
Security is job 1

By David Perera
Published on November 26, 2007



More for less

State and local agencies can buy encryption solutions through the blanket purchase agreements the General Services Administration and the Defense Department awarded June 11. The licenses are sold in quantities of 10,000, 33,000 or 100,000 users. But smaller buyers can pool their requirements to make large joint purchases, attaining deeper discounts than individual orders would.

“For the small agencies, absolutely, it’s in their interest to try to leverage the orders from some large agencies,” said Tom Kireilis, director of strategic solutions at GSA. “That’s what we’re in the business of doing.”

New York has already signaled its intention to buy encryption through GSA. “By working with the federal government to protect this important information, we have the ability to add another layer of protection to New York’s cybersecurity program in an extremely cost-effective way,” said Gov. Eliot Spitzer.

— David Perera


Scandals start small. A botched burglary at the Watergate complex ends up toppling a president. The minor theft of portable computer equipment from a suburban Maryland home unleashes an enormous effort to secure federal data. 

By now, most people in the cybersecurity world know the story of how a data analyst at the Veterans Affairs Department in May 2006 took digitized records of active-duty troops and veterans home to work on a database — only to have burglars steal his equipment.

By the time authorities recovered the pilfered gear, which had been sold at an electronics black market near the Wheaton, Md., Metro station, it was too late to stop the firestorm of public indignation sweeping through government. The incident left in its wake destroyed careers and a blistered federal reputation for protecting the private information of citizens. 

Soon, the Office of Management and Budget stepped into the data breach fray.

A June 23, 2006, memo signed by Clay Johnson, deputy director for management at OMB, and authored by the Office of E-Government and Information Technology, directed agencies to encrypt all agency data kept on mobile devices within 45 days. 

The mandate's timing and its practically impossible 45-day deadline were perceived in some corners to be mostly a bureaucratic palliative against a national embarrassment, but few could dispute its underlying logic. The lost VA information wasn't classified. Although secret data has long been shielded by stringent controls, bread-and-butter unclassified data lacked such protection.

But in today's world, data doesn't have to be classified for its loss to be damaging to citizens. Personally identifiable information such as Social Security numbers, birth dates and names can be a gold mine for identity thieves. 

As the value of personally identifiable information has risen, so have the possibilities for such data to leak into the cybersphere. Flash drives that store hundreds of megabytes of data sell for the price of a movie ticket. Musically inclined employees carry portable devices that often have more memory than many hard drives. "The amount of information that could be stored on mobile devices is equal to what we used to be able to put into a whole database farm," said Robert Lentz, deputy assistant secretary of Defense for information and identity assurance.

John Grimes, chief information officer at the Defense Department, signed a follow-up memo July 3 mandating that DOD components report their encryption implementation status by Dec. 31.

"All unclassified DOD data at rest that has not been approved for public release and is stored on mobile computing devices such as laptops and personal digital assistants or removable storage media such as thumb drives and compact disks, shall be treated as sensitive data and encrypted using commercially available encryption technology," Grimes said. 

Like it or not, the VA data leak forced federal agencies to finally confront what had for many years been a growing problem.

But to correct it, they would need to spend money. Security measures are expensive. They require new software and possibly new hardware. Federal officials like to tell one another stories of desperate agencies sealing USB ports with epoxy glue as a final measure against the onslaught of portable data devices. No one will confirm seeing it or doing it themselves, but plenty of people know a friend of a friend who vows it's true. But the truth is that pretending mobile devices don't exist isn't a solution. 

Bulls-eye DARTT

Two months after OMB issued its encryption memo, DOD put together a team to develop technical requirements for its implementation.

The group, called the DOD Data-at-Rest Tiger Team (DARTT), aimed to implement blanket purchase agreements to allow bulk buying of encryption solutions by DOD components within two months. DOD, through its Enterprise Software Initiative, attempts to aggregate technical requirements among disparate buyers for commodity purchases. 

Cryptography might evoke images of mathematicians concocting intricate algorithms, but implementing encryption software isn't the stuff of doctoral theses. It's a commodity, too. 

DOD isn't alone in buying in bulk; OMB and the General Services Administration launched the governmentwide SmartBuy initiative in 2003 for enterprise software purchases. Civilian agencies must consider the program when making major software purchases. As a result, the DARTT team grew to encompass 18 additional civilian agencies and NATO. DARTT participants settled on 103 joint requirements, 40 of which they graded as critical. On June 11, ESI and SmartBuy jointly announced blanket purchase agreements with 10 cybersecurity vendors. To purchase from the agreements, DOD and NATO buyers go through the ESI office, and civilian agencies work through GSA.

David Hollis, a DOD senior information assurance engineer and the DARTT cochairman and program manager, estimated that, as of mid-October, government buyers had achieved $8.9 million in cost avoidance by using the BPAs. Sales so far have amounted to $3.7 million, including a $1.8 million order by the Agriculture Department for 180,000 full-disk encryption licenses. 

Official estimates project cost-avoidance savings of $73 million during the five-year life span of the agreements. Cost-avoidance figures are derived by comparing sales made under the agreements to what they would have cost under the GSA schedule. 

Theoretically, vendors already offer their lowest prices on a schedule listing, but those prices are often negotiated on the assumption of lower-volume purchases, said Tom Kireilis, director of strategic solutions at GSA. 

"The schedules are really set up for single buys," he said. "You do have some volume discounts in most of the schedules, but they're looked at as individual agency purchases," whereas SmartBuy assumes governmentwide purchase volumes.

The encryption agreements come in three pricing tiers based on 10,000, 33,000 and 100,000 users. 

Individual DOD components and civilian agencies have the option of buying directly through the purchase agreements or conducting their own competition among the selected cybersecurity companies. "They can sole-source if they want," Lentz said. "The way that the overall effort has been set up is there's a whole host of things they can do."

Kireilis calls the SmartBuy program a three-bites-at-the-apple initiative. "The first bite is the schedule," he said. The second is ordering directly from the purchase agreements, and the third is holding a competition among the agreement holders. The latter will produce the most cost-avoidance savings, he added. "If you do an internal competition among the [agreement] holders, what will happen is the holders themselves will reduce their margins to win a particular solicitation." 

Nothing is unbreakable

The encryption purchase agreements offer two basic software methods of data cryptography: full disk or file encryption. 

Full disk, also called whole disk, encrypts everything stored on a device, including the operating system. Some solutions might bypass the operating system, but generally full disk means every bit of data. File encryption is a more precise tool because only sensitive information is subjected to the hassles of encryption. But for it to work, vigilant users must keep encrypting newly added sensitive data as it's transferred to their devices.

"Generally speaking, from a risk perspective, it's a whole lot easier to just specify the hard drive and not worry about the work habits of your workers," said Eric Ouellet, a privacy and security analyst at Gartner, an information technology consulting firm. Full disk also encrypts temporary files and computers' virtual memory swap space — a good thing because sensitive data can be held there, too. But there are costs to full disk. 

An encrypted swap space can slow a computer noticeably, and encrypting the boot sector will definitely make powering up sluggish. Online estimates of the added access time range from 56 percent to 117 percent. Full-disk encryption also requires strict encryption key management: should the decryption key be lost, the data residing on the device would also be permanently lost. Lentz said the technical requirements of the purchase agreements will ensure long-term data retrieval even under less-than-ideal circumstances.

The agreements "have been designed to be very user-friendly," he added. 

Any encryption solution could also have another drawback: It might foster a false sense of confidence among users. Full-disk encryption, for example, only protects data while the computer is turned off. Once a user turns on the computer and unlocks the disk, the data is exposed.

Encryption can be broken, too. Full-disk solutions often store the encryption key on the computer, meaning an attacker could recover it. Installation of a Trusted Platform Module (TPM) chip, which can safely store secured information, mitigates that danger, and Grimes' memo requires all new computers bought by DOD to include a TPM chip. But the policy doesn't retroactively require TPM on existing devices. 

"Nothing is unbreakable, true," Lentz said. "That information could be broken. That's a risk that you run. But the reality is [that] 99.999 percent of the time, this is a very strong way to protect your data." 

JTF-GNO is watching

Additional security measures aren't necessarily popular among federal employees. 

Security adds barriers, demands validation and prevents users from booting up their computers without first tendering a credential.

"Learning to live with encryption and security takes time," said a federal cybersecurity official who requested anonymity. "I hate that it takes five minutes to open up my laptop [PC]…but if anything bad happens, you sure feel a lot better." 

In the military, an order is not subject to debate. When leaders say to encrypt data, the data must be encrypted. But nonmilitary life is trickier. There are already plenty of cybersecurity measures meant to prevent data leaks, and they're not always followed.

"Yes, the effective employment of data-at-rest encryption solutions is dependent upon the individual command environment, systems administrator and user," Hollis said. Centralized monitoring of the encryption effort, which is supposed to be mostly complete by December 2008, will help ensure compliance, he said. 

The Joint Task Force-Global Network Operations sent an encryption warning order Oct. 9 and will soon send a communications tasking order requiring a copy of each DOD component's encryption-fielding plan and estimated time to implement. 

"This is probably one of the most groundbreaking security efforts that is taking place," Lentz said. "It is a monumental effort and a big milestone when it comes to security."
