The Veterans Affairs Department has done little over the last two months to satisfy House lawmakers’ concerns about the security of the data of more than 20 million veterans.
The department also is under pressure for more details about the extent of “repeated compromises” of VA’s network by nation states.
The rising tensions between the House Veterans Affairs committee’s majority and VA come as a report surfaced showing veterans are at a higher risk of identity theft than the average citizen.
Federal News Radio obtained a December 2012 report by ID Analytics showing veterans near military bases in Alaska, New York, Colorado, Ohio and Kentucky have a higher risk ratio for identity theft than non-veterans in the same areas. ID Analytics focuses on consumer risk management through the use of analytics and real-time insight into consumer behavior,
A House Veterans Affairs Committee staff member said the committee knew about the report and it is one of the main reasons for the continued pressure on the department to answer questions about how it’s protecting the veterans’ data.
The committee’s frustration with VA’s answers boiled over at a July 12 briefing with House and Senate Veterans Affairs committee staff members, VA IT executives and Homeland Security Department.
Stephen Warren, VA’s acting assistant secretary for Information and Technology and chief information officer, failed to provide answers to satisfy some staff members, multiple sources confirmed.
“The meeting was of little to no value and did not serve its intended purpose,” said a House Veterans Affairs Committee staff member. “DHS and Warren spent the bulk of the hour long meeting providing a broad 40-minute overview of nationwide cybersecurity challenges.” Sources confirm Eric Hannel, the subcommittee on oversight and investigations staff director, walked out of the meeting with about 10 minutes left after his questions to VA officials about how they are protecting agency networks were repeatedly not answered to his satisfaction.
The House VA Committee staff member would not confirm Hannel walked out of the meeting.
But they say one of the most important questions they wanted Warren to answer during the meeting was, “How many times has VA’s system been hacked within the last year?”
The staff member said Warren would not answer the question directly.
An internal memo written by Matt Santos, a congressional relations officer at VA, obtained by Federal News Radio, stated, “Before Mr. Warren could complete his presentation HVAC staffer Eric Hannel abruptly began asking pointed questions regarding vulnerabilities in public facing websites that contain Veteran [personally identifiable information] PII, numbers of applications scanned for vulnerabilities, and Windows 7 patches. Most notably, Mr. Hannel claimed that he can use tools ‘available on the Internet’ to get behind VA’s websites to access PII for millions of Veterans. Mr. Warren requested clarity regarding the vulnerabilities to allow VA to fix existing problems Mr. Hannel had recognized. Mr. Hannel would not give any details but repeatedly requested that Mr. Warren admit that he knows the vulnerabilities. The exchange ended with Mr. Hannel walking out of the room claiming that VA had ‘wasted’ his time by hiding the truth.”
The House VA committee staff member said the committee had someone at the meeting the entire time.
A VA spokesperson wouldn’t comment on the meeting or the ID Analytics report, but said in an email, “The Department of Veterans Affairs treats the protection of Veteran and other sensitive information with the utmost care. Over the past decade, VA created an information protection program in response to both exposures and increasing cyber risks from all fronts, internal and external. VA has embarked on a cultural transformation with respect to protecting VA information. This transformation is similar to how healthcare accrediting bodies have shifted away from predictable audit schedules and pre-defined checklists toward longitudinal reviews of how policy is defined, supported, communicated, implemented, monitored and improved.”
Senate Veterans Affairs Committee staff members also attended the briefing.
A spokesman for the majority side said, “We are trying to put together something with [ranking member] Sen. [Richard] Burr’s staff to get more information from VA on cybersecurity.”
The spokesman wouldn’t offer more details about the committee’s plans.
The briefing with both committees came after Warren asked for a closed door meeting to discuss the nation state attacks first exposed at the June 4 hearing before the House VA committee.
This was at least the third meeting this year between VA and the House committee staff about the agency’s cybersecurity challenges.
The House committee staff member said lawmakers still are waiting for a response from the agency to a June 13 letter sent to VA Secretary Eric Shinseki asking three questions about what lawmakers believe is VA’s inability to be forthcoming about the cyber attacks.
“VA leadership recognizes that information security goes beyond information technology and has put measures in place to protect Veteran information and ensure that every VA employee and contractor is trained in their role in protecting that data,” the VA spokesperson said. “All organizations, including federal agencies, face constantly evolving cybersecurity threats. VA aggressively combats such threats through a multi-layer approach of technical controls, managerial controls, internal reviews, deployment of continuous monitoring tools, outside reviews from VA’s independent Office of Inspector General and collaboration with U.S.-Computer Emergency Readiness Team (US-CERT). VA, and all federal agencies, report cybersecurity incidents to the US-CERT in accordance with US-CERT guidelines.”
The committee and former VA officials allege that the agency isn’t doing enough to protect veterans’ data.
Before the June 4 hearing, letters to the Hill obtained by Federal News Radio allege VA is shortcutting its accreditations and authorizations (A&A), which previously were known as certifications and accreditations (C&A), process for its IT systems. VA’s former Chief Information Security Officer Jerry Davis alleges the agency’s process is flawed and is putting data and systems at a higher risk.
The ID Analytics report supports the allegations that veterans data is at greater risk.
The report reviewed two databases containing the personal information of more than 20 million veterans. Sources say VA has been receiving reports from ID Analytics since it lost the laptop with the data of 26 million veterans in 2006.
An email to ID Analytics asking for comment on the report was not immediately returned.
The reports showed veterans “have substantially higher alert rates than the non- veteran population. This indicates a higher level of activity in the marketplace for the veteran population, which could indicate higher risk of identity misuse.”
ID Analytics found credit card fraud is the most common way the criminals use the stolen identity.
ID Analytics also recommended VA take eight steps including reviewing log files to see if employees are stealing identities and selling them to criminals, investigate VA facilities within 20 miles of reported misuse and compare the data of veterans who say they were victims of identity theft with data provided in the report, and provide any matches with a higher degree of protection.
The company suggested to VA that it consider offering “individualized assistance to affected veterans,” which could include credit monitoring, identity monitoring, fraud alerts or credit freezes.
The House committee staff member didn’t say what the next steps chairman Jeff Miller (R-Fla.) would take to ensure VA is doing more to protect the data of veterans.