IMPACT OF LEGISLATION ON VETERANS ADMINISTRATION
1. Introduction.
Cyber security is a major concern among large organizations, particularly those that rely on information technology to function. In most cases, large organizations, including government service agencies, invest time and money to establish technological infrastructures. The government in general understands the need to protect the public and the organizations under its umbrella from cyber attacks that pose threats such as impeding day-to-day operations. In view of the apparent need for protection, the legislative branch of the federal government passed a legislation proposal pertaining to cyber security. Although some of the issues that the legislation hopes to address are not new, it still has a significant impact on a large number of organizations such as the Veterans Administration. The purpose of this report is to determine whether the May 2011 Cyber Security Legislation Proposal would have an apparent impact on the organization if it became law. The analysis will be based on the Veterans Administration’s current IT infrastructure and the legislation’s imposed cyber security requirements.
The Veterans Administration is the government agency dedicated to providing benefits services to the country’s war veterans and servicemen. The organization’s importance is drawn from President Lincoln’s promise of providing care to veterans and their family members (Va.gov, n.d.). Given the primary role and intended purpose of the organization, the Federal government launched, in October of 2005, one of the most ambitious information technology consolidation and overhaul projects it has attempted (Walters, 2009). Because of the scale of effort and investment poured into revolutionizing the IT infrastructure of the organization, it is only fitting that the government seek countermeasures to alleviate cyber security risks. However, related legislation proposals such as the White House May 2011 Cyber Security Legislative Proposal need to be examined before being passed into law in order to assess their impact on the organization’s current information security program.
2. Points of Analysis
The Obama administration announced that it had transmitted the legislative proposal to Capitol Hill in response to Congress’s call to address the increasing need for stronger legislation to protect the country from cyber threats. The objectives of the May 2011 Cyber Security Legislation Proposal include safeguarding personal data, ensuring reliable and secure networks, and striking a balance between industry innovation and maintaining the government’s role in tackling cyber security (Schmidt, 2011). The legislative proposal, if passed into law, will impose guidelines and specific requirements on the Veterans Administration. In order to assess the impact on the organization, the legislative proposal will be analyzed by pointing out critical points. These points were selected because they can be assumed to have more critical implications for the organization and because of the radical changes they may cause to the organization’s current cyber security infrastructure.
a. Data Breach Notification
One of the proposed legislation’s provisions is data breach notification, which stipulates specific guidelines for cases in which the organization’s stored data is compromised by intrusion. This provision is intended for organizations that handle a minimum of 10,000 stored personal information records annually. Furthermore, this provision requires that in the event of a data security breach, the organization notify the affected individuals within 60 days (Stephens, 2011). This requirement suits the Veterans Administration because the organization handles a vast amount of pertinent details about the listed veterans. As a government organization, the Veterans Administration is expected to protect the confidentiality of veterans’ personal details, particularly their financial details. However, as technology continues to evolve, cyber criminals are also innovating to equip themselves to break through large organizations’ firewalls. The Veterans Administration therefore cannot let its guard down at any time. In cases where cyber criminals are able to penetrate the organization’s system, the organization should be required to notify the victims so that they can take precautionary measures at the individual level. Giving early warnings and notifications to users minimizes the destructive impact of the breach at the user level, because a lack of information from the Veterans Administration would result in a chain of unfortunate events for the users.
b. Data center locations preventive restrictions
The legislative proposal includes a provision that prevents states from adopting regulations or passing laws that allow states to put up data centers in specific states as a condition of operating the business. This is because the Federal government has long emphasized the use of cloud computing because of its reduced cost and increased security (Stephens, 2011). In addition, the government prefers cloud computing over setting up data centers because it can also take advantage of innovations coming from the private sector. This part of the legislative proposal will have an apparent impact on the Veterans Administration because, when the organization underwent a major technological overhaul, its collection of sensitive information was primarily stored in data centers (Department of Veterans Affairs, 2007). Furthermore, veterans often need to navigate the organization’s complex system of access points and overlapping processes (Office of the Secretary, 2010).
c. Missing points of the legislative proposal
Critics have stated that the cyber security legislative proposal has drawbacks and fails to address key issues in cyber security outlined by Congress when it called for assistance (Stephens, 2011). One of the most important issues that organizations face in cyber security is defining what it takes to win at cyber warfare. It is apparent that the legislative proposal focuses more on imposing security, without much consideration for taking offensive action in cyber warfare. Protecting the organization and its information assets may be sufficient to block unwanted intruders from compromising the organization’s information infrastructure. Other security experts believe that even though the legislative proposal has outlined the roles of civilian agencies in protecting computer networks, there is still insufficient guidance on formidability against cyber attackers and on establishing security in the national networks that host classified information (Stephens, 2011). Cyber criminals innovate as technology evolves; preventive measures may serve as a first-aid remedy to the problem, but the real cure is yet to come. Cyber warfare involves real-time offensive actions against cyber attackers, and the proposed legislation does not address the need to suit up and face the emerging battle to eliminate cyber culprits and terrorists.
3. Research and Analysis
The points of analysis discussed above have an inevitable impact on the Veterans Administration because there are elements that disagree with, are lacking relative to, or are aligned with the organization’s cyber security infrastructure, which in turn may have long-term consequences.
a. Impact #1
The impact of this legislation on the organization is to strengthen information dissemination and impose preventive measures. Furthermore, a cyber security breach at the Veterans Administration encompasses three levels of potential impact, namely on availability, integrity and confidentiality (Department of Veterans Affairs, 2007). Therefore, the data security breach notification would help the organization minimize the impact on the three aforementioned categories.
b. Impact #2
Considering the number of veterans that the organization serves, it is apparent that the organization needs to expand its storage infrastructure, and the legislative proposal to restrict organizations from setting up data centers and to use cloud computing instead would constitute a serious problem for the organization. In addition, according to the Veterans Administration’s policy, the organization’s operating units are the ones responsible for controlling information systems. They also restrict pick-up, delivery and transfer of such information, even to authorized personnel. However, if the legislative proposal becomes law, the method of storage will depend on cloud computing as recommended by the Federal government, and the Veterans Administration will be restricted from utilizing and maximizing data center capacity. The organization will also have less control over its sensitive information, as indicated in its electronic sanitization procedure, particularly in terms of destroying unused information (Department of Veterans Affairs, 2007).
c. Impact #3
The lack of sufficient guidelines defining the actions needed to engage in cyber warfare creates a sense of vulnerability on the part of the Veterans Administration. It is known that the organization still has unresolved information security issues and long-standing weaknesses (Wilshusen, 2010). Since information security remains a challenge for the organization, the proposed legislation would not have a significant impact on the Veterans Administration if it became law, because it lacks a clear provision to directly deflect cyber attacks. It is apparent that the cyber age opens many doors for innovation, which includes bringing terrorists into the cyber world, and the Veterans Administration will be among the fast targets if its cyber security augmentation is not strong enough. For example, passwords in the organization’s network domains were not consistently configured in line with the prescribed policies (Wilshusen, 2010).
4. Conclusion
The May 2011 Cyber Security Legislative Proposal was the Federal government’s response to the increasing demand for stronger legislation to fight cyber crime and establish strong security. However, the provisions and proposed guidelines in the proposal do not meet the needs of all government organizations, such as the Veterans Administration. If it becomes law, the proposal would not provide a positive outcome in addressing cyber security at the organization level because its provisions do not meet the needs of the organization. For instance, the Veterans Administration relies on data centers and, given its need to expand its data capacity, it will not be able to do so because the proposed legislation prohibits organizations from using data centers. Therefore, the legislative proposal will not have a significant impact on the Veterans Administration’s information security.
REFERENCES
Office of the Secretary (2010). Strategic Plan FY 2010‑2014. Retrieved from Department of Veterans Affairs website: http://www.va.gov/op3/Docs/StrategicPlanning/VA_2010_2014_Strategic_Plan.pdf
Schmidt, H. A. (2011, May 12). The Administration Unveils its Cybersecurity Legislative Proposal [Web Log Post - The White House]. Retrieved from http://www.whitehouse.gov/blog/2011/05/12/administration-unveils-its-cybersecurity-legislative-proposal
Stephens, K. (2011). A Review of the Cybersecurity Legislative Proposal. Improving the Future of Cyberspace... Issues, Ideas, Answers. Retrieved from http://www.nsci-va.org/WhitePapers/2011-06-15-Federal%20Cyber%20Legislative%20Proposal%20Whitepaper-K%20Stephens.pdf
Va.gov (n.d.). About VA. Retrieved May 24, 2013, from http://www.va.gov/landing2_about.htm
Walters, J. (2009). Transforming Information Technology at the Department of Veterans Affairs. Governing Magazine. Retrieved from http://www.isaca.org/knowledgecenter/cobit/documents/waltersvareport-june09.pdf
Wilshusen, G. C. (2010). Veterans Affairs Needs to Resolve Long-Standing Weaknesses (GAO-10-727T). Retrieved from United States Government Accountability Office website: http://www.gao.gov/new.items/d10727t.pdf