Veterans Affairs Maintains Weak Security for Vets' Private Data

WASHINGTON – The Department of Veterans Affairs has failed to meet cybersecurity standards in each of the last 16 years and Congress is pressing the agency to improve its performance or face the potential of a hacker invasion.

Lawmakers note that the VA’s network has been breached on several occasions over the past few years and are concerned that records of the nation’s former military personnel may be susceptible. While the agency notes that the long-standing situation has improved, it has not shown to be fully effective in addressing the system’s weaknesses, according to a critical Government Accountability Office report issued Tuesday.

Members of the House Veterans Affairs Committee were advised of the agency’s cybersecurity shortcomings during a hearing Tuesday when Greg Wilshusen, director of Information Security Issues for the GAO, maintained that the VA has failed to address vulnerabilities within its network that were identified more than a year ago after at least eight intrusions.

“VA did limit access to the affected system, but this is insufficient to prevent recurrence of such an incident," Wilshusen said. "With respect to incident response more broadly, we found that the department's Network and Security Operations Center did not have sufficient visibility into VA's computer networks, limiting its ability to detect and respond to incidents. This is because VA policy does not define the NSOC's authority to access activity logs collected at VA data centers.”

The GAO report concluded that “until VA fully addresses identified security weaknesses, its systems and the information they contain -- including veterans' personal information -- will be at an increased risk of unauthorized access, modification, disclosure, or loss.”

Rep. Jeff Miller (R-Fla.), the committee chairman, chided the agency for its inaction, asserting that the cited problems “are not because of a lack of resources, as some VA senior officials want us to believe.”

“Within the past decade, Congress has provided over $28 billion to VA’s Office of Information and Technology to ensure its goals and actions are aligned with and driving the strategic goals of the agency,” Miller said. “Given the availability of resources, it is apparent that this office’s lack of success and repeated underperformance is a leadership failure.”

Meanwhile, the Office of the Inspector General supports the GAO findings.

“We continue to identify significant technical weaknesses in databases, servers, and network devices that support transmitting sensitive information among VA medical centers, data centers and VA Central Office,” said Sondra McCauley, the VA’s deputy assistant inspector general for audits and evaluations, who worked on the report. “For FY 2014 we once again found deficiencies where control activities were not appropriately designed or operating effectively. It is particularly disconcerting that a significant number of vulnerabilities we identified at VA data centers are more than five years old.”