After theft, NASA orders laptops encrypted, but is that enough?
After an agency laptop PC was stolen from an employee’s car on Halloween, NASA is requiring that all laptops containing sensitive information be protected by full-disk encryption as soon as possible. The agency has ordered CIOs at its facilities to have as many laptops as possible encrypted by Nov. 21, and all of them protected by Dec. 21, according to a notice from NASA headquarters.
After Dec. 21, no laptop without full-disk encryption will be allowed out of a NASA facility if it carries sensitive data, including personally identifiable information, International Traffic in Arms Regulations and Export Administration Regulations data, procurement and HR information, or other sensitive but unclassified data, NASA said.
The stolen laptop was password-protected but not encrypted and contained personally identifiable information, or PII, “for a large number of NASA employees, contractors, and others,” NASA said.
To meet this rather rapid turnaround, the agency’s Information Technology and Communications Division will have to hustle. IT staff won’t have time to physically replace drives with ones that do the encryption at the hardware level, so they will have to use software to do the job. Software encryption is measurably slower than its hardware counterpart, but most users shouldn’t notice the difference.
Disk encryption, which encrypts every bit of data on a hard drive, is a good additional level of defense. However, unless biometric or smart-card authentication is used on the device, it is simply one more password for a hacker or thief to crack. NASA is acting on the assumption that the documents on the laptop may be compromised because they were protected only with a password. Adding data encryption raises the bar, but users open their encrypted drives with passwords, so that would just mean two passwords to crack.
Disk encryption is definitely a valuable weapon in an IT administrator’s arsenal. But it needs to be supported with biometric or smart-card authentication and remote device management to make it as effective as possible.
Nevertheless, encrypting laptops is a good step. Lost laptops have long been a bane of agency IT administrators. Earlier this year, NASA’s inspector general reported that the agency had lost 48 laptops from 2009 to 2011, including one (unencrypted) that held control codes for the International Space Station.
After the latest incident, NASA also instructed its employees to use a loaner laptop when teleworking or traveling if their regular laptop contains sensitive information, to purge any unnecessary information from their laptops, and to keep sensitive data off smartphones and other mobile devices.