Faulty and improper security practices among the Veterans Affairs Department's senior ranks have exposed VA's most sensitive systems and databases to 'unchallenged and unfettered access' by nearly a dozen state-sponsored attackers, according to scathing testimony from VA's former chief security officer. (Staff)
Foreign attackers have repeatedly penetrated Veterans Affairs Department networks for at least the past three years, potentially gaining access to millions of unencrypted veterans records and other sensitive databases, according to House lawmakers and VA inspector general auditors.
The timeline and nature of the attacks are unclear, but VA auditors told a House subcommittee last week that, in one instance, attackers gained access to the email accounts of VA senior leaders. VA doesn’t know how the attackers got into its network or what data was stolen, because the attackers encrypted VA’s data as they siphoned it out of the network, said Michael Bowman, director of the information technology and security audit division within VA’s IG office.
Bowman and his staff cited a host of security vulnerabilities that have plagued VA for the past decade, including weak computer passwords, missing software patches and inactive user accounts. While the department has made some strides to fix those security issues, security management documentation for a number of VA systems is outdated and not properly tracked.
Rep. Mike Coffman, R-Colo., chairman of the Veterans Affairs subcommittee on oversight and investigations, said the subcommittee’s own investigation had identified still greater problems.
“The entire veteran database in VA, containing personally identifiable information on roughly 20 million veterans, is not encrypted, and evidence suggests that it has repeatedly been compromised since 2010 by foreign actors, including in China and possibly in Russia,” Coffman said.
When asked about the state-sponsored attacks, VA’s acting chief information officer, Stephen Warren, denied VA’s network had been continuously compromised and said he was aware of one instance sometime last year when such an attack had been successful.
“The state of security and the work we need to do is something that I wrestle with all the time,” Warren said. “Am I satisfied with where we are? No, I’m not. Can we do better in terms of fixing the things that partners in the IG and audit community have identified? Yes, and we are dedicated to doing more.”
Warren said VA is already seeing improvement through a program launched in 2012 called the Continuous Readiness in Information Security Program (CRISP). The program is intended to continuously monitor systems to ensure updated software, such as antivirus software, is installed, and to ensure nonmedical laptops are encrypted.
But the program has not been around long enough to demonstrate lasting improvements, according to the auditors.
Warren insisted that VA officials’ failure to properly document the security of its systems had never put veterans’ data at risk. This further infuriated lawmakers.
“Mr. Warren, please be reminded that, during the course of this oversight hearing and committee investigation, it is a federal crime to ... knowingly and willfully to falsify, conceal or cover up a material fact,” Coffman said.
Warren said there will always be the potential for attackers to steal and misuse veterans’ personal data, but that is not the same as evidence suggesting that intruders compromised veterans’ personal data and used it maliciously.
Lawmakers, however, reiterated that VA isn’t certain what data was accessed by attackers, or how much. There’s also the concern that attackers could use VA’s networks as a conduit to reach other departments’ systems and networks.
Lawmakers also challenged Warren’s agreement with a May 14 letter to the subcommittee from Secretary Eric Shinseki that said, “VA’s security posture was never at risk.”
VA’s former chief security officer, Jerry Davis, testified that VA’s network should be classified as a compromised network. Upon arriving at VA in August 2010, Davis said he was informed of a “serious network compromise” in March of that year, when state-sponsored attackers had successfully burrowed into VA’s networks. Davis said at least eight organizations had successfully compromised VA networks and data or were actively attacking VA networks. Davis said six of the eight organizations were alleged to have ties to China, while the others may have been backed by Russia, Chechnya or Iran.
Davis said those attacks continue today, and that a lack of enforced security measures, vulnerable website applications and lax restrictions for accessing sensitive systems have “contributed to the successful, unchallenged and unfettered access and exploitation of VA systems and information by these specific groups of attackers.”
While at VA, Davis was charged with reviewing the security of VA systems and recommending whether those systems were secure and should be authorized to operate inside VA. In 2010, nearly 600 systems were in operation whose authority to operate (ATO) had expired. Davis said he was advised that VA had no plans in place to bring those systems into compliance, but that under his watch his security team took thousands of corrective security actions.
Davis claims Warren, who was VA’s principal deputy assistant secretary at the time, “made a concerted effort to circumvent my authority and influence my decision” to deny ATOs for several hundred VA systems. Davis said he was pressured to sign off on more than 260 systems or risk not getting a transfer date to be released from VA to his new position at NASA. That was until VA’s Office of General Counsel stepped in, and Davis was released to begin his new role as chief information officer at NASA Ames Research Center.