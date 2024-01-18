Suspension of VA’s Cybersecurity Program: A Threat to Veterans’ Data?

At the heart of a recent cybersecurity concern lies the private information and medical records of America’s 18 million veterans. The U.S. Department of Veterans Affairs (VA) has temporarily suspended a crucial element of its cybersecurity program – the Data Loss Prevention (DLP) endpoint program. This move, which follows an incident where personal data of 1,500 veterans in North Carolina was erroneously exposed, has heightened concerns about the potential risk to the private information of veterans nationwide.

Potential Perils of the Program Pause

The DLP program, funded as part of the VA’s $6 billion information technology budget, was designed to prevent sensitive data from being shared externally from the VA network. The temporary cancellation means that over half a million computers and mobile devices, used by VA staff across the nation, are currently without any DLP capability on the endpoints. This absence could potentially increase the risk to the vast treasure trove of personal information held by the VA, including addresses, dates of birth, social security numbers, and the all-important medical records of veterans.

VA’s Assurance Amidst Concerns

VA officials have publicly acknowledged the program’s cancellation but insist that it has not compromised veteran privacy or security. They argue that the program was redundant, and other security measures are in place to safeguard the data. VA Press Secretary Terrence Hayes maintains that veteran data is protected in a myriad of ways, and fiscal responsibility is upheld without sacrificing security. Despite these reassurances, the question remains: How secure is the data in the absence of the DLP program?

A Shift Towards New Security Measures

The VA has plans to replace the DLP program within the year. However, an intriguing shift in the choice of cybersecurity tools has been observed. The original DLP endpoint contract, awarded in 2021 to cybersecurity firm Trellix, is being replaced by Microsoft security tools, bundled into its enterprise license agreement. This move mirrors a broader trend seen across federal agencies, including the Department of Defense. Critics argue that this reliance on a single vendor, such as Microsoft, could lead to competition and cybersecurity concerns. On the other hand, Microsoft representatives argue that their integrated products offer a unified and efficient security solution.

In the interim, though, the suspension of the DLP program leaves a gap in the VA’s cybersecurity armor—a reminder of the constant vigilance required to protect the private data of the nation’s veterans.