Administrative Investigation, Improper Access to the VA Network by VA Contractors from Foreign Countries, Office of Information and Technology, Austin, TX

Seven years after the 2006 data breach, VA information security employees still reacted with indifference, little sense of urgency, or responsibility concerning a possible cyber threat incident. Austin Information Technology Center (AITC) OIT employees failed to follow VA information security policy and contract security requirements when they approved VA contractor employees to work remotely and access VA’s network from China and India. One accessed it from China using personally-owned equipment (POE) that he took to and left in China, and the other accessed it from India using POE that he took with him to India and then brought back to the United States (US). After the Acting CIO learned of this improper remote access, he gave verbal instructions for it to cease; however, VA information security employees at all levels failed to quickly respond to stop the practice and to determine if there was a compromise to any VA data as a result of VA’s network being accessed internationally. Further, we found that a VA employee, as well as other VA contractor employees, improperly connected to VA’s network from foreign locations.