Veterans Affairs computers vulnerable to hackers

The Associated Press

WASHINGTON (September 21, 2000 6:14 p.m. EDT http://www.nandotimes.com) - Department of Veterans Affairs computers are vulnerable to hackers and dishonest agency workers, putting veterans' information as well as VA funds at risk, department officials said Thursday.

The VA's top technical officials and their internal watchdog office told the House Veterans Affairs' oversight subcommittee that when the department contracted a security company to see whether their defenses were enough, the hackers had no trouble breaking in to the system with simple tools, taking total control of it.

Michael Slachta Jr., an assistant inspector general at VA, said that the hackers "owned the system," while the department didn't even know its systems were attacked.

To stunned legislators, Slachta testified that the hackers had access to the confidential data of veterans, including their personal histories, and medical and financial information. They could also get into VA's internal data and business systems.

Slachta said the testing was just done on Veterans Benefits Administration computers, but the hackers got access to the VA's "backbone," giving them free rein over all of VA's systems, including the Veterans Health Administration, which holds sensitive medical records for VA hospitals.

"I was chagrined at how fast we got in," Slachta said in an interview with The Associated Press. He said he didn't like divulging so many details of the VA's security scheme, but "it's important that this comes out and be corrected."

Money as well as information was up for grabs through the security holes. The officials testified that in two case, VA employees used the weaknesses to write themselves more than $1.2 million in fraudulent benefit checks. They said "dozens" more fraud cases are under investigation.

Lawmakers called the news frightening, and called for changes.

"I think we in Congress and the VA have something that we need to get a handle on right away," said Rep. Corrine Brown, D-Fla., ranking member of the subcommittee. "We've got to make sure that this is tightened up, there's no question about it."

"I find this revelation extremely scary," said subcommittee Chairman Terry Everett, R-Ala.

House Majority Leader Dick Armey placed the blame on the Clinton administration.

"These studies make me ask again, how can this administration talk about protecting privacy when their own departments and agencies put some of our most private information at risk?" Armey said.

The VA officials said some of the security holes have been repaired since the tests occurred in December 1999 and January 2000, but that there's still a lot of work to do.

"They have corrected the major weaknesses that we have identified, and are in the process of completing our recommendations by the end of this year," Slachta said. "But I haven't verified that."

A report released by a House subcommittee on technology, using information from the General Accounting Office, gave the federal government a "D-" overall for information security. Previously, the Environmental Protection Agency has been singled out in a GAO report for lax computer protection systems.

Everett directly asked Robert P. Bubniak, the acting deputy assistant secretary for information technology at the department the question that would be on the minds of veterans who take advantage of VA services.

"How can you reassure veterans and their families that hackers and other unauthorized VA employees have not intruded into their personal financial and medical information maintained by the VA?" he said.

Said Bubniak: "I cannot."

http://www.nandotimes.com/noframes/story/0,2107,500260392-500401764-502416389-0,00.html

-- Martin Thompson (mthom1927@aol.com), September 22, 2000