By Carolyn Duffy Marsan
U.S. government agencies are scrambling to plug one of their biggest
security holes: sensitive information -- names, addresses and Social
Security numbers, for example -- stored on laptops, handhelds and thumb
In the last year, agencies have purchased 800,000 licenses for
encryption software through the federal Data at Rest (DAR) Encryption
program, which is run jointly by the General Services Administration and
the U.S. Department of Defense.
"Sales have been very brisk," says Fred Schobert, CTO for integrated
technology services at the General Services Administration's Federal
Acquisition Service. "We've been somewhat overwhelmed."
The government's fast adoption rate of encryption software comes after
numerous headline-grabbing security breaches. Laptop encryption has also
been on the rise among corporations, including the likes of EMC and IBM.
It's been two years since teens stole a laptop from the home of a U.S.
Department of Veterans Affairs employee, putting at risk for
identity theft a database of names and Social Security
numbers for 26.5 million veterans and military personnel.
But this year alone, laptops with personally identifiable information
have been stolen from Bolling Air Force Base, a Marine Corps base in
Okinawa, Japan and the National Institutes of Health in Bethesda, Md. In
all of these cases, data that wasn't encrypted on these laptops could
have been used by thieves for identity theft, according to a list of
known security breaches compiled by the Privacy Rights Web site.
While sales on the DAR Encryption program are stronger than anticipated,
federal officials admit they haven't secured all of their laptops,
handhelds and removable drives yet.
"It was originally thought that there would be about 1 million laptops
in DoD and one million in civilian agencies. We roughly came up with the
number of 2 million laptops. However that number is informal. It's
constantly being expanded and contracted," says David Hollis, program
manager for the Defense Department's Data at Rest Tiger Team.
"We're not worrying about how many laptops and PDAs there are in the
government. We're trying to provide an opportunity for federal, state
and local governments to secure what's out there," Hollis said.
The Office of Management and Budget requires federal agencies to
purchase encryption software for laptops, handhelds and removable
The DAR program, which offers encryption software from 10 leading
vendors, "is really one of the cornerstones of security information
assurance overall in terms of the U.S. government," says Robert Lentz,
deputy assistant secretary for Information and Identity Assurance at the
One reason feds are buying encryption software is that the prices are so
low. On the DAR Encryption program, feds are paying only $10 to $12 per
laptop for software that retails at $125 or more.
"The federal IT budget alone is around $70 billion. When you think
about the scale of that budget, $12 a laptop is pretty cheap
insurance," says Ray Bjorklund, senior vice president of Fed Sources, a
McLean, Va., market research firm.
Federal officials say they have sold $17 million worth of encryption
software through the DAR program to date. More significant, they say,
are the total savings.
"The discounts we have achieved have resulted in a total cost avoidance
of $79 million," Schobert said.
Federal officials say they are getting a discount of more than 80% off
retail pricing for encryption software. That's one of the reasons that
state and local government agencies are using the contract to buy
So far, 76% of sales from the DAR Encryption contracts have been from
federal agencies, while 24% have been from state and local government
"Our largest purchases were made by Agriculture, IRS, Transportation,
Army and Social Security Administration," Schobert says. "Thirty state
and local government agencies have purchased off the DAR [contracts].
These include . . . the New York State Power Authority, the Florida
Department of Corrections and Ohio State University."
The DAR Encryption program is the primary contract for federal agencies
to purchase this type of software. Civilian agencies aren't required to
use the DAR Encryption program, but military agencies are.
"From the DOD standpoint, it's mandatory," Lentz says. "We have made
it clear to the department after this award occurred that we wanted to
have all crucial mobile devices using this technology by the end of the
year. This is the only vehicle they have to buy it."
Encryption of mobile data is a serious issue for government agencies,
"As the wireless technology becomes more robust and more reliable,
there is a strong likelihood that it can be used for critical command
and control-type applications, and that's where the need for security
becomes very, very high," he adds.
Federal officials are expecting strong sales to continue on the DAR
Encryption program, as agencies continue to encrypt the data on their
laptops and increasingly on their smartphones. GSA said the five-year
DAR Encryption contracts could be worth more than $79 million when they
"There is an opportunity for significant sales ahead," Schobert says.
"The first year, we were in start-up mode."
The most popular products on the DAR Encryption program are hybrid
software packages that offer full disk and file folder encryption.
"The larger organizations want to buy one software product. They want
full-disk encryption on their laptops, but they also want to put it on
their workstations to encrypt the files they put on removable storage
devices," Hollis says.
All contents copyright 1995-2008 Network World, Inc.