The Cloud May Be The Only Thing That Can Save Cybersecurity At The VA


The Department of Veterans Affairs is on what appears to be an irreversible losing streak when it comes to its annual cybersecurity audit. Last week, VA’s Office of the Inspector General slapped the agency with a “material weakness” designation for its information security efforts—the 16th year in a row that VA has failed the annual review required by law.

Although the report gives the agency credit for some progress under newly-appointed Chief Information Officer LaVerne Council, the detailed findings reveal an agency in crisis and unable to regain control of its many geographically dispersed IT infrastructure fiefdoms.

According to the latest audit report—required under the Federal Information Security Management Act—VA is not monitoring all of its external network interconnections and internal network segments for malicious traffic or unauthorized access attempts. The agency is also unable to detect unauthorized scans of internal networks, allowing auditors to remain undetected during 4 out of 6 unannounced network scans. During one field audit, teams were able to exfiltrate 54 megabytes of data from both the Network Security Operations Center and a medical center by creating a User Datagram Protocol – Virtual Private Network tunnel.

Agency insiders, who spoke to MeriTalk on condition of anonymity because they were not authorized to comment publicly, said the agency’s cybersecurity weaknesses can be traced directly to the decision to centralize VA’s IT management and security oversight at its Washington, D.C., headquarters.

“VA does not want to admit to how bad the IT centralization has been,” said an agency source. “The 30 network administrators have more power than the secretary. The enterprise architecture (network/systems etc.) and the people infrastructure don’t work well together. Council seems to be focusing on getting the house in order, which she might be able to do in D.C., but the field will do what it will do.”

The IG’s FISMA audit seems to support that analysis. Not only does VA not monitor all external interconnections and internal network segments for malicious traffic or unauthorized access attempts, but “some local facilities had stopped VA’s Network and Security Operations Center from periodically testing certain systems for security vulnerabilities,” the audit report states. “Consequently, the Network and Security Operations Center did not have a complete inventory of all locally hosted systems and must rely on local sites to identify systems for testing.”

A senior official on Capitol Hill said although Council has only been in the CIO post for eight months, she has not demonstrated that these longstanding issues are a priority. “The fact that many of these problems have existed for well over a decade is completely unacceptable,” the official said. “While Council hasn’t yet been with VA a year, many of these issues should be a priority, but they don’t seem to be.”

VA is the second largest cabinet agency in government and one of the only agencies with a consolidated IT appropriation. That centralization began shortly after a massive data breach in 2006 and was quickly embraced by Roger Baker when he became CIO in 2009. Baker argued that centralized control of IT at the agency gave him better visibility into the security posture of hundreds of thousands of PCs.

That was then. Today, VA suffers from a significant number of weak passwords on major databases, applications, and networking devices at most VA facilities. “Additionally, password parameter settings for network domains, databases, key financial applications, and servers were not consistently configured to enforce VA’s password policy standards,” the IG audit report states. “While some improvements have been made, we continue to identify security weaknesses that were not remedied from prior years. Many of these weaknesses can be attributed to VA’s ineffective enforcement of its agency-wide information security risk management program and ineffective communication from senior management to the individual field offices.”

According to one VA insider, the centralization effort was not supported by the agency’s frontline IT staff. “IT should be a service that is plugged into, and that has not happened yet. IT should never have been separated from the businesses,” the source said, referring to the agency’s medical centers and field offices. If the agency can find a way to move to the cloud faster in the midst of its current cybersecurity challenges, it would be able to reassert positive control over its many disparate networks and centers, the source added.

“In the last 20 years, they have been moving the data centers from hospitals to ‘area’ data centers, and people got higher paying jobs because they were no longer just managing one hospital or [Veterans Integrated Service Network-VISN], they were becoming area managers, so VA was creating its own ‘cloud’ outside of the hospital settings,” an agency source said. But those clouds have not been playing by the same rules. “If VA can move more of its services to a centrally-managed cloud infrastructure, security should improve.”

Dan Verton
About Dan Verton
MeriTalk Executive Editor Dan Verton is a veteran journalist and winner of the First Place Jesse H. Neal National Business Journalism Award for Best News Reporting -- the highest award in the nation for business/trade journalism. Dan earned a Master's Degree in Journalism and Public Affairs from American University in Washington, D.C., and has spent the last 20 years in the nation's capital reporting on government, enterprise technology, policy and national cybersecurity. He’s also a former intelligence officer in the United States Marine Corps, has authored three books on cybersecurity, and has testified on critical infrastructure protection before both House and Senate committees.
3 Comments
  1. Anonymous
    Centralization of IT Security is not the problem, rather incompetence at the senior management level is the reason.
  2. Anonymous
    Definitely a leadership issue - too much turnover at the top of VA's OIT. Running a close second is a top-heavy organization. Too many Chief of this, assistant chief of that, division chief of the other thing, supervisor of something else. Not enough hands-on workers to do the work. And the latest move is to move all of IT to a national organization, with, yup, more levels of management. Why was VA allowed to create supervisory jobs with only 3 direct reports? And dozens of this, across the country. Every few months, there is a new initiative, new direction, new focus, new action item, or whatever, and EVERYTHING comes from Council as a drop-what-you-are-doing-and-do-this priority. Way to kill what little morale may have existed.
  3. Anonymous
    While many people look at these failures as IT failures, and many are, those of us on the inside know that's not the whole story. Anybody who works at a place like a hospital knows that the hospital does whatever it wants and the FCIO isn't going to alter their behavior. I remember an audit at my hospital that had IT brass in attendance; sadly, this practice is no longer in effect. I offer two pieces of advice: the first is to have the site's audit weigh heavily into the facility director's evaluation. The second is to have IT SESs directly participate in every audit from the time a site is put on the calendar until the IG releases its results. Require recorded weekly meetings between the SES facility director and the IT SES. Get the two sides to work together and we'll perform much better in these audits.
