Veterans Affairs officials allowed dozens of contractors, most of whom were not U.S. citizens, to telework and access the VA network from China and India because they could not identify a specific policy forbidding such risky connections, according to a heavily redacted inspector general report obtained by FedScoop.
The report, acquired through a Freedom of Information Act request, details more than a dozen cases involving foreign citizen contractors accessing sensitive parts of the VA network from high-threat locations using private, unencrypted laptops. The incidents stemmed from telework authorizations granted by VA managers from November 2011 through February 2014 — more than six months after a senior VA security official testified before the House Committee on Veterans Affairs about a major infiltration of VA networks by up to eight foreign countries.
Years after suffering a major data breach involving unidentified foreign countries, “VA information security employees still reacted with indifference, little sense of urgency, or responsibility concerning a possible cyber threat incident,” the report states.
One case involved a system administrator who had been born in China and later became a dual citizen of the U.S. and Canada. The employee worked as a subcontractor to Systems Made Simple Inc., or SMS, which administered more than 1,000 VA servers.
In a Jan. 26, 2013, email, the system administrator suddenly requested permission to telework from China because of a death in the family. However, the IG’s investigation revealed that he purchased his airline ticket on Oct. 3, 2012 — more than three months prior to his urgent telework request. VA officials granted the request because nobody could find a specific policy prohibiting access to the VA network from foreign countries deemed a high security risk.
The contractor told the IG that he used a personal laptop he purchased in the U.S. to access VA’s network and that he did not install VA-approved software, such as antivirus protection, a firewall with a VA-approved configuration or encryption. He used the laptop to log into the Citrix Access Gateway — a Web interface that permits VA employees to use nongovernment computer equipment to access the VA network. From there, he logged into his U.S.-based computer before accessing the VA network, which made his connection appear to originate from the U.S.
According to investigators, the contractor obtained Internet access from the local area connection at his parents’ house or a wireless card. “He told us that he purchased the wireless card from a store in China, using it for Internet access, as it was faster and more stable than the connection at his parents’ house,” the report states. The contractor told IG investigators he left the laptop he used in China.
As a system administrator, the contractor had access to all the Austin Information Technology Center’s Unix and Linux servers, including access to the Veterans Benefits Administration data warehouse, corporate applications, health data repository, loan guaranty service, and the My HealtheVet system.
China’s military and intelligence services tightly control and monitor Internet access to and from the country. VA security officials warned of the likelihood that U.S. government contractors and employees would receive increased attention for potential cyberespionage and that open Internet connections were highly likely to be subject to compromise.
The VA IG obtained a spreadsheet detailing at least 300 contractor employees working on the Data Center Acquisitions Transformation Twenty-One Total Technology, or DCAT, contract who had approved telework agreements in place. At least 30 of those contractors were not U.S. citizens. In addition, the IG could not find records of network access for many of them.
“They are from a number of foreign countries, such as India, Cameroon, Netherlands, Pakistan, Jamaica, etc. Considering the volume of potential teleworkers, it was quite possible that some of these contractors also accessed VA’s network internationally,” the report states.
According to investigators, VA officials often approved the telework requests “because they did not find a specific VA policy prohibiting access to VA’s network from foreign countries, even possible cyber-threat countries.” And although two VA employees from the Office of Information and Technology voiced concerns about VA contractor employees working from China and India, those concerns were ignored.
“We should not authorize this action. Why is the contractor traveling to India with a VA laptop?” wrote Gary Stevens, the former VA director of cybersecurity, in an email following a request to telework from India.
A few months prior to Stevens recommending against foreign teleworking, a senior VA manager asked if there were any restrictions on teleworking “outside of the US from the countries of India, China, Pakistan and Africa.” Two days later, the manager sent a followup email in which she assumed silence was consent.
“I have not heard anything further so I’m assuming teleworking from other countries is acceptable … We have an individual planning to travel soon and wants to insure they will be in compliance with VA rules,” the email states.
“Why not?” said one VA employee. “I’ve teleworked from Germany and Costa Rica.”
A flurry of emails followed, with one senior official stating that teleworking from foreign countries was not allowed and another responding with concern that a definitive policy memo was needed because foreign teleworking was “already happening in multiple areas throughout the organization.”
CIO in the hot seat
Once acting Chief Information Officer Stephen Warren was notified that teleworking had been approved for China and India, he issued a verbal order for it to cease, according to the IG.
During an interview with investigators on Feb. 4, 2014, Warren acknowledged that he had not ordered a forensics assessment of VA’s network to determine if there had been any compromise of systems or data because he did not want to interfere with the ongoing IG investigation.
“VA information security employees at all levels failed to quickly respond to stop the practice and to conduct a forensic examination to determine if there was a risk to any VA data as a result of VA’s network being accessed internationally or to mitigate or alleviate any possible compromise to the system,” the report states. The report also states that Warren’s explanation as to why he did not order a security assessment “was not credible” because his staff had been notified of an IG Hotline complaint nearly a year earlier.
“When he learned that VA contractor employees worked remotely from China and India, his only instructions were to cease the practice, as his focus was to determine what ‘the rules should be’ rather than was there any compromise to any VA data,” the report states, referring to Warren. “Had he and other OIT employees taken a more active approach, they would have found that at least one VA OIT employee and numerous VA contractor employees improperly accessed VA’s network from foreign countries on numerous occasions.”
VA did eventually contract with Mandiant, the company known for a 2013 report that documented the activities of a massive Chinese government cyber espionage campaign, to conduct a deep dive analysis of its domain controllers and network boundaries. Mandiant delivered its final report Jan. 10, which concluded that there are “no VA domain controllers with evidence of compromise.”