VA IT Budget Proposes Boost for Cyber Spending


Featured eBooks

Digital First
Cybersecurity & the Road Ahead
Emerging Technology Trends

Spending on information protection encompasses more than a single budget account and is sprinkled across the department.

The Department of Veterans Affairs wants to spend at least 15 percent more on cybersecurity measures next year.

The department’s fiscal 2016 budget request proposes upping spending at the Office of Information Security by about $24 million to a total of $180 million next year, VA Chief Information Officer Steph Warren told reporters during a conference call Tuesday.

An additional $30 million in operations funding -- also slated for cyber -- would boost spending even more, he added.  

Cybersecurity spending accounts for just 6 percent of the department’s $4.13 billion IT budget request. However, spending on information protection measures encompasses more than a single budget account, Warren said, and is sprinkled across the department.

"Cybersecurity is a team sport,” he said. “We've got dollars identified in the budget that are new tools or new processes. But [for] every single VA employee -- and, more importantly, the ones out at the medical centers -- a large part of their job is doing cyber support and doing activity and actions that are necessary to secure the enterprise.”

The focus on cyber makes sense given the large target VA has proven to be for hackers.

"The threat continues to grow . . . What's coming at us keeps growing,” Warren said.

Last month, alone, there were more than 14 million attempted intrusions into VA networks, according to VA data provided to reporters. The department blocked or contained more than 672 million malware attempts.

Even medical devices at VA facilities have fallen victim to cyber infections. The department is currently quarantining 13 infected devices identified by technicians.  

The department’s cyber woes intensified in the summer of 2013 when it was revealed during congressional testimony that foreign state actors had repeatedly penetrated VA networks.

A six-month independent audit by private cyber firm Mandiant later concluded no domain controllers -- servers that help authenticate users -- had been compromised and that no data theft had taken place. The agency has made the executive summary of that assessment available to reporters as agency lawyers are still reviewing the full report.

Still, the department’s handling of IT has remained a “material weakness” on the annual Federal Information Security Management Act audit for the past 16 years.

Overall, the lion’s share of VA’s IT budget request -- 55 percent and 20 percent, respectively -- would go toward supporting VA’s medical programs and updating its benefits systems.

Correction: An earlier version of this article misstated the amount of the VA's proposed 2016 IT budget. IT is $4.13 billion.

(Image via  /

NEXT STORY: The Case for a Cyber Red Cross