WASHINGTON – The Department of Veterans Affairs has failed to meet cybersecurity standards in each of the last 16 years and Congress is pressing the agency to improve its performance or face the potential of a hacker invasion.
Lawmakers note that the VA’s network has been breached on several occasions over the past few years and are concerned that records of the nation’s former military personnel may be susceptible. While the agency notes that the long-standing situation has improved, it has not shown to be fully effective in addressing the system’s weaknesses, according to a critical Government Accountability Office report issued Tuesday.
Members of the House Veterans Affairs Committee were advised of the agency’s cybersecurity shortcomings during a hearing Tuesday when Greg Wilshusen, director of Information Security Issues for the GAO, maintained that the VA has failed to address vulnerabilities within its network that were identified more than a year ago after at least eight intrusions.
“VA did limit access to the affected system, but this is insufficient to prevent recurrence of such an incident,” Wilshusen said. “With respect to incident response more broadly, we found that the department’s Network and Security Operations Center did not have sufficient visibility into VA’s computer networks, limiting its ability to detect and respond to incidents. This is because VA policy does not define the NSOC’s authority to access activity logs collected at VA data centers.”
The GAO report concluded that “until VA fully addresses identified security weaknesses, its systems and the information they contain — including veterans’ personal information — will be at an increased risk of unauthorized access, modification, disclosure, or loss.”
Rep. Jeff Miller (R-Fla.), the committee chairman, chided the agency for its inaction, asserting that the cited problems “are not because of a lack of resources, as some VA senior officials want us to believe.”
“Within the past decade, Congress has provided over $28 billion to VA’s Office of Information and Technology to ensure its goals and actions are aligned with and driving the strategic goals of the agency,” Miller said. “Given the availability of resources, it is apparent that this office’s lack of success and repeated underperformance is a leadership failure.”
Meanwhile, the Office of the Inspector General supports the GAO findings.
“We continue to identify significant technical weaknesses in databases, servers, and network devices that support transmitting sensitive information among VA medical centers, data centers and VA Central Office,” said Sondra McCauley, the VA’s deputy assistant inspector general for audits and evaluations, who worked on the report. “For FY 2014 we once again found deficiencies where control activities were not appropriately designed or operating effectively. It is particularly disconcerting that a significant number of vulnerabilities we identified at VA data centers are more than five years old.”
McCauley told the committee that bringing VA cybersecurity up to speed could become even more difficult in the coming years as the agency moves toward cloud computing. The agency signed a contract with a firm in 2013 to shift about 600,000 email users into a private cloud service, but the agreement failed to include a provision providing the inspector general access to systems and data – rendering it more difficult for the office to conduct investigations.
The VA also faces increased threats from hackers outside the nation’s borders that have yet to be addressed.
McCauley acknowledged that the VA Office of Information and Technology has made some progress but stressed that “we continue to see repeat information security deficiencies in type and risk level to our reported findings in prior years and an overall inconsistent implementation of the security program.”
Despite the ongoing problems, Stephen Warren, the chief information officer for the VA’s Office of Information & Technology, assured the panel that the personal data of the nation’s veterans remains secure, noting that the agency has acquired new monitoring capabilities, increased desktop security and enhanced efficiency in detecting and combating challenges to the system.
“Before we activate systems within our network, and before any veteran’s information is put into those systems, we take steps that ensure the information is protected to the best of our ability,” Warren said.
“We have migrated from a manual, point-in-time, paper process to an electronic, automated, continuous monitoring capability with the help of the newly implemented governance, risk, and compliance (GRC) tool, which went live in August 2013. We are the first, and the largest, cabinet level government agency to have moved to continuous monitoring. This new capability allows VA to detect vulnerabilities early and respond to threats rapidly.”
Under questioning regarding date breaches, Warren told the committee that the only information obtained as a result of outside incursions in 2010 and 2012 was usernames and passwords. Those were changed immediately after the hacking was detected, Warren said.