Chairman Mike Coffman
Good afternoon. I would like to welcome everyone to today’s hearing titled “How Secure is Veterans’ Private Information?”
Reports from VA’s Office of Inspector General, private sector consultants brought on by VA, and this Subcommittee’s own investigation have revealed tremendous problems within VA’s Office of Information and Technology.
Some of these issues have been made public in Inspector General reports which outlined mismanagement of human resources and the lack of much needed technical expertise. Other issues have been less publicized, such as those captured in the Deloitte “deep dive” that identified gaps in OI&T’s organizational structure and a poorly executed business model.
The latter report recognized the growth of VA by thirty-three percent since 2006; growth that is mirrored by the expansion of VA’s computer network. Unfortunately, there has not been a comparable growth in the technical personnel needed to manage security of VA’s sprawling network.
These failures have created problems for both the Department and for veterans.
The Inspector General substantiated that VA was transmitting sensitive data, including personally identifiable information and internal network routing information, over an unencrypted telecommunications carrier network—both violations of federal regulation and basic IT security. The IG also noted that VA has not implemented technical configuration controls to ensure encryption of sensitive data despite VA and federal information security requirements.
Similarly, it is evident that software patches are not up to date across the network, too many users have Administrator access, security software is not up to date on older computers, and computer ports are not properly secured. There is little to no security of file transfer protocol, and web pages are vulnerable allowing unauthorized access to veterans’ unprotected personal information within the system.
While these issues alone give cause for grave concern, this Subcommittee’s investigation has identified even greater problems. The entire veteran database in VA, containing personally identifiable information on roughly 20 million veterans, is not encrypted, and evidence suggests that it has repeatedly been compromised since 2010 by foreign actors, including in China and possibly in Russia.
Recently, the Subcommittee discussed VA’s Authorization to Operate, a formal declaration that authorizes operation of a product on VA’s network which explicitly accepts the risk to agency operations, and was told that “VA’s security posture was never at risk.”
In fact, VA’s security posture has been an unacceptable risk for at least three years as sophisticated actors use weaknesses in VA’s security posture to exploit the system and remove veterans’ information and system passwords. While VA knew foreign intruders had been in the network, the Department was never sure what exactly these foreign actors took, because the outgoing data was encrypted by the trespassers.
These actors have had constant access to VA systems and data, information which included unencrypted databases containing hundreds of thousands to millions of instances of Veteran information such as veterans’ and dependents’ names, social security numbers, dates of birth, and protected health information.
Notwithstanding these problems, VA has waived or arbitrarily extended accreditation of its security systems on its network. It is evident that VA’s waivers or extensions of accreditation only “appear” to resolve material weaknesses without actually resolving those weaknesses.
VA’s IT management knowingly accepted the security risks by waiving the security requirements even though such waivers are not appropriate. This lapse in computer security and the subsequent attempts by VA officials to conceal this problem are intolerable and I look forward to a candid discussion about these issues.
I now yield to Ranking Member Kirkpatrick for her opening statement.