Lawmakers blast VA over at-risk data

Outdated equipment, poor training and network security weaknesses continue to expose data at the Department of Veterans Affairs.

Speaking Wednesday at a House Veterans’ Affairs Committee hearing, officials from the Government Accountability Office (GAO) and the VA’s inspector general office detailed an agency that has repeatedly failed to secure its sensitive data. 

“We continue to see systemic deficiencies,” including such basic mistakes as employees taking equipment with sensitive data home, said Sondra McCauley, the VA’s deputy assistant inspector general for audits and evaluations. 

The VA revealed on Monday it had failed its annual cybersecurity audit for 2014 — its 16th straight failure.

“I think it’s clear from the findings presented here,” said Rep. Jackie Walorski (R-Ind.). “The personal information of millions of veterans remains at risk.”

While roughly 30 percent of major government agencies failed their cybersecurity audits in fiscal year 2013, the VA’s streak is largely unmatched, said Greg Wilshusen, the GAO’s director of information security issues. 

And McCauley believes the agency has not adequately worked to improve its system.

“Until a proven process is in place,” she said, “the IT material weakness will stand.”

Rep. Tim Huelskamp (R-Kan.) peppered VA Chief Information Officer Stephen Warren for specifics on whether foreign hackers could access VA data.

Warren explained certain vulnerabilities still remain because some outdated VA software cannot be patched. If the VA were to push out those patches, it could bring the whole site down.

“We have compensating controls around that,” Warren added.

Foreign hackers did pilfer employee username and password information in 2010 and 2012, but Warren doesn’t believe they took any personal data.

A report on those incidents by cybersecurity firm Mandiant is expected in December. 

Moving forward, Warren touted an additional $60 million the VA has earmarked for its 2015 cybersecurity budget.

The agency originally allotted $156 million for cybersecurity in its budget released in March.