Official describes rampant computer hacking at VA

Former VA official tells lawmakers of state-sponsored computer hacking at VA

WASHINGTON (AP) -- At least eight foreign-sponsored organizations, mostly connected to the Chinese military, have hacked into computer networks at the Veterans Affairs Department in recent years or were actively trying to do so, a former VA computer security chief told Congress on Tuesday.

Jerry Davis, who served as the VA's chief information security officer until February 2013, testified at a House subcommittee hearing that the VA became aware of the computer hacking in March 2010 and that attacks continue "to this very day."

Davis said the hacking "successfully compromised VA networks and data," but he did not indicate to lawmakers how the information may have been used. The intrusions raise the potential for identity theft and could complicate efforts to share data with the Pentagon, long viewed as key to quicker processing of disability claims.

"The entire veteran database in VA, containing personally identifiable information on roughly 20 million veterans, is not encrypted, and evidence suggests that it has repeatedly been compromised since 2010 by foreign actors, including in China and possibly in Russia," said Rep. Mike Coffman, R-Colo., chairman of the House Veterans' Affairs oversight and investigations subcommittee.

Officials with the VA's inspector general's office said the main threat to veterans would appear to be credit card theft. They could not point to any specific instances in which such fraud has occurred because of foreign agents. While foreign hackers had obtained access to the emails of senior VA managers, investigators did not know what had been done with the emails.

Davis, who now works at NASA, singled out China's military as responsible for hackings at the VA. In talking to a reporter after the hearing, he said six of the eight foreign-sponsored organizations he spoke of during the hearing were connected in some way to the People's Liberation Army. Davis said the data the foreign hackers accessed included such things as Social Security numbers and dates of birth. He said officials know that some information was encrypted and removed from the VA's computers. Officials should assume that if such information was accessed, then it went out as well.

When asked by a reporter if the information removed included such things as Social Security numbers, he replied "it's the safe bet."

Linda Halliday, an assistant inspector general, said investigators were seeing fewer weaknesses with the VA's computer security, but she told lawmakers that 4,000 weaknesses and vulnerabilities have not been addressed. She cited weak passwords and user accounts with inappropriate access as among the most common problems.

Stephen Warren, acting assistant secretary for information and technology at the VA, said the state of computer security at the VA was something he wrestled with continually, but the inspector general's citation of security threats dealt with what could go wrong. He said that's not the same as the removal of information from the VA's computers.

"We're talking about potential. We're not talking about actuals," Warren said in describing the computer security problem at the VA.

Warren told lawmakers he disagreed with Coffman's assessment that the VA's computer systems had been compromised repeatedly by foreign entities. He said he knew of only one such instance. He declined to cite which country that involved, saying he would prefer to discuss it in a closed session.

At another point in the hearing, Warren said he was aware of more than one foreign entity that had attempted to hack into the VA's systems. He said such attacks go beyond foreign governments and also come through crime syndicates seeking financial gain.