What: VA data breach
When: May 2006
Why it matters: A VA employee’s laptop was stolen. It contained personal data on 26.5 million veterans. While the information was recovered, the incident highlighted data security challenges and led to major cybersecurity changes at the VA and across government.

Nearly two decades ago, a breach involving the personal data of more than 26 million veterans served as a cybersecurity wake up call for the Department of Veterans Affairs and the rest of the federal government.
The 2006 VA data breach wasn’t your classic cybersecurity incident as we think about them today. In this case, a Department of Veterans Affairs employee took home a laptop and external hard drive containing personal data on nearly all living veterans.
Burglars broke into the employee’s home and stole the devices, whisking away an unencrypted hard drive containing sensitive information — names, dates of birth, and Social Security numbers — on 26.5 million veterans.
Law enforcement would go on to recover the devices. Federal investigators determined that none of the sensitive data was improperly accessed.
But while it didn’t result in a data loss, or involve nation-state hackers or ransomware gangs, the theft became a landmark cybersecurity incident. For the VA and other agencies, it highlighted the need for stronger cybersecurity practices at a time when large-scale data breaches were just starting to become a challenge.
Cyber experts and former officials say it also started to shift the emphasis at the VA and across government from compliance toward security and real-time monitoring of vulnerabilities.
“It caused, many years later, ripples that changed the way the federal government looked at cybersecurity as, ‘We don’t need to be compliant. We need to be secure. And then demonstrate compliance with FISMA and all those things,’” John Pescatore, director of emerging security trends at the SANS Institute, said in an interview. “We need to make sure the mission and the data is secure first.”
The incident also led to Congress passing landmark cybersecurity legislation that set more stringent security standards for the VA. The legislation also consolidated power for the VA’s IT environment under the chief information officer.
Roger Baker, who served as VA CIO from 2009 through 2013, said the VA’s information security program has improved in large part thanks to the empowerment of the agency’s CIO.
“I wish that the rest of the federal government had learned many of the lessons that VA has gone through as a result of empowering the CIO,” Baker said in an interview. “It would help us a lot, especially from a cyber standpoint.”
‘America is watching’
The 2006 incident also revealed startling lapses in internal breach notification processes at the VA.
The VA employee’s laptop was stolen from their home on May 3, 2006. But while the employee immediately notified their superiors about the data theft, the VA secretary was not informed about the incident until nearly two weeks later.
Congress and veterans impacted by the incident were not notified until a week after that, nearly three full weeks after the burglary.
The VA inspector general’s office found cybersecurity officials acted “with indifference and little sense of urgency” regarding what was considered one of the largest personal data breaches in the history of the computer age.
The IG’s report also criticized the employee for using “extremely poor judgment when he decided to take personal information pertaining to millions of veterans out of the office and store it in his house, without encrypting or password protecting the data.”
By late June 2006, law enforcement had recovered the stolen laptop and external hard drive. FBI and OIG investigators quickly conducted a forensics examination and determined that no files on the hard drive were compromised after the burglary.
By then, however, Congress was already in the midst of a sweeping investigation. During a July 2006 hearing held by the Senate Committee on Veterans Affairs, then-Chairman Larry Craig (R-Idaho) said the VA incident has had “far reaching implications.”
“America, I believe, is watching VA and what VA does to learn from and correct its mistakes, because the issue of data security is a problem not only across government, but within the private sector as well,” Craig said. “I think what happened at VA should be an awakening to all of government. There is not a single American who does not expect and, frankly, does not deserve assurances from their government, one of the world’s largest custodians of sensitive personal information. They deserve a vigilant security program to protect that information.”
Then-VA Secretary John Nicholson told lawmakers the incident had helped accelerate a plan to consolidate the agency’s IT budget and authorities under the CIO. The reorganization moved more than 5,000 people and approximately $400 million in spending directly under the CIO’s purview, Nicholson said.
“This process was and, of course, still is underway and will greatly facilitate control, training, responsibility and accountability,” he said. “This consolidation of IT has been accelerated as a result of this incident.”
‘Managing to an edge’
In December 2006, Congress passed the Veterans Benefits, Health Care, and Information Technology Act. The law strengthened security procedures at the VA and required the agency to report its progress to Congress.
It also accelerated the IT reorganization mentioned by Nicholson. It elevated the CIO role to an assistant secretary position, giving the role the authority to oversee the VA’s entire IT program. The law also required all users of VA systems to comply with security policies and practices established by the CIO.
“The VA is the only place that I’m aware of that has anything near that level of authority,” Baker said.
When he took over as VA CIO in 2009, Baker said the authorities enabled him to move quickly to set IT and cybersecurity priorities. Despite the law, however, he said the VA CIO still needs the backing of the agency’s top leader, pointing to one of his moves to cancel 200 underperforming programs.
“You don’t do that without a cabinet secretary who’s willing to stand behind you and say, ‘This is what we’re doing,’” Baker said.
Nearly 20 years later, no other federal agency CIO has the same level of authorities as at the VA. Baker believes the 2006 incident was a missed opportunity to empower top IT officials across government.
“If we’ve got the right solution at VA, we need to apply that across the organization,” Baker said. “The fact that other CIOs don’t have the kind of power that the VA CIO has … is only causing much more severe cyber issues, because you don’t have the hammer to make things happen.”
But even with increased authorities, Baker said the CIO’s ability to compel cybersecurity compliance is still limited by the realities of the mission.
“The CIO’s role is to protect the information while coming right up to the edge of making certain that it doesn’t impact medical care,” he said. “This is where Congress and I got crosswise, and Congress and later CIOs got crosswise. There was a testimony after I left where one of my successors was asked, ‘Why can’t you secure all the enterprise? Why can’t you secure the information?’ And the answer is pretty simple: Because medical care is more important.”
Security over compliance
While the 2006 VA incident didn’t lead to empowered CIOs across government, it did set in motion major changes to governmentwide cybersecurity policies and practices.
The breach, for instance, highlighted some immediate gaps in agency information security policies during a time when laptops and mobile devices were starting to become more common in the workplace.
The VA laptop and hard drive were unencrypted. The data on the hard drive wasn’t password protected. Both issues meant thieves could have easily accessed the sensitive data.
In June 2006, the Office of Management and Budget directed agencies to ensure they were encrypting devices taken out of the workplace and protecting data access with two-factor authentication.
“It really started to push all of the federal government to get a real head start on securing laptops better and supporting work at home,” Pescatore said.
Congress also mandated that all VA laptops be encrypted going forward. The law required the VA to report on how it was complying with that requirement.
When he took the job as VA CIO, Baker said, the agency was gauging compliance with the encryption policy through manual data calls, and those data calls showed 99% compliance.
But when Baker’s team adopted a new process for monitoring the status of encryption electronically, it revealed that only 85% of the agency’s laptops were encrypted.
“That’s why we implemented visibility to every device,” Baker said. “I want to know exactly what’s running on every device. I want to know what software we’ve got. I want to know whether it’s up to specs on its patches or not.”
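The gap Baker describes, 99% compliance on paper versus 85% once the status was read from the laptops themselves, is a recurring failure mode of compliance programs: a data call measures what offices say, telemetry measures what devices are. The Python script below is an added illustration of that reconciliation, not code from the VA or from this article. It takes a constructed self-report list and a constructed set of endpoint telemetry records (device IDs, field names, the 30-day freshness window and the reference date are all hypothetical), computes both rates over the combined inventory, and lists the devices whose claimed status cannot be confirmed: misreported, stale, agentless, or never reported at all.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SelfReport:
    """One row of a manual data call: what an office said about a laptop."""
    device_id: str
    encrypted: bool


@dataclass(frozen=True)
class Telemetry:
    """What an endpoint agent actually read from the laptop (hypothetical schema)."""
    device_id: str
    disk_encrypted: bool
    last_seen: datetime


# Constructed reference time and freshness window; both are assumptions.
NOW = datetime(2009, 6, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=30)


def is_fresh(t: Telemetry, now: datetime = NOW, stale_after: timedelta = STALE_AFTER) -> bool:
    """Telemetry older than the window says nothing about the device's current state."""
    return now - t.last_seen <= stale_after


def reconcile(reports, telemetry, now=NOW, stale_after=STALE_AFTER) -> dict:
    """Compare the self-reported encryption rate with the observed one.

    The inventory is the union of both sources, so a laptop that appears in
    only one of them still counts in the denominator. A device is observed
    compliant only when fresh telemetry says its disk is encrypted; stale or
    missing telemetry is treated as non-compliant rather than as unknown-but-fine.
    """
    reported = {r.device_id: r for r in reports}
    observed = {t.device_id: t for t in telemetry}
    inventory = sorted(reported.keys() | observed.keys())

    misreported, stale, no_telemetry, unreported = [], [], [], []
    reported_ok = observed_ok = 0
    for dev in inventory:
        r, t = reported.get(dev), observed.get(dev)
        if r is None:
            unreported.append(dev)          # device exists but was never in the data call
        elif r.encrypted:
            reported_ok += 1
        if t is None:
            no_telemetry.append(dev)        # no agent check-in at all
            continue
        if not is_fresh(t, now, stale_after):
            stale.append(dev)               # agent went quiet; status unverifiable
            continue
        if t.disk_encrypted:
            observed_ok += 1
        elif r is not None and r.encrypted:
            misreported.append(dev)         # claimed encrypted; device says otherwise

    total = len(inventory)
    return {
        "inventory_size": total,
        "reported_rate": reported_ok / total if total else 0.0,
        "observed_rate": observed_ok / total if total else 0.0,
        "misreported": misreported,
        "stale_telemetry": stale,
        "no_telemetry": no_telemetry,
        "unreported": unreported,
    }


# Constructed sample data: nine laptops, not a real inventory.
SAMPLE_REPORTS = [
    SelfReport("LT-001", True),
    SelfReport("LT-002", True),
    SelfReport("LT-003", True),   # claimed encrypted; telemetry disagrees
    SelfReport("LT-004", True),   # claimed encrypted; agent silent for 60 days
    SelfReport("LT-005", True),
    SelfReport("LT-006", False),
    SelfReport("LT-007", True),   # claimed encrypted; no agent installed
    SelfReport("LT-008", True),
]
RECENT = NOW - timedelta(days=2)
SAMPLE_TELEMETRY = [
    Telemetry("LT-001", True, RECENT),
    Telemetry("LT-002", True, RECENT),
    Telemetry("LT-003", False, RECENT),
    Telemetry("LT-004", True, NOW - timedelta(days=60)),
    Telemetry("LT-005", True, RECENT),
    Telemetry("LT-006", False, RECENT),
    Telemetry("LT-008", True, RECENT),
    Telemetry("LT-009", True, RECENT),   # never appeared in the data call
]


def demo() -> dict:
    """Run the reconciliation over the constructed sample."""
    return reconcile(SAMPLE_REPORTS, SAMPLE_TELEMETRY)


if __name__ == "__main__":
    result = demo()
    print(f"reported: {result['reported_rate']:.0%}  observed: {result['observed_rate']:.0%}")
    for key in ("misreported", "stale_telemetry", "no_telemetry", "unreported"):
        print(f"{key}: {result[key]}")
```

On the sample, the data call reports seven of nine laptops encrypted while telemetry can confirm only five, and the four buckets explain every point of the difference. The design choice that matters is that stale and absent telemetry count against the rate: a monitoring program that quietly assumes silent devices are fine reproduces the same blind spot the manual data call had.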
The concept of real-time visibility into network vulnerabilities became a governmentwide imperative when the Department of Homeland Security launched its Continuous Diagnostics and Mitigation program in 2012.
“The VA event pointed to the need for knowing when data was being accessed and monitoring and making sure they were secure and patched,” Pescatore said. “CDM wasn’t the most successful program ever made, because it took years to get going, but it did help lots of smaller government agencies get the support they needed to buy some tools.”
The VA’s lagging breach notification process also came under scrutiny in the wake of the 2006 incident. In September of that year, OMB issued breach notification guidance for incidents involving potential identity theft. It required agency personnel in most cases to immediately notify management when a breach occurs.
In the years since the 2006 VA data breach, the federal government has experienced several major cyber incidents. And unlike the 2006 case, those incidents — such as the 2015 Office of Personnel Management hack or the 2020 SolarWinds campaign — did result in the loss of personal information or the exploitation of sensitive government data.
The cybersecurity landscape has also changed dramatically. In 2006, there was no federal government tally of annual cyber incidents. In fiscal 2023, the White House reported that agencies experienced more than 32,000 incidents, nearly a 10% increase over the prior year. The vast majority of those incidents were negligible, with only 11 of them deemed to cross the threshold for “major” cyber incidents.
Pescatore said that over the last two decades, agencies have become more nimble and focused in how they address cybersecurity. OMB in particular has moved quickly to address governmentwide concerns, while the Cybersecurity and Infrastructure Security Agency was established in 2018 to help oversee cybersecurity on the civilian side of government.
But cybersecurity remains on the Government Accountability Office’s high-risk list due to persistent gaps in information security programs.
“We see OMB move faster with those directives, which get immediate movement from department heads and agency heads,” Pescatore said. “So that caused some faster movement on number of things. And in a number of areas we’re still lacking.”
© 2025 Federal News Network. All rights reserved.