US Mobile Security, Part 1: How Great Is the Risk?

Last week, Maryland police arrested two teenagers for the theft of a laptop and hard drive loaded with sensitive data for millions of veterans and military personnel. The equipment contained the names, Social Security numbers and birth dates of millions of up to 26.5 million veterans discharged since 1975 — the U.S. government’s worst datasecurity breach to date.

The computer was stolen during a May 3 burglary of aVeterans Affairs employee’s Aspen Hill, Md., home. Both the laptop and hard drive were turned into the FBI in June by an unidentified person in response to a US$50,000 reward offer, according to authorities.

Lucky This Time

The suspects apparently did not target the home, nor did they realize what the hard drive contained until the case was publicized. “While this arrest is good news, we were lucky that the data belonging to veterans was not accessed and misused,” said Congressman Steve Buyer (R-Ind.), chairman of the House Veterans Affairs Committee, in a statement. “The vulnerability is real, and with the help of Congress, the VA must move forward with information security reform.”

Backtrack some 45-plus days to June 23. Responding to the recent spate of U.S. government data security breaches, Clay Johnson III, the deputy director of the Office of Management and Budget, issued a memorandum to the heads of all U.S. government departments and agencies regarding “the protection of sensitive agency information.”

In short, the OMB’s “Memo M-06-16” gave all government agency heads 45 days to conduct assessments of their mobile data and network remote-access provisions to ensure that they were in full compliance with a checklist of both existing National Institute of Standards (NIS) regulations and new security recommendations. Not surprisingly, the weeks leading up to the OMB’s deadline were hectic ones, not only for government agency managers and their IT security staffs, but for the security vendors who serve them.

With its 45-day limit having passed on August 7, the OMB is now working with the Inspectors General to evaluate department and agency security assessments to verify that the memo’s guidelines have been met.

Mobile Security Wake-Up Call

While the OMB’s memorandum was a quick and decisive response to recent breaches of security within the U.S. government, its focus may have been far too narrow, according to Kirk Nahra, a partner at Washington law firm Wiley, Rein & Fielding.

“This is a perfect example of both good news and bad news in how the government — and many private companies — react to security issues,” Nahra told the E-Commerce Times. “This memorandum is primarily a reactive step in connection with specific problems that have arisen. In the sense that it is a prompt and aggressive reaction, it is good news. Security programs need to be re-evaluated constantly.

“The bad news is that there wasn’t any overall effort to review security practices or look ahead to other kinds of potential problems,” Nahra added. “The GAO, for example, has been identifying specific shortcomings with numerous government agencies on information security issues for several years now, without any significant resources being devoted to fixing this problem. It often takes an incident like the VA incident — which was bad and obviously could have been much worse — to prompt action.”

The VA laptop and hard drive theft was one of a recent string of data breaches suffered by U.S. government departments. The Internal Revenue Service, the Social Security Administration and the U.S. Department of Energy have also been the targets of network and systems incursions during the first half of 2006.

Seventy-seven percent of all reported information loss is the result of lost or stolen computing equipment, according to statistics compiled by the Privacy Rights Clearinghouse, based on data breaches that have occurred since February 2005. A Baseline magazine report found that laptop theft accounted for 59 percent of all computer attacks in government agencies, corporations and universities in 2003.

However, U.S. government agencies are certainly not alone in facing a large and growing number of data breaches resulting from the theft of laptops, PDAs and cell phones.

In fact, data losses due to equipment theft have been greater than those attributed to malicious network attacks and software exploits. One out of every 10 laptops is stolen, according to statistics gathered by San Francisco-based IT security systems provider Vontu.

More than 600,000 laptop thefts occurred in 2003, totaling an estimated $720 million in physical losses and $5.4 billion in lost proprietary information, according to a 2004 Safeware Insurance report.

“The trend toward mobility is the No. 1 factor heightening the risk of data loss as businesses increasingly use notebook computers, PDAs, smartphones and portable storage media to work outside the office,” said Bob Egner, vice president of product management for Ill.-based Pointsec Mobile Technologies.

“In the past, from the bad guy’s perspective, he could grab a laptop, resell it, and make a quick $500 for the equipment. Now, with personal information or potentially classified information, the bad guy can make a lot more money on a simple theft. He can now sell the information off the computer, not just the computer itself. The data has become more valuable,” Egner told the E-Commerce Times.

Who Ya Gonna Call?

Pointsec focuses specifically on the government IT security market. According to company statistics, Pointsec’s solutions secure some 100,000 endpoints in over 100 government agencies. “In addition, we have begun receiving a large number of calls from agencies who have not yet implemented a solution and are eager to get security in place as soon as possible,” Egner noted.

Along with the necessity of meeting stringent, legally mandated security requirements, the government IT security market is characterized by the need for scalability, Egner explained. “Government agencies typically have much larger install bases, and the products they choose need to easily scale to their size.”

Entrust similarly has a long history of providing IT security solutions to U.S. government agencies. The company’s offerings include critical authentication and information protection for the Departments of Justice, State, Agriculture, Energy and Labor, as well as NASA and the FBI, said Eric Skinner, vice president of product management and alliances at Dallas, Texas-based Entrust.

Like a number of its counterparts, Entrust’s U.S. Federal Accounts Team began gearing up in the wake of OMB Memo M-06-16 for a possible rush of requests from U.S. government accounts for rapid-response security assessments.

Apparently, it was a good thing they did. Asked what effect the OMB’s memo has had, Skinner said, “Entrust has seen a dramatic increase in interest from its broad base of U.S. government customers. These agencies are clearly taking the OMB directive seriously.”

In like fashion, Vontu launched a Federal Risk Assessment Program for compliance with OMB M-06-16 on July 7, which has resulted in increased interest in Vontu solutions from government agencies, Kit Robinson, a Vontu director, told the E-Commerce Times.

Vontu’s FRA program enables government agencies to measure their level of data loss risk attributable to sensitive, unencrypted data that could be exposed in three key areas: on laptops or desktops that could be lost or stolen; on open file shares and servers; and exiting the network via e-mail, Web mail, instant messaging, file transfers or other Internet protocols.