MSSP Alert Exclusive Interview: U.S. Congressman Frank Mrvan, Co-Sponsor of the Strengthening VA Cybersecurity (SVAC) Act
Upon taking office in 2020, Congressman Frank Mrvan, a Democrat representing Indiana’s First Congressional District, jumped right into the cybersecurity fray — with a special emphasis on cyber defense for U.S. veterans.
The freshman congressman quickly ascended to the position of Chairman of the Technology Modernization Subcommittee within the House Veterans’ Affairs Committee. The Subcommittee on Technology Modernization has oversight and investigative jurisdiction over the Department of Veterans Affairs’ major IT projects and technology modernization programs, such as the Electronic Health Record (EHR) Modernization Project and the Financial Management Business Transformation (FMBT) Program. The subcommittee also oversees cybersecurity, data privacy and management and technology innovation with respect to the Veterans Administration (VA).
In support of cybersecurity on behalf of U.S. veterans, Mrvan, along with U.S. Reps. Nancy Mace (R-South Carolina), Susie Lee (D-Nevada) and Andrew Garbarino (R-New York), has co-sponsored the Strengthening VA Cybersecurity (SVAC) Act of 2022. The purpose of this bipartisan legislation is to strengthen cybersecurity at the VA and protect its IT systems and devices.
A Closer Look at the Strengthening VA Cybersecurity (SVAC) Act
Specifically, the SVAC Act requires the VA to obtain an independent cybersecurity assessment of its most critical information systems, as well as its cybersecurity posture as a whole. The legislation mandates that the VA develop a timeline and budget to fix any weaknesses and deficiencies identified by the report. U.S. Senators Jacky Rosen (D-Nevada) and Marsha Blackburn (R-Tennessee) have introduced a companion measure in the Senate.
Furthermore, the SVAC Act of 2022 will:
- Protect against advanced cybersecurity threats, ransomware, denial of service attacks, insider threats, threats from foreign actors, phishing, credential theft and other cyber threats
- Ensure that the entire Department of Veterans Affairs’ IT is covered, including on-premises, remote, cloud-based, and mobile information systems and devices used by or in support of VA activities
- Require the Secretary of Veterans Affairs to submit a detailed report and plan of implementation to Congress within 120 days of the independent assessment
- Require the General Accounting Office (GAO) to review the VA’s plan, and evaluate if the cost estimates and timelines are realistic
On the topic of the SVAC Act, U.S. and global cybersecurity protections, and his overall concern for cybersecurity, Congressman Mrvan, from his home office in Merrillville, Indiana, provided an exclusive interview to MSSP Alert Managing Editor Jim Masters.
Full disclosure: Mrvan represents the congressional district encompassing the Northwest Indiana region where Masters resides.
MSSP Alert Interview: Congressman Mrvan Discusses His Interest in Cybersecurity, Legislative Efforts
Where did your interest in cybersecurity originate? What is it about this field that fascinates you – and keeps you up at night?
It all started with being on the VA committee, and that cybersecurity has consistently been an interest of mine. I remember (while serving previously as North Township Trustee in Northwest Indiana), we brought in members of the Department of Justice and the FBI to talk to our senior citizens about cybersecurity and how important it is to make sure you’re changing your password and pay attention to your (electronic) records.
Cybersecurity both keeps me up at night and fascinates me because it is one of the cutting edge, ever changing technologies that preserve our national security and the records of our veterans. When we boil it down to my role as Chairman of the Subcommittee on Technology Modernization for the VA, what keenly places me at high alert is the conflict between Russia and Ukraine, the other nations that are being attacked, and also the bad actors who are doing the attacking. We have to be very on-target in protecting and making sure that we have the investments in cybersecurity, and also making sure that we’re protecting the records of our veterans.
What is the back story around the Strengthening VA Cybersecurity (SVAC) Act legislation you have co-sponsored?
I introduced the Strengthening VA Cybersecurity Act to require the VA to acquire cybersecurity assessments from an independent, federally funded entity. The purpose of this bipartisan legislation is to strengthen cybersecurity at the Department of Veterans Affairs and to protect the information and technology systems and devices used at the VA. Regrettably, in 2020 there was a breach involving veterans’ records, so something needed to be done to make sure that there was an assessment and investment… that we are on the cutting edge of cybersecurity and protecting their information.
This legislation will move us right in the right direction and give the VA the tools it needs to be effective to protect against new and emerging cybersecurity threats and safeguard our veterans’ personal information. The legislation has passed the House and is moving forward in the Senate.
In addition to the SVAC legislation, how are you using the committee’s influence to enhance cybersecurity protections for the VA as well as the country’s larger cyber defense?
It’s important to remember that the VA is the largest integrated healthcare network in the United States. It is a major enterprise that provides care and benefits to millions of veterans. So, our veterans’ personal information can be appealing targets for foreign adversaries and cybercriminals, making it essential for the VA to engage in long overdue system upgrades and take proactive steps to mitigate cyber threats. The VA retains, transfers and processes massive amounts of sensitive data and information. However, the VA spends less on cybersecurity than most other (federal) agencies, leaving veterans’ sensitive information vulnerable to cybercrime.
This legislation specifically allows us to make sure that we’re creating the firewalls and putting the systems in place to be able to protect our veterans. This is a long overdue investment to protect veterans’ benefits. The bottom line is, it’s a cat-and-mouse game. There’s a constant chase between bad actors who are trying to breach systems and being able to protect those systems. So once you have one level of protection, they figure out the next level. Then you have to create the next level of protection. I must continue to make sure that I leverage the chairmanship this position within the VA, and for the nation, to have our finger on the pulse of cybersecurity around the world.
How can public-private partnerships better serve U.S. cybersecurity defense, such as in collaboration with Managed Service Providers (MSPs) and Managed Security Services Providers (MSSPs)?
Neither government nor the private sector alone has the knowledge, authority or the resources to ensure security and resilience of the nation’s cybersecurity infrastructure. Therefore, I believe that public-private partnerships are important for information sharing to strengthen security. The Cybersecurity Infrastructure Security Agency (CISA) provides recommendations on best practices for these public and private partnerships. I believe it is extremely important for the federal government to develop those relationships.
As cybersecurity is a global problem, how effective is the U.S. in addressing this ongoing and seemingly escalating threat to national defense and that of our allies?
Cyberattacks are a tool of war, and we have to be able to protect against it. It is a never ending mission to make sure that we are the next level of protecting everything that we can in our country, from the grid system, to our water system, to VA benefits, and to our healthcare records. Given Russia’s recent aggression and the invasion of Ukraine, it is even more important than ever to make sure that we’re strengthening America’s critical cybersecurity infrastructure. That is why I supported the Ukraine Supplemental Appropriations Act, which provided critical resources for the cybersecurity capabilities amongst our allies. I will continue supporting measures that serve and strengthen cybersecurity infrastructure domestically and for allies abroad.
What are the greatest needs for U.S. cyber defense? Talent/education, new products, partnership programs, legislation?
Since taking office, the (Biden) Administration has been actively seeking to evaluate challenges to address cybersecurity threats. I support the efforts of the administration and Department of Homeland Security Secretary Alejandro Mayorkas to strengthen the protections for civilian government networks and improve resilience and security of our supply chains. I will continue to closely monitor the actions of the administration and look for opportunities, such as the SVAC legislation, to strengthen cybersecurity to protect our veterans and active duty military, as well as all Americans.
It’s good to know that our universities are robust with cybersecurity education. When you sit down with students, they talk about cybersecurity, about being involved in that type of field or profession. I think it’s vitally important that our community colleges and universities provide the resources and educational components to prepare the next generation for careers in cybersecurity.
In terms of cybersecurity, what would you say is your greatest accomplishment as Congressman?
I would say the greatest accomplishment is introducing HR 4951, the VA Electronic Health Records Transparency Act. It requires the VA to provide Congress with quarterly reports that assess the full cost performance metrics and outcomes for the Electronic Health Record Modernization (EHRM) Program. As Chairman of the Technology Modernization Subcommittee, I have a responsibility to ensure that the program meets the needs of our veterans. Our veterans deserve the best care and services available. The American taxpayer deserves to know that Congress is providing careful oversight of the EHRM program and its costs. I want to emphasize that with regard to electronic medical records, we want to make sure that patient safety is a major issue, that we’re on budget and on target.