By Sandra Basu
WASHINGTON — Responding to reports that VA computers have been repeatedly hacked since 2010 by foreign entities, a VA official defended the agency’s efforts to protect data about millions of veterans and more than 300,000 VA employees.
“We are committed to information security and, although work remains, VA has made significant improvements in the last few years and strives to meet the highest standards in protecting sensitive information,” VA’s Office of Information and Technology Acting Assistant Secretary Stephen Warren told lawmakers last month.
Warren made his comments at a hearing of the House Committee on Veterans’ Affairs subcommittee, where lawmakers questioned the security of electronic data in the VA. House Committee on Veterans’ Affairs Subcommittee on Oversight and Investigations Chairman Rep. Mike Coffman (R-CO) noted that a subcommittee investigation found that, since 2010, VA computers have been repeatedly hacked by foreign attackers from China and possibly Russia.
“The entire veteran database in VA contains personally identifiable information on roughly 20 million veterans that is not encrypted, and evidence suggests that it has repeatedly been compromised since 2010 by foreign actors including China and possibly Russia,” Coffman said at the beginning of the hearing.
Also testifying about the problem was Jerry Davis, who served as VA deputy assistant secretary of Information and Technology from August 2010 to February 2013. He told lawmakers that at least eight different nation-state sponsored organizations successfully compromised VA networks and data or were actively attacking VA networks. The attacks continue to this day, Davis reported.
“These groups of attackers were taking advantage of weak technical controls within the VA network,” he said in written testimony. “Lack of controls such as encryption on VA databases holding millions of sensitive records, Web applications containing common exploitable vulnerabilities and weak authentication to sensitive systems contributed to the successful unchallenged and unfettered access and exploitation of VA systems and information by this specific group of attackers.”
He told lawmakers that in nearly 20 years of building and managing security programs across government and private industry, he had “never seen an organization with as many unattended IT security vulnerabilities [as VA].”
Linda Halliday, VA assistant IG for Audits and Evaluations, told lawmakers that, for more than 10 consecutive years, independent public accounting firms under contract with the OIG have identified information technology security controls as a material weakness at VA.
In its FY 2012 annual assessment, Halliday said, the IG found that password standards were inconsistently implemented and enforced across multiple VA systems and that security management documentation, including risk assessments and system security plans, was outdated and did not accurately reflect the current system environment or federal standards.
When asked how well VA facilities are able to protect sensitive veteran data, she said that the IG’s office continues “to find information security vulnerabilities at almost every VA medical center” it visits.
“We visit 20 to 30 a year as part of our FISMA [Federal Information Security Management Act] work, and we consistently find problems. The types of vulnerabilities include weak passwords, missing software patches, lack of software updates, excessive permissions and unnecessary user accounts left on the system,” she said.
VA Addresses Security
Meanwhile, Coffman wanted to know why Warren had not told the subcommittee that VA has had “serious and continuous compromises” of systems and data by nation-state-sponsored actors.
Warren said it was not a true statement that VA has been “continually compromised by foreign nation-states.” He initially acknowledged a single instance, but later in the hearing clarified that he was aware of more than one foreign entity that has tried to attack the system.
Warren told lawmakers that improvements have been made to security. He said that in 2012, VA instituted a program called the Continuous Readiness in Information Security Program (CRISP) to ensure continuous monitoring year-round and establish a team responsible for resolving the IT material weakness.
Warren also said that VA was expected to have completed its efforts to encrypt its laptops by the end of last month.
“Currently, over 98% of VA’s nonmedical IT laptops are encrypted. VA has around 2,500 unencrypted laptops remaining and, with the exception of laptops with specific waivers (specific medical uses, research laptops using software where encryption would disable the device, service/maintenance laptops that do not connect to VA’s network or store sensitive information, and laptops purchased by VA and given to Veterans as part of a rehabilitation program) the department expects to complete encryption of all laptops by June 30, 2013,” he said in written testimony.
He also explained that the agency has improved its security posture by ensuring that more than 98% of VA staff have received the mandatory information security training to protect the data of veterans and their families.
Lawmakers seemed unpersuaded.
Rep. David Roe (R-TN) wanted to know whether Warren, who is a veteran, is concerned about the privacy of his own data in the VA system.
Warren said he was not and that it would be a disservice to tell veterans that their data is at a disproportionate risk and that they therefore should not come to the VA for services or benefits.
“I would hate the potential to drive folks away from the services and the benefits, not only that they have earned, but they need,” he said.
Still, Warren acknowledged there is no way to completely guarantee the security of electronic data.
“If you ask me today if I can guarantee that everything is perfect and wonderful, I could not give you that guarantee because the technology constantly changes,” he said.