On the heels of another Veterans Affairs Department inspector general report showing departmental cybersecurity practices falling short, House Veterans Affairs Committee lawmakers are pressing for more answers about just how secure the data of millions of veterans is in the agency’s network.
A committee staff member said lawmakers are conducting an analysis of the IG’s report, a redacted version of which was posted online April 15, and are asking for further details by April 29.
The IG found VA allowed 14 contractors to access its network and data from outside the United States in countries ranging from China to India to Costa Rica between October 2011 and February 2014. The contractors either received permission to telework or accessed the network without proper authorization during vacation or business travel.
The IG concluded VA suffered from a lack of policy prohibiting access to agency networks from outside the U.S., from the inability of some OIT employees to enforce the cease-and-desist order from Stephen Warren, VA’s CIO, and from an underwhelming response by the CIO’s office to ensure the networks and data were safe once it learned there were potential problems.
“We found that seven years after the 2006 data breach, VA information security employees still reacted with indifference, little sense of urgency, or responsibility concerning a possible cyber threat incident,” the VA IG wrote in the report. “Austin Information Technology Center (AITC) OIT employees failed to follow VA information security policy and contract security requirements when they approved VA contractor employees to work remotely and access VA’s network from China and India. One accessed it from China using personally-owned equipment (POE) that he took to and left in China, and the other accessed it from India using POE that he took with him to India and then brought back to the United States. After the Acting CIO learned of this improper remote access, he gave verbal instructions for it to cease; however, VA information security employees at all levels failed to quickly respond to stop the practice and to determine if there was a compromise to any VA data as a result of VA’s network being accessed internationally.”
The committee sent VA’s Office of IT six questions:
Does a policy exist and is it implemented that denies connections from foreign countries by default and only explicitly allows those connections that can be validated as authentic? If not, when will one be developed and implemented?
Does Network Security Operations Center (NSOC) at VA provide real-time monitoring for foreign connections to VA internal resources? If not, who does and/or when will NSOC provide this service?
Does NSOC compare foreign connections to the network with users? If not, when will they?
Does VA OIT conduct a forensic examination of every device upon a user returning from a foreign country? This includes phones, iPads (or similar devices), and computers. If not, when will such a policy be implemented?
Does VA OIT have a policy that provides employees traveling out of country with a clean (free of VA data) “loaner” computer so the employee’s regular working laptop (filled with VA data) won’t be compromised? This would be most appropriate for employees just checking emails or providing a presentation. If not, when will such a policy be implemented (or why won’t one be implemented)?
What are VA OIT’s procedures for validating who is actually logged into any given VA resource from a foreign country?
These questions follow several dozen sent by the committee over the last 18 months asking for more assurances that VA is protecting veterans’ data.
FedScoop first reported the details of the IG report.
This IG report comes as VA seemed to be recovering from damning testimony in June 2013 by the OIG and former chief information security officer Jerry Davis that the agency suffered at least eight successful nation-state attacks between 2010 and 2012.
VA reported in January that Mandiant, a cybersecurity vendor, had reviewed its networks and found no evidence of nation states accessing or taking over the network domain controllers.
The department recently made a redacted version of that Mandiant report public.
Warren also promised to add $60 million to the cyber budget to further protect networks after auditors’ continued concerns.
But this latest IG report raises alarm bells for members of Congress and other experts.
“This report is disturbing. Yet again VA OIT leadership completely missed the boat on a critical security issue,” said a source with knowledge of VA. “Instead of trying to find a policy on telework access from foreign countries, they should have been looking for the policy that restricts access to VA internal resources from foreign countries and foreign IP addresses. The policy should deny by default any access to internal resources from a foreign IP address unless explicitly allowed. The VA Office of Information Security should be looking at foreign connections to internal resources in real time 24 hours a day, 365 days a year. Connections to internal resources from foreign IP addresses, especially from high-risk countries, must be authenticated and validated that they originated from an authorized user.”
The source, who requested anonymity in order to talk about the report, added that VA should have required users to have “clean” devices when going overseas, and that when they return from overseas, officials should conduct forensic analysis of those laptops, tablets or smartphones.
“In reviewing the IG report, it is easily assumed that when those users connected to VA resources in the manner that they did, they more than likely let prying eyes easily connect to those resources as well,” the source said. “The VA network will continue to have a significant problem in regaining control of the network. It is a tragedy that Veterans have to continue to be faced with the fact that VA OIT cannot sufficiently protect Veterans’ personal data.”
A VA spokesperson said in an email that the agency takes the protection of veterans’ data seriously.
“VA agreed with OIG that the department needed to immediately create and implement policy to prohibit employees or contractors from connecting to the VA network and has already begun work to address OIG’s recommendations in addition to clarifying policy and implementing technical controls,” the spokesperson said. “When issues of protecting Veteran information are brought to the attention of VA leadership, whether due to evolving technical challenges or when individuals show poor judgment, we take the necessary and appropriate action to ensure our workforce understands and honors our obligations as stewards of Veteran information.”
The IG pointed out that VA did create a policy in January 2014 prohibiting access to VA’s network from non-NATO countries except those where VA has an established presence.
VA also blocks access to websites and network connections to certain countries, and inbound and outbound traffic is also blocked on a country-by-country basis.
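The committee’s first and third questions (a deny-by-default rule for foreign connections, and comparing foreign connections against users) and VA’s stated policy of blocking access from non-NATO countries except where it has an established presence describe one detection control. The following is an added example, not code from the IG report, the committee or VA, showing how such a check can be run over remote-access logs: every session from a non-allowlisted country is denied by default unless that specific user holds an explicit, in-window authorization to work from that country. The country allowlist, the authorization register, the usernames and the CSV log lines are all constructed stand-ins, not VA’s real data.

```python
import csv
import io
from datetime import date

# Constructed allowlist standing in for VA's "NATO countries plus locations with
# an established VA presence" rule; these ISO codes are illustrative only.
ALLOWED_COUNTRIES = {"US", "CA", "GB", "DE", "FR"}

# Constructed register of approved foreign telework/travel:
# (user, country) -> (first day, last day) the authorization is valid.
TRAVEL_AUTHORIZATIONS = {
    ("jdoe", "IN"): (date(2014, 2, 1), date(2014, 2, 14)),
}

# Constructed sample remote-access log in CSV form; the IP addresses are from
# documentation ranges and the users are fictitious.
SAMPLE_LOG = """timestamp,user,src_ip,src_country,resource
2014-01-20T09:12:00Z,asmith,203.0.113.7,US,vpn-gateway
2014-02-05T03:44:10Z,jdoe,198.51.100.23,IN,vpn-gateway
2014-02-20T22:05:41Z,jdoe,198.51.100.23,IN,vpn-gateway
2014-02-21T14:30:00Z,bcontractor,192.0.2.88,CN,citrix-portal
"""


def classify_session(user, country, when):
    """Deny by default: a session is allowed only if its source country is on the
    allowlist, or if this exact user holds a travel authorization for that
    country that covers the session date. Everything else is denied."""
    if country in ALLOWED_COUNTRIES:
        return "allow"
    window = TRAVEL_AUTHORIZATIONS.get((user, country))
    if window is not None and window[0] <= when <= window[1]:
        return "allow-authorized-travel"
    return "deny-default"


def review_sessions(log_text):
    """Parse the CSV log and attach a verdict to every session row, so the
    reviewer sees each foreign connection tied to the user behind it."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        session_day = date.fromisoformat(row["timestamp"][:10])
        verdict = classify_session(row["user"], row["src_country"], session_day)
        findings.append({**row, "verdict": verdict})
    return findings


def denied_sessions(log_text):
    """Only the sessions that the deny-by-default rule would have blocked; these
    are the ones that warrant an incident ticket and a device examination."""
    return [f for f in review_sessions(log_text) if f["verdict"] == "deny-default"]


if __name__ == "__main__":
    for finding in review_sessions(SAMPLE_LOG):
        print(finding["timestamp"], finding["user"], finding["src_country"],
              finding["verdict"])
```

Run against the constructed log, the script allows the US session, allows jdoe’s February 5 session from India because it falls inside the recorded authorization window, and denies both jdoe’s February 20 session (outside the window) and the contractor session from China (no authorization at all). Binding the exception to a (user, country, date window) tuple rather than to a country alone is what answers the committee’s “compare foreign connections with users” question; a pure geo-block cannot distinguish an approved traveler from an unapproved one.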
Once again, VA has some difficult questions to answer about whether OIT is doing enough, taking all necessary actions and pulling out all the stops to protect veterans’ data.
Few would argue the challenge is small, considering VA is a worldwide organization with more than 200,000 employees and tens of thousands of devices. But lawmakers and other experts continue to see reports where what many call good cyber hygiene isn’t happening and actions to fix the problems aren’t coming quickly enough.
This post is part of Jason Miller’s Inside the Reporter’s Notebook feature.