Cybersecurity’s not done until the paperwork is finished
Connecting state and local government leaders
The VA has been dinged – again – by the GAO because of incomplete follow-through in its cybersecurity operations, showing that it takes more than mere box-checking to make regulators happy.
The Veterans Affairs Department has been dinged once again by the Government Accountability Office for lack of follow-through in its cybersecurity operations. In a recent report, VA Needs to Address Identified Vulnerabilities, the GAO warned that unless VA’s security weaknesses are fully addressed, “its information is at heightened risk of unauthorized access, modification and disclosure, and its systems at risk of disruption.”
The problem cited in the report is not so much that VA is doing a bad job securing its networks and systems, but that it has not properly documented security activities and has not developed action plans and milestones for correcting problems.
Documentation and planning are more than busywork. Although it is true that checking boxes and creating reports will not by themselves improve IT security, without them it can be difficult if not impossible to assure what has been done, that it has been done properly and that it can be repeated if necessary.
These processes can make the difference between constantly fighting brushfires and being able to effectively protect an agency enterprise and improve its security posture.
To quote a rule well-known to every government worker: The job’s not finished until the paperwork is done.
Because of its size and the amount of personal and other sensitive information it maintains, the VA is a high-value target. In January, a defect in VA’s web-based eBenefits system exposed personal data of thousands of veterans and their dependents. And in 2010, a nation-state-sponsored attack took advantage of weak technical controls to gain “unchallenged and unfettered access” to VA systems, the GAO said.
These were fairly recent hits, but the fact remains that development of an effective information security program has been a major management challenge for the department since the late 1990s.
This does not mean that VA has no information security. VA’s Network Security Operations Center in 2012 responded to an attack by outsiders, analyzing the scope of the incident and documenting its responses. Even so, “VA could not provide sufficient documentation to demonstrate that these actions were effective,” GAO said.
This problem is not limited to VA. A recent governmentwide review by GAO found that agencies were not able to document effectiveness of their incident response about 65 percent of the time.
In the case of the 2012 VA incident cited, forensics analysis data was not available because of a lack of storage space. The department’s incident response policies also did not provide the incident response team with access to systems logs needed to fully assess the extent of the breach, which raises questions about the effectiveness of the response.
The problems are part of a vicious circle in government cybersecurity. Incident response teams are stretched thin, and their top priority is responding to the problem at hand. Documentation and policy enforcement often take a back seat. But without effective documentation and policies, it can be hard to move beyond crisis management to effectively managing risk.
As I have said before, regulatory compliance does not equal security, but it can provide an essential baseline for achieving more effective security.