Agency Wasn’t Harmed by 2020 SolarWinds Hack
WASHINGTON — Although no data was stolen from VA’s computer systems during the 2020’s SolarWinds hack, cybersecurity remains a long-standing material weakness for the VA, agency overseers pointed out.
Furthermore, the department’s increasing reliance on telehealth makes securing its systems more important than ever, according to testimony at a congressional hearing last month.
As early as January 2019, hackers apparently linked to the Russian government began infiltrating the systems of SolarWinds—a company that designs software for large businesses to manage their IT systems. Their clients included several large corporations and government agencies, including VA. The hackers inserted malicious code into the updates of SolarWinds’ software. Beginning in fall 2020, word began circulating of possibly compromised systems. But it was not until December 2020 that the extent of the hack was recognized, and it was revealed that U.S. agencies were among the victims.
“The malware was downloaded as it was vendored. The vendor didn’t know the malware was there, and so neither did we,” explained Paul Cunningham, VA’s chief information security officer, speaking at a House VA Subcommittee on Technology Modernization hearing. “Within 12 hours, we were able to bring down all SolarWinds [software] so they were not on the network, as a precautionary measure. That period of time between recognizing the problem and when we were able to bring it down—12 hours across this complex environment—is really a testament to VA’s capabilities from an operational perspective.”
VA technical staff replayed their network data flow, looking for indicators that this might have happened before and to determine whether the hackers were able to use the exploits before VA caught on. They found no evidence that occurred.
“We invited the Department of Homeland Security to come in and look at our system,” Cunningham said. “They found nothing.”
VA also commissioned Microsoft to examine their network, and the investigators agreed there were no indicators showing the malware was activated or used to move data.
VA’s system is still vulnerable, however, according to the VA Office of the Inspector General. The OIG released its 2020 Federal Information Security Modernization Act (FISMA) audit in April, listing a number of material weaknesses in VA’s systems.
“These conclusions are repeats from prior years,” explained Michael Bowman, director of the OIG Information, Technology and Security Audits Division. “VA continues to face significant challenges in complying with FISMA requirements. This is due in part to maintaining an aging and outdated IT infrastructure. [Our report] contained 26 recommendations. Most of these recommendations have been repeated for many years because VA has not adequately addressed our security concerns.”
Latest Patches
OIG investigators regularly found that VA systems had not installed the latest patches designed to secure its software. They also discovered VA facilities and staff were lax in their password security.
“OIG has seen many examples of VA systems using default usernames and passwords or easily guessed passwords,” Bowman said. “This is a well-known vulnerability that allows malicious users to gain access to mission critical systems.”
As for why VA has been so slow in addressing these security concerns, Bowman places the blame on the department’s sheer size.
“VA is a large and decentralized organization—over 400,000 employees and 300,00 contractors,” Bowman noted. “It has millions of computer endpoints that it has to monitor every day. Because it’s decentralized, it’s difficult to roll out a security posture across the enterprise.”
He explained that, when OIG conducts audits, they frequently target large data centers. Investigators would see improvements at those centers over time. But when they would visit a new facility—one that they had never audited before—they would find the same security weaknesses or new ones.
To roll out security improvements across such a sprawling department requires considerable focus from VA leaders, and the turnover at the top IT positions has not allowed for that, Bowman told the subcommittee.
“If you look at the CIO position and how often VA gets a new CIO—the consequence of that is VA changes its priorities,” he declared. “You may have a CIO who focuses on IT security and then that position turns over, and the next CIO may focus on the CERNER EHR implementation. If you don’t have consistent leadership, you don’t get to see initiatives from cradle to grave.”
Cunningham—the latest person in the role of CIO—agreed.
“I think long-term strategies for cybersecurity are always a challenge. It’s very dynamic. Changes in leadership do change priorities,” he said. “[As well as] directions from Congress on what the priorities are.”
VA does attempt to address OIG’s recommendations, Cunningham said.
“All the findings from the OIG are reviewed and shared to the over 400 information security officers out in the field,” he explained. “How these are implemented is related to humans and the vast network that we have. It does get complicated to ensure that a zero-tolerance level is maintained. We work every day to drive down those risks.”
