Independent assessment gives VA’s cybersecurity positive mark

Listen to Jason's story on the Federal Drive

wfedstaff |

The Veterans Affairs Department’s computers and networks got a clean bill of health from third-party experts. The analysis comes 18 months after VA came under intense scrutiny at a House Veterans Affairs Committee hearing for having major cybersecurity vulnerabilities.

VA hired Mandiant, the cybersecurity company, to examine its networks and systems, specifically looking at domain controllers and Internet gateways.

Steph Warren, VA chief information officer and the executive in charge of its Office of Information and Technology, said the report’s findings were consistent with what he said during a November hearing before the House Veterans Affairs Committee.

“They assessed where things were. They assessed the entire network in terms of looking at what the threats were, with a primary focus on our domain controllers, and they worked our perimeter. We run through Trusted Internet Connects or four gateways so they also looked at the traffic on the gateways,” Warren said Friday during a briefing with reporters. “The results of their conclusion — that final report — was that none of the domain controllers had evidence of compromise and they did not see evidence in the logs they reviewed or anything around those devices.”

VA provided reporters with a copy of the executive summary of the report. Warren said the department could not release the entire report yet as it was still going through legal review.

The executive summary states that Mandiant did not find evidence of data staging or theft, such as the loss of credentials, personal information or personal health information or VA sensitive information.

Warren said the only thing Mandiant found was one computer infected with malware that was trying to ping back to its botnet for instructions. Warren said the agency had blocked the website that the malware was trying to reach.

Questions about nation-state intrusions

The executive summary says Mandiant examined 96 percent of the 574 VA domain controllers between July and December 2014. It says the industry average is 80 percent.

The reasons VA hired Mandiant to look at its domain controllers date back to June 2013, when the House Veterans Affairs Committee held a hearing at which auditors and Jerry Davis, a former VA chief information security officer, testified about VA’s cybersecurity problems. The experts confirmed that VA’s network had been penetrated by at least eight nation-state organizations that took control of the domain controllers.

Warren said he believed VA took care of the problem, but wanted a third party to confirm that the domain controllers and network were free from nation-state actors.

Warren said, while he’s satisfied with Mandiant’s findings, he knows how quickly an organization’s cyber posture can change so VA continues to improve its data and network assurances. But he said he feels confident in what Mandiant found and that should help to alleviate concerns over VA’s networks and data-protection habits.

Warren said VA Chief Information Security Officer Stan Lowe briefed House and Senate committee staff in mid-January on Mandiant’s report.

“I understand they got the briefing, walked through the details, had some really great questions in terms of where we need to respond back and I think the team is. And as soon as we get a couple of things cleared, we’ll make sure that we get the rest of the document out there so you all can see it as well,” he said. “Again, the reason I raised it at the hearing is the question has been asked. One of the things that I’ve been very concerned about is [whether] our most vulnerable veterans [are] being driven away from the VA because of concerns about their data. Those are the folks we need to make sure are coming to the VA and that we are taking the appropriate concerns. They are the ones that need us the most and they are the ones that are most fragile.”

Lawmakers skeptical of findings

Warren added he believes the Mandiant report satisfied the concerns of members of Congress.

But some parts of the report and briefing didn’t quite hit the mark on Capitol Hill.

A House VA committee staff member, who requested anonymity, said the committee still is not convinced that the agency is doing enough to protect veterans’ data.

“Given the narrow scope of Mandiant’s review, VA’s refusal to make the full report public and the department’s glowing characterization of the review, we are concerned the VA may be understating its network security challenges,” the staff member said. “Mandiant’s review focused only on domain controllers, which could have been cleaned or rebuilt prior to the review. Further, the fact that the review only focused on domain controllers means that the rest of the more than 1 million VA network devices were not reviewed. According to the report, logging was often either turned off or overwritten because there was not enough disk space to hold it. Without the appropriate logging data, it’s difficult to understand or determine whether a system was compromised.”

One cybersecurity expert, who requested anonymity and is familiar with the Mandiant report, said the fact that the logging was turned off is akin to the company walking into a dark room and coming out saying it didn’t see anything so, in the future, please turn the lights on.

The source says Mandiant also recommended that VA keep its system logs on a separate log server and not on the actual systems because a common technique of hackers is to delete logs after the intrusion to erase tracks.

CIO on tour

Warren said Mandiant’s findings will help VA continue to make cyber improvements. He said as they implement the changes, VA has to consider all three of its customers.

“The consumer of IT services, the folks in the VA who use these tools and provide those benefits and services to veterans, how do you educate them and how do you focus on them?” Warren said. “The report hit the other two areas. What processes do you have in place as part of your operations or part of your security regime in terms of what do you do, what do you look at, what do you keep an eye on? They suggested some areas where we needed to change our tempos. The third one is on a technology standpoint, in terms of how did we need to tighten up areas in terms of how folks access systems and what they do in systems.”

He added the majority of the changes Mandiant recommended already were underway at VA.

But the report helps VA refine its procedures and processes and better align them with what Mandiant saw during its analysis.

Warren said he will expand VA’s continuous improvement effort around cyber and technology more generally in 2015.

Warren said he is starting a tour of the field offices and facilities this week to discuss cybersecurity and other technology challenges and opportunities.

He will be visiting Atlanta, Birmingham and Tuscaloosa, Alabama.

Warren said he plans to spend the last week or first week of most months in 2015 visiting field offices or facilities around the country.


RELATED STORIES:

VA to spend $60 million more on cyber after auditors continued concerns

Lawmakers, IG expose further vulnerabilities in VA’s cybersecurity

VA cyber efforts in the Hot Seat

Comments

Sign up for breaking news alerts