VA Received Specific Warnings About Security
Since 06-17-06
By Monisha Bansal
CNSNews.com Staff Writer
June 15, 2006
http://www.cnsnews.com/ViewSpecialReports.asp?Page=/SpecialReports/archive/200606/SPE20060615a.html
(CNSNews.com) - While Congress reviews whether the U.S. Department of Veterans Affairs took appropriate steps to protect the sensitive data that was taken home by an employee and eventually stolen in a burglary on May 3, Cybercast News Service has learned more details about the several specific warnings that were issued to the agency about its lax security.
The warnings from the Government Accountability Office (known as the General
Accounting Office until 2004) go as far back as 1998.
On May 22, the Veterans Department disclosed that a personal laptop and a VA-owned external media drive had been stolen from the home of one of the agency's data analysts in Aspen Hill, Md., three weeks earlier. The stolen equipment contained the Social Security numbers, names and birthdates of 26.5 million veterans.
The data also included information about 2.2 million active-duty military, Guard
and Reserve personnel. The agency originally said the number was 50,000.
The data analyst has since been fired for violating the agency's internal policy
regarding the taking home of such data, according to Associated Press reports on
Friday, and his supervisor has resigned.
"It is disturbing to learn that this individual was taking data home for three
years and he wasn't part of an authorized telework (telecommuting) program. He
wasn't authorized to be doing this," Robert White, a spokesman for the Committee
on Government Reform, told Cybercast News Service. The committee is currently
investigating the VA's actions.
In a September 1998 Government Accountability Office report, the agency documented the VA's cyber-security issues. "In our report, we noted significant problems related to the department's control and oversight of access to its systems," the GAO stated.
"VA did not adequately limit the access of authorized users or effectively
manage user identifications and passwords," according to the GAO report from
eight years ago. "The department also had not established effective controls to
prevent individuals, both internal and external, from gaining unauthorized
access to VA systems."
The same report stated that it was the responsibility of each government agency
to provide for the security of its own information systems.
Another GAO report issued in September 1998 noted that "VA did not adequately limit the access granted to authorized VA users, properly manage user IDs and passwords, or routinely monitor access activity."
"As a result, VA's computer systems, programs, and data are at risk of
inadvertent or deliberate misuse, fraudulent use, and unauthorized alteration or
destruction occurring without detection," the GAO cautioned. "We also found that
VA had not adequately protected its systems from unauthorized access from remote
locations or through the VA network."
Again, in September 2000, GAO warned that VA needed to establish a program for identifying access patterns and attempts to access data from unauthorized locations, as well as establishing means to "terminate sessions when necessary."
"Access control and service continuity problems are placing financial and
sensitive veteran medical information at risk of inadvertent or deliberate
misuse, fraudulent use, improper disclosure, and/or destruction," the GAO's
report in 2000 stated.
In 2002, the GAO noted that although VA had made some improvements, the department had "not yet fully implemented a comprehensive computer security management program that includes a process for routinely monitoring and evaluating the effectiveness of security policies and controls and addressing identified vulnerabilities."
Despite the continued warnings, VA did not implement security procedures to
detect and block sensitive data being accessed or downloaded to an unauthorized
computer, according to cyber-security expert Ken Rutsky of the information
systems company Workshare.
Such technology was easily available, Rutsky said, and if used could have
prevented the security breaches at VA and the recent discovery of a hacker who
stole a file containing Social Security numbers of 1,500 employees at the U.S.
Department of Energy's nuclear weapons agency.
"You have to look for technologies that can both educate and enforce policy. And
there are technologies to educate the user about the risk they are about to
take, or enforce them by either stopping them, or create an audit trail," Rutsky
told Cybercast News Service.
He added that policies must be reasonable. "Is it reasonable to say that people
should not have the data on 26 million veterans on a machine that they can take
home? That seems fairly reasonable to me, as a policy," he said.
But Rutsky said implementing these policies is not a matter of expense. In the
VA's budget as submitted to Congress, the amount allocated for information
systems for fiscal year 2007 is $1.257 billion, an amount similar to the $1.2
billion allocated for that purpose in Fiscal Years 2005 and 2006.
Rutsky said it would cost about $7 million to implement an effective security
program across the agency.
White added that "part of any cyber-security effort is more than just putting
policies in place. It's training and managerial oversight."
As part of that managerial oversight, a 1999 GAO report pointed out that "senior management's awareness, support, and involvement are essential in establishing the control environment needed to promote compliance with the entity's information security program."
Veterans Affairs Secretary Jim Nicholson echoed that warning in his testimony before the U.S. House Government Reform Committee last week. "This has been a painful lesson for us at VA, and I am committed to assuring that we have the people, adequately trained, policies and procedures in place to assure that this could not happen again," the Associated Press quoted him as saying.
But in their testimony before the Government Reform Committee Wednesday, GAO
investigators said the problem was even more widespread than this particular
incident.
According to the Associated Press, "They pointed to repeated occasions in the
last year in which VA employees passed along veterans' medical information via
unencrypted e-mail or were allowed to freely log into the VA secure network in
their off-duty hours or even after they've been terminated."
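The two findings above, logins after an employee has been terminated and logins during off-duty hours, are the kind of pattern a routine access review can flag. The following is an added illustration, not code from the article or from the VA; the log format, user names and HR records are constructed.

```python
"""Flag the two access-control failures the GAO described at the VA:
logins after termination and logins outside duty hours.
All log lines and HR data below are constructed for illustration."""
from datetime import datetime, time

# Constructed sample: one line per successful network login.
# Format: "<timestamp> LOGIN user=<id> src=<ip>"
SAMPLE_LOG = """\
2006-04-12T09:15:00 LOGIN user=jdoe src=10.1.4.22
2006-04-12T23:40:00 LOGIN user=jdoe src=71.1.9.5
2006-04-14T10:02:00 LOGIN user=asmith src=10.1.4.30
2006-04-20T11:00:00 LOGIN user=asmith src=10.1.4.30
"""

# Constructed HR data: termination dates and each user's duty hours.
TERMINATED = {"asmith": datetime(2006, 4, 15)}
DUTY_HOURS = {"jdoe": (time(8, 0), time(18, 0)),
              "asmith": (time(8, 0), time(18, 0))}


def parse_line(line):
    """Split one log line into (timestamp, user, source address)."""
    ts, _, rest = line.split(" ", 2)
    fields = dict(f.split("=", 1) for f in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["src"]


def review_logins(log_text):
    """Return (timestamp, user, reason) for every login that violates policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, src = parse_line(line)
        fired_on = TERMINATED.get(user)
        if fired_on and when >= fired_on:
            findings.append((when, user, "login after termination"))
            continue  # one finding per event is enough to escalate
        start, end = DUTY_HOURS.get(user, (time(0), time(23, 59)))
        if not (start <= when.time() <= end):
            findings.append((when, user, "login outside duty hours"))
    return findings


if __name__ == "__main__":
    for when, user, reason in review_logins(SAMPLE_LOG):
        print(f"{when.isoformat()} {user}: {reason}")
```

A real deployment would feed the review from the identity provider's HR feed and the VPN or directory logs rather than embedded tables.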
The VA did not return phone calls seeking comment for this article.