WASHINGTON—A data breach exposed the personal information of more than 46,000 veterans this summer, the VA recently revealed.

Hackers gained access to VA’s Financial Services Center (FSC), diverting payments meant for community care providers. According to VA information released in September, the hackers were able to gain access by using “social engineering techniques and exploiting authentication protocols.” VA shut down access to the FSC until its Office of Information Technology could complete a full review.

Cybersecurity has been identified as a long-standing weakness at VA, with previous data breaches resulting in millions of veterans’ data being exposed. The most famous incident occurred in 2006 when a laptop and hard drive containing information on 26 million veterans were stolen from a VA employee’s home.

Department of Veterans Affairs Information Security Incidents by Threat Vector Category, Fiscal Year 2018. Source: GAO analysis of Office of Management and Budget data for fiscal year 2018 | GAO-200266T

Information on the latest data breach came just a few days before the release of a new report from the Government Accountability Office (GAO) on VA’s continuing IT issues. The report states that, despite spending $4 billion a year on IT, VA still does not have the infrastructure necessary to fully support its most critical services like providing healthcare and disability benefits. Combined with a lack of IT management and oversight, this contributes to VA’s vulnerability to cyberthreats.

“The risks to IT systems supporting the federal government and the nation’s critical infrastructure are increasing, including insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, and the emergence of new and more destructive attacks,” the report states.

GAO has regularly informed VA of its cybersecurity risk. In a 2016 report, GAO highlighted challenges VA faced in safeguarding its IT systems. A 2018 report looking at government cybersecurity as a whole labeled VA as having significant weaknesses in its attempt to secure its systems. And in July 2019, GAO reported that the department had fully met only one of the five foundational practices for establishing a cybersecurity risk management program—that of establishing the role of a cybersecurity risk executive.

According to that 2019 report, while VA had put someone in charge of cybersecurity, it had not fully developed a cybersecurity risk management strategy; documented risk-based cybersecurity policies; conducted an agencywide risk assessment; or established coordination between cybersecurity and enterprise risk management.

Cyber-Related Threats

“The lack of key cybersecurity management elements at VA is concerning given that agencies’ systems are increasingly susceptible to the multitude of cyber-related threats that exist,” the report concluded.

VA has downplayed the impact of this latest data breach, noting that only 13 community care providers had been affected, with a total of six payments being diverted.

However, legislators on both the House and Senate Veterans’ Affairs committees have written separate letters to VA Secretary Robert Wilkie calling for answers about how VA plans to shore up its cybersecurity.

The House letter, crafted by the Republicans on that committee, was relatively reserved in tone, with legislators applauding VA for its quick actions to investigate the breach but requesting a staff-level briefing on the incident.

“Data breaches of any kind are concerning, but particularly so when the targeted data is in trust by the U.S. government and where it affects veterans,” the House letter states.

The Senate letter—this one crafted by the Democrats on that committee—was sterner. It included a list of cybersecurity-related questions the legislators wanted answers to.

“It appears the department remains in a reactive posture, waiting for cybersecurity or business vulnerabilities to arise,” the letter notes. “This most recent data breach is unacceptable. It also exposes the fact that VA has not taken the necessary steps to ensure oversight, accountability, and security of the vast financial and other personal data it collects and processes to perform its critical services for America’s veterans.”

Another report released in September suggests that VA’s continued inability to fully address cybersecurity is an issue that’s echoed throughout the highest levels of the government. This report, titled “Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement National Strategy,” notes that a lack of direction from the White House has hampered departments’ ability to meet their security goals.

“GAO and others have reported on the urgency and necessity of clearly defining a central leadership role in order to coordinate the government’s efforts to overcome the nation’s cyber-related threats and challenges,” the report states. Investigators contend that, since the elimination of the White House cybersecurity coordinator position in May 2018, it remains unclear which official maintains ultimate responsibility for not only coordinating the execution of the National Cyber Strategy but also holding federal agencies accountable.