Congress turns up heat on VA data breaches

The congressional investigation into the Department of Veterans Affairs IT security protocols has ramped up after VA officials gave inconsistent explanations for at least nine state-sponsored data breaches since 2010 that potentially put at risk the private information of more than 20 million veterans and their families.

The House Veterans Affairs Committee has directed six formal inquiries to VA's Office of Information and Technology since Oct. 23, totaling more than 100 predominantly yes-or-no questions concerning routine IT security practices and standards mandated by federal law, including the Federal Information Security Management Act (FISMA).

Rep. Mike Coffman (R-Colo.), chairman of the Subcommittee on Oversight and Investigations, demanded VA responses to all six inquiries by Nov. 14.

VA's recent track record for responding to congressional inquiries has been poor. According to one Capitol Hill official familiar with the investigation, VA has 111 outstanding information requests dating back to June 2012.

The latest batch stems from revelations that multiple actors have compromised VA computer networks since March 2010, with VA officials unable to determine what information was exposed because the agency failed to comply with FISMA.

Some of the apparently-breached systems contained unencrypted personally identifiable information regarding veterans and their dependents. Committee Chairman Jeff Miller (R-Fla.) and ranking Democrat Mike Michaud of Maine called that a "disturbing revelation" in a letter to VA Secretary Eric Shinseki after a June 4 hearing that saw VA officials provide conflicting information about the degree and nature of the breaches.

A source within VA OIT told FCW that no veteran's personally identifiable information, such as names or Social Security numbers, was exfiltrated during any intrusion attempts.

The source, who spoke on condition of anonymity, said the only compromised data appears to be "domain server information" that resulted in "somebody swiping IP [addresses] and passwords for system administrators, which resulted in immediate shutdown."

"There are intrusions and there are intrusion attempts. Not all intrusion attempts result in a breach of data," the source said, attributing some of Congress' renewed investigatory vigor to a miscommunication of definitions.

"This is no repeat of the 2006 incident," the source added. In that incident, someone stole a VA laptop from a VA employee's home. The theft potentially exposed personal information, cost the agency tens of millions of dollars and led to the creation of the VA's Data Breach Core Team, which investigates data breaches and determines whether the agency will offer credit monitoring services to veterans in suspected breaches. The agency offered credit monitoring to 16,000 veterans in 2012, but a breach of every veterans' personal data could cost the agency hundreds of millions of dollars in credit monitoring alone, the source said.

Congress' dogged interest has created a "stressed environment" within OIT, where only about 20 of its 8,000 employees are compiling responses to the inquiries, according to the source. Many questions posed by Congress to VA contain sub-questions or require documentation, "making it more like 500 or 600 questions." The source said the agency is tackling the easier questions first in an effort to respond by the approaching deadline.

The source said the inquiries have added turmoil to a department that recently returned half its workforce from government shutdown and has a history of well-documented problems.

"It's another full-time job for a lot of folks, and the anticipation in submitting these questions is that it will beget more and they'll come back until they get a 'gotcha,'" the source said.

The Hill official familiar with the probe says the intention is not to burden the agency but to get answers to questions that should not be unfamiliar to any large IT organization. "These inquiries aren't meant to create extra work for VA. They are meant to make sure the agency is adhering to the laws, standards and guidelines they should already be doing," the Hill source said.

VA did not respond to multiple requests for comment.