Concerns and allegations about the security of the data of tens of millions of veterans at the Veterans Affairs Department run deeper than just a lack of stringent controls over the agency’s systems certification process.
Lawmakers, inspector general auditors and a former VA chief information security officer say nation-state actors have been and continue to steal agency data, including emails from Secretary Eric Shinseki. And VA IT officials can’t say how much or what kind of information the hackers are taking because the bad actors are encrypting the data as it leaves the agency’s network.
“The entire veteran database in VA containing personally identifiable information on roughly 20 million veterans is not encrypted and evidence suggests that it has been repeatedly compromised since 2010 by foreign actors by China and possibly by Russia,” said subcommittee chairman Mike Coffman (R-Colo.), during a hearing Tuesday. “Recently, the subcommittee discussed VA’s authorization to operate, a formal declaration that authorizes operation of a product on VA’s network which explicitly accepts the risk to agency operations, and was told that ‘VA’s security posture was never at risk.’ In fact, VA’s security posture has been an unacceptable risk for at least three years as sophisticated actors use weaknesses in VA’s security posture to exploit the system and remove veterans’ information and system passwords. These actors have had constant access to VA systems and data, information which included unencrypted databases containing hundreds of thousands to millions of instances of veteran information such as veterans’ and dependents’ names, Social Security numbers, dates of birth, and protected health information.”
Jerry Davis, the former deputy assistant secretary for information security at VA and currently the CIO at NASA Ames in California, said during his two-year tenure he knew of at least eight nation-state sponsored organizations that successfully got into VA’s network.
Davis also alleges VA’s system security certification process, known as accreditation and authorization, is deficient, putting agency data at further risk. He alleges the agency has been rubber stamping more than 500 documents, known as an authority to operate, and he was coerced by Warren into signing more than 250 of them as a condition of him leaving the agency. Davis left in February. Auditors in VA’s inspector general office further confirmed both allegations of the nation-state attacks and an insufficient internal control process.
Linda Halliday, the assistant inspector general for audits and evaluations, said VA has a broad range of security concerns, including risk assessments and system security plans that are outdated and didn’t accurately reflect the current system environment or federal standards. She said VA, at one point, had more than 4,000 open vulnerabilities under the plans of actions and milestones (POAM) process. A security report from the end of May obtained by Federal News Radio show VA still has more than 2,500 POAMs with open vulnerabilities.
Auditors say hackers took command of a key part of VA’s network called the domain controllers.
Davis and Mike Bowman, the director of the IT and security audits division for VA’s inspector general, said controlling the domain controllers basically lets the hackers have full access to the network.
“We know that the way these individuals work that it’s a typical tactic for them if they compromise something such as a domain controller, it has file on it that is called the SAM file, security accounts manager, in that file are all the password accounts for the users in the network,” Davis said. “If they have the domain controller, they will grab the SAM file, and when they encrypt the information I know they have hit the domain controller. Guaranteed they probably took the SAM file and they will take it back, crack it later and take every password that was on that system.”
Davis said he knows of another instance in which hackers were trying to use VA networks to gain access to Defense Department computer systems. He said in January 2013 VA became aware of an incident where attackers used a spearphishing attack to gain access to a joint VA-DoD network dealing with health data.
Coffman and other committee members pushed Warren for more information about the nation-state attacks. Warren said he definitely knew of one such successful attack, but he preferred to talk about other issues during a close briefing with the subcommittee.
Warren pushed back repeatedly against the allegations that VA’s network and data are insecure.
He said auditors focus on potential risks or threats, but the existence of a risk is not the same as the removal of data from the network.
CRISP is showing real benefits
Warren readily admitted VA has cyber challenges, but he was confident in steps the agency has taken over the past few years, including putting in a continuous monitoring system, called Continuous Readiness in Information Security Program (CRISP), in place. Warren said he expects VA to fully implement CRISP later this year. He added VA has a plan in place to close long-standing IG cyber recommendations, 32 in all, by September 2014. Bowman and Halliday said 12-18 months to implement their recommendations is reasonable.
But when Rep. Tim Huelskamp (R-Kan.) pressed Warren about a letter sent to the committee from Shinseki saying VA data and systems are not at risk, Warren backed away from the blanket assessment of the security of VA systems.
“You did state there are no absolutes in your mind in security. But we do have a letter here that has a very absolute statement from your boss, the secretary, that says, ‘To be clear, VA security posture was never at risk.’ Is that a true or false statement?” Huelskamp said.
“I would tell you sir as the person who ghost wrote that memo in terms of doing the staff work for the secretary, I was not clear in my language and I take ownership of that,” Warren said.
“Is it true or false?” Huelskamp said.
“It is true with respect to the ATO process, which this memo was trying to answer. With respect to the broader question, as we’ve talked about today, there always is some risk,” Warren said.
“Is this a false statement?” Huelskamp said interrupting Warren. “Is it an inaccurate statement? A mistake?”
Coffman said he was less than satisfied with Warren’s response to this and other questions.
“I feel like the letter I received from the Secretary of Veterans Affairs directly to me, where Mr. Warren had essentially helped draft that, said the system is not at risk, I think threatened the credibility of Mr. Warren,” he said after the hearing.
Coffman asked VA to respond within 30 days with a report on how they plan on closing 32 outstanding IG recommendations. He also plans on holding a closed briefing on the nation state attacks in the coming weeks.