VA comes up short on cybersecurity audit

In the past, government leaders frequently failed to take the issue of cybersecurity seriously. It took quite a while for decision-makers in every branch to realize that cybersecurity is not just a matter for the IT department to worry about, but a serious issue affecting every agency, as well as national security in general.

Yet while government leaders now largely appreciate the significance of protecting the country's digital assets, many aspects of federal cybersecurity still leave a great deal to be desired.

The latest example of these shortcomings can be found at the Veterans Affairs department. The VA inspector general recently conducted a cybersecurity audit of the department to determine whether its digital resources and networks are sufficiently protected from external threats. And, for the 16th time in as many years, the VA's cybersecurity measures failed to meet requirements, Federal News Radio reported.

VA defenses
According to the source, the VA IG determined that the VA failed to comply with the Federal Information Security Management Act in numerous capacities. 

The full details of the audit will not be available until next year. However, last year's audit found 6,000 specific cybersecurity-related vulnerabilities throughout the VA, the news source noted. At the time, the IG recommended 35 actions to help improve the VA's cybersecurity, including the adoption of high-quality identity and access management tools and the implementation of continuous monitoring. One VA official, speaking on condition of anonymity, revealed that the department will claim to have successfully embraced 18 of these 35 recommendations.

Additionally, the news source reported that the IG informed the VA that this year's cybersecurity audit found the list of vulnerabilities reduced by 21 percent. Obviously, though, this still leaves thousands of potential points of weakness for cybercriminals to exploit.

Stephen Warren, CIO for the VA, emphasized that the department is continuing to make progress.

"I was disappointed and I know the team was disappointed given the significant time and effort we applied this year," Warren said, according to the source. "But we are going to continue to drive on this. We are going to continue to push so that we move forward on the rigorous, disciplined plan the team has put together so that when the audit team shows up next year they will continue to see the constant improvement they recognized even this past audit season."

Warren also argued that the number of vulnerabilities appears greater than it really is in the context of the VA's total IT enterprise. He claimed that the VA ultimately runs between 1.2 and 1.4 million devices, with multiple services running on each gadget. In this sense, 6,000 vulnerabilities is a relatively small figure.

However, the fact remains that this still leaves many opportunities for cybercriminals or state-sponsored hackers to gain access to VA records and resources.

The human factor
Clearly, the VA has work to do in order to shore up its cybersecurity. As Federal Times contributor Aaron Boyd pointed out, though, these efforts cannot focus elusively on technology. In many cases, the VA's biggest cybersecurity troubles have been due to human errors. 

For example, the source noted that an October VA report determined that lost or stolen devices and paperwork were directly responsible for the leak of hundreds of veterans' sensitive information.

"Making sure the VA as an organization – not IT as an organization – recognizes that the practices that are used in day-to-day behavior is critical for how we protect veterans' data," said Warren in regard to that report, Federal Times noted.

To achieve true cybersecurity, the VA and every other federal agency needs to take steps to protect its systems not just from external attackers, but also insider mistakes.