VA bolsters IT security

The Department of Veterans Affairs has embarked on an innovative cybersecurity approach that could serve as a model for other federal agencies.

A consortium of five high-tech companies, known as the VA Security Team (VAST), began work Aug. 1 protecting the VA's entire network, from hospitals to cemeteries to medical and insurance records.

The VA awarded the consortium a contract potentially worth $103 million over 11 years for the VA's Computer Incident Response Capability.

"We're the second-largest federal government computing enterprise," said Bruce Brody, the VA's cybersecurity chief. "The magnitude of our enterprise alone makes it a target of malicious intent."

The VA has long been a target of hackers. Since January, VA computer systems have blocked more than 2 million virus attempts. And a private auditing firm hired by the VA's inspector general easily broke into computers at the agency and gained control of the data.

In March 2001, Brody was hired as the associate deputy assistant secretary for cybersecurity to fix the problems.

Brody said VAST would be handling incident analysis, management and response for the VA's nationwide system, which will include dealing with vulnerabilities and computer forensics.

In addition, the consortium will be handling managed security services nationwide that will be "mandatory for every hospital."

SecureInfo Corp., a San Antonio-based cybersecurity company that has done similar work for the Defense Department, is leading the consortium to detect and respond to threats and real-time incidents around-the-clock.

Other consortium members include Applied Engineering Management Corp., a developer of security portals; DSD Laboratories Inc., a provider of computer forensics technology; Seidcon Inc., a company that specializes in certification and accreditation of networks; and TeamBI Solutions Inc., a security knowledge management company.

John Linton, SecureInfo's chief operating officer, said the cybersecurity system would be operating at two centers and a third backup center eventually will be operational.

"We will have skilled reactive capabilities for incident response, preventive measures, platform and standards throughout the VA to be proactive, and when [attacks] do occur, respond in real time," Linton said.

VAST also will develop a global "early warning" information sharing network, in cooperation with homeland defense, law enforcement and emergency response-related incident analysis.

"This is right in line with what we've been advocating," said Mario Correa, director of Internet and network security policy for the Business Software Alliance. "They have to look at security as an ongoing holistic process, revamp how they do business when they secure computers, use defense strategies to stop intrusions and authenticate the users."

However, the success of any cybersecurity program depends on who is managing and monitoring it, said Michael Rasmussen, director of research and information security at the Giga Information Group, an information technology consulting firm.

"To be successful at it, they need to be able to staff it correctly, pick the best technologies for the VA and show they have the process defined," he said.

Brody said the VA's cybersecurity program was the first of its kind. "I don't know of any other acquisition like this in the federal government that is able to deliver this kind of analysis and response capability," he said. "I have a feeling that within the not-too-distant future, it will be one of the models in the federal government."