Watchdog: VA Still Not Doing Enough to Address IT Vulnerabilities

The Phoenix VA Health Care Center.

The Phoenix VA Health Care Center. Ross D. Franklin/AP File Photo

VA information security weaknesses are again in the crosshairs of the House Veterans Affairs Committee.

The Department of Veterans Affairs information security weaknesses are again in the crosshairs of the House Veterans' Affairs Committee.

Ahead of congressional testimony before the committee Tuesday, a Government Accountability Office report and prepared testimony by VA officials and the agency’s internal inspector general detail how the agency has failed to fully address a slew of previously identified vulnerabilities.

One of the most damning findings from auditors concerns the steps VA took to handle a network intrusion in 2012, shortly before the Office of Information Technology disclosed that external espionage groups had been infiltrating VA networks since 2010.

While the agency analyzed the incident and documented the actions it took, it was unable to produce a forensic analysis report of the incident to show its actions were effective, according to GAO.

In addition, VA still “has not addressed an underlying vulnerability” that allowed the intrusion to take place, according to GAO, meaning increased odds of a similar event occurring through the same kind of attack.

The GAO report also suggests VA’s policies hinder its Network and Security Operations Center – or NSOC – from policing activity logs on the agency’s networks. In turn, that prevents the agency from knowing whether incidents have been appropriately addressed.

The issues were not limited to the 2012 network intrusion, either. The security center later identified vulnerabilities in two key Web applications used by the agency, according to GAO. But VA “did not develop plans of action and milestones for correcting the vulnerabilities.”

In other words, the agency knew about the flaws, yet did next to nothing to mitigate them.

Employee Laptops a Major Source of Vulnerabilities

Employee-used workstations and laptops were the source of other major vulnerabilities VA didn’t properly address.

According to GAO, “10 critical software patches,” available for up to 31 months, were not applied to workstations despite VA policies mandating such patches be applied within 30 days.

“There were multiple occurrences of each missing patch, ranging from about 9,200 to 286,700, and each patch was to address an average of 30 security vulnerabilities,” the report stated.

VA decided not to apply three of the 10 patches until it could test their impact on its applications. However, VA did not document compensating controls or plans to migrate to systems that support up-to-date security features.

“Until VA fully addresses previously identified security weaknesses, its information is at heightened risk of unauthorized access, modification and disclosure and its systems at risk of disruption,” the report stated.

In prepared testimony, Sondra McCauley, VA’s deputy assistant inspector general, noted IT controls have appeared as a “material weakness” in annual Federal Information Security Management Act audits for the past 15 years.

“It is particularly disconcerting that a significant number of vulnerabilities we identified at VA data centers are more than five years old,” McCauley said. “In addition, inconsistent application of vendor patches designed to address such weaknesses jeopardize the data integrity and confidentiality of VA’s financial and sensitive information.”

VA CIO: Human Error Contributes to Vulnerabilities

Prepared remarks by Stephen Warren, VA's chief information officer, focused on the department’s positives in 2014.

The department, he said, became the first cabinet-level agency to employ continuous monitoring, improved its posture relative to FISMA auditing and improved its cybersecurity efforts.

Warren, who heads VA's IT efforts, said VA’s biggest vulnerability “is not technical,” but rather that physical exposure of VA data “is the most significant risk facing our information security posture.”

Phishing links, lost electronic devices and mailing sensitive records to the wrong individual account for a large portion of human-based risks at VA, which employs some 300,000 people.

“Over 98 percent of the sensitive data exposure at VA is due to paper or human error-based incidents," Warren testified. "Network and system safeguards are not technical absolutes – we must constantly remain vigilant in preventing human error."

Moving forward, the OIG statement notes emerging IT security concerns at VA, including VA’s implementation of production systems with temporary authorities to operate; VA’s cloud computing use; personally identifiable information transferred over unsecure Internet connections and foreign hackers.

“IT shortfalls mean not only exposure of millions of veterans to potential loss of privacy, identity theft, and other financial crimes, they also constitute poor financial stewardship of taxpayer dollars,” McCauley said.

Data Breaches on the Rise Across Federal Networks

The GAO report is particularly enlightening considering the depth and breadth of VA’s IT failings in the past, having once had to pay $20 million to veterans for exposing them to identity theft in 2006 via a stolen laptop.

VA systems contain personally identifiable information, or PII, for close to 20 million veterans, and while the agency offers free credit monitoring for veterans in the event of a data breach, that’s a reactive measure.

Still, VA’s troubles are indicative of agencies across government. According to an April GAO report, data breaches reported across the federal government have increased in recent years, reaching 25,566 incidents in 2013.

When breaches do occur, agencies are only able to demonstrate they took the correct steps in response to a cyber-incident about 65 percent of the time