House shines security spotlight on VA
House shines security spotlight on VA
System execs find themselves on the defensive after IG reveals network breaches
By Tony Lee Orr
Lawmakers told the Veterans Affairs Department late last month that they plan to shine a white-hot light on VA computer security practices.
'I think VA has had its chance, and, in the next Congress, the committees of jurisdiction should actively intervene in these programs to straighten them out,' said Rep. Terry Everett (R-Ala.), chairman of the House Veterans Affairs Subcommittee on Oversight and Investigations.
Acting VA CIO Robert Bubniak, center, along with VBA CIO Adair Martinez and VHA CIO Gary Christopherson field lawmakers' questions.
'It is time to move beyond oversight,' he said. 'This is an expression of 'no confidence.' '
What drew the tough stance was testimony from the department's inspector general revealing VA had so poorly protected systems that an IG team breached them and accessed millions of veterans' records.
'I find this revelation extremely scary. The fact that the VA's computer system has been at risk to hacking and continues to be susceptible to unauthorized penetration is frightening and demands immediate attention from the highest levels,' Everett said.
Although VA officials acknowledge that they still have security work to do, the compromised Veterans Benefits Administration systems have been upgraded and are no longer at risk, said Allen Gohrband, VA's associate deputy assistant secretary for information technology policy and program assistance.
The team of contractors hired by the IG last year conducted penetration tests and succeeded in taking over VBA's systems, said Michael Slachta Jr., VA's assistant inspector general for auditing.
Slachta testified that the hired hackers accessed sensitive financial and medical data for roughly 3.2 million veterans via computers at a VBA regional office in Hines, Ill., near Chicago.
The IG team, which from December 1998 to January 1999 tested VA's nationwide network, had no difficulty breaking in, Slachta said. He called the hacking techniques they used to breach the network unsophisticated.
When the testing occurred, Gohrband said, VA systems employees knew they were being studied and attacked. But inadequate architecture and administration failures couldn't stop the intrusions, he said.
VA officials are counting on the systems software and hardware upgrades, coupled with more prevalent monitoring by IT personnel, to prevent future break-ins, Gohrband said.
He described one technique the hacker team used as social engineering: The contractors would simply ingratiate themselves with VBA employees and gather information from those employees' desks to break passwords and learn other system details.
Rep. Corinne Brown (D-Fla.) and Rep. Terry Everett (R-Ala.), center, question VA systems officials as their staff directors look on.
Apart from the IG tests, VA officials said they were aware they had security problems.
For instance, hackers had defaced some of the department's public Web sites and reactions to virus attacks were 'sluggish,' said Robert P. Bubniak, VA's acting chief information officer and principal deputy assistant secretary for information and technology.
The IG review found what has become a litany of security woes at many VA sites: poor password selection, inadequate security training, a lack of management oversight of user activities and a failure to update user access privileges.
A measure to speed productivity actually helped three VA employees embezzle $1.3 million by exploiting the system control weaknesses created by the software workarounds, Slachta said.
At some regional offices single users were given multiple passwords under multiple identification numbers allowing multiple yet simultaneous access, he said. The move defeated controls intended to promote separation of duties and prevent fraud and abuse, Slachta said.
General Accounting Office auditors testified that the problems result from the lack of comprehensive, coordinated security management.
Until VA develops and implements such a plan, it will have limited assurance that financial information and sensitive medical records are adequately protected from misuse, unauthorized disclosure or destruction, said Joel C. Willemssen, director of GAO's Civil Agencies Information Systems Accounting and Information Management Division.
'We are now acutely aware that an underlying cause of our present security posture is that we had not instituted a management approach that proactively attacks risk at its roots,' he told the subcommittee.
'Instead, there was a tendency to react to individual audit findings, with little ongoing attention to systematic causes of weaknesses,' he said. 'Since we strengthened central security management in 1999, improvements have been pursued within a risk management framework and will continue to be pursued that way.'Defenses work
VA officials maintain that the upgrades are working to keep outsiders on the outside.
VA spokesman Steve Westerfeld said the department is 'unaware of any successful hacking attempt' at the Hines office since the upgrades. The new detection tools spotted two hack attempts in recent months and allowed VA to thwart both tries, he said.
VA now faces the same security problem confronted by agencies governmentwide: How to get all workers'the federal Dilberts'to safeguard the nation's information.
'We are at the point now that we need to ensure that VA sites are following up on security,' Gohrband said. That is a people problem'a cultural problem, he said. 'We are going to have a higher level of management attention.'
The House Government Reform Subcommittee on Government Management, Information and Technology gave VA a D on its computer security efforts earlier last month, when Rep. Steve Horn (R-Calif.) announced that the government overall had earned a D minus for its security practices [GCN, Sept. 25, Page 1
Bubniak did not find fault with the ranking.
'VA does not underestimate the challenges we face to achieve adequate security in all six of the general control areas against which GAO measures any agency's security,' Bubniak said. 'We accept Congressman Horn's grade of a D as a rebuke and a wake-up call.'Mark A. Kellner, a free-lance reporter in Los Angeles, contributed to this report.