secure laptop

After theft, NASA orders laptops encrypted, but is that enough?

After an agency laptop PC was stolen from an employee’s car on Halloween, NASA is requiring that all laptops containing sensitive information be protected by full-disk encryption as soon as possible. The agency has ordered CIOs at its facilities to have as many laptops as possible encrypted by Nov. 21, and all of them protected by Dec. 21, according to a notice from NASA headquarters.

After Dec. 21, no laptop without full-disk encryption will be allowed out of a NASA facility if it carries sensitive data, including personally identifiable information, International Traffic in Arms Regulations and Export Administration Regulations data, procurement and HR information, or other sensitive but unclassified data, NASA said.

The stolen laptop was password-protected but not encrypted and contained personally identifiable information, or PII, “for a large number of NASA employees, contractors, and others,” NASA said.

To meet this rather rapid turnaround, the agency’s Information Technology and Communications Division will have to hustle. IT staff won’t have time to physically replace drives with ones that do the encryption on the hardware level, so they will have to use software to do the job. Software encryption is measurably slower than its hardware counterpart, but most users shouldn’t notice the difference.

Disk encryption, which encrypts every bit of data on a hard drive, is a good additional level of defense. However, unless biometric or smart-card authentication is used on the device, it is simply one more password for a hacker or thief to crack. NASA is acting on the assumption that the documents on the laptop may be compromised because they were protected only with a password. Adding data encryption raises the bar, but users open their encrypted drives with passwords, so that would just mean two passwords to crack.

Disk encryption is definitely a valuable weapon in an IT administrator’s arsenal. But it needs to be supported with biometric or smart-card authentication and remote device management to make it as effective as possible.

Nevertheless, encrypting laptops is a good step. Lost laptops have long been a bane of agency IT administrators. Earlier this year, NASA’s inspector general reported that the agency had lost 48 laptops from 2009 to 2011, including one -- unencrypted -- that held control codes for the International Space Station.

After the latest incident, NASA also instructed its employees to use a loaner laptop when teleworking or traveling if their regular laptop contains sensitive information, to purge any unnecessary information from their laptops and to keep sensitive data out of smart phones or other mobile devices.

About the Author

Greg Crowe is a former GCN staff writer who covered mobile technology.

Reader Comments

Mon, Nov 19, 2012 woody weaer usa

"NASA is acting on the assumption that the documents on the laptop may be compromised because they were protected only with a password." No, they are acting on OMB guidance M-6-16 which requires it and does not require the controls recommended here. Before telling others what to do, the author should read the literature of controls for NASA. This is not corporate america, the same rules do not apply.

Mon, Nov 19, 2012

Honestly if it was that confidential what the h... is she or he leaving it in the car for. It the users again that fail to think. Really need to think before you leave any electronic device in a vehicle, unless you are in a Armored vehicle. Sorry, but here is your sign, as those comedians say.

Mon, Nov 19, 2012 Gene Washington DC

Remember that NNSA owns the word "Encryption." I bet their software encryption will be very hard for any hacker to get past.... time will tell.

Mon, Nov 19, 2012 Shawn Richimond, VA

Last time I checked, Hackers were not trolling parking lots looking for laptops sitting in people's cars. Still NASA should have known better to use encryption on all laptops.

Mon, Nov 19, 2012

I will comment that there are two types of encryption available--first, most laptops sold in the last few years have native hard drive encryption available on the drive and configurable from the BIOS. This is significantly harder to crack than "just another password". Secondly, use of dual-encryption via TrueCrypt, again, is significantly more secure than "just another password". Whether NASA is aware of and will use such secure methods, I can't say, but they *are* both available and relatively quick to implement.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above