For two hours yesterday, members of the House Veterans' Affairs Committee poked and prodded a slew of Department of Veterans Affairs officials over glaring information security weaknesses that potentially put millions of veterans’ personal information at risk of exposure.
The hearing revolved around data breaches purportedly by foreign entities, VA’s perceived lack of action in patching various software and making security fixes recommended by the Government Accountability Office, and the government’s overall issues improving its security posture before one congresswoman summed up the situation with a simple question.
“Are veterans’ information in my district secure today?’" asked Jackie Walorski, a first-term Republican from Indiana.
She directed her question to VA Chief Information Officer Stephen Warren, the highest-ranking VA official at the hearing.
“Every day, I get a new patch,” Warren said. “We will never be patched. Every day, industry is finding new ways that things can be exploited.”
Walorski also asked how long it would take to patch VA systems enough to prohibit foreign adversaries from accessing records, and how VA could conceivably ever connect with Defense Department systems if its systems remain so vulnerable.
There were no easy answers and none that could fully placate committee members.
Warren later clarified his remarks to state that he feels VA’s domain controllers are secure, in accordance with a recently completed third-party audit of its systems.
Auditors: VA Lax in Patching Software
Yet, Warren’s statement illustrates how challenging it is for large government organizations to protect their networks against intruders and respond appropriately when problems occur. Most of government is little more than marginally better in responding to cyberincidents.
And as Warren alluded, VA has 300,000 employees who could accidentally click one phishing email and contribute to a major network problem.
VA, however, hasn’t helped the situation – either on its backend systems or in the public spotlight. It has failed to adhere to countless recommendations by GAO, the VA inspector general or repeated criticism by committee members themselves.
For example, VA failed to implement “10 critical software patches” that had been available for up to 31 months, despite the agency itself mandating they be implemented within 30 days. Multiple occurrences of each missing patch – from 9,200 to 286,700 workstations – were documented, and each patch addressed an average of 30 security vulnerabilities.
“The bottom line is that once you identify patches, you need to apply them,” said Greg Wilshusen, director of information security issues for GAO. “They didn’t address priorities they were supposed to address.”
VA Fails FISMA Compliance
VA also failed to fully comply with the Federal Information Security Management Act – as it has failed to do for the past decade and a half. Sondra McCauley, VA’s deputy assistant inspector general, suggested VA’s continuing issues are likely to persist.
“The ongoing concern, from year to year, is we continue to issue recommendations for improvement, and many [issues] just continue to carry forward,” she said. “There are 35 from last year; most of them will carry forward into the report for fiscal 2014. We continue to see deficiencies across control areas.”
Warren said his team worked hard to address IG recommendations.
"I'm disappointed that in spite of the significant efforts by our employees over the past year that the OIG maintained an IT material weakness,” Warren said. “I'm committed to redoubling our efforts to put in place the processes and disciplines to address these issues, building upon the extensive layered, in-depth strategy that we already have in place."
CIO Pumps More Funding Into Cyber
To attempt to right the ship, Warren announced he directed an additional $60 million “to be added to our information security efforts this year.”
“This will provide additional resources to our facilities, to implement configuration management, as well as vulnerability remediation,” Warren said. “In February, we’ll re-evaluate and if significant progress is not being made, additional resources will be applied. We believe we are taking responsible action to deal with these persistent threats.”
Among the 24 largest federal agencies, VA is one of seven to report IT security as a material weakness in fiscal 2013. Across the board, 11 other agencies reported significant deficiencies. Wilshusen said IT security has been a “governmentwide risk area” since 1997.
“It’s a problem that touches beyond VA and extends to many other agencies,” he said.
VA, however, is among the largest agencies in government and directly responsible for the well-being of nearly 20 million veterans.
Committee members appeared far from satisfied with the answers they received.
“The findings presented here continue to reinforce the fact that the personally identifiable information of millions of veterans still remains at risk,” Walorski said.