The Veterans Affairs Department already is facing more than 1 billion attempted cyber attacks a month. But as the complexity and volume of cyber threats increases across the government, VA IT officials are starting to prepare for a worst case scenario.
At VA, or for that matter any agency, a doomsday or worst case scenario would occur if there are so many cyber attacks, so many attempts to penetrate the networks and steal the data, that the infrastructure would either shutdown completely or the bad actors would get through and have free will inside their network.
Now VA is pretty far from facing that kind of attack or consequences, but IT officials see the rate and volume of attacks building monthly and must prepare for the what-if scenarios.
Steph Warren, the VA chief information officer, said attacks against VA’s networks increased to more than 1 billion in March and just under 1 billion in April after being at 300 million as of November.
Warren said while the number of attacks did decrease in April as compared to March, the signs are clear that any IT networks no matter the organization must prepare for the future.
Warren said Tuesday in a call with reporters that VA sits at an elevated state of cybersecurity, so he asked his security team what would happen if they had to go to severe or even critical because of cyber attacks.
“They will look at all the different controls, all of the additional enhancements we would put in place as we cross those thresholds. The team has already had its first meeting on that last week, and then we are having an internal cybersecurity summit on the [June] 3, 9 and 10 starting with the internal IT workforce across the leadership to make sure what the boundaries are,” he said. “Then, we will bring the customers in to talk about what are the potential mission impacts as we continue to strengthen and build on the protections we have. The team is working through that and once they are done, they will lay out to core leadership where do we need to take this so that we are prepared for whatever happens out in the environment as that level of risk goes up, as the threats continue to increase, what are the additional protections we can put in place recognizing we are an organization that has the day-to-day operational mission.”
Understanding the mission impact
Warren said the cyber summit may begin with just IT and cyber experts, but it will include the business folks because really any decision his office makes must be based on mission needs.
“Having the team sit down and ask, if we cross the threshold that requires us to go to severe, what would we be doing, what systems would we be tamping down, what controls would we be putting in place, what additional things would we be blocking, and it was more than just the IT folks saying, ‘OK, flip the switch,'” he said. “It’s laying those things out, sitting down with the mission folks and saying if we cross the threshold to the next infocom level, and that would be mean we would do this and this and this and this and this, what is the mission impact? What do we need to do today to ameliorate the potential mission impact?”
Warren said the goal of this effort is to understand both intended and unintended consequences to the mission and veterans’ services should VA have to move its cyber posture to critical or severe.
There are things the VA can do today to better let the department withstand the volume and complexity of attacks as they grow. Warren said one area VA continues to spend a lot of time and money on is the continued implementation of cyber tools and services from the Homeland Security Department, including the Einstein 3 program. He said those new tools were part of the reason for the slight overall decrease in overall cyber attacks from March to April.
VA continues to be under a heavy scrutiny for its efforts around protecting its networks and the data of millions of veterans from its overseers on Capitol Hill and from its inspector general.
Just last week, the VA IG reported the agency failed its Federal Information Security Management Act audit for the 16th year in a row.
VA has done several things since November to try to build confidence in its cyber efforts, including placing 170 contractors across 140 sites to reduce the number of severe and critical vulnerabilities in their systems. Warren said VA has decreased the number of overall vulnerabilities by 67 percent since November.
But one major problem has been the turnover in the cyber operations roles.
High turnover in operational role
By one count as many as six people over the last two years were brought in or promoted to run VA’s cyber operations. But all executives eventually left after a short time and now Dan Galick is the latest person to whom VA has given the reins.
Each of the previous cyber operations executives left after a short amount of time — some just four months, while others after year or so — and that lack of consistency damages the ability of CRISP to have its intended impact.
When asked about the turnover in VA’s cyber operational roles, Warren said there have been different stages of the program and CRISP needed leaders with different skill sets.
Warren said the Continuous Readiness in Information Security Program (CRISP), or any program for that matter, must be based on a set of processes and procedures and not a person or personality.
“There is heavy senior leadership engagement on this. The deputies are involved. All of the senior executives are involved. We basically amped it up so giving Dan support such that as things need to execute, they execute,” he said. “When we put him in place, one of the things we did was we made sure that we went around the table and said to all my deputies, ‘You basically are giving Dan the authority to succeed, and you are allocating one of your key individuals to be on Dan’s team because we are trying to make sure the individual in the role has the authority, has the resources to make it happen.'”
The broad support is important, but one source says that the lack of integration among IT domains is the real problem. The source, who has knowledge of VA’s cybersecurity infrastructure, says the agency has thrown money at the problem, but the issue is a lack of comprehensive cyber strategy to bring all the pieces and parts together.
“What you see here is lack of programmatic focus. The agency has not fully grasped that security has to be managed as an integrated program across all IT domains,” said the source, who requested anonymity. “There continues to be too much focus on addressing each domain individually and not on integrating the components that make up the entirety of the information technology program. Remember the saying that ‘The whole is greater than the sum of its parts?’ Well this is a perfect example of that VA needs a holistic approach to getting healthy. The security program needs to be fully integrated into all primary domains such as IT operations, enterprise architecture, application development, etc. and across all VA business units. When security is fully integrated, and the integration is managed, then it’s really sort of ‘invisible.’ VA’s problem is that they don’t know what a holistic program looks like. A well thought out and implemented framework informs the security strategy and feeds the security ecosystem.”
Digital services growing
Along with a focus on straight cybersecurity, VA also is ramping up its product development team. This effort has cyber underpinnings, but really is about how the agency meets its mission.
VA is doing two big things. First, Warren said Greg Ambrose is coming over to VA from the State Department to be the deputy CIO for product development.
Warren said Ambrose will replace Lorraine Lanfried, who left last July. Ambrose will join VA at end of May and brings a background in project management and acquisition management. Ambrose also will help VA continue its move to agile development.
Along those same lines, Warren said VA’s digital service team has grown to 12 people and has a goal of 25 by the end of the year and 75 by the end of fiscal 2016. Warren recently had the digital services team come out to a VA developer conference in Dallas.
“They are starting out on MyVA,” he said. “The whole reason why I had them come out to our developer conference is because we need to embed them and make them a part of our other work that is taking place in terms of helping us make sure the knowledge they are bringing to the table, the speed to market, the flexibility of their infrastructure stack, how do we take advantage of that as we continue to evolve major systems at the VA. The intent is not just MyVA, but getting them integrated in with the rest of our team. I tried very, very hard to make sure it’s not just an ‘us and them.’ They are part of the team and we look at them as a resource. One of the things that we talked about, and we’ve all agreed that it’s not the intent, is there is a management style called, ‘management by seagull,’ where you come in, make a lot of noise and crap all over the place and then you leave. We’ve all committed the DSE folks are not seagulls. They are coming in, they are making long-term changes, they are owning those changes and we, as a team, are supporting those changes going forward.”
Warren said the digital services team is bringing in new experiences and skillsets for them to integrate into how VA is building services for veterans.