found that even on systems where the encryption software had been installed, data may still be at risk of compromise.

"Given changes in VA technology since 2006, the Department lacks assurance the remaining software licenses are compatible to meet encryption needs in the current computer environment," the report noted.

The investigators indicate that the Assistant Secretary for Information Technology has acknowledged the findings and "provided an appropriate action plan" which includes a thorough analysis "to determine whether the software is compatible with VA’s operating systems."

The action plan will result either in completion of the software deployment on all unprotected systems or in termination of the project altogether, in which case it's back to square one for the department.
