The 168 words that Stephen Warren added to his opening remarks just an hour before testifying on Capitol Hill Monday may have only lasted 58 seconds, but they succeeded in putting the beleaguered chief information officer of the Department of Veterans Affairs back in control of his relationship with Congress.
The last time Warren appeared before the committee, he sat stiffly and silently, resigned to his role as VA’s sacrificial lamb before a Congress demanding accountability for a major security breach involving state-sponsored hackers from at least eight nations. That was 17 months ago, and the experience was not a good one.
But a lot has changed since June 2013, not the least of which seems to be Warren’s strategy for communicating with an adversarial Congress. When he sat down in front of the committee Monday to answer for two scathing cybersecurity audits by the General Accountability Office and the VA’s inspector general, Warren presented a fundamentally different posture. He was no longer the defeated, crestfallen IT executive in charge of a lumbering bureaucracy but a veteran called to service by the sacrifice of his own blood.
Warren began by characterizing his own “personal obligation” to serving veterans.
“A veteran for me is my grandfather, William, who was wounded in the trenches in World War I but went on to serve in the English Channel and Mediterranean in World War II; my father, Steve, [and] my father-in-law, Grenville, both deceased; my brother-in-law, Ted, Navy retired; and my brother, Alex, Army National Guard separated; my nephews, Michael and Duncan, presently serving on active duty,” he said.
Known more for his stone-faced, intellectual approach to managing VA’s technology enterprise, Warren revealed a different side of his persona when he told the story of his brother, Chuck, an Army National Guard veteran who was killed in action in 2005 while serving in Baghdad. “And his widow, Carol, along with his two orphans, my nephew Jackson and my niece Maddy — a niece who will never meet her father. They, as well as the many friends I served with in the Air Force, shape my decisions and actions as I endeavor to find that appropriate balance of risk between information protection and the delivery of care, services and benefits to our nation’s veterans,” Warren said.
The approach worked. In less than a minute, Warren effectively stripped Republicans of their ability to depict him as an uncaring bureaucrat unaffected by the suffering of the nation’s veterans.
“I think it was an effort to shield himself,” an official close to Warren said. “He didn’t practice those last 30 seconds, and I learned of its existence when he emailed it at 12:30.”
But Warren still had a lot to answer for, including preliminary findings of an IG audit first reported by FedScoop that show VA continues to deal with significant cybersecurity vulnerabilities that have gone unaddressed for years. Another major concern expressed by lawmakers involves the likelihood that foreign-state-sponsored hackers who infiltrated VA networks in 2010 may still have access.
Under questioning from the committee, Warren found himself in the unenviable position of having to explain the process and risks involved in deploying software patches across the VA enterprise to lawmakers who were clearly struggling to come up with meaningful questions on the most basic cybersecurity issues raised in the IG report. In fact, the committee failed to ask a single question of Stan Lowe, VA’s chief information security officer, during the entire two-and-a-half-hour hearing.
At one point, Warren tried to explain to lawmakers that given the constant nature of emerging threats and vulnerability discovery, an organization as large as VA will never be fully patched. Given the IG’s findings that some systems had gone unpatched for more than a year, some committee members incorrectly interpreted that statement to mean VA was acknowledging it could not secure veterans’ information.
A source familiar with VA’s information security architecture said the IG’s criticisms of VA’s lack of software patching need to be taken in context. “The number and age of so many vulnerability patches not yet applied needs to be shown against the impact to mission delivery if they were applied,” the source told FedScoop in an email. “Many VA applications that use Oracle, Java, and Adobe were written years ago in such a way that the version available at that time was hard-coded into the application. Pushing updated versions would cause massive disruptions to all manner of VA service delivery. By some estimates, to completely fix these systems would require they be taken offline for weeks, if not months, and that is something VA can’t do.”
Meanwhile, Warren confirmed that cybersecurity firm Mandiant had notified the agency last week that the domain controllers believed to have been compromised in 2010 by nation-state hackers are now secure. But a VA official, who spoke to FedScoop on background, acknowledged that VA disagrees with the IG’s findings on the number and extent of foreign hacker intrusions.
“Since 2010, we have had fewer than 100 targeted incidents,” the official said, pointing out that the agency blocks more than 12 million intrusion attempts every year. “Only two resulted in data coming out. However, our cybersecurity team conducted forensics and is reasonably confident that no veteran data was exposed.”
“The staff have conducted thorough analysis and believe the breach incidents involved a very small number of systems infected, far less than indicated in today’s testimony,” the source told FedScoop. “The fact that VA continues to look for evidence of threats and compromises is part of the normal course of business and shows that we are taking our cybersecurity responsibility seriously.”