BreachExchange mailing list archives

Serious doubts remain about VA's ability to secure veterans' data


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 16 Aug 2013 03:37:52 -0600

http://www.federalnewsradio.com/538/3415141/Serious-doubts-remain-about-VAs-ability-to-secure-veterans-data

The Veterans Affairs Department has done little over the last two
months to satisfy House lawmakers' concerns about the security of the
data of more than 20 million veterans.

The department also is under pressure for more details about the
extent of "repeated compromises" of VA's network by nation states.

The rising tensions between the House Veterans Affairs committee's
majority and VA come as a report surfaced showing veterans are at a
higher risk of identity theft than the average citizen.

Federal News Radio obtained a December 2012 report by ID Analytics
showing veterans near military bases in Alaska, New York, Colorado,
Ohio and Kentucky have a higher risk ratio for identity theft than
non-veterans in the same areas. ID Analytics is a consumer risk
management company that uses analytics and real-time insight into
consumer behavior to flag likely identity misuse.

A House Veterans Affairs Committee staff member said the committee
knew about the report and it is one of the main reasons for the
continued pressure on the department to answer questions about how
it's protecting the veterans' data.

The committee's frustration with VA's answers boiled over at a July 12
briefing attended by House and Senate Veterans Affairs committee staff
members, VA IT executives and Homeland Security Department officials.

Stephen Warren, VA's acting assistant secretary for Information and
Technology and chief information officer, failed to provide answers to
satisfy some staff members, multiple sources confirmed.

"The meeting was of little to no value and did not serve its intended
purpose," said a House Veterans Affairs Committee staff member. "DHS
and Warren spent the bulk of the hour-long meeting providing a broad
40-minute overview of nationwide cybersecurity challenges."

Sources confirm Eric Hannel, the subcommittee on oversight and
investigations staff director, walked out of the meeting with about 10
minutes left after his questions to VA officials about how they are
protecting agency networks repeatedly went unanswered to his
satisfaction.

The House VA Committee staff member would not confirm Hannel walked
out of the meeting.

But they say one of the most important questions they wanted Warren to
answer during the meeting was, "How many times has VA's system been
hacked within the last year?"

The staff member said Warren would not answer the question directly.

An internal memo written by Matt Santos, a congressional relations
officer at VA, obtained by Federal News Radio, stated, "Before Mr.
Warren could complete his presentation HVAC staffer Eric Hannel
abruptly began asking pointed questions regarding vulnerabilities in
public facing websites that contain Veteran [personally identifiable
information] PII, numbers of applications scanned for vulnerabilities,
and Windows 7 patches. Most notably, Mr. Hannel claimed that he can
use tools 'available on the Internet' to get behind VA's websites to
access PII for millions of Veterans. Mr. Warren requested clarity
regarding the vulnerabilities to allow VA to fix existing problems Mr.
Hannel had recognized. Mr. Hannel would not give any details but
repeatedly requested that Mr. Warren admit that he knows the
vulnerabilities. The exchange ended with Mr. Hannel walking out of the
room claiming that VA had 'wasted' his time by hiding the truth."

The House VA committee staff member said the committee had someone at
the meeting the entire time.

A VA spokesperson wouldn't comment on the meeting or the ID Analytics
report, but said in an email, "The Department of Veterans Affairs
treats the protection of Veteran and other sensitive information with
the utmost care. Over the past decade, VA created an information
protection program in response to both exposures and increasing cyber
risks from all fronts, internal and external. VA has embarked on a
cultural transformation with respect to protecting VA information.
This transformation is similar to how healthcare accrediting bodies
have shifted away from predictable audit schedules and pre-defined
checklists toward longitudinal reviews of how policy is defined,
supported, communicated, implemented, monitored and improved."

Senate Veterans Affairs Committee staff members also attended the briefing.

A spokesman for the majority side said, "We are trying to put together
something with [ranking member] Sen. [Richard] Burr's staff to get
more information from VA on cybersecurity."

The spokesman wouldn't offer more details about the committee's plans.

The briefing with both committees came after Warren asked for a closed
door meeting to discuss the nation state attacks first exposed at the
June 4 hearing before the House VA committee.

This was at least the third meeting this year between VA and the House
committee staff about the agency's cybersecurity challenges.

The House committee staff member said lawmakers still are waiting for
a response from the agency to a June 13 letter sent to VA Secretary
Eric Shinseki asking three questions about what lawmakers believe is
VA's inability to be forthcoming about the cyber attacks.

"VA leadership recognizes that information security goes beyond
information technology and has put measures in place to protect
Veteran information and ensure that every VA employee and contractor
is trained in their role in protecting that data," the VA spokesperson
said. "All organizations, including federal agencies, face constantly
evolving cybersecurity threats. VA aggressively combats such threats
through a multi-layer approach of technical controls, managerial
controls, internal reviews, deployment of continuous monitoring tools,
outside reviews from VA's independent Office of Inspector General and
collaboration with U.S.-Computer Emergency Readiness Team (US-CERT).
VA, and all federal agencies, report cybersecurity incidents to the
US-CERT in accordance with US-CERT guidelines."

To that end, Santos wrote that VA told the committee that it would be
among the first to implement the Einstein 3 cyber program provided by
DHS.

The committee and former VA officials allege that the agency isn't
doing enough to protect veterans' data.

Before the June 4 hearing, letters to the Hill obtained by Federal
News Radio alleged VA is shortcutting the assessment and authorization
(A&A) process for its IT systems, the process previously known as
certification and accreditation (C&A). VA's former Chief Information
Security Officer Jerry Davis alleges the agency's process is flawed and
is putting data and systems at higher risk.

The ID Analytics report supports the allegations that veterans' data is
at greater risk.

The report reviewed two databases containing the personal information
of more than 20 million veterans. Sources say VA has been receiving
reports from ID Analytics since it lost the laptop with the data of 26
million veterans in 2006.

An email to ID Analytics asking for comment on the report was not
immediately returned.

The reports showed veterans "have substantially higher alert rates
than the non-veteran population. This indicates a higher level of
activity in the marketplace for the veteran population, which could
indicate higher risk of identity misuse."

ID Analytics found credit card fraud is the most common way criminals
use the stolen identities.

ID Analytics also recommended VA take eight steps, including reviewing
log files to see whether employees are stealing identities and selling
them to criminals, investigating VA facilities within 20 miles of
reported misuse, and comparing the data of veterans who say they were
victims of identity theft with the data provided in the report and
giving any matches a higher degree of protection.

The company suggested to VA that it consider offering "individualized
assistance to affected veterans," which could include credit
monitoring, identity monitoring, fraud alerts or credit freezes.

The House committee staff member didn't say what the next steps
chairman Jeff Miller (R-Fla.) would take to ensure VA is doing more to
protect the data of veterans.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
