The Department of Veterans Affairs allowed contractors to access the agency’s network using personally owned laptops while traveling abroad in China and India, according to a federal inspector.
In one instance, a Chinese-born Teksystems contract employee worked on an unencrypted U.S.-bought computer that did not carry VA-sanctioned security software or settings. He then left the machine in China, VA Assistant Inspector General for Investigations James O'Neill said in a newly released redacted assessment.
"VA information security employees at all levels failed to quickly respond to stop the practice and to conduct a forensic examination to determine if there was a risk to any VA data as a result of VA’s network being accessed internationally or to mitigate or alleviate any possible compromise to the system," the 39-page blistering report on management's mishandling of the incident states.
The unidentified subcontractor used his laptop daily, from Jan. 29 to Feb. 17, 2013, to visit websites and access email. He worked on files back at his home office, VA's Austin Information Technology Center, through a local connection in his parents' house or a wireless card purchased in China, according to the report.
The employee, who holds U.S. and Canadian citizenship, provides financial support to his family in China. He was able to log in to VA’s network through a Citrix remote access tool.
Many of the names of contractors and federal employees involved in the breaches are blacked out in the report. However, the investigation singles out a few officials, including Chief Information Officer Stephen Warren and John Killian, director of VA’s Network Security Operations Center.
Since 2010, "uninvited visitors," including Chinese hackers, have toured the VA's networks, a fact which Warren was aware of, according to the new investigation and June 2013 congressional testimony.
The employee working from China in 2013 had administrator-level access to data in the "My HealtheVet” medical records system and the Veterans Benefit Administration, including agency corporate applications. The contractor at the heart of the latest report said his responsibility was restricted to maintaining the center's servers and denied having access to any personal information contained in the systems.
His work was part of a multiyear $715 million IT project awarded to prime contractor Systems Made Simple, according to the inspector.
"He did not sanitize the hard drive of the personal computer he left in China," in violation of the contract's terms, O'Neill said.
In a separate incident, an unnamed Indian citizen employed by SMS teleworked from his parents' home in India, using his own laptop brought over from the United States and a local connection. To access the VA's network, the contractor used the Citrix tool. He too did not install VA-approved security software and did not ensure the computer was encrypted.
The employee, who held a U.S. work visa, accessed the system daily from May 6 to June 3, 2013.
VA, over the years, has earned a dubious distinction for losing patient records stateside. There was a 2006 theft of VA computer equipment containing personal information on about 26.5 million veterans and active duty members. And in 2011, the theft of backup computer tapes containing sensitive health information of 4.9 million Military Health Care System TRICARE beneficiaries triggered a class action lawsuit.
In the new report, O’Neill does not mince words calling out management for negligent security practices.
"Warren’s assertion that he did not want to take any action when he learned of the foreign remote access so as to not interfere with any efforts by OIG was not credible, as OIG Hotline initially referred this matter to those within his chain of responsibility to address in early February 2013," right after the first employee returned from China, the inspector said.
Killian was instructed to shut down remote access from outside the United States in late fall or early winter 2013, but "we found that it continued after he gave those instructions," O'Neill said.
Also, Warren did not ensure VA Chief Information Security Officer Stanley Lowe and Deputy CIO Art Gonzalez performed an assessment, as directed, to find out “if there was a likely exposure of data,” he said.
New IT Chief Poised to Take Over
The report recommended VA consider taking administrative action against Office of IT employees involved in the situation and action against SMS.
On Wednesday, a department spokesman said in an email that VA officials “look forward to confirmation of LaVerne Horton Council, who President Obama nominated on March 19, to be an assistant secretary of information and technology," better known as the VA CIO.
Council, a former CIO of multinational pharmaceutical company Johnson & Johnson, would be the second top VA official recruited from the private sector in recent months. The new VA secretary, Robert McDonald, joined the department from Procter & Gamble. In response to a series of 2014 reports revealing delayed patient treatment at VA medical centers, McDonald called for a retooling of the department.
"VA has already begun work to address OIG's recommendations in addition to clarifying policy and implementing technical controls," the spokesman added.
On Jan. 15, VA issued a memo prohibiting anyone from accessing the department's network when in non-NATO countries, except nations where VA has an established presence.
"VA also blocks access to websites and network connections to certain countries, and inbound and outbound traffic is also blocked on a country-by-country basis," another department official said in an email Wednesday.
SMS could not immediately be reached.
A veteran Navy cyber official said some VA data accessed from China likely was breached, as the trip coincided with ongoing Chinese cyberspy operations.
“There were and are several espionage campaigns, especially from the Chinese government, targeting U.S. government departments,” retired Navy Intelligence Officer Tom Chapman said. “It is likely that these individuals’ credentials were compromised, since China maintains strict control of its Internet.”
Chapman, now a director at cyber firm EdgeWave, added that VA’s cyber vulnerabilities extend far beyond its telecommuting approach.
“A plethora of known issues still haven’t been fixed from five years ago,” and the “VA has many systems that cannot receive security updates or patches,” he said. “Accessing the VA system from places like India and China is a risk that should be avoided for a system that has so many weaknesses already.”
(Image via dencg/ Shutterstock.com)