WASHINGTON – At least eight foreign-sponsored organizations have hacked into computer networks at the Veterans Affairs Department in recent years or were actively trying to do so, a former VA computer security chief told Congress on Tuesday.
Jerry Davis, who served as the VA’s chief information security officer until February 2013, said in written testimony to a House subcommittee that the VA became aware of the computer hacking in March 2010 and that attacks continue “to this very day.”
Davis said the hacking “successfully compromised VA networks and data,” but he did not indicate how the information may have been used. The intrusions raise the potential for identity theft and could complicate efforts to share data with the Pentagon, long viewed as key to quicker processing of disability claims.
“The entire veteran database in VA, containing personally identifiable information on roughly 20 million veterans, is not encrypted, and evidence suggests that it has repeatedly been compromised since 2010 by foreign actors, including in China and possibly in Russia,” said Rep. Mike Coffman, R-Colo., chairman of the House Veterans’ Affairs oversight and investigations subcommittee.
Officials with the VA’s inspector general’s office said the main threat to veterans would appear to be credit card theft. They also could not point to any specific instances in which such fraud has occurred. Investigators also said hackers had obtained access to the emails of senior VA managers, but did not know what had been done with the emails.
Linda Halliday, an assistant inspector general, said investigators were seeing fewer weaknesses with the VA’s computer security, but she told lawmakers that 4,000 weaknesses and vulnerabilities have not been addressed. She cited weak passwords and user accounts with inappropriate access as among the most common problems.
Stephen Warren, acting assistant secretary for information and technology at the VA, said the state of computer security at the VA was something he wrestled with continually, but the inspector general’s citation of security threats dealt with what could go wrong. He said that’s not the same as the removal of information from the VA’s computers.
“We’re talking about potential. We’re not talking about actuals,” Warren said in describing the computer security problem at the VA.
Warren told the hearing he disagreed with Coffman’s assessment that the VA’s computer systems had been compromised repeatedly by foreign entities. He said he knew of only one such instance. He declined to cite which country that involved, saying he would prefer to discuss it in a closed session.
At another point in the hearing, Warren said he was aware of more than one foreign entity that had attempted to hack into the VA’s systems. He said such attacks go beyond foreign governments, but through crime syndicates seeking financial gain.