The U.S. Government Accountability Office (GAO) released a report today, “VA Needs to Address Long-Standing Challenges”, that summarizes the numerous reasons the U.S. Department of Veterans Affairs (VA) must attend to long-term information security shortfalls.
Though the VA has been dealing with cybersecurity challenges since as far back as 1997, its recent struggles with keeping veterans’ data secure have drawn heavy attention from the GAO, which said that the number of information security incidents reported by the VA has more than doubled over the last several years. This is neither the first nor the last time that the VA’s security efforts will be critiqued. The GAO produced this report to review the difficulties the VA has experienced in effectively implementing information security and the legislative work being done to shore up those areas of need.
From fiscal years 2007 to 2013, the VA experienced control weaknesses in the areas of access control, configuration management, segregation of duties, contingency planning and security management. For instance, the VA reported 4,834 information security incidents to US-CERT in 2007 and 11,382 incidents in 2013. The types of attacks included unauthorized access; denial-of-service attacks; installation of malicious code; improper usage of computing resources; and scans, probes, and attempted access, among others.
Gregory C. Wilshusen, GAO Director of Information Security Issues, offered this testimony before the Subcommittee on Oversight and Investigations, Committee on Veterans’ Affairs, House of Representatives:
Specifically regarding VA, we found that the department generally established computer matching agreements for its matching activities and conducted cost-benefit analyses of proposed matching programs. However, the completeness of these analyses varied in that they did not always include key costs and benefits needed to determine the value of a computer matching program. We noted that VA’s guidance for developing cost-benefit guidance did not call for including key elements. We recommended that VA revise its guidance on cost-benefit analyses and ensure that its data integrity board review the analyses to make sure they include cost savings information. VA concurred and described steps it would take to implement our recommendations.
The Subcommittee is also considering draft legislation that is intended to improve the VA’s information security and would improve the governance of the VA’s information security program and the security controls for its information systems.
The bill would mandate the Secretary of Veterans Affairs to improve the information security program’s transparency and coordination while improving security in these areas:
- The department’s critical network infrastructure
- Computers and servers
- Operating systems
- Web applications
- The Veterans Health Information Systems and Technology Architecture system
According to the report, the draft bill identifies specific security-related actions and activities that the VA is required to perform. Read the full report here.