The Department of Veterans Affairs is defending its embattled cyber protection program, arguing the agency is not using the tools it needs to protect cyber criminals and cyber attacks.
The Cyber Protection Force, which oversees cybersecurity for nearly 3,000 federal agencies, was formed by Congress in 2016 to coordinate the department’s cybersecurity efforts.
In a letter to the House Committee on Veterans’ Affairs, Deputy Secretary of Veterans’ Services Michael D. Gorton says the force is not a cybersecurity watchdog agency and that the cyber protection effort is in fact being overseen by the Federal Information Processing Agency.
“We are an agency with a mission to protect the security and integrity of our systems and networks,” Gortons letter said.
“In the past year, the Cyber Protection Team has taken unprecedented steps to safeguard critical systems and their data.”
Gortons warning came as the cyber threat landscape in the U.S. continues to evolve.
Cyber attacks have become more sophisticated and deadly.
For instance, in December, a Russian hacker claimed responsibility for a breach at the U-2 spy plane, the Uighur Airlines plane used to carry Chinese military personnel and equipment to the Chinese border.
And in January, a hacker claimed to have compromised the personal information of more than 600,000 veterans and active-duty military personnel.”VA is committed to making the cyber threats facing our nation more challenging and resilient,” GORTON wrote in the letter.
“This means, as a result of our efforts, the cyber security of the UAS and military aviation has been strengthened, with the goal of making it harder for cyber criminals, hackers, and others to access our networks and cause harm.”
The VA’s cyber threat threat management office, which is led by VA Chief Information Officer Joe R. Sowers, also wrote in a letter that the agency has not made the cyber attacks a priority, even though the agency’s cybersecurity is the departments top concern.
“VA does not view cyber attacks as an emergency,” the letter said, “but as a threat to our nation.”
But the cyberthreats the VA is dealing with have nothing to do with cybersecurity, according to former Homeland Security Secretary Michael Chertoff, who served in the Obama administration and has criticized VA cyber policies.
“There are no cyber threat intelligence or cybersecurity teams in the Department of Veteran Affairs,” Chertof told The Hill.
“The VA has no cybersecurity teams.”
According to Chertofs letter to lawmakers, VA officials have been working with other federal agencies to develop cybersecurity tools and strategies.
But the department does not have the capacity to develop these tools and policies, Chertoft said.
“The cybersecurity team is an outgrowth of the Office of the Inspector General, and it’s been working in partnership with the IG,” Cher toff said.
Chertoff said the VA has been using cyber-security tools for years.
The Office of Inspector General reviews the Department’s cybersecurity strategy and performs oversight on how the department is using cyber threats.
“If you look at the VA’s budget and the agency budget, you can see it’s a very large amount of money,” Chertos letter to Congress said.
The VA is working to implement cyber security policies to protect its networks, said Chertoffe, who also served as Undersecretary for Cybersecurity.
But Chertofen, who joined the department in 2014, said the department has not implemented the cyber policy that was developed by Chertofd and that VA is still struggling to meet the cybersecurity goals that were outlined in the Cyber Threat Strategy.
“At the end of the day, I think we need to continue to do this,” Cheroff said, adding that the VA needs to focus on protecting its own systems.
“We need to make sure that the infrastructure that we’re building and the people who work in that infrastructure is secure.”
Cher toff says the VA did not inform Congress of its cyber threat strategy until the summer of 2017, when a leaked Department of Defense cybersecurity plan was leaked to the public.
“When they did that, the inspector general was appalled,” Cher T toff told The New York Times.
“I think it was a big mistake.
It’s an enormous failure on the part of the department.”
C Chertofeff also noted that the department did not have any cybersecurity tools to begin with, which ChertoFos letter said was an oversight.
“They didn’t even have a cybersecurity team in place at the time,” Cher-toff told the Times.