House lawmakers press VA for more details, assurances after cyber attacks

Friday - 6/14/2013, 12:33pm EDT

Jason Miller, executive editor, Federal News Radio

Download mp3

Rep. Jeff Miller (F-Fla.), chairman of the Veterans Affairs Committee at the podium as Reps. Mike Michaud (D-Maine) and Ann Fitzpatrick (D-Ariz.) look on. (Photo: Jason Miller)

The House Veterans Affairs Committee is turning up the heat on the Veterans Affairs Department and how it protects the data of millions of veterans.

Chairman Jeff Miller (R-Fla.) announced today the committee is requiring VA to take several steps to both improve the security of veterans' data and reassure former service members, and their families, that the agency is protecting their information.

Miller and Rep. Mike Michaud (D-Maine) also sent a letter to VA Secretary Eric Shinseki seeking answers to questions that went unanswered at a recent hearing, including why VA didn't notify Congress after multiple nation state attacks and data breaches as required under the Federal Information Security Management Act (FISMA).

The committee is acting more assertive in trying to get answers from VA after a June 4 hearing presented evidence that multiple state actors have infiltrated the agency's network.

"Our hearing was significant because it was the first time, the very first time, that we were able to get VA to admit its network had been breached, despite repeated requests by our committee for information, despite the fact the IG had said they have problems with their IT systems," Miller said during a press briefing on Capitol Hill Friday. "This goes directly against a letter that was given to Mr. [Rep. Mike] Coffman when he sent an inquiry to the secretary as to how safe the IT system was in the Department of Veterans Affairs. I'll just highlight the one line specifically the secretary sent back in his response, 'To be clear, VA security posture was never at risk.' We, in fact, know that's not a truthful statement."

Additionally, the hearing showed VA's efforts to implement network security improvements and ensure the viability of its computer systems continues to be lacking after more than a decade.

"The clues [the state actors] left behind, however, indicate that the data taken contained the personally identifiable information, such as names, birth dates, and Social Security numbers, of an untold number of our veterans and their dependents," Miller said.

A VA spokesman said the agency is aware of one data breach incident in which data was stolen.

"VA immediately investigated the incident and we believe that no veteran personal information had been exposed to unauthorized individuals. Whenever VA believes that a veteran's data is potentially put at risk, we offer credit monitoring," the spokesman said in an email statement. "Out of an abundance of caution, VA Acting Assistant Secretary for OI&T Stephen Warren has referred the matter to our Data Breach Core Team (DBCT) to conduct an independent review of the incident and provide credit monitoring as necessary if the DBCT determines that personal information has been exposed."

Miller said the committee has asked Shinseki to offer credit monitoring services to every veteran and dependent in its database — more than 20 million in all.

VA had to offer similar services in 2006 when an employee lost a laptop containing the data of 26 million veterans.

"We're talking about personally identifiable information again, including social securities, birth dates, names, addresses and telephone numbers. VA should do that. People will ask how will they do that?" Miller said. "Certainly there is money that VA can use. I think one of the best ways is probably to look at the money they have been using for bonuses for executives around VA to provide this credit monitoring."

Coffman (R-Colo.), the chairman of the subcommittee on investigations, which held the cybersecurity hearing, added VA had both a moral and legal obligation to notify veterans, their families and lawmakers.

"The fact is that we don't know what they took but I believe [VA] had a responsibility to the men and women who served this country to notify them at the point that they knew they were hacked to watch their own financial affairs to make sure nothing was to occur," Coffman said. "And they failed to be honest with Congress."

In addition to the credit monitoring services, the committee is conducting interviews with staff who support VA's networks and systems.

The interviews will include a classified briefing, which Stephen Warren, VA's acting assistant secretary in the Office of Information and Technology and chief information officer, requested at the hearing earlier this month.

Miller also is encouraging Shinseki to "hold VA leadership accountable for the ongoing failures and unreasonable risks in IT security."

"If Secretary Shinseki is at all concerned about the integrity of his department, he will, in fact, discipline those responsible who misled him to give him the wrong information where in fact he did mislead Congress by virtue of the facts that were given," Coffman said.