Audit: Sensitive Virginia State Police Data at Risk

Print Friendly, PDF & Email

By Kathryn Watson |, Virginia Bureau

ALEXANDRIA, Va. — The Virginia State Police’s aging IT network that covers sensitive data like the Virginia Criminal Information Network is failing — and it has been for about a decade.

new audit from the Virginia Auditor of Public Accounts elevated concerns over the VSP’s network to the level of a risk alert, something not unheard of, but definitely not common, to emphasize how serious the “deficiencies related to the state police’s information technology environment” are.


VSP Seal

IT ISSUES: The Virginia State Police have some network issues they really need to work out, a new audit finds

“We worry about the integrity of the data in their systems.”


“It’s something we’ve been addressing for a while now with the state police in our audits,” Laurie Hicks, audit director for local government and judicial systems, told “We worry about the integrity of the data in their systems.”

In 2012, the state police had two network outages on two different days, one five hours and one 12 hours, during which troopers couldn’t access the criminal database to do simple tasks like look up possible arrest warrants from a traffic stop. Those outages haven’t happened like that again — but they could.

“In its current state, state police does not have the staff, hardware, or software to adequately secure the data that the agency is charged with protecting,” the latest state audit released this week reads. “These cumulative weaknesses, exemplified by several of the recommendations identified during our audit, significantly raise that mission critical data will be compromised, incorrect, or unavailable.”


Could Virginia’s contract with Northrop Grumman be at fault?


But as the audit points out, it isn’t entirely VSP’s fault. The department is in the middle of unresolved — and costly — differences between it and Virginia Information Technologies Agency, which has a troubled contract with Northrop Grumman to manage state agencies’ IT networks. And so far, all proposals from VITA have either been technologically inadequate or far too expensive, the audit finds.

It is, in a sense, a damned-if-you-do, damned-if-you-don’t situation for the state police, who recognize the issues with they’re current IT system, but face concerns about handing over the management of sensitive data to a company that has missed deadlines, overrun costs and experienced technical issues.

Virginia’s attorney general has even said there is some information the state police should manage themselves, even though state agencies are required to hand over the management of their IT networks to VITA and by extension, Northrop Grumman. VSP, VITA and Northrop Grumman are expending a “tremendous” amount of time and money to come up with an agreement, something that’s escaped them all for years, the state auditor’s office said.

Meanwhile, the state police are still shelling out tens of thousands of dollars a month in legacy fees to support the older systems, according to a July 2014 story in the Richmond Times-Dispatch.

Col. Steve Flaherty, superintendent of the Virginia State Police, said they’re doing all they can.

“With regard to the four information technology findings, the department is actively pursuing opportunities to comply with the Commonwealth’s Information Security Standards,” the superintendent wrote in the response to the audit.

— Kathryn Watson is an investigative reporter for, and can be found on Twitter @kathrynw5.