The Department of Veterans Affairs (VA) is making progress on improving cybersecurity, but with past weaknesses and upcoming modernization efforts, the department needs to address outstanding issues and set a solid security foundation, witnesses testified to the House Veterans Affairs Subcommittee on Technology Modernization on November 14.
While VA ranks near the median when it comes to cybersecurity, the department has been slow to close out some recommendations from the agency’s inspector general and the Government Accountability Office (GAO).
“In fiscal year 2016, we recommended 74 actions for the department to take to improve its cybersecurity program and remedy known control deficiencies with selected high-impact systems. However, as of October 2019, over 3 years later, VA had implemented only 32 (or 43 percent) of the 74 recommendations,” noted testimony from GAO. Additionally, VA’s financial reporting system has been identified as a material weakness for the 17th year in a row.
The lack of resolved recommendations for GAO reports can be attributed to incomplete documentation, said Greg Wilshusen, director of IT and Cybersecurity at GAO.
“One of the issues we’ve identified in reviewing evidence that VA has provided to us over the years is that often, it doesn’t seem like it’s validating the effectiveness of its corrective actions,” said Wilshusen. “For example, VA asserted that it has implemented 39 of the 42 recommendations that currently are open, but when we reviewed the evidence provided, it wasn’t sufficient enough for us to confirm the implementation of that recommendation so we could close it … As the folks implementing the corrective actions, it [should] probably be reviewed so that those actions are confirmed by an independent party or another group within the organization,” he added.
Members of Congress focused their concerns on the cybersecurity threats to VA’s supply chain, especially on the medical side.
“Hackers can be virtually anyone, but when we talk about corrupting the supply chain, we are almost always talking about China. China is embedded in almost every aspect of the IT supply chain, and none of our other strategic adversaries come even close,” said Rep. Jim Banks, R-Ind.
Another key aspect identified by witnesses and members of Congress is VA’s cybersecurity workforce. Successful efforts to bring in cyber talent were lauded, but the misclassification of cyber workers prompted some concerns, as roughly 45 percent of workers were misclassified, a situation VA is currently working to fix.
To a lesser extent, the hearing also touched on the reduction of security incidents at VA (2,808 incidents in FY17 vs. 1,776 incidents in FY18), the large share (42 percent) of incidents that were not placed into a threat vector category, and the slightly decreased budget request for cybersecurity ($381 million in FY19 vs. $362 million in the FY2020 budget request).