Contracts featuring automation, built-in security can boost agencies’ cyber defenses, VA officials say

As the federal government looks to harden its cyber resilience, officials from the Department of Veterans Affairs said agencies should work to modernize outdated technologies and ensure that vendor contracts include more rigorous security standards.

An enhanced focus on automating legacy systems, prioritizing built-in security requirements in vendor contracts and carefully adopting mature artificial intelligence tools can help federal agencies bolster their overall cyber resilience, several officials from the Department of Veterans Affairs said on Tuesday.

During a discussion on the future of federal cybersecurity hosted by the Center for Strategic and International Studies, Amber Pearson — VA’s deputy chief information security officer — said the department oversees “34% of IT assets across the entire federal civilian space” and heavily relies on the Cybersecurity and Infrastructure Security Agency “to inform our enterprise cybersecurity implementation.”

“Security has to move at the speed of innovation,” Pearson said, noting that a number of agencies — including VA — still use outdated systems and need to “start looking at where we modernize, where we actually need to increase that rigor and look for those opportunities around automation.”

The White House and CISA, in particular, have placed a greater emphasis over the past year on pushing federal agencies and private sector technology firms to prioritize security in the development and procurement of new systems and tools. 

CISA has released public guidance and launched a public service campaign urging companies to build “secure-by-design” products. The Biden administration’s national cybersecurity strategy, released in March 2023, also advocated for the adoption of secure-by-design principles, and a subsequent June 2023 memo from the Office of Management and Budget on the White House’s cyber priorities for the fiscal year 2025 budget said “agency investments should lead to durable, long-term solutions that are secure by design.”

When it comes to updating the department’s legacy healthcare systems and technologies, however, Pearson said that innovative tools can also “create new and unpredictable pathways that bad actors can use to access VA’s IT systems and data.”

She added that combating cyber threats in the healthcare space — “especially around our medical device community” — requires enhanced partnerships with other agencies “and then also down to the contracts to updating our [Federal Acquisition Regulation] language, and so that way we can really enforce some of those security requirements at the vendor level.”

Beyond its ongoing engagement with CISA, Pearson said VA is working with the Office of the National Cyber Director, the Department of Health and Human Services and the Food and Drug Administration “to really make sure that we're taking a look at those contracts and ensuring those security requirements are built in.”

“We want to make sure that those things are being looked at at the contract level as we start procuring and modernizing most of our modern technologies around the health space,” she stressed. 

But even with vendor contracts prioritizing enhanced security standards, the introduction of emerging technologies — including those using AI and machine learning — presents a host of potential benefits and challenges for VA and other federal agencies as they look to modernize their systems. 

Jeff Spaeth, deputy CISO and executive director of information security operations at VA, said generative AI tools will allow nefarious actors to better hone their phishing campaigns and other cyber attacks, “which may bypass your normal phishing analysis or quarantining of those messages.”

But he said implementing some of the same AI tools as they become more mature can also allow agencies “to either identify or immediately put those types of preventative detections and blocks in place quickly.” 

And given persistent cyber workforce gaps across the federal government — a September 2022 report from a federal working group said there were almost 40,000 cyber jobs to fill in the public sector as of that April — Spaeth added that the adoption of AI “may be able to mitigate some of that shortage of staff, just because we'll be able to enhance the staff’s capability of using those technologies to offset some of the lack of numbers.”