China and seven other foreign countries, as well as non-state actors, are hacking into Department of Veterans Affairs computer systems and potentially stealing veterans' personal information, current and former officials said.
Jerry L. Davis, former deputy assistant secretary for information security at the VA, also cast doubt on VA Secretary Eric Shinseki's previous assurance to Congress that VA computer systems were never at risk from attacks.
"I would say that is not an accurate statement," Davis said when asked about Shinseki's testimony by Rep. Tim Huelskamp, R-Kansas, a member of the House Veterans Affairs Subcommittee on Oversight and Investigations.
Officials estimated on Tuesday that some 20 million veterans are in the VA's system, but the VA does not know how many veterans' records have been compromised by hackers.
Davis left the VA in February 2013 after more than two years, but not before VA officials tried to pressure him to sign off on a project indicating the information systems under his authority were all secured. No one threatened him, but it was made clear he would not be given a release freeing him up to take on a new job unless all the systems were cleared, he said in response to lawmakers' questions.
"The … process that was taking place at the very end was not the process we had done in the two-and-a-half years I had been there," he said. It was revised, so that controls on a system had to be certified within two weeks. His team working in the field warned him that the process was not working, he said.
Davis said Stephen Warren, acting assistant secretary for the VA's Office of Information and Technology, wanted all the authorizations signed "by the time I left."
He said he refused.
Past breaches of the VA's system have exposed millions of veterans to identity theft and financial crimes, since information gleaned from the records may include Social Security numbers, dates of birth and more, according to the VA's Office of the Inspector General.
Linda A. Halliday, assistant inspector general for audits and evaluations, said her office found a number of issues, including key databases that were not timely patched or secured. The VA also did not change control policies and procedures for authorizing, testing and approving system changes.
The inspector general substantiated allegations that the VA was transmitting sensitive data over an unencrypted telecommunications network. This included electronic health records and internal Internet protocol addresses being moved among certain VA medical centers and community-based outpatient clinics.
Lawmakers were visibly frustrated at times with the VA officials who were called in to give testimony, including Stephen W. Warren, acting assistant secretary for the VA's Office of Information and Technology, and Stan Lowe, recently named deputy assistant secretary for information security.
Subcommittee Chairman Rep. Mike Coffman, R-Colo., and Huelskamp both reminded Warren he was under oath. Huelskamp took exception when Warren seemed to claim that there was only one "state actor" hacking the VA's system, when investigators said there are eight.
Warren conceded that multiple countries, in addition to other syndicates that sell information, are regularly working to access the VA system. He said he would identify the countries in classified testimony but that doing so in public could jeopardize his clearance.
Warren defended the VA system against the IG report, saying the critical review frequently used words such as "could," "might," "potential," and "possible."
"Whenever a review takes place the focus is on what could happen," he said. "The existence of a risk is not the same as removal of information from the network."
To date, the most serious breach of VA data occurred when a VA laptop containing information on 19 million active duty troops and vets was stolen. Though the laptop was eventually recovered, the VA agreed to pay out a pool of $20 million to those whose dates of birth and Social Security numbers were on it.
Davis testified that in 20 years of overseeing and building IT security programs he had never seen one with as many unattended security vulnerabilities as the VA had when he joined it in August 2010. He said he found "15 continuous years of an unattended and documented material weakness in IT security controls," including more than 13,000 uncompleted IT security corrective actions that would require more than 100,000 sub-actions to make them secure.
But by the time he was getting close to leaving they had resolved more than 10,000 of the 13,000 corrective actions, he said.
But of greater concern to him was learning from Warren about the hacks into the system.
Warren told Davis that "we have uninvited visitors in the network," and he soon learned they were foreign governments, including China, where the culprit group is linked to the People's Liberation Army.