The Department of Veterans Affairs is still “actively monitoring” its networks for traces of foreign hackers who successfully infiltrated its computer systems in 2010, and officials acknowledge that “certain threat groups may still have access to VA systems using unauthorized user accounts,” according to the agency’s inspector general.
The attack, which made headlines in 2013 and has been attributed to state-sponsored hackers from at least eight different countries, led to an agencywide security effort that lasted more than a year, according to written testimony to be delivered Tuesday to the House Committee on Veterans Affairs by Sondra McCauley, the VA’s deputy assistant inspector general for audits and evaluations. FedScoop obtained a copy of the testimony in advance of Tuesday’s hearing.
Concerns about the continued presence of foreign hackers on VA networks comes on the heels of a Government Accountability Office report released Monday that shows VA cybersecurity officials did not retain forensic evidence related to known network intrusions, including the 2010 nation-state-sponsored attack, and allowed critical vulnerabilities in two key Web applications to go uncorrected for as long as 18 months.
The GAO report and the IG’s testimony will be the basis of Tuesday’s scheduled hearing of the House Committee on Veterans’ Affairs. Lawmakers plan to grill VA Chief Information Officer Stephen Warren and VA Chief Information Security Officer Stan Lowe on the department’s longstanding cybersecurity gaps. Warren acknowledged to reporters Friday that VA has been notified by the IG that the agency’s IT security controls remain a material weakness for the 16th consecutive year. McCauley’s testimony, however, provides the first detailed glimpse of the issues that contributed to VA’s failing evaluation.
“The financial management system uses an unsupported database with several known critical vulnerabilities that cannot be updated with security patches,” McCauley’s testimony states. In addition to software patches not being deployed in a timely manner, the IG also discovered several VA organizations were sharing the same networks and data centers with organizations that were not under VA’s central control and “often had critical or high-level vulnerabilities that weakened the overall security posture of the VA sites.”
“We continue to identify significant technical weaknesses in databases, servers, and network devices that support transmitting sensitive information among VA Medical Centers, Data Centers, and VA Central Office,” McCauley’s written testimony states. “For FY 2014 we once again found deficiencies where control activities were not appropriately designed or operating effectively. It is particularly disconcerting that a significant number of vulnerabilities we identified at VA data centers are more than 5 years old.”
McCauley also plans to tell the committee Tuesday that VA faces new, emerging security challenges that the IG has not identified in previous audits, including the movement to cloud computing and the increasing threat posed by foreign nation-state hackers. According to the IG, VA entered into a contract last year to move more than 600,000 email users to a private cloud service. But the contract did not include a clause allowing the IG to access VA systems and data, effectively blocking the IG from conducting legal oversight and investigations.
The IG is also investigating multiple whistleblower reports to the IG hotline, including accusations that VA was hosting medical devices containing sensitive patient information “that are not effectively protected from unauthorized access,” as required by VA’s Medical Device Isolation Architecture. The IG is also investigating claims that VA was misrepresenting information in preparation for the fiscal year 2014 security audit.
Sources on Capitol Hill told FedScoop that lawmakers are running out of patience with VA’s inept handling of critical security incidents that are known to have compromised veterans’ data, including a “significant” attack that occurred in 2012 and involved government-backed hackers in China and possibly Russia. According to the GAO study, although VA security operations center documented the actions it had taken to eradicate the foreign hacker threat, VA cybersecurity officials could not locate the forensics analysis report or other materials related to the incident.
“Officials explained that digital evidence was only maintained for 30 days due to storage space constraints. As a result, we could not determine the effectiveness of actions taken to address this incident,” the GAO report states. “In addition, VA has not yet addressed an underlying vulnerability that contributed to the intrusion,” GAO said. Although VA had planned to deploy a solution in February that would have corrected the weakness, it had not yet done so at the time of the GAO’s review. Auditors concluded VA’s networks remain vulnerable to similar incidents.
Meanwhile, a VA official who spoke to FedScoop on background said shortly after news broke of the nation-state hack into VA’s active directory domain controller, VA contracted with Mandiant to conduct a security audit. Mandiant, the company known for a 2013 report that documented the existence and activities of a massive Chinese government cyber espionage campaign, delivered a preliminary report to VA on Friday. The VA official said the report verifies the steps VA took in response to the attack and concludes the domain controller is no longer compromised.
As of May 2014, the 10 most prevalent critical security vulnerabilities at VA involved software patches that had not been applied, according to GAO. In some cases, these patches had been available for almost three years before being deployed. And due to multiple occurrences of each of the 10 missing patches, the total number of vulnerable systems ranged from 9,200 to 286,700, GAO said.
“At the end of our audit, VA officials told us they had implemented compensating controls, but did not provide sufficient detail for us to evaluate their effectiveness,” the GAO report stated. “Without applying patches or developing compensating controls, VA increases the risk that known vulnerabilities could be exploited, potentially exposing veterans’ information to unauthorized modification, disclosure, or loss.”
In a statement emailed to FedScoop, Warren said: “Veterans’ information is well protected because we put mitigating controls in places where we can best simultaneously protect Veterans’ information and not impede our ability to provide timely health care that they have earned and deserve.” Warren also said VA, like other large agencies, records a significant volume of threats, but VA’s “security posture is successfully keeping Veteran information safe, and as we believe that IT security is an evolving process, we’re always striving to improve.”