Government auditors say the Veterans Affairs Department’s cybersecurity problems are mildly better, but huge concerns remain about the security of veterans’ data.
The Government Accountability Office and VA’s inspector general Tuesday told House Veterans Affairs Committee members that the agency still has too many shortcomings despite pressure from lawmakers and the ever-increasing threat of cyber attack.
“Despite progress made, the Office of Information and Technology was not fully effective in addressing systemic weaknesses or eliminating the material weakness identified in VA’s information security program for fiscal 2014,” Sondra McCauley, the deputy assistant IG for audits and evaluations at VA, wrote in her testimony before the House Veterans Affairs Committee members. “We continue to see repeat information security deficiencies in type and risk level to our reported findings in prior years and an overall inconsistent implementation of the security program.”
More specifically, GAO says VA has yet to fix the network vulnerabilities more than a year after lawmakers and a former VA cyber official made public the fact that the agency suffered at least eight nation state intrusions over the last few years.
“The agency had planned to implement a solution in February 2014 that would have corrected the weakness, but this had not been completed at the time of our review. VA did limit access to the affected system, but this is insufficient to prevent recurrence of such an incident,” GAO’s Greg Wilshusen, director of Information Security Issues, said in written testimony Tuesday. “With respect to incident response more broadly, we found that the department’s Network and Security Operations Center did not have sufficient visibility into VA’s computer networks, limiting its ability to detect and respond to incidents. This is because VA policy does not define the NSOC’s authority to access activity logs collected at VA data centers. We previously raised the issue of defining incident response roles and responsibilities at VA in an April 2014 report and recommended that VA define the incident response team’s level of authority. VA concurred with this recommendation. Implementing this recommendation should include providing the NSOC with authority to review network activity logs.”
Wilshusen told lawmakers that VA also couldn’t demonstrate the actions it took after learning of the intrusions were effective.
He said VA didn’t retain digital evidence or a forensic analysis report showing that the security incident was mitigated. Wilshusen said VA also had not, as of June 2014, implemented a solution to address the underlying vulnerability that allowed the attacks to occur. He said VA took limited other actions, but they were not sufficient to stop future attacks.
Additionally, he said VA’s NSOC didn’t have sufficient visibility into agency systems and they couldn’t ensure the attack was contained and stopped.
McCauley said auditors were very worried about the large number of vulnerabilities at data centers more than five years old.
VA chief information officer and executive in charge of OIT, Steph Warren, said the problem with the domain controllers has been fixed.
“Because this question comes up and it’s a concern not just external, but internal, we actually asked an organization called Mandiant — I think you probably have heard of them — we asked to look at those domain controllers because if there is a question we want to make sure it’s more than just my teams saying they are clean,” Warren said. “Friday they briefed us and said they are not seeing anything on those domain controllers. It was a preliminary report. They will have a final report in December. We will bring that report up and brief yourself, the staff and other members and have Mandiant there to do and basically say they are clean.”
Warren tells the committee that the only data they know of that has been stolen are user names and passwords. When VA discovered the cyber attack and theft, all employees and contractors were required to change their passwords. Warren said VA has been working to get Mandiant on board for about a year.
Despite what VA says is progress with the domain controllers, the IG had several other concerns. The IG says VA continues to have too many systems with only a temporary authority to operate instead of a final one.
The inability for VA to fully review IT systems to ensure they meet cyber requirements, known as an authority to operate (ATO), before they are put on the network has been a long-term problem. Former VA Chief Information Security Officer Jerry Davis, now the NASA Ames CIO, testified in June 2013 that VA was “rubber stamping” ATOs in an effort to get them through the process quickly.
The IG says it found VA continues to maintain production systems with a temporary ATO, and that the agency “lacks assurance that system security controls are operating effectively, which could expose veterans’ sensitive data to potential loss, fraud, or abuse.”
One of the most recent discoveries by auditors was the lack of control over audit logs across the agency. Up until earlier this summer, Warren said VA system administrators at the local level had control over whether or not to turn on audit logs.
Several committee members pressed Warren on this issue. Rep. Tim Huelskamp (R-Kan.) asked Warren, “Wouldn’t you have to have audit controls in place and turned on to know whether someone had actually manipulated the data?”
Warren said VA has audit controls turned on in many places, but Huelskamp interrupted asking if the controls were always turned on. “The audit team identified for us where they were not turned on in the past so we’ve gone in and turned them on,” he said. “And again, for the record, we’ll bring back are there any places where those controls are not turned on.”
Huelskamp responded asking, “Why would they have been turned off?”
Warren said the fact is VA still is overcoming its long history of decentralized control over IT and the audit logs were typically a locally controlled issue. “If they are turned off, we would agree you are vulnerable. You wouldn’t even know if you are vulnerable and you wouldn’t even know if anybody is manipulating data,” Huelskamp said. “The OIG has talked about this for years. This isn’t an occurrence of a few times, it’s over the last decade. Audit controls are not always on for whatever reason.”
Despite the concerns of the auditors and lawmakers, Warren said veterans’ data is safer today than ever before.
“Since the June 4, 2013, hearing before the House Veterans Affairs Committee’s subcommittee for Oversight and Investigations, we have acquired new monitoring capabilities, increased desktop security, and enhanced our speed in detecting and combating challenges,” Warren wrote in his testimony. “Before we activate systems within our network, and before any Veteran’s information is put into those systems, we take steps that ensure the information is protected to the best of our ability. The process for issuing formal approval to operate systems on VA’s network — known as Authorities to Operate (ATO) — has greatly improved in the last year. We have migrated from a manual, point-in-time, paper process to an electronic, automated, continuous monitoring capability with the help of the newly implemented governance, risk, and compliance (GRC) tool, which went live in August 2013. We are the first (and the largest) cabinet level government agency to have moved to continuous monitoring. This new capability allows VA to detect vulnerabilities early and respond to threats rapidly.”
But Warren said he would move resources to make progress even faster.
“I’m disappointed that in spite of the significant effort by our employees over the past year, the OIG maintained a material weakness. I’m committed to redoubling our efforts to put in place the processes and disciplines to address these issues, building upon the extensive layered, in-depth strategy we already have in place,” he said. “To that end, after receiving the findings from our OIG last week, I’ve directed an additional $60 million to be added to our information security efforts this year. This will provide additional resources to our facilities to implement configuration management as well as vulnerability remediation. In February, we will reevaluate and if significant progress isn’t being made, additional resources will be applied.”
That’s about a 38 percent increase over and above the $160 million VA already spends a year on cybersecurity, not including staff expenses. Warren said after the hearing that he moved resources from current project upgrades to cybersecurity so he could get the money to the field where it’s needed the most.
He said he released the funds last week and the team met Tuesday to make sure dollars are getting to the right people.
A VA official, who requested anonymity because they didn’t get permission to talk to the press, said the funding will let VA field information security staff assist in efforts to remediate and remove unauthorized software. It will also provide resources to VA’s IT line staff to assist in vulnerability and patch management program reporting, tracking and remediation efforts.
The IT staff will also supplement efforts to resolve vulnerabilities in medical device protection programs, and support the National Security Operations Center (NSOC) scanning team. Additionally, the official said VA will use the money to develop a comprehensive list of approved and unapproved software, and implement a process for monitoring, preventing installation, and removing unauthorized application software on agency devices, and the operations IT staff will use that list to remediate and remove vulnerabilities and unauthorized software VA wide.
VA also plans to integrate various back-end systems including Active Directory, the HSPD-12 card management system, the VA personnel accountability system, and the talent management system. The official said these reviews will work toward automating the agency’s onboarding, monitoring, and off-boarding efforts.
Additionally, Warren said VA resolved concerns about contingency planning and the segregation of duties, reduced the amount of time needed to complete a scan of its entire network to one month from one year, and implemented two-factor authentication for system administrators and strengthened passwords required to access critical systems. Auditors do not disagree with Warren’s evaluation in that VA has made some progress.
The IG says the implementation of the Continuous Readiness in Information Security Program (CRISP) in 2012 is making a difference in ensuring VA has a focused team on improving network and data security. GAO added VA has taken steps to respond to incidents and identify and mitigate vulnerabilities. But both auditors say there is so much more that VA needs to do to ensure the security of the data of veterans.
“Until a proven process is in place to address the OIG’s outstanding report recommendations and ensure control across the enterprise, the IT material weakness will stand and VA’s mission-critical systems and sensitive veterans’ data will remain at risk of attack or compromise,” McCauley wrote in her prepared testimony. “IT shortfalls mean not only exposure of millions of veterans to potential loss of privacy, identity theft, and other financial crimes, they also constitute poor financial stewardship of taxpayer dollars.”
Wilshusen said in his prepared testimony that GAO made eight recommendations, including finalizing and implementing the policy requiring source code scans on key Web applications, applying missing security patches within established time frames or document compensating controls and/or plans to migrate to newer services that support security features, scanning non-Windows (e.g., Linux) network devices in authenticated mode and identifying actions, priorities and milestones for tasks related to vulnerability remediation.
“Shortcomings in its incident response activities, vulnerabilities in key Web applications, and weaknesses in the management of security on its network devices place the sensitive personal information entrusted to the department at increased risk of unauthorized access, modification, disclosure, or loss,” Wilshusen wrote.
VA agreed with GAO’s recommendations and says it already is implementing changes to meet six of the eight.