Full Report
The cybersecurity lead for VA.gov was fired last week. He tells WIRED that the Veterans Affairs digital hub will be more vulnerable without someone in his role.
Analysis Summary
# Incident Report: USDS Purge Leads to Loss of Key VA.gov Security Lead
## Executive Summary
The Department of Government Efficiency (DOGE), after subsuming the US Digital Service (USDS), terminated Jonathan Kamens, the full-time cybersecurity lead for the Department of Veterans Affairs digital platform, VA.gov. This abrupt administrative action, occurring sometime before February 21, 2025, immediately degraded the security posture of the primary system managing sensitive data for over 20 million veterans. While no specific breach is detailed, the incident centers on the loss of critical security oversight, increasing the probability of future compromise.
## Incident Details
- **Discovery Date:** February 21, 2025 (Date of Article Publication)
- **Incident Date:** Sometime prior to February 21, 2025 (Date of firing)
- **Affected Organization:** Department of Veterans Affairs (VA) / VA.gov
- **Sector:** Government/Healthcare/Technology Services
- **Geography:** United States (Federal Government)
## Timeline of Events
### Initial Access
- **Date/Time:** Not applicable (This is an administrative removal, not a malicious external attack).
- **Vector:** Administrative termination/Personnel move by DOGE.
- **Details:** Jonathan Kamens, the cybersecurity lead for VA.gov, was terminated as part of a broader staffing reduction/purge within the newly formed Department of Government Efficiency (DOGE) after it subsumed the US Digital Service (USDS).
### Lateral Movement
- Not applicable. The incident concerns the loss of security personnel, not network compromise.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Not a data exfiltration event, but the risk profile for millions of veterans' sensitive data (financial, educational, health records) was severely elevated due to the removal of dedicated security oversight.
### Detection & Response
- **How it was discovered:** The removal and its implications were discovered and reported publicly by WIRED following interviews with current and former VA sources.
- **Response actions taken:** The article implies that VA stakeholders became aware of the critical security gap after the termination occurred. External reporting brought the risk to public attention.
## Attack Methodology
- **Initial Access:** Personnel removal/Adversarial administrative action (within the government structure).
- **Persistence:** Not applicable.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Not applicable.
- **Credential Access:** Not applicable.
- **Discovery:** Not applicable (External reporting/Interviews served as discovery).
- **Lateral Movement:** Not applicable.
- **Collection:** Not applicable.
- **Exfiltration:** Not applicable.
- **Impact:** Degradation of defense posture and institutional knowledge related to VA.gov security.
## Impact Assessment
- **Financial:** Not quantified, but inferred risk to the VA budget due to potential future incident remediation.
- **Data Breach:** Risk significantly amplified for sensitive veteran data (financial, educational, health care records) accessed via VA.gov, which serves over 20 million users.
- **Operational:** The continuity and quality of VA.gov cybersecurity practices are directly threatened, as the terminated individual was the only full-time staffer in that specific security oversight role.
- **Reputational:** Potential severe reputational damage to the VA and DOGE/USDS if an incident occurs due to the lack of oversight.
## Indicators of Compromise
- **Network indicators - defanged:** N/A
- **File indicators:** N/A
- **Behavioral indicators:** Loss of dedicated, full-time cybersecurity leadership for a high-value government asset.
## Response Actions
- **Containment measures:** None detailed as the incident was a personnel change.
- **Eradication steps:** None detailed.
- **Recovery actions:** Stakeholders must urgently backfill the critical security role previously held by Kamens to restore specialized oversight before an incident occurs.
## Lessons Learned
- **Key takeaways:** Centralizing or streamlining federal digital services (DOGE subsuming USDS) without adequately assessing the necessary specialized security roles can inadvertently strip critical security infrastructure from vital platforms like VA.gov.
- **What could have been done better:** DOGE/USDS leadership failed to recognize and protect the single key security role dedicated to the VA's front-end digital infrastructure before executing staffing purges.
## Recommendations
- **Prevention measures for similar incidents:** Establish clear veto or review processes for any administrative action (purges, reassignments) that directly impacts the dedicated cybersecurity leadership of critical public-facing, sensitive systems (e.g., VA benefits portals). Ensure that no essential security function is left unstaffed, especially if it is currently covered by only one individual.