By James Walkinshaw
In IT, as in life, the greatest risks and opportunities are in the shadows.
Bipartisan legislation is quietly on its way to President Biden’s desk that could reduce cybersecurity risk at the Department of Veterans Affairs (VA) and create the opportunity for Congress to tackle a growing government-wide problem: the proliferation of IT devices and systems being used without proper approval, commonly known as Shadow IT.
Senators Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn., introduced the Strengthening VA Cybersecurity Act of 2022 earlier this year in the Senate, and Rep. Frank Mrvan, D-Ind., chairman of the House Veterans Affairs Committee’s Technology Modernization Subcommittee, introduced the House version.
“This bipartisan bill would help us understand the VA’s cyber vulnerabilities and ensure we protect our veterans’ personal information from malicious cyberattacks,” said Sen. Rosen when the bill was introduced.
Among the bill’s requirements is that VA enter into an agreement with a federally funded research and development center to examine the effectiveness of VA’s information security systems, including the use of “shadow information technology.”
Shadow IT sounds ominous, but its origins are innocent. Federal employees and contractors who want to do their jobs effectively and efficiently often find that bypassing agency systems and restrictions on network access allows them to work and collaborate faster.
Examples of Shadow IT include a federal employee using a non-approved VoIP tool to meet with a colleague, downloading a non-approved file-sharing service to send a large file, transferring data on a personal flash drive, or running a hardware server that is out of compliance with agency standards.
From the perspective of the employee using Shadow IT, the path of least resistance can lead to efficiencies. But from the perspective of an enterprise charged with protecting the health records, data, and personal information of millions of veterans, Shadow IT poses real risks. Large enterprises require layers of financial, security, and operational controls to protect data and operational stability. Without full visibility and awareness of operations, Federal agencies cannot fully mitigate their cybersecurity risk and ensure the ongoing stability of their networks.
“We must do everything we can to protect our veterans’ personal information and medical records,” said Senator Rosen in a recent statement. “I’m glad Congress has passed our bipartisan legislation to protect the sensitive data for veterans across Nevada and our country, and I look forward to it becoming law soon.”
Measuring the extent of Shadow IT is notoriously hard, but well worth the effort. Continuous monitoring of what actually runs on and connects to agency networks can root out Shadow IT, helping agencies meet growing cybersecurity challenges and identify the inadequate or overly cumbersome systems pushing their employees to adopt Shadow IT workarounds.
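One concrete way to start measuring it is to compare what the proxy or DNS logs say people actually connect to against the agency's approved-service catalogue. The script below is an added example, not code from the article or from VA; the catalogue, the watchlist of consumer file-sharing and VoIP services (placeholder .example domains), and the log lines in a simplified "timestamp user source method host:port bytes" layout are all constructed for illustration.

```python
import re

# Hypothetical approved-service catalogue keyed by domain suffix (assumption;
# an agency would load this from its real inventory).
APPROVED = {
    "mail.va.example": "email",
    "collab.va.example": "collaboration",
    "files.va.example": "file-sharing",
}

# Hypothetical watchlist of consumer services, keyed by domain suffix and using
# placeholder .example names (assumption).
WATCHLIST = {
    "filedrop.example": "file-sharing",
    "pastebox.example": "file-sharing",
    "quickcall.example": "voip",
}

# Constructed proxy log lines, "ts user src method host:port bytes" (not real data).
SAMPLE_LOG = """\
1700000000 jdoe 10.1.2.3 CONNECT collab.va.example:443 20480
1700000005 jdoe 10.1.2.3 CONNECT filedrop.example:443 734003200
1700000009 asmith 10.1.2.9 CONNECT quickcall.example:443 15728640
1700000012 asmith 10.1.2.9 GET files.va.example:443 4096
1700000020 bwong 10.1.2.15 CONNECT filedrop.example:443 104857600
1700000031 bwong 10.1.2.15 CONNECT cdn.unknown.example:443 2048
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>[^:\s]+)(?::\d+)?\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for one log record, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = rec["host"].lower()
    return rec


def _suffix_lookup(host, table):
    """Match host against a suffix table: exact match or any parent domain of host."""
    for suffix, category in table.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return None


def classify_host(host):
    """Return ('approved', cat), ('watchlist', cat) or ('unknown', None)."""
    cat = _suffix_lookup(host, APPROVED)
    if cat:
        return "approved", cat
    cat = _suffix_lookup(host, WATCHLIST)
    if cat:
        return "watchlist", cat
    return "unknown", None


def inventory(lines):
    """Aggregate every non-approved destination: which users touched it, how many bytes moved."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records rather than abort the whole run
        status, category = classify_host(rec["host"])
        if status == "approved":
            continue
        entry = report.setdefault(
            rec["host"], {"status": status, "category": category, "users": set(), "bytes": 0}
        )
        entry["users"].add(rec["user"])
        entry["bytes"] += rec["bytes"]
    return report


def ranked(lines, min_bytes=0):
    """Non-approved hosts as (host, status, category, users, bytes), largest transfer first."""
    rows = [
        (h, e["status"], e["category"], sorted(e["users"]), e["bytes"])
        for h, e in inventory(lines).items()
        if e["bytes"] >= min_bytes
    ]
    return sorted(rows, key=lambda r: r[4], reverse=True)


if __name__ == "__main__":
    for host, status, category, users, nbytes in ranked(SAMPLE_LOG.splitlines()):
        print(f"{host:22} {status:9} {str(category):13} {nbytes / 1e6:9.1f} MB  users={','.join(users)}")
```

The point of ranking by bytes moved rather than by hit count is that a single 700 MB upload to an unsanctioned file-sharing service is the record worth a conversation, both about the data that left and about why the approved file-sharing system was not used. Hosts that land in the "unknown" bucket are the catalogue's blind spot and are what a monitoring team would triage next.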
While the legislation from Sen. Rosen and Chairman Mrvan is an important start, it would apply only to the Department of Veterans Affairs. As the Shadow IT risk grows across the Federal government, Congress should consider requiring each agency to conduct evaluations to determine the extent of both the problem and the opportunity to improve their cybersecurity posture and operational efficiencies.
It’s time to bring Shadow IT into the light.
James Walkinshaw is the former Chief of Staff to Rep. Gerald E. Connolly, D-Va., and currently serves as an advisor to MeriTalk.