Widespread Use of Yammer Social Network at VA Ran Afoul of Agency Rules, Watchdog Says

Updated Aug. 21 to include comment from VA

A well-meaning effort by Department of Veterans Affairs leaders to fuel productivity and cooperation through workflow tool Yammer ran afoul of department regulations and at times devolved into agency bashing and the potential for data breaches, according to an internal probe.

Steph Warren, the former VA chief information officer, endorsed a free version of Yammer in 2013, even though use of the business social network was unapproved under VA rules. He had been a registered VA Yammer user since May 2011.

In June 2013, Warren even hosted an open chat session on Yammer. He began by stating: “Before I take questions, I want to stress that I am committed to strengthening transparency as we work together to become the best and most secure IT product and service delivery organization,” according to a redacted copy of the probe that was released Thursday.

The investigation examined the department's unapproved and insecure use of Yammer, a popular collaboration forum. Anyone with an email address ending in "va.gov" could participate in the online community, including employees and contractors 

Many companies pay for an enterprise version of the service that allows tighter regulation of interoffice communications. The Obama administration has negotiated a terms of service agreement with Yammer for a service compatible with federal policies, but it is not necessarily applicable to every agency.

At VA, officials said they did not believe the advantages of administrative controls and central monitoring were worth the $30 cost per user at the time.

As of Aug. 3, about 50,000 VA email addresses were registered on Yammer, with half of those being active VA Yammer members.

Any user potentially could upload sensitive information -- a risk that became reality in at least one instance.

A member replied to another user’s post, “Please DELETE the .pdf with the IP address IMMEDIATELY! IP addresses are VA protected information and may NEVER be posted in a public place – even if only VA public. If necessary to put in an email the email should be encrypted. This is a security violation. Thank you!” The file was deleted within 24 hours.

VA guidance states that employees "should never download or share files, videos, or images to a VA computer through social networking sites," Assistant IG for Investigations Quentin Aucoin said in the probe.

Another problem with Yammer, for the government, is the ability to create private "group" pages so managers cannot screen or regulate the content of posts. Investigators were only able to examine public groups during the recent audit.

The 584 members of one public group, titled "GEEK Jokes," posted some off-color analysis and advice, including a photo article called “10 Tricks to Appear Smart in Meetings,” an illustrated photograph titled “What your style of beer says about you” and an illustration of a lunch group with text depicting this conversation: “Isn’t weed just for reggae, Like, if you want it to sound good?”

One employee, in clear violation of VA guidelines, posted a visual with screenshots detailing what he thought was a way to circumvent the department's email encryption technology. 

“Figured out how to copy the [Personal Identity Verification (PIV) Public Key Infrastructure (PKI)] Certificate to windows if a card is lost or not working[;] all the email encrypted with the certificate can still be accessed without the card,” a note describing the attachment read.

Investigators tried out the instructions and found that the process actually did not work.

Some exchanges inside the social network denigrated VA culture and policies, at a time when the department is suffering backlash amid allegations of excessive patient waits and claims backlogs: 

Here's the exchange highlighted by the IG: 

User 1: I’m beginning to suspect the reason for a lot of VA backlogs is the constant need to create new and even more complex passwords, seemingly every five minutes.

User 2: Now VOIP phones require a 12 character password and change every 90 days. Was there a risk assessment done that determined there is a high threat of someone logging into my phone?

User 3: When in doubt let’s go to the Extremes!...The mentality is Shoot First, Aim later…

The business version of the tool can be policed to avoid such rants. An administrator can also delete users who are no longer authorized employees and moderate conversations, for example.

The investigation was based on interviews with Veterans Health Administration Technology Director William Cerniuk, contractors and other employees, as well as a review of emails, Yammer posts and federal policies, among other public documents. 

“The free [version] was good enough," Cerniuk told investigators, when asked why the department didn't pay for the upgrades that would have allowed administrators greater control over the social network, according to the report.  

He acknowledged the paid model provided better security. The enhanced version "would give us the ability to manage our network directly and own it as an administrator," he said, according to the report.

Cerniuk told investigators he was concerned employees might upload information to the site that included personally identifiable information or protected health information. He did his best to examine uploads, “but obviously that’s not part of my overall job. So it’s very difficult for me to take that on as a full responsibility.”

Cerniuk was one of the first three employees to register for Yammer access and said his staff began using Yammer in early 2012.

The Office of Public and Intergovernmental Affairs, the final approving authority for all VA social media sites, such as Yammer, apparently did not sign off, however.

Megan Maloney, the office's director of digital media engagement, said the office had “not approved terms of service for the use of Yammer within the VA system,” according to the report. She said that “in order for [Yammer] to be an official VA social media channel, we need to have VA negotiated terms of service. We have negotiated nearly a dozen terms of service in the last 2 years. Yammer is not one of them.”

Reacting to a draft report, VA Chief of Staff Rob Nabors said in a July 28 letter that department officials will address the issues raised by internal investigators.

Official will determine "whether and within what parameters VA Yammer should be approved for VA use,” he said.

In addition, officials will consider appropriate administrative actions against specific VA employees who involved in the inappropriate Yammer use, "including but not limited to administrative investigations, disciplinary actions, and/or training,” Nabors said.

It is expected the Yammer matters will be handled by Oct. 1, IG officials said.

When Nextgov asked VA officials for an update on the department's use of Yammer, officials on Thursday evening said they are still considering next steps.

"We will work diligently to address the issues their report raised," a VA spokesman said in an emailed statement. "The department is reviewing whether and within what parameters VA Yammer should be approved for VA use and explore options for clarifying the parameters of appropriate use of Web-based collaboration technologies through updated policy issuances, training, and communication strategies."

As for administrative actions against personnel, VA is also still deciding what to do. "The department is reviewing all available evidence with respect to inappropriate use of VA Yammer by specific VA employees to determine appropriate administrative actions," the statement said.

(Image via Mark Van Scyoc/ Shutterstock.com)