Increasing our attention on cybersecurity at VA is an absolutely critical component of our vision and its focus on operational excellence. Our highest priority is protecting our Veterans’ personal information and ensuring our systems and services are available to care for our Veterans, their families, and care providers. Moreover, we believe that we don’t earn the right to deliver the next set of feature improvements to our products and services unless we first create and maintain a secure environment that is shielded against cyber attacks.

The digital footprint of the Department of Veterans Affairs (VA) is vast, including over 500,000 desktops at over 2,000 locations, interfacing with over 1,000 systems. That scale alone makes securing this environment very challenging. It’s made more difficult by the diversity of systems, the age of those systems, and the fact that they don’t share a common structure or architecture.

To address this risk and complexity, the federal government expends a lot of effort on establishing security policies, which help establish baseline requirements for good cybersecurity practices and configurations, but policy alone is insufficient. It’s much easier to create security policies than to enforce them. Policies are often created that are unrealistic to enforce. Others may not be at the right level of specificity to be actionable. Still others may be the result of an external mandate that is not aligned with the overall risk-based priorities of the organization. As a result, there’s a temptation to conclude that because you’ve defined a comprehensive set of policies and rolled them out as requirements, you’ve solved the problem; yet policies and their enforcement are only one component of a strong cybersecurity program.

VA has many security policies that drive a great number of processes around compliance checking. Even the Federal Information Security Modernization Act (FISMA) audit, conducted each year by our Office of the Inspector General (OIG), is highly focused on whether VA is adhering to our own policies. This isn’t wrong. However, auditing compliance with security policy isn’t equivalent to auditing the organization’s security. To ensure a highly secure environment, we must complement security policy with a deep technical assessment of our security posture and engineering efforts.

We need to increase our focus on risk-based assessments of our current security posture. We must constantly assess where the greatest risks lie and which of them most need mitigating. These assessments should ask:

  • What is our most worrisome theory of how we might be breached?
  • How would threat actors get in and exploit our information and systems?
  • If a breach occurs, what is the most valuable asset, intellectual property, or service that would be exposed, and how significant is that risk?
  • What specific mitigations do we need to bet on to reduce these risks?
  • How good are our response and remediation capabilities?
  • How will we measure our progress?

Embrace a secure framework

Executive Order (EO) 14028 requirements provide many focus areas for improving our nation’s cybersecurity—namely, deploying secure government cloud services, implementing Zero Trust architecture government-wide, and mandating multifactor authentication and encryption. But more than simply being a federal mandate, VA embraced Zero Trust Architecture as our security framework because it is powerful. It is comprehensive yet simple to understand. At its heart, it has a simple premise: assume you’ll be breached and then ask, “What can they get their hands on?” There should be no implicit trust by virtue of having gained access to the Intranet.

It’s easy to find recommended implementation paths for Zero Trust, but it’s not a project with a beginning and an end. Nor can you write up an execution plan that works for all organizations. Zero Trust creates a solid framework for implementing robust security in an organization, but the implementation order needs to reflect your view of the greatest risks in the organization. For us at VA, there are a number of areas we focus on:

  • Get to 100% multifactor authentication (MFA) and drive MFA exemptions to zero. This means having alternatives other than a username and password for people who have trouble using the primary MFA method (PIV cards for those of us at VA).
  • Get to 100% of systems using single sign-on (SSO), enabling us to manage permissions more centrally.
  • Eliminate simple name and password authentications, including service accounts, and find ways to further secure and validate access granted to service accounts.
  • Enforce endpoint protection on 100% of devices and ensure all devices meet baseline configuration requirements. For BYOD devices, either require that they run endpoint protection or assume the worst and restrict their access accordingly.
  • Completely isolate the most mission-critical systems from our Intranet. This is a significant investment that takes time and focus, but the Intranet is a popular target for phishing attacks and provides too much risk of lateral movement once threats gain access.
  • Challenge our defenses. Our environment is incredibly complex and has so many projects going on that the risk of vulnerabilities being inadvertently introduced is high. We must continuously and aggressively look for vulnerabilities via ongoing sweeps and red team exercises.
  • Deploy great monitoring to look for indicators of compromise. The tools in this area are getting better all the time. 
  • Focus on robust and rapid incident response. Measure and set goals for our response through metrics like Mean Time to Containment (MTTC) and Mean Time to Remediation (MTTR).
  • Drive towards regular audits of user access lists, and ultimately, build the needed linkages to HR systems to automatically remove account access upon job change or termination.
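As an added illustration of several of the items above (driving MFA exemptions to zero, removing password-only service accounts, and tying access reviews to HR data so that job changes and terminations are caught), here is one way an access-review reconciliation can be written. This is example code, not VA’s own tooling; the record shapes, the "dept-<department>" group naming convention, and the sample roster are all constructed assumptions for the example.

```python
"""Access-review reconciliation: HR roster vs. directory accounts.

Added example; not VA code. Record shapes, the "dept-<department>" group
naming convention, and all sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str        # "active" or "terminated"
    department: str


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    mfa_methods: FrozenSet[str]   # e.g. {"piv"}; empty means password-only
    mfa_exempt: bool              # approved exemption, which we want driven to zero
    is_service: bool
    groups: FrozenSet[str]


def reconcile(hr_records: List[HrRecord],
              accounts: List[Account]) -> Tuple[List[Tuple[str, str]], Dict[str, float]]:
    """Return (sorted findings, metrics) for one access-review cycle.

    Findings are (finding_type, subject) pairs; the metrics track MFA coverage
    across enabled human accounts so progress can be charted between cycles.
    """
    hr_by_id = {r.user_id: r for r in hr_records}
    findings: List[Tuple[str, str]] = []
    humans_enabled = 0
    mfa_enforced = 0

    for acct in accounts:
        if not acct.enabled:
            continue                      # disabled accounts carry no access to review
        if acct.is_service:
            # Service accounts cannot hold a PIV; flag any still relying on a password alone.
            if not acct.mfa_methods:
                findings.append(("service_account_password_only", acct.user_id))
            continue

        humans_enabled += 1
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            # No HR record behind the account: nobody is accountable for it.
            findings.append(("orphan_account", acct.user_id))
        elif rec.status == "terminated":
            # The HR-to-directory linkage should have disabled this automatically.
            findings.append(("terminated_still_enabled", acct.user_id))
        else:
            # Job-change check: department groups in the directory must match HR.
            expected = f"dept-{rec.department}"
            for group in sorted(acct.groups):
                if group.startswith("dept-") and group != expected:
                    findings.append(("stale_department_group", f"{acct.user_id}:{group}"))

        if acct.mfa_exempt:
            findings.append(("mfa_exempt", acct.user_id))
        elif not acct.mfa_methods:
            # Password-only with no approved exemption: a gap, not a waiver.
            findings.append(("password_only_no_exemption", acct.user_id))
        else:
            mfa_enforced += 1

    pct = round(100.0 * mfa_enforced / humans_enabled, 1) if humans_enabled else 100.0
    return sorted(findings), {"humans_enabled": humans_enabled, "mfa_enforced_pct": pct}


# Constructed sample data (not real VA records).
SAMPLE_HR = [
    HrRecord("alice", "active", "finance"),
    HrRecord("bob", "terminated", "clinical"),
    HrRecord("carol", "active", "it"),        # moved from finance to IT
    HrRecord("erin", "active", "it"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, frozenset({"piv"}), False, False, frozenset({"dept-finance"})),
    Account("bob", True, frozenset({"piv"}), False, False, frozenset({"dept-clinical"})),
    Account("carol", True, frozenset(), True, False, frozenset({"dept-finance"})),
    Account("dave", True, frozenset({"piv"}), False, False, frozenset({"dept-it"})),
    Account("erin", True, frozenset(), False, False, frozenset({"dept-it"})),
    Account("svc-backup", True, frozenset(), False, True, frozenset()),
    Account("frank", False, frozenset(), False, False, frozenset({"dept-it"})),
]


def run_sample():
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    found, stats = run_sample()
    for kind, subject in found:
        print(f"{kind:32s} {subject}")
    print(stats)
```

Run on a real environment, the HR roster and account list would be pulled from the HR system and the identity provider rather than embedded; the point of the check is that every finding maps to a named owner and an action (disable, re-enrol, fix group membership, or retire a password-only service account), and the coverage percentage gives a number to put against an OKR.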

We can and must make these multiple investments simultaneously, since most will take time to come to fruition. An example of this is achieving least-privilege access, a difficult technology and business process challenge.

We must measure and track our progress relentlessly. For us, we focus on the most pressing near-term goals through Objectives and Key Results (OKRs). We establish a set of OKRs that represent our highest priority cybersecurity efforts, drive hard to accomplish the goals we set, and edit the list as we accomplish more or the environment changes.

In my view, organizations shouldn’t be too enamored with maturity models. These models aren’t well calibrated to the degree of implementation difficulty and are generalizations, while breaches are specific. I think they’re best used as a list of potential investments to use in assessing your strategy. You still have to figure out which investments you believe will yield the greatest improvement in security per erg of energy expended.

Leverage FITARA and ATOs as hard gates

In an organization as complex as VA, people have many competing priorities and real-time distractions that divert attention from even high priorities like cybersecurity. As a result, there must be forcing functions that drive compliance. Fortunately, there are two such gates for all projects in the federal government: Federal Information Technology Acquisition Reform Act (FITARA) compliance and the Authorization to Operate (ATO) process. All projects must pass through these two gates. We leverage FITARA to ensure all IT projects have a good plan in place for cybersecurity and clearly articulate who is accountable for it. We use the ATO process to assess our true level of system security—and to confirm that the project maintains a high expected security level—not just that it adheres to our cybersecurity policies. In addition to reviewing compliance against cybersecurity policies, we push for a true technical assessment of the residual cyber risks of operating the system and a discussion of whether they are acceptable risks for the organization. In the end, the Authorizing Official (AO) must feel that they are personally signing off on the risk for the entire organization and must take that responsibility seriously.

Drive clear cybersecurity responsibilities for Shadow IT

Shadow IT is inevitable in any organization, and we have much more than I’d like at VA. We can’t fully eliminate it, but it can’t be a place where cyber risk is introduced. We need to ensure a strong cybersecurity skillset in the team that owns and manages the Shadow IT system. This isn’t easy, since the organization’s non-IT businesses often own Shadow IT, and technology is not their mission. That’s what’s most scary about Shadow IT. We need to ensure that if the business is insistent on owning the system, they understand and adhere to all cybersecurity requirements in the organization. This is a great place to use FITARA and ATO as hard gates that Shadow IT systems and services must pass through. This depends on ensuring the organization’s CIO reviews all Shadow IT investments, so that they go through these gates, and that the CIO feels personally accountable for the security of the Shadow IT system, even if he or she doesn’t have day-to-day responsibility for managing it. It’s one of the toughest mismatches between authority and accountability in the CIO role.

Build deep cyber skills within the organization

As I mentioned, in an organization as vast as VA, it’s easy to focus solely on cybersecurity policy adherence rather than the technical assessment of cyber risk. The reality is that deep technical assessment and mitigation planning necessitate strong cyber skills. Even policy adherence roles benefit from a strong technical understanding of cybersecurity. With the high demand for cybersecurity skills in the market, building these skills internally is critically important. It also represents a valuable career path for an IT professional, including veterans, who represent half the OIT team. We are working to increase our focus on building strong cyber skills and career paths in the organization, driving the effort across our cyber workforce recruitment, hiring, and retention efforts. We believe that we have a huge opportunity to onboard smart individuals, build their cyber skills, and in so doing, build a skillset that results in a rewarding and fulfilling career for them and an enduring asset for VA.

Be paranoid, very paranoid

Security is a space where the adage that it’s impossible to prove a negative is particularly apt. There is no way to prove that your organization is secure from cyberthreats. Even if you could, cyber attacks are getting more sophisticated all the time. I’ve read intrusion scenarios that have left me amazed at the multi-step path to exploitation—scenarios that had to be explained to me multiple times before I truly understood them. The rapid evolution and adoption of AI only heightens these risks, for example by making it easier to sift through large volumes of data for patterns and to find potential vulnerabilities in software code. The threats to an organization will always increase, and so too must our readiness for new threats, supported by our ability to remediate and recover from them.

Reflecting on all of this, not only is it impossible to prove that your organization is secure, it’s impossible to prove your organization hasn’t already been compromised. Attackers will gain entry to an organization, establish a quiet foothold, and wait to act on it until they have all the information they need or the time is right.

The only appropriate posture under these circumstances is to assume you’ve been breached, theorize how it was done, and work as hard and as fast as you can to close the vulnerabilities. In short, you need to be continuously paranoid about being exploited to give your organization a good chance that you won’t be.
