U.S. House of Representatives Committee on Veterans' Affairs

11/20/2024 | Press release | Distributed by Public on 11/20/2024 09:46

TM Chairman Rosendale Opens Hearing on VA Cybersecurity, Protecting Veterans’ Data

TM Chairman Rosendale Opens Hearing on VA Cybersecurity, Protecting Veterans' Data

Today, Rep. Matt Rosendale (R-Mont.), the Chairman of the House Committee on Veterans' Affairs Subcommittee on Technology Modernization, delivered the following opening remarks, as prepared, at the start of the subcommittee's oversight hearing entitled, ""VA Cybersecurity: Protecting Veteran Data from Evolving Threats.":

Good morning.

The Subcommittee will come to order.

I want to welcome our witnesses to discuss VA cybersecurity.

The healthcare industry is a constant target and frequent victim of cyberattacks.

That includes VA.

According to the Department of Health and Human Services, over 519 million health records have been exposed in data breaches over the last 15 years.

Last year, there were on average two data breaches every day exposing 500 or more medical records.

And just one cyberattack, on Change Healthcare, exposed over 100 million Americans' records. Some of them are veterans.

Basic math tells us that many of the people in this room, or watching this hearing, have had their healthcare data stolen by a cyber-criminal.

Unfortunately, these crimes are profitable and they are becoming more sophisticated.

We have a special responsibility to protect the billions of medical, personal, and financial records that VA and their contractors hold for millions of veterans and their family members.

No organization that is connected to the internet is ever completely safe from cyberattacks.

But we expect VA to understand their vulnerabilities and maintain every possible defense.

And when breaches happen, we expect VA to detect them immediately, contain the damage, and notify the affected individuals.

Congress has consistently provided the cybersecurity resources that VA requests.

The Office of Information and Technology budget is roughly flat this year, overall, but cybersecurity is slated for a $110 million increase, to $707 million.

Today we are going to review whether those resources are being used effectively.

According to VA's Office of Inspector General, improvement in cybersecurity has been painfully slow.

OIG's Federal Information Security Modernization Act (FISMA) audit repeats most of the same findings year after year.

VA has been aware of some of these deficiencies for years, but unable or unwilling to fix them.

In the most recent FISMA report, for 2023, OIG's auditor made 25 recommendations, and Mr. DelBene disputed 10 of them.

I want to understand the disagreements and make sure the vulnerabilities are being addressed, and not swept under the rug.

We will also review the MITER Corporation's cybersecurity assessment of key VA systems.

Congress commissioned MITER to do this assessment in the Strengthening VA Cybersecurity Act of 2022, to look deeper than the FISMA audit.

MITER uncovered a whole host of problems.

So many problems-apparently-that VA withheld the report from the Committee until I personally got involved and was able to obtain access after discussions with Secretary McDonough.

I absolutely understand the sensitivity of the information. That is inherent in the subject matter we discuss on this panel.

While I have no intention of discussing the specific vulnerabilities in this public forum, I want to reiterate that security is no excuse for avoiding accountability.

I will leave it to Mr. Powner, from MITER, to summarize his report and his findings appropriately.

In short, the report found that despite some incremental improvements, VA's cybersecurity approach remains inadequate and unfocused.

There are gaps in governance, processes, communication, and staffing.

Cutting-edge cybersecurity tools are not configured properly, and too many aspects of the Department's cyber-incident responses remain manual.

And the rapid, uncoordinated expansion of cloud computing has created cybersecurity gaps.

Mr. DelBene and his team have a great deal of work to do to close out MITER's findings.

Finally, I want to review VA's progress to reach a Zero Trust cybersecurity posture.

Zero Trust means no user or system is trusted by default.

Instead, everyone must be authenticated.

Experts have described Zero Trust as a never-ending journey and constant evolution.

That may be true, but I expect it to produce tangible benefits that protect veterans' data along the way.

This cannot be another government perpetual-motion machine that the contractors use to extract an unending flow of taxpayer dollars.

We need to see results and ensure accountability for everyone involved.

We need to know what specific, measurable goals that VA is working on today that will make veterans data safer tomorrow.

With that, I yield to Ranking Member Cherfilus-McCormick for her opening statement.