VA CIO: OPM Breach Is a Lesson for All Employees


VA defends against 55,000 new malware variants every day, according to the agency.

The Department of Veterans Affairs is using the recent massive breach of Office of Personnel Management records as a lesson to its employees in cyber hygiene, according to VA Chief Information Officer Steph Warren. 

In a call with reporters Wednesday, Warren said his department has been using the OPM breach as a case study, educating all VA staff about using strong passwords, protecting wireless networks and avoiding harmful files when using social media platforms to access web content.

VA officials in 2013 admitted their own networks had been breached by hackers from a foreign nation, believed to be China.

Warren mentioned during the call that he was personally affected by the OPM breach. 

Early in June, and in the days and weeks since the breach was reported, VA convened cyber summits to discuss strategies for "raising our threat level," Warren said, including changing boundary system protections, restricting employee social media use and minimizing traffic between data enclaves.

"One of the largest vectors that we've seen is individuals downloading files or clicking on attachments in emails or opening emails in their personal webmail set up," Warren said. While existing desktop protections allow VA to track those events, "we need to push the threat further away from our boundary, [and] push it off the desktop," he added. 

In the month of May, a DHS cyber program helped VA drastically reduce malicious attempts on its network, Warren said. VA blocked about 336 million intrusion attempts, and more than 574 million instances of malware in May, according to the agency's latest report to Congress. In April, its cyber defense blocked 308 million intrusion attempts and 956 million attempts to install malware. 

VA defends against 55,000 new malware variants every day, and the department says it has reduced the overall number of critical or high vulnerabilities by 71 percent between November 2014 and May 2015. 

A drop-off in malware attempts can be attributed in part to EINSTEIN 3, DHS technology designed to detect and prevent cyber threats, Warren said. VA has been using EINSTEIN 3 since last year, but the more federal groups sign on to use the system, the more effective it becomes, because threat information can be shared, he added.

The department is "not complacent about the fact that the numbers have come down," he said, noting that the sophistication of cyberattacks hasn't diminished. Current cyber-protection systems, he said, are "probably knocking down the easy ones."

In May, Warren told reporters during a media call that “if the volume of threats continues to ramp up . . . any agency will run into the point where we may get overwhelmed.”