The Department of Veterans Affairs (VA) has taken on the ambitious goal of eliminating, by the end of 2017, material cybersecurity weaknesses that have dogged the agency for more than 15 years, according to VA CIO LaVerne Council.
Council, who has been in her position since last July, recently told Federal News Radio that the VA’s enterprise cybersecurity team is implementing a plan to correct all 30 material weaknesses that its overseers have repeatedly flagged over nearly 17 years.
As Federal News Radio reported: “VA’s inspector general highlighted material weaknesses in the agency’s cybersecurity for a 16th straight year in 2014. The IG hasn’t yet released its results for 2015.”
Moving to Address Weaknesses
Maria Horton, founder and CEO of EmeSec, which offers information assurance and cybersecurity consulting services to federal agencies and the private sector, told FedTech that it’s not surprising the VA has had such persistent cybersecurity weaknesses. Horton, who was previously CIO of the Bethesda Naval Hospital (now Walter Reed National Military Medical Center), said the VA, as the second largest federal civilian agency, has “a number of issues that require hands-on implementation internally.”
CIOs who are in charge of an agency’s cybersecurity program, Horton said, need to not only look at requirements, legislation and regulations related to compliance but also implement all of those. That often takes one to five years, she said, adding that it depends on the state and age of an agency’s hardware and software, as well as which systems it is upgrading.
More important, Horton said, changing the direction and culture of an agency often takes a long time, typically three to five years.
Council is trying to speed things up. She started an enterprise cybersecurity team shortly after taking the reins as CIO last summer and sent an enterprise integrated security strategy to Congress in September. Council told Federal News Radio that the team “set the priorities for which material weaknesses to address first.”
Beyond just setting its priorities, the VA has started to tackle its weaknesses, changing rules on who has elevated system privileges across the department and putting two-factor authentication in place. While these are cybersecurity basics, Horton said they are absolutely necessary.
“If the VA is not doing access control, and identity and authentication correctly at this point in time, they have no ability to be able to control who does and doesn’t touch the information in the system,” Horton said. She compared it to homeowners making sure they lock their doors and windows. “That’s a very simplistic analogy, but the reality is, you need to be doing that first and doing that well before you can move to implementing more complicated strategies to protect your information and data.”
Modernizing Legacy Systems and the Cloud
Horton explained that because the VA is second only to the Defense Department in size, it has held on to many legacy IT systems. “Even today they have some items and applications that only function on Internet Explorer.”
If Horton were asked to make recommendations to the VA’s cybersecurity program, she said she would advise the department to use IT outsourcing and cloud services. These items are already on the agency’s agenda, she added.
“I would recommend that VA as a whole could benefit from services by leveraging cloud service providers for some of the capabilities that would update them and allow [them] to reach their beneficiaries much quicker,” she said.
The challenge in taking those steps and in updating legacy systems, Horton observed, is that they could disrupt the VA’s operations, especially if employees have been trained to work on legacy systems. Modernization could lead to job cuts or require employees to be retrained or reassigned.
“There is no technology silver bullet,” she said. “You still have to have people and processes. And when the people and the processes are not necessarily performing in an optimal manner, the technology that you do have will most likely not work in an optimal manner as well.”
Younger veterans are more likely to access VA services online and via mobile devices, Horton pointed out, adding that veterans rightly expect faster service and more direct attention. These realities are forcing the VA to change how it does business, which is exposing some material cybersecurity weaknesses.
The VA needs to map how and where veterans are accessing its IT systems and services and look at where people are accessing data and on which devices, she said. Those are going to be the points that attackers will try to exploit.
“So that’s the next level in their overall strategy in protecting that information,” she said. “If you don’t understand how well your endpoints are being protected, you are going to have difficulty in even finding people who sneak in at those endpoints.”
The department’s CIO, Horton said, “has an opportunity to be a bright shining star if she can get her handle on these access controls and look at some cloud opportunities that remove some of the legacy systems for her.”