Warren: Cyber won't suffer in VA budget crunch

Despite a looming $2.5 billion shortfall, efforts to maintain cybersecurity at the Department of Veterans Affairs won't face budget cuts, according to the agency's top tech official.

"I don't see there being any impact on what we're doing from a cybersecurity standpoint. This is an area where the deputy secretary is very engaged," Steph Warren, acting head of the Office of Information and Technology, said on a July 1 call with reporters.

Deputy Secretary Sloan Gibson warned Congress in a June 25 hearing of the House Veterans’ Affairs Committee that the department was facing a budget gap, and sought to tap other funding pipelines, including the $10 billion Veterans Choice fund.

The VA was the first large agency to adopt Einstein 3 network protection tools offered by the Department of Homeland Security. The agency has been publicly releasing reports on attempted attacks and breaches for a few months.

In May 2015, the agency blocked more than 330 million intrusion attempts, 550 million pieces of malware, and more than 73 million suspicious or malicious emails.

According to Warren, malware attempts are trending down from a peak in March, as a result of the wider use of Einstein 3. As other agencies register malware profiles with DHS under Einstein, the fewer unknown modes of attack have a chance of getting through the net.

At the same time, the massive theft of Office of Personnel Management data from government systems, including a trove of extremely sensitive security clearance forms, has the VA, like other organizations, looking for other ways to protect their systems.

The VA is in the midst of conducting the "cybersecurity sprint" ordered by the Office of Management and Budget in the wake of the attack. One tricky aspect is implementing two-factor authentication for access to agency systems. Warren said his office has been working with medical staff on how to add this extra security step to the clinical environment, "without doing harm to patients and patient care."

One area of concern is the use of private social media accounts by federal employees and contractors. The VA uses a service to approve websites for access on agency networks. At the same time, there are potential risks associated with images and links inside social media sites, which has led to a review of VA policy on Internet use.

"We need to push the threat further away from our boundaries," Warren said. Curtailing private use of the Internet is "on the table as we talk about strengthening our protections," he said. A final decision is being tabled until new Assistant Secretary for OI&T LaVerne Council, who was recently confirmed by the Senate, is sworn in to her new job on July 7.

Deputy IG retires

In other VA news, Deputy Inspector General Richard Griffin announced his retirement after a federal career spanning 43 years. The news of Griffin's departure was welcomed by VA critics in Congress and among government watchdog groups, who saw Griffin's reports and investigations as timid.

Inside the VA, a group of whistleblowers who reported rigged wait lists for appointments in Phoenix, the over-prescription of opiates at a Wisconsin medical center, and other problems, cheered the news on their Facebook page, VA Truth Tellers. Griffin's departure was one of the goals of the internal whistleblowers, who long complained of inaction on the part of the OIG.

Danielle Brian, executive director of the Project on Government Oversight said, "Instead of being a champion of whistleblowers, Mr. Griffin was part of the VA’s toxic culture of intimidation and retaliation."

In a VA press release, Griffin thanked OIG staff, saying, "Your collective effort and hard work have resulted in a remarkable record of performance and outstanding achievements."