Veterans' Data at Risk After Cybersecurity Measure Removed, Officials Say

The private information and medical records of America's 18 million veterans has been put at risk by the temporary removal of one element of the cybersecurity program at the U.S. Department of Veterans Affairs, according to current and former officials and contractors.

If the so-called Data Loss Prevention (DLP) endpoint program had not been canceled, it could have prevented the accidental disclosure of the personal data of 1,500 veterans in North Carolina last year, according to five current or former officials of Veterans Affairs.

Data Loss Prevention endpoint is just one part of the cybersecurity program within the department's overall annual $6 billion information technology budget. What it does is to stop sensitive data from being intentionally or accidentally sent outside—for instance in an email, a printed document or on a flash drive.

"The nightmare scenario is someone walking out the door with everything," said one of the VA officials. All those who spoke to Newsweek did so on condition of anonymity because they are bound by non-disclosure agreements or fear retaliation.

Veterans Affairs did not dispute that the DLP endpoint program had been canceled, but said in a statement to Newsweek that it was redundant with other security processes and that this had no adverse impact on veteran privacy or security.

VA Press Secretary Terrence Hayes said it "takes the privacy of the Veterans, their families, caregivers, and survivors that we serve extremely seriously, and we will continue to do everything in our power to protect it."

Veterans March in Parade
People participate in the annual New York City Veterans Day Parade, November 11, 2023, in New York City. The data of 18 million veterans could be at risk because of the temporary removal of an... Photo by Andrew Lichtenstein/ Corbis via Getty Images

VA finished stripping the program from its computers in September 2023. It scanned the content of emails, documents, and local directories looking for sensitive data such as credit card or social security numbers, or health records. It monitored the clipboard for data being cut and pasted between applications, and it scanned screenshots.

Depending on how they are configured, DLP programs either flag sensitive data for further review, or prevent the email from being sent, the document from being saved, or the clipboard from being pasted altogether. The programs also monitor user behavior, looking for anomalous activity that might create a data loss risk, or indicate the presence of a malicious insider.
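To make the mechanism described above concrete, here is an added illustration of how an endpoint content inspector of this kind works. It is not code from the VA, Trellix or any product mentioned in the article; the sample message, the detector patterns and the per-channel flag-or-block policy are all constructed for this example. It scans text for social security numbers and payment card numbers, applies a plausibility check (SSA issuance rules, Luhn mod-10) to cut false positives, writes only masked values into the findings, and returns an allow, flag or block decision depending on which channel the data is about to leave through.

```python
"""Constructed example of DLP-style content inspection (not a product's code)."""
import re
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    FLAG = "flag"    # let the operation proceed but record it for review
    BLOCK = "block"  # stop the email, save or paste outright


@dataclass
class Finding:
    kind: str     # "ssn" or "pan"
    masked: str   # redacted form that is safe to write to an audit log
    offset: int   # position in the inspected text


@dataclass
class Decision:
    action: Action
    findings: list = field(default_factory=list)


# Candidate patterns; each gets a semantic check so random digits do not trigger.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a != 0 and a != 666 and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the log itself does not leak the secret."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str) -> list:
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", mask(m.group(0)), m.start()))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("pan", mask(digits), m.start()))
    return findings


# Assumed per-channel policy: flag outbound mail for review, block copy-outs outright.
POLICY = {
    "email": Action.FLAG,
    "clipboard": Action.BLOCK,
    "removable_media": Action.BLOCK,
}


def inspect(text: str, channel: str) -> Decision:
    """Decide what the agent does with `text` leaving via `channel`."""
    findings = find_sensitive(text)
    if not findings:
        return Decision(Action.ALLOW)
    return Decision(POLICY.get(channel, Action.FLAG), findings)


# Constructed sample: one real-shaped SSN, one Luhn-valid test card number,
# and a ticket reference that looks like a card number but fails Luhn.
SAMPLE_EMAIL = (
    "Hi, attaching the claims summary. Patient SSN 123-45-6789, "
    "card on file 4111 1111 1111 1111. Ticket ref 1234-5678-9012-3456."
)

if __name__ == "__main__":
    for channel in ("email", "clipboard"):
        d = inspect(SAMPLE_EMAIL, channel)
        print(channel, d.action.value, [(f.kind, f.masked) for f in d.findings])
```

The same text yields a flag on the email channel and a block on the clipboard channel, while the ticket reference is ignored because its checksum fails; that distinction between a shape match and a validated match is what keeps an agent like this from drowning reviewers in false positives.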

VA officials plan to replace the program this year, according to talking points prepared for Chief Information Security Officer Lynette Sherrill to deliver at a congressional briefing later this month. But in the meantime, the department has no DLP capability on what geeks call its endpoints, meaning more than half a million desktop and laptop computers and mobile devices used by VA staff all over the country.

"VA has no endpoint DLP Solution," read the talking points. The department "is piloting tools currently available to VA as possible endpoint DLP solutions." The talking points state that the department will "refresh" DLP to take account of new federal requirements and provide "governance, integration, and end user awareness."

The talking points state that VA data storage and cloud assets are protected by separate DLP programs, but a department official told Newsweek those are only deployed to about 10 percent of VA data centers.

The official noted other programs continue to provide some protection against data loss by monitoring VA email as it leaves the department's network or limiting users' ability to access sensitive data.

Without DLP capability on the endpoints, three serving and former VA officials and two contractors told Newsweek, department staff could, accidentally or maliciously, copy, print, or even download to removable media like thumb drives potentially unlimited amounts of sensitive data from the massive troves of Veterans' personal information the department possesses.

"Very Dangerous" Gap

There is evidence of the adverse impact the cancelation created, one VA official said, pointing to an incident in July 2023, after VA had canceled the program, when the Charles George VA Medical Center in Asheville, NC, revealed that an email attachment containing personal data and health information on more than 1,540 veterans had "inadvertently" been sent to three people.

"That would have been flagged or even blocked by a fully functional DLP capability," said the official, whose conclusions were echoed by four current or former colleagues.

The Veterans Administration did not respond directly to the request for comment on whether the data release was a result of canceling the DLP endpoint program.

Worse than such inadvertent or careless disclosures of small sets of data, these current and former officials and contractors said, the removal of the DLP program puts at risk the vast troves of personal information the VA holds on all veterans — including addresses, dates of birth and social security numbers. In addition, the VA holds banking details on the more than 5 million veterans who receive disability or other monetary benefits.

VA is also the largest single healthcare provider in the U.S. and it possesses the medical records on 9 million veterans enrolled as patients. Medical records are especially prized by criminal hackers and other online crooks and fetch a premium on the dark web markets where they trade hacked data sets.

"All of that data is now at much greater risk," a former VA official told Newsweek. "They've created this huge gap" in the mechanisms designed to protect it.

Hayes denied that a gap had been created. "We protect Veterans' data in many ways – across multiple environments," he said.

"We constantly review and amend our contracts to be good stewards of taxpayer money, while never sacrificing the security of those we serve," he said.

Microsoft "from Soup to Nuts"

The DLP endpoint contract, according to procurement and other internal documents reviewed by Newsweek, was awarded in 2021 via a competitive offering. The winning product, from the cybersecurity firm now called Trellix, was chosen after an independent technical assessment found it "best of breed."

But in January 2023, Sherrill, the department's CISO, asked a fellow VA executive what they thought about going "all-in" on Microsoft products "from soup to nuts," according to a text message seen by Newsweek.

And now, say current and former officials, DLP is the first of three standalone, competitively awarded security programs that is to be scrapped and replaced with Microsoft security tools that the Redmond, Washington-based tech giant bundles into its product plan for big customers, called an enterprise license agreement (ELA).

In March 2022, the department signed a new such agreement, buying Microsoft products for VA's 600,000 endpoints and their users. The three-year, $1.6 billion deal includes a suite of security tools.

Like many of Microsoft's big federal contracts, it was a brand-name sole-source procurement and after the expanded license had been bought, the department started looking at other contracts that could be scrapped in favor of Microsoft's bundled security tools.

The pattern of shifting from standalone programs to going all-in on Microsoft has been seen elsewhere in the federal government, including at the Department of Defense, where Newsweek reported last year that it had raised concerns.

"It doesn't give the taxpayer value because there's no competition, and it creates a potential single point of cybersecurity failure," said consultant Roger Cressey, a former White House official who was focused on the cyber threat more than two decades ago, and has continued to work on cyber issues since.

"The danger of that is, when a Microsoft product sneezes, the government catches a cybersecurity cold, and our national security is put at risk," said Cressey, whose consulting clients include competitors of Microsoft.

But Microsoft's Federal Security Chief Technology Officer Steve Faehl said that using a variety of different competitively awarded vendors' tools can lead to a hodge-podge of different solutions, often with overlapping capabilities, that have to be engineered to work together. That also incurs large integration costs for the U.S. government whereas Microsoft security tools are pre-integrated, he said.

"Using our products as standalone products to put next to other standalone products, you're going to have about the same success that you had previously. But if you do go all in on the Microsoft ecosystem you can get to this unified capability," Faehl said.

Going all in on Microsoft raises competition concerns as well, however.

Competition in federal contracting is a legal requirement, said John Weiler, CEO of the IT Acquisition Advisory Council, a non-profit that works to improve the way the federal government buys computer goods and services.

"When additional products are bundled into ELAs, and then used instead of competitively awarded standalone contracts, that is abuse. ELAs should not be used to circumvent the requirement for open competition in law and policy," he said.

VA press secretary Hayes said in his statement that the VA used ELAs "when appropriate. By doing so, we can ensure that we receive innovative and best-in-class products and services from our suppliers at the best value for the government."

Microsoft's Faehl rejected the notion that bundling was anti-competitive.

"Our ecosystem is open and interoperable ... We know Microsoft isn't going to meet 100 percent of the requirements. So the best thing that we can do is make it really easy to add someone else in really fast to bolster those capabilities." Smaller companies could be more agile and Microsoft's ecosystem could leverage new capabilities they offered at "speed and scale," Faehl said.

Shaun Waterman can be reached on LinkedIn at www.linkedin.com/in/shaunwaterman/. Follow him on X at @WatermanReports, and Reddit at u/WatermanReports.
