Encrypted laptops ease VA's concerns about data breaches
Friday - 8/3/2012, 5:17am EDT
In an organization as big as VA, quite a few laptop and even desktop computers still wind up stolen or otherwise missing every month even after the firestorm of controversy the department endured several years ago. In the department's monthly data breach report to Congress for June, VA reported 13 laptops disappeared. But the difference between now and 2006: all 13 of them had their hard drives completely encrypted.
Roger Baker, assistant secretary for information and technology, Veterans Affairs Department
"On the report that goes to the secretary every morning, we see missing laptops on a regular basis. You can imagine the level of relief that a CIO has when every one of them says, 'but the laptop was encrypted,'" he said during his monthly briefing with reporters Thursday. "Because in our world that means it's not the CIO's problem anymore. And from a cost standpoint, we're now talking about the loss of something that costs about $1,000 versus something that's going to cost us a lot of money to identify any information that might have been on it and anybody who might have been affected."
Laptops are verified
In the 2006 case, more than 26 million veterans were affected. The department eventually agreed to pay $20 million to compensate victims of identity theft.
Baker said almost as important as the fact that VA requires laptops to be encrypted by policy is the fact that the department also put tools in place to verify that they actually are.
"That enables us to see exactly what software is running and what's going on in every laptop and desktop in our organization," he said. "With those visibility tools, you can get a lot closer to absolute statements than you can by doing data calls and having to trust what you get out of 210 organizations."
But VA still is coming across some cases of laptops that have slipped through the cracks and are escaping the encryption rules. Baker offered one example of what the department refers to as a "near-miss."
No data was actually breached, but it very well could have been: an unencrypted laptop recently fell out of a vehicle whose trunk a VA clinician had failed to close properly.
"We knew there would be veterans' information on that laptop. Luckily, and I mean luckily, a military service member happened to be driving along right after that and picked it up and turned it in," he said. "That created a lot of excitement, and that's the reason we've focused on encrypting those laptops. We know they're going to be travelling and we know things are going to be happening to them. There's just no way of making an absolute assertion that nothing has happened to the information unless they're encrypted."
In the end, VA wound up not reporting that missing laptop in its monthly disclosure to Congress because its Data Breach Core Team, an independent, cross-functional review panel that reviews every potential breach incident, determined there was no serious likelihood that the laptop was ever in the hands of anyone besides VA and Defense Department personnel.
"It was a near-miss, and we learn from our near misses. To me, it's a great example of why that core team is a best practice that VA has frankly had to stand up as a result of our history. But we've learned an awful lot from that history," he said.