Encrypted laptops ease VA's concerns about data breaches
Friday - 8/3/2012, 5:17am EDT
In an organization as big as VA, quite a few laptop and even desktop computers still wind up stolen or otherwise missing every month even after the firestorm of controversy the department endured several years ago. In the department's monthly data breach report to Congress for June, VA reported 13 laptops disappeared. But the difference between now and 2006: all 13 of them had their hard drives completely encrypted.
Roger Baker, assistant secretary for information and technology, Veterans Affairs Department
"On the report that goes to the secretary every morning, we see missing laptops on a regular basis. You can imagine the level of relief that a CIO has when every one of them says, 'but the laptop was encrypted,'" he said during his monthly briefing with reporters Thursday. "Because in our world that means it's not the CIO's problem anymore. And from a cost standpoint, we're now talking about the loss of something that costs about $1,000 versus something that's going to cost us a lot of money to identify any information that might have been on it and anybody who might have been affected."
Laptops are verified
In the 2006 case, more than 26 million veterans were affected. The department eventually agreed to pay $20 million to compensate victims of identity theft.
Baker said that almost as important as VA's policy requiring laptops to be encrypted are the tools the department put in place to verify that they actually are.
"That enables us to see exactly what software is running and what's going on in every laptop and desktop in our organization," he said. "With those visibility tools, you can get a lot closer to absolute statements than you can by doing data calls and having to trust what you get out of 210 organizations."
But VA still is coming across some cases of laptops that have slipped through the cracks and are escaping the encryption rules. Baker offered one example of what the department refers to as a "near-miss."
No data was actually breached, but it very well could have been: an unencrypted laptop recently fell out of a vehicle trunk that a VA clinician had failed to close properly.
"We knew there would be veterans' information on that laptop. Luckily, and I mean luckily, a military service member happened to be driving along right after that and picked it up and turned it in," he said. "That created a lot of excitement, and that's the reason we've focused on encrypting those laptops. We know they're going to be travelling and we know things are going to be happening to them. There's just no way of making an absolute assertion that nothing has happened to the information unless they're encrypted."
In the end, VA wound up not reporting that missing laptop in its monthly disclosure to Congress because its Data Breach Core Team, an independent, cross-functional review panel that reviews every potential breach incident, determined there was no serious likelihood that the laptop was ever in the hands of anyone besides VA and Defense Department personnel.
"It was a near-miss, and we learn from our near misses. To me, it's a great example of why that core team is a best practice that VA has frankly had to stand up as a result of our history. But we've learned an awful lot from that history," he said.