SecurityWeek

Application Security

Former Veterans Affairs CISO Discusses Severe Hacking Cases with Congress

On Tuesday, Jerry Davis, the VA’s former CISO, told members of the House Veterans’ Affairs oversight and investigations subcommittee that the sensitive personal information the department is charged with protecting remains at risk due to flawed processes and procedures, and inadequate protection.

Davis’ testimony noted that when he began his tenure as CISO with the VA, he had “never seen an organization with as many unattended IT security vulnerabilities.”

“Upon my arrival in late August 2010 I inherited the results of more than 15 continuous years of an unattended and documented material weakness in IT security controls. This material weakness included more than 13,000 uncompleted IT security corrective actions. These 13,000 security corrective actions would require more than 100,000 sub actions to fully remediate and manage IT security vulnerabilities and improve the VA security posture.”

With time and effort, Davis’ team at the VA closed more than 10,000 corrective actions and executed 100,000 sub actions. From a compliance stance, Davis’ testimony explained, these milestones improved the VA’s security, but problems remained when it came to implementing the adequate technical security controls needed to defend networks, systems and sensitive information from nation-state sponsored attackers.

Shortly after he arrived at the VA, Davis said he was told by Principal Deputy Assistant Secretary (PDAS) Stephen Warren that there were “‘uninvited visitors in the network,’” a claim that was confirmed by the VA’s Network Security Operations Center (NSOC). Staff at the NSOC told Davis that nation state-sponsored attackers hit the VA in March of 2010.

Over time, while working with the VA NSOC team and external agencies, Davis told Congress that he learned that no less than eight different nation-state sponsored organizations had “successfully compromised VA networks and data or were actively attacking VA networks; attacks that continue at VA to this very day.”

The attackers were targeting weak technical controls, such as lack of encryption on VA databases housing millions of sensitive records, web applications with common exploitable vulnerabilities, and poor authentication to sensitive systems. Combined, these failures contributed to the “successful unchallenged and unfettered access and exploitation of VA systems and information by this specific group of attackers.”

For his part, PDAS Warren disagreed with Davis, telling Congress that he knew of only one incident, and he would only discuss it in a closed session. Linda Halliday, an assistant inspector general, said in her testimony that investigators were seeing fewer problems with the VA’s security, but there are still 4,000 vulnerabilities and weaknesses that need to be addressed, the most common of which include weak passwords and inappropriate access.

The problems at the VA go deeper than public testimony, however, according to a report from Federal News Radio. The news agency published a letter written by Davis, reporting that he was reluctant to sign documents attesting to the VA’s state of security. Further, the report says that Davis was coerced into rubber-stamping 250 certifications in order to be released from the VA and take a position as CIO at NASA.

“…there is a clear and present danger and risk of exposure and compromise of sensitive data for perhaps hundreds of thousands to millions of veteran[s]; all facilitated by coercion, intimidation and an improper process executed to assess system security,” Davis wrote in a letter to Congress earlier this year. 
