No quick fix for government data security
It'll take more than installing technology to cure security gaps at U.S. government agencies, experts say.
However, experts warn a quick technology fix will not cure security problems. While encryption and other security technology can help, slipshod handling of data and equipment, poor training and the slow moving government bureaucracy are seen as the main causes of vulnerability.
"The White House directive is a good first step, but we're concerned about the time frame," said John Dasher, director of product management at encryption software maker PGP. "Do they have funds budgeted and allocated? These are the nuts and bolts of the procurement process."
Companies, including PGP, are eager to sell existing encryption and other security software to the government that could be deployed in a matter of weeks. But several executives said agencies must first consider basic concepts of data security before buying software.
"I'll bet many organizations can't even tell you where sensitive data is," said Chris Voice, chief technology officer at security software maker Entrust. "Not only should certain data be stored and encrypted properly, but certain people should not have access to it to begin with it."
With personal data, such as social security numbers and addresses, thieves can open credit card accounts and wreak havoc with victims financial lives.
Pressure to meet deadlines
After calls for Veterans Affairs Secretary Jim Nicholson to resign in the wake of the stolen laptop incident, agency heads and cabinet secretaries are now hurrying to learn about their own information technology programs.
The Veterans Affairs Department laptop, which was later recovered by police, contained personal data on 26.5 million veterans.
The agency is hardly alone.
The government has been embarrassed by a spate of recently disclosed data breaches at the
"Agency executives do not know the value of the data they have in their information technology systems and they take security for granted," said Paul Kurtz, director of the Cyber Security Industry Alliance (CSIA) and a former White House computer systems security policy adviser.
Cabinet secretaries should insist on being informed of all security breaches, Kurtz said.
Government agencies also face an October deadline to comply with a 2004 White House order to adopt secure access cards to protect government buildings. The same access technology is expected to be used to secure information technology as well.
Few, if any, agencies outside the Department of Defense are expected to meet that deadline, according to industry sources.
Michael Butler, the official in charge of the program at the Pentagon, was recently assigned to the General Services Administration to help other government offices adopt secure access cards offered a more optimistic, if qualified, view.
"There are a number of agencies who intend and have systems in test today that are certainly capable of making the date," Butler said. "There is much to do."
Encryption software scrambles computer files to keep data private. One of the major criticisms of encryption technology is that it is difficult for nontechnical workers to use.
Some question whether the government's mandate to encrypt all data on laptops, BlackBerrys and other mobile devices is practical. Exceptions are allowed only if approved by deputy cabinet secretaries in writing.
"We can't be encrypting and decrypting everything," said Sarah Gates, vice president of identity management for Sun Microsystems.
Instead, private companies and government agencies should lock down data and applications on central networks and restrict the use of powerful laptops and handheld devices that run applications.
"We will have to trade some convenience for better security," Gates said.
Encryption vendors disagree. But tellingly, their most recent product and marketing efforts have focused on making the software easier for typical computer users to use.
"If we don't invest in making encryption technology transparent and easy to use, it will not be used," Entrust's Voice said. "Today, we have disk encryption products where users don't have to know it's on their laptop."
PGP claims its latest products offer similar ease of use.
Regardless of the technology approach, however, experts agree that implementation depends on the sheer will of the government officials involved.
"What we're talking about is not rocket science. All of the technology exists today," Kurtz said. "It's about telling the chief information officers to go get it done."