Editor’s note: This story has been updated June 23, 2016, to include VA comment on when the threat occurred.
The Department of Veterans Affairs experienced and addressed a ransomware threat, its CIO told Senate lawmakers Wednesday.
Asked about VA’s cyberdefenses against attacks like ransomware at a hearing before the Senate Committee on Veterans’ Affairs, CIO Laverne Council said “we had to interface with it — you weren’t aware of it because we were able to address it from an IT perspective and correct it quickly.”
Ransomware — a type of malware that encrypts the contents of a victim’s hard drive or server while hackers demand payment for the decrypt key — has been on the rise in 2016, with some of the biggest instances in hospitals and medical facilities.
Council, who officially took over as VA CIO in July 2015, didn’t disclose specifics about the threat, such as when or where in VA’s networks it occurred, but she did say ‘it did try to come into the environment’ and ‘we were well prepared for it.” She added that her team immediately alerted the appropriate authorities at the Department of Homeland Security, ‘as we normally would when one of those things happens.’
A VA spokesperson said the incident occurred in March 2016.
VA continues to use resources from agencies like DHS and the National Institute of Standards and Technology to keeps its information as secure as possible.
“We’ve been very collaborative with them,’ Council told the committee. ‘DHS has been doing penetration tests for us and giving us feedback on where our opportunities are, and we want to leverage whatever they’re doing, real-time.”
‘I’m real pleased that they’ve been there for us,’ she said.
Federal information security officials told FedScoop earlier this month that in no scenario is it acceptable to give into the demands of a hacker during a ransomware attack. DHS and the FBI have issued guidance on how federal agencies and private citizens should respond if they are faced with ransomware. The FBI in particular is against the paying of this type of ransom.
“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom,’ FBI Cyber Division Assistant Director James Trainor said in a release in April. ‘Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
One of Council’s first major initiatives after her confirmation as CIO last year was to create an enterprise cybersecurity strategy for the department. Through that, her office began to shore its basic cyber hygiene, as well explore cybersecurity in evolving domains, like the medical field and the Internet of Things.
Council testified Wednesday that the VA is on track to correct 100 percent of the material cybersecurity weaknesses reported by its inspector general in a 2015 Federal Information Security Management Act audit by the end of 2017 — about 30 percent of which, she said, her office will address by the end of this year.