[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]





                        FAILURE OF VA'S INFORMATION 
                                MANAGEMENT

========================================================================


                                HEARING

                               before the

                              COMMITTEE ON
                           VETERANS' AFFAIRS


                        HOUSE OF REPRESENTATIVES


                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 25, 2006

                               __________

       Printed for the use of the Committee on Veterans' Affairs


                           Serial No. 109-48


                               __________


                     U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2007
28-124.PDF

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001





                     COMMITTEE ON VETERANS' AFFAIRS

                     STEVE BUYER, Indiana, Chairman

MICHAEL BILIRAKIS, Florida               LANE EVANS, Illinois, Ranking
TERRY, Alabama                           BOB FILNER, California
CLIFF STEARNS, Florida                   LUIS, V. GUTIERREZ, Illinois
DAN BURTON, Indiana                      CORRINE BROWN, Florida
JERRY MORAN, Kansas                      VIC SNYDER, Arkansas
RICHARD H. BAKER, Louisiana              MICAHEL H. MICHAUD, Maine
HENRY E. BROWN, Jr., South Carolina      STEPHANIE HERSETH, South 
JEFF MILLER, Florida                       Dakota
JOHN BOOZMAN, Arkansas                   TED STRICKLAND, Ohio
JEB BRADLEY, New Hampshire               DARLENE HOOLEY, Oregon
GINNY BROWN-WAITE, Florida               SILVESTRE REYES, Texas
MICHAEL R. TURNER, Ohio                  SHELLEY BERKLEY, Nevada
JOHN CAMPBELL, California                TOM UDALL, New Mexico
                                         JOHN T. SALZAR, Colorado


                    JAMES M. LARIVIERE, Staff Director

                                 (ii)



                             C O N T E N T S

                               May 25, 2006
                                                                  Page
Failure of VA's Information Management............................    1

                               OPENING STATEMENT

Hon. Steve Buyer, Chairman........................................    1
Prepared statement of Chairman Buyer..............................   66
Hon. Ted Strickland...............................................    4
Prepared statement of Mr. Strickland..............................   68
Hon. Bob Filner...................................................    4

                           STATEMENTS FOR THE RECORD

Hon. Michael Bilirakis............................................   70
Hon. Luis V. Gutierrez............................................   74
Hon. Cliff Stearns................................................   76
Hon. Corrine Brown of Florida.....................................   78
Hon. Richard H. Baker.............................................   81
Hon. Michael H. Michaud...........................................   82
Hon. Jeff Miller of Florida.......................................   83
Hon. Stephaine Herseth............................................   87
Hon. John Boozman.................................................   89
Hon. Tom Udall....................................................   91
Hon. John T. Salazar..............................................   93
Hon. Terry Everett................................................   95 




                                   WITNESSES

Nicholson, Hon. R. James, Secretary, U.S. Department of 
  Veterans Affairs................................................     6
Prepared statement of Secretary Nicholson.........................
Opfer, Hon. George J., Inspector General, U.S. Department of
  Veterans Affairs................................................    21
Prepared statement of Mr. Opfer...................................   101
Pratt, Stuart, President and Chief Executive Officer, Consumer 
  Data Industry Association.......................................    54
Prepared statement of Mr. Pratt...................................   107


                                    (iii)
                                    
                                    

                            WITNESSES (CONTINUED)


Hoffman, Dennis, Vice President of Information Security,
  EMC Corporation.................................................    56
Prepared statement of Mr. Hoffman.................................   110
Litan, Avivah, Vice President and Distinguished Analyst,
  Gartner, Incorporated...........................................    59
Prepared statement of Ms. Litan...................................   116

                         INFORMATION FOR THE RECORD

Kappelman, Leon A., Ph.D., Professor of Information Systems,
  Directory Emritus, Information Systems Research Center,
  Fellow, Texas Center for Digital Knowledge, Associate
  Directory, Center for Quality & Productivity, Information
  Technology & Decision Sciences department, College of
  Business Administration, University of North Texas,
  statement of....................................................   122
VA's Statement on the incident of May 3, 2006.....................   124 
VA's Notification to Veterans.....................................   126
VA's FAQ's on the incident of May 3, 2006.........................   128
Secretary Principi's Memorandum for Under Secretaries, Assistant
  Secretaries, Deputy Assistant Secretaries, and other Key
  Officials, dated March 16, 2004.................................   132
VA's Memorandum dated April 7, 2004...............................   133

                  POST-HEARING QUESTIONS FOR THE RECORD

Responses of the U.S. Department of Veterans Affairs to Post-
  Hearing Questions for the Record from Chairman Buyer,
  Hon. Terry Everett, Hon. Jeb Bradley, Hon. Ginny Brown-
  Waite, and Hon. John Campbell...................................   139
Responses of the U.S. Department of Veterans Affairs to Post-
  Hearing Questions for the Record from Hon. Lane Evans,
  Ranking Democractic Member and Hon. Luis V. Gutierrez...........   233
  

                                     (iv)
                                      


 
                    FAILURE OF VA'S INFORMATION MANAGEMENT

                               ____________


                         THURSDAY, MAY 25, 2006

                                                House of Representatives,
                                           Committee on Veterans Affairs,
                                                         Washington, D.C.



The Committee met, pursuant to call, at 9:05 a.m., in Room 334, Cannon 
House Office Building, Hon. Steve Buyer [Chairman of the Committee] 
presiding.

Present:  Representatives Buyer, Bilirakis, Stearns, Moran, Brown of 
South Carolina, Miller, Boozman, Brown-Waite, Campbell, Filner, 
Gutierrez, Brown of Florida, Michaud, Herseth, Strickland, Hooley, 
Reyes, Berkley, Udall, and Salazar.

The Chairman.  The House Committee on Veterans' Affairs dated May 25, 
2006, will come to order.  If somebody will get the door for us, please.

By way of housekeeping, we only have the Secretary for about 45 minutes, 
and then there's a hearing on the Senate side that starts at 10:00 
o'clock.  He will be taking Mr. McLean with him.  Others of his staff 
will remain, and step forward at the table when the Secretary leaves.

I will give an opening, and then I'm going to yield to Mr. Strickland 
for an opening, and then we are going to immediately go to questions.  
What I would propose is, because we only have him for 45 minutes, is 
that I do a unanimous consent that each member may have three minutes to 
do questions, so we try to give quick latitude to all the members.  Any 
objections?

[No response.]

All right.  And hearing no objections, so ordered.

The purpose of this hearing is to learn more about the recent loss of 
personal data belonging to as many as 26.5 million veterans and some 
spouses experienced by the Department of Veterans Affairs.  We have a 
meltdown in VA's information Management.  According to VA, this meltdown 
has resulted in a catastrophic failure to safeguard sensitive personal 
data.  Last Monday, the Department of Veterans' Affairs released a 
statement acknowledging that a data analyst took home electronic data 
which he was authorized to access at work, but not authorized to bring 
home.  The burglary of his home and the theft of his computer resulted 
in the loss of that data.  This serious incident was not communicated to 
this Committee until Monday, May 22nd, 19 days after the theft, and one 
hour prior to its release to the public.

We must answer some pressing questions, which include: how did this 
breach of information Management happen, what will we do to protect 
veterans from identity theft, what policies and regulations are in place 
in the department that should have stopped the mismanagement of 
information, and what is the VA doing to eliminate the vulnerabilities 
associated with the security of sensitive information? And there are 
many others from my colleagues.

And let me be clear.  We are here today to inform America's veterans and 
their families what the government is doing to protect them against 
fraud and ease their efforts to protect themselves.  Our veterans and 
their families must be assured of how you, Mr. Secretary, will safeguard 
the information they place in your hands.  Whether or not any identity 
fraud results from the theft of this computer carried home by this VA 
employee, what is clear is that damage has been done.

Speaking as one of those millions of veterans such as even yourself, Mr. 
Secretary, the prospect of fraud, theft, of the awful prospect of 
repairing damaged credit, is bad enough.  For that stress to be caused 
by our own Federal Government is deeply disturbing, and I know everyone 
here agrees it is intolerable.  There will unfortunately be a certain 
percentage of the 26.5 million veterans that will have to deal with 
identity theft in the normal cause of life.  And now some of them will 
blame the VA.  So that's going to be a challenge for you.

Beyond the very personal dimension: this incident has implications 
regarding the larger picture of control over VA information technology.  
Over the last seven years we've seen compelling evidence of information 
security problems at the VA, and I refer to the Committee hearings which 
I've chaired.  On May 11th of 2000, the GAO stated that computer 
security, quote: 	"..is critical to VA's ability to safeguard its 
assets, maintain the confidentiality of sensitive information, and 
	ensure the reliability of its financial data.  The VA IG 
acknowledged the department-wide weaknesses in information 	security 
systems that continue to make VA's program and financial data vulnerable 
to error and fraud," end quote.

At a September 21, 2000 hearing, GAO stated, quote, "Serious computer 
security problems persisted throughout the department and VHA, because 
VA had not yet fully implemented an integrated security management 
program, and VHA had not effectively managed computer security at its 
medical facilities," end quote.

At the April 4, 2001 hearing, the IG continued to, I quote, "identify 
significant information security vulnerabilities that place the 
department's data systems at risk of unauthorized access and 
disclosure."  The IG testified that, quote, "many of these 
vulnerabilities exist in violation of VA policy," end quote.

At a March 13, 2002 hearing, the IG repeated findings of the 
vulnerabilities of VA's information technology.

Then almost four years ago today, on May 20th and May 21st, a WISHTV 8 
I-Team led by Karen Hensel in Indianapolis, Indiana, went to Goodwill 
and bought three computer hard drives.  Two of those hard drives she 
learned were never cleansed, and they contained hospital patient records 
from the Roudebush VA Hospital in Indianapolis.  The names of veterans, 
their Social Security numbers, home address, phone numbers, pages and 
pages of government credit card numbers, information regarding veterans' 
arrest records, whether they were receiving drug and alcohol counseling, 
whether they were disabled.  There was one of the veterans was blind, 
disabled, and living alone and was a combat veteran.  It discussed his 
case.  One of the patients was HIV.  A hundred twenty of those computers 
were sold at a surplus sale without ever having been cleansed.

So we went through all the hearings on that.  "Oh, the controls are 
going to be in place, we assure the Committee."

At the September 26, 2002 hearing, the IG testimony stated that, quote, 
"Penetration testing completed during the past two years verified that 
the VA's information system could be exploited to gain access to 
sensitive veteran health and benefit information."

At a March 17, 2004 hearing, the VA testified that, quote, "there was a 
glide path in place for the meeting, the 2004, April 2004 deadline for 
the beginning of the VETSNET deployment.  VETSNET has been in 
development for a decade.  I've been told that VETSNET will not deploy 
in 2006 and maybe not even now till 2007."

As Chairman of the Subcommittee on oversight and investigations, and now 
the Chairman of this Committee, I have led a bipartisan effort to 
centralize VA's IT infrastructure and control over its IT systems.  Last 
November, this House voted unanimously, 408 to zero, to centralize IT 
management with the department's chief information officer.  Both the 
department and the Senate have sadly resisted such centralization of 
VA's IT architecture.  Even the Independent Budget of the VSOs opposed 
centralization of VA's IT infrastructure in their 2007 budget.

The VA Inspector General in his November 2005 report entitled, "major 
management challenges of fiscal year 2005," stated that, quote, "VA has 
not been able to effectively address some significant information 
security vulnerabilities and reverse the impact of its historically 
decentralized management approach."

The report went on to say that, quote, "While the VA has accelerated 
efforts to improve Federal information security, more needs have to be 
done to put security improvements in place that effectively eliminate 
the risk and vulnerabilities of unauthorized access and misuse of 
sensitive information," end quote.

Look where we are here today, Mr. Secretary.  This Committee, this 
Congress, we have asked to empower the CIO to put his arms around this 
one, and that was resisted.  We also--I have even asked about 
letting the VA be on parity with other departments with regard to 
political appointments.  That has been resisted.  And now what we have 
is, we have some management questions.  This isn't just an issue of a 
low-level employee.  There is very serious mismanagement of information 
technology that is at stake.

So with that context, I believe there is a damaged trust, angered 
veterans and families, and there are systematic flaws.  And Mr. 
Secretary, this is a defining moment of your leadership.

With that I yields now to Mr. Strickland.
[The statement of Chairman Buyer appears on p. 66]

Mr. Strickland.  Mr. Chairman, I would yield to my colleague from 
California, Mr. Filner, and I would ask that my statement be entered 
into the record, please.

The Chairman.  Thank you, Mr. Strickland.  All the members may have 
opening statements, and your statements will be submitted for the 
record.
[The statement of Mr. Strickland appears on p. 68]

The Chairman.  Mr. Filner, you are now recognized.

Mr. Filner.  Thank you, Mr. Chairman, and thank you for this hearing.  
Thank you for your opening remarks.  I associate myself completely with 
them.  You laid out a complete record, I think that we don't have to 
repeat, so I appreciate your strong attitude toward this issue.

We are now presented, as the Chairman said, with a catastrophic problem.  
The VA simply did not protect essential personal information entrusted 
to its care.  Now and for the next few decades maybe, a potential sort 
of Damocles hangs over the financial well-being of over 26 million 
veterans, unless this data is recovered.

In the last five years, as the Chairman outlined, a host of agencies, 
the VA Inspector General, the GAO, prominent IT consultants have 
reported that VA has many problems with information security.  We found 
multiple failures under the Federal Information Security Management Act, 
and the performance reviews required by that Act.  We note that three or 
four information security recommendations to the VA by the Government 
Accountability Office in March 2002 have yet to be implemented.  Outside 
contractors have noted related problems.  And how does VA react? With 
indifference.

Internal VA recommendations to strengthen the control of information 
meet with resistance.  Even Secretary Principi's directive to centralize 
information technology at the VA in 2002 was met with indifference.  It 
was not implemented.

In the last few years, this Committee and its Subcommittees have 
chronicled problems related to unclear lines of IT management authority 
throughout the VA, from information security Officer training in the VBA 
to sensitive information releases on unscrubbed computer hard drives at 
VA medical centers, a host of very expensive major computer project 
failures and delays.

We rarely see accountability, neither in the IT or the information 
security world at the Veterans Administration.  The individual 
responsible for the release of the unscrubbed hard drives was soon 
promoted.  Again, VA seems to react with indifference to its problems in 
this area.

As Chairman Buyer pointed out, the problem before us today is not 
unexpected.  It has sprung from a culture of indifference, at the 
Veterans Administration, and has grown strong among the leaders who have 
allowed it to grow.  The most important agent in information control and 
security in an organization is its leadership.  When they are not 
proactive, Mr. Secretary, bad things happen.  And a very bad thing has 
happened that we are looking at today.

Too much time transpired before Congress was notified.  Sure, you needed 
to hope that the thing was found, but you could have briefed the 
Chairman and others in this body about that, what happened.  Too much 
time transpired before veterans were notified.  And when you did notify 
them, you left it to them to go contact their credit bureau, or their 
banks.  You didn't say, "We will take care of it, we will be behind you, 
we will pay for the problems that you might have." VA's message was, 
"Trust us, we will handle it."  Well, we should now question if even 
after this wake-up call, you are up to the task.

Certainly this administration has proclaimed its need to collect 
information on our citizens.  On May 11th, President Bush defended those 
actions by noting that the privacy of ordinary Americans is fiercely 
protected in all of our activities.  Well, I think this data debacle 
before us today clearly demonstrates the folly of the President's 
attempt to place us at ease regarding the Administration's ability to 
fiercely protect our privacy.  This does not meet my definition of 
fierce protection.  I only see indifference.

Mr. Chairman, I appreciate again this opportunity to look into this 
incredible disaster.

The Chairman.  Thank you, Mr. Filner.  And I associate myself with Mr. 
Filner's comments.

Testifying now will be Secretary Nicholson.  Secretary Nicholson is 
accompanied by the Honorable Alan Pittman, the Assistant Secretary of 
Human Resources and Administration; the Honorable Robert J. Henke, 
Assistant Secretary for Management; Retired Army Major General Bob 
Howard, the Acting Assistant Secretary for Information Technology; Pedro 
Cadinez, Jr., Associate Deputy Assistant Secretary for Cyber and 
Information Security, and the Acting Deputy Assistant Secretary for 
Information Technology; Dennis M. Duffy, Acting Assistant Secretary for 
Policy, Planning, and Preparedness; Michael Mclendon, Deputy Assistant 
Secretary for Policy; and the Honorable Tim Mclean, the Department's 
General Counsel.

All the individuals who I have just identified, if you would please 
stand, I'm going to swear all of you in.  Would you please raise your 
right hand.

[Witnesses sworn.]

Mr. Secretary, you are now recognized.


TESTIMONY OF HON. R. JAMES NICHOLSON, SECRETARY, VETERANS AFFAIRS; 
ACCOMPANIED BY R. ALLEN PITTMAN, ASSISTANT SECRETARY FOR HUMAN RESOURCES 
AND ADMINISTRATION; ROBERT J. HENKE, ASSISTANT SECRETARY FOR MANAGEMENT; 
MAJOR GENERAL (RET.) ROBERT HOWARD, ACTING ASSISTANT SECRETARY FOR 
INFORMATION AND TECHNOLOGY; PEDRO CADENAS, JR., ASSOCIATE DEPUTY 
ASSISTANT SECRETARY FOR CYBER AND INFORMATION SECURITY AND ACTING DEPUTY 
ASSISTANT SECRETARY FOR INFORMATION TECHNOLOGY; DENNIS M. DUFFY, ACTING 
ASSISTANT SECRETARY FOR POLICY, PLANNING AND PREPAREDNESS; MICHAEL 
MCLENDON, DEPUTY ASSISTANT SECRETARY FOR POLICY; TIM S. MCCLAIN, GENERAL 
COUNSEL; AND GEORGE J. OPFER, INSPECTOR GENERAL, DEPARTMENT OF VETERANS 
AFFAIRS


Secretary Nicholson.  Mr. Chairman and members of the Committee, thank 
you for giving me the opportunity to appear before you today, to explain 
a devastating occurrence that has happened in my agency.  It has come to 
my attention recently.  It was announced to all on Monday of this week.

I am the person ultimately responsible to our veterans, and therefore, 
the responsibility for this situation rests on me.  A VA employee who 
was a data analyst took home electronic data files from the VA.  He was 
not authorized to do so, nor were they encrypted.  His house was 
burglarized and the data were stolen.  This happened on May 3rd.  If 
that wasn't bad enough, I wasn't notified about this event until May 
16th.  As a veteran myself, I have to tell you that I am outraged.  I am 
frankly mad as hell.  But I must carry on, and lead the efforts to get 
to the bottom of this, and take corrective actions to see that it 
doesn't happen again.

My compass for this is the veterans.  How do we best take care of them 
now, and mitigate the effects of this on them?  These stolen data 
contained identifying information including names and dates of birth for 
up to 26.5 million veterans, and some of their spouses.  In addition, 
that information, plus Social Security numbers, was available for some 
19.6 million of those veterans.  Also included possibly were some 
numerical disability ratings and the diagnostic codes which identified 
the disabilities being compensated.

It is important to note that the data did not include any of the VA's 
electronic health records.  Neither did it contain explicit financial 
information, although knowing of a disability rating could enable one to 
compute what the implied terms of compensation payments are.

On May 3rd, the employees's home was broken into in what appears to 
local law enforcement to have been a routine breaking and entering; that 
is, a random burglary, not a targeted one.  And the VA data were stolen.  
The employee has been placed on administrative leave pending the outcome 
of an investigation with which he is cooperating.

As I have said, I am a veteran too, and I am outraged at the loss of our 
veterans' personal data.  And I am outraged at the fact that an employee 
would put us all at risk by taking it home in violation of VA policies 
with which he was very familiar.  I am also very outraged that it was 
not until May 16th that I was notified of this incident.  And I am upset 
about the timing of the department's overall response once the burglary 
became known.  I will not and have not tolerated inaction and poor 
judgment when it comes to protecting our veterans.

Appropriate law enforcement agencies, including local police, the FBI, 
and the VA Inspector General's office, have launched full-scale 
investigations into this matter.  Authorities believe it is unlikely the 
perpetrators targeted the items stolen because of any knowledge of the 
data contents.  It is possible that the thieves remain unaware of the 
information they possess, or how to make use of it.  Because of that, we 
have attempted to describe the equipment stolen, the location from which 
it was stolen, and other information, in quite general terms.  We have 
not and do not want to provide information to the thieves that might be 
more helpful as to the nature of what they have.  We still hope that 
this was a common theft, and that no use will be made of the VA data.

From the moment I was informed, the VA began taking all possible steps 
to protect and inform our veterans.  However, there were those in the 
law-enforcement community who wanted me to wait longer before announcing 
this theft, so as to pursue leads and keep the burglars in the dark.  I 
chose to inform our veterans nevertheless, but limiting the details of 
where and when initially, so as not to tip our hand to the robbers.  
Whether it is one veteran or the numbers we are talking about here 
today, the VA needed to act in a manner that maintained a balance 
between protecting our veterans, and informing the crooks.

Another very disturbing aspect of this circumstance is that although it 
happened on May 3rd, and the VA employee informed his bosses of this 
fact on that day, I was not made aware, as I said, until May 16th.  
Equally disturbing is that Federal law enforcement and investigating 
agencies were not informed immediately, either.  It wasn't until May 
10th that the VA IG became aware of it.  I cannot explain these lapses 
in judgment on the part of my people.  It makes me really angry and 
disappointed, and after the IG finishes his investigation as to exactly 
what went on, I plan to take decisive actions.

The VA now also has begun a relentless examination of our policies and 
procedures to find out how we can prevent something like this from 
happening again.  We will stay focused on the problems until they are 
fixed.  I have formed a special task force under the deputy secretary to 
examine comprehensively all of our information security programs and 
policies, to bring about a ringing change in the way we do business.  
Ever since 1999, the VA has gotten low marks from the IG on its 
information and a cyber security programs.  Last year, the GAO flunked 
the VA on its cyber security system.  This has to change.

This situation is exacerbated by the fact that the Assistant Secretary 
for IT, who had been at the VA that's the beginning of 2004, has just 
recently resigned.  He came to the VA from the private sector, Dell 
Computers, and has now returned to the private sector. We do have--
and think we have recruited a good replacement, but he is not in place 
at this time.

Ironically, we, the VA, continue to get very exemplary evaluations on 
electronic medical records systems.  And during Hurricane Katrina, the 
system and our people performed heroically to evacuate hundreds of 
patients and save many lives.  We are also off to a strong start on our 
IT reformation to centralize all of our IT applications, except for 
development.

What this suggests is that we can get this information and cyber 
security mission done right, also.  I am also pleased that just 
yesterday the President announced his intention to nominate a brilliant 
recently retired Navy Admiral to head up our office of policy and 
planning, where this incident arose from.  He should be on board very 
soon.

Additionally, we are taking direct and immediate action to address and 
alleviate veterans concerns and to regain their confidence.  I have 
taken the following actions so far:

Directed that all VA employees complete the VA cyber security awareness 
training course, and complete the separate general employee privacy 
awareness course by June 30, 2006.

I have also directed a memo be issued requiring all VA employees to sign 
annually an employee a statement of awareness that includes there are 
awareness of privacy act, unauthorized disclosing or using, directly or 
indirectly, information obtained as a result of employment in the VA, 
which is of a confidential nature, or which represents a matter of 
trust, or other information so obtained, of such a character that its 
disclosure would--or its use would be contrary to the best interest 
of the VA, or the veterans being served.

And certify their awareness on the loss of, damage to, or unauthorized 
use of government property, through carelessness, or negligence, or 
through maliciousness, or intent.

In addition, the department will immediately be conducting an inventory 
and review of all current positions requiring access to sensitive VA 
data.  The inventory will determine whether positions in fact require 
access to data.  We will then be requiring all employees requiring 
access to sensitive VA data to undergo an updated national agency check 
and inquiries, and/or a minimum background investigation, depending on 
the level of access required by the responsibilities associated with 
their position.  Because it has come to my attention also that we know 
virtually nothing about these people that have access to these enormous 
amounts of data.  For example, this individual having the entire 
veterans' file, one person who has not to our knowledge had a background 
check for 32 years.

I have directed the office of information and technology to publish by 
June 30 of this year, as a VA directive, the revisions to the security 
guidelines for single user remote access developed by the Office of 
Cyber Information Security.  This document will set the standards for 
access, use, and information security, including physical security, 
incident reporting, and responsibilities.

VA is working with Congress, the news media, and veterans service 
organizations and other government agencies, to help ensure that those 
veterans and their families are aware of the situation, and of the steps 
they may take to protect themselves from misuse of their personal 
information.  VA is coordinating with other agencies to send individual 
notifications to all 19.6 million individuals whose Social Security 
numbers were stolen, instructing them to be both vigilant in order to 
detect any signs of possible identity theft, and how to protect 
themselves.

In the meantime, veterans can also go to www.firstgov.gov for more 
information on this matter.  This is a Federal Government web site 
capable of handling large amounts of Web traffic.  Additionally, the VA 
has set up a manned call center that veterans may use to get information 
about this situation, and learn more about consumer identity protection.  
That toll-free number is 1-800-333-4636.  The call center operates from 
8:00 a.m. to 9:00 p.m. Monday to Saturday, and it will as long as it is 
needed.  The call center handles up to 20,000 calls an hour.  Through 
the end of the day on yesterday, concerned veterans had made a total of 
105,753 calls to this number.

I want to acknowledge the significant efforts of numerous government 
agencies in assisting the VA in preparing for this announcement of May 
22nd.  Agencies at all levels of the Federal Government pitched in to 
ensure that our veterans had information on actions they could take to 
protect their credit.  Hundreds of people worked around-the-clock last 
weekend, writing materials to inform the veterans, and setting up call 
centers and a Web site to ensure maximum dissemination of the 
information.  And I want to personally thank each of these agencies and 
the people therein for their selfless efforts on behalf of our veterans.

Three nationwide credit bureaus have established special procedures to 
handle inquiries and requests for fraud alerts from our veterans. 
Experian and Trans-Union have placed a front-end message on their 
existing toll-free fraud lines, bypassing the usual phone tree of 
instructions for placing a fraud alert.  Equifax has set up a new toll-
free number for veterans to place fraud alerts.

The new procedures became operational on Tuesday.  The bureaus report a 
spike in phone calls 171 percent of normal, and in requests for free 
credit reports, through the annual free credit report web site.  The 
Federal Trade Commission also experienced high call volumes about the 
incident earlier this week.  On Monday, the Office of Comptroller of the 
Currency notified its examiners of the theft.  On Tuesday, the Office of 
Comptroller posted an advisory on an internal network available to its 
banks, and instructed examiners to direct their banks to the advisory.  
It explains what happened, and asked the banks to exercise extra 
diligence in processing veterans' payments.  The advisory also reminds 
the banks of their legal obligations to verify the identities of persons 
seeking to open new accounts, to safeguard customer information against 
unauthorized access or use, and attaches a summary of relevant laws and 
regulations.

I briefed the Attorney General and the Chairman of the Federal Trade 
Commission, the co-chairs of the President's Identity Task Force shortly 
after I became aware of this occurrence, and they have been very 
cooperative as well.

Task force members have already taken actions to protect the affected 
veterans, including working with the credit bureaus to help ensure that 
veterans receive the free credit report that they are entitled to under 
the law.

Additionally, the task force met on Monday to coordinate the 
comprehensive Federal response, and to recommend further ways to protect 
affected veterans, and increased safeguards to prevent the recurrence of 
these incidents.  On Monday, following the announcement of this 
incident, I also issued a memorandum to all VA employees.  The purpose 
was to remind them of the public trust we hold, and to set forth the 
requirement that all employees complete their annual general privacy 
training and VA cyber security awareness training for the current year, 
by June 30.  Following that, all will be required to sign a statement of 
commitment and understanding, which will acknowledge consequences for 
noncompliance.

Information security is challenging business.  And ultimately, it 
depends on the integrity and the work ethics of the workforce.

The Chairman.  Mr. Secretary, if you could summarize your conclusion, 
please.

Secretary Nicholson.  I wanted to just, for purposes of one graphic, and 
this was not the equipment that was involved in this so I can use--
but this is a hard drive.  This little piece of equipment that is 
smaller than my wallet has 60 gigabytes.  The information that we are 
dealing with here, this entire roll of our veterans and the data on it 
is five gigabytes.  So you could put 12 times that on that piece of 
equipment that fits easily into one's pocket.  All of us carry a cell 
phone, a Blackberry, or a personal digital assistant, and they contain 
vast amounts of data.

I promise you that we will do everything in our power to structure a 
policy and a regulatory regime that make clear what is proper use of 
this data by our employees.  We will train employees in these policies, 
and enforce them.  We have already begun discussions regarding immediate 
automatic encryption of all sensitive information.  We will work with 
the President's task force very closely.  VA's mission to serve and 
honor our nation's veterans is one we take seriously.  The 235,000 
dedicated VA employees are deeply saddened by any concern or anxiety 
this incident is causing to our veterans and their families.  We honor 
the service of our veterans and what they have done for our country, and 
we are working hard to keep this most unfortunate circumstance from 
causing them undue pain and anxiety.  Thank you.
[The statement of Secretary Nicholson appears on p. 96]

The Chairman.  Thank you, Mr. Secretary.

To my colleagues, sitting to the Secretary's right is Mr. George Opfer.  
He is the VA's IG, and it was on purpose that he was not sworn in.

I will also you ask unanimous consent that Thelma Drake and Jim Walsh be 
permitted to sit at the dais of the Veterans' Affairs Committee.

[No response.]

Hearing no objections, so ordered.

I want to thank Chairman Walsh for being present today.  He also wanted 
to hold his own hearing on this, and given the time constraints was not 
able to, and it's impressive that he is taking equal concern on this.

What we have here, Mr. Secretary, is this Committee working 
cooperatively with Mr. Walsh and Mr. Chet Edwards on IT.  And before you 
took this job, we had been working hard on IT.  And when we couldn't get 
the VA to listen, we worked cooperatively with not only setting forth 
our budget, taking out $400 million to get somebody's attention, but the 
appropriators also followed suit.

I am going to yield so other members can ask questions.  The only thing 
I would like for you to take away from this, Mr. Secretary, is that we 
intend to have follow-on hearings.  I would ask this of you: would you 
consider offering a reward, say, a million-dollar reward for information 
that would lead to the arrest or recovery of this device?  I want you to 
think about that.  I want you to work with the Department of Justice on 
whether or not that could be helpful to us.  That million dollars is 
nothing compared to what we are about to expend.  You have already sent 
us a reprogramming notice for $25 million.  So I don't know where this 
could end.  But I want you to consider that.

Secretary Nicholson.  We will.

The Chairman.  At this point, let me yield to Mr. Bilirakis for two 
minutes.

Mr. Bilirakis.  Thanks, Mr. Chairman.  Mr. Secretary, welcome, I guess.  
Mr. Secretary, in Vietnam you were a true, most courageous hero, a true 
hero.  You received many awards.  I doubt that the difficulties you 
found there are as bad as they are with the VA.

Foundationally this is a problem in the VA.  And it is foundational.  
Others will ask questions regarding this particular instance, and I am 
as concerned about it as anybody else is.  Mr. Chairman, I would like to 
ask unanimous consent that a two-page document, a written statement by a 
Dr. Leon A. Kappelman be made a part of the record.

The Chairman.  Hearing no objection, so ordered.
[The information appears on p. 122]
Mr. Bilirakis.  And I would like to quote from that, Mr. Secretary, very 
quickly here: "VA has tens of thousands of dedicated, hard-working 
employees committed to the important mission of serving our nation's 
veterans and their families.  But there is a dark side to the VA.  Its 
bureaucratic culture is unprincipled, profligate, and intransigent.  I 
have seen them ignore Congress, GAO, OMB, and one executive appointee 
after another.  Oh, they know how to play the game to get the executive 
in Congress to open the budget floodgates, but VA doesn't really care 
how the dollars are actually spent, as long as it doesn't interfere with 
business as usual at the VA.  I have personally seen VA personnel 
sabotage and subvert hundreds of millions of dollars' worth of IT 
projects, and read about billions more wasted on other failures.  I have 
seen a total disregard for one cyber security effort after another.  
These are only the tip of the iceberg.  And why do such things happen at 
the VA?  Largely, because these systems and efforts would make the 
utilization of budget and personnel more transparent and thereby make 
accountability possible."

Mr. Secretary, without going into the merits of these statements and 
that sort of thing, the gentleman is not here for us to cross-examine or 
whatever.  But I think we all agree that there is a problem, a basic 
bureaucratic type of a problem--at least I hope we all agree.  And I 
ask you, if that is the case, and let's go on the premise that that is 
the case, can't you do something about it?  What is preventing you from  
--  I guess this task force reviewing the entire VA and basically 
saying, "Hey, we are going to chop here, we are going to change here, we 
are going to do this, we are going to do that."  Is it civil service?  
Does anything prevent you from doing these things?  Are we sort of stuck 
with this kind of an image, on the premise now again that this is 
basically true?  And I frankly think that it is, based on my experience 
of over 24 years on this Committee.

Secretary Nicholson.  I would say absolutely-- 

Mr. Bilirakis.  Your mike, I guess, sir.

Secretary Nicholson.  No.  I mean, I am aware of the history of these 
problems that the Chairman and the Ranking Member have recited.  There 
are others.  I am trying to ascertain exactly how many people 
telecommute.  Yesterday, I was talking to an employee on this subject, 
who was a data expert, who asked somebody to burn some records, some 
health records for him onto a CD that he needed for a project.  It was 
done, they were mailed to him very timely, tidy.  Wrote an e-mail back 
to them and he said "That was great.  It was prompt.  I ready appreciate 
it.  Where do you work here?  At the VA Central office?  Maybe I'll run 
into you and we can have a cup of coffee."

And the guy says, "I don't work here.  I work in South Dakota." And so 
we have people telecommuting all over this country, and we need to get 
our arms around who these people are, and what they are like?  And they 
have enormous amounts of data with enormous amounts of potential.  Not 
necessarily because they may be up to mischief, but they may be like the 
current case where they are negligent.  And this is an enormous, 
troubling situation.  But I will say to you that you cannot default to 
it.  We have to fix it.  And we can.

Mr. Bilirakis.  Do you have the authority?  Do you have the power to fix 
it?

Secretary Nicholson.  Well, if we don't have it, we will come and seek 
it.  But you raise a good point, Mr. Chairman, because there are things 
that are called guidelines, which some employees think do not apply 
because they say "guidelines," and they don't say "directives."  And 
that has a history to it as well, about how expeditious you can get out 
a guideline versus the time it takes to do a directive.

I will say that the thing needs to be reviewed from tip to stern.  We 
have queued up I think a very strong leader to come in and replace the 
person that has left, as the chief information officer who I told you 
about, who I think did a very good job in forcing us into the 
transformation that we are now in on centralizing, you know, a portion 
of IT for business purposes and so forth.  But in the information 
security area, there is a lot needed, and--but it can be done.  
These things can be fixed.
[The statement of Mr. Bilirakis appears on p. 70]

The Chairman.  I thank the gentleman.  I am going to hit this and go 
right to Mr. Filner.  What assurance can you, Mr. Secretary, give 
veterans that if indeed these records end up in the hands of identity 
thieves, that veterans will not suffer financially or otherwise for 
these illegal attacks on their credit?

Secretary Nicholson.  Well, I think before I could give you that 
assurance, I'm going to have to work with, the Congress to--and see 
if it could be funded.  If they suffer a loss from this.  We are working 
at a fever pitch with several proprietary companies that are in this 
business of trying to help monitor consumers, people's credit records 
for them, and we are meeting with them, reviewing their proposals.  With 
the enormous amount of people involved, there's gonna be a substantial 
cost to that.  But that would give--that would give a lot of peace 
of mind to our veterans, if they suffer a loss, the system of--then 
compensating that, which I think is something that is owed to a veteran, 
we'll have to figure out.

The Chairman.  Mr. Filner, you are recognized for two minutes.

Mr. Filner.  Thank you, Mr. Chairman.  Who is the highest level official 
who didn't tell you for 13 days about this?

Secretary Nicholson.  That knew it during that time before, the deputy 
chief of--the deputy secretary.

Mr. Filner.  Is he going to be fired?

Secretary Nicholson.  I'm reviewing all of these issues, Mr. Filner, 
with a view towards what actions that I'm gonna take, and I'm going to 
take--but the IG is continuing to do some work on this, and I want 
to-- 

Mr. Filner.  You know, your responses are incredibly bureaucratic.  I 
don't see, as I have told you, I do not see any passion. I don't see you 
saying, "I take responsibility."  Well, the most dramatic thing you 
could do to take responsibility is resign.  In last years budget, you 
didn't know there was a war going on, so you couldn't take care of the 
veterans.  Now, your own people do not tell you about the theft of the 
data of 26 million veterans, and you go through all this bureaucratic 
rigamarole.  You issue something to veterans, "Frequently Asked 
Questions," and you tell them, "if you have any problem, call your 
credit bureau, call your bank."

Where is your responsibility in all this?  You tell your veterans, "Go 
call a number"--which you gave the wrong number, by the way, in your 
testimony.  At least it is different than your press release.

So you are not taking any responsibility.  Not only financially but for 
this management debacle.  And you have said time and again as from your 
press release, there is no medical data here.  Is that what you have 
said?

Secretary Nicholson.  Yes, I said none of the medical records-- 

Mr. Filner.  But you are being very bureaucratic. Isn't there a 
diagnostic code on here that indicates a specific injury, disability, or 
medical condition, that is part of the record here?

Secretary Nicholson.  For disability recipients, yes.

Mr. Filner.  Well, why not state that clearly and bluntly?  Every 
specific code relates to a specific health condition, and the disability 
codes are linked to specific individuals by their name and date of 
birth, and they reveal each disabled veteran's medical problems and 
conditions; correct?

Secretary Nicholson.  Yes, I--I think it is--that would be 
correct, yes.

Mr. Filner.  So we have medical knowledge floating around here on 26 
million people.  You should resign, Mr. Secretary.

Secretary Nicholson.  No, sir.  It's--I mean that it happens to be 
those that are getting disability, which is not a small number-- 

Mr. Filner.  How many is that?

Secretary Nicholson.  It's about 2.6 million.

Mr. Filner.  Oh, I'm sorry.  So only 3 million people suffer from that.

The Chairman.  Thank you, Mr. Filner.

Mr. Filner.  Okay, you should resign one eighth of the time.

The Chairman.  Thank you, Mr. Filner.

Mr. Stearns, you are recognized for two minutes.

Mr. Stearns.  Thank you, Mr. Chairman.  I would say to Mr. Filner that 
Mr. Nicholson has indicated he takes full responsibility.  I mean, he 
said that personally and I understand with his record how upset he is.

But Mr. Secretary, have you fired the employee who lost this 
information, and why not?

Secretary Nicholson.  He has been put on administrative leave pending 
further action.  There are other people, to go back to Mr. Filner's 
comment, who are also in my sights as a result of this.

Mr. Stearns.  Do you have internal controls?  For example, why wasn't 
this information encrypted?  In commercial corporations, they encrypt 
all this information as a standard operating procedure.  How in the 
world could a person take this outside and not be encrypted?

Secretary Nicholson.  He was--one, he wasn't authorized take it home 
at all.  That we have a standing regulation, standing policy, that 
anyone who he is authorized to take sensitive information outside of 
their workstation has to have it encrypted.

Mr. Stearns.  Okay, do you have in place an internal security operation, 
with a security chief, with internal audits, and occasionally an outside 
audit, to confirm that this information is secure, in the Veterans 
Administration?  Just yes or no.

Secretary Nicholson.  Yes.

Mr. Stearns.  What is this going to cost the Veterans Administration?  
Your first diagnosis of this, what do you think this is going to cost 
and you're going to need from this Committee?

Secretary Nicholson.  That's a tough call, because it's going to depend 
on what, you know, what level we decide you-- 

Mr. Stearns.  You're talking about 20 million, 5 million, 2 billion?

Secretary Nicholson.  No, we're talking-- 

Mr. Stearns.  I mean, you must have a figure.

Secretary Nicholson.  We're talking--I would say we're talking way 
north of 100 million.

Mr. Stearns.  So you might be talking about half 500 million?

Secretary Nicholson.  It could be.

Mr. Stearns.  Okay.  Thank you, Mr. Chairman.
[The statement of Mr. Stearns appears on p. 76]
Secretary Nicholson.  Yes, sir.

The Chairman.  Thank you.  Mr. Gutierrez?

Mr. Gutierrez.  Yes, I yield to Corinne Brown.

Secretary Nicholson.  Mr. Chairman, I'm sorry but I'm going have to--
I'm committed to go to the Senate-- 
The Chairman.  Well, I know.  We are going to do Mr. Gutierrez, Miller, 
and then you are gone.  So you have four minutes.

Mr. Gutierrez.  Thank you very much.  I yield to Corinne Brown.
[The statement of Mr. Gutierrez appears on p. 74]
Ms. Brown of Florida.  Thank you very much.  Mr. Secretary, can you see 
me in my nice pretty red suit?  This Monday all of us will be facing our 
veterans in the Memorial celebration.  And I do not know what we are 
supposed to say.  They are going to paint us with the same brush.  What 
assurances will we be able to give about the 26 million veterans' 
records, how have we notified them?  How have we assured the veterans 
that we are going to work with them throughout the process?  And I also 
want to know, you know, some of our veterans say this could have been an 
inside job.  Have we done lie detector tests with everybody involved?

Secretary Nicholson.  Well, as I said, Congresswoman, I hate this I'm 
sure more than you do.  And I'll take responsibility for it.  It 
happened to my organization, and I think what we are doing is everything 
we can in the time that we've had so far to try to get the word out to 
the vets.  We're gonna send them each a letter, but we can't send 26 
million letters instantaneously.  We've found out we can't right now 
even get 26 million envelopes, but we're underway in getting them.  And 
they will each get a letter.  You can help inform us with the 1-800 
number, and the Website, the media.  Because we want each of them to 
know what to do, and to know that right now there is no reason to panic.  
There's nothing, there's no sign that any of this is being used at this 
time.

Ms. Brown of Florida.  Mr. Secretary, I asked a question.  What 
assurances do we have?  Because this identity theft is a very profitable 
thing.  How do you know it wasn't an inside job?

Secretary Nicholson.  Because the local law enforcement authorities that 
investigated the scene of the crime--that's the first question I 
asked, by the way--are convinced that it--that it was a real 
break-in.
[The statement of Corrine Brown of Florida appears on p. 78]
The Chairman.  Ms. Brown, I thank you.

Ms. Brown of Florida.  Well, are we going to be able to give these 
questions in writing to the Secretary.

The Chairman.  Yes.  If anybody has questions in writing, please, you 
can submit them and we will get them to the Secretary.

The last questioner, Mr. Miller, is recognized for two minutes and then 
the Secretary has to leave.  Thank you, Ms. Brown.

Mr. Miller.  Thank you very much, Mr. Chairman.  I did hear the 
Secretary in his opening remarks refer to the fact that there were codes 
that was in this information, so I do think he brought it to this 
Committee's attention, contrary to my colleague's question.

Two things: number one, why would an employee take this information 
home?

Secretary Nicholson.  Congressman Miller, he took it home to work with 
it.  He was working on a project where he was trying to streamline a 
telephonic polling that we do of veterans periodically, and it's done 
randomly, that they're called and asked a series of questions, which is, 
you know, benign.  We're trying to find out what's going on in their 
life, how we're doing with them, how they're doing, and so forth, and he 
thought he had a way that he could make this more efficient in the 
selection of the veterans that we were calling, and he took this data 
home to work it.

Mr. Miller.  And my second question and as of course, we are all 
concerned about the financial implications to the veterans, but I also 
want to know, you know, the financial institutions, banks, credit 
unions, retailers, anybody that may get caught up in this; who is going 
to be responsible for the cost that may be incurred for private entities 
out there?

Secretary Nicholson.  Well, you know, I suppose the ultimate answer to 
that question is going to be up to you all that make the laws.  I mean, 
we're--it happened because of--it happened because of us.

Mr. Miller.  Well, let me ask it this way: what would your 
recommendation be?

Secretary Nicholson.  Well, my recommendation would be that we'd be 
responsible for it.  We caused it.

Mr. Miller.  Thank you.  That is what I wanted to hear.
[The statement of Mr. Miller appears on p. 83]
The Chairman.  All right.  Mr. Secretary, thank you very much.  You and 
Mr. McClain are excused.  Thank you.

I would now like the other witnesses to please come to the table to 
replace the Secretary and the General Counsel.  If staff could help 
them.  What we may have to do is bring your chairs to the front.

To all of my colleagues, while all this administrative shuffle is 
occurring, the team that the Secretary is leaving behind is the team 
that is responsible for cyber security and in charge of plans and 
policy.

There is a hearing on the Senate side that starts at 10:00 a.m., and 
that is the purpose of the Secretary's and General Counsel's exit.  But 
what I wanted to insure for all of my colleagues is that as the 
secretary leaves, these are the individuals who are in the responsible 
positions.

Ms. Berkley?

Ms. Berkley.  Thank you, Mr. Chairman.  With all due respect, and I am 
sure these are the men and women that do the nuts and bolts on this 
issue, but I was hoping to talk to the Secretary, and have an 
opportunity to question him.  Will he be available to us?  It seems that 
something this important, one hour in front of this Committee simply is 
not enough.  Oh, I'm sorry, 45 minutes.

The Chairman.  45 minutes.  We will entertain that.  WWe are going to 
have follow-on hearings.  If the Secretary is necessary we will bring 
the Secretary back before the full Committee.  We can do briefings to 
members.  I will seek your counsel.

Ms. Berkley.  I would appreciate that.  Thank you, Mr. Chairman, and I 
am going to the IR Committee markup.

The Chairman.  All right, thank you.
All right.  Mr. Michaud, you are now recognized.  The Committee will 
come to order, please.  People can take seats and please close the door.  
If somebody can help out and make sure all the nameplates can be read by 
the members, please.

I'm sorry, Mr. Michaud.  I just wanted to say good morning to you.

Mr. Michaud.  Good morning, Mr. Chairman.

The Chairman.  Good morning.  Prerogative of the chair, I would ask 
unanimous consent to rescind the former unanimous consent to yield to 
members for two minutes, and now go back to regular order.

[No response.]

Hearing no objection, so ordered.  Mr. Strickland, you are now 
recognized for five minutes.

Mr. Strickland.  Thank you, Mr. Chairman.  Mr. Chairman, I also am sorry 
that the Secretary is not here.  I wrote down verbatim what he said to 
us, "I am the person ultimately responsible for our veterans, and 
therefore, the responsibility for what has happened rests with me."  I 
am not sure what it means to take responsibility.  I think it ought to 
mean more than just uttering those words.  I think it should imply some 
decisive action.  And quite frankly, if this was the first concern I had 
about the Secretary, I may be a little more charitable in my response.  
But quite frankly, I don't think the Secretary is up to this job, and I 
do hope he takes this opportunity to reconsider whether or not he should 
remain in that position.  I quite frankly have serious questions about 
whether or not he should.

I have a question regarding the fact that many states have enacted 
privacy laws that in some cases certainly supersede the requirements 
that may be currently in place under the VA's system.  Thirty-five 
states have introduced data security legislation.  Twenty-two states 
have actually enacted such security laws, one of those states being my 
home state of Ohio.  Can someone at the table inform me as to whether or 
not the VA takes seriously the states that may exist at the state level, 
and makes efforts to comply with those state security laws, if they are 
more stringent than those currently embraced by the VA?

General Howard.  Sir, Bob Howard.  I have not seen any evidence that we 
have addressed that for the states.  One of the efforts that the Office 
of Information and Technology has been undergoing, you know, throughout 
this incident is trying to determine what guidelines and policies exist.  
I have not seen that, unless any of my other colleagues have.

Mr. Strickland.  Can someone give a definitive answer as to whether or 
not there was a difference in requirements between State and Federal 
law? Or there was a conflict there; would it be likely that the VA would 
attempt to comply with those more stringent state laws, within the 
state?

Mr. Duffy.  Congressman, it's my understanding that Federal law 
supersedes state law.  I believe however that the department makes every 
effort to meet state law where it's consistent with our own rules and 
standards of practice.

Mr. Strickland.  Okay, thank you.  I am curious as to why an employee 
would take this kind of material home.  I mean perhaps he is just a very 
dedicated employee that is willing to work above and beyond what may be 
required of him at his official worksite.  Why was he not doing this 
work during regular work hours?  Can someone speak to me about the 
staffing needs that may be inadequate, that would result in an employee 
taking such action, in terms of taking this kind of data to work on it 
at home rather than doing it at the facility, or at the worksite?

Mr. Duffy.  Congressman, I think in this particular instance we have an 
individual who believed that with--on his own time, and without the 
din of daily work; telephones and meetings and the like, he would be 
able to apply his own time and talent to resolving what to him was a 
basic problem of reducing substantially the size of a survey instrument 
that we were attempting to create.

I would say to you that he fully understood that it was inconsistent 
with departmental policy to take that information home with him, that he 
had no right to remove the materials from his worksite.  He did it with 
all of the best intentions, at least that's my personal opinion.  There 
was no malice a forethought.  I don't believe that there was any 
sinister intent here.  He did it because he wanted to be more productive 
and to come back with a problem solved.  And in all candor, I think we 
attempt to promote individual initiative on the part of our employee 
workforce.  However in this instance, it was contrary to what the rules 
and regulations require regarding safeguarding sensitive personal 
identifier data.

Mr. Strickland.  Thank you.  Just sitting here listening to Secretary 
estimate the potential cost, I think he said it could be over $100 
million.  And if, as the Chairman has suggested, we have the 
responsibility to make whole any veterans who have been harmed, I can 
see where that number could go much, much higher.  Just sitting here 
thinking, the latest I have heard the cost of the Capitol Visitor Center 
was I think something over $500 million, and the work has been going on 
for years and years, and we know what a massive undertaking that has 
been.  So just kind of putting this in perspective, if the lower cost 
estimates of $100 million hold forth, we can see what an incredible cost 
this is going to be to the taxpayer, to the Federal Government, and 
ultimately to the VA administration, and that means ultimately to the 
individual veteran, in terms of how they are served.  So you know, I 
don't think this is a little thing, and I don't imply that any of you 
believe it is a little thing.  I think this is just incredibly serious.  
It is going to be very very costly, even if the best case scenario it is 
that there is no use of this data for, you know, for nefarious purposes.  
It is still in to be incredibly, incredibly costly.  And it is just such 
an unfortunate incident.

Mr. Chairman, I thank you for the hearing.  I do hope that we could have 
the Secretary back at some point in the future, and I yield back my 
time.

The Chairman.  I thank you, Mr. Strickland. I thank you for your 
leadership.  Mr. Strickland and Mr. Bilirakis, Mr. Filner and I want to 
work with both of you because at some point, where do we retain this at 
Committee; where do we do a handoff to the O&I Subcommittee?  We want to 
work with you with regard to our jurisdictions.

I have asked Mr. Opfer to remain with us, as he is not going over to the 
Senate.  This is the VA IG.

And at this point, I am going to yield to Mr. Bilirakis, who has asked 
for his three minutes.

Mr. Bilirakis.  Thank you again, Mr. Chairman.  Mr. Opfer, who do you 
work for?

Mr. Opfer.  Sir, I work for the President and-- 

The Chairman.  Scoot up to a microphone.

Mr. Opfer.  Sir, I am a presidential appointee, Senate-confirmed, which 
means I can only be removed by the president.

Mr. Bilirakis.  Okay.  Very good, that is what I wanted to hear.  Mr. 
Opfer, you know, these things happen and they have been happening.  The 
same sort of thing has been happening over a period of years.  I know we 
have had secretary after secretary after secretary here.  And you know, 
when the media is here, particularly, we speak very brusquely and that 
sort of thing in order to make the media and whatnot.  But you know, in 
my opinion, as I indicated during my two minutes, two minutes-plus, it 
is culture.  It is a culture at the VA.  Maybe it is a bureaucratic 
culture of all the agencies and departments.  I don't know, but 
certainly at the VA.

Let me ask you, sir, when were you made aware of the theft of the data?

Mr. Opfer.  The Office of Inspector General and I particularly were 
never notified by the Department of theft of the data.

Mr. Bilirakis.  You never were?

Mr. Opfer.  Never were.

Mr. Bilirakis.  Never were.  How about that?  Yeah, how did you learn?  
You read about it in the newspaper?

Mr. Opfer.  What happened was on May 10th, the information security 
officer of the Office of Inspector General was attending a normal 
monthly meeting in the department.  And at that meeting, one of the ISOs 
mentioned that an employee of VA had lost data which was stolen from 
their residence.  That information security officer, who is not an 
agent, not an investigator, came back, reported to his supervisor, and 
the next day it was reported into our office of investigations.  We had 
no information other than an employee had lost data that was stolen in a 
burglary in their residence.

Mr. Bilirakis.  And what was your reaction-- 

The Chairman.  Can you pull that microphone closer to you.  We can 
barely hear you.

Mr. Bilirakis.  Yeah.  What was your reaction to that?

Mr. Opfer.  I was not notified then because the information was very 
sketchy.  Our Office of Investigations dispatched agents on Friday, May 
12th, to try and locate the information security officer who had the 
information, and also to locate and start the interview process of the 
employee who had had their residence burglarized.

The information security officer that had the information was not 
working.  The agents attempted to locate him at his residence and left 
messages there, as well as at work.  It wasn't until Monday, May 15th, 
that the Office of Investigations located the subject employee that had 
the burglary, and we conducted the interview.
[The statement of Mr. Opfer appears on p. 101]

Mr. Bilirakis.  Wow.  Well, there you go.  Yeah, I guess the Chairman is 
suggesting I do this.  Misters Duffy and McClendon, why did you not 
notify the IG?

Mr. Duffy.  I'll begin first.  Let me begin by noting that the first I 
was notified of it was on Friday morning, May 5th.  And my notification 
was in hallway conversation with the IT specialist who serves as both 
our security and privacy-- 

Mr. Bilirakis.  In a hallway conversation?

Mr. Duffy.  Yes, sir.  He indicated to me at that time that there had 
been the burglary of one of our data analysts, that some sensitive data 
and information may have been burglarized.  At that time, I asked him to 
do two things: first, attempt to identify and document for me all of the 
data sets and personal identifier elements that may have been 
compromised.  The second thing I asked him to do was to confirm for me 
of what the formal process for notification is in the department 
regarding a matter such as this; that is, where information or data has 
been compromised.

He agreed to prepare for me a memorandum that would identify for me, to 
the best of his knowledge, the information that might have been 
compromised.  With respect to notification, what he told me was that the 
process was to notify the cyber security systems operations center, and 
that they have an incident management process in place for responding to 
these types of issues.

Later that afternoon, sometime around 3:30 in the afternoon, I received 
the first initial memorandum from my IT specialist that identified in 
rather generic terms the data and the information that appeared to have 
been stolen.  I talked at that time with Mr. McLendon, who is the deputy 
assistant secretary for policy.  He asked for an opportunity to have a 
member of his staff, who has dramatically more familiarity with the data 
sets, take a look at it, and review and validate that information, and 
indeed he did that.

Monday morning, the eighth, we had a new, more detailed memorandum on 
the nature of the information that was contained on the hard drive that 
was stolen.

On Tuesday the ninth, early afternoon, I had a meeting with the 
department's chief of staff, Tom Bowman, and informed him at that time 
for there had apparently been a burglary, and that some significant 
personal data may have been compromised, and indicated to him at that 
time that I thought it important that senior leadership get together and 
identify exactly what our responsibilities were regarding notification 
to the beneficiaries whose information might have been compromised.

Mr. Bilirakis.  Did you ever take in consideration when you should 
notify the IG?

Mr. Duffy.  Sir, with all due respect, my understanding was that all 
that would have been processed through the incident management reporting 
system in cyber security, in the SOC.

The Chairman.  Oh, so you are blaming who?

Mr. Duffy.  I'm not blaming anybody.  What I'm telling you is what was 
in my mind.  And what was in my mind was two things: one is that we had 
made formal notification through our IT systems specialist to cyber 
security, that they have that responsibility.  The other point that I 
would make to you is that when I had information in hand, it was 
provided up the chain to those above me regarding the fact that the 
information may have been compromised, and our need to take some 
affirmative action.

The Chairman.  Mr. Bilirakis, may I?

Mr. Bilirakis.  Well, my time as long up.  Yes, sir, by all means.

The Chairman.  Mr. Cadenas, you are sitting right there.  What do you 
think about what Mr. Duffy just said?

Mr. Cadenas.  Well, sir, because we get a number of reports on a regular 
basis, the SOC, the Security Operations Center, did receive this 
notification.  But before it's escalated, it must be confirmed that a-- 
because the original message that came in says "possible compromise."  
So part of the process is we contact the information security officer to 
validate if in fact it has been compromised.

A number of days had lapsed.  We started beginning our own 
investigation, asking additional questions, and the information was not 
forthcoming, as well.  Still had no valid confirmation that the 
information was lost or stolen or anything to that effect.  We're still 
dealing with the compromise, potential compromise, of information.

During the course of the process, we asked the information security 
officer to also contact the privacy officer based on the information 
that you identified that was on there.  We later found out--I don't 
know if it was my office or the individual himself, there was a privacy 
office ticket violation opened up on that.

I found out about this incident on the 16th, as well, and my team, they 
were trying to conduct their due diligence to validate that this in fact 
had happened.

The Chairman.  Do you work with the IG?  Do you ever report these 
incidents to the IG?

Mr. Cadenas.  Well, yes, sir.  We have understood rules of engagement.  
Once it reaches a certain level, any incident reaches a certain level, 
we back off because now it could be a potential criminal investigation, 
and then we hand off.

The Chairman.  But the IG has testified that he has never even received 
this yet.  So when does this rise to the level of concern?

Mr. Cadenas.  Well, in looking at the entire incident, sir, because this 
does not fall--and I don't mean to sound like the bureaucracy here  
--  but because it does not fall under cyber security, this was not a 
cyber security attack or hack, we tried to follow up with the privacy 
office, and we ran it up the chain.  This is a privacy issue.

The Chairman.  Okay.  It is not your problem, I guess now it is not 
yours.  Now it is not the privacy guy.  We don't have the privacy guy at 
the table?

General Howard.  It is a bureaucracy, Mr. Chairman, and it is culture  -
- 

The Chairman.  All right, let me just pause a moment.

General Howard.  Mr. Chairman-- 

The Chairman.  Ms. Brown, you are now recognized.  Hold on, I know you 
want to say something.  But Ms. Brown wants her three minutes.  I need 
to yield to her.

Ms. Brown, you are recognized for three minutes.

Ms. Brown of Florida.  Well, I hate to break the chain.  I am going to 
let you answer your question, and then I will go to mine.  Just finish 
what you were saying.

General Howard.  I just wanted to comment that--that there's the 
constant refrain of "it's just a large bureaucracy."  It is indeed a 
large and complex structure, but it is not so large that we don't talk 
to each other.  And the truth is that a number of days passed where the 
information was being reviewed and validated.  The burglary took place 
on the third.  On the fourth, the employee did not report for work.  He 
was told by--as I understand it, the home had been ransacked, and he 
had been told by police to secure his premises and the like.  So he was 
not in.  He did not come in until the morning of the fifth, on that 
Friday.  That's the day when Mr. McLendon and a senior data analyst sat 
down with the individual and talked specifically about the nature of the 
data that may have been compromised.  And it was only after a full day 
of discussions with somebody who quite candidly appeared to be fairly 
distraught about the whole incident.

Ms. Brown of Florida.  Well, do you know this is a meltdown?  And the 
secretary said he didn't find out about it until the 16th?  When did the 
secretary find out?

General Howard.  He indicated the 16th.

Ms. Brown of Florida.  It is a complete failure.  Since 2001, has your 
office requested changes that would limit anyone's ability to remove VA 
data to a personal computer or storage device?

Mr. Cadenas.  Yes. Yes, ma'am, the office of-- 

Ms. Brown of Florida.  Yes, what was the result of that action?

Mr. Cadenas.  We do not have the authority to enforce any such request.

The Chairman.  Ms. Brown?

Ms. Brown of Florida.  Yes, sir?

The Chairman.  If you pay really close attention to the response that he 
just gave, what I just learned from last night, and I want to make sure 
I get to all the members, I have a March 16th, 2004 document from Tony 
Principi, when he was the Secretary.  And he instructed that the chief 
information officer be the individual that is responsible.  We need 
somebody in charge of all this.  Then we have the General Counsel.  He 
writes an opinion.  And in his opinion, he says that the CIO does not 
have that authority.  And matter of fact, Mr. Cadenas here with cyber 
security can only do compliance.  He does not have the authority to 
demand anybody to do anything.  He can only say whether somebody has 
complied or not.

I yield back.

Ms. Brown of Florida.  It is a complete meltdown.  The system is not 
working for the veterans.

To your best knowledge, does anyone other than VA employees take home or 
store veterans' personal information; names, Social Security, date of 
birth, financial, medical, anywhere in VA?  Is there a statute, 
regulation, or policy, that allows that action?

General Howard.  Ma'am, we have procedures in place to permit telework, 
virtual connections, you know, through laptops and what have you.  The 
only clear guideline that I have personally seen on the rules of the 
game, regarding taking information away from a VA facility, is contained 
in the guideline that the secretary mentioned during his testimony.  And 
there are two specific items in that guideline: one is to take 
information such as what we are talking about away from a VA's facility, 
the individual has to have permission.  And the second key part of it, 
it must be encrypted.  Clearly, both of those elements were not 
followed.  But that guide--it's in a guideline.  It's not a 
directive.

Ms. Brown of Florida.  Oh.  God, we need help.  This is unbelievable.  I 
am going to yield my time, but I can tell you that this system is a 
failure.  I mean, we are not talking to each other, we are not 
communicating.  You can't tell me how many other people have this 
information, that could have this data at home.  It is not illegal to do 
it.  It is a regulation, it is not--do you hear what he is saying?

[Laughter.]

Mr. Bilirakis.  What the gentle lady yield?

Ms. Brown of Florida.  Yes.

Mr. Bilirakis.  Yeah.  The VA Inspector General in his November '05 
report entitled "Major Management Challenges; Fiscal Year 2005," stated 
that, quotes, "VA has not been able to effectively address its 
significant information security vulnerabilities and reverse the impact 
of its historically decentralized management approach," end quotes.  And 
there you are.

That is why I keep going back to this culture business, this environment 
business, because that is where the problem stems from.  Mistakes are 
made.  I mean, we are all human beings.  But continually, continually, 
and the frustrations of IT, and the lack of security.  Thank you, Mr. 
Chairman, thank you for-- 

Ms. Brown of Florida.  I think it has to go back with whose 
responsibility it is.  I think the ultimate responsibility is with us.  
As a co-equal branch of government, we have not done our job.

The Chairman.  Well, we passed the CIO Bill, ma'am.  When I look at this 
for the members, I would ask unanimous consent that the documents which 
I referred to in my discussions with Corrine Brown be submitted for the 
record.  And in particular, the memorandum from Secretary Principi dated 
March 16th, 2004 be entered into the record.

[No response.]

Hearing no objection, so ordered.

[The attachment appears on p. 132]

The Chairman.  I would ask that the General Counsel's memorandum dated 
April 7th, 2004, be entered into the record.

[No response.]

Hearing no objection, so ordered.

[The attachment appears on p. 133]
The Chairman.  The Secretary Principi, this is what he says:

"Cyber security is everyone's responsibility, and all employees are 
accountable for protecting VA's computer and information systems.  
Specifically I have tasked the Assistant Secretary for information and 
technology, the CIO, Bob McFarland, with responsibility to devise and 
implement a department-wide cyber security program under the Federal 
Information Security Management Act."

We passed that act.

"I expect all employees to fully support and cooperate with the 
implementation of the department's cyber security policies.  It is my 
intention to ensure that the Assistant Secretary McFarland has all the 
power and authority necessary to carry out the heavy responsibilities 
associated with cyber security in the department.  This will include 
certain administrative and supervisory authority over employees directly 
involved in the implementation of cyber security policy.  Appropriate 
directives, policies, personnel regulations, are being drafted to 
effectuate my intentions."

We have the acting CIO in front of us, former Major General Howard.  Now 
the problem is the General Counsel comes along and does an 
interpretation and says they CIO does not have these authorities.  And 
that is what we now end up, we have got a mess in that bureaucracy.

Ms. Brown of Florida.  Mr. Chairman, could I--30 seconds?

The Chairman.  Yes ma'am.

Ms. Brown of Florida.  Mr. Chairman, we often passed bills, and then the 
agency will come up with regulations that's just opposite of what we 
pass.

The Chairman.  Well, that is why we have been working on this Committee 
in a bipartisan fashion, ma'am, to bore through this, but we have a 
bureaucracy that is recalcitrant.  We have individuals sitting at this 
table.

Yes, Mr. Duffy, I just saw your reaction.  You and I have a complete 
disagreement with regard to centralization versus decentralization.  You 
fought us all along.  You go, "Oh, this is my business.  Stay out of my 
world."

Well, now that the problems we have got.  We said, "Okay, we are going 
to leave it to you, we are going to leave it to Mr. McLendon," and look 
what we have got in a decentralization.

Mr. Duffy.  Mr. Chairman, with all due respect, I have never taken a 
position on centralization or decentralization of IT.  It has nothing  -
- 

The Chairman.  Thank you for your views, Mr. Duffy.

Mr. Duffy.--it affects me only on the margins.  And trust me, I 
have not entered that-- 

The Chairman.  Well, that's one hell of a margin for a veteran.

Mr. Duffy.  Well.

The Chairman.  I yield to Mr. Miller.

Mr. Miller.  Thank you, Mr. Chairman.  I have already asked my 
questions.  I will yield back my time.

The Chairman.  All right.  I have been asked to meet with the Speaker.

Mr. Bilirakis.  [Presiding].  Okay, where are we here?  Mr. Boozman?

Mr. Boozman.  Yes.

Mr. Bilirakis.  Mr. Boozman is recognized for five minutes.

Mr. Boozman.  Yeah, I would like to know a little bit about what 
happened.  So the place was broken into, and not just the computer was 
stolen, but the whole place was ransacked?  I think somebody alluded to 
that earlier.

Mr. McLendon.  I'll be glad to answer that, Mr. Boozman.  The employee 
had left to go home from work.  His wife is also a government employee.  
She arrived home to find the home having been broken into and ransacked.  
She called her husband and reached him on the cell phone when he was I 
guess in the parking lot fixing to get in his car to drive home.  As 
best I understand it, she arrived home somewhere around maybe 3:30, 4:00 
o'clock in the afternoon.  So they did the notification to the police.  
When he finally kind of got a handle on what was going on, he called the 
office.  The secretary got ahold of me, and I called him just a few 
minutes later, probably somewhere around 5:30, quarter of six that 
afternoon.

He was very distraught, as you can imagine.  He was also concerned 
because his wife had found a break-in, and he was kind of after-the-fact 
concerned that maybe somebody was still in the house.  He described that 
the house had been ransacked, that they had gone through drawers 
upstairs, and drawers all over the house, and that things like change 
that we would normally put in a glass jar or something was missing out 
of drawers.  He described kind of the state of the house, and how they 
had broken into a back window.  And then he said that, you know, that 
they had taken--he was surprised at things that they had passed up 
in the house, you know, like silver and those kind of things, but it 
appeared that they had grabbed his personal laptop and external hard 
drive when he had--when they had left.

And it was at that point that just straightforwardly, and I have to give 
the individual credit for this, that he said he believed that there was 
some veterans' data on his hard drive.  And I have to say that to this 
day, that that individual does not understand that there are many people 
who would not have self-reported that information.  But he did, and he 
acknowledged on the phone that he knew that he was not supposed to have 
done that, and he just had no explanation as to why.  And clearly, he 
was just very distraught at the incident.

So he was--the police were still there.  He said he needed to work 
with them.  He had already notified VA security office about the 
incident.  He was not at work the next day because the police had asked 
him to secure his home and be available for questions and whatever.

Early the morning on Thursday morning--and also I have to say, after 
I talked to the gentleman that afternoon, I contacted the individual in 
our office who is the most technically knowledgeable about the details 
of the data and systems, to also called the individual to try to elicit 
more information from him.  And so then he reported back to me, so that 
early Thursday morning, that individual, Dat Tran and I sat down with 
the information security officer for the office of policy planning to 
relate everything we knew up to that point, and to say, "Okay, now you 
tell us what the process is and what additional information that is 
gonna be required."

And he very matter-of-factly laid out what he said he knew the 
procedures were, just like Dennis acknowledged, about what was gonna 
happen, who he would be generally talking to, and he says if I need any 
more information, or when I do, I will come back and tell you.

Mr. Boozman.  So if he hadn't self-reported it, then we really would 
have had no way of knowing that the data ever left the office, or 
whatever.

Mr. McLendon.  No, sir, we wouldn't have.  And I think it's important to 
remember that this is not a case in which information was put up on the 
Internet for wide public access.  It was, he had taken some disk from 
work that he was using, to use on his external hard drive at home, to 
continue to do work.  He's a Ph.D. analyst-- 

Mr. Boozman.  What are the police saying?  I mean this happens all the 
time, you know, sadly, in the sense that places are broken into.  What 
is the customary stuff, when you steal electronics--first of all, 
who are they saying are the likely thieves?  What kind of profile do 
they have?  What do they customarily do with this stuff when they get 
it?

Mr. McLendon.  Depends upon--I'll just say from my personal 
experience, I have been through this, it could be anywhere from kids to 
more professional individuals who are looking for easy prey and things 
they can quickly turn a dollar on.  I don't believe that the police 
report or the FBI has completed their investigation yet, so we will just 
have to wait and see what they say.

Mr. Boozman.  Thank you.

Mr. Bilirakis.  The gentleman's time has expired.

Mr. Boozman.  Mr. Chairman, also, could I have a statement put in the 
record, please?

Mr. Bilirakis.  Oh, yes.  That, you see, took place before you came in.

Mr. Boozman.  Okay, thank you.

[The statement of Mr. Boozman is found on p. 89]

Mr. Bilirakis.  Mr. Salazar to inquire.

Mr. Salazer.  Thank you, Mr. Chairman.  We do appreciate this.

As I hear more about what happened and the items that were taken during 
this burglary, it seems like you were talking, Mr. McLendon, that silver 
was passed up, and other things.  It almost seems to actually send up a 
red flag because it seems like the computer was targeted.

We introduced legislation a couple days ago.  It is HR-5455, the 
Veteran's Identity Protection Act, which will actually provide free 
credit reports for veterans who might have been affected by this for a 
period of one year.  Could someone in this panel maybe address that?  
And do you think this is something that should be done?

Mr. Henke.  Sir, I am not familiar with the particular legislation you 
cite, but obviously our first concern is to protect veterans.  And as 
the Secretary has indicated, he would be more than happy to work with 
the Congress to find ways to do that and take those steps that are 
necessary.

Mr. Salazer.  Well, what this particular legislation will actually do, 
is provide free credit reports for veterans for a period of a year to 
make sure that in case some of their credit information has been 
breached, that it would not necessarily have to come out of their 
pockets.  Of course, you know, the first credit report is free for any 
time that you apply.  But after that, you have to pay for it.

Of course this will cost taxpayers, and VA maybe, an incredible amount.  
I think the price tag is 1.5 billion for the first year.  Would you be 
supportive of that?

Mr. McLendon.  Let me just make a general comment.  I think it's very 
fair to say that the department certainly takes it seriously.  There 
have been a lot of discussions over the last week about exactly how 
could we do something like that, what the mechanics would be, what the 
logistics are associated with doing that, how that would occur.  And the 
department is actively looking at how to bring that about, those kind of 
things, right now.

Mr. Salazer.  Thank you.  Mr. Chairman, there are a lot of people here 
that want to ask questions, so I would like to submit my full statement 
for the record.

Mr. Bilirakis.  The chair appreciates that.

[The statement of Mr. Salazar is found on p. 93]


Mr. Bilirakis.  Mr. Moran, to inquire.

Mr. Moran.  Mr. Chairman, thank you very much.  Perhaps what is most 
troublesome to me about this scenario is the failure to communicate to 
the Secretary in what I would consider a timely fashion.  And I 
understand Mr. Filner asked the question earlier about what level this 
information reached, as far as the hierarchy of the Department of 
Veterans Affairs.  And you know, I am interested in knowing, you know, 
why the Secretary was not notified immediately.  I would at least like 
to think in my own professional life that something dramatic happened 
that I would be at the top of the list of people who would know.  And I 
don't know whether it is a concern with the attitude, I should have a 
concern with the attitude of VA officials as, "This is something we 
don't want to tell our superiors."  Or it is a distance by the 
Secretary; he is not there, interested, available.

I cannot imagine that is the case, but there is something--again, 
Mr. Bilirakis's word, the "culture"--that is troublesome to me, that 
we wouldn't immediately go to the top leadership, the leader of the 
Department of Veterans' Affairs with this kind of information.  So I am 
interested in any thoughts that you all have as to what the problem 
would be that this would not be seen at the VA as an incident that would 
be immediately reported to the leader of the department.  I am curious 
just to know whether in the course of time you have observed other 
departments, studied what their security measures are, how this is 
prevented.  I am interested in knowing if there are other departments 
out there within the Federal Government that are role models that the 
Department of Veterans Affairs should have been following.  Or other 
disasters waiting to happen at other cabinet-level positions, other 
departments within our Federal Government, that we as members of 
Congress should be aware of.

And finally, a more practical question: my constituents, my veterans are 
calling, asking, "you think that information about me or my spouse are 
in these records?" Example, a Vietnam veteran discharged in 1972 who has 
now deceased, his spouse, his wife is calling to say, "Is there any 
chance that there is information there about my husband or me?"

And so if there is information that you can provide as to how we can 
answer the calls we are receiving as to who is included in this 26.5 
million veterans whose records are released.

I thank the Chairman.  Anyone, respond to any or all of those.

General Howard.  Sir, you ask a number of questions.  I would like to 
recommend we answer all of them for the record.  But let me address a 
couple of them.  You mentioned the other government agencies.  One 
government agency that is a role model is Social Security.  You know, 
they constantly get very high grades with protection of information.  I 
know that for a fact.

There are others besides VA that don't get high grades, I know that 
also.  It is a very real problem in other government agencies, I don't 
recall the scores.  When you say the Veterans' Affairs is fairly low, 
you're exactly right.  You know, our grades have not been high.  But as 
I say, there are role models.  There are definitely things that we can 
do to improve things.

Mr. Moran.  What you are telling me is that what has occurred at the 
Department of Veterans' Affairs may not be an anomaly, but something we 
could to see repeated elsewhere?

General Howard.  Sir, with respect to the magnitude it may be an 
anomaly.  You know, what's significant--obviously, the loss of any 
data is a serious problem, but it's the magnitude of this one that is so 
troublesome.  I suppose it could occur in other government agencies, but 
you know, I really can't comment on that.

Mr. Moran.  Any explanation of the nature of the VA that the Secretary 
would not know this immediately?

Mr. Duffy.  Congressman, I'll make an effort to answer it.  And that is 
that in all candor, I don't believe anybody had a true appreciation 
originally of the magnitude, the size of the data set that was lost.  
When I first heard that there was a BIRL's extract, while I knew from my 
own experience that the BIRL's record is a large data set with millions 
of records, my own thought was, "Well, he probably extracted some very 
small subset of that record."  And once notified, I think what we did 
was we attempted to do due diligence.  And that is, we first of all 
attempted to get the facts.  And once we had the facts in hand, we 
provided them to the chief of staff, who in turn said, "Well, let's work 
with the general counsel to assess what our obligations or 
responsibilities are here."

And it was that process that took some time.  Now, should the Secretary  
--  in hindsight, obviously the Secretary should have been notified 
earlier.  But again, I think originally there was no sense of the size 
or magnitude of the data loss.

Mr. Moran.  Can you assure us that there was no cover-up involved?

Mr. Duffy.  I can certainly assure you of that from my personal vantage 
point and from dealing with the individuals that I have dealt with.  
There absolutely was no effort, no attempt at all.  We made every effort 
to do what we thought was the right and prudent thing.

Mr. Bilirakis.  The gentleman's time has expired.

Mr. Moran.  Thank you Mr. Chairman.

Mr. Bilirakis.  Ms. Hooley to inquire.

Ms. Hooley.  Thank you, Mr. Chair.  This is really frustrating, and 
there are so many troubling things about this incident. This is one of a 
string of data breaches that have happened in all kinds of other 
industries, and is why I think we need some kind of data security 
legislation, which I have championed in the Financial Services 
Committee.  I have also introduced legislation that would require VA 
administration to provide veterans six months' of free credit reporting, 
that there would be authorized funding, and that you would also have 
negotiating powers so that you can get the best price for the monitoring 
services.  There has been a lot of estimates about what this would cost. 
We have gotten estimates anywhere from 25 million to $1.2 billion, so it 
is a wide range.  And hopefully, we can narrow that piece down.

My question is, if this legislation passes, could you implement that in 
a very timely manner to help our veterans?  And are you prepared to 
negotiate the best price for credit monitoring services?  You can answer 
that now or wait until I am finished.

And I guess the third question would be, could you start that process 
right now?  Do you have to wait for legislation to pass?  Can you start 
the process right now?

Fourth, right now you are giving I think some good advice, but it is 
very reactive.  You're saying, you know, "Please monitor this, call your 
bank," you know, all of those things.  But why aren't you more 
proactive?  For example, you could say to every veteran, "You could put 
a fraud alert on your credit report"  If they put a fraud alert they 
automatically get a free credit report.  Right now, even without having 
their information taken, or stolen, or breached, they can get a free 
credit report every year.  I mean, that is the law, currently.  And if 
they get one from each credit bureau, they can do one credit bureau, and 
then another credit bureau, and another credit bureau, they can get a 
free report every four months.

So it seems to me there are some very proactive things you can tell all 
of the veterans that have had their, security breached, you can give 
them that proactive information today.  And my question is, are you 
doing that; and if not, why not?  Then-- 

Mr. Bilirakis.  Wouldn't you not like to get some answers to those?

Ms. Hooley.  Yeah, I am ready to get answers any time they are ready to 
give them to me.

Mr. Bilirakis.  Yeah.

Ms. Hooley.  And then I have one last question.

Mr. Bilirakis.  Good.

General Howard.  Some of that information is on one of the Websites that 
the veterans are referred to.

Ms. Hooley.  Some of the information.  I know what is on your Website, 
and it is very reactive, saying "Monitor this," but it is not proactive, 
and there are some very specific things they can do that will make a 
difference on whether or not they have their identity stolen, which is a 
huge problem if that happens.

General Howard.  That's what I meant.  Some of that--things that 
they can take, what they are authorized, is available.

With respect to additional items like credit monitoring and things like 
that that Veterans' Affairs could pay for, I'll defer to Bob Henke.  We 
get into budget issues and authorities to pay for that sort of thing.  
Obviously, we're prepared to do anything that we need to do, but I'd let 
Bob comment on the financial aspect of it.

Mr. Henke.  Ma'am, I went to the Websites that we have set up for this 
particular incident, and it does link you to the opportunity to get a 
free credit report, and for every member to put a 90 day fraud alert on 
their individual accounts, so that information is out there, through 
both the VA Websites and firstgov.gov.

Ms. Hooley.  Is that your recommendation?  I mean, do you recommend that 
happen, that they do that?

Mr. Henke.  That members-- 

Ms. Hooley.  I mean, it is on there.  When they go onto the Website, 
what are the things that you tell them that they can do, the first 
things they can do?

General Howard.  Monitor their information.

Ms. Hooley.  Monitor their information.  Which is good advice.  But 
there are some proactive things they can do immediately.  You say, you 
know, Put a fraud alert on.  What does that mean if they do that?  How 
long does that last?  It lasts 90 days.  They get a free credit report.  
I mean, I think that is the kind of proactive information you should be 
giving your veterans.

Mr. Miller.  Congresswoman, I think it's fair to say that the Secretary 
and this task force is indeed looking at a whole host of different 
affirmative steps that the department can take, all the way to perhaps 
providing credit monitoring.  What we need to do is lay out what those 
potential options are, what the costs are that are associated with them, 
and what authorities we have.  I think the secretary made clear that we 
were going to do everything in our power to mitigate whatever adverse 
impact this may have on the veterans whose data was compromised-- 

Mr. Bilirakis.  The gentle lady's time has expired.  But Mr. Duffy, with 
all due respect, you know, meetings, consultations, "we are looking at 
it, we are trying to decide what authority we have."  In the meantime, a 
lot of bad things can be happening. I think that's what the gentle lady 
is saying, sure.

Ms. Hooley.  I just want you to take some leadership.  That's what I 
want you to do.  I want you to take some leadership.

Mr. Bilirakis.  Yeah, well.

Ms. Hooley.  Excuse me, Mr. Chair.

Mr. Salazer.  Especially for people who don't have computers.

Mr. Bilirakis.  Well, that is another point.  There are many veterans 
out there who don't have computers.  So you can't just look at that one 
particular way to do it.  There are public service announcements that 
all the television stations as broadcasters are required to make 
available.

General Howard.  And the department is taking steps now to send 
individualized letters to every veteran that we can indeed identify, to 
notify them personally.  You are absolutely right about not everybody 
having a home computer.

Mr. Bilirakis.  Well again, as Ms. Hooley said, take some leadership 
here.  Let us not just sit back and, "we will let these bad things 
happen"--then the cow has already left the barn, or whatever the 
proper terminology is.

Let us see, Mr. Bradley to inquire.

Mr. Bradley.  Thank you very much, Chairman Bilirakis.  I would just 
like to start out by thanking you, and Mr. Filner, and Chairman Buyer, 
for your leadership in making sure we have this hearing in an 
expeditious fashion.

Not to beat a dead horse, but my concern I think with some of the other 
more recent questioners is the 27 million people that have potentially 
had their data stolen, and it may well be used.  Let me try to 
encapsulate what I think you have said today in terms of procedures that 
are in place, or about to be in place:

You are going to write a letter to all 26.5 million, but you don't have 
envelopes, so we don't know when that is going to happen. There is a 
Website.  The question that Ms. Hooley asked is why is there no fraud 
alert on it?  There is a call center with an 800 number.  Are there 
enough operators, and is the information clear?  There are expedited 
procedures at credit bureaus.  How helpful that is, that would be a 
question I would have.  Equifax has a toll-free number.

We don't know that there are any problems yet, which I guess is good 
news.  Secretary Nicholson I think made a pretty clear statement.  The 
VA is responsible.  Let us admit the reality.  That means we are 
responsible, and we are going to have to deal with this, in terms of 
responsibility.

So, in terms of questions, do you have authority right now under your 
existing authorizations and budget, authority to pay for any credit 
checks, counseling, or any other expenses such as that?  And number two, 
do you have statutory authority to make people whole if they do have 
identity theft problems?  Or if you don't have that authority, are you 
prepared to work with us immediately so that we can take the legislative 
steps necessary to give you that authority?

General Howard.  We are clearly prepared to do anything we need to do, 
sir.  We do not believe we have the authority to do that right now.

Mr. Bradley.  Either authorities I asked?  You don't believe you have 
the authority to compensate for counseling, for credit checks, or any 
other expenses that are preventative in nature?

General Howard.  I don't believe so.  No.

Mr. Bradley.  And if you don't have that authority, you probably don't 
have the authority to make people whole in the event that problems do 
manifest themselves.

General Howard.  I don't believe so, sir.  We would need some additional 
authority.

Mr. Bilirakis.  I understand that Mr. McLean left with the Secretary to 
go over to the Senate.  But his assistant is here?  Can you answer that 
question, sir?  Mr. Thompson, Mr. Jack Thompson?

Mr. Thompson.  Yes, sir, I am Jack Thompson.

Mr. Bilirakis.  Yeah, why don't you pick up that mic, and maybe you can 
respond to that.

Mr. Thompson.  Yes, sir.  We have determined that VA does in fact, 
incident to its authority to administer these benefit programs, have the 
inherent authority to provide, to fund credit checks for individuals.  
What we lack is clear authority if any individual suffers economic 
damage as a result of identity theft.  Those sorts of losses perhaps 
could be compensated through an action under the Federal Tort Claims 
Act, based on Federal negligence.  But quite frankly, there would be a 
number of legal obstacles in the path of anybody who needed to go that 
route.

Mr. Bilirakis.  Well, now, sir, would your department, your office, 
furnish this Committee your opinions regarding what additional authority 
might be needed so that we can do whatever is necessary I guess through 
legislation if you don't think they have the authority?


ATTY A  Yes, sir-- 

Mr. Bilirakis.  Let us not wait until it happens I guess is what I am 
saying.


ATTY A  Yes, Congressman.  We would be glad to.

Mr. Bilirakis.  Many of furnish that to us as soon as you possibly can?  
Good, all right.

Mr. Bradley, I am sorry to take up your time.

Mr. Bradley.  Not a problem.  Glad to accommodate you, Mr. Chairman.

So having answered the first question about authority, that you do in 
fact have the authority, it would seem incumbent upon all of you to make 
sure that in the widest possible venues, whether it is the letter, the 
call centers, the Website, public service announcements, on and on and 
on, that you disseminate the information that in fact veterans will be 
compensated for, if they have expenses to do with credit counseling 
checks or any other expenses, on that first authority I asked you.

And I look forward to working on a bipartisan fashion with all the 
members on this Committee on the second authority, which we need to do, 
it would seem to me, as soon as possible.

Mr. Bilirakis.  I thank you, Mr. Bradley.  I thank you, Mr. Thompson.

Mr. Udall to inquire.

Mr. Udall.  Thank you, Mr. Chairman, and let me say this in listening to 
all of you and listening to the Secretary, it seems to be like a comedy 
of errors, and I think you can probably understand why so many members 
of this Committee have expressed on both sides of the aisle a great deal 
of displeasure with what has gone on here.  We do not have to tell you, 
these are men and women who have served this country, and potentially we 
have put them in a situation violating their privacy, and costing them a 
significant amount of money.

And Mr. Chairman, I would like to echo what others have said.  I think 
we have many questions that were unanswered from the Secretary.  He is 
the one in charge of this department.  We should bring him back here and 
get those answers.  I mean, the thing that he said that was shocking to 
me, to hear this happened on May the third, and he did not learn until 
the 16th of May, and he is the guy running the department.  
Theoretically within the Veterans' arena, the buck stops at his desk, 
and all of you that work for him, it did not get to his desk for 13 
days.

And I guess my first question is why is that the case?  Why did none of 
you that are here, or anybody else, report to him for 13 days what had 
gone on?  We heard from you, Mr. McLendon, we heard that you interviewed 
and had the information.  You knew there was a breach on the 5th.  It 
would seem to me that that would be the date that someone would report 
to the Secretary that we have had a very serious problem here.  Can 
anybody answer that?

Mr. Filner.  Tom, can I just add half a sentence?

Mr. Udall.  Yeah, sure.  Please, yeah.

Mr. Filner.  Mr. McLendon testified earlier that on the fifth you called 
the secretary.  I do not know who you meant.

Mr. Udall.  Because the Secretary in his testimony here said he did not 
learn until May the 16th is what-- 

Mr. McLendon.  I was referring to our administrative secretary in our 
office when I said "the secretary." She's the one that first get the 
call.  If I could just add from my point of view, is we have a process 
in place that says, and we are trained do this, that you notify your 
security and information privacy officer, and there is a protocol that 
they follow as to what they do.  And that's what we did.  And I think 
General Howard would probably say the same--we were both trained by 
the same building--that when you have a protocol and process in 
place, you pass that information along, you do the due diligence that's 
required, and you give them the information.  And you wait for them to 
tell you what it is that they need to move this process forward.

Mr. Udall.  But Mr. McLendon, Mr. McLendon--after you did your 
interview, you knew on the fifth that 26 million veterans' information 
was out there and had been stolen.  And you had a process clearly--
you had a process clearly to follow-- 

Mr. McLendon.  No, sir--no sir, we did not know that on the fifth  -
- 

Mr. Udall.  When did you know that, then?

Mr. McLendon.  We began doing due diligence when [Stricken from the 
record upon request of the Presiding Chairman] was able--came back 
to work on Friday.  And talking to him about what he thinks that he had 
done.  And that's when a memo was prepared on the eighth, that as Mr. 
Duffy shared with you what happened with that, that-- 

Mr. Udall.  But when did we know that 26 million veterans had 
information that was in that disk, was in that hard drive that was 
taken?  When did we know that?

Mr. McLendon.  I don't think we completely knew that until somewhere 
around the 16th.  And let me-- 

Mr. Udall.  Why did it take so long to figure that out?  I mean, you had 
the employee in your office.  He told you what he was taking home.

Mr. McLendon.  Well, by this point the employee had already been placed 
on administrative leave, and-- 

Mr. Udall.  You did not do a thorough interview of him before?  Before  
-- 

Mr. McLendon.  Yes, we did a thorough interview.  The IG did several 
interviews with the individual.  But you have to sit down and go through 
a fairly painstaking process of looking at all of the records that are 
in a file.  And let me just make a comment about Burrels-- 

Mr. Udall.  Well, let me ask you one question here because I wanted to 
ask the secretary this, but the VA has an internal system to rate the 
sensitivity of veterans' data, from a one to a nine, with a level nine 
reserved for VIPs like the president of United States, or a member of 
Congress, or a cabinet member.  In 2001, the VA stated that only 43 
people had VA-wide, were authorized access to those records.  Was this 
GS 14 individual specifically authorized access to all sensitivity 
levels, including Cabinet member records, prior to the incident?

Mr. McLendon.  Not as far as I know, sir.

Mr. Udall.  So there was no authorization.

Mr. McLendon.  Sensitivity levels are established in a very strict way 
within VA in terms of access.  I would not even have access to that 
information.

Mr. Udall.  Thank you, Mr. Chairman.

[The statement of Mr. Udall appears on p. 91]

Mr. Bilirakis.  Talking about insensitivity: without objection, the name 
that was uttered by Mr. McLendon will be struck from the record.

Mr. McLendon.  Excuse me, Mr. Chairman.  I didn't understand that.

Mr. Bilirakis.  Well, there was a name mentioned of the employee.  That 
will be struck from the record.

Mr. McLendon.  Oh, oh, oh, yeah. Okay.  Yeah.  Yeah, yeah, yeah, yeah.

Mr. Bilirakis.  Without objection.  Ms. Brown-Waite to inquire.

Ms. Brown-Waite.  Thank you very much, Mr. Chairman.

Any member of Congress whose district office is helping constituents, 
including veterans, if one of our employees took this information home 
and the same thing happened, we would immediately fire that employee for 
putting the constituents at risk.  General Howard, you referred to the 
"rules of the game."  The problem is this is not a game.  It was not a 
game.  You know, the guidelines, that the VA had put down were kind of 
like suggestions.  We often hear that people believe the Ten 
Commandments are suggestions.  So obviously, you all put this down as 
suggestions.

The VA has had problems that the IG has reported: information, security, 
material weaknesses, every year since the 1997 audit.  This is 2006, and 
this has happened?  I am sorry, what are you all doing over there?

Back in our individual districts, the medical care that is being given 
is excellent.  But I will tell you, our constituents believe that 
Washington DC is La-la land, and I have sat here from the beginning 
listening to everybody, and I am starting to absolutely agree that this 
is La-la land, because you all are in denial.

Is the employee on paid administrative leave, or unpaid administrative 
leave for taking this material which he was not authorized to take?  Mr. 
Pittman, can you answer that?

Mr. Pittman.  Paid.

Ms. Brown-Waite.  Would you please stay by the microphone.  He is on 
paid leave?  Is there a reason why if he was not authorized to take this 
why he was not fired?

Mr. Pittman.  Yes, ma'am.  From the very beginning we were under the 
instructions that we have to investigate this process to determine the 
severity of the action to be taken, and that's what we've done.

Ms. Brown-Waite.  Is the employee a civil service employee, or is he a 
political appointee?

Mr. Pittman.  Civil service.

Ms. Brown-Waite.  If the Secretary does not know how many employees 
telecommute, do you?

Mr. Pittman.  Yes, ma'am, 1600.

Ms. Brown-Waite.  You have 1600 telecommuters?

Mr. Pittman.  Yes, ma'am.

Ms. Brown-Waite.  From all over the country?  Or just here in the DC 
area?

Mr. Pittman.  All over the country.  We have 40,000 occupation--
employees that are eligible to telecommunicate, but only 1600 take 
advantage of that category.

Ms. Brown-Waite.  And do you know--it has been 22 days since the 
burglary took place--does the department have a copy of the police 
report, or are they relying entirely on the individual's report of this 
incident?  Now obviously, the police report would not be completed 
because an investigation is ongoing.  But do you all have a copy of the 
initial report?

Mr. Pittman.  I'm told that the answer is yes.

Ms. Brown-Waite.  Could you confirm that?

Mr. Duffy.  I can confirm that for you.

Ms. Brown-Waite.  Okay, so you do have a copy of that.

Mr. Bilirakis.  Can we get a copy?

Ms. Brown-Waite.  Yes, we would like a copy.

The other thing is, did the department do a risk assessment on this 
breach?

Mr. Pittman.  I cannot answer that question.

Ms. Brown-Waite.  So no one here knows if a risk assessment was done on 
this breach?

Mr. Pittman.  No ma'am, I don't.

General Howard.  Don't believe it has.

Ms. Brown-Waite.  Well, inasmuch as it happened on the third, the 
Secretary did not find out until the 16th, but the deputy secretary 
found out somewhere in between that time.  Don't you think that it was 
appropriate to do some sort of a risk assessment?

General Howard.  There are actions going on as to what conditions do 
exist, but that's an ongoing effort to find out how much data is out 
there in an uncontrolled environment.  We don't know the answer to that 
right now.

Ms. Brown-Waite.  The other question is, why isn't all of this 
information encrypted?

General Howard.  It should be.  I believe I mentioned earlier, the 
guideline--and you're correct, ma'am, I should not have referred to 
it as "rules of the game," you're exactly right.  In that guideline, 
there were two key requirements.  One is that the information should not 
have been removed.  And two, it should have been encrypted, so--and 
it was not.

Ms. Brown-Waite.  What steps is the Department taking to ensure that 
information is quickly encrypted?

Mr. Bilirakis.  Would you furnish that information to us in some detail, 
please?

General Howard.  You mean the guideline, sir?

Mr. Bilirakis.  Well, what steps are being taken-- 

General Howard.  Yes, sir.

Mr. Bilirakis.--responding to the question.

Ms. Brown-Waite.  Mr. Chairman, I would also inquire as to why these are 
just guidelines, and that they are not in your regulations?

Mr. Bilirakis.  Well, even going further than that, the Inspector 
General's report that I referred to earlier of November of 2005 
indicated that there were some problems potentially, security problems.  
And you know, that was a half a year ago, and this has taken place.

General Howard, I am not going to get into that with you now, but come 
on, you are a general officer, and there is no way that when you were on 
active duty, that you would allow this to happen, and would not have 
taken care of the problem when you were notified by the Inspector 
General.  It is something, again, that goes back into the culture kind 
of thing.

I am going to recognize Ms. Herseth, and I am going to excuse the 
Inspector General.  But Sir, I am very much concerned what can be done.  
Because again, I have said this, what, for the third time, over 24 years 
that I have been here, similar things have arisen, and it seems like an 
awful lot of it has come from--you don't like the word 
"bureaucracy."  I don't know whether you like the word "culture."  But 
it is culture, and an environment there, and whatnot.  And Mr. IG, I 
would hope you can help us solve that.  I know we have got civil 
service, those particular problems.

Can you respond very quickly?  Do you mind very much, Stephanie?  Go 
ahead, sir.

Mr. Opfer.  Mr. Chairman, let me just say from the IG's perspective what 
we are doing.  Once this came to our attention that we had a serious 
breach of security, I initiated a criminal, investigation and an 
administrative investigation, and tried to gather all the rules and 
policies and procedures in the department.

There are three prongs to our approach.  One is looking at the theft of 
the data.  Two which may answer some of the questions that were posed by 
the Committee members--we are looking at the incident: what happened 
when the employee reported it?  Who did he report it in to?  What did 
they do with the information?  All the way up to the top levels of the 
department.  That is part of our administrative investigation.

I have the Counsel to the Inspector General looking at all the policies 
and procedures, and we intend to review all those policies and 
procedures, we are looking not only at the policies and procedures for 
the department--are they only geared towards someone in IT, when 
there is hacking into the system, or attacking the system? But also, 
what policies procedures  What do we have regarding employees and their 
access to data?  And what are the authority?  Who is supervising it?  
Who is reviewing the need to have access to that material?  We hope to 
conclude that in our Inspector General review.

Mr. Bilirakis.  When do you anticipate that being completed?

Mr. Opfer.  We are going to try to--separating the ongoing criminal 
investigation and working with the Federal Bureau of Investigation and 
Montgomery County police, and the Department of Justice, keeping that 
separate because as you know, ongoing criminal investigations limit my 
ability to discuss and provide information.

Mr. Bilirakis.  Sure.

Mr. Opfer.  I have separate teams working on all of the other ones.  My 
goal is to try to have that out in 45 days.

Mr. Bilirakis.  Forty-five days.  Would you share all that information 
with this Committee directly?

Mr. Opfer.  Yes, sir.  Right now, my thought would be that we would have 
a number of recommendations, and a report would be addressed from myself 
as the Inspector General to the Secretary, and it would be provided to 
the Committee, and the members of the Committee.

Mr. Bilirakis.  Would you be able to also share with us suggestions?  I 
mean, I don't know if you agree with me.  I keep throwing this word 
"culture" around.  I don't know if you agree with me or not, but I think 
it is there, I think it is a problem, and otherwise a lot of these 
things would not be taking place.  Could you share with us maybe your 
suggestions on how that can be improved?

Mr. Opfer.  Yes, I think there is a good opportunity now, with the 
Congress enabling the agency, to centralize the IT function and give the 
authority and the responsibility to one individual to coordinate that.  
That was one of the recommendations for years from the Office of the 
Inspector General.

Mr. Bilirakis.  Okay.

Mr. Opfer.  So we continue to be pleased with that-- 

Mr. Pittman. Will you share that with us within that 45 day period of 
time, too?  Any suggestions-- 

Mr. Opfer.--we expect that in the FSM audits that we will continue 
to have those material weaknesses until they are corrected within the 
agency.

Mr. Bilirakis.  Exactly. Exactly.  Thank you, sir, and you are excused, 
and we appreciate very, very much your hanging around.

Ms. Herseth to inquire.

Ms. Herseth.  Well, thank you, Mr. Chairman.  I appreciate the questions 
you posed to Mr. Opfer, because I think that review will answer some of 
the questions that had been posed previously and that I have as well.  
But let me make a couple of initial observations, and then get to a 
couple of the questions about the IT system now, and how it's working.

First, I think we do need some clarification from the Secretary, because 
I specifically wrote down during his testimony that he indicated that 
the VA Inspector General became aware of this on May 10th.  He may have 
misspoken and meant the information security officer, or perhaps he was 
under the impression that this information had been communicated to the 
IG, which it hasn't, but we need some clarification on the issue.

Also, it's my understanding based on your testimony and the questions 
posed in your responses that the reason that the VA has not formally 
notified the IG even as of this date is because it is not a cyber 
security issue in your opinion, it is a privacy issue; and therefore, it 
is being handled by an office, a division not currently represented 
today.

Secondly, I shared Ms. Brown-Waite's concern that we have to address 
this issue of something being a guideline versus a directive, as it 
relates to any employee in the VA being permitted to take this 
information outside the workplace, getting the permission, having 
encryption, because I think someone made a note in particular that that 
is a guideline, not a directive.

So let me ask two questions.  The first is very straightforward.  If one 
of my constituents who is concerned that his or her information is among 
the 26.5 million records within what was stolen and he or she calls the 
800-number, will the person answering that number be able to tell him or 
her whether or not his or her records were among the 26.5 million 
records were stolen?

Mr. McLendon.  To do that would be to provide this people access to the 
Burles system and other databases, for which they may not be authorized 
to be accessed.  So the short answer to your question is no, they would 
not have access to that.

Ms. Herseth.  So they won't know until they receive the letter of 
notification from the VA?

Mr. McLendon.  That's why we are sending the letters.  And let me also 
add, people keep talking about 25 million records.  19 of those--
million of those records have Social Security numbers.  6 million do not 
have any identifying Social Security numbers.

Ms. Herseth.  Okay.

Mr. McLendon.  And of the 19 million we believe that there are a number 
of those veterans are deceased, because when we look at the birth dates 
of a number of them.  So there is effort going underway to try to 
understand of that 19 million-- 

Ms. Herseth.  I appreciate that.  I appreciate that.  So what the 
information that one of my constituents would get by calling 800 number 
is just the recommendation to monitor their credit?

Mr. McLendon.  Yes, they are getting direction on what they need to do.

Ms. Herseth.  Okay.  And we do not have a time frame yet as to when 
those letters would go out, or did you mention that earlier and I missed 
it?

General Howard.  No, I don't think--yeah, I don't-- 

Ms. Herseth.  Because you still have to analyze all of this data?  Okay.  
Let me move to-- 

General Howard.  To elaborate, though-- 

Ms. Herseth.  I am going to let you elaborate.  I just want to make sure 
I get to this third question.  And if there is time, the Chairman 
permitting, please elaborate.  I mean, there is so much information that 
we do want here.  We are just under these time constraints.

Five, six years ago, I was practicing law at a very large firm here in 
Washington, a firm that has a global presence, number of offices across 
the country.  I could not save a document, any client identification 
numbers on a disk.  We didn't even have hard drives in our desk.  But 
what we did have if we were going to do any work outside of the office 
was a secure ID that changed, as you know, every few seconds so that 
when you are home, or on your laptop, that you have that ID number that 
you type in that is only available--you know what I am talking 
about.

General Howard.  Yes, ma'am.

Ms. Herseth.  Do you have that?  Is that a process that you are 
utilizing, that you are integrating over time?  I just don't understand 
why any employee would be able to save anything onto a desk or an 
external hard drive, and maybe that is part of where we are heading with 
a centralized IT system, but it just seems that a five or six years ago, 
and I note it is a difference between a private sector and a public 
sector and different resources, but are we moving in that direction, to 
have a system like that in place?

General Howard.  We definitely need to improve on the procedures that 
you just described.  The specific drive that this information was stored 
on, the folder is protected.  In fact, I physically tried to get into it 
myself, and I could not do it.  Dennis, you can probably comment on-- 

Ms. Herseth.  Okay, I appreciate knowing that there is a firewall or two 
that the thieves would have to get through here.  But do you have-- 

General Howard.  Ma'am, not the information that was on his drive.  I am 
talking about where he originally took it.  The drive that was stolen, 
as far as we know the information was not encrypted.

Ms. Herseth.  All right, okay.  Okay, thank you for the clarification.  
Of the 1600 telecommuters, are they access saying the system remotely in 
the way that I just described?  With a secure ID, into the centralized 
system?

Mr. Pittman.  No, ma'am.  The only thing that they are doing is they are 
accessing the computer by logging onto the system via a security access 
password.

Ms. Herseth.  Okay.  I have more questions, but I will submit them for 
the record.  Thank you, Mr. Chairman.

[The statement of Ms. Herseth appears on p. 87]
Mr. Bilirakis.  Thank you, gentle lady. Mr. Michaud.

Mr. Michaud.  Thank you very much, Mr. Chairman.  I also want to thank 
you for having this hearing.

Most of the questions have been asked, but I just want to follow up on a 
few of them. As we read and heard the IG state, that this condition has 
been going on for a number of years as far as the security deficiencies 
and in his testimony, he says in the 141 of the 181 VHA facilities, they 
identified security deficiencies, as well as in 37 of the 55 VBA 
facilities. You heard the Chairman talk earlier about former secretary 
Principi giving the directive, then the legal counsel saying they did 
not have the authority to do that.

Whether they have the authority or not, I guess this question would be 
for Mr. Duffy, wasn't that a good idea, what the IG had talked about, on 
these deficiencies?  Regardless of whether, they had the authority or 
not?  If it is a good idea, why not implement it?

Mr. Duffy.  Absolutely, Congressman.  And we thought we were indeed 
implementing them.  In this particular instance, it was an individual 
who violated policies and procedures, who clearly understood that what 
he was doing was inconsistent with established policies and procedures, 
someone who had in recent months completed cyber security awareness 
training and privacy act training.  So there are indeed policies and 
procedures in place.  There is heightened awareness through standard 
annual training for all employees who are involved in this kind of work.  
In this instance, we had an individual who simply chose to use poor 
judgment and violated those policies and procedures.

Mr. Michaud.  As you heard the Secretary mention earlier this morning, 
someone has to be responsible if something happens in this situation as 
far as identity theft; has there been--and clearly this is a severe 
case--has VA heard of identity theft in past from veterans?  And if 
so, how many of those cases that are out there on a yearly basis?

Mr. McLendon.  Not personally aware of any, Congressman.

Mr. Michaud.  Okay, thank you.  My next question, we heard a lot from 
different individuals here on, you know, what did you know, when did you 
know it, and could you give the details?  Actually, I haven't heard Mr. 
McLendon, when actually did you know it?  What did you know, when did 
you know it, and can you give, some details of that timing?

Mr. McLendon.  Well, I knew before 6:00 o'clock on Wednesday that there 
had been a break-in at the individual's home, that he had reported that 
he had lost his personal computer and an external drive.  At that time, 
the way he communicated, it also sounded like he had lost a little 
external USB drive, that we would call a memory stick, and some CDs.  He 
was quite upset at the time, so that's one of the reasons why I called 
the guy who's our technical expert on data and systems to see if he 
could talk more in a technical terminology to try to pull out of him a 
little bit more.

So we knew on Thursday that something indeed had happened.  We did not 
know the scope of it, or any of the details of it.  And so when we began 
meeting with him on Friday morning, and then our information security 
manager met with him, we began to get I would say a broader outline, but 
yet not the details out exactly what was on those disks.

It's fair to say that it wasn't until Monday that those of us who had 
been talking together and talking with him could kind of look at each 
other and say, "Okay, we believe we've got kind of the initial look at 
what we think may be there."  And that's when a memo was prepared that, 
as Mr. Duffy explained, where it went and what had happened after that.  
Then the information security officer had further discussions with him.  
I don't believe that we all understood the details, in terms of 25 
million records, some of these other things, until we understood that 
his disk had not been stolen and his memory stick was not gone.  There 
was some confusion about that right after he started talking about it, 
which is understandable.

And then we started painstakingly going through those of files to 
understand what files there were, what data variables there were, 
related to each one of those files.  That's what led to again preparing 
a memo on the 16th, which went to the general counsel on the 17th, which 
laid that out.

Sometimes it takes a finite period of time to do the due diligence to 
find out exactly what is on those files and where could they have 
possibly come from.

Mr. Michaud.  Thank you.  Thank you, Mr. Chairman.

[The statement of Mr. Michaud appears on p. 82]

The Chairman. [Presiding]  Has everyone asked all the questions?

Mr. Filner.  If I could just follow up for a couple minutes?

The Chairman.  Sure, Mr. Filner.

Mr. Filner.  Thank you, Mr. Chairman.  Just to follow up on Mr. 
Michaud's questions, in the time line you provided to us, you said there 
was a memo on May 5th that says "possibly lost veterans' data." We don't 
have a copy of that, but what did you think, then, that was lost?

Mr. McLendon.  That may have been an original memo that the information 
security officer prepared. I don't have that in front of me.  I'll have 
to go get that but I-- 

Mr. Filner.  I was just wondering what you knew at that moment.

Mr. McLendon.  Well, what we knew at the afternoon of the fifth was that 
there had been a break-in at the individual's home, that he had self-
reported that his personal laptop and personal external drive had been 
stolen, that he believed that he had loaded some veterans' data, if I 
remember the words right, onto that.  But he didn't know for sure, and 
couldn't say in any detail what may or may not have been on there.

Mr. Filner.  Mr. Duffy, is that your understanding of that, this memo 
that you provided Mr. Bowman?  I'm just reading from your time line.

Mr. Duffy.  Yeah, let me back up a little bit.  And I apologize because 
there is just a little bit of confusion regarding memos.  There was an 
original memo prepared by the IT specialist, our security and privacy 
officer, late in the afternoon of May 5th.

The Chairman.  His name?

Mr. Duffy.  I'm sorry, his name?  Mr. Mark Whitney.  Mr Whitney 
prepared, at my instruction, a memo that attempted to lay out what he 
understood to be the data sets and elements.  And indeed, I think he did 
a pretty good job.  Mr. McLendon and I, upon reviewing it, Mr. Mclendon 
asked for the opportunity to review and validate the information.  
Again, while Mr. Whitney is our IT support person, he does not 
necessarily have detailed understanding or information on the data sets 
or data elements.  So Mr McLendon and Mr. Tran indeed did that, modified 
slightly the May 5th memo.  It was finalized over the weekend and 
provided to me on May 8th.  The unfortunate thing is that the date of 
the memo was never changed.  So we've got two May 5th memos; one more 
expansive than the other, simply clarifying the nature of the extracts, 
the type of programming language that they were contained in, and 
further detail than the previous memo.  So it was that memo that was--
an original memo on the fifth, modified on the eighth, provided to the 
chief of staff on the--discussed with the chief of staff on the 
ninth, and given to him on the tenth.

Mr. Filner.  And the chief of staff is directly under the secretary?

Mr. Duffy.  Yes, sir.

Mr. Filner.  But everybody took the weekend off on the sixth and 
seventh, it looks like.  Normal weekend in your life, 25 million things 
gone, what the hell?

Mr. McLendon.  Congressman, I can assure you that there has been a deep 
sense of urgency about--concern about this issue, and working on 
this issue.

Mr. Filner.  Except that Friday you did something and then you waited 
till Monday to do it more, you know, Saturday and Sunday, nothing done, 
according to what--I am just going by what you provided us.

Mr. McLendon.  Well, that was just the date that was put on it was 
Monday, that was the first working day back.

Mr. Filner.  You can detect the frustration and the outrage in all of 
our voices.  And again, I mean I don't think you took it seriously 
enough at the beginning, this chief of staff and the deputy secretary 
knew a week before they decided to tell the Secretary. In addition, even 
given all that, the so-called outreach to our veterans, you know, you 
say, "Well, if you have a Website, look us up.  Notify your bank, notify 
your credit bureau.  Don't tell us, we don't need to know if you guys 
have a breach of security."

I mean, there is no outreach in the letter that is going to go out.  As 
somebody said, you don't even have 26 million envelopes.  I mean this is 
ridiculous.  I mean, I think you all should be fired.  To take this as 
un-seriously as you have, to take the amount of time that you took, and 
then still, even at this late date, you don't have a system where 
anybody even knows that their name was there.  There is no outreach for 
people who--the normal person who may not know how to get your 
Website.  Nothing is being done on television, radio.

I mean, you are just waiting, you know, to get this information--
these guys are scared to death.  And you sit there--you don't seem 
to want to understand that.  And you give these bureaucratic answers 
that don't mean anything to the people we are trying to serve here.  As 
one of the Congresspeople said, if this happened in our staffs, I mean, 
they would be fired right away.  And I think the Secretary, as the last 
act before he resigns, ought to fire the whole bunch of you.

The Chairman.  I think what would be helpful to us is Mr. Duffy, if you 
could submit to the Committee, I would like the draft--I don't know 
if we ought to call it the draft--the original memo from Mr. Whitney  
-- 

Mr. McLendon.  The May 5th?

The Chairman.  The original memo, I want to see what that one says. I 
want to then see whatever changes that were made.

Mr. McLendon.  Right.

The Chairman.  I want to compare the two documents.

Mr. McLendon.  Reflected on the eighth.  Happy to.

The Chairman.  Yes.  And then that ends up to the Secretary's Chief of 
Staff on May 10th.  At some point, the Chief of Staff notifies the 
deputy secretary, but almost another six days go by before anybody even 
alerts the Secretary.  You know, what we have here is a chronology, but 
the Secretary, because it has got a lot of other personal identifying 
information in it, has asked us not to have this put in the record.  But 
I think what we are going to need to do here is, with my indulgence, is 
let me take and ask these witnesses to put a time line on the record in 
their testimony.  Is that all right, my colleagues?

So Mr. Duffy, let's just begin with you.  I know you did this a little 
bit earlier, but let us go ahead and take your time line from the first 
moment that your department had knowledge and Mr. McLendon, I want you 
to add in.  And then we are going to turn to the other witnesses with 
regard to the time line as they know it.

Well, let me pause.  I am going to seek counsel.  You can do this a 
thousand ways.  We can either do it day by day and take the testimony of 
them on what they knew, or we can do witnesses.  Mr. Filner, what do you 
want to do?  All right, we will turn to Mr. Duffy.  Hold on.

Mr. Bradley.  Mr. Chairman, could I ask a quick question where I was not 
able to follow up on my time frame?

The Chairman.  Absolutely.

Mr. Bradley.  If you recall--and thank you very much, Mr. Chairman  
--  if you recall my questions from before about the authority to 
reimburse veterans for credit counseling and credit checks, you 
indicated that you had that authority.  That's correct, okay.  The bulk 
of the phone calls and e-mails that my office has gotten have expressed 
a concern over the fact that it may cost fifty to sixty dollars to 
actually do that kind of a credit check right now.  So if you have 
authority to do that, are you prepared to propose to us, today, that you 
will actually establish some mechanism for veterans who have to have 
expenses out of pocket to do a credit check, of a mechanism for them to 
be reimbursed for these expenses?

General Howard.  Sir, in discussions this morning before we came over 
here, that is the intent of the Secretary, but he was concerned about to 
ensure that we have the authority.  There are financial impacts that 
need to be addressed.  It is actively being discussed.

Mr. Bradley.  So it is being discussed, you have the authority.  When 
can we expect a decision on how you are going to implement that kind of 
reimbursement?

General Howard.  Sir, that I'm not sure.

Mr. Bradley.  If I can ask the indulgence of the Chair.  Mr. Chairman, 
in terms of the immediate impact on the 26.5 million veterans, which I 
think all of us, under your leadership and under Mr. Filner's leadership 
on a bipartisan basis, want to make sure that we have done everything 
that we possibly can to insure the safety and sanctity of their records.  
The most expeditious manner that these gentlemen can make that kind of 
reimbursement possible, to me would seem to be one of the most important 
first step that we can do for the 26.5 million veterans that are 
affected, to say nothing of all of these security measures that have to 
go into place, but for those people that are worried, on an individual 
basis, and I would urge that we attack that head-on with obviously their 
assistance.

And I thank you for that.

The Chairman.  All right.  Here is what we will do.  To preserve time, I 
am going to ask you to prepare a chronology, time lines, I want each of 
you to prepare that, excepting personnel, unless you have something to 
add that we don't know about.

Mr. Pittman.  No, sir.

The Chairman.  Okay, thank you.  So with the rest of the witnesses, I 
need to know the chronology: what did you know, when did you know it, 
and how it got passed along, okay?  So provide that, then, to the 
Committee.  That is the best way, I think, to do this.  Can you get that 
to us in about 10 days?

General Howard.  Yes, sir.

Mr. Baker.  Yes, sir.

Mr. Duffy.  Yes, sir.

The Chairman.  All right, thank you.

With regard to the data analyst, who is his immediate supervisor?

Mr. McLendon.  His immediate supervisor is Mr. Mike Moore.

The Chairman.  Mike Moore.  And then who is his boss?

Mr. McLendon.  Me.

The Chairman.  You.  I apologize, I was gone.  The project which they 
are working on was what?

Mr. McLendon.  [Stricken upon request of the Chairman]--The 
individual is-- 

Mr. Bilirakis.  Strike the name.

The Chairman.  Pardon?

Mr. Bilirakis.  Strike the name.

The Chairman.  We are going to strike the name of the data analyst from 
the record.

Mr. McLendon.  The analyst is a programmer, statistician, he supports a 
number of different projects in the office that are ongoing.  He was 
doing work looking at a national survey of veterans project.  He was 
also doing some matching to support other projects he was supporting in 
terms of activities that other people in the office were doing during 
that time.

The Chairman.  Are you aware of any of your employees taking data home 
with them to do, quote, "homework?"

Mr. McLendon.  Not to my personal knowledge.  But I would say this to be 
quite candid: we in government today facilitate, encourage, and reward 
people for working from home.  We give them computers to do that, we 
give them access to do that.  Each agency allows them to--has their 
own policies about how they do that and when they do that.  But it is 
not our policy to encourage people to take work home, or to take data 
home.

The Chairman.  How many employees does the VA have that work from home 
and access your data bank?

General Howard.  Two different numbers, Sir.  Work from home is, what 
was it, 1600?

Mr. Pittman.  Those that are the telework employees are 1600. Then there 
is another group of virtual employees, which he'll address.

The Chairman.  And encryption is used?

Mr. Pittman.  It is not.

General Howard.  Sir, if they access-- 

The Chairman.  I apologize.  I was just told that has already been asked 
and answered.  In the negative, shockingly.  Do you, Mr. McLendon, know 
whether or not the data analyst's supervisor approved of the practice 
for this individual to take this type of data out of the office?

Mr. McLendon.  No one would have approved that.

The Chairman.  Okay.  But you encourage people to do homework?

Mr. McLendon.  Don't encourage people to do homework.  What I am saying 
is that when people are allowed to telework from home you have to be 
extremely careful about what people do, and what they use.  And it is 
not my policy or anyone I know of, has a policy that allows people to 
take serialized, controlled information of people home, or veterans 
home, to do work.  That's a no-no in the analytical business.  You just 
don't do that.

The Chairman.  Let me ask General Howard, if I go back to this directive 
from the Secretary Principi, had the CIO been charged with this 
responsibility over security as the Secretary wanted, you think this 
would have happened?

General Howard.  There is a memo that I saw signed by Bob McFarland.  I 
don't recall exactly what it said.  One of the--and I do know that 
one of the difficulties that they were trying to sort out is just what 
exactly the authority was.  There was a lot of discussion about the 
word, "ensure," that's in Secretary Principi's directive--I think 
that's the one that it's in, sir--and if I'm not mistaken, was a 
keyword that the general counsel addressed.

The bottom line--again, I don't remember the exact details of the 
memo from the General Counsel, but it is obvious to me that the CIO has 
authority to set policy, to set the guidelines, but then it's up to the 
individual who supervises, administration heads, and assistant 
secretaries, to implement those policies.

The Chairman.  But see, had this been enacted, then you had the 
enforcement power.  Now, you can't enforce cyber security.  You can't do 
anything, all you can do is do compliance; correct?

Mr. Cadenas.  That is correct, sir, check for compliance.

The Chairman.  And so under a decentralized model, for which Mr. 
McLendon, Mr. Duffy--well, strike Mr. Duffy--for which Mr. 
McLendon I know has argued, that enforcement, that is where it goes, it 
is decentralized.

So let me just say this gentleman, one of the first things I learned in 
the Army: when you take command, you want to know who the key control 
custodian is, because you just signed personal responsibility for all 
that property.  Under a decentralized model, you have too many keys.

General Howard.  Sir, I will say that the federated model that has been 
adopted, as you know, will give us a better capability.  It won't give 
us the ultimate capability-- 

The Chairman.  Yes, that's right.  You are going to get a half-baked 
loaf.

General Howard.--but it will help to some degree to get a better 
handle on it.

The Chairman.  So let me ask this.  You are the acting CIO, and I am 
going to turn to cyber security.  I have done hearings with you before, 
and those hearings dealt with the hackers from the outside, "Oh, we 
spent all this money," but you also came, and with the IG and GAO, you 
talked about all the unauthorized use of employees, you talked about 
that.

So to go beyond just compliance--or if you are going to say, "Steve, 
no, my job is only to do cyber security.  That from the outside, 
somebody else should do that," give us your best counsel, the two of 
you, right now with regard to authorities and enforcement.  You are a 
general officer.  Does dissemination work very well in the Army?

General Howard.  Very well, sir.

The Chairman.  Dissemination?

General Howard.  We also-- 

The Chairman.  Somebody has got to be in charge with distinct lines and 
chains of command, right?

General Howard.  Sir, there's no question about that.

The Chairman.  All right.

General Howard.  And one thing that we do have, as you know, sir, in the 
Army, is very clear regulations.  As I mentioned earlier, we've looked 
for the clear policies and directives, and with respect to what the 
individual actually did, the only place I can see that is in a 
guideline.  It's not a directive or a regulation that you would think it 
should be.  It is being turned into a regulation, or a directive.  The 
VA uses the term, "directive."  That is being accomplished without any 
more waiting.

But it's too late for that.  I mean, the incident occurred, and it was 
not clear that this was a violation of a directive, because it wasn't a 
directive at the time.  But what you described, it has to be 
straightened out.  Clear directives do need to be put into place.  As I 
said earlier, the federated model is helping a great--we've only 
been into it for a short time, as you know, but it's already helping to 
shed light on some activities that are going on that need to be 
tightened up.

The Chairman.  General, if you were to have adopted the federated model 
you let the individual stovepipes to do their own development, you don't 
own development under the federated model.

General Howard.  That's right, sir.

The Chairman.  That is where the problem has been occurring.  In 
software development.  Wasting millions and millions of dollars.  That 
is why we have come in and zeroed out programs.  We are extremely upset.  
It is why we on a bipartisan basis have asked for you, your position to 
be empowered.

So you are correct.  You can look at this and go, "Well, directives 
weren't violated."  This is bigger than a small, little employee-- 

General Howard.  They weren't violated, because they didn't exist.

The Chairman.  Well, this Committee is not going to permit an Abu Graib, 
whereby you prosecute the little people, and others don't have problems.  
We are going to work with you.  We are going to work with you, on 
policies, and practices, and procedures, and empowerment.  And we are 
going to also--we may use this to get a stronger hand around the 
development side of the house.

General Howard.  Sir, can I comment on the term, "enforcement?" I don't 
think you will ever get away from the fact that individuals in charge of 
organizations are clearly in--responsible for implementing the 
policies, and enforcing the policies.  We have a greater role in 
determining if violations may have occurred, inspections, that sort of 
thing.  But I don't think we should ever remove the enforcement 
responsibility from those actually in charge of administrations and 
staff sections.  We didn't operate that way in the Army, either.  The 
commander was in charge.

The Chairman.  Mr. Cadenas, what do you have to add to this?

Mr. Cadenas.  All I can say, sir, is in the three years, six months that 
I've been here at the VA, it's been a little frustrating and challenging 
for us, and the team.  We're looking forward to good things with the 
federated, as I said last time when I was up here, because now those 
systems will go under the leadership of of the CIO, and because he now 
owns those systems and I work directly for him, I don't need any 
authority to execute.

There--you know, we try the best we can.  The reason why you see so 
many guidelines is because where we can't get policies or directives 
pushed through, then we go down to the next level, and then the next 
level, to where we are successful in getting guidelines out there.

The Chairman.  Under this federated model, will you receive the 
necessary delegated authority from the Secretary to do your job so an 
incident like this will never occur again?

Mr. Cadenas.  Sir, to be honest I won't need his authority because I 
directly report to the CIO's office.  And under the federated model, the 
CIO is in charge of all the operations and maintenance systems, to where 
he can tell me, "I got a problem out there, go fix it now with your 
team," or ensure or enforce compliance or execution.

The Chairman.  But on the development side of the house?

Mr. Cadenas.  No, sir.  Not on the development.

The Chairman.  Yes, that is my point.

Mr. Cadenas.  But we're working-- 

The Chairman.  That is what I want to make clear to all the members.  On 
the development side of the house--we can go with the federated 
model, but this will continue.

All right, does anyone have any follow-up questions?

No response.]

All right, we are going to continue our hearing at a later date.  I 
thank you for your testimony.  This panel is now excused.

Mr. Filner.  Mr. Buyer, I just want to thank you for your knowledge and 
your commitment to follow through. We will follow your lead.  I 
appreciate it very much.

The Chairman.  The second panel will please come forward.

The second panel is three representatives from the private sector to 
shed light on the implications of the failure of the Department of 
Veterans' Affairs to control information management.  Going from left to 
right, we have Mr. Stuart Pratt, President and Chief Executive Officer 
of Consumer Data Industry Association. Next, we have Mr. Dennis Hoffman, 
Vice President for Information Security for EMC Corporation.  And 
finally, we have-- 

Ms. Litan.  Avivah Litan.

The Chairman.  You say it's pronounced-- 

Ms. Litan.  Avivah Litan.

The Chairman.  Pull it close, really close.

Ms. Litan.  Oh, sorry.  Avivah Litan.

The Chairman.  Avivah Litan?

Ms. Litan.  Litan.

The Chairman.  Thank you.  Vice President and Business Director for 
Gartner Incorporated.  I would also like to mention that we have Joel 
Winston, associate director of the FTC's privacy and identity protection 
division, and Betsy Broder, assistant director of the same division, in 
the audience today.  Both are members of the Identity Theft Task Force, 
and have been listening to the testimony.  They will be available for 
any questions that any members may have following the hearing.

We look forward to hearing from our panelists on how we can ensure the 
safeguarding of sensitive information to re-earn the trust of veterans 
and their families.


STATEMENTS OF STUART PRATT, PRESIDENT AND CHIEF EXECUTIVE OFFICER, 
CONSUMER DATA INDUSTRY ASSOCIATION; DENNIS HOFFMAN, VICE PRESIDENT FOR 
INFORMATION SECURITY, EMC CORPORATION; AND AVIVAH LITAN, VICE PRESIDENT 
AND RESEARCH DIRECTOR, GARTNER, INCORPORATED

STATEMENT OF STUART PRATT


The Chairman.  Mr. Pratt, you may begin.

Mr. Pratt.  Mr. Chairman, thank you for this opportunity to appear 
before you, and thank you also-- 

The Chairman.  Thank you.  To all the witnesses, if you have written 
statements-- do all of you have written statements?

Mr. Pratt.  Yes, sir.

The Chairman.  They all acknowledge in the affirmative.  It will be 
submitted for the record.  And if you would, please summarize.

Mr. Pratt.  Thank you, Mr. Chairman.

This past weekend, CDIA was contacted by the Federal Trade Commission 
regarding this breach.  We are thankful for the FTC's outreach to us 
which allowed CDIA to liaison with our national credit reporting company 
members, who had to plan for likely heavy call volumes on their toll-
free numbers, and hit rates on their Websites.

Based on this contact, our members technology teams were ordered in 
preparation for the announcement on Monday, May 23rd.  And as part of 
this very late stage coordination, our members also voluntarily either 
adjusted current toll-free number menus to include special referents for 
affected veterans, or implemented entirely new toll-free numbers which 
can be used by veterans to request the placement of a fraud alert on 
their credit reports.

Once a fraud alert is placed, a veteran is then by law entitled to a 
copy of his or her credit report, free of charge.  Our members report 
that subsequent to the announcement by the Veterans' Administration and 
ensuing media coverage, the call volumes have been running at 
approximately 170 percent over normal volumes.

If we had a criticism of this process, it is simply the fact that our 
members were not consulted sooner by the Veterans' Administration.  We 
appreciate however the fact that the FTC did contact us, and they were 
embargoed in terms of when they could get in touch with us to begin 
coordination.

Even over the weekend, the FTC was not permitted to release the name of 
the agency: and thus our members could not execute plans to customize 
toll-free number service until after 11:00 a.m. on Monday, May 23rd.  We 
believe government agencies should be obligated to coordinate with their 
members well in advance where they intend to publish advice, which 
includes our members contact information.  This is simply the right step 
to take so that our members can verify the accuracy of the information 
and ensure that our systems are prepared for the increase in contact 
volume.  Ultimately, this obligation helps us all serve those who are 
affected.

Your staff has expressed interest in hearing what steps we would 
recommend that a veteran take in response to the announcement, and our 
views on the key steps are really no different than those which the FTC 
has already compiled.  We believe consistency in a message is very 
important at this stage, and that all veterans are empowered to take the 
steps that are appropriate to the level of risk they perceive.  And 
these include of course placing a fraud alert.

We would only add emphasis to the FTC's point that veterans need only 
call one national credit reporting company to place a fraud alert, since 
our members exchange fraud alert requests.  Further, upon placement of 
fraud alerts, veterans are entitled to a free copy of a credit report 
and will receive instructions on how to order this.  Some veterans may 
be confused about whether or not they need to annualcreditreport.com to 
obtain this free report, and the answer is they do not.  They will 
receive specific instructions once their fraud alert has been placed 
that will allow them to access that credit report as well.

As demonstrated by this breach-- 

Mr. Filner.  May I just ask you a question?  Sorry to interrupt you.

Mr. Pratt.  Yes.

Mr. Filner.  Could the VA do that for every veteran right now?  Would 
you recommend that?  Why are we relying on the people who are suffering?  
Why don't we take a proactive step?

Mr. Pratt.  It is a balance sheet question, Congressman, so let me give 
you both sides-- 

Mr. Filner.  It could be done though, right?

Mr. Pratt.  The law does permit a third party to make that request on 
behalf of the individual.  Yes, sir.

Mr. Filner.  And what are the minuses?

Mr. Pratt.  I am sorry, sir?

Mr. Filner.  You said there are pros and cons.

Mr. Pratt.  The only con is that a fraud alert stops transactions, slows 
transactions down, and you may find there are veterans in the middle of 
refinancing a home, obtaining credit, and they may not appreciate the 
fact that it was inserted right in the middle of that process.  It is a 
balance sheet question that we all have to wrestle with, Congressman.  I 
think that is as good as I can do.

The Chairman.  You may proceed.

Mr. Pratt.  Thank you, sir.

As demonstrated by this breach, data security and the need to notify 
consumers, including the nation's veterans, where significant risk of 
harm exists, it is essential.  The following statement delivered before 
other Committees is still our position today:

The discussion of safeguarding sensitive personal information and 
notifying consumers when there is a substantial risk of identity theft, 
has expanded beyond the borders of financial institutions.  It is our 
view that a rational and effective national standard should be enacted, 
both for information security and consumer notification, as it applies 
to sensitive personal information, regardless of whether the person is a 
financial institution.

At this Committee knows, there are a number of House and Senate 
Committees that are focused on developing uniform national standards.  
We believe enactment of national standards will ensure that sensitive 
personal information is protected by all who possess it, including 
Federal and state government agencies.  New nationwide safeguards 
regulations, offered by the Federal Trade Commission will compel all to 
deploy physical and technical safeguards strategies for this type of 
information.  As we head into the Memorial Day weekend, we must redouble 
our efforts to pass strong and effective national law that will require 
all to secure sensitive personal information properly, and to notify 
consumers when there is a significant risk of identity theft.  We should 
do no less for our veterans, who have served us all.  Thank you.
[The statement of Mr. Pratt appears on p. 107]


The Chairman.  Next is Mr. Hoffman.


                   STATEMENT OF DENNIS HOFFMAN


Mr. Hoffman.  Mr. Chairman, members of the Committee, thank you for the 
opportunity to testify before the Committee on Veterans' Affairs.  My 
name is Dennis Hoffman.  I am the Vice President of Information Security 
for EMC Corporation.  For those of you who aren't familiar with the EMC 
Corporation, we are the world's largest provider of storage and 
information management solutions.  Our Fortune 1000 customers include 
the top 30 commercial banks, the top 40 insurance companies, 19 of the 
top 20 pharmaceutical companies, all of the top aerospace and defense 
organizations, and 14 of the top 15 health care medical facilities, and 
many others.

I have personally spent a great deal of time with our customers over the 
past year discussing issues like the one this Committee is 
investigating, and today I can report to you all that the veterans' 
administration is not alone in wrestling with what is clearly becoming a 
very pervasive issue, which the industry calls "data leakage."

While the identity theft problem continues to make headlines, due 
largely to regulation causing it to be made public, it may well be the 
tip of the iceberg.  Relative to all confidential information that 
organizations and corporations have, personally identifiable information 
is actually a minority problem.  It is however the one that is making 
front-page news, and is the one that of course you are investigating.  
My point is that there is a lot more confidential information in the 
world, and it is all subject to the kinds of problems that you talked 
about here.

So I think it is fair to ask why do these problems exist?  They exist 
largely, from a technical perspective--as you have heard today, this 
is certainly not simply a technical problem.  But on the technology 
side, they exist due to something called perimeter-centric thinking.

In the sense that from the days of medieval Europe, the notion of 
security has been largely to dig moats, build walls, erect castles, 
erect towers inside the castles, and believe that what is inside the 
tower ought to be safe.  That is largely the way that we have gone about 
doing information security, from a technical perspective.  The irony is 
that the vast majority of products which make up the information 
security marketplace today don't protect information.  They protect 
assets that are supposed to protect information.

I can almost guarantee you that the laptop we have been discussing all 
morning had antivirus software on it.  That is the single largest-
selling security product in the marketplace today.  And of course, it 
has nothing whatsoever to do with protecting the data on the laptop.  
Moreover, what this has led to is it has led us to conclude, or ignore 
the simple fact that information lives, has a life cycle.  And during 
that lifecycle, it moves.  And when it moves, it tends to walk right out 
of the castle.  And therein lies the big issue.

It is not simply a laptop.  It could be a USB device.  There have been 
many publicized cases of backup tapes falling off of UPS trucks.  When 
data leaves security parameters, it becomes exposed if we haven't done 
something to secure the information itself.  And so what we are seeing 
in talking to a lot of our customers is a very significant shift in 
thinking to something we would call information-centric security, 
ironically enough, where we actually begin with the notion of securing 
the information, and then applying security to all of the assets through 
which the information has to pass.

That means four basic things: we have to understand our data and our 
people as organizations, because at the end of the day, we don't have 
information until data reaches a person.  So we must be able to model 
both of those and control those.  We need to secure the information 
infrastructure that manages and stores the information.  We need to 
protect the data comprehensively.  To date, we have been very focused on 
the availability of information, and not nearly as focused on its 
confidentiality and integrity.  And it takes all three to truly secure 
information. Lastly, we need to assure policy compliance.

There are no silver bullets.  This is a systemic problem, and it 
requires a systemic solution, which you have been investigating all 
morning, particularly around policy and process and people.  And in 
particular, I would like to warn that a knee-jerk reaction to encryption 
as the silver bullet will likely miss the point, to the extent that 
encryption is only one technology, and it is only as good as the 
business problem it solves.  If the encryption keys are not managed 
appropriately there are even more problems because the data has 
effectively been deleted when it was encrypted.  If they keys cannot be 
shared, collaboration is slowed down.

Encrypting data makes it opaque.  It makes it impossible to actually 
know what is inside it.  So a recent regulation in the UK--or was it 
a regulation that existed previously, was recently enacted, to make 
certain that all enterprises in the United Kingdom turn over their 
encryption keys to the government so the government can at least look at 
what the data is.

There are many problems, and there is no single silver bullet solution.  
There are however some very significant critical enablers, and you can 
put these all under the very general heading of "you can't secure what 
you can't manage."  You cannot secure information that cannot be 
managed.  These fall under the heading of things like infrastructure 
consolidation.  When data is spread everywhere it becomes extremely 
difficult to stop leaks.  Content management is a technology that has 
existed for years to actually manage loose content in files.  On top of 
that, digital rights management technology allows you to do things like 
encrypt specific files, prohibit whether they can be re-e-mailed, sent, 
printed, or copied to a USB device.

Data classification is enormous in the sense that data classification 
helps us to understand whether the data in question on a storage device 
is actually the Veterans' Administration logo, or some confidential 
document, or Social Security number.  At a certain level within the IT 
organization, those two pieces of data are absolutely indeterminate; you 
don't know.

And then finally, identity management.  Securing data, ironically, 
begins with securing and understanding the people, which again you have 
been exploring all morning.  I have found in speaking with most of our 
customers that are at the forefront of this issue that there is a 
relatively simple formula they are all trying to drive toward.  First, 
maximize access control.  These are issues like authentication, the 
secure ID comment that was made.  How do you know that the person doing 
the work is actually the person?  Strong authentication and 
authorization are key.

Segmented infrastructure.  If you actually understand the difference 
between your public Website logo and a confidential document, you might 
not want to put them on the same network, the same storage devices, or 
the same workstations.  And lastly, classified data, simply being able 
to tell the difference between the two.

So maximize access control is the first step in the formula that a lot 
of our leading customers are applying.  Secondly, minimize data 
movement.  Where possible, they are trying to eradicate these use of 
backup tapes, the theory being if I don't put the tape on the truck and 
it doesn't leave my data center, then I am less likely to be compromised 
by it.

Issues like the guidelines we have been discussing this morning are 
meant to do just that: keep data from leaving the security perimeter.  
But as was pointed out by the Veterans' Administration, it is very 
difficult to legislate against an individual deciding to go against the 
policy.

Thirdly, selectively encrypt whatever remains.  So if we maximize the 
access control and minimize the movement of data, what remains should be 
encrypted.

And then lastly, log and monitor everything, so that we can piece 
together what has happened, both in real-time and after the fact.

Thank you.

[The statement of Mr. Hoffman appears on p. 110]

The Chairman.  Thank you very much.  Ms. Litan?


                     STATEMENT OF AVIVAH LITAN


Ms. Litan.  Yes, I am Avivah Litan, can you hear me now?  Can you hear 
me now?  I am Avivah Litan, I am a vice president at Gartner, and I 
follow identity theft and security.  And thank you for inviting Gartner 
here to testify about the issue.  Certainly I don't envy you at all.  It 
is a big, huge task to get this out of control.

But ladies and gentlemen, you have to assume that the cat is out of the 
bag.  At least 10 percent of US adult Social Security numbers, and all 
of these veteran records, could be in criminal hands.  In fact, I just 
heard this morning that sale of Social Security numbers are way up on 
criminal sites, and I would have to verify that with another source, but 
we have to assume that that has happened.

Secondly, I think that it is impractical to ask veterans to take control 
of a problem that they cannot see.  So there has been a lot of talk 
about free credit report monitoring.  Sure, that is better than nothing, 
but there are so many crimes that can be committed by stealing data that 
you won't ever see with credit report monitoring.  So it is not 
practical to ask any individual, especially a veteran, to have to take 
charge of this problem when they didn't create it, and they have no 
control over it, and they have no visibility into how their data is 
being misused.

So what can we do?  Well, there are two practical steps that I think we 
can take if there is a will to execute.  And of course these may sound, 
you know, beyond execution.  But number one, stop relying on Social 
Security numbers as the ultimate provider of identity proof.  When you 
have all these data elements compromised, you just can't rely on them 
anymore.  That is the facts.  So we shouldn't be worried in all this 
data gets in criminal hands; we need to just assume it is, and stop 
relying on it.

Instead, there are things called identity scoring systems that use his 
Social Security number, along with many other variables to determine an 
individual's identity.  These systems are already used by some of the 
best lenders and credit card issuers in the country, because they don't 
want to make a loan or issue a credit card to an identity thief, because 
they will lose money.

Those same systems should be used throughout, by other sectors including 
the government sector, the Veterans' Administration, the Motor Vehicle 
Administration, before dispersing benefits or issuing credentials, in 
order to protect the innocent from identity theft.  You can just 
imagine, someone is going to get hold of this veteran data, change the 
address of a check, and then some criminal is going to get the benefit 
and then the veteran is going to have to go spend months trying to undo 
this.  A credit report monitor would not tell the veteran anything about 
this.

By stealing a Social Security number, you can get into these free credit 
reports and sign up for them, and the crook has better access to the 
credit report than the veteran does, because they can answer the 
questions that are asked when you register.

So be realistic about this.  Just assume Social Security numbers are not 
reliable anymore.

Number two, we do need to protect the sensitive data we have left and 
continue to generate, whether it is health records, financial 
information, telephone records, or anything else.  To do so, there are 
several cost-effective technologies that enterprises and government 
agencies can deploy to protect data; including data encryption and host 
intrusion prevention.  Of course I am not going to bore you with all the 
details of these technologies, but you should know that they have become 
much more cost-effective and easier to implement over the last two 
years.  So these excuses among different companies out undue complexity 
and high implementation costs are really no longer valid, and they 
shouldn't be tolerated.

But as you have discussed today, you already know that many data 
compromises cannot be stopped with technical controls.  In fact, they 
they weren't caused by lack of technical controls.  If you look at what 
happened in ChoicePoint, their failure was the result of not extending 
information security into the registration and verification process of 
their clients.

Other compromises such as incidences and Bank of America and Wachovia 
were caused by authorized insiders illegally taking fraudulent action.  
And of course the compromise of veterans' data at the VA was in part an 
example of a poor business practice that allowed an employee to bring 
home 26 million records.  And you know, as you have said, it is not this 
employee's fault completely.  It is the process that allowed him to take 
home all those records.

And in fact, fixing the business process is much harder than 
implementing technology.  But still, security technology is important.  
We looked at three scenarios that are documented in our testimony that 
has been submitted to the Committee.  We talked about data encryption, 
host intrusion prevention systems, and more vigorous and continuous 
security audits.  So just those three, if you implement those three 
systems and processes, you can spend about six dollars just on data 
encryption per customer account, up to $16 per account, just on 100,000 
records.

So if you are looking at 26 million records at the VA, they could do 
this kind of technology I'm guessing for far less than a dollar per 
veteran.  And you compare that to the cost of a breach, and we have 
totaled that up to be about at least $90 per customer account, and that 
doesn't even include government fines and big lawsuits.  So you compare 
a dollar or fifty cents to $90, it is a no-brainer that our data should 
be protected, a regardless of compliance or regulations.

So hopefully, everyone will be embarrassed enough to take action, but 
nobody so far--it seems to be very slow.

[The statement of Ms. Litan appears on p. 116]
The Chairman.  Thank you very much for your testimony.  I am going to 
limit each of us to two minutes.  Then we can complete this, and then we 
can go on.  Mr. Filner, you are recognized.  You pass?  Mr. Michaud?

Mr. Michaud.  No, I just wanted to thank the panelists. It was very 
informative, and we really appreciate your time coming here.  And thank 
you again, Mr. Chairman.

The Chairman.  Thank you.  Mr. Udall?

Mr. Udall.  Did most of you hear the earlier testimony?

Ms. Litan.  Yeah.

Mr. Udall.  And you heard the number thrown around, 100 million, 500 
million, in terms of losses and things?  Do you have any comment on 
that?  I mean, do you, in terms of what you heard here, what kind of 
damage might be done?

Ms. Litan.  In terms of the damages caused, the total aggregate, I 
really think that nobody has a clue.  But you can't assume that the 
average cost of an identity theft, if it is a new account, it is about 
1500.  The FTC probably has better data on that than us.  But if it is 
$1500 times 26 million, that would be probably the average worst-case.

Mr. Pratt.  I don't have anything-- 

The Chairman.  Excuse me?

Mr. Pratt.  I don't have anything to add.  I think that using the FTC 
numbers as a baseline is a good approach if you are just trying to 
estimate general risk.

Mr. Udall.  Yeah.  And Mr. Hoffman, you have anything on this?

Mr. Hoffman.  Yeah, nothing major to add except that it could be zero.  
We don't know--obviously, there is an enormous potential liability.  
Significant trust damage has been done, but it is very possible that 
somebody just tried to rip off a laptop, and didn't know anything about 
it, you know, and immediately just erased and sold it, or ripped the 
hard drive out of it and resold it.  You don't know.  But the number can 
be enormous.

Mr. Udall.  Do any of you have any critique on the way the Veterans' 
Administration was operating, in terms of the testimony you have heard 
here?

Mr. Hoffman.  I would say that there is--they represented to you 
what in my experience is an absolute poster child for what is going on 
in corporations and organizations, public and private.  This is a system 
problem that requires people, and process, and technology, and they had 
issues at multiple phases of that.  You know, the analogy is you can 
build a very safe car, and you can't somehow and necessitate a very safe 
driver in that car.  And ultimately, security becomes a set of trade-
offs around this.  So I would just tell you that they are not alone, and 
unfortunately, they are not unique.

What does seem to differentiate them from many of the companies I have 
dealt with is the massive dispersion of the IT infrastructure, and the 
control of that infrastructure.  Again, it is extremely hard to secure 
something you can't manage.  And when it is that distributed, it becomes 
really hard to control.

Mr. Pratt.  I would only add that if I recall, one of the witnesses 
talked about an individual who had dual responsibilities: IT and then 
security.  That may not be the accurate description, but good data 
management starts with a chief privacy officer, a chief information 
security officer, a set of highly trained individuals who have very 
specific skills in both the knowledge of the--the technical 
knowledge of data security.  Encryption isn't the only solution, for 
example.  It is a much wider array of strategy.  But if you don't have 
the infrastructure that answers right up through--in the corporate 
world, it would be right up through the Committees of the board that 
would have oversight for that--you really don't have the proper 
infrastructure to even begin to make the decisions to address the 
dispersion, to oversee the proper management of the data.

Mr. Hoffman.  That is exactly right.  We have been working very much 
with a large mutual fund company in Boston who had a very similar event 
two or three weeks ago: losing a laptop with information on it.  There 
is no ambiguity about who is responsible for that.  The response is 
lightning fast, because there is a chief information security officer 
reporting either to a chief information officer, or a chief risk 
officer.  And they are empowered and accountable, and it goes right up 
to the board to answer the problem.

Mr. Pratt.  And in the private sector, it is risk-based, all of these 
decisions are risk-based decisions the corporations are working into 
their infrastructure.

The Chairman.  In this case, the risk base is the American taxpayer.

Ms. Litan.  I would also like to point out that private sector is 
governed in many cases by the Payment Card Industry standard, that has a 
definite chain of command, and penalties if there is no compliance.  
Here, I don't see any distinct rules that they are subject to and any 
reason that they have to get fined.  So there is no stick.

I get a lot of calls from companies that are complying with PCI, and 
they are damn worried about fines from Visa and MasterCard, and that is 
what motivates them.  I don't see the same kind of motivation at the VA.

The Chairman.  Well, nobody has any enforcement. Gartner consulting, are 
you still on contract with the VA, do you know?

Ms. Litan.  Yes, we are.

The Chairman.  Okay.  Since this incident has occurred, has anybody from 
the VA contacted you, Gartner consulting?

Ms. Litan.  Personally, I haven't been contacted.  I think--and I 
can't really speak for the company because there are a lot of points of 
contact, so--but I think the main contact was on this hearing.

The Chairman.  EMC, do you have a contract with the VA?

Mr. Hoffman.  We have sold stuff, yes, we have sold products.

The Chairman.  Sold on hardware.

Mr. Hoffman.  Yeah.  And some software.  And we have been in some 
significant conversation over the last few days on how we can help with 
this.

The Chairman.  Before some of these incidents had occurred, you know, I 
have got Secretary Cadenas still here, we had a hearing because in our 
disability fraud cases we individuals on the inside doing things they 
shouldn't be doing, and that's of he really worked on, compliance.-- He 
works with the IG.  So those things happen.

I had a conversation with an individual CIO of one of the Fortune 20, 
and I asked a basic question, "So could any employee pull down the 
entire personnel record, or the customer list of your company, and take 
it home?" You know, he laughed at me.  No, I'm serious, he laughed at me 
like that was the most ridiculous question he had ever heard, because 
there is no way possible they would ever let that occur.

What is your response to that?  Tell me what is happening out there in 
the private sector?  Why did he laugh at that question?

Mr. Hoffman.  Fortune 20 financial services firm?

The Chairman.  No, a Fortune 20 in the world.  Sales, and sales.

Mr. Hoffman.  What industry?

The Chairman.  I am not going to tell you.

[Laughter.]

Mr. Hoffman.  The reason I ask is because we see a significant deviation 
in industry vertical to industry vertical.  Typically, defense and 
intelligence get this, know what they are supposed to be doing around 
protection of confidential information.  Financial services, 
particularly the large banks, get this.  Healthcare organizations are 
beginning to, but there is a very steep falloff in the understanding and 
awareness of information security, issues, technology, organization 
structure.  But if you are speaking to somebody in one of those higher-
end verticals when it comes to security-- 

The Chairman.  It is.

Mr. Hoffman.--it is laughable, because they have dealt with, you 
know--they know that they are personally liable.  These are 
information companies.  To lose the information is to lose the company.  
In banks, they trade in information, that is their business.  And they 
are very aggressive about making certain things like that can't happen.

The Chairman.  Well, we already know the advice and counsel to us from 
Gartner Consulting with Gartner's centralized approach at this, and it 
was not taken seriously at the VA.  The bureaucracy sort of cheered.  
They felt like they won.  We had one of the best in our country as a CIO 
of VA.  He didn't have to take that job.  He went in and took that job, 
very challenging.  There were a lot of career employees that had been 
there for a long time, they don't want to change: "Why should we do 
that?  This model has always worked that way."  And you can always come 
up with a list, very articulate, they sound very sensible, very 
reasoned.

But the challenge for our, quote, "government," for all departments is 
to get our arms around this.  And both of you may criticize us.  You 
called this "maximum dispersion."  I guess we call it 
"decentralization."  I like your term you have used here.  And what we 
did here on a bipartisan basis was to get our arms around this, we 
needed to empower the CIO, and get hold of the architecture, and begin 
to then work in the systems.  That was our approach.

And we tried to be good listeners to what is going on in the private 
sector.  It has been really challenging, in the 14 years that I have 
done this, to get government to say it is okay to utilize some business 
practices and principles.  It shouldn't be a radical concept, but it is 
really challenging, and you know that because you are consultants to, 
quote, "government." But we provide their budgets every year, and monies 
come, and they spend monies, and they don't, quote, "have to change."  
And it is very, very challenging.

I am glad that the acting CIO stayed here, General Howard, I appreciate 
that, and Secretary Cadenas, and Secretary Duffy, that you have remained 
here to listen to this testimony.  And I would welcome you to contact 
them for their expertise and counsel as we proceed.

Thank you very much, you have helped your country.

This hearing is now concluded.

[Whereupon, at 12:15 p.m., the Committee was adjourned.]


                         APPENDIX



[GRAPHIC] [TIFF OMITTED]

