China’s PLA Among 8 State-Sponsored Groups to Hack VA, Ex Official Says

lolloj/Shutterstock.com

Attackers had ‘unchallenged and unfettered’ access to VA systems.

China’s People’s Liberation Army attacked Veterans Affairs Department networks and infiltrated databases, the department’s former chief information security officer told lawmakers, adding details to news that China had hacked VA.

Rep. Michael Coffman, R-Colo., chairman of the House Veterans Affairs Committee’s panel on Oversight and Investigations, had already named China and possibly Russia as the source of attacks on VA systems since March 2010, but did not identify the PLA as a source.

Stephen Warren, acting VA chief information officer, also declined to identify specifics about sources of the attacks at the open hearing on Tuesday.

But Jerry Davis, a Marine Gulf War veteran who served as the VA CISO from August 2010 until February 2013, said that shortly after he took the VA job, Warren told him, “We have uninvited visitors in the network.” Davis said after an investigation he determined that “these attackers were a nation-state sponsored cyber espionage unit and that no less than eight different nation-state sponsored organizations had successfully compromised VA networks and data or were actively attacking VA networks.”

Davis testified these nation-state attacks “continue to this day,” enabled by weak technical controls in VA systems including lack of encryption on VA databases holding millions of veteran records and weak user authentication, which allowed “unchallenged and unfettered access and exploitation of VA systems and information by this specific group of attackers.”

Davis described VA as the worst organization with regard to information technology security he encountered in his career. “In nearly 20 years of building and managing security programs across government and private industry, I had never seen an organization with as many unattended IT security vulnerabilities,” Davis said. This included 13,000 uncompleted IT security corrective actions. These 13,000 security corrective actions would require more than 100,000 sub-actions to fully remediate, Davis said.

Linda Halliday, assistant VA Inspector General for audits and evaluations, testified that the IG has identified more than 4,000 security weaknesses and vulnerabilities in VA systems.  “They get hacked a lot,” she said of VA, without identifying the source of the attacks. Warren told the hearing that probes did not mean data had been stolen and some attackers may have been lured into “honey pot” traps where they could not extract data.

Coffman said the poor security allowed attackers access to VA databases, which contain personal information on millions of veterans, including Social Security numbers and addresses.

Rep. Tim Huelskamp, R-Kan., said he was “embarrassed, shocked and surprised” by the weaknesses in VA systems. Ranking Member Rep. Ann Kirkpatrick, D-Ariz., called for correction. “Veterans need to know the information they submit to VA will not be compromised under any circumstances,” she said. “It’s critical that VA’s information security is second to none.”

Rep. Robert Roe, R-Tenn., asked Halliday who bore responsibility for the security weaknesses in VA systems. She succinctly answered, “The CIO,” putting the burden of blame on former VA CIO Roger Baker, who served in that post from May 2009 to February of this year, when he resigned.
