Dormant, Shelved Encryption Licenses: Veterans Affairs Department Only Activates 16.25% Of Procured Licenses.

According to a government report, the Veterans Affairs Department (VA) has installed and activated only 65,000 licenses.  Let me repeat that: only 65,000 licenses.  Only?  65,000 licenses are a lot of licenses.  Well, it turns out that these figures represent 16.25% of all encryption licenses that were procured after VA’s massive 2006 data breach.

Things like these don’t happen with AlertBoot Mobile Security, which provides on-demand encryption procurement: encryption licenses are purchased on an “as necessary” basis.  Need eleven licenses?  You can get that.  Need them for a 4-month period only, or maybe just a month?  You can get that, too.

VA Purchased a Total of 400,000 Licenses at a Cost of $5.9 Million

The OIG, the Office of the Inspector General, notes in an October 11, 2012 report that (my emphases):

The [VA] department has installed and activated only 65,000 of the Guardian Edge encryption licenses it bought since a massive data breach in 2006 involving records of 26.5 million active duty troops, veterans, and their family members.

That amounts to just 16.25 percent of licenses procured, auditors say. The VA initially purchased 300,000 encryption licenses in 2006 and bought another 100,000 licenses in 2011, spending about $5.9 million total in license fees and maintenance agreements, according to the report.

The remaining 335,000 licenses have generated “about $5.1 million in questioned costs” and their inactive status means “veterans’ personally identifiable information remains at risk of inadvertent or fraudulent access,” says the report.

I’m not sure if I can agree with the last statement regarding a heightened risk to veterans’ personal information.  Based on what I’ve read before, all VA laptops were encrypted as of February 2012, and its CIO has even boasted of their best practices, which, regardless of the OIG’s report, are still very good best practices.

So, the fact that there are extra licenses lying around shouldn’t be taken as signs that veterans should be expecting another data breach because a laptop computer was lost or stolen.

On the other hand, who the heck has $5.1 million to blow, probably recurring on an annual basis?  That money could certainly be funneled towards more constructive uses.

Signs of Inadequate Planning

The OIG pointed out that (my emphases):

This large-scale failure is “due to inadequate planning and management” specifically by OIT forgetting to include time to test software for compatibility with VA computers, not maintaining a sufficient workforce to install the encryption, and inadequately monitoring its systems to verify that encryption was present on VA laptops and desktops.

OIT officials told auditors the main reason for the lack of protection is incompatibility issues between different VA computers and the encryption software. “OIT discontinued installation of the encryption software until OIT could upgrade and standardize VA’s computer equipment,” says the OIG.

To play contrarian, and to defend the VA, testing can only do so much.  Of course, you can’t defend a massive failure of software deployment; the numbers above definitely point to little to no testing.  But, testing cannot reveal all the different ways that encryption fails to work on a particular computer.

Here, at AlertBoot, we’ve seen a lot.  I don’t want to say “we’ve seen it all” because I’m of the opinion that there’s more where these failures come from, and then some.  Generally, they fall into three categories:

  • Faulty hardware.  It literally could be anything but the monitor.  Incompatible hard drives and CPUs.  Faulty motherboards that work as long as encryption is not used.  There are other hardware issues that don’t readily come to mind.  There are probably issues that we’ve been unable to resolve or identify, but the client decided that they’d just get a new laptop computer, which represented a much needed upgrade anyway.

  • Operating system incompatibility.  Which operating system is running on your computer makes a difference.  I’m not referring only to Mac vs. Windows vs. Linux vs. SomethingElse.  I’m also talking about versions within the same OS.  What works under Win 7 might not under Win XP and vice versa.  If an organization keeps precise and accurate track of every endpoint’s details, this won’t be a problem.

    I don’t think that that has ever happened.  There’s always some device that goes unnoticed or undocumented or both.

  • Software incompatibility.  Software incompatibilities are less of a problem in modern settings, but they still occur.  For example, it’s suggested that you don’t run two different antivirus packages on the same computer, not because it’s going to slow down your device to a crawl, but because there’s a chance that they’ll attack each other as virus-laden programs.  Likewise, the use of encryption with different security programs, including antivirus software, can cause problems.

Testing is great when you start out, but problems will crop up as your company’s or organization’s computer devices and software start to go through that period of upgrades and replacements.

A Better Model: On Demand, As You Need It

Most encryption software providers work like traditional software companies: there are requirements for a pre-determined license period as well as minimum license purchase requirements (such as in lots of 100).  When managed irresponsibly, you can end up in a situation such as the one the VA is facing, although you can also arrive at such a state while trying to be responsible.

This is why we at AlertBoot have created and advocate the use of a model where encryption licenses are acquired “on-demand” and “as you need it.”  On-demand because you can sign up to encrypt your computer at any time you want, just like ordering a movie on Netflix.

As you need it because you can get as many (or as few) licenses as you require.  Are you looking to encrypt one computer?  You can do that, without paying for an extra 99 licenses, if you’re using AlertBoot.  Would you like to add another 7 licenses one week from now?  Very do-able.  No other encryption provider allows this flexibility, as far as we know.

Plus, you can sign up for encryption on a month-to-month basis or on an annual basis (which comes with a discount).
