Agencies still struggle to hold on to sensitive data.
Losing 26.5 million personal records when a Veterans Affairs Department laptop was stolen in May 2006 should have been a wake-up call for federal agencies. It was an unprecedented loss of personal information, on active-duty military personnel and veterans, and it prompted an Office of Management and Budget mandate in June 2006 requiring agencies to launch new security procedures by Aug. 7, 2006.
But by all accounts, agencies have failed to comply fully with the order. Indeed, nine months after VA's massive data breach, the agency lost another hard drive, this one containing sensitive information on physicians who have submitted bills to Medicare and Medicaid. Medical data on 535,000 VA patients was included in the hard drive that went missing from a Birmingham, Ala., facility. Dozens of agencies have lost sensitive information.
Some agencies say they lack money to secure their electronic records, but critics disagree. Like homeland security funding after the Sept. 11 terrorist attacks, money for data security has increased steadily. In fiscal 2006, agencies received $5.5 billion for cybersecurity, nearly 10 percent of the entire information technology budget. Agencies have yet to break down their IT security funding for fiscal 2007 and fiscal 2008, but security experts don't believe the percentage will shrink.
Agencies that haven't promised to pony up bigger dollar amounts for cybersecurity are encouraged to hold back on new projects to fund that critical need, according to Karen Evans, OMB administrator of e-government and information technology. Agencies are supposed to "live, eat and breathe" cybersecurity, she says. In a March 20 memorandum to chief information officers, Evans required agencies to move to a standard desktop configuration for Windows operating systems. The standard is supposed to speed up the installation of security updates. But some security experts, including Purdue University Professor Eugene Spafford, say a standard configuration could make computers more vulnerable. Some operating systems and applications lack security controls, he says.
OMB's mandate urges agencies to encrypt data on remote computers and permit access only with two modes of authentication. But implementation has been spotty. An October 2006 report by the President's Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency found that three-quarters of all agencies still are trying to assess the vulnerability of the personal information they manage.
Developing enforceable policies on the use of sensitive information remains a challenge, the report says. Agencies also have had difficulties safeguarding their systems, the report says, adding that systematically enforcing computer encryption is critical.
Critics say the new OMB guidelines fail to address conflicting goals. For one thing, it's not in the best interest of federal employees to create a culture of cybersecurity awareness, says Eric Hay, worldwide director of field engineers for Credant Technologies Inc., a Dallas-based mobile data security firm. Clamping down on information can make it difficult for employees to do their jobs when they are in the field or working across agency lines. Organizations evaluate staff performance on productivity, not security, Hay says. Employees are going to choose productivity over security, he says, so "don't let them make the choice."
Scott McNealy, chairman of the board for Sun Microsystems, says government isn't fully adopting readily available information security technology. His solution is to remove data from individual computers and store it on a mainframe server, where it is available for downloads. That way, should someone steal a laptop or other computer device, the data isn't on the hard drive. "I haven't stolen anything . . . there's no data," he says.
Despite movement toward establishing safeguards, the challenge of protecting sensitive data continues to elude agencies, security experts say. Many fear that if agencies don't work faster to tighten controls, the personal information held in their databases could go walking out the door at any time.