TNR/Nimitz Tech Collab

NIMITZ TECH NEWS FLASH

"VA Cybersecurity: Protecting Veteran Data from Evolving Threats"

House Veterans Affairs Committee, Technology Modernization Subcommittee Hearing

November 20, 2024 (recording linked here)

HEARING INFORMATION

Witnesses and Written Testimony (linked):

  • The Honorable Kurt DelBene: Assistant Secretary for Information and Technology and Chief Information Officer, U.S. Department of Veterans Affairs

  • Ms. Lynette Sherrill: Deputy Assistant Secretary for Information Security and Chief Information Security Officer, U.S. Department of Veterans Affairs, Office of Information and Technology

  • Mr. Jeff Spaeth: Deputy Chief Information Security Officer and Executive Director of Information Security Operations, U.S. Department of Veterans Affairs, Office of Information and Technology

  • Mr. Michael Bowman: Director, Information Security Audits, U.S. Department of Veterans Affairs, Office of Inspector General

  • Mr. David Powner: Executive Director, Center for Data-Driven Policy, MITRE


HEARING HIGHLIGHTS

Persistent Cybersecurity Vulnerabilities at the VA

The hearing revealed longstanding issues with basic cybersecurity practices, such as weak passwords, unpatched systems, and excessive access permissions. Office of Inspector General (OIG) reports identified recurring vulnerabilities, many of which have persisted for over a decade. The VA’s decentralized structure and vast network of over 1,500 locations make it challenging to apply consistent security controls. Despite some incremental improvements, systemic weaknesses remain a significant concern.

Contractor and Third-Party Cybersecurity Risks

The VA’s reliance on external contractors like Change Healthcare and Optum for critical services, such as billing and data management, introduced additional cybersecurity risks. The February 2024 breach at Change Healthcare highlighted gaps in contractor oversight and security measures. The hearing underscored the need for stricter enforcement of security baselines, improved communication during incidents, and better integration of contractors into the VA’s cybersecurity framework to protect veterans' sensitive data.

Transition to Modern IT and Zero Trust Architecture

The VA is working to modernize its IT systems, including the ongoing transition from the VISTA system to Oracle’s Cerner for electronic health records (EHR). This transition increases the "surface area" for cybersecurity threats, requiring more robust protections. The VA’s implementation of a zero-trust architecture, which assumes no inherent trust across any system, is a critical initiative to enhance cybersecurity. However, this approach is resource-intensive and complex, requiring sustained investment and skilled personnel to fully implement.

IN THEIR WORDS

“Veterans represent a pillar of American democracy for many, making them open to additional threats from those that seek to sow discord and gain access to the U.S. system. As such, cybersecurity must be at the forefront of all veterans’ minds.”

- Ranking Member Cherfilus-McCormick

“No organization that is connected to the internet is ever completely safe from cyber attacks, but we expect the VA to understand their vulnerabilities and maintain every possible defense. When breaches happen, we expect the VA to detect them immediately, contain the damage, and to notify the affected individuals.”

- Chairman Rosendale

OPENING STATEMENTS FROM THE SUBCOMMITTEE

  • Chairman Matt Rosendale welcomed the witnesses to discuss cybersecurity at the Department of Veterans Affairs (VA), mentioning the critical need to protect veterans’ medical and personal data from cyberattacks. He noted the alarming frequency of data breaches in healthcare, including VA systems, sharing that over 519 million health records have been exposed over the past 15 years. Despite Congress allocating resources for cybersecurity, Chairman Rosendale expressed frustration at the slow progress in addressing long-standing vulnerabilities and disagreements over audit findings. He called for accountability, improvement in governance, and measurable progress in achieving a zero-trust cybersecurity posture to protect veterans’ data effectively.

  • Ranking Member Sheila Cherfilus-McCormick underscored the importance of cybersecurity in protecting veterans’ sensitive information and pointed to systemic issues that persist despite incremental increases in funding. She drew attention to the risks posed by claim sharks, phishing attempts, and breaches involving VA contractors, urging the VA to adopt a holistic approach to cybersecurity. The Ranking Member called for partnerships with agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to address resource gaps and stressed the need for Congress to provide sufficient funding to implement necessary cybersecurity solutions.

SUMMARY OF WITNESS STATEMENTS

  • Assistant Secretary Kurt DelBene discussed the VA’s cybersecurity practices, including the deployment of defense-in-depth strategies, partnerships with federal agencies, and the adoption of a zero-trust cybersecurity approach. While noting progress in safeguarding veterans’ data, he acknowledged challenges in recruiting and retaining qualified personnel due to competitive salary limitations. He then noted ongoing efforts to address vulnerabilities identified in audits, implement multi-factor authentication, and secure IT systems, calling for increased resources to strengthen the VA's cybersecurity posture.

  • Mr. Michael Bowman detailed the Office of Inspector General’s (OIG) findings from the Federal Information Security Modernization Act (FISMA) audits, which revealed recurring vulnerabilities in the VA’s IT security program. Despite incremental improvements, all 25 recommendations from the most recent audit were repeat findings. The VA disputed 10 of them. Mr. Bowman praised the VA’s responsiveness to facility-level inspections but urged the department to proactively address systemic weaknesses and implement corrective actions to better protect sensitive veteran information.

  • Mr. David Powner provided an overview of MITRE’s independent cybersecurity assessment, which identified high, moderate, and low-risk vulnerabilities in the VA’s systems. He commended the VA for remediating many findings but noted systemic issues in risk management, cloud security, and incident response. Mr. Powner made recommendations to improve VA’s cybersecurity program, such as enhancing risk management frameworks, reducing shadow IT, and configuring security solutions more effectively. He acknowledged the VA’s progress and expressed confidence that continued oversight and commitment would strengthen the department’s cybersecurity posture.

SUMMARY OF Q and A

  • Chairman Rosendale questioned Mr. Bowman about the VA’s long-standing cybersecurity issues. Mr. Bowman confirmed that most of the 25 recommendations from the 2023 FISMA audit had remained unresolved for over a decade, despite slight modifications. He also noted that the VA generally did not disprove OIG’s findings and pointed to high-risk vulnerabilities in areas such as access control, configuration management, and database security. Mr. Powner added that MITRE’s findings aligned with OIG’s, though MITRE provided deeper insights into shadow IT and detection capabilities. Both experts agreed that addressing the combined recommendations would significantly enhance VA cybersecurity.

  • Ranking Member McCormick asked Mr. DelBene about the adequacy of the $707 million cybersecurity budget. Mr. DelBene explained that the budget was insufficient to meet the VA’s needs, with staffing shortages and a lack of funding for tools like logging capabilities hindering progress. He credited anti-phishing initiatives for reducing email-based attacks but deferred providing detailed answers on the rise in equipment theft incidents.

  • Rep. Keith Self raised concerns about VA contractors’ cybersecurity practices and the fragmented Electronic Health Records (EHR) system. Mr. DelBene assured him that the VA enforced strict security baselines with contractors and noted that consolidating the EHR system would reduce vulnerabilities.

  • Rep. Tim Kennedy referenced cybersecurity breaches at VA facilities and asked about their financial and personal impact. Mr. DelBene acknowledged that costs were difficult to quantify but stressed that better cybersecurity hygiene, such as encryption, could prevent many incidents. Rep. Kennedy mentioned over 1,000 privacy-related incidents in one quarter. Mr. DelBene clarified that they were not necessarily cyber breaches but could involve other privacy issues, such as mailing errors. Both agreed on the need for better funding and staffing to protect veterans' sensitive data effectively.

  • Rep. Morgan Luttrell expressed frustration with the VA’s reactive approach and repeated findings in OIG reports over the past decade. Mr. DelBene defended the VA’s efforts, describing a risk-based approach to cybersecurity and acknowledging that while additional funding would help significantly, it would not eliminate all risks. Rep. Luttrell restated the ongoing challenge of securing the VA’s extensive systems and urged a proactive mindset, especially given the sensitive nature of veterans’ data.

  • Chairman Rosendale noted the 62% increase in cybersecurity funding since 2023 and called for accountability rather than continuous budget requests. He pressed Mr. DelBene for data on the costs of cyber breaches and the effectiveness of the requested funding increases. Mr. DelBene explained the challenges of providing a definitive number but agreed to provide further information. The Chairman reiterated the importance of protecting veterans’ data and called for detailed estimates to justify the VA’s budget requests.

  • Mr. Powner clarified that MITRE’s assessments were not audits but independent evaluations with a focus on deep technical testing. He revealed that out of 442 findings, only 26 were pre-identified by the VA, suggesting a significant gap in internal awareness. Mr. Powner defended MITRE’s methodology and the value of their findings, particularly in addressing systemic vulnerabilities. Mr. DelBene acknowledged the importance of external assessments but maintained that the VA’s risk-based strategy allowed for prioritizing the most critical threats.

  • Ranking Member Cherfilus-McCormick questioned the witnesses on contractor security and repeated findings in FISMA audits. Mr. Bowman attributed recurring issues to the VA’s large, decentralized structure, which complicates the consistent application of cybersecurity controls. He noted incremental improvements, such as a reduction in legacy vulnerabilities, but outlined the persistent challenges in securing a system as extensive as the VA’s. The Ranking Member raised concerns about audit overload on the VA’s staff, to which Mr. DelBene responded by advocating for automation and increased accountability for system owners.

  • Rep. Self asked about the qualifications and background of the MITRE team that conducted the assessment. He then asked Mr. DelBene how much money the VA expects to come back to Congress to request in its FY 26 budget. Mr. DelBene did not provide an answer.

  • Rep. Kennedy brought up the vulnerability of the VA’s healthcare system to ransomware attacks and other breaches, stressing that veterans expect their data to be secure. Mr. DelBene articulated ongoing efforts, such as increased logging and monitoring, to mitigate risks but reiterated that achieving complete security is impossible. He agreed to provide further data on breach costs and funding requirements, stating that sustained investment over multiple years would be necessary to address the VA’s cybersecurity needs comprehensively.

  • Chairman Rosendale questioned the lack of a formal cybersecurity risk strategy at the VA, asking how risk management decisions were made without such a strategy. Mr. Powner explained that while the VA had tools and processes for assessing risks, a comprehensive strategy would ensure consistent assessments across the organization. Mr. DelBene stood behind the VA’s approach of prioritizing critical systems with sensitive veteran data, focusing on high-value targets for hackers. Ms. Lynette Sherrill elaborated on the VA’s layered defenses and efforts to secure vulnerable systems like medical devices but acknowledged the need to mature these strategies further.

  • Chairman Rosendale then criticized the VA’s 95% compliance benchmark, questioning why the most basic cybersecurity measures, such as password complexity and access control audits, were not consistently implemented. Mr. DelBene admitted gaps in coverage, citing the VA’s decentralized structure and large scale, but argued that focusing resources on the highest risks was necessary. He spoke on efforts to improve multi-factor authentication and automate access controls to reduce human error, but he again noted the challenges of achieving 100% compliance in a system as expansive as the VA.

  • Ranking Member Cherfilus-McCormick asked about plans for additional independent reviews of other critical systems, such as the EHR and Veterans Benefits Management System (VBMS). Mr. DelBene expressed interest in conducting more reviews but highlighted cost constraints, suggesting a risk-based approach to selecting systems for assessment. Mr. Bowman outlined the value of site-specific security inspections in supplementing enterprise-wide FISMA audits and mentioned the importance of facilities proactively addressing vulnerabilities rather than waiting for external audits.

  • Rep. Self raised concerns about whether the VA’s incremental improvements in cybersecurity could keep up with rapidly evolving threats. Both Mr. Bowman and Mr. Powner discussed the need for continuous monitoring, faster remediation, and proactive measures like endpoint detection and response. Mr. Powner called for streamlining processes, reducing reliance on outdated plans of action, and updating the FISMA framework to better align with modern cybersecurity challenges.

  • Chairman Rosendale questioned why previously identified vulnerabilities, such as weak passwords and unpatched systems, persisted despite repeated findings in OIG reports. Mr. DelBene acknowledged recurring issues but argued that thematic problems, rather than specific systems, were often the focus of findings. He pointed out that the VA prioritized addressing the most critical risks, but some lower-priority issues remained unresolved due to resource constraints.

  • Mr. Bowman explained discrepancies in vulnerability scans conducted by OIG, clarifying that some scans were conducted outside the pre-approved scope, leading to gaps in the VA’s ability to detect malicious traffic. He noted improvements in 2024, with the VA demonstrating better detection capabilities during similar tests. Chairman Rosendale stressed the importance of unannounced testing to mimic real-world attack scenarios and identify vulnerabilities effectively.

  • Ranking Member Cherfilus-McCormick asked about steps the VA takes to improve veterans’ cyber hygiene. Mr. DelBene detailed measures such as multi-factor authentication for VA systems, protections against phishing and man-in-the-middle attacks, and outreach programs to educate veterans on cybersecurity best practices. Ms. Sherrill explained that during cyber incidents, the VA communicates with veterans service organizations (VSOs), Congress, and local medical centers to ensure consistent messaging and support.

  • The Ranking Member then inquired about future-proofing VA’s cybersecurity efforts. Mr. DelBene spoke on the importance of training a skilled cybersecurity workforce capable of anticipating emerging threats and leveraging technologies like AI. He described the ongoing implementation of a zero-trust framework, which assumes no default trust within systems, to strengthen defenses. He acknowledged the challenges of adapting to new and unexpected attack methods but focused on logical decision-making and risk assessment to mitigate vulnerabilities.

NIMITZ REPORT COLLAB

This week, we combined efforts with the Nimitz Report to bring you coverage of this hearing on both veterans affairs and technology issues. If you are interested in receiving these updates for all things veterans affairs, please click the subscribe link below:

The Nimitz Report: Your exclusive access to veterans affairs policy

ADD TO THE NIMITZ NETWORK

Know someone else who would enjoy our updates? Feel free to forward them this email and have them subscribe here.