Another big federal agency has apparently escaped unscathed from the SolarWinds hack.
Leaders from the Department of Veterans Affairs told Congress on Thursday they are now confident that none of their data was compromised, even though the company’s Orion system had a prominent presence throughout VA’s IT networks.
The platform that Russian government hackers managed to infiltrate with a malicious software update played a huge role in VA networks at the time of the hack, and still does, now that it’s been patched to remove the threat. According to SolarWinds, VA was using ten different instantiations of Orion to monitor all four of its internet gateways and tens of thousands of endpoints across its sprawling IT network.
Paul Cunningham, VA’s chief information security officer, said the department’s Orion systems did indeed download and install the automatically delivered patch that contained the Russian-made backdoor. But he said he is now “very confident” that hackers never managed to make use of it on VA networks before the problem was fixed.
“The period of time between when we recognized that we had a problem and the time we were able to bring all of our SolarWinds instances down was about 12 hours. Across this complex environment, that’s really a testament to VA’s capability from an operational perspective,” he told the House Veterans Affairs Committee Thursday. “We installed all of the indicators of compromise, we replayed our NetFlow data looking for any other indicators that would identify that maybe an attacker used those vulnerabilities before we received the indicators, and there was no evidence of that.”
Cunningham said VA asked the Department of Homeland Security to take a second look. DHS cyber experts couldn’t find any indications of compromise either.
“We also asked the intelligence community to come in — they said they would come back to us if they saw anything, and they didn’t come back,” he said. “We also commissioned a third party, Microsoft, to come in and look at our systems. They looked through all of our efforts, and they agreed that there were no indicators that the malware was activated or that it was used in a nefarious way.”
The Defense Department reached a similar conclusion earlier this year, saying that even though the compromised SolarWinds platform was scattered throughout its networks, it couldn’t find any evidence that hackers ever successfully leveraged it to steal data or inflict other damage.
But even if VA can breathe a sigh of relief over the specific SolarWinds incident, its overall cybersecurity posture is still fairly weak and not improving quickly enough, according to the agency’s inspector general.
VA’s OIG considers the department’s inadequate cyber controls to be a material weakness when it comes to the department’s overall financial statement. And in its latest audit of VA’s compliance with the Federal Information Security Management Act (FISMA), released last month, the IG made 26 separate recommendations.
21 of those are longstanding issues from prior years, according to Michael Bowman, the director of the OIG’s IT and security audits division.
“The FISMA audit, in addition to other reports on VA’s IT security program, shows that VA has considerable work to do in order to achieve better IT security outcomes,” he said. “The fundamental mission of providing benefits and services to veterans is dependent on the ability to deploy and secure IT systems and networks. Until processes are in place to ensure adequate IT controls are deployed across the enterprise, VA mission critical systems and sensitive veteran data will remain at risk. And while VA has made some recent improvements in information management, considerable challenges remain.”
One factor may be funding. According to the Congressional Research Service, VA spends 0.52% of its discretionary budget on cybersecurity, putting it on the low end of federal agencies’ proportional spending on IT security. By comparison, DoD allocates 1.38% of its budget toward cybersecurity. DHS spends 3.81%, and Treasury spends 3.61%.
If current trends hold, VA’s cybersecurity spending is set to fall further, to just 0.44% of its budget, based on the topline budget the Biden Administration released last month.
Cunningham acknowledged resourcing is an issue, both when it comes to direct spending on cyber defenses, and with regard to replacing older systems that are more difficult to defend.
“We have to invest in IT,” he said. “Legacy systems are probably the biggest risks that we have from a cybersecurity perspective. But we’ve been able to leverage some of the supplemental [appropriations] from the COVID response, especially when it comes to remote environments, as well as telehealth.”
Beyond additional funding, Cunningham said the department sees major promise in more information sharing — and sharing information more quickly — between VA and other federal entities.
“There’s been a lot of work on that already, but more needs to be done,” he said. “We want to be able to get to automated indicator sharing, where one site can recognize an indicator of compromise, write a code, and it’s automatically deployed across the country. On those sorts of activities, things that are found in national labs, we need to be a little more forward-thinking. We’ve partnered with Oak Ridge National Laboratory. We use that for research and development, and we are talking about ways we can share information.”