Was VA Secretary Misled About Breaches?
Lawmakers Hint Top VA IT Officials Didn't Disclose All to Shinseki
The chairman of the House Veterans Affairs Committee suggests that Veterans Affairs Secretary Eric Shinseki might have been misled about the lack of security of VA IT systems and says those who withheld information about breaches of department computers should be disciplined, and perhaps fired.
Shinseki, in a May 14 letter to a committee member, wrote, "To be clear, VA's security posture was never at risk." Testimony at a June 4 hearing of the committee's Oversight and Investigation subcommittee revealed multiple breaches of VA systems since 2010.
"I don't know what it takes to get fired at the Department of Veterans Affairs," Rep. Jeff Miller, the Florida Republican who chairs the House VA committee, said at a June 14 press conference. "It seems everybody gets a bonus ... and if you do something wrong, you don't get fired; you just get moved to another position.
"This is an incident where somebody knew, somebody misled, it appears, the secretary, and I believe that person needs to be held accountable. If it's more than one person, absolutely, there needs to be disciplinary action up to and possibly including termination of employment."
Letter Sent to Shinseki Seeks Answers
Miller and Rep. Mike Michaud, the Maine Democrat who serves as the ranking minority member of the committee, sent a letter on June 13 to Shinseki, asking the secretary to explain the apparent discrepancy between his statement and the testimony of VA Acting Chief Information Officer Stephen Warren, who at the June 4 hearing acknowledged that breaches of department systems had occurred. They also asked why the VA didn't notify Congress of the breaches, as required by law.
In their letter, Miller and Michaud asked Shinseki if he was informed of the risks to VA networks, including breaches by multiple actors, prior to June 4. If so, they asked, why did his letter to subcommittee Chairman Mark Coffman indicate that VA's security posture was never at risk?
"If Secretary Shinseki is at all concerned about the integrity of his department, he will, in fact, discipline those responsible who misled him and gave him wrong information," Coffman, R-Colo., said at the press briefing. "He did mislead Congress by virtue of the facts he was given."
The VA media relations office has not responded to a June 14 query from Information Security Media Group seeking answers to the committee leaders' questions.
Miller called on VA to provide free credit protection services to all 20 million-plus veterans as well as their dependents because the breaches likely exposed personally identifiable information. He said he didn't know how much such protection would cost, but suggested some of the costs to pay for it could come from withholding VA executives' bonuses.
Coffman said "the truth came out" about the breaches because of a whistleblower, former VA Chief Information Security Officer Jerry Davis, whom the congressman did not identify by name at the press conference. "If not for that whistleblower, we may not have known that the system had been hacked today," he said.
Davis, now CIO at NASA's Ames Research Center, testified at the June 4 hearing that eight different nation-state-sponsored organizations had successfully compromised VA networks and data, or were actively attacking VA networks, and these attacks continue. Coffman at the hearing identified some of the intruders as Chinese and perhaps Russians [see VA Systems Hacked from Abroad].
Michaud and Rep. Ann Kirkpatrick, the Arizona Democrat who serves as the subcommittee's ranking member, also attended the briefing, noting that safeguarding VA systems is not a partisan affair. But their criticism of VA actions and statements regarding the breaches was a bit more reserved than that of their Republican colleagues, emphasizing that they want to seek the facts behind the hacks. "Making sure our veterans are protected and get the services they need is not a partisan issue; it's a national responsibility but we need to do it very carefully," Kirkpatrick said.