The Department of Veterans Affairs released a new cybersecurity strategy ahead of Veterans Day to better protect the personal information and data of US veterans and to stop the potential corruption of critical data.

The VA said cybercriminals and others have long sought access to veterans’ data for a variety of scams and exploitation, prompting the department to make changes to how it protects the data of veterans.  

In 2006, the organization was forced to deal with a massive data breach affecting the sensitive information of 26.5 million veterans as well as their spouses and family members.

Just last month, the Justice Department sentenced a former medical records technician for the US Army after he was caught accessing personal information from US veterans and using the data to steal millions from benefits sites.

As a civilian medical records technician and administrator with the US Army at the 65th Medical Brigade, Yongsan Garrison in South Korea, 40-year-old Fredrick Brown admitted to stealing names, Social Security numbers, military ID numbers, dates of birth and contact information for thousands of military members between July 2014 and September 2015. US Attorney Ashley Hoff noted that the scheme targeted many disabled or elderly veterans because they received more service-related benefits.

The Department of Veterans Affairs said it developed an entirely new strategy to protect veteran data using new frameworks that outline ways they can protect the VA’s most critical business functions and assets while also making them more resilient. 

“As we continue to rapidly advance technology across VA, this strategy provides an agile framework to address the challenges of today and adapt to the technologies and threats of tomorrow,” said Secretary of Veterans Affairs Denis McDonough. 

“This comprehensive approach practices accountability and transparency, while remaining hypervigilant of cyber threats — charting a course for success at the individual and enterprise levels.”

On top of securing and protecting the data of the VA and veterans, the new plan includes measures to protect information systems and assets, use innovative measures to strengthen the organization’s cybersecurity, partner with other organizations on best practices and use risk management frameworks to bolster their cybersecurity goals. 

The VA added that the new strategy takes into consideration, among other things, “Executive Orders, technological advancements, innovations and world events that have impacted the way VA delivers services.”

Andrew Barratt, vice president at cybersecurity firm Coalfire, said that the VA provides additional assistance to a number of the company’s employees.

“We’re pleased to see the VA take steps to formalize a refreshed strategy committing to protecting Veterans’ data. Like many cybersecurity strategies it is high level in nature and focuses on five critical goals,” Barratt said. 

“What is interesting is that the blueprint says it requires ‘commitment’ in order to successfully innovate in a meaningful way. This will require budgetary commitment to cyber technology. Without this, the challenge will fall on to the hands of the many existing staff tasked with managing the already stretched VA resources.”

Coalfire’s John Dickson added that it’s less about what strategies the VA announces or plans to implement, and more about resource allocation and sustained executive focus on cybersecurity. 

“Given the 2006 public security breach, other organizational security ‘near misses,’ and the VA’s historical approach to cybersecurity, this is one case where actions most certainly speak louder than words,” Dickson said.