Foreign governments are hacking into Department of Veterans Affairs computers and gaining access to sensitive personal information about millions of veterans, VA employees and their families, the agency's former head of cyber security are testifying today in a congressional hearing.
At least eight different state-sponsored organizations have breached the security of VA data networks since at least March 2010, said Jerry Davis, who until February was the chief information security officer at VA.
"I learned that these attackers were a nation-state sponsored cyber espionage unit and that no less than eight different nation-state sponsored organizations had successfully compromised VA networks and data, or were actively attacking VA networks, attacks that continue at VA to this very day," David said in written testimony.
Davis is scheduled to testify in front of the House Veterans Affairs Subcommittee on Oversight and Investigations this afternoon. He did not identify the nation-state, but congressional sources told The Washington Examiner the list includes the Chinese.
Hacking VA computers would give foreign governments access to personal information, including medical records, home addresses, family members and past duty stations of veterans.
The hearing is scheduled to focus on an Inspector General report issued in March that found private information for thousands of veterans, including their Social Security numbers, birth dates and medical records, were routinely transmitted over an unencrypted Internet-accessible network.
Linda Halliday, assistant inspector general at VA, said lax security in that area could make veterans vulnerable to identity theft and other types of fraud.
As deputy assistant secretary for information security, Davis was the top civil service technology security officer at VA, a position he took over in August 2010 after 20 years in the field. He said he had never seen an organization with so many vulnerabilities.
He recounted a conversation with Stephen Warren, now acting assistant secretary for information and technology, in which Warren said, "we have uninvited visitors in the network."
Those visitors were organizations sponsored by foreign governments, Davis said.
Lack of basic security controls, such as encryption of data, make VA an easy target, he said. Davis said he tried to correct the problems, but met with resistance from upper management at the agency.
Cyber attacks from the Chinese government are expected to top the agenda when President Obama meets this week with Chinese President Xi Jinping. Recent government reports accuse China of hacking U.S. government systems to obtain technology, weapons and defense secrets.
Warren does not directly address Davis' allegations of government hacking in his statement to the committee. After a stolen laptop led to millions of veterans' personal records being compromised in 2006, VA launched a series of initiatives to improve data security, Warren said.
That includes better technology security training for VA workers and encryption of non-medical VA laptops.
The 2006 breach was caused by the theft of a VA employee's laptop, which contained personal information on about 26 million veterans and military personnel.
It led to a class action lawsuit that was settled for $20 million, and to other costs, including notifying veterans that raised the total tab for correcting the problem to almost $50 million.
The March audit showed sensitive VA data was being transmitted without encryption over unsecure networks, a problem that has not been fixed, said Halliday, the assistant IG.
Aside from putting veterans at risk for such things as identity theft, failure to fix the security issues leaves VA vulnerable to "malicious users" who could use the information to "disrupt mission-critical systems essential to providing health care services to veterans," she said.
"Our findings have disclosed a pattern of ineffective information security controls that expose VA's mission-critical systems and sensitive data to unnecessary risk," Halliday said.
UPDATE: VA doesn't know what was stolen by hackers
A foreign government hacked into Department of Veterans’ Affairs computers and stole data on as many as 20 million veterans, then covered its tracks by encrypting files before exporting them, according to congressional testimony today.
As a result, VA officials do not know what was stolen, a top VA official told the House Veterans’ Affairs Subcommittee on Oversight and Investigations. Potentially, the breach could be complete personal and medical records on everyone in the VA’s files, said Rep. Mike Coffman, R-Colo., the subcommittee chairman.
“These actors have had constant access to VA systems and data, information which included unencrypted databases containing hundreds of thousands to millions of instances of veteran information such as veterans’ and dependents’ names, Social Security numbers, dates of birth and protected health information,” Coffman said.
China and possibly Russia were identified by Coffman as likely culprits in the attempts to steal VA data.
At least eight foreign governments have hacked or attempted to penetrate VA’s computer network since March 2010, Jerry Davis, the former chief security officer at the agency, told the committee.
Stephen Warren, acting assistant secretary for information and technology at VA, initially downplayed the hacking by foreign governments. He said he was aware of only one incident in which a foreign government penetrated VA’s network security. That happened last year, he said.
But under grilling from Rep. Tim Huelskamp, R-Kansas, Warren later admitted he was aware of other incidents in which “multiple state actors” have attempted to access VA records.
Warren clarified that his earlier statement referred to one “published” incident and corrected his testimony.
Because the data thieves encrypted the files they stole, VA officials cannot determine what was taken, he said.
Warren would not disclose the foreign governments that have tried to breach VA databases, saying he would brief members of the committee privately. That didn’t sit well with Rep. David Roe, R-Tenn.
“Why is that classified?” Roe said. “Why wouldn’t that be public? When people are trying to steal from you, we ought to let people know who is trying to steal our own veterans’ information. Why are we hiding that?”
Mark Flatten is a member of The Washington Examiner Watchdog investigative reporting team. He can be reached at firstname.lastname@example.org.