TechWeb

VA Had Many Security Warnings Before Its 26.5 Million-Person Breach

May 28, 2006 (08:05 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=188500807


Much of last week's howling outrage over the theft of a laptop containing personal data on millions of veterans and spouses focused on the Veterans Affairs Department's poor IT security record. The political grandstanding and indignation last week were on the mark, but we should be long past the need to chastise organizations for poor security practices. It's time for execution and enforcement.

A VA analyst took home electronic data from the office to do after-hours work on his personal computer. The data included names, Social Security numbers, and dates of birth on 26.5 million people. The laptop and an external hard drive the analyst was using, along with the data, were stolen in a May 3 burglary.

The VA ran afoul of standard security practices on many levels. The analyst was authorized to access the sensitive information, which was required for a policy-related project, but not to remove it from the office. Yet that policy was little known or largely ignored. The unidentified analyst had been taking data home as part of his work routine since 2003, unbeknownst to his supervisors, the VA inspector general's investigation found.

VA Secretary James Nicholson has plenty of company in the

VA Secretary James Nicholson has plenty of company in the "mad as hell" club


Photo by AP Photo/Charles Dharapak
What's more, the VA has a policy of encrypting sensitive data to mitigate damage in the event of a breach, but the missing data wasn't encrypted. And top brass wasn't informed until two weeks after the theft, VA Secretary James Nicholson said last week.

This confluence of sloppy security practices opened the floodgates last week on the VA and Nicholson, who at one point had to excuse himself from the shellacking he was taking at a House hearing to endure another one in the Senate. Nicholson vacillated between taking responsibility for the data breach and expressing anger. "As a veteran myself, I have to tell you I'm outraged. Frankly, I'm mad as hell," Nicholson told the House Committee on Veterans' Affairs. He won't be the only one when taxpayers find out that the gaffe will cost them at least $100 million to notify affected veterans and provide them with credit-checking services.

With the VA having done wrong by 26.5 million veterans and their relatives, members of Congress were in speech-making mode last week. Sen. Larry Craig, R-Idaho, wondered whether the VA really needs to retain all the data it has. "But I also know that when Americans contact their government or veterans file a claim, they expect in this day and age that [the government] will have their information," said Craig, chairman of the Senate's Committee on Veterans' Affairs.

"I hope what took place at the VA a few weeks ago is only an isolated incident of bad judgment by a dedicated employee seeking to do a little work at home on his own time," Craig said. "But we must not ignore the fact that at this time getting that information to his or her home was very easy. That cannot be tolerated."

That's really what this breach is all about: Companies and organizations can't rely too much on the good judgment of employees or their ability to follow policies. They need security systems that back them up when judgment and policies fail. As data is increasingly mobile--laptops, memory sticks, personal devices like iPods--the risk of loss is too great to ignore.

VA Ignored Risks
The VA failure is the largest since last summer's hack of credit card processor CardSystems, according to the Privacy Rights Clearinghouse, though that was a clear case of targeted data theft. Investigators so far don't suspect the VA loss was anything but a home burglary. Yet what's stunning about the VA case is the amount of data that one person could access and remove without requiring encryption or interacting with a supervisor. A March blunder by Fidelity Investments, in which an employee's laptop containing the names, addresses, Social Security numbers, birth dates, and other employment-related information of 196,000 participants in Hewlett-Packard retirement plans was stolen, pales in comparison with the VA mess.

The VA hadn't taken the risks related to mobile data and data security seriously enough, according to the VA's inspector general and the Government Accountability Office, which for years has criticized the agency's IT security policies and practices. "Our Federal Information Security Management Act reviews have identified significant information security vulnerabilities since fiscal 2001 that place VA at risk of denial-of-service attacks, disruption of mission-critical systems, and unauthorized access to sensitive data," George Opfer, inspector general for the Veterans Affairs Department, testified last week.




In fiscal 2004, an inspector general report made 16 recommendations on ways the VA could improve the security of its IT operations, including centralizing IT security programs, implementing an effective patch management program, and addressing unauthorized access and misuse of sensitive information (see box). None of the recommendations has been addressed, Opfer testified.

In response to the breach, the VA is requiring all employees to complete cybersecurity-awareness and privacy-awareness courses by June 30. It's also conducting a review of what sensitive data employees need access to and putting them through background checks depending on their access levels.

Data Moves, So Protect It
There are many steps organizations can take to prevent data loss of the kind the VA suffered. Foremost is encryption, which VA policy requires but wasn't done in this case. Encryption can take place on PCs and memory sticks, within back-end databases, and even as data passes through a network. M-Systems offers encryption for data stored on its USB-pluggable storage devices and memory sticks. Ingrian Networks' i110 DataSecure Platform centrally manages encryption keys from a network appliance. Microsoft's Exchange Hosted Services include encryption for securing data sent in E-mail.

There's a risk with encryption: improperly managing the keys used to decrypt data. "If you don't manage encryption properly, it's a good way to lose your data forever," warns Burton Group analyst Trent Henry. Most encryption software offers an administrative interface that IT pros can use to safely store and retrieve keys.

Encryption is embraced by companies in financial services, health care, and other tightly regulated industries. But most companies still find excuses (it's overkill, or too expensive, or too hard to use) for not deploying it widely or not enforcing encryption policies. Yet it costs much less to encrypt data than to respond to a breach, Gartner analyst Avivah Litan testified last week. A reasonable up-front cost for the systems, services, processes, and procedures to encrypt 100,000 or more customer records is about $500,000, she said.

Encryption isn't the only way for companies to ensure that data doesn't disappear with a lost or stolen mobile device. Another is never to put data on the device in the first place. If employees must work remotely, Secure Sockets Layer VPN software can give them network access to sensitive data. Companies also can deploy software and network appliances that block data from being copied to external devices or E-mailed outside the network. Technology exists for real-time analysis of outbound data content. Workshare, one of dozens of vendors that offer this sort of software and appliances, last week launched a risk assessment appliance and PC-based software to prevent data leakage.

It doesn't seem like data security is getting better, but it has improved over the past several years, Burton's Henry contends. State disclosure laws make it embarrassing and expensive for companies that don't protect their data. "It's just that it's still easy to make mistakes, and those mistakes are broadcast loudly," he says. "Even though there's been a flurry of data-breach activity, this has brought about a conversation about this topic, which is the precursor to further improvement."

That's a conversation more government agencies must have. Within companies, the risk of having to issue a security breach notice has helped IT managers get a bigger budget, says Ohio State University law professor Peter Swire. "Now there needs to be a continued pressure to upgrade security in federal agencies," he says.

Might the legal environment change to turn up that pressure? A high-profile data breach that affects the nation's veterans could be just the thing to shake Congress out of its foot-dragging on data privacy and breach-notification legislation. Last week, the House Energy and Commerce Committee and the House Financial Services Committee each proposed data privacy and protection legislation to the speaker of the House, who will decide which version the House moves forward. It's not clear what the timeframe is for a full House vote, however, and this proposed legislation, as well as bills in the Senate, has been around for months. Fewer than one in five of 1,150 U.S. adults surveyed by the Cyber Security Industry Alliance say they think existing laws can protect them from fraud, identity theft, and other Internet crimes. More than two-thirds want Congress to pass stronger legislation.

Agencies and businesses shouldn't need new laws or more embarrassing breaches to realize what's at stake. Like the VA analyst, thousands of employees are carting their work home with them every night. IT teams must address that risk--and their organizations must give them the support to create the systems and policies to reduce it.