[ISN] Feds encrypt 800,000 laptops; 1.2 million to go

From: InfoSec News (alerts@private)
Date: Fri May 23 2008 - 00:12:41 PDT


http://www.networkworld.com/news/2008/052008fedlaptops.html

By Carolyn Duffy Marsan 
Network World
05/22/2008

U.S. government agencies are scrambling to plug one of their biggest 
security holes: sensitive information -- names, addresses and Social 
Security numbers, for example -- stored on laptops, handhelds and thumb 
drives. 

In the last year, agencies have purchased 800,000 licenses for 
encryption software through the federal Data at Rest (DAR) Encryption 
program, which is run jointly by the General Services Administration and 
the U.S. Department of Defense.

"Sales have been very brisk," says Fred Schobert, CTO for integrated 
technology services at the General Services Administration's Federal 
Acquisition Service. "We've been somewhat overwhelmed."

The government's fast adoption rate of encryption software comes after 
numerous headline-grabbing security breaches. Laptop encryption has also 
been on the rise among corporations, including the likes of EMC and IBM.

It's been two years since teens stole a laptop from the home of a U.S.
Department of Veterans Affairs employee, putting at risk for identity
theft a database of names and Social Security numbers for 26.5 million
veterans and military personnel.

But this year alone, laptops with personally identifiable information 
have been stolen from Bolling Air Force Base, a Marine Corps base in 
Okinawa, Japan and the National Institutes of Health in Bethesda, Md. In 
all of these cases, data that wasn't encrypted on these laptops could 
have been used by thieves for identity theft, according to a list of 
known security breaches compiled by the Privacy Rights Web site. 

While sales on the DAR Encryption program are stronger than anticipated, 
federal officials admit they haven't secured all of their laptops, 
handhelds and removable drives yet.

"It was originally thought that there would be about 1 million laptops
in DoD and one million in civilian agencies. We roughly came up with the
number of 2 million laptops. However that number is informal. It's
constantly being expanded and contracted," says David Hollis, program
manager for the Defense Department's Data at Rest Tiger Team.

"We're not worrying about how many laptops and PDAs there are in the
government. We're trying to provide an opportunity for federal, state
and local governments to secure what's out there," Hollis said.

The Office of Management and Budget requires federal agencies to 
purchase encryption software for laptops, handhelds and removable 
storage devices.

The DAR program, which offers encryption software from 10 leading 
vendors, "is really one of the cornerstones of security information
assurance overall in terms of the U.S. government," says Robert Lentz,
deputy assistant secretary for Information and Identity Assurance at the 
Defense Department.

One reason feds are buying encryption software is that the prices are so 
low. On the DAR Encryption program, feds are paying only $10 to $12 per 
laptop for software that retails at $125 or more.

"The federal IT budget alone is around $70 billion. When you think
about the scale of that budget, $12 a laptop is pretty cheap
insurance," says Ray Bjorklund, senior vice president of Fed Sources, a
McLean, Va., market research firm.

Federal officials say they have sold $17 million worth of encryption 
software through the DAR program to date. More significant, they say, 
are the total savings.

"The discounts we have achieved have resulted in a total cost avoidance
of $79 million," Schobert said.

Federal officials say they are getting a discount of more than 80% off 
retail pricing for encryption software. That's one of the reasons that 
state and local government agencies are using the contract to buy 
software.

So far, 76% of sales from the DAR Encryption contracts have been from 
federal agencies, while 24% have been from state and local government 
agencies.

"Our largest purchases were made by Agriculture, IRS, Transportation,
Army and Social Security Administration," Schobert says. "Thirty state
and local government agencies have purchased off the DAR [contracts].
These include . . . the New York State Power Authority, the Florida
Department of Corrections and Ohio State University."

The DAR Encryption program is the primary contract for federal agencies 
to purchase this type of software. Civilian agencies aren't required to 
use the DAR Encryption program, but military agencies are.

"From the DOD standpoint, it's mandatory," Lentz says. "We have made
it clear to the department after this award occurred that we wanted to
have all crucial mobile devices using this technology by the end of the
year. This is the only vehicle they have to buy it."

Encryption of mobile data is a serious issue for government agencies, 
Bjorklund says.

"As the wireless technology becomes more robust and more reliable,
there is a strong likelihood that it can be used for critical command
and control-type applications, and that's where the need for security
becomes very, very high," he adds.

Federal officials are expecting strong sales to continue on the DAR 
Encryption program, as agencies continue to encrypt the data on their 
laptops and increasingly on their smartphones. GSA said the five-year 
DAR Encryption contracts could be worth more than $79 million when they 
were awarded.

"There is an opportunity for significant sales ahead," Schobert says.
"The first year, we were in start-up mode."

The most popular products on the DAR Encryption program are hybrid 
software packages that offer full disk and file folder encryption.

"The larger organizations want to buy one software product. They want
full-disk encryption on their laptops, but they also want to put it on
their workstations to encrypt the files they put on removable storage
devices," Hollis says.

All contents copyright 1995-2008 Network World, Inc.

