The Department of Veterans Affairs database has been hacked by at least eight foreign organizations, including the Chinese military. Testimony revealed an agency struggling to manage security across its vast IT systems, leading to breaches. A former VA information security officer said he encountered 15 years of unattended security vulnerabilities and eight foreign groups had compromised VA networks. The VA is working to standardize security through encryption and monitoring initiatives, but government watchdogs say there is still significant work to be done to protect veterans' sensitive information from unauthorized access.

1. VA hacked by foreign orgs, security needs standardization
June 05, 2013 | AnthonyBrino,Associate Editor
RelatedNews
VA compromise bill wouldbolstertelemedicine,schedulingsoftware
iEHR redefined:DOD'stop3 tacticsin VA turf war detente
GAO: DoD,VA missEHR interoperabilitybyamile
AllscriptsbringsCSCandHP to DoD EHR fight
MHS CIOtalksEHR procurement
The Departmentof VeteransAffairsdatabase hasbeenhackedbyatleasteightforeignorganizations,
includingthe Chinese military,the House Veterans'Affairsoversightandinvestigationssubcommittee
learnedTuesday.
TestimonyfromVA inspectorgeneral officialsandaformerVA informationsecurityofficialshow an
agencystrugglingtomanage securityfora vast IT systemat clinics,officesanddatacentersacross the
country — leadingtodata breacheslike the well-knownstolenlaptopin2006 and to attacks by
nefariousforeigngroups.
A rankingVA official toldsubcommittee membersthatthe agencyisinthe midstof a wide-ranging
securitystandardizationplan — intendingtoencryptall butcertainexemptcomputersbythe endof
June,forinstance.Butagencywatchdogsand a formerIT securityofficial saidthere’salotof workleft
to do.
In August2010, JerryDavis,a formerMarine andGulf War veteran,tookoveras the VA’schief
informationsecurityofficer,and“inheritedthe resultsof more than15 continuousyearsof an
unattendedanddocumentedmaterial weaknessinITsecuritycontrols,”ashe toldthe subcommittee.
“In nearly20 yearsof buildingandmanagingsecurityprogramsacrossgovernmentandprivate industry,
I had neverseenanorganizationwithasmanyunattendedITsecurityvulnerabilities,”Davissaid,noting
some 13,000 corrective actionswaitingtobe completedashe arrived.
Those notwithstanding,the “mostconcerningissue”forDavisarose froma conversationwiththenVA
principal deputyassistantsecretaryStephenWarren,whoapparentlytoldhimnotlongafterarrivingat
the VA:“We have uninvitedvisitors inthe network.”
Davisthenlearnedthatthe VA NetworkSecurityOperationsTeamfirstnoticed“seriousnetwork
compromises”inMarch 2010 from“nationstate-sponsoredattackers.”ByDavis’estimate,eight
differentforeignorganizationshad“successfully compromisedVA networksanddataor were actively
attackingVA networks,”andmaystill be doingsotoday.

2. There isn’ttoomuch knownaboutthe nature of the foreignattacks;manylikelyoriginatedfromthe
Chinese militaryandsome mayhave come fromRussian-linkedorganizations,ashypothesizedby
subcommittee chairmanMike Coffman,aRepublicanfromColoradowhoconvenedthe hearing.It’salso
not clearwhat,if any, veteraninformationwastaken,butCoffmansaiditwaspossible thatpersonal
data such as Social Securitynumberswere viewed.
Davis,wholeftthe VA to become CIOat the NASA AmesResearchCenterearlierthisyear,citedseveral
contributingfactorsthatenabledthe hackings:lackof encryptioninVA databases,webapplications
with“commonexploitable vulnerabilities”andweakauthenticationinsensitivesystems.
Davissaidhe startedtryingto counterthe attacks andseal up securitygapsthroughseveral initiatives
for webapplicationsecurity,software assurance andcontinuingmonitoring,andthe VA eventuallyfixed
about10,000 problemsidentifiedinthe 13,000 securitycorrective actions.
But Davisalsotoldthe subcommitteehe encounteredorganizational problems.Hisoffice wasaskedto
attestthat VA systemswere adequatelysecure,althoughthe processesnecessarytoensure that,Davis
said,were “completelyfaultyandimproperandthe implementationof the processexposedVeteran
systemsandVA informationtofurtherriskof compromise.”
Daviswenton,“It was confirmedtome by the VA informationsecuritystaff chargedwithexecutingthe
processthat itwas flawed,providednovalue andthatprovidingapositive attestationtothe adequacy
of securitycontrolswouldseriouslycompromise the integrityof the VA securityprogram.”
Davissuggestedthatthe subcommitteetrytohave the greaterVA networkdesignatedasa
“compromisedenvironment,”toensure “reclamationof control.”He alsorecommendedthatVA
networksbe movedintoa“full continuousmonitoringanddiagnosticsprogramwithnearreal time
situational awarenessof itssecurityposture,”andthatorganizational reportingforthe deputyassistant
secretaryof informationsecurity(wherehe washousedasCISO) be streamlineddirectlytothe assistant
secretaryforthe Office of InformationTechnologyorthe Office of the Secretary.
[See also:Q&A:Why IT securitygrowsmore complex.]
AlsotestifyingwasStephenWarren,whofirstalertedDavistothe problemsandwhoisnow the acting
VA CIO.
Warren broadlyaddressedsome of the securityconcerns,outliningseveralplansthe agencyhasto
standardize securityacrossitsITsystems,andalsosaidthere wasn’tany evidenceof information
actuallybeingtakenbyforeignhackers.(Coffman,though,respondedtothatbysayingthat absence of
evidence doesn’tnecessarilymeaninformationwasn’tstolen.)
Emphasizingthe agency’sbidtowardcorrectingsecurityproblems,Warrenalsosaidthatofficialsare
“fosteringaculture change”and focusingonencryption.Over98percentof the VA’s non-medical
laptopsare encrypted,he said.Bythe endof thismonth,the agencyexpectstocomplete the encryption
of all laptopsexceptthose withspecificwaivers(certainmedical andresearchlaptops,service laptops
not connectedtothe VA networkand laptopsgiventoveteransforrehabilitation).

3. Warren alsosaidthe VA is increasingcontinuousmonitoringof the sortDavisrecommended,withthe
“VisibilityintoEverything”initiative thatallowsVA ITtosee and manage all of itsdevicesandnetwork
componentsinnearreal time.
As part of that culture change,though,officialsfromthe VA Office of the InspectorGeneral saidthe
agencyhas a lot more workto do. LindaHalliday,assistantinspectorgeneral forauditsandevaluations,
toldthe subcommittee that“VA continuestoface significantchallengesimplementingeffective access
controls,configurationmanagementcontrols,andcontingencyplanningtoprotectmission-critical
systemsfromunauthorizedaccess,alteration,ordestruction.”
Several investigationsbythe OIGhave “disclosedapatternof ineffective informationsecuritycontrols
that expose VA’smission-critical systemsandsensitive datatounnecessaryrisk,”Hallidaysaid.
Duringfiscal year2012, the VA OIG conductedan extensive review of VA ITand issetto release its
findingsthismonth,Hallidaysaid.Amongsome of the findings:keydatabaseswere nottimelypatched
or securelyconfiguredtomitigate knownandunknown informationsecurityvulnerabilities,and
baseline configurationswereinconsistentlyimplementedtomitigatesignificantsystemsecurityrisks
and vulnerabilitiesacrossthe facilities.
In a reviewof the VA’scompliance withthe FederalInformationSecurityManagementAct,Hallidaysaid
the OIG foundthat passwordstandardswere notconsistentlyimplementedandenforcedacross
multiple VA systems,andthatmulti-factorauthenticationforremote accesshadnotbeenimplemented
agency-wide.The FISMA compliance auditalsofoundinconsistentreviewsof networksandapplication
useraccess that resultedin“numerousgeneric,system, andinactiveuseraccounts”thatwere not
removedordeactivatedfromthe system, aswell as“outdatedsecuritymanagementdocumentation.”
“More importantly,we continuetoidentifysignificanttechnicalweaknessesindatabases,servers,and
networkdevicesthatsupporttransmittingsensitive informationamongVA’sMedical Centers,data
centersandVA central office,”Hallidaysaid, blamingthose problemson“inconsistentenforcement.”