Opinion: Cryptic Reading

Encryption is hard. Case in point: the U.S. government, which requires its agencies to encrypt all sensitive data on laptops and mobile devices. But according to the Government Accountability Office, as of last year, 70 percent of such devices didn’t encrypt — and the other 30 percent weren’t in great shape either (see story).

The GAO just released a report that audited 24 agencies and departments for their mobile encryption implementations. It included trouble spots like the Department of Veterans Affairs, which in 2006 lost a laptop containing the personal information of 26 million vets and military personnel, and the Commerce Department, which has lost more than 1,000 laptops since 2001.

You already know the headline conclusion: At the time of the audit, June to September 2007, more than two-thirds of the mobile devices in these 24 agencies weren’t using encryption at all.

But that’s not the interesting part. The GAO also found that, in many cases, even the devices believed to be encrypted had problems. Sometimes the encryption wasn’t actually installed. Or it wasn’t configured correctly. Or it hadn’t been turned on. Often, users hadn’t been trained, sensitive information hadn’t been inventoried, and crypto key control procedures hadn’t been established.

You can read the gory details by downloading the report (it’s on the Web at www.gao.gov/new.items/d08525.pdf ). The real horror stories start on page 29.

(Predownload quiz: Guess which department hadn’t installed encryption on any laptops, even though officials insisted that it had? Guess which hotshot technical agency said it had no way of telling whether encryption software had been successfully installed on a laptop? And guess which department’s employees never used encryption because no one told them it was installed?)

Even if you don’t care about the dirt turned up by the audit, you should download the report. It includes a remarkably readable crib sheet on the different types of encryption for mobile device hard disks (full disk, file, folder, virtual disk), communications (VPNs, digital signatures and certificates) and handheld devices.

It also gives a good rundown of the categories of problems the agencies ran into with their encryption efforts, as well as a table listing the actual volume pricing that government agencies are getting. (One nice non-horror story from the report: The Department of Agriculture cut its own deal for 180,000 encryption licenses at $9.63 each, way below even the best government price schedule.)

In short, it’s a useful, practical overview of the ups and downs of putting encryption on laptops, portable drives and BlackBerries. And it’s based on real-world experience — even if, for most government agencies, that experience hasn’t yet translated into success.

Why do you care? Because encryption is hard. And encryption is coming to portable devices near you. Whether because of regulations, lawsuits or common sense, soon or late you’ll be doing this in your IT shop.

The more you learn now about someone else’s foul-ups, failures and dead ends, the better you’ll be able to avoid them. And as long as your tax dollars are being spent on these mistakes, you might as well get some value from the exercise.

Besides, what other report that you browse this year will tell you how the State Department dodged its audit: “Although the inventory provided by the agency indicated that the employees were assigned to the location that we visited, they were actually assigned to posts throughout the world.”
Happy summer reading.

Frank Hayes is Computerworld’s senior news columnist. Contact him at frank_hayes@ computerworld.com.

Related content:

Data encryption fuelled by data breaches, regulations

U.K. defence department adopts encryption after data breaches

FBI in the dark about its own lost laptops

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now