Since taking the job of Department of Veterans Affairs chief information security officer in March 2013, I have had the honor of working alongside some of the best minds in the country to improve and evolve the way VA protects the veteran information we hold. Social Security numbers, addresses, health information like lab results and long-term diagnoses, and financial information — it’s a lot of data that represents the lives of nearly nine million Veterans.
At VA, on Capitol Hill and in the media, we often say we take the responsibility of protecting this veteran information seriously. And we do. We are in fact enthusiastic about the commitment and we challenge ourselves to maintain the best defense in the business.
I left the Navy in 1993 after a decade of service and joined the list of veterans in my family. My grandfather served in World War I. My father served in World War II, Korea and Vietnam. My brother, my sister — both are Veterans. When our defenses fail, my family and I are the potential victims, along with all others who have served and trusted VA with their personal information. About 120,000 Veterans work at VA; in fact 52 percent of VA’s IT security employees are veterans. Many have family who also served, and all share the same dedication to our mission. It’s difficult to describe the bond veterans share, but I think it’s easy to understand. Veterans are our customers and also our extended family.
We’ve worked hard to transform the way we protect our extended family’s personal information. What was once a simpler security system is now a complex, layered defense in which we’ve placed multiple security controls and made them redundant and resilient. If one fails or becomes vulnerable to exploitation, others are in place to maintain security. We call the approach “defense-in-depth,” and our safeguards aren’t limited to software and hardware but extend into policy, process, our handling of paper records, and our fostering a culture of security among all of our employees and contractors.
The veteran information we hold is invaluable, and the threats against its security are ever more sophisticated. We stay determined to protect that information. We’re not content to keep pace with recommended cybersecurity requirements. We push ourselves to be leaders in the field. The VA is one of the first agencies to continuously monitor across our systems, and that gives us an edge in rapid response to threats. We were one of the first federal departments to use the Department of Homeland Security’s Einstein 3 system, an important part of our “perimeter defense” that has detected and blocked attempted attacks before they reached the VA network. We’ve tightened control of how our own people access our network as well as the Internet. We are taking a proactive approach to information security, and looking to the future by testing and piloting new security tools that help us more effectively and seamlessly integrate information security into everything we do. These are all parts of our information security process — and it is a process. There is no end state. New threats continue to emerge, and we will continue to adjust, update, enhance and improve as we monitor the shifting cybersecurity landscape.
When a breach occurs, and it’s possible that a veteran’s information has been mishandled, we react immediately. We don’t wait. It’s our responsibility, and the well-being of our families is potentially at risk. It is important to note that the only completely secure system is one that isn’t turned on. In today’s environment, even with all of the protections and resiliency we have put in place, a breach can still occur. In light of this truth, response to and remediation of incidents are as important as the defense itself. Our incident resolution process is now considered the gold standard across the federal government. We have a Data Breach Core Team that analyzes every reported incident, and if there’s any risk of identity theft the team requires that VA offer free credit monitoring services to the affected veterans. Any veteran who receives the offer of credit monitoring is strongly encouraged to accept the service — it is free, and it can help prevent or remediate identity theft.
We also believe in supporting openness and transparency in the federal government by responding quickly to Freedom of Information Act requests. In its 2015 “Grading the Government” report, the organization Cause of Action, which evaluates Cabinet-level department response times to FOIA requests, gave VA a grade of A. Of the 15 agencies evaluated, VA is one of only two that received an A grade. That’s because we believe that privacy and records management and the timely release of relevant information go hand-in-hand, as we work hard to help our customers, Congress and the general public access VA information as needed.
No organization can be completely immune to security incidents — the threat landscape is too vast and sophisticated. At VA, we recognize that, but we diligently work to keep up with those rapid changes, improve our systems and processes, and establish our department as a cybersecurity leader.