VA spruces up security act

Agency tightens system, personnel management

Only 18 months ago, the Department of Veterans Affairs received a failing grade for its cybersecurity efforts.

Reports from the inspector general's office criticized the agency for failing to protect its computer environment. Congress was up in arms over disclosures that it was a cakewalk to hack the VA's systems. And VA officials did not even know how many renegade gateways had been set up into the VA's computer systems.

In a remarkably short period of time, the VA has cleaned up its act.

"When I got here, this place — cybersecurity — was pretty chaotic," said Bruce Brody, the VA's cybersecurity chief since March 2001. "There was nothing but bad news."

But Brody had some strong supporters who resolved to fix the problem. Backed by VA Secretary Anthony Principi, who has promised to create one VA, and chief information officer John Gauss, Brody has made changes that are becoming the model for other agencies facing cybersecurity threats.

"With the support of the secretary and the leadership of the CIO and his team, we have come a long way," Brody said. "But much remains to be done, and we are working very hard to do it."

It is no easy task. There are more than 200 unauthorized and unprotected gateways into the VA's central cyber infrastructure, built by employees in the field with no authority to do so. It was "uncontrolled," Brody said. And VA officials had no idea how big VA cyberspace was.

"They sprouted like a thousand flowers blooming," Brody said. "There was no consistent security policy. Wherever someone wanted a gateway, there was a gateway."

The VA launched the Enterprise Cyber Security Infrastructure Project to find the gateways and secure them. In the next two years, the VA will create standardized hardened gateways that will be centrally managed and monitored by VA security operations centers.

In October, the VA will begin closing down the unauthorized gateways. In the meantime, the cybersecurity office is requiring tighter firewalls and periodic security testing to make sure hackers cannot get in.

"By September 2004, there will only be a single-digit number of exit gateways...and no other external connections," Brody said.

Gateways aren't the only problem within the VA, although they have been one of the biggest headaches. The agency has worked to develop a cutting-edge enterprise architecture plan and standardize programs throughout its network, which reaches more than 160 hospitals. Last month, the VA awarded a contract to manage its nationwide security services around the clock. It is putting a national virtual private network in place in October. The VPN will let the agency encapsulate and encrypt data before sending it to a specific destination.

"Veterans records are more secure than they have been in the past," Brody said. "They are not as secure as they will be in the future."

Matt Roland of Gartner Inc., a market research firm, said that good information technology security is a property of an environment, not the property of a product or technology.

"A lot of organizations focused on deploying firewalls and antivirus software," he said. "Now there is an increased emphasis on establishing management processes around these technologies."

It appears the VA has turned a corner. In August, Principi consolidated IT management and budget functions under the CIO, a move Congress had sought for seven years. The order also consolidates cybersecurity functions, including centralizing the $50 million cybersecurity budget in Brody's office.

Art Wu, staff director of the House Veterans' Affairs Committee's Oversight and Investigations Subcommittee, said the VA's actions should "expedite and facilitate VA's compliance under" the Government Information Security Reform Act.

The VA is "definitely on the right track," according to Shannon Kellogg, vice president for information security programs at the IT Association of America.

The agency is looking at security in a "holistic fashion, a multi-tiered process," and that makes all the difference, Kellogg said.

***

Tightening up

The Department of Veterans Affairs has done the following to protect its systems:

* Launched the Enterprise Cyber Security Infrastructure Project to find unauthorized gateways to the agency's systems and shut them down.

* Required tighter firewalls and periodic security testing to ensure hackers cannot get in.

* Awarded a contract in August for around-the-clock nationwide managed security services.

* Is putting a national virtual private network in place, scheduled for October.

* Centralized the $50 million cybersecurity budget in the VA cybersecurity chief's office.