THE MORE LEGISLATION ON THE VA SECURITY PROGRAM THE BETTER

CSIA 412

DAVID MURILLO

June 15, 2014

INTRODUCTION

The Department of Veterans Affairs has a long-standing history of completely dismissing government security regulations and guidance at worst, or making only a marginal effort to comply at best. Throughout its history, the VA has proven that it cannot be fully trusted to safeguard the privacy of its patients and the networks that their information is kept on. That lack of security cannot continue to be tolerated for the millions of men and women veterans that the Department of Veterans Affairs is entrusted to serve. These men and women have served their country with honor. Often their sacrifice has left them with physical and mental problems that have them looking to the VA for help. Millions of veterans have had their Personally Identifiable Information (PII), along with access to their medical records and military records, compromised either due to a lack of proper network safeguards or poor security practices within the department.

It is my belief that the Department of Veterans Affairs would greatly benefit from the May 2011 Cybersecurity Legislative proposal; more specifically, if their network security systems were fully subjected to government and Department of Homeland Security oversight and control. I believe that without further, more direct accountability, the VA will continue to struggle in securing its networks and securing the privacy of the veterans it has committed to serve.

POINTS OF ANALYSIS

To help guide my view and show the reasoning behind it, I will use three points of analysis selected from the May 2011 Cybersecurity Legislative Proposal that would impose needed cybersecurity requirements on the Department of Veterans Affairs.

Point of Analysis 1: “National Data Breaching reporting would become mandatory” (May 2011 Cybersecurity Legislative proposal).

In May of 2006, an employee of the Department of Veterans Affairs illegally took home a laptop and external hard drive that contained the personally identifiable information of millions of veterans. Eventually both devices were stolen, and even though the employee immediately notified the VA of what had happened, the VA took several days before notifying Congress and veterans of the breach. The National Data Breaching reporting proposal would make it mandatory for all government organizations to fully disclose and report data loss to the consumer. This is extremely important because it lays out a very specific requirement that, in itself, requires the creation of a step-by-step process of accountability that the VA had lacked until then.

Point of Analysis 2: “The Administration proposal would update the Federal Information Security Management Act (FISMA) and formalize DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks, in order to provide departments and agencies with a shared source of expertise” (May 2011 Cybersecurity Legislative proposal).

The VA needs help, plain and simple. For the last three decades they have had multiple issues securing their networks and holding their employees responsible. This legislation would turn over all oversight and regulatory changes to the Department of Homeland Security. This drastic measure would be hugely inappropriate for the majority of local and federal organizations that do a wonderful job of securing their networks; but in the case of the VA it would be not only appropriate, but long overdue.

Point of Analysis 3: “The Administration proposal requires DHS to work with the industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators.” (May 2011 Cybersecurity Legislative proposal)

The VA has not kept up with industry standards. Allowing the Department of Homeland Security to take charge of their networks will ensure that the VA works hand in hand with the latest industry standards, practices and IT professionals.

RESEARCH AND ANALYSIS

In this section, I will go into further depth through my research on the Department of Veterans Affairs' network security policies and the possible outcomes if the proposed legislation highlighted in the three points of analysis were, in fact, to become reality. It is my goal to show that all of the proposed regulations would greatly improve their network security and the information it contains. For example, Point of Analysis 1 will coincide with Impact 1, etc.

Impact 1.

According to the Department of Veterans Affairs Office of Inspector General’s Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans, there was a clear lack of urgency from all those in authority and from those responsible to track and inform the chain of command of the breach. The proposed legislation would, simply put, create a step-by-step standard operating procedure that clearly mandates who is required to inform, what information loss constitutes a loss, and finally, the time limit in which the first/next step of the notification must take place. This requirement would be federally mandated, making it a crime if it is later determined that it was not completed due to negligence.

Impact 2.

According to the Testimony before the Subcommittee on Oversight and Investigations, Committee on Veterans’ Affairs, U.S. House of Representatives, the United States Government Accountability Office has been tracking network security issues dating back all the way to 1997. In fact, the report goes on to detail the multiple issues the VA has had implementing the controls and initiatives the GAO has outlined for them to help further harden their networks. The damning report specifically states that their “IT security and control weaknesses remained pervasive and continued to place VA’s program and financial data at risk”. Though the VA has made great strides towards securing its networks, it is nowhere near as protected as the Government mandates. This long history of lack of security further strengthens my resolve that the VA would greatly benefit from complete DHS oversight of all security measures. I believe that if the current VA network security were placed under that of the DHS and they fully cooperated, great improvement would be made to secure the information of the millions of Veterans it serves.

Impact 3.

According to the Department of Veterans Affairs Strategic Plan, the timetable allotted to “start” coming into full government compliance of their IT networks is between fiscal years 2010-2014. A full four years is set aside for implementation, while every day that passes is another day that a veteran’s medical and military record is put at risk. This proposal ensures that the VA would be working side by side with the best industry professionals and be held to the latest industry standards.

CONCLUSION

It is my belief that the Department of Veterans Affairs is ill-equipped to fully secure their cyber security networks and the information they contain. By fully cooperating with the Department of Homeland Security, the VA can finally start making real progress in mitigating their long history of security weakness and start reversing their poor security practices. By no means do I believe that handing over control to the DHS will be easy, seamless or even a fix-all. But I do believe that with the proper government oversight, fiscal budget and infinite pool of IT professionals, the VA networks can become secure much quicker and more efficiently than according to their current Strategic Plans.

Though all persons deserve to have their privacy secured, given that the VA is responsible for the care and protection of so many Americans who have sacrificed so much, I think drastic measures are necessary to speed up the accountability and security of their networks.

REFERENCES

Department of Veterans Affairs Office of Inspector General. Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans Report. Retrieved from

Department of Veterans Affairs Strategic Plan. Retrieved from

May 2011 Cybersecurity Legislative proposal

Testimony Before the Subcommittee on Oversight and Investigations, Committee on Veterans’ Affairs, U.S. House of Representatives. Retrieved from
