The Department of Veterans Affairs is requesting a $107 million increase to its FY2023 cybersecurity budget, providing greater funding to all areas of its broader information security program with a special focus on implementing zero trust precautions.
VA has sought to bring its overall IT systems in line with contemporary cybersecurity standards, part of a broader push across the federal government to implement measures like zero trust and protect against large spillover breaches like the 2021 SolarWinds attack, as well as mitigate the growing threat of ransomware attacks.
The latter is a special priority for VA in particular, with ransomware attackers increasingly focusing their efforts on health IT systems and hospital networks, whose shutdown poses a particular risk to human life and which therefore have a greater incentive to comply with attackers’ demands.
The Biden White House released its Executive Order on Improving the Nation’s Cybersecurity in May 2021 following the discovery of the SolarWinds hack, in which malicious actors backed by the Russian state gained access to a wide array of servers within the U.S. government. The attackers went undetected for months, successfully using various forms of spillover breach and interconnected access to expand the scope of infiltration.
As a result, there has been a movement across government away from an exclusive focus on perimeter security toward identity and access credential-based protection designed to limit the damage from system breaches and prevent attackers from infiltrating deeper into an organization’s network.
VA officials have discussed the need for revamped zero trust security both within the agency and across government more broadly, with director of enterprise security architecture Royce Allen noting that abiding by older cybersecurity models is a liability under the current threat environment.
“We must focus on a practice of continuum, verifying identity, authorization and authentication about data uses and our devices. That’s why we do what we do and why zero trust is critical,” Allen said in earlier remarks to GovCIO Media & Research.
Much of VA’s cybersecurity focus rests on its rapidly modernizing health IT systems, with newly released budget documents outlining that “Modernizing VHA’s medical equipment, while improving its safety, cybersecurity and compatibility with VA’s electronic health record (EHR), requires deliberate systems engineering and extensive collaboration across VA lines of business and VHA clinical programs.”
This includes measures to protect both medical devices and patient information contained within the agency’s modernizing electronic health records system, which is currently undergoing its first wave of on-site rollouts.
Device security appears to be a particular focus of new funding allocations, with budgetary documents disclosing that “VA currently uses approximately 1,034,513 discrete medical devices across the enterprise to deliver healthcare to Veterans. Approximately 109,028 medical devices/clinical systems communicate on the VA information technology network and must be specially managed and routinely updated to address known and emerging cybersecurity risks.”
Over 10% of the requested VA cyber budget increase, totaling nearly $13 million, would go toward privacy and records management. The agency has requested a similar $13 million increase to CRISP (Continuous Readiness in Information Security Protection) operations “designed to reduce systemic information security risks across VA programs and systems to comply with federal security and privacy regulations.” This represents a nearly 25% increase from the 2022 CRISP budget, bringing its proposed total funding to $60 million in fiscal year 2023.
The most substantial increase to the VA’s cybersecurity budget, however, has been requested for overall information security operations: a rise of $43 million that makes up nearly half of the total fiscal year 2023 increase. It appears a considerable amount of this will be dedicated to zero trust security reforms, falling under VA’s particular emphasis on what the agency has categorized as “Emerging Readiness Initiatives.”
The agency’s budgetary documents outlined that “adaptation and implementation of this new security posture provides a robust and strategic approach for addressing systemic deficiencies for VA (e.g., enterprise security governance, foundational capability gaps, lack of data and identity governance). This posture initiates a paradigm shift across existing VA security resources from the current compliance-mindset to a mindset that assumes breach and embraces adoption of zero trust capabilities as a first step.”