Cybersecurity is splashed across media headlines almost every day, with stories sounding the alarm about the vulnerabilities and challenges facing the government, corporate, and personal computer networks we rely heavily on across the globe. The Colonial Pipeline ransomware attack brought the issue home and showed how far-reaching the fallout was for Americans dependent on gas products for their livelihood.
The VA is not immune to cybersecurity attacks, as seen over the years. As recently as September 2020, hackers breached the VA health care computer systems and exposed information on about 46,000 veterans. The breach shut down the department’s finance office as hackers attempted to divert veteran disability and other payments for financial gain.
Earlier, in 2015, a massive Office of Personnel Management data breach exposed Social Security numbers, family and health information, and fingerprints for over 21.5 million employees, including currently serving servicemembers and veterans. In 2012, VA inadvertently exposed veterans’ personal information online, and in 2006, the burglary of a VA employee’s home included the theft of a laptop housing the personal information of millions of veterans and servicemembers.
On May 21, VA’s chief information and security officials attempted to allay lawmakers’ concerns during a House Veterans’ Affairs Committee hearing on cybersecurity. The technology modernization subcommittee lawmakers held the hearing to learn more about current cybersecurity efforts and other technological challenges facing the VA given the significant number of information technology (IT) modernization projects underway within the department.
The most notable is the Cerner joint VA-DoD electronic health record (EHR) modernization project. VA Secretary Denis McDonough implemented a strategic review early after taking office in February because of problems in rolling out the Cerner system at the Mann-Grandstaff VA Medical Center in Spokane, Wash. The review should be completed in June.
While VA officials sought to ease members’ concerns by conveying how serious the department is about protecting veteran, employee, and department assets, the threats to VA’s network remain an ongoing challenge.
“The COVID-19 pandemic fueled the adversaries with new content and topics to leverage in their attacks, such as phishing campaigns disguised as informational updates,” Paul Cunningham, the VA’s deputy assistant secretary and chief information security officer, told lawmakers. “Fortunately, the VA workforce is trained on identifying such attacks, and the department had tools in place for reporting and responding to those threats.”
How Big Are VA’s IT Security Challenges?
The VA Office of the Inspector General (OIG) pointed to 21 consecutive years of audits in which the VA was charged with many of the same discrepancies year after year. The OIG provided VA with 26 recommendations to address problem areas, but many have yet to be resolved.
While the OIG acknowledged recent improvements in information management, many of VA’s ongoing problems in implementing adequate security controls are due in part to the aging and outdated IT infrastructure maintained by the department.
Solutions Congress May Want to Consider
“Relative to other agencies, VA spends more on cybersecurity, but less as a percent of its overall budget,” said Chris Jaikaran, an expert in cybersecurity policy at the Congressional Research Service (CRS). “Most federal agencies spend less than 1% of their budgets on cybersecurity. VA spends almost twice as much as other federal agencies on protecting its internal networks.”
CRS offered these options for lawmakers to consider. Congress may choose to:
- Shift VA’s cybersecurity activities to an agency with more expertise in this area.
- Create new technical capabilities within the department.
- Accelerate the plan for the VA to move toward implementing the next generation of cybersecurity services.
- Create new statutory requirements for reporting VA’s cybersecurity efforts.
- Target specific systems like the VA-DoD EHR for adopting the next generation of cybersecurity services.
Lawmakers were left with more questions than answers from the hearing but assured VA officials that discussions on these issues would continue. Any follow-on hearings will be laser-focused on VA’s progress, including incremental improvement over time on the OIG recommendations.