House lawmakers lose patience with VA, introduce prescriptive cyber bill

Thursday - 4/3/2014, 3:23pm EDT

Jason Miller, Executive Editor, Federal News Radio


The House Veterans Affairs Committee no longer is waiting for the Veterans Affairs Department to fix what lawmakers and outside auditors believe are systemic cybersecurity problems.

Rep. Jackie Walorski (R-Ind.) introduced the Veterans Information Security Improvement Act (H.R. 4370) yesterday. The bill would explicitly require VA to take steps to repair operational and procedural holes in its network and computer security processes.

"Is legislation needed? I honestly, having sat on this committee, think that it's a directive that has to be implemented at this point because there is no voluntary compliance," Walorski said March 25 at the hearing about the draft version of this cyber bill. "The mere suggestion from Congress, asking and asking and asking, and then having your department [the Government Accountability Office] follow up and the reports that continually come back with vulnerabilities, vulnerabilities and vulnerabilities, our veterans deserve more."


Walorski said there is an "urgency" today more than ever to fix VA's cybersecurity weaknesses.

The bill would require VA's secretary to take specific steps to:

  • Help the agency reclaim, secure and safeguard its network, including domain controllers;

  • Improve how VA defends its workstations from critical security vulnerabilities;

  • Upgrade or phase out unsupported and outdated operating systems;

  • Improve how VA secures its Web applications from vulnerabilities;

  • Enhance protections for the department's electronic health record system, VISTA, from anonymous user access;

  • Ensure compliance with federal information security laws, Office of Management and Budget guidance, and National Institute of Standards and Technology standards.

"I think these actions identified in the directive are intended to address known vulnerabilities that exist in VA now," said Greg Wilshusen, GAO's director of information security issues, at the same March 25 hearing. "To the extent they take those actions on a risk-based basis, it should help VA improve its security."

Wilshusen said GAO currently is reviewing VA's IT security and will look at the extent to which long-standing vulnerabilities continue to exist, how much risk veterans' data face because of these cyber weaknesses, and the steps VA has taken to mitigate those risks and vulnerabilities. He said the evaluation is just getting started.

A VA official said the agency "is currently reviewing draft legislative language recently received from the House Veterans Affairs committee. VA will communicate its views on the legislation with the committee once this review is complete."

Brutal and ugly

One former VA official called the legislation a "brutal" and "ugly" bill that should be a signal to any chief information security officer that it may be time to get a new job when Congress is telling you how to secure your systems.

House lawmakers want to be more prescriptive in the steps VA takes to secure its computers and networks after a series of hearings and reports over the last year show continued vulnerabilities in the agency's networks and systems. Additionally, committee members have made it clear they are less than satisfied with the agency's response to a series of questions posed last winter about the steps the Office of Information and Technology is taking to improve network and operational security.

"VA takes seriously its obligation to properly safeguard any personal information within our possession. VA has in place a strong, multi-layered defense to combat evolving cybersecurity threats," a VA spokeswoman said by email. "VA is committed to protecting veteran information, continuing its efforts to strengthen information security, and putting in place the technology and processes to ensure veteran data at VA are secure."

This saga started in June with revelations from former VA Chief Information Security Officer Jerry Davis that VA's network has been breached by foreign actors and the agency was "rubber stamping" security certifications.

The committee followed the hearing by posing dozens of "yes or no" questions to VA about the department's cybersecurity practices.

As of January, the committee said VA has only provided a preliminary response to the committee's first letter from Oct. 22. The committee said VA did not sufficiently answer all of the questions posed in that letter, and it has not responded to the committee's other eight letters regarding VA IT security procedures. VA was given two weeks to respond to each of the letters, which were sent between Oct. 23 and Nov. 18.

New requirements for CIO, CISO

Despite assurances from VA, cyber weaknesses and data breaches continue at what some would call an alarming rate.

"Our work has shown that the Department of VA continues to face long-standing challenges in its information security program. From fiscal year 2007 through 2013, we noted that VA has had weaknesses in each of the five major security categories that we track over that period of time, in each year," Wilshusen said. "These include those controls that protect, limit and detect unauthorized access to its systems. Controls such as configuration management, which are intended to ensure only authorized programs are in operation, are current and apply appropriate patches, segregation of duties, contingency planning, which is intended to ensure that disruptions in service are minimized and prevented to the extent possible, and importantly security management. These are the controls that establish the governance and ensure the controls are tested and known weaknesses are remediated in a timely manner."

He added these weaknesses have persisted at VA since the 1990s.

The 28-page bill would direct VA to require its CIO and chief information security officer to meet certain experience, training and certification requirements.

The bill puts specific timeframes around cyber activities, such as giving the agency 90 days from when the bill becomes law to upgrade or phase out unsupported operating systems, or 45 days to implement automated patching tools and processes to ensure the agency applies these cyber upgrades within 48 hours of the patch becoming available.

VA also would have to establish and ensure the use of standard secure configurations for each operating system, employ system scanning tools that check daily for software, version, patch levels and configuration files, and deploy Security Content Automation Protocol tools that are validated by NIST and automatically evaluate the system's vulnerability management, measurement and policy compliance.

"This bill also directs the Secretary of Veterans Affairs to submit to the Committee on Veterans' Affairs of the House of Representatives a biannual report, including a description of the actions taken by the secretary to implement and comply with the directive," a Hill staff member familiar with the bill said. "In addition, the Inspector General of the Department of Veterans Affairs shall submit to the congressional veterans committees an annual report that includes a comprehensive assessment of the adequacy and effectiveness of the implementation by the secretary of Veterans Affairs. Finally, on a monthly basis, the secretary shall submit to the congressional veterans' committees reports on security vulnerabilities discovered."

Reaction to the bill is mixed.

Bruce Brody, a former VA chief information security officer, said the legislation will not get to the root of the problem at VA.

"The VA's information security problems are not the result of technology, policy, procedure or any other cybersecurity process. It's culture, plain and simple," he said. "The VA could solve their information security problems overnight by holding the bonuses of all senior executives in check until such time as the systems over which they have responsibility are determined to be secure by competent authority. Seriously, the VA's security posture would be the model of government overnight if those individuals responsible for securing the VA's system were actually held accountable financially."

But a government security expert, who requested anonymity because they didn't get permission to speak to the press, said it's a valiant effort to focus on real information security.

The source said the bill gets to the heart of issues that have hampered VA from seriously making information security measurably better. The source said the key to this bill is that it focuses on the basics.

"The bill moves all security resources to the Office of Information Security. This gives greater control over security activities and aligns resources under one office," the expert said. "It puts all individuals with security responsibilities on the same sheet of music, focused on solving the most pressing issues in a coordinated fashion. Today it's done in an ad hoc and disconnected manner, evident by close to 15 years of material weaknesses and data breaches."

But Brody said the centralized security approach has been tried before, not to great success.

"About 10 years ago, the CIO decided that centralization would address the problems, but his lack of CIO experience led him to centralize by decentralizing. That didn't work," he said. "A few years later, the next CIO put a CISO in place that mistakenly elevated compliance as the information security priority, and brought in an expensive contractor on a sole-source contract. Compliance is now as elusive as security in the VA, and that contractor remains embedded. And on it goes — the current CISO is apparently performing so questionably as to stimulate Congress to legislate the roles and functions of the position."

But the security expert said centralizing security and adding prescriptive technical controls and incident management requirements are a good thing.

The source said pressing VA to use and report on tried and tested controls such as those from SANS top 20 Critical Controls, NIST 800-53 and NSA methodologies on how to operate on a compromised network is something that all agencies should look to adopt in some fashion.

"This is one of the strongest and technically focused information bills to ever hit the government," the expert said. "If VA is serious about improving information security controls and thus better protecting veterans' information, then this bill should be embraced and moved forward as rapidly as possible."
