The Department of Veterans Affairs is on what appears to be an irreversible losing streak when it comes to its annual cybersecurity audit. Last week, VA’s Office of the Inspector General slapped the agency with a “material weakness” designation for its information security efforts—the 16th year in a row that VA has failed the annual review required by law.
Although the report gives the agency credit for some progress under newly-appointed Chief Information Officer LaVerne Council, the detailed findings reveal an agency in crisis and unable to regain control of its many geographically dispersed IT infrastructure fiefdoms.
According to the latest audit report—required under the Federal Information Security Management Act—VA is not monitoring all of its external network interconnections and internal network segments for malicious traffic or unauthorized access attempts. The agency is also unable to detect unauthorized scans of internal networks, allowing auditors to remain undetected during 4 out of 6 unannounced network scans. During one field audit, teams were able to exfiltrate 54 megabytes of data from both the Network Security Operations Center and a medical center by creating a User Datagram Protocol – Virtual Private Network tunnel.
Agency insiders, who spoke to MeriTalk on condition of anonymity because they were not authorized to comment publicly, said the agency’s cybersecurity weaknesses can be traced directly to the decision to centralize VA’s IT management and security oversight at its Washington, D.C., headquarters.
“VA does not want to admit to how bad the IT centralization has been,” said an agency source. “The 30 network administrators have more power than the secretary. The enterprise architecture (network/systems etc..) and the people infrastructure don’t work well together. Council seems to be focusing on getting the house in order, which she might be able to do in D.C., but the field will do what it will do.”
The IG’s FISMA audit seems to support that analysis. Not only does VA not monitor all external interconnections and internal network segments for malicious traffic or unauthorized access attempts, but “some local facilities had stopped VA’s Network and Security Operations Center from periodically testing certain systems for security vulnerabilities,” the audit report states. “Consequently, the Network and Security Operations Center did not have a complete inventory of all locally hosted systems and must rely on local sites to identify systems for testing.”
A senior official on Capitol Hill said although Council has only been in the CIO post for eight months, she has not demonstrated that these longstanding issues are a priority. “The fact that many of these problems have existed for well over a decade is completely unacceptable,” the official said. “While Council hasn’t yet been with VA a year, many of these issues should be a priority, but they don’t seem to be.”
VA is the second largest cabinet agency in government and one of the only agencies with a consolidated IT appropriation. That centralization began shortly after a massive data breach in 2006 and was quickly embraced by Roger Baker when he became CIO in 2009. Baker argued that centralized control of IT at the agency gave him better visibility into the security posture of hundreds of thousands of PCs.
That was then. Today, VA suffers from a significant number of weak passwords on major databases, applications, and networking devices at most VA facilities. “Additionally, password parameter settings for network domains, databases, key financial applications, and servers were not consistently configured to enforce VA’s password policy standards,” the IG audit report states. “While some improvements have been made, we continue to identify security weaknesses that were not remedied from prior years. Many of these weaknesses can be attributed to VA’s ineffective enforcement of its agency-wide information security risk management program and ineffective communication from senior management to the individual field offices.”
According to one VA insider,the centralization effort was not supported by the agency’s frontline IT staff. “IT should be a service that is plugged into, and that has not happened yet. IT should never have been separated from the businesses,” the source said, referring to the agency’s medical centers and field offices. If the agency can find a way to move to the cloud faster in the midst of its current cybersecurity challenges, it would be able to reassert positive control over its many disparate networks and centers, the source added.
“In the last 20 years, they have been moving the data centers from hospitals to ‘area’ data centers, and people got higher paying jobs because they were no longer just managing one hospital or [Veterans Integrated Service Network-VISN], they were becoming area managers, so VA was creating it own ‘cloud’ outside of the hospital settings,” an agency source said. But those clouds have not been playing by the same rules. “If VA can move more of its services to a centrally-managed cloud infrastructure, security should improve.”