Letter to the editor
I would like to respond to Federal Computer Week's Sept. 25 article ["VA systems called 'open door'"] concerning the results of an audit performed
by PricewaterhouseCoopers last year.
The article accurately covered the case as presented by VA's inspector
general, but the office withheld some significant information. It gave the
impression that someone sitting at a home computer could easily gain access
to Veterans Benefits Administration systems. In fact, PricewaterhouseCoopers'
personnel were given access to the system as directed.
That being said, there is no dispute that we have a lot of problems,
which we are trying to address.
K. Adair Martinez was not in his position of VBA chief information officer
at the time of the audit. Since her arrival at VBA, she has made network
security a top priority and has been most supportive of the Network Intrusion
Detection and Prevention pilot project under way at the Hines (Illinois)
Benefits Delivery Center and Chicago Regional Office.
I am encouraged by the attention given to security by VA's new CIO,
Edward Meagher, as reported in recent articles in Federal Computer Week.
But as of yet, resources have been slow in coming from VA.
At a time when there has been a tremendous downsizing of personnel,
we are only able to muster six technicians, including myself, to work on
network security. Two of these folks are limited to anti-virus activities,
and the rest of us have to divide our time between security and supporting
the wide-area network environment.
The VA (and Congress) must realize that security is a 24/7 proposition
and allow VBA to acquire the resources necessary to staff the security effort
that is required.
Although the tools we are working with will allow a wide range of automated
responses to perceived intrusion threats, trained personnel must be quickly
available to evaluate any threat and deal with it to prevent a serious impact
on the ability of VBA to do its mandated business.
The article made reference to susceptibility to fraud, but actual occurrences
of fraud have involved claims examiners and others who had legitimate access
to the systems they attempted to defraud. This is very much akin to having
a bank teller or store cashier raid the cash drawer to which they would
normally have access. The fraud cases cannot be detected through network
security but must be dealt with by better supervision and auditing methods
to detect and rectify such cases.
Although PricewaterhouseCoopers did not mention it, VBA has an exemplary
record in dealing with e-mail virus attacks. The response to the first major
attack (the "Melissa' virus) took some time to address. This was the first
emergency nationwide distribution of Network Associates Inc.'s anti-virus
updates. Learning quickly from the experience, the next attacks required
only a couple of hours for this process to occur. These viruses were a nuisance
but did no real damage to VBA.
We would like to extend this to the entire realm of network security,
a challenging task given the new "open" environments of today, but not an
impossible task if we are allocated the appropriate resources.
Network security and support team
Systems Implementation Division, Hines Benefits Delivery Center