Report: Major ‘Security Weaknesses’ Still Plague Veterans Affairs Computers

Government watchdog warns of more cyber attacks until issues are corrected

Phoenix VA Health Care Center / AP
December 3, 2014

Systemic "security weaknesses" continue to plague the Department of Veterans Affairs (VA) two years after a major security breach and could lead to the unauthorized access and disclosure of even more personal information, according to a government oversight report.

The VA has failed to address "underlying" security vulnerabilities in its systems that have led to multiple high-profile breaches that exposed the personal information of thousands of veterans, according to a recent Government Accountability Office (GAO) report, which warns that security breaches are likely to continue until the VA fixes these issues.

"Until VA fully addresses previously identified security weaknesses, its information is at heightened risk of unauthorized access, modification, and disclosure, and its systems at risk of disruption," the report warns.

New warnings of major security gaps at the VA come less than a year after similar cyber security issues led to the exposure of information belonging to thousands of veterans.

The government watchdog is now warning that these types of security breaches will persist unless the VA fully corrects "an underlying vulnerability" that led to the initial disclosures.

The "VA has not addressed an underlying vulnerability that allowed the incident to occur," according to the GAO.

"Specifically, the department has taken some steps to limit access to the affected system, but, at the time of GAO's review, VA had not fully implemented a solution for correcting the associated weakness," the report warns. "Without fully addressing the weakness or applying compensating controls, increased risk exists that such an incident could recur.

Although the VA has implemented some corrective measures, "these actions were not fully effective," according to the report.

The VA also could not provide investigators with logs detailing how a 2012 breach occurred and is not properly retaining information about its networks, the report states.

"VA could not produce a report of its forensic analysis of the incident or the digital evidence collected during this analysis to show that the response had been effective," it says. "VA's procedures do not require all evidence related to security incidents to be kept for at least 3 years, as called for by federal guidance."

"As a result, VA cannot demonstrate the effectiveness of its incident response and may be hindered in assisting in related law enforcement activities," the report states.

VA officials also did not provide proper access to the National Security Operations Center (NSOC), which sought to investigate and help correct the breach, according to the GAO report.

"VA's policies did not provide the NSOC with sufficient authority to access activity logs on VA's networks, hindering its ability to determine if incidents have been adequately addressed," the report says. "In an April 2014 report, GAO recommended that VA revise its incident response policies to ensure the incident response team had adequate authority, and VA concurred."

The VA’s efforts to fix vulnerabilities identified in "two key web applications were insufficient" as well.

"The NSOC identified vulnerabilities in these applications through testing conducted as part of the system authorization process, but VA did not develop plans of action and milestones for correcting the vulnerabilities, resulting in less assurance that these weaknesses would be corrected in a timely and effective manner," according to the GAO.

These are not the only security failures taking place at the VA.

Security weaknesses were found in VA’s workstation, which include laptop computers. These issues "had not been corrected" at the time of the GAO’s investigation, despite solutions being available in some cases.

"Specifically, 10 critical software patches had been available for periods ranging from 4 to 31 months without being applied to workstations, even though VA policy requires critical patches to be applied within 30 days," according to the GAO.

"There were multiple occurrences of each missing patch, ranging from about 9,200 to 286,700, and each patch was to address an average of 30 security vulnerabilities," the report found. "VA decided not to apply 3 of the 10 patches until it could test their impact on its applications; however, it did not document compensating controls or plans to migrate to systems that support up-to-date security features."