Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
VA Revamping Cybersecurity Strategy
New CIO Assembles Enterprise Team to Develop a PlanWith the federal government clearly in the bullseye of hackers, the Department of Veterans Affairs is revamping its cybersecurity strategy under its new CIO, LaVerne Council, who took over the job last month.
Last week, Council formed an Enterprise Cybersecurity Strategy Team that's charged with delivering an enterprise cybersecurity strategic plan, a VA spokesman tells Information Security Media Group. The VA's Veterans Health Administration is the United States' largest integrated healthcare system, with more than 1,700 sites of care serving almost 9 million veterans each year.
"The plan will help VA achieve transparency and accountability while securing veteran information," the spokesman says. The team is led by Susan McHugh-Polley, a VA senior executive program manager, and comprises an undisclosed number of leaders, subject matter experts and support staff from areas throughout VA's information and technology division.
"The team's scope includes management of current cybersecurity efforts as well as development and review of VA's cybersecurity requirements and operations holistically - from desktop to software to network protection," the spokesman says. Upon completion, a summary of the plan will be made available once it has been presented to Congress.
Council was unavailable for comment on the new project.
The move to reassess VA's cybersecurity efforts come at a time when several other federal government units have been hit with sophisticated cyberattacks, including the Internal Revenue Service, the Office of Personnel Management and, most recently, the Pentagon.
The VA also has been seeing a dramatic rise in cyberthreats this year, the VA's former acting CIO, Steph Warren, noted at recent monthly media briefings before Council took over as CIO last month. Warren served as acting CIO for about two years after the departure of former CIO, Roger Baker. Warren continues to serve as the VA's deputy CIO.
In other leadership changes, Stanley Lowe, deputy assistant secretary for information security, on Aug. 6 announced to his team that he is retiring effective Aug. 22 after 25 years in federal service, according to a memo the VA shared with ISMG.
Details about the transition of the information security leadership at VA will be revealed in the coming weeks, he noted in his memo.
Protecting Vets' Data
While it's yet to be determined how the VA's cybersecurity strategy might change once the new team assembles a refreshed plan, it's been using a defense-in-depth approach to protect the data the department holds on veterans.
"While the defense-in-depth approach protects from inbound threats and contains other data exposing incidents, VA relies on employees to protect veteran information they handle and transmit," explains a report issued in June by the VA that summarizes information security activity.
The VA's defense-in-depth strategy includes using the Department of Homeland Security's Einstein 3 intrusion protection system as its perimeter defense.
That system has been helping VA to fend off a rising flood of threats facing the department, Warren said.
For instance, information security activity reports from the VA for May and June illustrate the volume of cyberthreats being contained and blocked each month at the VA - and how those incidents are soaring:
- Suspicious/malicious email blocked/contained: 73.9 million in May vs. 103.1 million in June.
- Intrusion attempts blocked/contained: 336.4 million in May vs. 389.3 million in June.
- Malware blocked/contained: 574.7 million in May vs. 680.2 million in June.
Team Effort
At a July 1 media briefing, Warren said that he had being pulling together in recent months leadership from the VA's cybersecurity, IT services and operations areas "to talk about what we need to do to in this increasing threat environment, in terms of raising our game, adding more protection."
The group met three times in June, including meeting with VA business and administrative managers, he noted. Among the topics that were part of those discussions were "how do we change boundary protections to tighten things down even further; social media ... and locking it down further; and reconfiguring systems to further minimize access points," Warren said.
A VA information security fact sheet issued in July also provides a look at other key elements of the VA's cybersecurity efforts.
For instance, the VA says it:
- Has 587 information security professionals;
- Allocated $200 million in 2014 for information security;
- Monitors 4.5 million emails per day, with more than 75 percent blocked due to malware and other malicious activity;
- Tracks and defends against 55,000 new malware variants per day;
- Safeguards 750,000 connected network devices;
- Has encrypted 100 percent of the 438,394 desktops and laptops on the VA network.