Official describes rampant computer hacking at VA

Apple CEO Tim Cook, center, flanked by Apple chief financial officer Peter Oppenheimer, left, and Phillip A. Bullock, Apple's head of Tax Operations, testifies on Capitol Hill in Washington, Tuesday, May 21, 2013, before the Senate Homeland Security and Governmental Affairs Permanent subcommittee on Investigations hearing to examine the methods employed by multinational corporations to shift profits offshore and how such activities are affected by the Internal Revenue Code. Apple, the world's most valuable company, based in Cupertino, Calif., holds a billion dollars in an Irish subsidiary as a tax strategy, according to a report issued this week by the subcommittee. (AP Photo/J. Scott Applewhite)

WASHINGTON (AP) — At least eight foreign-sponsored organizations have hacked into computer networks at the Veterans Affairs Department in recent years or were actively trying to do so, a former VA computer security chief told Congress on Tuesday.

Jerry Davis, who served as the VA’s chief information security officer until February 2013, testified at a House subcommittee hearing that the VA became aware of the computer hacking in March 2010 and that attacks continue “to this very day.”

Davis said the hacking “successfully compromised VA networks and data,” but he did not indicate how the information may have been used. The intrusions raise the potential for identity theft and could complicate efforts to share data with the Pentagon, long viewed as key to quicker processing of disability claims.

“The entire veteran database in VA, containing personally identifiable information on roughly 20 million veterans, is not encrypted, and evidence suggests that it has repeatedly been compromised since 2010 by foreign actors, including in China and possibly in Russia,” said Rep. Mike Coffman, R-Colo., chairman of the House Veterans’ Affairs oversight and investigations subcommittee.

Officials with the VA’s inspector general’s office said the main threat to veterans would appear to be credit card theft. They also could not point to any specific instances in which such fraud has occurred. Investigators also said hackers had obtained access to the emails of senior VA managers, but did not know what had been done with the emails.

Linda Halliday, an assistant inspector general, said investigators were seeing fewer weaknesses with the VA’s computer security, but she told lawmakers that 4,000 weaknesses and vulnerabilities have not been addressed. She cited weak passwords and user accounts with inappropriate access as among the most common problems.

Stephen Warren, acting assistant secretary for information and technology at the VA, said the state of computer security at the VA was something he wrestled with continually, but the inspector general’s citation of security threats dealt with what could go wrong. He said that’s not the same as the removal of information from the VA’s computers.

“We’re talking about potential. We’re not talking about actuals,” Warren said in describing the computer security problem at the VA.

Warren told the hearing he disagreed with Coffman’s assessment that the VA’s computer systems had been compromised repeatedly by foreign entities. He said he knew of only one such instance. He declined to cite which country that involved, saying he would prefer to discuss it in a closed session.

At another point in the hearing, Warren said he was aware of more than one foreign entity that had attempted to hack into the VA’s systems. He said such attacks go beyond foreign governments, but through crime syndicates seeking financial gain.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s