VA whistleblower retaliation has been a problem even at the highest levels of the agency according to a recent investigation linked to technology contract procedures.
According to FedScoop, the Department of Veterans Affairs (VA) Office of Accountability and Whistleblower Protection (OAWP) completed an investigation and issued a report into alleged retaliation implicating the conduct of at least one of the agency’s former Information Technology leaders.
FedScoop received an exclusive on the OAWP report that reportedly confirmed allegations of retaliation against a whistleblower by Paul Cunningham, the former VA chief information security officer (CISO).
His subordinate, IT leader Joseph Stenaka, made protected disclosures alleging wrongdoing by Cunningham in contracting procedures for software services.
The FedScoop story indicated Stenaka was the victim of retaliation “after he raised concerns about contract negotiations between former CISO Paul Cunningham and software company Splunk.”
Stenaka was reportedly retaliated against twice by his boss as a result of his whistleblower communications. Cunningham gave Stenaka low performance ratings and removed him from his post as executive director for information security operations within VA OIT. It appears he was demoted to a similar role within Veterans Benefits Administration.
Not only did Stenaka get a low performance rating he did not deserve, but his supervisor removed him from his post, a personnel action that could have a career-ending effect.
Fortunately, after the OAWP report was issued, it appears Stenaka was reassigned. He is presently listed by VA as the Executive Director, Information Security Operations/Deputy Chief Information Security Officer and Chief Privacy Officer with the Department of Veterans Affairs.
Stenaka also alleged retaliation against another senior VA official at the time. The other allegations were not addressed in the report given to FedScoop.
It’s been quite a few years since VA initiated policies to eliminate whistleblower retaliation problems. Wasn’t the VA Office of Accountability and Whistleblower Protection (OAWP) supposed to fix this years ago?
The reporting suggests OAWP may still have some problems in keeping reporting confidential.
It is worth asking what steps OAWP is taking to keep whistleblower reports confidential when the agency official responsible for cyber security is the same official being complained about, likely using the same cyber systems.
Is it possible in practice to keep such communications confidential from the agency’s IT leadership?
Allegations Nuts ‘n Bolts Per FedScoop
The nuts and bolts of the allegations as listed in the report per FedScoop were:
Stenaka was sanctioned after making disclosures in which he alleged that Cunningham exchanged licenses under a contract with software company Splunk for future credit without involving contracting officials, according to the OAWP.
Under federal procurement law, all agreements between federal agencies and contractors must be reviewed by a contracting officer to ensure that all legal requirements have been met.
In September 2020, Stenaka made disclosures to the chief of staff at the VA’s OIT, in which he said that Cunningham had received only “pennies on the dollar” for what the Splunk contract was worth.
Based on the article, it appears Cunningham circumvented necessary review requirements without involvement of contracting officers. Any ideas why?
FedScoop indicated the OAWP report was completed in February 2022. It took the organization eighteen months to complete the investigation.
Does it seem like an 18-month turnaround is a reasonable amount of time for what seems like an obvious retaliation case? What else did VA find that was not addressed in the report?
What FedScoop did not mention was Cunningham’s retirement. A VA spokesperson announced it to MeriTalk on behalf of the agency the same month OAWP reportedly completed its internal investigation. No replacement was identified at the time of retirement.
Is this justice?
It may be difficult for Congress to dig into the issues with Cunningham gone. Congress rarely calls former executives to testify about agency matters after retirement.
What is Splunk?
If you are like me, you may be wondering what Splunk actually does for the federal government. So, I took a little time to search the interwebs to learn more.
The following is an example of what I found, which is provided for illustrative purposes as to what services Splunk performs for VA.
Splunk is a software company valued at over $2 billion that has acquired multiple smaller software companies over the past decade. Many of the services appear to be cyber security focused.
VA’s website provides public access to at least two web pages for Splunk software services for security used by the agency:
A search for “Veterans Affairs” and “Splunk” contract updates in the news returned at least one hit for 2020. In May 2020, FedHealthIT reported on a $37 million contract paid by VA for Splunk Cloud SaaS licenses and support services.
There is no known connection between that May 2020 contract and the former official’s conduct reported on by FedScoop.
What Do We Know About Cunningham
To get some background on Cunningham, I thought it would be useful to see his career progression through the eyes of FedScoop given their focus and current article on retaliation.
Apparently, Cunningham went from being a thought leader to an alleged retaliatory CISO in about a decade.
It looks like Cunningham was the deputy chief cyber information security officer at Department of Energy (DOE) a decade ago. He worked to create the joint cyber security center at DOE.
MeriTalk reported on the February 2022 retirement announcement of Cunningham by a VA spokesperson.
Cunningham has served as CISO and the VA’s deputy assistant secretary since 2019. Prior to joining VA, Cunningham was CISO for the Department of Energy for seven years. Including his 22 years of service in the Navy, Cunningham will end his career with over 33 years of service to the country and in the Federal government.
Cunningham’s last year as VA CISO has centered around compliance with President Biden’s cybersecurity executive order, as well as increasing cybersecurity around telehealth as use of the service has expanded exponentially during the COVID-19 pandemic.
We now know Cunningham’s retirement also coincided with the OAWP report about retaliation.
Training for Cyber At VA
Only two years ago, Cunningham was featured for his training thoughts.
VA employees further removed from technical positions still require cyber training as well in areas like early detection and zero trust, said Paul Cunningham, chief information security officer at VA.
“We’re never going to get medical teams to be primarily cybersecurity. It’s not their mission; we shouldn’t expect it,” Cunningham said. “But we should make it very easy for them to help us as first-line defenders recognize when things are not operating correctly.”
Use of Banned Chinese Tech
In 2020, Cunningham was cited for his advocacy for VA’s approach to identify and stop using banned Chinese technology. Congress asked VA to address how it planned to stop the use of banned Chinese tech by the agency.
An audit revealed Chinese companies built in military backdoor access to hardware used by the US federal government including, apparently, equipment used by VA.
Congress was less than thrilled with the agency’s response to identify and stop using the tech:
Rep. Jim Banks, R-Ind., called the VA’s search methodology flawed. The worry is that deeper in the supply chain or even deeper in the contracts themselves, VA and its contractors could use equipment or systems from the banned Chinese companies. Federal agencies will be forbidden from working with vendors that use the banned equipment starting Aug. 13.
“The VA’s answer gives me absolutely no confidence,” Banks said at the hearing on data privacy in the VA. “I don’t believe anyone in the department actually knows what is really going on.”
VA CISO Paul Cunningham said he “stands behind” the response, which did not include a detailed accounting of the department’s or its contractor’s IT equipment. “We were answering the question that you asked,” he said.
“I think it is something we can get to and we will take appropriate action to do so,” Cunningham told FedScoop after the hearing.
Cunningham said he is confident the VA will comply with the law by the mid-August deadline. “It will take some time to go through our contracts,” he said.
VA Financial Record Data Breach Response
Later in 2020, financial records at VA were breached. The information of 46,000 veterans was hacked when “social engineering techniques” allowed malicious actors to breach VA systems.
“Anything to [bring] the risk posture down … is going to be a good thing,” Cunningham said, as the VA handles sensitive medical information and other data on benefits services and more from veterans.
In specific, the VA has been looking at “bump and go” options for user authentication, referring to physical tokens that can be used as an added layer of security, the VA CISO said.
Cunningham’s comments come after the VA recently suffered a breach in a financial system that comprised information on at least 46,000 veterans. The breach was due to unauthorized access to an application for financial assistance that veterans are entitled to, the department said when it announced the hack. The VA said malicious actors used “social engineering techniques” and exploited “authentication protocols” to gain access to the system.
Cunningham recommended adoption of multi-factor authentication to help address the risk in the future.
“If you are a radiologist, you can’t stop in the middle,” Cunningham said. That impacts the configuration of some of the auto-logout features or token-based systems the department is considering.
Transactions involving pharmaceutical requests and medical visits are another top security priority, Cunningham said. “To the greatest extent possible, we want to use multi-factor authentication,” he said of those types of transactions.
‘No Evidence’ Of Compromise In SolarWinds Breach At VA
Cunningham also provided comment on the lack of compromise of VA data systems in the SolarWinds scandal that nailed the federal government.
Within 12 hours of CISA’s emergency directive to agencies to suspend the use of SolarWinds’ Orion platform, the VA was able to remove the software from its environment, according to Cunningham. It then searched for indicators of compromise across its networks but found none.
“We installed all the indicators of compromise, we replayed our NetFlow data looking for any other indicators that show this might have happened in the past, to identify that maybe an attacker used those indicators before who received them,” he said during a House Veterans Affairs Subcommittee on Technology Modernization hearing. “There was no evidence of that.”
VA also contracted with Microsoft to evaluate any possible compromise.
On top of this, the VA contracted with Microsoft to once again look for any indicators of compromise. Cunningham said the company also found nothing.
“They agreed that there was no indicators that would show…first of all, that the malware was activated, or that it was used in a way to move data and nefarious way,” Cunningham added.
The biggest impact to VA, according to the official, was that in taking the SolarWinds software offline, there was a loss in the “operational monitoring” the Orion platform provides.
As the VA chose to be “slow and methodical” about investigating the possibility of compromise, it was without that capability for some time before bringing it back online in coordination with CISA guidance.
A Little OAWP History Tour
The OAWP was created in 2017 under the Trump administration purporting to serve the agency’s interests by holding bad agency leaders accountable while protecting whistleblowers. At least, that is the public narrative.
The office was actually created in 2014 under the Obama administration as the Office of Accountability and then rebranded under Trump. Some of you may remember President Trump created an empire around branding, versus owning, a variety of business endeavors.
Unlike some of Trump’s prior branding successes as a business owner, the OAWP did not work out as planned. What was supposed to be one of Trump’s crown jewel accomplishments turned out to be a massive flop.
By 2019, it was clear OAWP had taken the wrong path. The office charged with protecting whistleblowers instead acted like more of a fowl hunting dog flushing out prey.
In a report published October 2019, the VA Office of Inspector General (OIG) found the office “made avoidable mistakes” and that OAWP “floundered in its mission to protect whistleblowers.”
Representative Mark Takano of California, the chairman of the House Committee on Veterans’ Affairs, and Representative Chris Pappas of New Hampshire, the chairman of the Subcommittee on Oversight & Investigations, released a joint statement.
“From the outset, OAWP allowed senior leadership to personally intervene in investigations, let funds be diverted to non-OAWP projects, and struggled to properly train staff charged with conducting investigations,” they said. “This report clearly shows that the current leadership still has not fixed, or even admitted, the ongoing failures of the office.”
The retaliation against Stenaka may have stemmed from prior failures to reform the office even under the current administration.
While most readers are likely hopeful that OAWP at least confirmed retaliation transpired, one cannot help but notice the failure of the agency to address other retaliation contentions and also the lack of confidentiality in the whistleblowing process leading to the behavior targeting Stenaka by Cunningham.
Retaliation Three Administrations Deep
On the Substack Stubborn Things, Jason Foster highlighted ongoing problems whistleblowers face when exposing scandals to senior leadership currently employed at the agency.
As an aside, many senior leaders within Veterans Benefits Administration are the same who are known to have an axe to grind against whistleblowers over the past three administrations.
Nothing can be more clear than Foster’s coverage of whistleblower smear attempts serving to diminish or evade Congressional oversight attempts.
According to Foster’s coverage of a recent smear attempt by senior VA leadership aimed at Congress:
The documents also reveal that one senior VA official named in Senator Grassley’s letter attacked a former VA employee in the process of defending himself. Acting Undersecretary of Benefits Thomas Murphy was named in the letter as having been one of three senior officials reportedly recommended for suspension for improperly accepting gifts from stakeholders.
Shortly after reviewing the Grassley letter, Murphy fired off an email to VA Secretary Denis R. McDonough. Murphy had immediately assumed, without evidence, that a former VA employee was a source of the protected disclosures that led to his proposed suspension and the protected disclosures to Congress that led to Senator Grassley’s letter.
Remarkably, Murphy takes credit in the email for firing the employee following the disclosures that led to his own proposed suspension: “The allegations Senator Grassley mentions here are part of a long list of allegations levied by a fired former employee that [sic] claimed to be a whistleblower. I terminated her for multiple violations of VA policies.”
Murphy also blamed “the last administration” for failing to deal with the Bogue conflict issues, even though Murphy himself was Bogue’s ultimate boss at the time—and still is.
Secretary McDonough then asked his Chief of Staff to draft a reply to Murphy’s note. The initial draft, although entirely redacted in the copy produced by the VA, was apparently strongly worded. Secretary McDonough replied: “I will use this language as my reply to Tom [Murphy]. It is stark, but I trust you have given this close consideration.”
McDonough’s reply apparently prompted McDonough’s Chief of Staff to dial it back. She sent a revised version and wrote: “Is this softer while still getting the point across?”
Foster commented on the current VA leadership’s long history concerning treatment of whistleblowers:
The VA has a long record of mistreating whistleblowers that spans multiple administrations. It seems to have a particularly deep-seated culture of retaliation and ethical conflicts. As Jacqueline Garrick, founder of Whistleblowers of America testified on Capitol Hill, “Employees risk their careers to protect veterans while senior VA officials travel to Europe, attend NASCAR events and curry favor with contractors at taxpayer expense.”
Murphy has worked in senior leadership within VA for a decade. Under three presidents, Murphy has served in an acting capacity as Under Secretary for the Veterans Benefits Agency (VBA) without proper Senate confirmation within that role.
Why is that? Perhaps the reason may be the topic of a separate article.
As for whistleblowers, many of us have wondered how McDonough’s new team within OAWP would address whistleblower protections given the agency’s strong history of going nuclear against anyone brave enough to speak out against ongoing corruption, handouts, and conflict of interest challenges.
McDonough’s response to Murphy may be instructive.
Murphy was not chastised by McDonough for engaging in improper behavior. The secretary instead told Murphy to “sit this one out” and warned him, “don’t discuss this matter with your subordinates.”
As Foster pointed out in his Substack, that was April 2021. By October 2021, VA still had not responded to Congress. That is the last time Foster wrote about the matter, perhaps because the Bogue situation was under investigation by VA OIG.
Bogue VA OIG Investigation Results
In March 2022, VA OIG issued a report addressing the Bogue situation. According to Oversight.gov, VA OIG summarized its findings as:
The OIG conducted an administrative investigation that included a congressional request to look into allegations that Charmain Bogue, former executive director of the Veterans Benefits Administration’s Education Service, committed ethical violations arising from her spouse’s consulting work for Veterans Education Success (VES). VES is a nonprofit advocacy group that regularly had business before the Education Service. The allegations also pointed to possible incomplete financial disclosures by Ms. Bogue concerning her spouse’s consulting business. In the course of their work, investigators uncovered evidence of other potential conflicts of interest and related misconduct by Ms. Bogue. As a result of the investigation, the OIG made four findings. First, Ms. Bogue participated in Education Service matters involving VES without considering whether it raised an apparent conflict of interest and acted contrary to ethics guidance she received from her supervisors. Second, Ms. Bogue sought résumé feedback from the president of VES to aid in her search for career advancement without considering whether this raised apparent conflict of interest concerns in subsequent VES matters. VES also endorsed Ms. Bogue for presidential nominee positions. Third, although Ms. Bogue provided insufficient detail about her spouse’s business in 2019 and 2020 public financial disclosures, VA ethics attorneys had found them compliant. She remedied the subsequently identified deficiency in her 2021 disclosure. Finally, the OIG found that Ms. Bogue refused to cooperate fully in the OIG’s investigation by refusing to complete her follow-up interview. Her husband and VES president also refused to participate in OIG interviews, and the OIG lacks testimonial subpoena authority over individuals who are not VA employees. Ms. Bogue resigned from VA in January 2022 and, as a result, the OIG made no recommendations. VA concurred with the OIG’s findings.
Our Hopes For Whistleblowers
One of the hopes we have as veterans is that whistleblowers be treated fairly by the agency. This fair treatment should include sheltering whistleblowers through mechanisms that encourage confidentiality.
We should also anticipate some degree of transparency, which has been a promise of the current administration and a welcomed change from the past administration.
How will this impact Stenaka in his quest for justice?
One cannot be sure. Given Cunningham’s retirement, Stenaka and Congress may be limited in some of their options.
VA provided FedScoop with a limited comment about the report.
A VA spokesperson said: “Mr. Cunningham no longer works for VA. For privacy reasons, VA does not comment on personnel matters.”
Perhaps VA OIG is investigating the matter, meaning we might hear about it in 12-24 months. If not, it is possible the problems will be brushed under the carpet out of public view.