Defending Data at the Department of Veterans Affairs
In 2013, a supposed leak of patient records at the Department of Veterans Affairs (VA) prompted Congress to try to crack down on VA data security. Instead of actually passing laws to improve the infrastructure, Congress simply berated the organization and willed it to improve security. However, “In the specific case of VA, there is no evidence that any patient record was exfiltrated” (Geer and Levin 1). Even though there was no evidence that the VA was actually hacked, Geer and Levin argue that this supposed attack points to a larger issue of federal inaction when hacks do, in fact, occur. They argue for a layered defense in cybersecurity: America should no longer stay on the defensive and wait for cyberattacks to occur; instead, Congress should pass specific laws and regulations. Additionally, companies need to implement a “reform that emphasizes openly architected, standards-based, and modular IT solutions instead of the public sector’s naive penchant for closed, tightly integrated, and custom solutions that only a couple of vendors can service and secure. Surprisingly, open source and open standards are not just more economical, they are more secure” (Geer and Levin 2). By using the VA as a model of inaction, the US government can effectively adapt policy and learn from the mistakes of this misinformation to prepare for future attacks.