U.S. Rep. Jeff Miller, chairman of the Veterans Affairs Committee (Thomas Brown / Staff)
House lawmakers are calling for sweeping reforms at the Veterans Affairs Department — including credit monitoring for all veterans and their dependents whose personal information resides in VA’s database — following recent revelations that multiple foreign attackers have penetrated VA networks, potentially stealing unspecified amounts of veterans’ personal data.
An ongoing investigation by the House Veterans Affairs Committee revealed that foreign attackers have hacked into VA networks since 2010, and clues left behind indicate it is likely that the data stolen may have contained personal information, such as names, addresses, birth dates and Social Security numbers, of an untold number of veterans and their dependents, Rep. Jeff Miller, R-Fla., said at a news conference Friday.
In a June 13 letter to VA Secretary Eric Shinseki, the committee asked why VA failed to notify Congress of the network intrusions despite a requirement in the Federal Information Security Management Act to do so.
At the news conference, Rep. Mike Coffman, R-Colo., said the committee would not have known about the security breaches had it not been for a former VA employee. “If not for that whistle-blower, we may not know that the system had been hacked today,” Coffman said.
Miller said the committee has asked Shinseki to hold VA leadership accountable for ongoing failures and unreasonable risks in cybersecurity, including a May 24 incident that resulted in the deletion of roughly 464,000 electronic files, including active loan files, according to VA.
The committee is working to determine the facts surrounding these incidents, the impact on veterans and how to prevent future problems.
Following the news conference, Miller told Federal Times the committee has revealed only a small portion of what it has learned through an ongoing investigation. “I’m hopeful, now that VA knows that this incident has occurred, that they will be more forthcoming with information to us,” he said.
The committee is also calling on VA to:
■Offer credit monitoring services to every veteran and dependent in its database.
■Implement all outstanding inspector general recommendations to improve information technology security.
■Conduct an independent review of problems, risks, mitigation plans, execution progress and verification of IT safety and security.
The committee is also demanding answers from Shinseki about his May 14 letter to the Veterans Affairs subcommittee on oversight and investigations, in which he described VA’s process for reviewing the security of its IT systems. In the letter, Shinseki said “VA’s security posture was never at risk,” despite testimony from VA officials last week that the department’s networks have been hacked, Miller said.
“It seems like everybody [at VA] gets a bonus, and nobody gets fired and if you do something wrong you don’t get fired you just get moved to another position,” Miller said. “This is an incident where somebody knew, somebody misled, it appears the secretary, and I believe that person needs to be held accountable. If it’s more than one person, absolutely, there needs to be disciplinary action up to and possibly including termination of their employment.”
The timeline and nature of the attacks is unclear, but VA auditors told the House subcommittee that, in one instance, attackers gained access to the email accounts of senior VA leaders. VA doesn’t know how the attackers accessed its network or what data was stolen because the attackers encrypted VA’s data as they siphoned it out of the network, said Michael Bowman, director of the information technology and security audit division within VA’s IG office.
Miller said the committee will conduct recorded interviews with critical VA personnel who support the department’s IT security system and meet privately with VA to discuss all current IT risks.