Closing the Loop

Agencies still struggle to hold on to sensitive data.

Losing 26.5 million personal records when a Veterans Affairs Department laptop was stolen in May 2006 should have been a wake-up call for federal agencies. It was an unprecedented loss of personal information, on active-duty military personnel and veterans, and it prompted an Office of Management and Budget mandate in June 2006 requiring agencies to launch new security procedures by Aug. 7, 2006.

But by all accounts, agencies have failed to comply fully with the order. Indeed, nine months after VA's massive data breach, the agency lost another hard drive, this one containing sensitive information on physicians who have submitted bills to Medicare and Medicaid. Medical data on 535,000 VA patients was included in the hard drive that went missing from a Birmingham, Ala., facility. Dozens of agencies have lost sensitive information.

Some agencies say they lack money to secure their electronic records, but critics disagree. Like homeland security funding after the Sept. 11 terrorist attacks, money for data security has increased steadily. In fiscal 2006, agencies received $5.5 billion for cybersecurity, nearly 10 percent of the entire information technology budget. Agencies have yet to break down their IT security funding for fiscal 2007 and fiscal 2008, but security experts don't believe the percentage will shrink.

Agencies that haven't promised to pony up bigger dollar amounts for cybersecurity are encouraged to hold back on new projects to fund that critical need, according to Karen Evans, OMB administrator of e-government and information technology. Agencies are supposed to "live, eat and breathe" cybersecurity, she says. In a March 20 memorandum to chief information officers, Evans required agencies to move to a standard desktop configuration for Windows operating systems. The standard is supposed to speed up the installation of security updates. But some security experts, including Purdue University Professor Eugene Spafford, say a standard configuration could make computers more vulnerable. Some operating systems and applications lack security controls, he says.

OMB's mandate urges agencies to encrypt data on remote computers and permit access only with two modes of authentication. But implementation has been spotty. An October 2006 report by the President's Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency found that three-quarters of all agencies still are trying to assess the vulnerability of the personal information they manage.

Developing enforceable policies on the use of sensitive information remains a challenge, the report says. Agencies also have had difficulties safeguarding their systems, the report says, adding that systematically enforcing computer encryption is critical.

Critics say the new OMB guidelines fail to address conflicting goals. For one thing, it's not in the best interest of federal employees to create a culture of cybersecurity awareness, says Eric Hay, worldwide director of field engineers for Credant Technologies Inc., a Dallas-based mobile data security firm. Clamping down on information can make it difficult for employees to do their jobs when they are in the field or working across agency lines. Organizations evaluate staff performance on productivity, not security, Hay says. Employees are going to choose productivity over security, he says, so "don't let them make the choice."

Scott McNealy, chairman of the board for Sun Microsystems, says government isn't fully adopting readily available information security technology. His solution is to remove data from individual computers and store it on a mainframe server, where it is available for downloads. That way, should someone steal a laptop or other computer device, the data isn't on the hard drive. "I haven't stolen anything . . . there's no data," he says.

Despite movement toward establishing safeguards, the challenge of protecting sensitive data continues to elude agencies, security experts say. Many fear that if agencies don't work faster to tighten controls, the personal information held in their databases could go walking out the door at any time.
