
Friday, 03 April 2009

Is encryption hard and expensive?

Encryption is notoriously expensive and hard to use. Is this impression just based on anecdotal evidence, or is this really the case?

One way to answer this question is to look at a recent report from the US Government Accountability Office. GAO report GAO-08-525, “Federal Agency Efforts to Encrypt Sensitive Information Are Underway, but Work Remains” has some data that the GAO got from surveying 24 major federal agencies on their use of encryption and the obstacles that keep them from using it more widely. Here’s what the agencies said about how serious various obstacles are when it comes to impeding their deployment of encryption to protect sensitive information. The number in each cell of this table is how many agencies said that a particular problem caused a certain level of difficulty.

Hindrance                                    Little or no   Some        Moderate    Great or very great
                                             hindrance      hindrance   hindrance   hindrance
Prohibitive costs                                 2             8           5               9
Lack of user acceptance                           3            12           4               4
Difficulties with data backup and recovery        5            10           6               3
Insufficient training                             4            13           3               2
Difficulties with archiving and retrieving        5            12           3               3
Lack of interoperability                          3             6           7               5
Lack of infrastructure readiness                  7             2           9               6
Lack of vendor support                            8             8           6               1
Lack of FIPS-compliant products                   7             6           4               4
Lack of management acceptance                     7             9           1               2

Hindrances to Implementing Encryption at Federal Agencies (GAO-08-525).

The biggest obstacle is clearly prohibitive costs, which isn’t terribly surprising. The federal government seems to be committed to using encryption technologies like PKI. These technologies work, but they’re also extremely expensive.

When I’ve mentioned to government employees that certain technologies were better because they were cheaper to use and support, I’ve actually had them roll their eyes, saying, “oh, no, not that annoying discussion of costs again!” Because costs are the biggest obstacle to the use of encryption by the government, you have to wonder why they have that reaction. Federal agencies clearly understand that costs are an issue. You’d hope that they would look for technologies that can accomplish their goal of encrypting sensitive information, but can do this at a lower cost than the PKI that the government seems to like so much.

At first I found it somewhat surprising that the biggest obstacle after costs is lack of infrastructure readiness. In other words, lots of federal agencies can’t encrypt sensitive information because their existing networks and applications can’t handle encrypted information. On reflection, that’s not really surprising. In any legacy system there’s often at least one component that assumes that all of the data it processes is in a particular format: a field that must be exactly sixteen digits, say, or a date in a fixed layout. Conventional encryption changes the format of the data (a digit string becomes arbitrary bytes, usually longer once encoded), which can make it impossible for such legacy systems to handle it. On the other hand, there are technologies available now that let you encrypt sensitive information while keeping its format unchanged. One has even been submitted to NIST as a new mode of AES. Maybe federal agencies just haven’t heard about this yet. It certainly sounds like it would address one of their most pressing problems.
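To make the infrastructure-readiness point concrete, here is an added example (written for this page, not code from the post, from Voltage, or from the NIST submission it mentions). It runs a constructed 16-digit card-number-like field through a stand-in for an ordinary cipher mode, which produces bytes a digits-only legacy check rejects, and then through a simplified format-preserving Feistel construction whose output the same check accepts and which decrypts back to the original. The key, nonce, sample value, the legacy check, and the HMAC-based round function are all assumptions made for the demonstration; the Feistel cipher is illustrative of the technique only and is not the submitted mode or a production construction.

```python
"""Added example: why conventional encryption breaks legacy field checks
and how a format-preserving construction avoids that (illustrative only)."""
import hashlib
import hmac

# Constructed sample values for the demonstration; not from the GAO report
# or from any real system.
SAMPLE_KEY = b"constructed-demo-key-not-for-real-use"
SAMPLE_PAN = "1234567890123456"  # constructed 16-digit card-number-like field


def legacy_field_ok(value: str) -> bool:
    """Stand-in for a legacy system's input check: the field must be exactly
    16 ASCII digits, the kind of format assumption the post describes."""
    return len(value) == 16 and value.isdigit()


def conventional_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stand-in for an ordinary cipher mode (CTR-style keystream XOR, with an
    HMAC-SHA256 keystream so the example needs no third-party library).
    Like AES-CTR it maps n plaintext bytes to n arbitrary bytes."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(plaintext), 32)):
        block_input = nonce + counter.to_bytes(4, "big")
        keystream = hmac.new(key, block_input, hashlib.sha256).digest()
        out.extend(p ^ k for p, k in zip(plaintext[start:start + 32], keystream))
    return bytes(out)


ROUNDS = 10  # even, so both halves end up at their original lengths


def _round_function(key: bytes, tweak: bytes, rnd: int, half: str) -> int:
    """Keyed pseudorandom function for one Feistel round: HMAC-SHA256 over
    the tweak, the round index and the other half, read as a big integer."""
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _check_digits(digits: str) -> None:
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("input must be a string of at least two decimal digits")


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Format-preserving encryption of a decimal string: a Feistel network over
    two digit halves in the style of the FFX/FF1 family, simplified for
    illustration (not the mode submitted to NIST, not for production).
    The output has the same length and alphabet as the input, so a legacy
    digits-only field accepts it."""
    _check_digits(digits)
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for rnd in range(ROUNDS):
        m = u if rnd % 2 == 0 else v  # length of the half being replaced
        y = _round_function(key, tweak, rnd, b) % 10 ** m
        c = (int(a) + y) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Inverse of fpe_encrypt: run the rounds backwards, subtracting."""
    _check_digits(digits)
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for rnd in reversed(range(ROUNDS)):
        m = u if rnd % 2 == 0 else v
        y = _round_function(key, tweak, rnd, a) % 10 ** m
        c = (int(b) - y) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def demo(key: bytes = SAMPLE_KEY, pan: str = SAMPLE_PAN) -> dict:
    """Run both approaches on the sample field and report which outputs the
    legacy check would accept."""
    conventional = conventional_encrypt(key, b"constructed-nonce", pan.encode("ascii"))
    preserved = fpe_encrypt(key, pan)
    return {
        "plaintext_ok": legacy_field_ok(pan),
        "conventional_hex": conventional.hex(),
        "conventional_ok": legacy_field_ok(conventional.hex()),
        "preserved": preserved,
        "preserved_ok": legacy_field_ok(preserved),
        "round_trip": fpe_decrypt(key, preserved) == pan,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The conventional ciphertext is 16 arbitrary bytes, and the moment it is hex- or base64-encoded to fit a text field it is the wrong length as well as the wrong alphabet, so every validator, schema and report downstream has to change. The format-preserving output is still 16 digits, which is the whole point of the technique the post describes: the legacy components never notice that the value is encrypted. The tweak argument lets the same key produce different ciphertexts for the same value in different contexts (different columns or record identifiers), which real format-preserving modes also provide.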
