The Bush administration is slammed in a GAO report finding that 70 percent of laptops, notebook PCs and mobile devices used by federal agencies in the executive branch are not encrypted or secure. The damaging GAO report on laptop encryption comes two years after the Department of Veterans Affairs reported the theft of a laptop containing the names and Social Security numbers of 26 million U.S. veterans, the second-largest data breach on record.
The Government Accountability Office slammed the Bush administration in a
report released July 29 saying 70 percent of laptops, notebook PCs and mobile
devices used by federal agencies in the executive branch are not encrypted or secure.
The GAO report comes more than two years after the Department of Veterans Affairs
reported that a laptop had been stolen, exposing the names and Social Security
numbers of 26 million veterans in the second-largest data breach on record.
Today only 30 percent of federal agency laptops and mobile devices are using
encryption to protect data, according to the report.
At the request of Congress, the GAO studied encryption efforts at 24 major
federal agencies and found that 70 percent of them had not yet installed
encryption technology to protect sensitive information. In addition, the GAO
reported widespread uncertainty among the agencies about encryption
requirements, particularly regarding portable media. The report covered July to
September of 2007.
"As a result, federal information may remain at increased risk of
unauthorized disclosure, loss and modification," the GAO reported.
The OMB (Office of Management and Budget) has a
policy in place requiring federal agencies to encrypt
all data on mobile computers and devices that carry agency data and use
products that have been approved by the NIST (National Institute of Standards
and Technology) cryptographic validation program.
Additionally, NIST guidance recommends that agencies adequately plan for the
selection, installation, configuration and management of encryption
"While all agencies have initiated efforts to deploy encryption
technologies, none had documented comprehensive plans to guide encryption
implementation activities such as installing and configuring appropriate
technologies in accordance with federal guidelines, developing and documenting
policies and procedures for managing encryption technologies, and training
users," the GAO said.
The GAO report comes after a series of embarrassing security gaffes by
federal agencies that began with a VA employee violating agency policy by
taking home a laptop that contained personal data on more than 26 million
veterans. The laptop was subsequently stolen in a home burglary.
Law enforcement officials eventually recovered the laptop and the FBI and
the VA Office of the Inspector General ultimately determined that the thief had
not compromised the data on the laptop. The Navy, the Department of Agriculture
and the Department of Commerce later reported security breaches of their own.
"Encryption is not an option, it is a mandate," U.S. House Committee
on Homeland Security Chairman Bennie Thompson, D-Miss., said in a statement. "Unfortunately,
I'm not surprised that despite mandates by OMB, the federal government is only
30 percent of the way there. This administration regularly falls short when it
comes to addressing our information security weaknesses."
Rep. Zoe Lofgren, D-Calif., also issued a statement expressing
disappointment at the state of the government's efforts to secure data.
"The GAO report clearly illustrates that federal agencies lag far
behind the private sector in protecting and encrypting data," Lofgren
said. "As one of Silicon Valley's elected
representatives, I'm concerned that our government is not moving fast enough in
its efforts to secure its systems and procedures. While we've seen some
improvement, the executive branch still has quite a way to go to secure its
systems and data."