VA CIO Reveals Biggest Security Concern
Steph Warren Tells What Keeps Him Up at Night
What cybersecurity issue keeps Steph Warren, CIO of the Department of Veterans Affairs, up at night? He tells me it's the potential long-term harm that data breaches and other incidents can have on public faith in e-commerce.
"If people stop going to the Internet because they don't think it's safe, all the things we're trying to do to enable delivery of service benefits are going to be impacted. We count on that tool; it is a tremendous saver of resources," Warren said in response to a question I asked him during a recent media roundtable to provide an update on various VA IT initiatives.
"It used to be when folks went to mainline businesses on the Internet, they were safe," he said. "The security concerns arose when consumers visited websites offering deals that 'seemed too good to be true.'
"The challenge now is that all those commerce sites are under threat. We've got to figure out how digital commerce can still be done safely, how you can do it with credit tools that don't put your bank account or identities at risk."
Warren says there's a lot at risk if cyberthreats continue to grab headlines.
"I think we are coming into a pretty critical time period," he says. "If the public loses confidence in whether they can safely do ... digital commerce, we've got a serious problem because it's been an engine of innovation and change," he says. "We have got to get our arms around it."
ID Theft Awareness
For its part, the VA has been ramping up efforts to help make veterans more aware of identity theft and fraud risks so that they can avoid falling victim to cybercrimes, Warren says.
That includes providing tips to veterans about how they can protect themselves against ID theft - like using stronger passwords and encrypted e-mail and monitoring their credit card statements. The agency is providing extensive advice for vets on its new VA ID theft website.
The VA offers free credit monitoring to vets when the department experiences breaches of any size that expose sensitive information. But Warren admits that only about 4 percent of vets accept the offer, and he's hoping to get more takers.
Wake-Up Call
The VA grabbed headlines back in May 2006 when the agency reported a breach stemming from a stolen unencrypted laptop that contained information on more than 26 million individuals. Although the device was eventually recovered and the FBI determined that no personal information was inappropriately accessed, the VA agreed to pay $20 million to settle a lawsuit filed by veterans over the incident (see VA Breach: Assessing The Impact).
In the wake of that incident, the VA launched a massive encryption campaign. Today, 100 percent of the VA's more than 430,000 desktop and laptop computers are encrypted, Warren says.
In addition to using encryption to prevent breaches, the VA has been ramping up its efforts to thwart hackers.
At a hearing last year, a member of Congress said hackers from other nations had repeatedly breached VA computers since 2010 (see: VA Systems Hacked From Abroad).
Warren admits that VA systems are "always under threat." But so far, he says, no data has been seized by hackers. "No data has been exfiltrated ... or pulled out, even as viruses hit laptops or desktops."
The VA defends itself against 55,000 new malware variants per day that are tracked and blocked, he says.
The agency's cybersecurity strategy relies heavily on continuous monitoring of network traffic.
"We're constantly updating threats ... with remediation in near real time," he says. The VA uses the Department of Homeland Security's Einstein 3 intrusion detection system to block sites and stop downloads that pose potential threats.
Medical Devices
In another security move, the 600,000 medical devices in use at VA healthcare facilities are segregated from the rest of the enterprise. Warren explains they're run on "an isolation architecture ... to better control access" and help keep those devices away from malware and other threats.
The need to segment medical devices from other network systems was one of several security steps stressed at last week's medical device cybersecurity workshop hosted by the Food and Drug Administration (see Medical Device Hacks: The Dangers).
And Warren says the VA must always look for more ways to improve security.
"We have to keep doing more, and that's what we do. We don't rest on our laurels. The threat environment keeps increasing, the sophistication of the threats keeps growing," he says. "As a large institution we're always under threat."