By Joel Rothstein
The White House has set an early August deadline for government
agencies to encrypt sensitive data after the embarrassing theft of
millions of veterans' personal information, but experts warn a quick
technology fix will not cure security problems.
While encryption and other security technology can help, slipshod
handling of data and equipment, poor training and the slow moving
government bureaucracy are seen as the main causes of vulnerability.
"The White House directive is a good first step, but we're concerned
about the time frame," said John Dasher, director of product
management at encryption software maker PGP Corp. "Do they have funds
budgeted and allocated? These are the nuts and bolts of the
procurement process."
Companies, including PGP, are eager to sell existing encryption and
other security software to the government that could be deployed in a
matter of weeks. But several executives interviewed by Reuters said
agencies must first consider basic concepts of data security before
buying software.
"I'll bet many organizations can't even tell you where sensitive data
is," said Chris Voice, chief technology officer at security software
maker Entrust Inc.. "Not only should certain data be stored and
encrypted properly, but certain people should not have access to it to
begin with it."
With personal data, such as social security numbers and addresses,
thieves can open credit card accounts and reek havoc with victims
financial lives.
PRESSURE TO MEET DEADLINES
After calls for Veterans Affairs Secretary Jim Nicholson to resign in
the wake of the stolen laptop incident, agency heads and cabinet
secretaries are now hurrying to learn about their own information
technology programs.
The VA laptop, which was later recovered by police, contained personal
data on 26.5 million veterans.
And the VA is hardly alone.
The government has been embarrassed by a spate of recently disclosed
data breaches at the Energy Department, Agriculture Department, FBI,
and even the Federal Trade Commission -- the agency responsible for
protecting Americans from fraud and identity theft.
"Agency executives do not know the value of the data they have in
their information technology systems and they take security for
granted," said Paul Kurtz, director of the Cyber Security Industry
Alliance (CSIA) and a former White House computer systems security
policy adviser.
Cabinet secretaries should insist on being informed of all security
breaches, Kurtz said.
Government agencies also face an October deadline to comply with a
2004 White House order to adopt secure access cards to protect
government buildings. The same access technology is expected to be
used to secure information technology as well.
Few, if any, agencies outside the Department of Defense are expected
to meet that deadline, according to industry sources.
Michael Butler, the official in charge of the program at the Pentagon,
was recently assigned to the General Services Administration to help
other government offices adopt secure access cards offered a more
optimistic, if qualified, view.
"There are a number of agencies who intend and have systems in test
today that are certainly capable of making the date," Butler told
Reuters. "There is much to do."
IS ENCRYPTION THE ANSWER?
Encryption software scrambles computer files to keep data private. One
of the major criticisms of encryption technology is that it is
difficult for non-technical workers to use.
Some question whether the government's mandate to encrypt all data on
laptops, Blackberries and other mobile devices is practical.
Exceptions are allowed only if approved by deputy cabinet secretaries
in writing.
"We can't be encrypting and decrypting everything," said Sarah Gates,
vice president of identity management for Sun Microsystems Inc.
Instead, private companies and government agencies should lock down
data and applications on central networks and restrict the use of
powerful laptops and hand-held devices that run applications.
"We will have to trade some convenience for better security," Gates
said.
Encryption vendors disagree. But tellingly, their most recent product
and marketing efforts have focused on making the software easier for
typical computer users to use.
"If we don't invest in making encryption technology transparent and
easy to use, it will not be used," Entrust's Voice said. "Today we
have disk encryption products where users don't have to know it's on
their laptop."
PGP claims its latest products offer similar ease of use.
Regardless of the technology approach, however, experts agree that
implementation depends on the sheer will of the government officials
involved.
"What we're talking about is not rocket science. All of the technology
exists today," said Kurtz. "It's about telling the chief information
officers to go get it done."
Copyright 2006 Reuters Limited.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. And, discuss this and other topics in our forum at
http://telecom-digest.org/forum (or)
http://telecom-digest.org/chat/index.html
For more news and headlines, please go to:
http://telecom-digest.org/td-extra/newstoday.html
Joel Rothstein (reuters@telecom-digest.org)