In early June, a former Department of Veterans Affairs IT manager told members of the House Veterans Affairs Committee that the VA’s databases have been hacked by at least eight foreign organizations — notably by organizations linked with the Chinese military, which may have viewed (or taken) veterans’ personal identifying data, like Social Security numbers.
The account of the hackings came along with details of an upcoming Inspector General report on security problems plaguing VA IT, as the agency girds for a remediation plan at the same time workers and management are scrambling to improve waiting times for veteran benefits applications.
But why would the VA be a target for hacking in the first place? For one thing, said Chris Wysopal, CTO of the application security firm Veracode, it may partly be because the agency’s systems are vulnerable and because hackers roam around the internet looking precisely for such systems to breach. It could also be an indication of the Chinese government showing off some of its digital prowess, poking around the databases of the U.S. military, surmised Wysopal, an IT security analyst who was a member of the Boston-based hacker collective L0pht. In 1998, Wysopal and other hackers told a Senate committee that the internet could be knocked out within 30 minutes, so pervasive were vulnerabilities in its budding years.
Today, the internet could not be brought down in 30 minutes and possibly not ever, but IT security risks still loom large, said Wysopal, in a Q&A with Government Health IT — especially for government agencies and healthcare organizations.
Q: So was the VA really hacked, and by organizations linked to Russia and China?
A: It doesn’t really surprise me at all. If you have vulnerabilities and you have a sophisticated attacker and they want to get in, they will. The specific details never seem to get out. But from what we know, they’re just like any other non-classified government agency: they have web applications exposed to the internet, they have employees using email and being able to access the internet from their workstations and that type of infrastructure is highly vulnerable these days unless you take the effort to really secure it.
Q: Ascribing motives to these organizations that allegedly hacked the VA is difficult, but what are some reasons why they might have wanted to enter these databases?
A: For most healthcare data, the motive is financial. But in the case of the Department of Veterans Affairs, it could go beyond that, because you’re essentially getting information about current and former government employees in the military. It does seem to cross over that line — that this might have some espionage value for understanding the U.S. as an adversary.
Q: And this news follows reports of the Chinese military hacking U.S. corporations in pursuit of business information, like proprietary technical designs?
A: It seems that the sort of threat model we’ve been dealing with as security professionals for the past 10 or 15 years has really been to keep criminals out and keep them from stealing things that are easily monetizable, like credit card numbers and Social Security numbers. The fact that we have people going after intellectual property for military value and economic value kind of caught us all with our pants down. That wasn’t being protected because we didn’t think that those attacks were happening. And then as those revelations have come across in really the last three to four years, we’re still sort of scrambling to protect that kind of data. Even though we’ve known about it for three or four years, it’s kind of shocking that you kind of hear new instances of this. Dedicated government organizations — not criminal organizations — are going after data which isn’t necessarily monetizable on the black market; it’s plans for fighter planes, maybe personnel information, in the case of the VA. It’s changed the threat model and I still don’t think we’ve caught up with security precautions.
Q: Why do you think the VA was vulnerable to hacking in the first place?
A: I don’t know in detail about their IT landscape. But they are required to have security controls dictated by FISMA — the Federal Information Security Management Act — that says all government organizations that have government data have to comply with a set of controls defined by NIST (the National Institute of Standards and Technology), and a standard called 800-53. Up until just this year, when the new version came out in May, revision four, that standard was getting very long in the tooth. It really wasn’t keeping up with modern security processes that even corporations are doing. It was very compliance-focused with check boxes — that you have a firewall, you have an antivirus, you configured your server properly. It really didn’t keep up with the kind of threats that we’re seeing modern attackers use, which is breaking through web applications, looking at defects at the code level for custom web applications. Those kinds of attacks aren’t really contemplated by the standards, and the same thing with phishing. Phishing attacks really go after vulnerabilities at workstations connected to the internet, and those kinds of attacks weren’t really contemplated by the NIST standards. For instance, you might have Java running on that workstation and a known vulnerability might come out in Java, but if you don’t patch that workstation that day, if you’re under concerted attack, you’re going to get broken into. So I think that a lot of these breaches are due to following old standards and not being up-to-date with your security.
Q: What could the agency do to shore up systems security?
A: It’s really to look at those modern threats. The two biggest ones are breaching organizations through web applications and through phishing attacks. Short on the heels of those is going to be through mobile applications. This isn’t the old risk of not patching your mail server. Really what they need to do is look at their software supply chain, look at what software they’re purchasing, what software they’re building and make sure security testing is happening there. The other thing to look at is: I like to tell organizations to look at the 20 critical security controls that SANS has put out, and at least look at inventory, devices, software, networks. A lot of it is the basics, but it’s making sure you’re doing it for every piece of software on your networks, because the attackers will find that weak point. They’re probing and scanning constantly, and in the past people have cared only about their most important web server or their most important machines, their mail server or their firewall, and they’ve ignored all the little web applications. Scaling to every machine, every piece of software, is just the reality of today.
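The two points Wysopal makes, patching every workstation the day a known vulnerability is published and keeping an inventory that covers every machine and every piece of software rather than only the important servers, come down to the same check: compare what is installed everywhere against what is known to be fixed, and find the hosts nobody looked at. The script below is an added example written for this article; it is not code from Veracode, the VA, or the interview. The host names, product names, version strings and advisory identifiers are all constructed for illustration (the `ADV-EXAMPLE-*` ids are placeholders, not real CVEs), and the simplified dotted version format is an assumption; real vendor version strings vary and need proper parsing.

```python
"""Inventory coverage and patch-gap check (added example, not from the interview).

Takes a constructed asset inventory (host -> installed software and version),
a constructed list of advisories (first fixed version per product) and the
set of hosts the vulnerability scanner actually covered. It reports every
exposed install and every host that no scan reached, which is the
"every machine, every piece of software" discipline the interview describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str   # first version that contains the fix
    advisory_id: str     # placeholder identifier, not a real CVE


# Constructed inventory: every host and every piece of software gets a row,
# including the "little" internal web app that tends to be ignored.
INVENTORY = {
    "ws-014": {"java": "7.0.21", "browser": "27.0"},
    "ws-015": {"java": "7.0.25", "browser": "27.0"},
    "web-intranet-03": {"app-server": "2.1.0", "java": "6.0.45"},
    "mail-01": {"mta": "3.4.1"},
}

# Constructed advisories: a host running anything below fixed_version is exposed.
ADVISORIES = [
    Advisory("java", "7.0.25", "ADV-EXAMPLE-001"),
    Advisory("app-server", "2.1.3", "ADV-EXAMPLE-002"),
]

# Constructed list of hosts the last vulnerability scan actually covered.
SCANNED_HOSTS = {"ws-014", "ws-015", "mail-01"}


def parse_version(version):
    """Turn '7.0.21' into (7, 0, 21) so versions compare numerically, not as text.

    Assumes the simplified dotted-integer format used in this constructed data.
    """
    return tuple(int(part) for part in version.split("."))


def find_patch_gaps(inventory, advisories):
    """Return (host, product, installed_version, advisory_id) for every exposed install."""
    gaps = []
    for host, software in sorted(inventory.items()):
        for advisory in advisories:
            installed = software.get(advisory.product)
            if installed is None:
                continue  # product not present on this host
            if parse_version(installed) < parse_version(advisory.fixed_version):
                gaps.append((host, advisory.product, installed, advisory.advisory_id))
    return gaps


def find_unscanned_hosts(inventory, scanned_hosts):
    """Hosts in the inventory that no scan covered: the blind spots an attacker probes for."""
    return sorted(set(inventory) - set(scanned_hosts))


if __name__ == "__main__":
    for host, product, installed, advisory_id in find_patch_gaps(INVENTORY, ADVISORIES):
        print(f"PATCH GAP  {host:<16} {product:<12} {installed:<8} ({advisory_id})")
    for host in find_unscanned_hosts(INVENTORY, SCANNED_HOSTS):
        print(f"UNSCANNED  {host}")
```

Run against the constructed data, the report flags the workstation still on the older Java build, the intranet web app that is behind on both its application server and its Java runtime, and the fact that the same intranet host was never scanned at all. In practice the inventory and scan coverage would come from the organization's asset management and scanning tools, and the advisory list from vendor feeds; the value of the check is that it is applied to every row, not only to the mail server and the main web server.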
Q: Slightly off topic, but is it still possible to bring down the internet in 30 minutes, as you famously told a Senate committee in 1998?
A: No, it’s a lot harder now. Back in ’98, there were lots of different ways that that could happen. We were talking about routing infrastructure, the ways the different network providers connect with each other and exploiting those connections. There were also vulnerabilities in the root servers that have also been largely taken care of since then by diversifying the networks that those are on and giving them a lot more bandwidth. So thankfully we really haven’t seen that kind of outage. But it’s because people raise these issues that they get fixed.
Q: Back to the VA hacking, and to flip it around: Do you think the best and the brightest working for the U.S. government would be able to hack into the Chinese military’s systems and poke around service members’ PHI?
A: Sure. I think that’s totally possible. There are stories coming out recently about some of the (National Security Agency’s) offensive capabilities and they seem very sophisticated, and then there are some new revelations about what Edward Snowden is saying about major network connection points in China being hacked so that the networks could be compromised. There’s clearly activity going on, and the teams that are doing it are pretty sophisticated. It wouldn’t surprise me at all if they could get into healthcare data.