Following a slew of high-profile data breaches, U.S. government agencies have largely failed to roll out planned encryption deployments, leaving about 70 percent of their systems with unencrypted sensitive data, the Government Accountability Office stated in a recent report.
The report, highlighted in a statement released by the House Committee on Homeland Security on Monday, found that the lack of a specific requirement to encrypt sensitive data has led to spotty information security. The White House's Office of Management and Budget recommended in 2006 that all agencies encrypt data on laptop computers and mobile devices. In 2007, the OMB made encryption for such devices a requirement.
"Encryption is not an option, it is a mandate," Rep. Bennie G. Thompson, D-MS, chairman of the House Committee on Homeland Security, said in the statement. "Unfortunately, I'm not surprised that despite mandates by OMB, the Federal government is only 30 percent of the way there."
In the past two years, U.S. agencies have suffered a number of high-profile breaches that have caused potential privacy headaches. In 2006, the Department of Veterans Affairs lost a laptop and external hard drive, later recovered, with sensitive information on nearly 26.5 million members of the military. The potential breach was only exceptional in its sheer size; numerous other agencies -- including the Transportation Security Administration (TSA), Department of the Navy and the Department of Agriculture -- have also lost data on storage devices or through hacks.
In 2006, the OMB instructed U.S. federal agencies to alert the U.S. Computer Emergency Readiness Team (US-CERT) within one hour to any breach involving personally identifiable information, even if the possibility of a breach is only suspected. Using US-CERT data, the GAO report found that attacks on federal systems had jumped more than 250 percent between 2005 and 2007, with 13,029 incidents reported last year.
All major agencies have begun deploying encryption technology, but the GAO report recommends that the White House clarify rules on the types of sensitive data that need to be protected using encryption technology.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos