The House Veterans Affairs Committee is turning up the heat on the Veterans Affairs Department and how it protects the data of millions of veterans.
Chairman Jeff Miller (R-Fla.) announced today the committee is requiring VA to take several steps to both improve the security of veterans’ data and reassure former service members, and their families, that the agency is protecting their information.
Miller and Rep. Mike Michaud (D-Maine) also sent a letter to VA Secretary Eric Shinseki seeking answers to questions that went unanswered at a recent hearing, including why VA didn’t notify Congress after multiple nation-state attacks and data breaches as required under the Federal Information Security Management Act (FISMA).
The committee is acting more assertively in trying to get answers from VA after a June 4 hearing presented evidence that multiple state actors have infiltrated the agency’s network.
“Our hearing was significant because it was the first time, the very first time, that we were able to get VA to admit its network had been breached, despite repeated requests by our committee for information, despite the fact the IG had said they have problems with their IT systems,” Miller said during a press briefing on Capitol Hill Friday. “This goes directly against a letter that was given to Mr. [Rep. Mike] Coffman when he sent an inquiry to the secretary as to how safe the IT system was in the Department of Veterans Affairs. I’ll just highlight the one line specifically the secretary sent back in his response, ‘To be clear, VA security posture was never at risk.’ We, in fact, know that’s not a truthful statement.”
Additionally, the hearing showed that VA’s efforts to implement network security improvements and ensure the viability of its computer systems continue to be lacking after more than a decade.
“The clues [the state actors] left behind, however, indicate that the data taken contained the personally identifiable information, such as names, birth dates, and Social Security numbers, of an untold number of our veterans and their dependents,” Miller said.
A VA spokesman said the agency is aware of one data breach incident in which data was stolen.
“VA immediately investigated the incident and we believe that no veteran personal information had been exposed to unauthorized individuals. Whenever VA believes that a veteran’s data is potentially put at risk, we offer credit monitoring,” the spokesman said in an email statement. “Out of an abundance of caution, VA Acting Assistant Secretary for OI&T Stephen Warren has referred the matter to our Data Breach Core Team (DBCT) to conduct an independent review of the incident and provide credit monitoring as necessary if the DBCT determines that personal information has been exposed.”
Miller said the committee has asked Shinseki to offer credit monitoring services to every veteran and dependent in its database — more than 20 million in all.
VA had to offer similar services in 2006 when an employee lost a laptop containing the data of 26 million veterans.
“We’re talking about personally identifiable information again, including social securities, birth dates, names, addresses and telephone numbers. VA should do that. People will ask how will they do that?” Miller said. “Certainly there is money that VA can use. I think one of the best ways is probably to look at the money they have been using for bonuses for executives around VA to provide this credit monitoring.”
Coffman (R-Colo.), the chairman of the subcommittee on investigations, which held the cybersecurity hearing, added VA had both a moral and legal obligation to notify veterans, their families and lawmakers.
“The fact is that we don’t know what they took but I believe [VA] had a responsibility to the men and women who served this country to notify them at the point that they knew they were hacked to watch their own financial affairs to make sure nothing was to occur,” Coffman said. “And they failed to be honest with Congress.”
In addition to the credit monitoring services, the committee is conducting interviews with staff who support VA’s networks and systems.
The interviews will include a classified briefing, which Stephen Warren, VA’s acting assistant secretary in the Office of Information and Technology and chief information officer, requested at the hearing earlier this month.
Miller also is encouraging Shinseki to “hold VA leadership accountable for the ongoing failures and unreasonable risks in IT security.”
“If Secretary Shinseki is at all concerned about the integrity of his department, he will, in fact, discipline those responsible who misled him to give him the wrong information where in fact he did mislead Congress by virtue of the facts that were given,” Coffman said.
Miller also wants Shinseki to explain the inconsistencies between VA’s testimony that exposed the nation-state attacks and a May 14 letter that proclaimed VA’s security posture was never at risk.
“Finally, we are asking VA to implement all outstanding inspector general recommendations related to IT security and to conduct an independent review of problems, risks, mitigation plans, execution progress and verification of eventual IT safety and security,” Miller said. “The breach in security of our veterans’ most sensitive data and VA’s conflicting statements as to whether or not its network was hacked are issues the committee does not take lightly.”
The Democrats on the committee, Michaud, the ranking member of the full committee, and Rep. Ann Kirkpatrick (D-Ariz.), the ranking member of the investigations subcommittee, both preached the need to get all the facts first before making any decisions about discipline or blame.
“At this point in time I’d like to get more information from the secretary to better understand what had occurred and what plans the Department of Veterans [Affairs] has to solve these problems,” Michaud said. “When we get the questions from our veterans, we will need to also be able to provide our veterans with complete and honest answers.”