Congress turns up heat on VA data breaches

The congressional investigation into the Department of Veterans Affairs IT security protocols has ramped up after VA officials gave inconsistent explanations for at least nine state-sponsored data breaches since 2010 that potentially put at risk the private information of more than 20 million veterans and their families.

The House Veterans Affairs Committee has directed six formal inquiries to VA's Office of Information and Technology since Oct. 23, totaling more than 100 predominantly yes-or-no questions concerning routine IT security practices and standards mandated by federal law, including the Federal Information Security Management Act (FISMA).

Rep. Mike Coffman (R-Colo.), chairman of the Subcommittee on Oversight and Investigations, demanded VA responses to all six inquiries by Nov. 14.

VA's recent track record for responding to congressional inquiries has been poor. According to one Capitol Hill official familiar with the investigation, VA has 111 outstanding information requests dating back to June 2012.

The latest batch stems from revelations that multiple actors have compromised VA computer networks since March 2010, with VA officials unable to determine what information was exposed because the agency failed to comply with FISMA.

Some of the apparently breached systems contained unencrypted personally identifiable information regarding veterans and their dependents. Committee Chairman Jeff Miller (R-Fla.) and ranking Democrat Mike Michaud of Maine called that a "disturbing revelation" in a letter to VA Secretary Eric Shinseki after a June 4 hearing that saw VA officials provide conflicting information about the degree and nature of the breaches.

A source within VA OIT told FCW that no veteran's personally identifiable information, such as names or Social Security numbers, was exfiltrated during any intrusion attempts.

The source, who spoke on condition of anonymity, said the only compromised data appears to be "domain server information" that resulted in "somebody swiping IP [addresses] and passwords for system administrators, which resulted in immediate shutdown."

"There are intrusions and there are intrusion attempts. Not all intrusion attempts result in a breach of data," the source said, attributing some of Congress' renewed investigatory vigor to a miscommunication of definitions.

"This is no repeat of the 2006 incident," the source added. In that incident, someone stole a VA laptop from a VA employee's home. The theft potentially exposed personal information, cost the agency tens of millions of dollars and led to the creation of the VA's Data Breach Core Team, which investigates data breaches and determines whether the agency will offer credit monitoring services to veterans in suspected breaches. The agency offered credit monitoring to 16,000 veterans in 2012, but a breach of every veteran's personal data could cost the agency hundreds of millions of dollars in credit monitoring alone, the source said.

Congress' dogged interest has created a "stressed environment" within OIT, where only about 20 of its 8,000 employees are compiling responses to the inquiries, according to the source. Many questions posed by Congress to VA contain sub-questions or require documentation, "making it more like 500 or 600 questions." The source said the agency is tackling the easier questions first in an effort to respond by the approaching deadline.

The source said the inquiries have added turmoil to a department that recently returned half its workforce from government shutdown and has a history of well-documented problems.

"It's another full-time job for a lot of folks, and the anticipation in submitting these questions is that it will beget more and they'll come back until they get a 'gotcha,'" the source said.

The Hill official familiar with the probe says the intention is not to burden the agency but to get answers to questions that should not be unfamiliar to any large IT organization. "These inquiries aren't meant to create extra work for VA. They are meant to make sure the agency is adhering to the laws, standards and guidelines they should already be doing," the Hill source said.

VA did not respond to multiple requests for comment.

Reader comments

Tue, Nov 5, 2013

This is in response to the post asking how much evidence is there with respect to anyone suffering substantive harm. The mere asking of that question, IMO, shows a real lack of knowledge of cyber theft. Tying actual identity theft to the individual/entity that actually performed the data breach is very difficult and if the actor is indeed a foreign nation then it’s nearly impossible. If this poster is a government employee that individual seriously needs to reconsider their commitment of service to the nation’s citizens and, more importantly, the veterans of this country. The real issue is whether or not the VA systems were breached, if they were then how many breaches and what data was actually taken. These are simple questions and if VA officials needed more time to gather information then go back to the office, cull through the data and answer the questions. If you want to act like Stephen Warren and Stan Lowe and try to avoid answering questions, then expect a massive amount of detailed questions that are designed to get to the root of the problem. As they say, we can either do it the easy way or the hard way, but either way it’s going to get done. Now to the facts: Jerry Davis indicated that there were eight or nine intrusions, either Jerry was correct or he wasn’t, but it shouldn’t take the VA five months to prove he was wrong if in fact he was. Additionally, ignoring Congress is arrogant, you might not like or agree with our elected officials but they are the only individuals that represent the citizens and veterans of this country so please, do all of us a favor and either answer the questions in a timely manner or find a new line of work. And stop patronizing us by stating what an honor it is to serve veterans, just do it!!! Personally your honor is not what I am looking for, it’s how you perform your service in an honorable way that counts.
Finally, I didn’t have a choice with respect to the VA storing my private information so please respect my insistence on protecting it and you can start by answering our questions.

Tue, Nov 5, 2013

How much evidence is there that data breaches of these sorts actually result in any harm to anyone? I see many reports of data breaches, but few (perhaps no) reports of anyone suffering substantive harm.

Tue, Nov 5, 2013

This story is missing soooooooo much! Why don't you dig deeper into the core root causes and stop just giving us surface level stories. Push for job loss to those managing this chaotic government agency.
