VA bringing latest cyber tools to bear to improve network defenses

Steph Warren, CIO, Veterans Affairs Department

wfedstaff | April 17, 2015 11:12 pm

The Veterans Affairs Department is among the first agencies to turn on advanced cybersecurity capabilities known as Einstein 3 Accelerated. VA’s move to the Department of Homeland Security’s E3A is part of its new strategy to answer long-standing criticisms about how it protects the data of millions of veterans. Most recently, VA failed its Federal Information Security Management Act audit for the 16th straight year.

“We have a very structured, layered defense in-depth in terms of how do we protect ourselves from the inside out where we start at the data layer and we go all the way out. We go out to our perimeter where we actually count on DHS to watch our back,” said Steph Warren, the VA’s chief information officer, during a recent press roundtable.

DHS says the EINSTEIN 3A program can detect malicious traffic targeting federal government networks and prevent those attacks from getting inside. The agency counts on commercial Internet Service Providers (ISPs) to deliver these capabilities as a managed service. The ISPs follow DHS’ instructions to provide intrusion prevention and threat-based decision-making services on network traffic entering or leaving participating federal civilian networks.

In fact, CenturyLink earlier this month became the first vendor to qualify to deliver E3A services to federal civilian agencies.

DHS’s Andy Ozment, assistant secretary of the Office of Cybersecurity and Communications, said in October that Einstein 3A now is deployed and covers about 25 percent of the civilian government by people. DHS continues to work with service providers to extend the coverage to the rest of the civilian government, and with the vendors to add new types of attacks for Einstein 3 to block.

“The committee remains concerned that VA is placing too much confidence in Einstein, which is able to protect against security threats from known profiles but is not always able to protect against threats from unknown profiles,” said a House Veterans Affairs Committee staff member. “Additionally, the committee shares the concerns recently outlined in a November 2014 Government Accountability Office review that details how VA’s failure to fully address known IT weaknesses puts the department’s information ‘at heightened risk of unauthorized access, modification, and disclosure.’ Further, we are deeply troubled by the fact that VA will fail its annual cybersecurity audit for the 16th straight year.”

CRISP gives VA new capabilities

Warren said E3A is one of several ongoing cybersecurity initiatives to better protect their data and networks. Warren told the House Veterans Affairs Committee in November he is spending an additional $60 million on cybersecurity in 2015 to improve faster.

Besides more money, Warren said VA is seeing benefits from continuous monitoring.

“The other thing where we are the second department to pick it up — the State Department moved out first — is the concept of continuous monitoring. In fact August of last year, we turned on continuous monitoring and we are constantly updating what is our threat boundary,” Warren said. “When we do scans across the complex, the scan results get loaded into the accreditation [system], how we control those applications and systems so we can make sure remediation of things found in near-real time is being dealt with.”

VA’s continuous monitoring program, called the Continuous Readiness in Information Security Program (CRISP), has been in place for more than a year at least at the pilot stage.

In February, Warren updated VA’s policy handbook detailing how the agency should conduct authorizations and accreditations (A&A) and implement continuous monitoring based on the National Institute of Standards and Technology guidance.

VA’s inspector general said in its 2013 FISMA audit released in May 2014 that “VA has improved systems and data security control protections by implementing technological solutions, such as secure remote access, application filtering, and portable storage device encryption. Further, VA is deploying various software and configuration monitoring tools to VA facilities as part of its ‘Visibility to Server’ and ‘Visibility to Desktop’ initiatives. However, VA has not fully implemented the tools necessary to inventory the software components supporting critical programs and operations.”

But the IG says VA needs to do more as well. The agency “lacks an effective continuous monitoring process to identify unsecure system configurations and perform automated monitoring for unauthorized software and hardware devices. In addition, VA has not defined an inventory of authorized hardware and software nor implemented processes for removing unauthorized software on its systems.”

Warren said VA needs to continue to do more to secure its data and networks because the threat environment is constantly increasing and changing.

“One of the things that is very important to recognize is there is the ‘How are you complying against a paper standard? And how are you doing protecting information?’ These things are measures and indicators of how an organization is doing,” he said. “We are always driving on making sure that the FISMA/FISCAM audit, the annual financial audit — that we continue to work on the things that they identify. They’re focused on are our financial systems secure and then they bound in some of these other areas. We are always looking at changing those, improving those and adding to those and improving the profile.
But it’s important to recognize that compliance to a standard is very, very important, but at the end of the day, we need to deliver services and benefits to veterans.”

The loss of data is unknown

He said VA must weigh all the risk factors when making decisions on how best to secure the agency’s data and networks. Warren said he could make the most secure system by unplugging it and burying it in a lead box 6 feet underground, but that wouldn’t help the veterans.

“My security team, my developer team, my operations team, our data is there too. It’s not this hypothetical thing,” he said. “It’s something we worry about because our information is in there, our parents’ information is in there and our siblings’ information is in there because it’s that important to us, we drive even on the standards, we drive on the outcomes and we measure the outcomes, and I can assure you none of my folks are satisfied with what we’ve done. We keep doing more. We keep adding on it. We keep pushing.”

Warren said even with the IG reports and congressional investigations, no auditors have said over the last year VA has had a data breach.

But in July 2013, the IG and VA’s former chief information security officer, Jerry Davis, told the House Veterans Affairs Committee of at least eight instances since 2010 in which nation state actors or other criminals found a way into VA’s system and took data.

Warren said the hearing highlighted problems that happened one or two years beforehand.

“When you talk about what happens is there is this progression of threats that hit desktop or a laptop or a mobile device, and where does it go to and how does it get to the data. The compromise doesn’t happen until the data actually leaves the organization or enterprise. We were upfront in terms of say, ‘Yes, there were things that came into the enterprise.’ But the ability to say, ‘Yes, veterans’ data got exfiltrated from the organization.’ All the teams said no that didn’t happen.
What you run into in this community is nobody will make a definitive statement because there is always some potential of what happened or what didn’t happen. My team assures me every day there hasn’t been an exfiltration. Data hasn’t been pulled out. Data isn’t being pulled out. Even as we are dealing with a virus that hit a desktop or laptop, that we’ve tracked, we’ve quarantined and we’ve removed.”
