GAO: VA in danger of cyber attack

Thursday - 5/20/2010, 2:41pm EDT

Gregory Wilshusen, director of Information Technology security issues, GAO

Click to hear the interview

Download mp3

We've been telling you about IT security and the Department of Veterans Affairs here at DorobekInsider.

As you probably know, a laptop was recently stolen from a contractor working at the VA.

There was also, of course, the more famous case involving the theft of a laptop and external hard drive from a VA employee back in 2006.

On Tuesday, we talked with NextGov's Alan Holmes about the issue, and on Thursday morning, The Federal Drive told you about testimony by the Government Accountability Office on Capitol Hill.

In addition, In Depth with Francis Rose brought you the testimony of VA CIO Roger Baker, who spoke before the House Veterans Affairs Subcommittee on Oversight and Investigations on Wednesday.

During that hearing, lawmakers also heard from the Inspector General's Office at the VA and the Government Accountability Office.

The GAO's latest report shows a lot of vulnerabilities still exist when it comes to keep the VA safe from hackers and other IT security issues.

Gregory Wilshusen is director of Information Technology security issues at GAO and explains that the agency has taken some action during the past few years:

"VA has taken some steps to improve the security over its systems and laptops and, indeed, VA has encrypted most, if not all, of their laptops that it owns. They've also issued a number of policies and procedures; however, they still have a long way to go."

He says the GAO has identified several things that need to be done, because there are still thousands of vulnerabilities that exist.

"First, VA needs to aggressively mitigate those known vulnerabilities to make sure that they have the appropriate resources there to correct them. Once they get those, they would make a great deal of progress. One of the issues that was identified during the course of the audits over the last few years is that, even when VA closes out some of these vulnerabilities, they've not actually effectively implemented a safeguard to mitigate that vulnerability."

The VA also needs to put automated mechanisms in place that monitor systems and networks, Wilshusen says. This would make it easier for them to find vulnerabilities and get rid of weakness as they occur or are discovered.

"It's important to keep monitoring the security over their systems because, as we know from previous discussions on information security, there are new threats and vulnerabilities that arise every day. So, [the] VA needs to be vigilant in aggressively monitoring the security over their systems."

There also needs to be more oversight, Wilshusen adds. Accountability is key to keeping things secure, plus it's part of the law.

"After that May 2006 incident, Congress passed a law called the Veterans Benefit Health Care and IT Act. That gave greater authority to the VA's chief information officer to implement and enforce security controls across the department. Prior to then, much of VA's information security responsibilities were de-centralized. That [law] has helped to bring greater centralization to the security over VA's systems, which is important, because security is only as strong as the weakest link."

So, the CIO has more control, which has been positive, but the vulnerabilities are still there.

Why?

"It's a very dynamic environment and it's a large, complex computing environment at the VA. It's, by some measures, the second largest federal department, and it has over 400,000 users that they have to account for. . . . There are new vulnerabilities that are being identified every day. [This] creates challenges for agencies."

VA CIO Roger Baker has been at the helm for about a year now, but Wilshusen says there was a lot of turnover in the position before that, which led to disorganization. Now that some stability exists in the CIO's office, Wilshusen says things might start to improve.

"We do follow up on all of our recommendations. Some of [those] that we make were implemented by VA, others are being addressed. We will go back this year to verify whether or not they've actually fully implemented our recommendations. I might just add, too, that VA is not alone. Even though they have had these long-standing weaknesses, many federal agencies experience significant weaknesses in all these controls, as well."

Check out all of Federal News Radio's coverage of cybersecurity issues here.