The Veterans Affairs Department is refuting claims by Rep. Jackie Walorski (R-Ind.) that it sustained another nation state attack in September 2014.
VA Chief Information Officer Steph Warren said House Veterans Affairs Committee lawmakers informed his office of a potential breach and the agency immediately took steps to review and analyze the information.
“I’m a little perplexed, because I have been going back and forth with the committee, and specifically with one of the staffers where the comment was made they were aware of and we’ve been pursuing information about it. The reason we are pursuing information about it is because if we have a weakness that we need to fix, I want to fix it. I want to take on where we have gaps in what we do,” Warren said, during a briefing with reporters after Walorski made the claim during a committee hearing Thursday. “As of right now, again with the conversations not just conversations within the organization, we’ve had conversations with the National Security Council, we’ve had conversations with the Homeland Security Department, we’ve had conversations with the FBI and the counter intelligence and cyber crimes area, and we’ve asked specifically, are you aware of and they’ve all come back and said, ‘No,’” Warren said. “So we will continue to work with individuals on the committee to run down the details. I’ll be blunt right now, we haven’t seen anything and we haven’t got anybody who can say, ‘This is what happened. This is where the vector was, and these are the activities that took place.’ We are drawing a blank. We keep pursuing getting the details, because we really want to know, because if we’ve got an area where there is a weakness, we want to find it, we want to fill it and we want to make sure we continue to do the stewardship and guardianship. As of right now, we are coming up dry when we ask for who says and the specifics and the details. And those are not only at the unclassified level, but at the classified level. We’ve rung every door bell that we can find and we keep getting the answer back, ‘We have no idea what you are talking about, and we have nothing nor have we briefed anything that you were involved in that nature.’”
But Warren’s claim that VA has no evidence about another nation state attack is in direct opposition to statements made by Walorski, at a hearing on legislation the committee is considering, and by other experts familiar with the classified report issued to VA.
FBI notified agency of breach
The congresswoman said Thursday that a state actor penetrated VA’s network in September 2014.
“This was substantiated by another government entity, after which the committee briefed Secretary [Bob] McDonald. VA was not aware of the intrusion, which by all accounts was then not detected by VA’s CRISP, Einstein 3 or by any active review being conducted by a third party contractor,” Walorski said.
Additionally, a source with knowledge of the latest attack against VA said the agency was notified around Jan. 15 by a third party.
“The attacker was able to access information systems, acquire and exfiltrate information,” said the source, who requested anonymity in order to talk about the classified report. “The notification of the breach to VA officials took place before the Mandiant report, a report that indicated that VA did not have a compromised environment, was released. VA officials elected to release the Mandiant report anyway, ignoring the fact that their systems were not secure and attackers continue to have unfettered access to VA systems that host highly sensitive Veteran personal data. VA attempted a haphazard response to the attack, but did not have the capability or skill set to know how to identify the attack vector, the attackers or conduct post-mortem activities as a means to mitigate future incidents. Because of the potential embarrassment to VA officials within OIT, VA has attempted to obfuscate and cover up the attack. VA systems hosting Veteran data, particularly health care information, remain at high risk.”
The committee alerted VA of the breach in the midst of a review by a third-party contractor, Mandiant, which eventually found no evidence that the agency lost any data to a nation state, or that a nation state remained in its networks or took over the domain controllers. Despite the concerns over the breach, VA decided to issue the Mandiant report.
A committee staff member, who requested anonymity, said the FBI congressional liaison confirmed to staff on Feb. 4 “that a security incident involving VA’s computer network occurred in September 2014. According to the liaison, the Department of Homeland Security was to notify VA officials of the incident.”
The staff member said they passed along all of the information they had to VA officials, who said they could not confirm that an incident had occurred.
Warren said VA stood up a data breach team to ensure they knew exactly what happened. “We called people. We had classified and unclassified briefings. The team has run the logs and they’ve run all of the track record on this. But they keep coming back with, ‘Yeah, we don’t see anything,’” Warren said. “I believe our review of the notification and all the work taking place will probably be in next month’s activity report. I know Stan met with the cyber crime folks yesterday morning and they reaffirmed, ‘We have nothing on you all. We have nothing from that time frame. We haven’t briefed anything.’ They were going to go back and double check. As of right now, we are not aware of anything substantiated that took place.”
This latest disagreement over cybersecurity is part of the ongoing debate between the committee and VA.
House lawmakers exposed VA’s problems with nation state actors getting into their network during a hearing in June 2013. During the hearing, lawmakers said VA suffered from at least nine nation state attacks starting in 2010.
Over the last 18 months, VA and committee members have sparred over the health of the agency’s computer networks and data.
During the most recent hearing, Walorski and other members pressed VA Chief Information Security Officer Stan Lowe on the security of the agency’s network.
Rep. Tim Huelskamp (R-Kan.) asked Lowe if the IT system at VA is secure today.
“It’s as secure as we can possibly make it,” Lowe said. “There is nobody that sits in my position that can definitively state their system is completely secure because there are too many unknowns. Based on the information I have today, we are secure as we can be.”
Two competing bills
Lowe referred back to the Mandiant report during the hearing and said the remediation activities were effective.
Walorski said over the three years she’s been on the committee, VA IT security has been a challenge, specifically whether the agency lost control of its domain controllers in 2010.
“This HR 1017 comes from feedback the committee received from a members only briefing in December 2013 which the VA, the VA’s Office of Inspector General and the Government Accountability Office all attended. At this briefing, the committee provided an overview of VA’s information security vulnerabilities using VA’s own internal documents and previous testimony from VA’s IG. The committee has had numerous meetings, sent letters and held a hearing in November 2014 to address IT security weaknesses,” Walorski said. “Unfortunately, VA’s lack of cooperation has been a long-standing issue that continues to this day. Independent information security experts verified HVAC’s findings about the VA’s critical network vulnerabilities.”
The source with knowledge of the latest VA data breach said Walorski’s bill is important because it seeks to strengthen the agency’s program in light of all the recent health care related cyber attacks.
“Health care information has become the most sought after information by attackers in today’s cyber battlegrounds,” the source said. “The value of health information is outpacing that of credit card information or other types of personal information.”
While Walorski’s bill is more prescriptive, Rep. Ann Kirkpatrick’s (D-Ariz.) VA Cybersecurity Protection Act is more focused on strategy and reporting back to Congress on VA’s progress to continue to improve its network security.
“I believe legislation is necessary to ensure that VA takes appropriate measures to safeguard veterans’ personal information,” said Kirkpatrick, who introduced the bill Feb. 26. “This bill offers common sense steps to do just that. First, it requires the VA to report quarterly to Congress on actions and plans to address known information security vulnerabilities and provide a timetable for addressing them. Second, it mandates a report on VA’s actions to hold employees accountable for data breaches. The report would include VA’s proposed reorganization of its IT security infrastructure. Third, it requires the VA to develop an information security strategic plan that protects veterans’ information and anticipates future cybersecurity threats. It requires the VA to recruit and train employees with skills and expertise in information and security, and to update VA information technology. This bill is not creating requirements that are so rigid that the VA is unable to perform vital services such as referring patients to other health-care providers or granting them the benefits they deserve.”