[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
FAILURE OF VA'S INFORMATION
MANAGEMENT
========================================================================
HEARING
before the
COMMITTEE ON
VETERANS' AFFAIRS
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
MAY 25, 2006
__________
Printed for the use of the Committee on Veterans' Affairs
Serial No. 109-48
__________
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2007
28-124.PDF
COMMITTEE ON VETERANS' AFFAIRS
STEVE BUYER, Indiana, Chairman
MICHAEL BILIRAKIS, Florida
TERRY EVERETT, Alabama
CLIFF STEARNS, Florida
DAN BURTON, Indiana
JERRY MORAN, Kansas
RICHARD H. BAKER, Louisiana
HENRY E. BROWN, Jr., South Carolina
JEFF MILLER, Florida
JOHN BOOZMAN, Arkansas
JEB BRADLEY, New Hampshire
GINNY BROWN-WAITE, Florida
MICHAEL R. TURNER, Ohio
JOHN CAMPBELL, California

LANE EVANS, Illinois, Ranking
BOB FILNER, California
LUIS V. GUTIERREZ, Illinois
CORRINE BROWN, Florida
VIC SNYDER, Arkansas
MICHAEL H. MICHAUD, Maine
STEPHANIE HERSETH, South Dakota
TED STRICKLAND, Ohio
DARLENE HOOLEY, Oregon
SILVESTRE REYES, Texas
SHELLEY BERKLEY, Nevada
TOM UDALL, New Mexico
JOHN T. SALAZAR, Colorado
JAMES M. LARIVIERE, Staff Director
C O N T E N T S
May 25, 2006
Page
Failure of VA's Information Management............................ 1
OPENING STATEMENT
Hon. Steve Buyer, Chairman........................................ 1
Prepared statement of Chairman Buyer.............................. 66
Hon. Ted Strickland............................................... 4
Prepared statement of Mr. Strickland.............................. 68
Hon. Bob Filner................................................... 4
STATEMENTS FOR THE RECORD
Hon. Michael Bilirakis............................................ 70
Hon. Luis V. Gutierrez............................................ 74
Hon. Cliff Stearns................................................ 76
Hon. Corrine Brown of Florida..................................... 78
Hon. Richard H. Baker............................................. 81
Hon. Michael H. Michaud........................................... 82
Hon. Jeff Miller of Florida....................................... 83
Hon. Stephanie Herseth............................................ 87
Hon. John Boozman................................................. 89
Hon. Tom Udall.................................................... 91
Hon. John T. Salazar.............................................. 93
Hon. Terry Everett................................................ 95
WITNESSES
Nicholson, Hon. R. James, Secretary, U.S. Department of
Veterans Affairs................................................ 6
Prepared statement of Secretary Nicholson.........................
Opfer, Hon. George J., Inspector General, U.S. Department of
Veterans Affairs................................................ 21
Prepared statement of Mr. Opfer................................... 101
Pratt, Stuart, President and Chief Executive Officer, Consumer
Data Industry Association....................................... 54
Prepared statement of Mr. Pratt................................... 107
Hoffman, Dennis, Vice President of Information Security,
EMC Corporation................................................. 56
Prepared statement of Mr. Hoffman................................. 110
Litan, Avivah, Vice President and Distinguished Analyst,
Gartner, Incorporated........................................... 59
Prepared statement of Ms. Litan................................... 116
INFORMATION FOR THE RECORD
Kappelman, Leon A., Ph.D., Professor of Information Systems,
Director Emeritus, Information Systems Research Center,
Fellow, Texas Center for Digital Knowledge, Associate
Director, Center for Quality & Productivity, Information
Technology & Decision Sciences department, College of
Business Administration, University of North Texas,
statement of.................................................... 122
VA's Statement on the incident of May 3, 2006..................... 124
VA's Notification to Veterans..................................... 126
VA's FAQ's on the incident of May 3, 2006......................... 128
Secretary Principi's Memorandum for Under Secretaries, Assistant
Secretaries, Deputy Assistant Secretaries, and other Key
Officials, dated March 16, 2004................................. 132
VA's Memorandum dated April 7, 2004............................... 133
POST-HEARING QUESTIONS FOR THE RECORD
Responses of the U.S. Department of Veterans Affairs to Post-
Hearing Questions for the Record from Chairman Buyer,
Hon. Terry Everett, Hon. Jeb Bradley, Hon. Ginny Brown-
Waite, and Hon. John Campbell................................... 139
Responses of the U.S. Department of Veterans Affairs to Post-
Hearing Questions for the Record from Hon. Lane Evans,
Ranking Democratic Member and Hon. Luis V. Gutierrez........... 233
FAILURE OF VA'S INFORMATION MANAGEMENT
____________
THURSDAY, MAY 25, 2006
House of Representatives,
Committee on Veterans' Affairs,
Washington, D.C.
The Committee met, pursuant to call, at 9:05 a.m., in Room 334, Cannon
House Office Building, Hon. Steve Buyer [Chairman of the Committee]
presiding.
Present: Representatives Buyer, Bilirakis, Stearns, Moran, Brown of
South Carolina, Miller, Boozman, Brown-Waite, Campbell, Filner,
Gutierrez, Brown of Florida, Michaud, Herseth, Strickland, Hooley,
Reyes, Berkley, Udall, and Salazar.
The Chairman. The House Committee on Veterans' Affairs dated May 25,
2006, will come to order. If somebody will get the door for us, please.
By way of housekeeping, we only have the Secretary for about 45 minutes,
and then there's a hearing on the Senate side that starts at 10:00
o'clock. He will be taking Mr. McClain with him. Others of his staff
will remain, and step forward at the table when the Secretary leaves.
I will give an opening, and then I'm going to yield to Mr. Strickland
for an opening, and then we are going to immediately go to questions.
What I would propose is, because we only have him for 45 minutes, is
that I do a unanimous consent that each member may have three minutes to
do questions, so we try to give quick latitude to all the members. Any
objections?
[No response.]
All right. And hearing no objections, so ordered.
The purpose of this hearing is to learn more about the recent loss of
personal data belonging to as many as 26.5 million veterans and some
spouses experienced by the Department of Veterans Affairs. We have a
meltdown in VA's information management. According to VA, this meltdown
has resulted in a catastrophic failure to safeguard sensitive personal
data. Last Monday, the Department of Veterans' Affairs released a
statement acknowledging that a data analyst took home electronic data
which he was authorized to access at work, but not authorized to bring
home. The burglary of his home and the theft of his computer resulted
in the loss of that data. This serious incident was not communicated to
this Committee until Monday, May 22nd, 19 days after the theft, and one
hour prior to its release to the public.
We must answer some pressing questions, which include: how did this
breach of information management happen, what will we do to protect
veterans from identity theft, what policies and regulations are in place
in the department that should have stopped the mismanagement of
information, and what is the VA doing to eliminate the vulnerabilities
associated with the security of sensitive information? And there are
many others from my colleagues.
And let me be clear. We are here today to inform America's veterans and
their families what the government is doing to protect them against
fraud and ease their efforts to protect themselves. Our veterans and
their families must be assured of how you, Mr. Secretary, will safeguard
the information they place in your hands. Whether or not any identity
fraud results from the theft of this computer carried home by this VA
employee, what is clear is that damage has been done.
Speaking as one of those millions of veterans such as even yourself, Mr.
Secretary, the prospect of fraud, theft, of the awful prospect of
repairing damaged credit, is bad enough. For that stress to be caused
by our own Federal Government is deeply disturbing, and I know everyone
here agrees it is intolerable. There will unfortunately be a certain
percentage of the 26.5 million veterans that will have to deal with
identity theft in the normal course of life. And now some of them will
blame the VA. So that's going to be a challenge for you.
Beyond the very personal dimension: this incident has implications
regarding the larger picture of control over VA information technology.
Over the last seven years we've seen compelling evidence of information
security problems at the VA, and I refer to the Committee hearings which
I've chaired. On May 11th of 2000, the GAO stated that computer
security, quote: "...is critical to VA's ability to safeguard its
assets, maintain the confidentiality of sensitive information, and
ensure the reliability of its financial data. The VA IG
acknowledged the department-wide weaknesses in information security
systems that continue to make VA's program and financial data vulnerable
to error and fraud," end quote.
At a September 21, 2000 hearing, GAO stated, quote, "Serious computer
security problems persisted throughout the department and VHA, because
VA had not yet fully implemented an integrated security management
program, and VHA had not effectively managed computer security at its
medical facilities," end quote.
At the April 4, 2001 hearing, the IG continued to, I quote, "identify
significant information security vulnerabilities that place the
department's data systems at risk of unauthorized access and
disclosure." The IG testified that, quote, "many of these
vulnerabilities exist in violation of VA policy," end quote.
At a March 13, 2002 hearing, the IG repeated findings of the
vulnerabilities of VA's information technology.
Then almost four years ago today, on May 20th and May 21st, a WISHTV 8
I-Team led by Karen Hensel in Indianapolis, Indiana, went to Goodwill
and bought three computer hard drives. Two of those hard drives she
learned were never cleansed, and they contained hospital patient records
from the Roudebush VA Hospital in Indianapolis. The names of veterans,
their Social Security numbers, home address, phone numbers, pages and
pages of government credit card numbers, information regarding veterans'
arrest records, whether they were receiving drug and alcohol counseling,
whether they were disabled. One of the veterans was blind,
disabled, and living alone, and was a combat veteran. It discussed his
case. One of the patients was HIV. A hundred twenty of those computers
were sold at a surplus sale without ever having been cleansed.
So we went through all the hearings on that. "Oh, the controls are
going to be in place, we assure the Committee."
At the September 26, 2002 hearing, the IG testimony stated that, quote,
"Penetration testing completed during the past two years verified that
the VA's information system could be exploited to gain access to
sensitive veteran health and benefit information."
At a March 17, 2004 hearing, the VA testified that, quote, "there was a
glide path in place for the meeting, the 2004, April 2004 deadline for
the beginning of the VETSNET deployment. VETSNET has been in
development for a decade. I've been told that VETSNET will not deploy
in 2006 and maybe not even now till 2007."
As Chairman of the Subcommittee on oversight and investigations, and now
the Chairman of this Committee, I have led a bipartisan effort to
centralize VA's IT infrastructure and control over its IT systems. Last
November, this House voted unanimously, 408 to zero, to centralize IT
management with the department's chief information officer. Both the
department and the Senate have sadly resisted such centralization of
VA's IT architecture. Even the Independent Budget of the VSOs opposed
centralization of VA's IT infrastructure in their 2007 budget.
The VA Inspector General in his November 2005 report entitled, "major
management challenges of fiscal year 2005," stated that, quote, "VA has
not been able to effectively address some significant information
security vulnerabilities and reverse the impact of its historically
decentralized management approach."
The report went on to say that, quote, "While the VA has accelerated
efforts to improve Federal information security, more needs have to be
done to put security improvements in place that effectively eliminate
the risk and vulnerabilities of unauthorized access and misuse of
sensitive information," end quote.
Look where we are here today, Mr. Secretary. This Committee, this
Congress, we have asked to empower the CIO to put his arms around this
one, and that was resisted. We also--I have even asked about
letting the VA be on parity with other departments with regard to
political appointments. That has been resisted. And now what we have
is, we have some management questions. This isn't just an issue of a
low-level employee. There is very serious mismanagement of information
technology that is at stake.
So with that context, I believe there is a damaged trust, angered
veterans and families, and there are systematic flaws. And Mr.
Secretary, this is a defining moment of your leadership.
With that I yield now to Mr. Strickland.
[The statement of Chairman Buyer appears on p. 66]
Mr. Strickland. Mr. Chairman, I would yield to my colleague from
California, Mr. Filner, and I would ask that my statement be entered
into the record, please.
The Chairman. Thank you, Mr. Strickland. All the members may have
opening statements, and your statements will be submitted for the
record.
[The statement of Mr. Strickland appears on p. 68]
The Chairman. Mr. Filner, you are now recognized.
Mr. Filner. Thank you, Mr. Chairman, and thank you for this hearing.
Thank you for your opening remarks. I associate myself completely with
them. You laid out a complete record, I think that we don't have to
repeat, so I appreciate your strong attitude toward this issue.
We are now presented, as the Chairman said, with a catastrophic problem.
The VA simply did not protect essential personal information entrusted
to its care. Now and for the next few decades maybe, a potential sword
of Damocles hangs over the financial well-being of over 26 million
veterans, unless this data is recovered.
In the last five years, as the Chairman outlined, a host of agencies,
the VA Inspector General, the GAO, prominent IT consultants have
reported that VA has many problems with information security. We found
multiple failures under the Federal Information Security Management Act,
and the performance reviews required by that Act. We note that three or
four information security recommendations to the VA by the Government
Accountability Office in March 2002 have yet to be implemented. Outside
contractors have noted related problems. And how does VA react? With
indifference.
Internal VA recommendations to strengthen the control of information
meet with resistance. Even Secretary Principi's directive to centralize
information technology at the VA in 2002 was met with indifference. It
was not implemented.
In the last few years, this Committee and its Subcommittees have
chronicled problems related to unclear lines of IT management authority
throughout the VA, from information security Officer training in the VBA
to sensitive information releases on unscrubbed computer hard drives at
VA medical centers, a host of very expensive major computer project
failures and delays.
We rarely see accountability, either in the IT or the information
security world at the Veterans Administration. The individual
responsible for the release of the unscrubbed hard drives was soon
promoted. Again, VA seems to react with indifference to its problems in
this area.
As Chairman Buyer pointed out, the problem before us today is not
unexpected. It has sprung from a culture of indifference, at the
Veterans Administration, and has grown strong among the leaders who have
allowed it to grow. The most important agent in information control and
security in an organization is its leadership. When they are not
proactive, Mr. Secretary, bad things happen. And a very bad thing has
happened that we are looking at today.
Too much time transpired before Congress was notified. Sure, you needed
to hope that the thing was found, but you could have briefed the
Chairman and others in this body about that, what happened. Too much
time transpired before veterans were notified. And when you did notify
them, you left it to them to go contact their credit bureau, or their
banks. You didn't say, "We will take care of it, we will be behind you,
we will pay for the problems that you might have." VA's message was,
"Trust us, we will handle it." Well, we should now question if even
after this wake-up call, you are up to the task.
Certainly this administration has proclaimed its need to collect
information on our citizens. On May 11th, President Bush defended those
actions by noting that the privacy of ordinary Americans is fiercely
protected in all of our activities. Well, I think this data debacle
before us today clearly demonstrates the folly of the President's
attempt to place us at ease regarding the Administration's ability to
fiercely protect our privacy. This does not meet my definition of
fierce protection. I only see indifference.
Mr. Chairman, I appreciate again this opportunity to look into this
incredible disaster.
The Chairman. Thank you, Mr. Filner. And I associate myself with Mr.
Filner's comments.
Testifying now will be Secretary Nicholson. Secretary Nicholson is
accompanied by the Honorable R. Allen Pittman, the Assistant Secretary of
Human Resources and Administration; the Honorable Robert J. Henke,
Assistant Secretary for Management; Retired Army Major General Bob
Howard, the Acting Assistant Secretary for Information Technology; Pedro
Cadenas, Jr., Associate Deputy Assistant Secretary for Cyber and
Information Security, and the Acting Deputy Assistant Secretary for
Information Technology; Dennis M. Duffy, Acting Assistant Secretary for
Policy, Planning, and Preparedness; Michael McLendon, Deputy Assistant
Secretary for Policy; and the Honorable Tim McClain, the Department's
General Counsel.
All the individuals who I have just identified, if you would please
stand, I'm going to swear all of you in. Would you please raise your
right hand.
[Witnesses sworn.]
Mr. Secretary, you are now recognized.
TESTIMONY OF HON. R. JAMES NICHOLSON, SECRETARY, VETERANS AFFAIRS;
ACCOMPANIED BY R. ALLEN PITTMAN, ASSISTANT SECRETARY FOR HUMAN RESOURCES
AND ADMINISTRATION; ROBERT J. HENKE, ASSISTANT SECRETARY FOR MANAGEMENT;
MAJOR GENERAL (RET.) ROBERT HOWARD, ACTING ASSISTANT SECRETARY FOR
INFORMATION AND TECHNOLOGY; PEDRO CADENAS, JR., ASSOCIATE DEPUTY
ASSISTANT SECRETARY FOR CYBER AND INFORMATION SECURITY AND ACTING DEPUTY
ASSISTANT SECRETARY FOR INFORMATION TECHNOLOGY; DENNIS M. DUFFY, ACTING
ASSISTANT SECRETARY FOR POLICY, PLANNING AND PREPAREDNESS; MICHAEL
MCLENDON, DEPUTY ASSISTANT SECRETARY FOR POLICY; TIM S. MCCLAIN, GENERAL
COUNSEL; AND GEORGE J. OPFER, INSPECTOR GENERAL, DEPARTMENT OF VETERANS
AFFAIRS
Secretary Nicholson. Mr. Chairman and members of the Committee, thank
you for giving me the opportunity to appear before you today, to explain
a devastating occurrence that has happened in my agency. It has come to
my attention recently. It was announced to all on Monday of this week.
I am the person ultimately responsible to our veterans, and therefore,
the responsibility for this situation rests on me. A VA employee who
was a data analyst took home electronic data files from the VA. He was
not authorized to do so, nor were they encrypted. His house was
burglarized and the data were stolen. This happened on May 3rd. If
that wasn't bad enough, I wasn't notified about this event until May
16th. As a veteran myself, I have to tell you that I am outraged. I am
frankly mad as hell. But I must carry on, and lead the efforts to get
to the bottom of this, and take corrective actions to see that it
doesn't happen again.
My compass for this is the veterans. How do we best take care of them
now, and mitigate the effects of this on them? These stolen data
contained identifying information including names and dates of birth for
up to 26.5 million veterans, and some of their spouses. In addition,
that information, plus Social Security numbers, was available for some
19.6 million of those veterans. Also included possibly were some
numerical disability ratings and the diagnostic codes which identified
the disabilities being compensated.
It is important to note that the data did not include any of the VA's
electronic health records. Neither did it contain explicit financial
information, although knowing of a disability rating could enable one to
compute what the implied terms of compensation payments are.
On May 3rd, the employee's home was broken into in what appears to
local law enforcement to have been a routine breaking and entering; that
is, a random burglary, not a targeted one. And the VA data were stolen.
The employee has been placed on administrative leave pending the outcome
of an investigation with which he is cooperating.
As I have said, I am a veteran too, and I am outraged at the loss of our
veterans' personal data. And I am outraged at the fact that an employee
would put us all at risk by taking it home in violation of VA policies
with which he was very familiar. I am also very outraged that it was
not until May 16th that I was notified of this incident. And I am upset
about the timing of the department's overall response once the burglary
became known. I will not and have not tolerated inaction and poor
judgment when it comes to protecting our veterans.
Appropriate law enforcement agencies, including local police, the FBI,
and the VA Inspector General's office, have launched full-scale
investigations into this matter. Authorities believe it is unlikely the
perpetrators targeted the items stolen because of any knowledge of the
data contents. It is possible that the thieves remain unaware of the
information they possess, or how to make use of it. Because of that, we
have attempted to describe the equipment stolen, the location from which
it was stolen, and other information, in quite general terms. We have
not and do not want to provide information to the thieves that might be
more helpful as to the nature of what they have. We still hope that
this was a common theft, and that no use will be made of the VA data.
From the moment I was informed, the VA began taking all possible steps
to protect and inform our veterans. However, there were those in the
law-enforcement community who wanted me to wait longer before announcing
this theft, so as to pursue leads and keep the burglars in the dark. I
chose to inform our veterans nevertheless, but limiting the details of
where and when initially, so as not to tip our hand to the robbers.
Whether it is one veteran or the numbers we are talking about here
today, the VA needed to act in a manner that maintained a balance
between protecting our veterans, and informing the crooks.
Another very disturbing aspect of this circumstance is that although it
happened on May 3rd, and the VA employee informed his bosses of this
fact on that day, I was not made aware, as I said, until May 16th.
Equally disturbing is that Federal law enforcement and investigating
agencies were not informed immediately, either. It wasn't until May
10th that the VA IG became aware of it. I cannot explain these lapses
in judgment on the part of my people. It makes me really angry and
disappointed, and after the IG finishes his investigation as to exactly
what went on, I plan to take decisive actions.
The VA now also has begun a relentless examination of our policies and
procedures to find out how we can prevent something like this from
happening again. We will stay focused on the problems until they are
fixed. I have formed a special task force under the deputy secretary to
examine comprehensively all of our information security programs and
policies, to bring about a ringing change in the way we do business.
Ever since 1999, the VA has gotten low marks from the IG on its
information and cyber security programs. Last year, the GAO flunked
the VA on its cyber security system. This has to change.
This situation is exacerbated by the fact that the Assistant Secretary
for IT, who had been at the VA since the beginning of 2004, has just
recently resigned. He came to the VA from the private sector, Dell
Computers, and has now returned to the private sector. We do have--
and think we have recruited a good replacement, but he is not in place
at this time.
Ironically, we, the VA, continue to get very exemplary evaluations on
electronic medical records systems. And during Hurricane Katrina, the
system and our people performed heroically to evacuate hundreds of
patients and save many lives. We are also off to a strong start on our
IT reformation to centralize all of our IT applications, except for
development.
What this suggests is that we can get this information and cyber
security mission done right, also. I am also pleased that just
yesterday the President announced his intention to nominate a brilliant
recently retired Navy Admiral to head up our office of policy and
planning, where this incident arose from. He should be on board very
soon.
Additionally, we are taking direct and immediate action to address and
alleviate veterans' concerns and to regain their confidence. I have
taken the following actions so far:
Directed that all VA employees complete the VA cyber security awareness
training course, and complete the separate general employee privacy
awareness course by June 30, 2006.
I have also directed a memo be issued requiring all VA employees to sign
annually an employee statement of awareness that includes their
awareness of the Privacy Act, unauthorized disclosing or using, directly or
indirectly, information obtained as a result of employment in the VA,
which is of a confidential nature, or which represents a matter of
trust, or other information so obtained, of such a character that its
disclosure would--or its use would be contrary to the best interest
of the VA, or the veterans being served.
And certify their awareness on the loss of, damage to, or unauthorized
use of government property, through carelessness, or negligence, or
through maliciousness, or intent.
In addition, the department will immediately be conducting an inventory
and review of all current positions requiring access to sensitive VA
data. The inventory will determine whether positions in fact require
access to data. We will then be requiring all employees requiring
access to sensitive VA data to undergo an updated national agency check
and inquiries, and/or a minimum background investigation, depending on
the level of access required by the responsibilities associated with
their position. It has also come to my attention that we know
virtually nothing about these people that have access to these enormous
amounts of data. For example, this individual having the entire
veterans' file, one person who has not to our knowledge had a background
check for 32 years.
I have directed the office of information and technology to publish by
June 30 of this year, as a VA directive, the revisions to the security
guidelines for single user remote access developed by the Office of
Cyber Information Security. This document will set the standards for
access, use, and information security, including physical security,
incident reporting, and responsibilities.
VA is working with Congress, the news media, and veterans service
organizations and other government agencies, to help ensure that those
veterans and their families are aware of the situation, and of the steps
they may take to protect themselves from misuse of their personal
information. VA is coordinating with other agencies to send individual
notifications to all 19.6 million individuals whose Social Security
numbers were stolen, instructing them to be both vigilant in order to
detect any signs of possible identity theft, and how to protect
themselves.
In the meantime, veterans can also go to www.firstgov.gov for more
information on this matter. This is a Federal Government web site
capable of handling large amounts of Web traffic. Additionally, the VA
has set up a manned call center that veterans may use to get information
about this situation, and learn more about consumer identity protection.
That toll-free number is 1-800-333-4636. The call center operates from
8:00 a.m. to 9:00 p.m. Monday to Saturday, and it will as long as it is
needed. The call center handles up to 20,000 calls an hour. Through
the end of the day yesterday, concerned veterans had made a total of
105,753 calls to this number.
I want to acknowledge the significant efforts of numerous government
agencies in assisting the VA in preparing for this announcement of May
22nd. Agencies at all levels of the Federal Government pitched in to
ensure that our veterans had information on actions they could take to
protect their credit. Hundreds of people worked around-the-clock last
weekend, writing materials to inform the veterans, and setting up call
centers and a Web site to ensure maximum dissemination of the
information. And I want to personally thank each of these agencies and
the people therein for their selfless efforts on behalf of our veterans.
Three nationwide credit bureaus have established special procedures to
handle inquiries and requests for fraud alerts from our veterans.
Experian and Trans-Union have placed a front-end message on their
existing toll-free fraud lines, bypassing the usual phone tree of
instructions for placing a fraud alert. Equifax has set up a new toll-
free number for veterans to place fraud alerts.
The new procedures became operational on Tuesday. The bureaus report a
spike in phone calls, 171 percent of normal, and in requests for free
credit reports, through the annual free credit report web site. The
Federal Trade Commission also experienced high call volumes about the
incident earlier this week. On Monday, the Office of the Comptroller of the
Currency notified its examiners of the theft. On Tuesday, the Office of
Comptroller posted an advisory on an internal network available to its
banks, and instructed examiners to direct their banks to the advisory.
It explains what happened, and asked the banks to exercise extra
diligence in processing veterans' payments. The advisory also reminds
the banks of their legal obligations to verify the identities of persons
seeking to open new accounts, to safeguard customer information against
unauthorized access or use, and attaches a summary of relevant laws and
regulations.
I briefed the Attorney General and the Chairman of the Federal Trade
Commission, the co-chairs of the President's Identity Task Force shortly
after I became aware of this occurrence, and they have been very
cooperative as well.
Task force members have already taken actions to protect the affected
veterans, including working with the credit bureaus to help ensure that
veterans receive the free credit report that they are entitled to under
the law.
Additionally, the task force met on Monday to coordinate the
comprehensive Federal response, and to recommend further ways to protect
affected veterans, and increased safeguards to prevent the recurrence of
these incidents. On Monday, following the announcement of this
incident, I also issued a memorandum to all VA employees. The purpose
was to remind them of the public trust we hold, and to set forth the
requirement that all employees complete their annual general privacy
training and VA cyber security awareness training for the current year,
by June 30. Following that, all will be required to sign a statement of
commitment and understanding, which will acknowledge consequences for
noncompliance.
Information security is challenging business. And ultimately, it
depends on the integrity and the work ethics of the workforce.
The Chairman. Mr. Secretary, if you could summarize your conclusion,
please.
Secretary Nicholson. I wanted to just, for purposes of one graphic, and
this was not the equipment that was involved in this so I can use--
but this is a hard drive. This little piece of equipment that is
smaller than my wallet has 60 gigabytes. The information that we are
dealing with here, this entire roll of our veterans and the data on it
is five gigabytes. So you could put 12 times that on that piece of
equipment that fits easily into one's pocket. All of us carry a cell
phone, a Blackberry, or a personal digital assistant, and they contain
vast amounts of data.
I promise you that we will do everything in our power to structure a
policy and a regulatory regime that make clear what is proper use of
this data by our employees. We will train employees in these policies,
and enforce them. We have already begun discussions regarding immediate
automatic encryption of all sensitive information. We will work with
the President's task force very closely. VA's mission to serve and
honor our nation's veterans is one we take seriously. The 235,000
dedicated VA employees are deeply saddened by any concern or anxiety
this incident is causing to our veterans and their families. We honor
the service of our veterans and what they have done for our country, and
we are working hard to keep this most unfortunate circumstance from
causing them undue pain and anxiety. Thank you.
[The statement of Secretary Nicholson appears on p. 96]
The Chairman. Thank you, Mr. Secretary.
To my colleagues, sitting to the Secretary's right is Mr. George Opfer.
He is the VA's IG, and it was on purpose that he was not sworn in.
I will also ask unanimous consent that Thelma Drake and Jim Walsh be
permitted to sit at the dais of the Veterans' Affairs Committee.
[No response.]
Hearing no objections, so ordered.
I want to thank Chairman Walsh for being present today. He also wanted
to hold his own hearing on this, and given the time constraints was not
able to, and it's impressive that he is taking equal concern on this.
What we have here, Mr. Secretary, is this Committee working
cooperatively with Mr. Walsh and Mr. Chet Edwards on IT. And before you
took this job, we had been working hard on IT. And when we couldn't get
the VA to listen, we worked cooperatively with not only setting forth
our budget, taking out $400 million to get somebody's attention, but the
appropriators also followed suit.
I am going to yield so other members can ask questions. The only thing
I would like for you to take away from this, Mr. Secretary, is that we
intend to have follow-on hearings. I would ask this of you: would you
consider offering a reward, say, a million-dollar reward for information
that would lead to the arrest or recovery of this device? I want you to
think about that. I want you to work with the Department of Justice on
whether or not that could be helpful to us. That million dollars is
nothing compared to what we are about to expend. You have already sent
us a reprogramming notice for $25 million. So I don't know where this
could end. But I want you to consider that.
Secretary Nicholson. We will.
The Chairman. At this point, let me yield to Mr. Bilirakis for two
minutes.
Mr. Bilirakis. Thanks, Mr. Chairman. Mr. Secretary, welcome, I guess.
Mr. Secretary, in Vietnam you were a true, most courageous hero, a true
hero. You received many awards. I doubt that the difficulties you
found there are as bad as they are with the VA.
Foundationally this is a problem in the VA. And it is foundational.
Others will ask questions regarding this particular instance, and I am
as concerned about it as anybody else is. Mr. Chairman, I would like to
ask unanimous consent that a two-page document, a written statement by a
Dr. Leon A. Kappelman be made a part of the record.
The Chairman. Hearing no objection, so ordered.
[The information appears on p. 122]
Mr. Bilirakis. And I would like to quote from that, Mr. Secretary, very
quickly here: "VA has tens of thousands of dedicated, hard-working
employees committed to the important mission of serving our nation's
veterans and their families. But there is a dark side to the VA. Its
bureaucratic culture is unprincipled, profligate, and intransigent. I
have seen them ignore Congress, GAO, OMB, and one executive appointee
after another. Oh, they know how to play the game to get the executive
in Congress to open the budget floodgates, but VA doesn't really care
how the dollars are actually spent, as long as it doesn't interfere with
business as usual at the VA. I have personally seen VA personnel
sabotage and subvert hundreds of millions of dollars' worth of IT
projects, and read about billions more wasted on other failures. I have
seen a total disregard for one cyber security effort after another.
These are only the tip of the iceberg. And why do such things happen at
the VA? Largely, because these systems and efforts would make the
utilization of budget and personnel more transparent and thereby make
accountability possible."
Mr. Secretary, without going into the merits of these statements and
that sort of thing, the gentleman is not here for us to cross-examine or
whatever. But I think we all agree that there is a problem, a basic
bureaucratic type of a problem--at least I hope we all agree. And I
ask you, if that is the case, and let's go on the premise that that is
the case, can't you do something about it? What is preventing you from--
I guess this task force reviewing the entire VA and basically
saying, "Hey, we are going to chop here, we are going to change here, we
are going to do this, we are going to do that." Is it civil service?
Does anything prevent you from doing these things? Are we sort of stuck
with this kind of an image, on the premise now again that this is
basically true? And I frankly think that it is, based on my experience
of over 24 years on this Committee.
Secretary Nicholson. I would say absolutely--
Mr. Bilirakis. Your mike, I guess, sir.
Secretary Nicholson. No. I mean, I am aware of the history of these
problems that the Chairman and the Ranking Member have recited. There
are others. I am trying to ascertain exactly how many people
telecommute. Yesterday, I was talking to an employee on this subject,
who was a data expert, who asked somebody to burn some records, some
health records for him onto a CD that he needed for a project. It was
done, they were mailed to him very timely, tidy. Wrote an e-mail back
to them and he said "That was great. It was prompt. I really appreciate
it. Where do you work here? At the VA Central office? Maybe I'll run
into you and we can have a cup of coffee."
And the guy says, "I don't work here. I work in South Dakota." And so
we have people telecommuting all over this country, and we need to get
our arms around who these people are, and what they are like? And they
have enormous amounts of data with enormous amounts of potential. Not
necessarily because they may be up to mischief, but they may be like the
current case where they are negligent. And this is an enormous,
troubling situation. But I will say to you that you cannot default to
it. We have to fix it. And we can.
Mr. Bilirakis. Do you have the authority? Do you have the power to fix
it?
Secretary Nicholson. Well, if we don't have it, we will come and seek
it. But you raise a good point, Mr. Chairman, because there are things
that are called guidelines, which some employees think do not apply
because they say "guidelines," and they don't say "directives." And
that has a history to it as well, about how expeditious you can get out
a guideline versus the time it takes to do a directive.
I will say that the thing needs to be reviewed from tip to stern. We
have queued up I think a very strong leader to come in and replace the
person that has left, as the chief information officer who I told you
about, who I think did a very good job in forcing us into the
transformation that we are now in on centralizing, you know, a portion
of IT for business purposes and so forth. But in the information
security area, there is a lot needed, and--but it can be done.
These things can be fixed.
[The statement of Mr. Bilirakis appears on p. 70]
The Chairman. I thank the gentleman. I am going to hit this and go
right to Mr. Filner. What assurance can you, Mr. Secretary, give
veterans that if indeed these records end up in the hands of identity
thieves, that veterans will not suffer financially or otherwise for
these illegal attacks on their credit?
Secretary Nicholson. Well, I think before I could give you that
assurance, I'm going to have to work with the Congress to--and see
if it could be funded. If they suffer a loss from this. We are working
at a fever pitch with several proprietary companies that are in this
business of trying to help monitor consumers, people's credit records
for them, and we are meeting with them, reviewing their proposals. With
the enormous amount of people involved, there's gonna be a substantial
cost to that. But that would give--that would give a lot of peace
of mind to our veterans, if they suffer a loss, the system of--then
compensating that, which I think is something that is owed to a veteran,
we'll have to figure out.
The Chairman. Mr. Filner, you are recognized for two minutes.
Mr. Filner. Thank you, Mr. Chairman. Who is the highest level official
who didn't tell you for 13 days about this?
Secretary Nicholson. That knew it during that time before, the deputy
chief of--the deputy secretary.
Mr. Filner. Is he going to be fired?
Secretary Nicholson. I'm reviewing all of these issues, Mr. Filner,
with a view towards what actions that I'm gonna take, and I'm going to
take--but the IG is continuing to do some work on this, and I want
to--
Mr. Filner. You know, your responses are incredibly bureaucratic. I
don't see, as I have told you, I do not see any passion. I don't see you
saying, "I take responsibility." Well, the most dramatic thing you
could do to take responsibility is resign. In last year's budget, you
didn't know there was a war going on, so you couldn't take care of the
veterans. Now, your own people do not tell you about the theft of the
data of 26 million veterans, and you go through all this bureaucratic
rigamarole. You issue something to veterans, "Frequently Asked
Questions," and you tell them, "if you have any problem, call your
credit bureau, call your bank."
Where is your responsibility in all this? You tell your veterans, "Go
call a number"--which you gave the wrong number, by the way, in your
testimony. At least it is different than your press release.
So you are not taking any responsibility. Not only financially but for
this management debacle. And you have said time and again as from your
press release, there is no medical data here. Is that what you have
said?
Secretary Nicholson. Yes, I said none of the medical records--
Mr. Filner. But you are being very bureaucratic. Isn't there a
diagnostic code on here that indicates a specific injury, disability, or
medical condition, that is part of the record here?
Secretary Nicholson. For disability recipients, yes.
Mr. Filner. Well, why not state that clearly and bluntly? Every
specific code relates to a specific health condition, and the disability
codes are linked to specific individuals by their name and date of
birth, and they reveal each disabled veteran's medical problems and
conditions; correct?
Secretary Nicholson. Yes, I--I think it is--that would be
correct, yes.
Mr. Filner. So we have medical knowledge floating around here on 26
million people. You should resign, Mr. Secretary.
Secretary Nicholson. No, sir. It's--I mean that it happens to be
those that are getting disability, which is not a small number--
Mr. Filner. How many is that?
Secretary Nicholson. It's about 2.6 million.
Mr. Filner. Oh, I'm sorry. So only 3 million people suffer from that.
The Chairman. Thank you, Mr. Filner.
Mr. Filner. Okay, you should resign one eighth of the time.
The Chairman. Thank you, Mr. Filner.
Mr. Stearns, you are recognized for two minutes.
Mr. Stearns. Thank you, Mr. Chairman. I would say to Mr. Filner that
Mr. Nicholson has indicated he takes full responsibility. I mean, he
said that personally and I understand with his record how upset he is.
But Mr. Secretary, have you fired the employee who lost this
information, and why not?
Secretary Nicholson. He has been put on administrative leave pending
further action. There are other people, to go back to Mr. Filner's
comment, who are also in my sights as a result of this.
Mr. Stearns. Do you have internal controls? For example, why wasn't
this information encrypted? In commercial corporations, they encrypt
all this information as a standard operating procedure. How in the
world could a person take this outside and not be encrypted?
Secretary Nicholson. He was--one, he wasn't authorized to take it home
at all. That we have a standing regulation, standing policy, that
anyone who is authorized to take sensitive information outside of
their workstation has to have it encrypted.
Mr. Stearns. Okay, do you have in place an internal security operation,
with a security chief, with internal audits, and occasionally an outside
audit, to confirm that this information is secure, in the Veterans
Administration? Just yes or no.
Secretary Nicholson. Yes.
Mr. Stearns. What is this going to cost the Veterans Administration?
Your first diagnosis of this, what do you think this is going to cost
and you're going to need from this Committee?
Secretary Nicholson. That's a tough call, because it's going to depend
on what, you know, what level we decide you--
Mr. Stearns. You're talking about 20 million, 5 million, 2 billion?
Secretary Nicholson. No, we're talking--
Mr. Stearns. I mean, you must have a figure.
Secretary Nicholson. We're talking--I would say we're talking way
north of 100 million.
Mr. Stearns. So you might be talking about half 500 million?
Secretary Nicholson. It could be.
Mr. Stearns. Okay. Thank you, Mr. Chairman.
[The statement of Mr. Stearns appears on p. 76]
Secretary Nicholson. Yes, sir.
The Chairman. Thank you. Mr. Gutierrez?
Mr. Gutierrez. Yes, I yield to Corinne Brown.
Secretary Nicholson. Mr. Chairman, I'm sorry but I'm going to have to--
I'm committed to go to the Senate--
The Chairman. Well, I know. We are going to do Mr. Gutierrez, Miller,
and then you are gone. So you have four minutes.
Mr. Gutierrez. Thank you very much. I yield to Corinne Brown.
[The statement of Mr. Gutierrez appears on p. 74]
Ms. Brown of Florida. Thank you very much. Mr. Secretary, can you see
me in my nice pretty red suit? This Monday all of us will be facing our
veterans in the Memorial celebration. And I do not know what we are
supposed to say. They are going to paint us with the same brush. What
assurances will we be able to give about the 26 million veterans'
records, how have we notified them? How have we assured the veterans
that we are going to work with them throughout the process? And I also
want to know, you know, some of our veterans say this could have been an
inside job. Have we done lie detector tests with everybody involved?
Secretary Nicholson. Well, as I said, Congresswoman, I hate this I'm
sure more than you do. And I'll take responsibility for it. It
happened to my organization, and I think what we are doing is everything
we can in the time that we've had so far to try to get the word out to
the vets. We're gonna send them each a letter, but we can't send 26
million letters instantaneously. We've found out we can't right now
even get 26 million envelopes, but we're underway in getting them. And
they will each get a letter. You can help inform us with the 1-800
number, and the Website, the media. Because we want each of them to
know what to do, and to know that right now there is no reason to panic.
There's nothing, there's no sign that any of this is being used at this
time.
Ms. Brown of Florida. Mr. Secretary, I asked a question. What
assurances do we have? Because this identity theft is a very profitable
thing. How do you know it wasn't an inside job?
Secretary Nicholson. Because the local law enforcement authorities that
investigated the scene of the crime--that's the first question I
asked, by the way--are convinced that it--that it was a real
break-in.
[The statement of Corrine Brown of Florida appears on p. 78]
The Chairman. Ms. Brown, I thank you.
Ms. Brown of Florida. Well, are we going to be able to give these
questions in writing to the Secretary?
The Chairman. Yes. If anybody has questions in writing, please, you
can submit them and we will get them to the Secretary.
The last questioner, Mr. Miller, is recognized for two minutes and then
the Secretary has to leave. Thank you, Ms. Brown.
Mr. Miller. Thank you very much, Mr. Chairman. I did hear the
Secretary in his opening remarks refer to the fact that there were codes
that were in this information, so I do think he brought it to this
Committee's attention, contrary to my colleague's question.
Two things: number one, why would an employee take this information
home?
Secretary Nicholson. Congressman Miller, he took it home to work with
it. He was working on a project where he was trying to streamline a
telephonic polling that we do of veterans periodically, and it's done
randomly, that they're called and asked a series of questions, which is,
you know, benign. We're trying to find out what's going on in their
life, how we're doing with them, how they're doing, and so forth, and he
thought he had a way that he could make this more efficient in the
selection of the veterans that we were calling, and he took this data
home to work it.
Mr. Miller. And my second question and as of course, we are all
concerned about the financial implications to the veterans, but I also
want to know, you know, the financial institutions, banks, credit
unions, retailers, anybody that may get caught up in this; who is going
to be responsible for the cost that may be incurred for private entities
out there?
Secretary Nicholson. Well, you know, I suppose the ultimate answer to
that question is going to be up to you all that make the laws. I mean,
we're--it happened because of--it happened because of us.
Mr. Miller. Well, let me ask it this way: what would your
recommendation be?
Secretary Nicholson. Well, my recommendation would be that we'd be
responsible for it. We caused it.
Mr. Miller. Thank you. That is what I wanted to hear.
[The statement of Mr. Miller appears on p. 83]
The Chairman. All right. Mr. Secretary, thank you very much. You and
Mr. McClain are excused. Thank you.
I would now like the other witnesses to please come to the table to
replace the Secretary and the General Counsel. If staff could help
them. What we may have to do is bring your chairs to the front.
To all of my colleagues, while all this administrative shuffle is
occurring, the team that the Secretary is leaving behind is the team
that is responsible for cyber security and in charge of plans and
policy.
There is a hearing on the Senate side that starts at 10:00 a.m., and
that is the purpose of the Secretary's and General Counsel's exit. But
what I wanted to insure for all of my colleagues is that as the
secretary leaves, these are the individuals who are in the responsible
positions.
Ms. Berkley?
Ms. Berkley. Thank you, Mr. Chairman. With all due respect, and I am
sure these are the men and women that do the nuts and bolts on this
issue, but I was hoping to talk to the Secretary, and have an
opportunity to question him. Will he be available to us? It seems that
something this important, one hour in front of this Committee simply is
not enough. Oh, I'm sorry, 45 minutes.
The Chairman. 45 minutes. We will entertain that. We are going to
have follow-on hearings. If the Secretary is necessary we will bring
the Secretary back before the full Committee. We can do briefings to
members. I will seek your counsel.
Ms. Berkley. I would appreciate that. Thank you, Mr. Chairman, and I
am going to the IR Committee markup.
The Chairman. All right, thank you.
All right. Mr. Michaud, you are now recognized. The Committee will
come to order, please. People can take seats and please close the door.
If somebody can help out and make sure all the nameplates can be read by
the members, please.
I'm sorry, Mr. Michaud. I just wanted to say good morning to you.
Mr. Michaud. Good morning, Mr. Chairman.
The Chairman. Good morning. Prerogative of the chair, I would ask
unanimous consent to rescind the former unanimous consent to yield to
members for two minutes, and now go back to regular order.
[No response.]
Hearing no objection, so ordered. Mr. Strickland, you are now
recognized for five minutes.
Mr. Strickland. Thank you, Mr. Chairman. Mr. Chairman, I also am sorry
that the Secretary is not here. I wrote down verbatim what he said to
us, "I am the person ultimately responsible for our veterans, and
therefore, the responsibility for what has happened rests with me." I
am not sure what it means to take responsibility. I think it ought to
mean more than just uttering those words. I think it should imply some
decisive action. And quite frankly, if this was the first concern I had
about the Secretary, I may be a little more charitable in my response.
But quite frankly, I don't think the Secretary is up to this job, and I
do hope he takes this opportunity to reconsider whether or not he should
remain in that position. I quite frankly have serious questions about
whether or not he should.
I have a question regarding the fact that many states have enacted
privacy laws that in some cases certainly supersede the requirements
that may be currently in place under the VA's system. Thirty-five
states have introduced data security legislation. Twenty-two states
have actually enacted such security laws, one of those states being my
home state of Ohio. Can someone at the table inform me as to whether or
not the VA takes seriously the states that may exist at the state level,
and makes efforts to comply with those state security laws, if they are
more stringent than those currently embraced by the VA?
General Howard. Sir, Bob Howard. I have not seen any evidence that we
have addressed that for the states. One of the efforts that the Office
of Information and Technology has been undergoing, you know, throughout
this incident is trying to determine what guidelines and policies exist.
I have not seen that, unless any of my other colleagues have.
Mr. Strickland. Can someone give a definitive answer as to whether or
not there was a difference in requirements between State and Federal
law? Or there was a conflict there; would it be likely that the VA would
attempt to comply with those more stringent state laws, within the
state?
Mr. Duffy. Congressman, it's my understanding that Federal law
supersedes state law. I believe however that the department makes every
effort to meet state law where it's consistent with our own rules and
standards of practice.
Mr. Strickland. Okay, thank you. I am curious as to why an employee
would take this kind of material home. I mean perhaps he is just a very
dedicated employee that is willing to work above and beyond what may be
required of him at his official worksite. Why was he not doing this
work during regular work hours? Can someone speak to me about the
staffing needs that may be inadequate, that would result in an employee
taking such action, in terms of taking this kind of data to work on it
at home rather than doing it at the facility, or at the worksite?
Mr. Duffy. Congressman, I think in this particular instance we have an
individual who believed that with--on his own time, and without the
din of daily work; telephones and meetings and the like, he would be
able to apply his own time and talent to resolving what to him was a
basic problem of reducing substantially the size of a survey instrument
that we were attempting to create.
I would say to you that he fully understood that it was inconsistent
with departmental policy to take that information home with him, that he
had no right to remove the materials from his worksite. He did it with
all of the best intentions, at least that's my personal opinion. There
was no malice aforethought. I don't believe that there was any
sinister intent here. He did it because he wanted to be more productive
and to come back with a problem solved. And in all candor, I think we
attempt to promote individual initiative on the part of our employee
workforce. However in this instance, it was contrary to what the rules
and regulations require regarding safeguarding sensitive personal
identifier data.
Mr. Strickland. Thank you. Just sitting here listening to Secretary
estimate the potential cost, I think he said it could be over $100
million. And if, as the Chairman has suggested, we have the
responsibility to make whole any veterans who have been harmed, I can
see where that number could go much, much higher. Just sitting here
thinking, the latest I have heard the cost of the Capitol Visitor Center
was I think something over $500 million, and the work has been going on
for years and years, and we know what a massive undertaking that has
been. So just kind of putting this in perspective, if the lower cost
estimates of $100 million hold forth, we can see what an incredible cost
this is going to be to the taxpayer, to the Federal Government, and
ultimately to the VA administration, and that means ultimately to the
individual veteran, in terms of how they are served. So you know, I
don't think this is a little thing, and I don't imply that any of you
believe it is a little thing. I think this is just incredibly serious.
It is going to be very, very costly, even if the best case scenario it is
that there is no use of this data for, you know, for nefarious purposes.
It is still in to be incredibly, incredibly costly. And it is just such
an unfortunate incident.
Mr. Chairman, I thank you for the hearing. I do hope that we could have
the Secretary back at some point in the future, and I yield back my
time.
The Chairman. I thank you, Mr. Strickland. I thank you for your
leadership. Mr. Strickland and Mr. Bilirakis, Mr. Filner and I want to
work with both of you because at some point, where do we retain this at
Committee; where do we do a handoff to the O&I Subcommittee? We want to
work with you with regard to our jurisdictions.
I have asked Mr. Opfer to remain with us, as he is not going over to the
Senate. This is the VA IG.
And at this point, I am going to yield to Mr. Bilirakis, who has asked
for his three minutes.
Mr. Bilirakis. Thank you again, Mr. Chairman. Mr. Opfer, who do you
work for?
Mr. Opfer. Sir, I work for the President and--
The Chairman. Scoot up to a microphone.
Mr. Opfer. Sir, I am a presidential appointee, Senate-confirmed, which
means I can only be removed by the president.
Mr. Bilirakis. Okay. Very good, that is what I wanted to hear. Mr.
Opfer, you know, these things happen and they have been happening. The
same sort of thing has been happening over a period of years. I know we
have had secretary after secretary after secretary here. And you know,
when the media is here, particularly, we speak very brusquely and that
sort of thing in order to make the media and whatnot. But you know, in
my opinion, as I indicated during my two minutes, two minutes-plus, it
is culture. It is a culture at the VA. Maybe it is a bureaucratic
culture of all the agencies and departments. I don't know, but
certainly at the VA.
Let me ask you, sir, when were you made aware of the theft of the data?
Mr. Opfer. The Office of Inspector General and I particularly were
never notified by the Department of theft of the data.
Mr. Bilirakis. You never were?
Mr. Opfer. Never were.
Mr. Bilirakis. Never were. How about that? Yeah, how did you learn?
You read about it in the newspaper?
Mr. Opfer. What happened was on May 10th, the information security
officer of the Office of Inspector General was attending a normal
monthly meeting in the department. And at that meeting, one of the ISOs
mentioned that an employee of VA had lost data which was stolen from
their residence. That information security officer, who is not an
agent, not an investigator, came back, reported to his supervisor, and
the next day it was reported into our office of investigations. We had
no information other than an employee had lost data that was stolen in a
burglary in their residence.
Mr. Bilirakis. And what was your reaction--
The Chairman. Can you pull that microphone closer to you. We can
barely hear you.
Mr. Bilirakis. Yeah. What was your reaction to that?
Mr. Opfer. I was not notified then because the information was very
sketchy. Our Office of Investigations dispatched agents on Friday, May
12th, to try and locate the information security officer who had the
information, and also to locate and start the interview process of the
employee who had had their residence burglarized.
The information security officer that had the information was not
working. The agents attempted to locate him at his residence and left
messages there, as well as at work. It wasn't until Monday, May 15th,
that the Office of Investigations located the subject employee that had
the burglary, and we conducted the interview.
[The statement of Mr. Opfer appears on p. 101]
Mr. Bilirakis. Wow. Well, there you go. Yeah, I guess the Chairman is
suggesting I do this. Misters Duffy and McClendon, why did you not
notify the IG?
Mr. Duffy. I'll begin first. Let me begin by noting that the first I
was notified of it was on Friday morning, May 5th. And my notification
was in hallway conversation with the IT specialist who serves as both
our security and privacy--
Mr. Bilirakis. In a hallway conversation?
Mr. Duffy. Yes, sir. He indicated to me at that time that there had
been the burglary of one of our data analysts, that some sensitive data
and information may have been burglarized. At that time, I asked him to
do two things: first, attempt to identify and document for me all of the
data sets and personal identifier elements that may have been
compromised. The second thing I asked him to do was to confirm for me
what the formal process for notification is in the department
regarding a matter such as this; that is, where information or data has
been compromised.
He agreed to prepare for me a memorandum that would identify for me, to
the best of his knowledge, the information that might have been
compromised. With respect to notification, what he told me was that the
process was to notify the cyber security systems operations center, and
that they have an incident management process in place for responding to
these types of issues.
Later that afternoon, sometime around 3:30 in the afternoon, I received
the first initial memorandum from my IT specialist that identified in
rather generic terms the data and the information that appeared to have
been stolen. I talked at that time with Mr. McLendon, who is the deputy
assistant secretary for policy. He asked for an opportunity to have a
member of his staff, who has dramatically more familiarity with the data
sets, take a look at it, and review and validate that information, and
indeed he did that.
Monday morning, the eighth, we had a new, more detailed memorandum on
the nature of the information that was contained on the hard drive that
was stolen.
On Tuesday the ninth, early afternoon, I had a meeting with the
department's chief of staff, Tom Bowman, and informed him at that time
that there had apparently been a burglary, and that some significant
personal data may have been compromised, and indicated to him at that
time that I thought it important that senior leadership get together and
identify exactly what our responsibilities were regarding notification
to the beneficiaries whose information might have been compromised.
Mr. Bilirakis. Did you ever take into consideration when you should
notify the IG?
Mr. Duffy. Sir, with all due respect, my understanding was that all
that would have been processed through the incident management reporting
system in cyber security, in the SOC.
The Chairman. Oh, so you are blaming who?
Mr. Duffy. I'm not blaming anybody. What I'm telling you is what was
in my mind. And what was in my mind was two things: one is that we had
made formal notification through our IT systems specialist to cyber
security, that they have that responsibility. The other point that I
would make to you is that when I had information in hand, it was
provided up the chain to those above me regarding the fact that the
information may have been compromised, and our need to take some
affirmative action.
The Chairman. Mr. Bilirakis, may I?
Mr. Bilirakis. Well, my time has long been up. Yes, sir, by all means.
The Chairman. Mr. Cadenas, you are sitting right there. What do you
think about what Mr. Duffy just said?
Mr. Cadenas. Well, sir, because we get a number of reports on a regular
basis, the SOC, the Security Operations Center, did receive this
notification. But before it's escalated, it must be confirmed that a--
because the original message that came in says "possible compromise."
So part of the process is we contact the information security officer to
validate if in fact it has been compromised.
A number of days had lapsed. We started beginning our own
investigation, asking additional questions, and the information was not
forthcoming, as well. Still had no valid confirmation that the
information was lost or stolen or anything to that effect. We're still
dealing with the compromise, potential compromise, of information.
During the course of the process, we asked the information security
officer to also contact the privacy officer based on the information
that you identified that was on there. We later found out--I don't
know if it was my office or the individual himself, there was a privacy
office ticket violation opened up on that.
I found out about this incident on the 16th, as well, and my team, they
were trying to conduct their due diligence to validate that this in fact
had happened.
The Chairman. Do you work with the IG? Do you ever report these
incidents to the IG?
Mr. Cadenas. Well, yes, sir. We have understood rules of engagement.
Once it reaches a certain level, any incident reaches a certain level,
we back off because now it could be a potential criminal investigation,
and then we hand off.
The Chairman. But the IG has testified that he has never even received
this yet. So when does this rise to the level of concern?
Mr. Cadenas. Well, in looking at the entire incident, sir, because this
does not fall--and I don't mean to sound like the bureaucracy here--
but because it does not fall under cyber security, this was not a
cyber security attack or hack, we tried to follow up with the privacy
office, and we ran it up the chain. This is a privacy issue.
The Chairman. Okay. It is not your problem, I guess now it is not
yours. Now it is not the privacy guy. We don't have the privacy guy at
the table?
General Howard. It is a bureaucracy, Mr. Chairman, and it is culture--
The Chairman. All right, let me just pause a moment.
General Howard. Mr. Chairman--
The Chairman. Ms. Brown, you are now recognized. Hold on, I know you
want to say something. But Ms. Brown wants her three minutes. I need
to yield to her.
Ms. Brown, you are recognized for three minutes.
Ms. Brown of Florida. Well, I hate to break the chain. I am going to
let you answer your question, and then I will go to mine. Just finish
what you were saying.
General Howard. I just wanted to comment that--that there's the
constant refrain of "it's just a large bureaucracy." It is indeed a
large and complex structure, but it is not so large that we don't talk
to each other. And the truth is that a number of days passed where the
information was being reviewed and validated. The burglary took place
on the third. On the fourth, the employee did not report for work. He
was told by--as I understand it, the home had been ransacked, and he
had been told by police to secure his premises and the like. So he was
not in. He did not come in until the morning of the fifth, on that
Friday. That's the day when Mr. McLendon and a senior data analyst sat
down with the individual and talked specifically about the nature of the
data that may have been compromised. And it was only after a full day
of discussions with somebody who quite candidly appeared to be fairly
distraught about the whole incident.
Ms. Brown of Florida. Well, do you know this is a meltdown? And the
secretary said he didn't find out about it until the 16th? When did the
secretary find out?
General Howard. He indicated the 16th.
Ms. Brown of Florida. It is a complete failure. Since 2001, has your
office requested changes that would limit anyone's ability to remove VA
data to a personal computer or storage device?
Mr. Cadenas. Yes. Yes, ma'am, the office of--
Ms. Brown of Florida. Yes, what was the result of that action?
Mr. Cadenas. We do not have the authority to enforce any such request.
The Chairman. Ms. Brown?
Ms. Brown of Florida. Yes, sir?
The Chairman. If you pay really close attention to the response that he
just gave, what I just learned from last night, and I want to make sure
I get to all the members, I have a March 16th, 2004 document from Tony
Principi, when he was the Secretary. And he instructed that the chief
information officer be the individual that is responsible. We need
somebody in charge of all this. Then we have the General Counsel. He
writes an opinion. And in his opinion, he says that the CIO does not
have that authority. And matter of fact, Mr. Cadenas here with cyber
security can only do compliance. He does not have the authority to
demand anybody to do anything. He can only say whether somebody has
complied or not.
I yield back.
Ms. Brown of Florida. It is a complete meltdown. The system is not
working for the veterans.
To your best knowledge, does anyone other than VA employees take home or
store veterans' personal information; names, Social Security, date of
birth, financial, medical, anywhere in VA? Is there a statute,
regulation, or policy, that allows that action?
General Howard. Ma'am, we have procedures in place to permit telework,
virtual connections, you know, through laptops and what have you. The
only clear guideline that I have personally seen on the rules of the
game, regarding taking information away from a VA facility, is contained
in the guideline that the secretary mentioned during his testimony. And
there are two specific items in that guideline: one is to take
information such as what we are talking about away from a VA's facility,
the individual has to have permission. And the second key part of it,
it must be encrypted. Clearly, both of those elements were not
followed. But that guide--it's in a guideline. It's not a
directive.
Ms. Brown of Florida. Oh. God, we need help. This is unbelievable. I
am going to yield my time, but I can tell you that this system is a
failure. I mean, we are not talking to each other, we are not
communicating. You can't tell me how many other people have this
information, that could have this data at home. It is not illegal to do
it. It is a regulation, it is not--do you hear what he is saying?
[Laughter.]
Mr. Bilirakis. Would the gentle lady yield?
Ms. Brown of Florida. Yes.
Mr. Bilirakis. Yeah. The VA Inspector General in his November '05
report entitled "Major Management Challenges; Fiscal Year 2005," stated
that, quotes, "VA has not been able to effectively address its
significant information security vulnerabilities and reverse the impact
of its historically decentralized management approach," end quotes. And
there you are.
That is why I keep going back to this culture business, this environment
business, because that is where the problem stems from. Mistakes are
made. I mean, we are all human beings. But continually, continually,
and the frustrations of IT, and the lack of security. Thank you, Mr.
Chairman, thank you for--
Ms. Brown of Florida. I think it has to go back with whose
responsibility it is. I think the ultimate responsibility is with us.
As a co-equal branch of government, we have not done our job.
The Chairman. Well, we passed the CIO Bill, ma'am. When I look at this
for the members, I would ask unanimous consent that the documents which
I referred to in my discussions with Corrine Brown be submitted for the
record. And in particular, the memorandum from Secretary Principi dated
March 16th, 2004 be entered into the record.
[No response.]
Hearing no objection, so ordered.
[The attachment appears on p. 132]
The Chairman. I would ask that the General Counsel's memorandum dated
April 7th, 2004, be entered into the record.
[No response.]
Hearing no objection, so ordered.
[The attachment appears on p. 133]
The Chairman. The Secretary Principi, this is what he says:
"Cyber security is everyone's responsibility, and all employees are
accountable for protecting VA's computer and information systems.
Specifically I have tasked the Assistant Secretary for information and
technology, the CIO, Bob McFarland, with responsibility to devise and
implement a department-wide cyber security program under the Federal
Information Security Management Act."
We passed that act.
"I expect all employees to fully support and cooperate with the
implementation of the department's cyber security policies. It is my
intention to ensure that the Assistant Secretary McFarland has all the
power and authority necessary to carry out the heavy responsibilities
associated with cyber security in the department. This will include
certain administrative and supervisory authority over employees directly
involved in the implementation of cyber security policy. Appropriate
directives, policies, personnel regulations, are being drafted to
effectuate my intentions."
We have the acting CIO in front of us, former Major General Howard. Now
the problem is the General Counsel comes along and does an
interpretation and says the CIO does not have these authorities. And
that is what we now end up with, we have got a mess in that bureaucracy.
Ms. Brown of Florida. Mr. Chairman, could I--30 seconds?
The Chairman. Yes ma'am.
Ms. Brown of Florida. Mr. Chairman, we often pass bills, and then the
agency will come up with regulations that are just the opposite of what we
pass.
The Chairman. Well, that is why we have been working on this Committee
in a bipartisan fashion, ma'am, to bore through this, but we have a
bureaucracy that is recalcitrant. We have individuals sitting at this
table.
Yes, Mr. Duffy, I just saw your reaction. You and I have a complete
disagreement with regard to centralization versus decentralization. You
fought us all along. You go, "Oh, this is my business. Stay out of my
world."
Well, now that the problems we have got. We said, "Okay, we are going
to leave it to you, we are going to leave it to Mr. McLendon," and look
what we have got in a decentralization.
Mr. Duffy. Mr. Chairman, with all due respect, I have never taken a
position on centralization or decentralization of IT. It has nothing--
The Chairman. Thank you for your views, Mr. Duffy.
Mr. Duffy.--it affects me only on the margins. And trust me, I
have not entered that--
The Chairman. Well, that's one hell of a margin for a veteran.
Mr. Duffy. Well.
The Chairman. I yield to Mr. Miller.
Mr. Miller. Thank you, Mr. Chairman. I have already asked my
questions. I will yield back my time.
The Chairman. All right. I have been asked to meet with the Speaker.
Mr. Bilirakis. [Presiding]. Okay, where are we here? Mr. Boozman?
Mr. Boozman. Yes.
Mr. Bilirakis. Mr. Boozman is recognized for five minutes.
Mr. Boozman. Yeah, I would like to know a little bit about what
happened. So the place was broken into, and not just the computer was
stolen, but the whole place was ransacked? I think somebody alluded to
that earlier.
Mr. McLendon. I'll be glad to answer that, Mr. Boozman. The employee
had left to go home from work. His wife is also a government employee.
She arrived home to find the home having been broken into and ransacked.
She called her husband and reached him on the cell phone when he was I
guess in the parking lot fixing to get in his car to drive home. As
best I understand it, she arrived home somewhere around maybe 3:30, 4:00
o'clock in the afternoon. So they did the notification to the police.
When he finally kind of got a handle on what was going on, he called the
office. The secretary got ahold of me, and I called him just a few
minutes later, probably somewhere around 5:30, quarter of six that
afternoon.
He was very distraught, as you can imagine. He was also concerned
because his wife had found a break-in, and he was kind of after-the-fact
concerned that maybe somebody was still in the house. He described that
the house had been ransacked, that they had gone through drawers
upstairs, and drawers all over the house, and that things like change
that we would normally put in a glass jar or something was missing out
of drawers. He described kind of the state of the house, and how they
had broken into a back window. And then he said that, you know, that
they had taken--he was surprised at things that they had passed up
in the house, you know, like silver and those kind of things, but it
appeared that they had grabbed his personal laptop and external hard
drive when he had--when they had left.
And it was at that point that just straightforwardly, and I have to give
the individual credit for this, that he said he believed that there was
some veterans' data on his hard drive. And I have to say that to this
day, that that individual does not understand that there are many people
who would not have self-reported that information. But he did, and he
acknowledged on the phone that he knew that he was not supposed to have
done that, and he just had no explanation as to why. And clearly, he
was just very distraught at the incident.
So he was--the police were still there. He said he needed to work
with them. He had already notified VA security office about the
incident. He was not at work the next day because the police had asked
him to secure his home and be available for questions and whatever.
Early the morning on Thursday morning--and also I have to say, after
I talked to the gentleman that afternoon, I contacted the individual in
our office who is the most technically knowledgeable about the details
of the data and systems, to also call the individual to try to elicit
more information from him. And so then he reported back to me, so that
early Thursday morning, that individual, Dat Tran and I sat down with
the information security officer for the office of policy planning to
relate everything we knew up to that point, and to say, "Okay, now you
tell us what the process is and what additional information that is
gonna be required."
And he very matter-of-factly laid out what he said he knew the
procedures were, just like Dennis acknowledged, about what was gonna
happen, who he would be generally talking to, and he says if I need any
more information, or when I do, I will come back and tell you.
Mr. Boozman. So if he hadn't self-reported it, then we really would
have had no way of knowing that the data ever left the office, or
whatever.
Mr. McLendon. No, sir, we wouldn't have. And I think it's important to
remember that this is not a case in which information was put up on the
Internet for wide public access. It was, he had taken some disk from
work that he was using, to use on his external hard drive at home, to
continue to do work. He's a Ph.D. analyst--
Mr. Boozman. What are the police saying? I mean this happens all the
time, you know, sadly, in the sense that places are broken into. What
is the customary stuff, when you steal electronics--first of all,
who are they saying are the likely thieves? What kind of profile do
they have? What do they customarily do with this stuff when they get
it?
Mr. McLendon. Depends upon--I'll just say from my personal
experience, I have been through this, it could be anywhere from kids to
more professional individuals who are looking for easy prey and things
they can quickly turn a dollar on. I don't believe that the police
report or the FBI has completed their investigation yet, so we will just
have to wait and see what they say.
Mr. Boozman. Thank you.
Mr. Bilirakis. The gentleman's time has expired.
Mr. Boozman. Mr. Chairman, also, could I have a statement put in the
record, please?
Mr. Bilirakis. Oh, yes. That, you see, took place before you came in.
Mr. Boozman. Okay, thank you.
[The statement of Mr. Boozman is found on p. 89]
Mr. Bilirakis. Mr. Salazar to inquire.
Mr. Salazar. Thank you, Mr. Chairman. We do appreciate this.
As I hear more about what happened and the items that were taken during
this burglary, it seems like you were talking, Mr. McLendon, that silver
was passed up, and other things. It almost seems to actually send up a
red flag because it seems like the computer was targeted.
We introduced legislation a couple days ago. It is HR-5455, the
Veteran's Identity Protection Act, which will actually provide free
credit reports for veterans who might have been affected by this for a
period of one year. Could someone in this panel maybe address that?
And do you think this is something that should be done?
Mr. Henke. Sir, I am not familiar with the particular legislation you
cite, but obviously our first concern is to protect veterans. And as
the Secretary has indicated, he would be more than happy to work with
the Congress to find ways to do that and take those steps that are
necessary.
Mr. Salazar. Well, what this particular legislation will actually do,
is provide free credit reports for veterans for a period of a year to
make sure that in case some of their credit information has been
breached, that it would not necessarily have to come out of their
pockets. Of course, you know, the first credit report is free for any
time that you apply. But after that, you have to pay for it.
Of course this will cost taxpayers, and VA maybe, an incredible amount.
I think the price tag is 1.5 billion for the first year. Would you be
supportive of that?
Mr. McLendon. Let me just make a general comment. I think it's very
fair to say that the department certainly takes it seriously. There
have been a lot of discussions over the last week about exactly how
could we do something like that, what the mechanics would be, what the
logistics are associated with doing that, how that would occur. And the
department is actively looking at how to bring that about, those kind of
things, right now.
Mr. Salazar. Thank you. Mr. Chairman, there are a lot of people here
that want to ask questions, so I would like to submit my full statement
for the record.
Mr. Bilirakis. The chair appreciates that.
[The statement of Mr. Salazar is found on p. 93]
Mr. Bilirakis. Mr. Moran, to inquire.
Mr. Moran. Mr. Chairman, thank you very much. Perhaps what is most
troublesome to me about this scenario is the failure to communicate to
the Secretary in what I would consider a timely fashion. And I
understand Mr. Filner asked the question earlier about what level this
information reached, as far as the hierarchy of the Department of
Veterans Affairs. And you know, I am interested in knowing, you know,
why the Secretary was not notified immediately. I would at least like
to think in my own professional life that something dramatic happened
that I would be at the top of the list of people who would know. And I
don't know whether it is a concern with the attitude, I should have a
concern with the attitude of VA officials as, "This is something we
don't want to tell our superiors." Or it is a distance by the
Secretary; he is not there, interested, available.
I cannot imagine that is the case, but there is something--again,
Mr. Bilirakis's word, the "culture"--that is troublesome to me, that
we wouldn't immediately go to the top leadership, the leader of the
Department of Veterans' Affairs with this kind of information. So I am
interested in any thoughts that you all have as to what the problem
would be that this would not be seen at the VA as an incident that would
be immediately reported to the leader of the department. I am curious
just to know whether in the course of time you have observed other
departments, studied what their security measures are, how this is
prevented. I am interested in knowing if there are other departments
out there within the Federal Government that are role models that the
Department of Veterans Affairs should have been following. Or other
disasters waiting to happen at other cabinet-level positions, other
departments within our Federal Government, that we as members of
Congress should be aware of.
And finally, a more practical question: my constituents, my veterans are
calling, asking, "Do you think that information about me or my spouse is
in these records?" Example, a Vietnam veteran discharged in 1972 who is
now deceased, his spouse, his wife is calling to say, "Is there any
chance that there is information there about my husband or me?"
And so if there is information that you can provide as to how we can
answer the calls we are receiving as to who is included in this 26.5
million veterans whose records are released.
I thank the Chairman. Anyone, respond to any or all of those.
General Howard. Sir, you ask a number of questions. I would like to
recommend we answer all of them for the record. But let me address a
couple of them. You mentioned the other government agencies. One
government agency that is a role model is Social Security. You know,
they constantly get very high grades with protection of information. I
know that for a fact.
There are others besides VA that don't get high grades, I know that
also. It is a very real problem in other government agencies, I don't
recall the scores. When you say the Veterans' Affairs is fairly low,
you're exactly right. You know, our grades have not been high. But as
I say, there are role models. There are definitely things that we can
do to improve things.
Mr. Moran. What you are telling me is that what has occurred at the
Department of Veterans' Affairs may not be an anomaly, but something we
could see repeated elsewhere?
General Howard. Sir, with respect to the magnitude it may be an
anomaly. You know, what's significant--obviously, the loss of any
data is a serious problem, but it's the magnitude of this one that is so
troublesome. I suppose it could occur in other government agencies, but
you know, I really can't comment on that.
Mr. Moran. Any explanation of the nature of the VA that the Secretary
would not know this immediately?
Mr. Duffy. Congressman, I'll make an effort to answer it. And that is
that in all candor, I don't believe anybody had a true appreciation
originally of the magnitude, the size of the data set that was lost.
When I first heard that there was a BIRL's extract, while I knew from my
own experience that the BIRL's record is a large data set with millions
of records, my own thought was, "Well, he probably extracted some very
small subset of that record." And once notified, I think what we did
was we attempted to do due diligence. And that is, we first of all
attempted to get the facts. And once we had the facts in hand, we
provided them to the chief of staff, who in turn said, "Well, let's work
with the general counsel to assess what our obligations or
responsibilities are here."
And it was that process that took some time. Now, should the Secretary--
in hindsight, obviously the Secretary should have been notified
earlier. But again, I think originally there was no sense of the size
or magnitude of the data loss.
Mr. Moran. Can you assure us that there was no cover-up involved?
Mr. Duffy. I can certainly assure you of that from my personal vantage
point and from dealing with the individuals that I have dealt with.
There absolutely was no effort, no attempt at all. We made every effort
to do what we thought was the right and prudent thing.
Mr. Bilirakis. The gentleman's time has expired.
Mr. Moran. Thank you Mr. Chairman.
Mr. Bilirakis. Ms. Hooley to inquire.
Ms. Hooley. Thank you, Mr. Chair. This is really frustrating, and
there are so many troubling things about this incident. This is one of a
string of data breaches that have happened in all kinds of other
industries, and is why I think we need some kind of data security
legislation, which I have championed in the Financial Services
Committee. I have also introduced legislation that would require VA
administration to provide veterans six months of free credit reporting,
that there would be authorized funding, and that you would also have
negotiating powers so that you can get the best price for the monitoring
services. There have been a lot of estimates about what this would cost.
We have gotten estimates anywhere from 25 million to $1.2 billion, so it
is a wide range. And hopefully, we can narrow that piece down.
My question is, if this legislation passes, could you implement that in
a very timely manner to help our veterans? And are you prepared to
negotiate the best price for credit monitoring services? You can answer
that now or wait until I am finished.
And I guess the third question would be, could you start that process
right now? Do you have to wait for legislation to pass? Can you start
the process right now?
Fourth, right now you are giving I think some good advice, but it is
very reactive. You're saying, you know, "Please monitor this, call your
bank," you know, all of those things. But why aren't you more
proactive? For example, you could say to every veteran, "You could put
a fraud alert on your credit report." If they put a fraud alert, they
automatically get a free credit report. Right now, even without having
their information taken, or stolen, or breached, they can get a free
credit report every year. I mean, that is the law, currently. And if
they get one from each credit bureau, they can do one credit bureau, and
then another credit bureau, and another credit bureau, they can get a
free report every four months.
So it seems to me there are some very proactive things you can tell all
of the veterans that have had their security breached, you can give
them that proactive information today. And my question is, are you
doing that; and if not, why not? Then--
Mr. Bilirakis. Wouldn't you like to get some answers to those?
Ms. Hooley. Yeah, I am ready to get answers any time they are ready to
give them to me.
Mr. Bilirakis. Yeah.
Ms. Hooley. And then I have one last question.
Mr. Bilirakis. Good.
General Howard. Some of that information is on one of the Websites that
the veterans are referred to.
Ms. Hooley. Some of the information. I know what is on your Website,
and it is very reactive, saying "Monitor this," but it is not proactive,
and there are some very specific things they can do that will make a
difference on whether or not they have their identity stolen, which is a
huge problem if that happens.
General Howard. That's what I meant. Some of that--things that
they can take, what they are authorized, is available.
With respect to additional items like credit monitoring and things like
that that Veterans' Affairs could pay for, I'll defer to Bob Henke. We
get into budget issues and authorities to pay for that sort of thing.
Obviously, we're prepared to do anything that we need to do, but I'd let
Bob comment on the financial aspect of it.
Mr. Henke. Ma'am, I went to the Websites that we have set up for this
particular incident, and it does link you to the opportunity to get a
free credit report, and for every member to put a 90 day fraud alert on
their individual accounts, so that information is out there, through
both the VA Websites and firstgov.gov.
Ms. Hooley. Is that your recommendation? I mean, do you recommend that
happen, that they do that?
Mr. Henke. That members--
Ms. Hooley. I mean, it is on there. When they go onto the Website,
what are the things that you tell them that they can do, the first
things they can do?
General Howard. Monitor their information.
Ms. Hooley. Monitor their information. Which is good advice. But
there are some proactive things they can do immediately. You say, you
know, "Put a fraud alert on." What does that mean if they do that? How
long does that last? It lasts 90 days. They get a free credit report.
I mean, I think that is the kind of proactive information you should be
giving your veterans.
Mr. Miller. Congresswoman, I think it's fair to say that the Secretary
and this task force is indeed looking at a whole host of different
affirmative steps that the department can take, all the way to perhaps
providing credit monitoring. What we need to do is lay out what those
potential options are, what the costs are that are associated with them,
and what authorities we have. I think the secretary made clear that we
were going to do everything in our power to mitigate whatever adverse
impact this may have on the veterans whose data was compromised--
Mr. Bilirakis. The gentle lady's time has expired. But Mr. Duffy, with
all due respect, you know, meetings, consultations, "we are looking at
it, we are trying to decide what authority we have." In the meantime, a
lot of bad things can be happening. I think that's what the gentle lady
is saying, sure.
Ms. Hooley. I just want you to take some leadership. That's what I
want you to do. I want you to take some leadership.
Mr. Bilirakis. Yeah, well.
Ms. Hooley. Excuse me, Mr. Chair.
Mr. Salazar. Especially for people who don't have computers.
Mr. Bilirakis. Well, that is another point. There are many veterans
out there who don't have computers. So you can't just look at that one
particular way to do it. There are public service announcements that
all the television stations as broadcasters are required to make
available.
General Howard. And the department is taking steps now to send
individualized letters to every veteran that we can indeed identify, to
notify them personally. You are absolutely right about not everybody
having a home computer.
Mr. Bilirakis. Well again, as Ms. Hooley said, take some leadership
here. Let us not just sit back and, "we will let these bad things
happen"--then the cow has already left the barn, or whatever the
proper terminology is.
Let us see, Mr. Bradley to inquire.
Mr. Bradley. Thank you very much, Chairman Bilirakis. I would just
like to start out by thanking you, and Mr. Filner, and Chairman Buyer,
for your leadership in making sure we have this hearing in an
expeditious fashion.
Not to beat a dead horse, but my concern I think with some of the other
more recent questioners is the 27 million people that have potentially
had their data stolen, and it may well be used. Let me try to
encapsulate what I think you have said today in terms of procedures that
are in place, or about to be in place:
You are going to write a letter to all 26.5 million, but you don't have
envelopes, so we don't know when that is going to happen. There is a
Website. The question that Ms. Hooley asked is why is there no fraud
alert on it? There is a call center with an 800 number. Are there
enough operators, and is the information clear? There are expedited
procedures at credit bureaus. How helpful that is, that would be a
question I would have. Equifax has a toll-free number.
We don't know that there are any problems yet, which I guess is good
news. Secretary Nicholson I think made a pretty clear statement. The
VA is responsible. Let us admit the reality. That means we are
responsible, and we are going to have to deal with this, in terms of
responsibility.
So, in terms of questions, do you have authority right now under your
existing authorizations and budget, authority to pay for any credit
checks, counseling, or any other expenses such as that? And number two,
do you have statutory authority to make people whole if they do have
identity theft problems? Or if you don't have that authority, are you
prepared to work with us immediately so that we can take the legislative
steps necessary to give you that authority?
General Howard. We are clearly prepared to do anything we need to do,
sir. We do not believe we have the authority to do that right now.
Mr. Bradley. Either authorities I asked? You don't believe you have
the authority to compensate for counseling, for credit checks, or any
other expenses that are preventative in nature?
General Howard. I don't believe so. No.
Mr. Bradley. And if you don't have that authority, you probably don't
have the authority to make people whole in the event that problems do
manifest themselves.
General Howard. I don't believe so, sir. We would need some additional
authority.
Mr. Bilirakis. I understand that Mr. McLean left with the Secretary to
go over to the Senate. But his assistant is here? Can you answer that
question, sir? Mr. Thompson, Mr. Jack Thompson?
Mr. Thompson. Yes, sir, I am Jack Thompson.
Mr. Bilirakis. Yeah, why don't you pick up that mic, and maybe you can
respond to that.
Mr. Thompson. Yes, sir. We have determined that VA does in fact,
incident to its authority to administer these benefit programs, have the
inherent authority to provide, to fund credit checks for individuals.
What we lack is clear authority if any individual suffers economic
damage as a result of identity theft. Those sorts of losses perhaps
could be compensated through an action under the Federal Tort Claims
Act, based on Federal negligence. But quite frankly, there would be a
number of legal obstacles in the path of anybody who needed to go that
route.
Mr. Bilirakis. Well, now, sir, would your department, your office,
furnish this Committee your opinions regarding what additional authority
might be needed so that we can do whatever is necessary I guess through
legislation if you don't think they have the authority?
Mr. Thompson. Yes, sir--
Mr. Bilirakis. Let us not wait until it happens I guess is what I am
saying.
Mr. Thompson. Yes, Congressman. We would be glad to.
Mr. Bilirakis. Can you furnish that to us as soon as you possibly can?
Good, all right.
Mr. Bradley, I am sorry to take up your time.
Mr. Bradley. Not a problem. Glad to accommodate you, Mr. Chairman.
So having answered the first question about authority, that you do in
fact have the authority, it would seem incumbent upon all of you to make
sure that in the widest possible venues, whether it is the letter, the
call centers, the Website, public service announcements, on and on and
on, that you disseminate the information that in fact veterans will be
compensated for, if they have expenses to do with credit counseling
checks or any other expenses, on that first authority I asked you.
And I look forward to working on a bipartisan fashion with all the
members on this Committee on the second authority, which we need to do,
it would seem to me, as soon as possible.
Mr. Bilirakis. I thank you, Mr. Bradley. I thank you, Mr. Thompson.
Mr. Udall to inquire.
Mr. Udall. Thank you, Mr. Chairman, and let me say this in listening to
all of you and listening to the Secretary, it seems to be like a comedy
of errors, and I think you can probably understand why so many members
of this Committee have expressed on both sides of the aisle a great deal
of displeasure with what has gone on here. We do not have to tell you,
these are men and women who have served this country, and potentially we
have put them in a situation violating their privacy, and costing them a
significant amount of money.
And Mr. Chairman, I would like to echo what others have said. I think
we have many questions that were unanswered from the Secretary. He is
the one in charge of this department. We should bring him back here and
get those answers. I mean, the thing that he said that was shocking to
me, to hear this happened on May the third, and he did not learn until
the 16th of May, and he is the guy running the department.
Theoretically within the Veterans' arena, the buck stops at his desk,
and all of you that work for him, it did not get to his desk for 13
days.
And I guess my first question is why is that the case? Why did none of
you that are here, or anybody else, report to him for 13 days what had
gone on? We heard from you, Mr. McLendon, we heard that you interviewed
and had the information. You knew there was a breach on the 5th. It
would seem to me that that would be the date that someone would report
to the Secretary that we have had a very serious problem here. Can
anybody answer that?
Mr. Filner. Tom, can I just add half a sentence?
Mr. Udall. Yeah, sure. Please, yeah.
Mr. Filner. Mr. McLendon testified earlier that on the fifth you called
the secretary. I do not know who you meant.
Mr. Udall. Because the Secretary in his testimony here said he did not
learn until May the 16th is what--
Mr. McLendon. I was referring to our administrative secretary in our
office when I said "the secretary." She's the one that first got the
call. If I could just add from my point of view, is we have a process
in place that says, and we are trained to do this, that you notify your
security and information privacy officer, and there is a protocol that
they follow as to what they do. And that's what we did. And I think
General Howard would probably say the same--we were both trained by
the same building--that when you have a protocol and process in
place, you pass that information along, you do the due diligence that's
required, and you give them the information. And you wait for them to
tell you what it is that they need to move this process forward.
Mr. Udall. But Mr. McLendon, Mr. McLendon--after you did your
interview, you knew on the fifth that 26 million veterans' information
was out there and had been stolen. And you had a process clearly--
you had a process clearly to follow--
Mr. McLendon. No, sir--no sir, we did not know that on the fifth--
Mr. Udall. When did you know that, then?
Mr. McLendon. We began doing due diligence when [Stricken from the
record upon request of the Presiding Chairman] was able--came back
to work on Friday. And talking to him about what he thinks that he had
done. And that's when a memo was prepared on the eighth, that as Mr.
Duffy shared with you what happened with that, that--
Mr. Udall. But when did we know that 26 million veterans had
information that was in that disk, was in that hard drive that was
taken? When did we know that?
Mr. McLendon. I don't think we completely knew that until somewhere
around the 16th. And let me--
Mr. Udall. Why did it take so long to figure that out? I mean, you had
the employee in your office. He told you what he was taking home.
Mr. McLendon. Well, by this point the employee had already been placed
on administrative leave, and--
Mr. Udall. You did not do a thorough interview of him before? Before--
Mr. McLendon. Yes, we did a thorough interview. The IG did several
interviews with the individual. But you have to sit down and go through
a fairly painstaking process of looking at all of the records that are
in a file. And let me just make a comment about BIRLS--
Mr. Udall. Well, let me ask you one question here because I wanted to
ask the secretary this, but the VA has an internal system to rate the
sensitivity of veterans' data, from a one to a nine, with a level nine
reserved for VIPs like the President of the United States, or a member of
Congress, or a cabinet member. In 2001, the VA stated that only 43
people had VA-wide, were authorized access to those records. Was this
GS-14 individual specifically authorized access to all sensitivity
levels, including Cabinet member records, prior to the incident?
Mr. McLendon. Not as far as I know, sir.
Mr. Udall. So there was no authorization.
Mr. McLendon. Sensitivity levels are established in a very strict way
within VA in terms of access. I would not even have access to that
information.
Mr. Udall. Thank you, Mr. Chairman.
[The statement of Mr. Udall appears on p. 91]
Mr. Bilirakis. Talking about insensitivity: without objection, the name
that was uttered by Mr. McLendon will be struck from the record.
Mr. McLendon. Excuse me, Mr. Chairman. I didn't understand that.
Mr. Bilirakis. Well, there was a name mentioned of the employee. That
will be struck from the record.
Mr. McLendon. Oh, oh, oh, yeah. Okay. Yeah. Yeah, yeah, yeah, yeah.
Mr. Bilirakis. Without objection. Ms. Brown-Waite to inquire.
Ms. Brown-Waite. Thank you very much, Mr. Chairman.
Any member of Congress whose district office is helping constituents,
including veterans, if one of our employees took this information home
and the same thing happened, we would immediately fire that employee for
putting the constituents at risk. General Howard, you referred to the
"rules of the game." The problem is this is not a game. It was not a
game. You know, the guidelines, that the VA had put down were kind of
like suggestions. We often hear that people believe the Ten
Commandments are suggestions. So obviously, you all put this down as
suggestions.
The VA has had problems that the IG has reported: information security
material weaknesses, every year since the 1997 audit. This is 2006, and
this has happened? I am sorry, what are you all doing over there?
Back in our individual districts, the medical care that is being given
is excellent. But I will tell you, our constituents believe that
Washington DC is La-la land, and I have sat here from the beginning
listening to everybody, and I am starting to absolutely agree that this
is La-la land, because you all are in denial.
Is the employee on paid administrative leave, or unpaid administrative
leave for taking this material which he was not authorized to take? Mr.
Pittman, can you answer that?
Mr. Pittman. Paid.
Ms. Brown-Waite. Would you please stay by the microphone. He is on
paid leave? Is there a reason why if he was not authorized to take this
why he was not fired?
Mr. Pittman. Yes, ma'am. From the very beginning we were under the
instructions that we have to investigate this process to determine the
severity of the action to be taken, and that's what we've done.
Ms. Brown-Waite. Is the employee a civil service employee, or is he a
political appointee?
Mr. Pittman. Civil service.
Ms. Brown-Waite. If the Secretary does not know how many employees
telecommute, do you?
Mr. Pittman. Yes, ma'am, 1600.
Ms. Brown-Waite. You have 1600 telecommuters?
Mr. Pittman. Yes, ma'am.
Ms. Brown-Waite. From all over the country? Or just here in the DC
area?
Mr. Pittman. All over the country. We have 40,000 occupation--
employees that are eligible to telecommute, but only 1600 take
advantage of that category.
Ms. Brown-Waite. And do you know--it has been 22 days since the
burglary took place--does the department have a copy of the police
report, or are they relying entirely on the individual's report of this
incident? Now obviously, the police report would not be completed
because an investigation is ongoing. But do you all have a copy of the
initial report?
Mr. Pittman. I'm told that the answer is yes.
Ms. Brown-Waite. Could you confirm that?
Mr. Duffy. I can confirm that for you.
Ms. Brown-Waite. Okay, so you do have a copy of that.
Mr. Bilirakis. Can we get a copy?
Ms. Brown-Waite. Yes, we would like a copy.
The other thing is, did the department do a risk assessment on this
breach?
Mr. Pittman. I cannot answer that question.
Ms. Brown-Waite. So no one here knows if a risk assessment was done on
this breach?
Mr. Pittman. No ma'am, I don't.
General Howard. Don't believe it has.
Ms. Brown-Waite. Well, inasmuch as it happened on the third, the
Secretary did not find out until the 16th, but the deputy secretary
found out somewhere in between that time. Don't you think that it was
appropriate to do some sort of a risk assessment?
General Howard. There are actions going on as to what conditions do
exist, but that's an ongoing effort to find out how much data is out
there in an uncontrolled environment. We don't know the answer to that
right now.
Ms. Brown-Waite. The other question is, why isn't all of this
information encrypted?
General Howard. It should be. I believe I mentioned earlier, the
guideline--and you're correct, ma'am, I should not have referred to
it as "rules of the game," you're exactly right. In that guideline,
there were two key requirements. One is that the information should not
have been removed. And two, it should have been encrypted, so--and
it was not.
Ms. Brown-Waite. What steps is the Department taking to ensure that
information is quickly encrypted?
Mr. Bilirakis. Would you furnish that information to us in some detail,
please?
General Howard. You mean the guideline, sir?
Mr. Bilirakis. Well, what steps are being taken--
General Howard. Yes, sir.
Mr. Bilirakis.--responding to the question.
Ms. Brown-Waite. Mr. Chairman, I would also inquire as to why these are
just guidelines, and that they are not in your regulations?
Mr. Bilirakis. Well, even going further than that, the Inspector
General's report that I referred to earlier of November of 2005
indicated that there were some problems potentially, security problems.
And you know, that was a half a year ago, and this has taken place.
General Howard, I am not going to get into that with you now, but come
on, you are a general officer, and there is no way that when you were on
active duty, that you would allow this to happen, and would not have
taken care of the problem when you were notified by the Inspector
General. It is something, again, that goes back into the culture kind
of thing.
I am going to recognize Ms. Herseth, and I am going to excuse the
Inspector General. But Sir, I am very much concerned what can be done.
Because again, I have said this, what, for the third time, over 24 years
that I have been here, similar things have arisen, and it seems like an
awful lot of it has come from--you don't like the word
"bureaucracy." I don't know whether you like the word "culture." But
it is culture, and an environment there, and whatnot. And Mr. IG, I
would hope you can help us solve that. I know we have got civil
service, those particular problems.
Can you respond very quickly? Do you mind very much, Stephanie? Go
ahead, sir.
Mr. Opfer. Mr. Chairman, let me just say from the IG's perspective what
we are doing. Once this came to our attention that we had a serious
breach of security, I initiated a criminal investigation and an
administrative investigation, and tried to gather all the rules and
policies and procedures in the department.
There are three prongs to our approach. One is looking at the theft of
the data. Two which may answer some of the questions that were posed by
the Committee members--we are looking at the incident: what happened
when the employee reported it? Who did he report it in to? What did
they do with the information? All the way up to the top levels of the
department. That is part of our administrative investigation.
I have the Counsel to the Inspector General looking at all the policies
and procedures, and we intend to review all those policies and
procedures, we are looking not only at the policies and procedures for
the department--are they only geared towards someone in IT, when
there is hacking into the system, or attacking the system? But also,
what policies and procedures do we have regarding employees and their
access to data? And what is the authority? Who is supervising it?
Who is reviewing the need to have access to that material? We hope to
conclude that in our Inspector General review.
Mr. Bilirakis. When do you anticipate that being completed?
Mr. Opfer. We are going to try to--separating the ongoing criminal
investigation and working with the Federal Bureau of Investigation and
Montgomery County police, and the Department of Justice, keeping that
separate because as you know, ongoing criminal investigations limit my
ability to discuss and provide information.
Mr. Bilirakis. Sure.
Mr. Opfer. I have separate teams working on all of the other ones. My
goal is to try to have that out in 45 days.
Mr. Bilirakis. Forty-five days. Would you share all that information
with this Committee directly?
Mr. Opfer. Yes, sir. Right now, my thought would be that we would have
a number of recommendations, and a report would be addressed from myself
as the Inspector General to the Secretary, and it would be provided to
the Committee, and the members of the Committee.
Mr. Bilirakis. Would you be able to also share with us suggestions? I
mean, I don't know if you agree with me. I keep throwing this word
"culture" around. I don't know if you agree with me or not, but I think
it is there, I think it is a problem, and otherwise a lot of these
things would not be taking place. Could you share with us maybe your
suggestions on how that can be improved?
Mr. Opfer. Yes, I think there is a good opportunity now, with the
Congress enabling the agency, to centralize the IT function and give the
authority and the responsibility to one individual to coordinate that.
That was one of the recommendations for years from the Office of the
Inspector General.
Mr. Bilirakis. Okay.
Mr. Opfer. So we continue to be pleased with that--
Mr. Pittman. Will you share that with us within that 45-day period of
time, too? Any suggestions--
Mr. Opfer.--we expect that in the FISMA audits that we will continue
to have those material weaknesses until they are corrected within the
agency.
Mr. Bilirakis. Exactly. Exactly. Thank you, sir, and you are excused,
and we appreciate very, very much your hanging around.
Ms. Herseth to inquire.
Ms. Herseth. Well, thank you, Mr. Chairman. I appreciate the questions
you posed to Mr. Opfer, because I think that review will answer some of
the questions that had been posed previously and that I have as well.
But let me make a couple of initial observations, and then get to a
couple of the questions about the IT system now, and how it's working.
First, I think we do need some clarification from the Secretary, because
I specifically wrote down during his testimony that he indicated that
the VA Inspector General became aware of this on May 10th. He may have
misspoken and meant the information security officer, or perhaps he was
under the impression that this information had been communicated to the
IG, which it hasn't, but we need some clarification on the issue.
Also, it's my understanding based on your testimony and the questions
posed in your responses that the reason that the VA has not formally
notified the IG even as of this date is because it is not a cyber
security issue in your opinion, it is a privacy issue; and therefore, it
is being handled by an office, a division not currently represented
today.
Secondly, I shared Ms. Brown-Waite's concern that we have to address
this issue of something being a guideline versus a directive, as it
relates to any employee in the VA being permitted to take this
information outside the workplace, getting the permission, having
encryption, because I think someone made a note in particular that that
is a guideline, not a directive.
So let me ask two questions. The first is very straightforward. If one
of my constituents who is concerned that his or her information is among
the 26.5 million records within what was stolen and he or she calls the
800-number, will the person answering that number be able to tell him or
her whether or not his or her records were among the 26.5 million
records were stolen?
Mr. McLendon. To do that would be to provide these people access to the
BIRLS system and other databases, for which they may not be authorized
to be accessed. So the short answer to your question is no, they would
not have access to that.
Ms. Herseth. So they won't know until they receive the letter of
notification from the VA?
Mr. McLendon. That's why we are sending the letters. And let me also
add, people keep talking about 25 million records. 19 of those--
million of those records have Social Security numbers. 6 million do not
have any identifying Social Security numbers.
Ms. Herseth. Okay.
Mr. McLendon. And of the 19 million, we believe that a number of those
veterans are deceased, based on the birth dates of a number of them. So
there is an effort going underway to try to
understand of that 19 million--
Ms. Herseth. I appreciate that. I appreciate that. So what the
information that one of my constituents would get by calling the 800 number
is just the recommendation to monitor their credit?
Mr. McLendon. Yes, they are getting direction on what they need to do.
Ms. Herseth. Okay. And we do not have a time frame yet as to when
those letters would go out, or did you mention that earlier and I missed
it?
General Howard. No, I don't think--yeah, I don't--
Ms. Herseth. Because you still have to analyze all of this data? Okay.
Let me move to--
General Howard. To elaborate, though--
Ms. Herseth. I am going to let you elaborate. I just want to make sure
I get to this third question. And if there is time, the Chairman
permitting, please elaborate. I mean, there is so much information that
we do want here. We are just under these time constraints.
Five, six years ago, I was practicing law at a very large firm here in
Washington, a firm that has a global presence, number of offices across
the country. I could not save a document, any client identification
numbers on a disk. We didn't even have hard drives in our desk. But
what we did have if we were going to do any work outside of the office
was a secure ID that changed, as you know, every few seconds so that
when you are home, or on your laptop, that you have that ID number that
you type in that is only available--you know what I am talking
about.
General Howard. Yes, ma'am.
Ms. Herseth. Do you have that? Is that a process that you are
utilizing, that you are integrating over time? I just don't understand
why any employee would be able to save anything onto a desk or an
external hard drive, and maybe that is part of where we are heading with
a centralized IT system, but it just seems that five or six years ago,
and I note it is a difference between a private sector and a public
sector and different resources, but are we moving in that direction, to
have a system like that in place?
General Howard. We definitely need to improve on the procedures that
you just described. The specific drive that this information was stored
on, the folder is protected. In fact, I physically tried to get into it
myself, and I could not do it. Dennis, you can probably comment on--
Ms. Herseth. Okay, I appreciate knowing that there is a firewall or two
that the thieves would have to get through here. But do you have--
General Howard. Ma'am, not the information that was on his drive. I am
talking about where he originally took it. The drive that was stolen,
as far as we know the information was not encrypted.
Ms. Herseth. All right, okay. Okay, thank you for the clarification.
Of the 1600 telecommuters, are they accessing the system remotely in
the way that I just described? With a secure ID, into the centralized
system?
Mr. Pittman. No, ma'am. The only thing that they are doing is they are
accessing the computer by logging onto the system via a security access
password.
Ms. Herseth. Okay. I have more questions, but I will submit them for
the record. Thank you, Mr. Chairman.
[The statement of Ms. Herseth appears on p. 87]
Mr. Bilirakis. Thank you, gentle lady. Mr. Michaud.
Mr. Michaud. Thank you very much, Mr. Chairman. I also want to thank
you for having this hearing.
Most of the questions have been asked, but I just want to follow up on a
few of them. As we read and heard the IG state, that this condition has
been going on for a number of years as far as the security deficiencies
and in his testimony, he says that in 141 of the 181 VHA facilities, they
identified security deficiencies, as well as in 37 of the 55 VBA
facilities. You heard the Chairman talk earlier about former secretary
Principi giving the directive, then the legal counsel saying they did
not have the authority to do that.
Whether they have the authority or not, I guess this question would be
for Mr. Duffy, wasn't that a good idea, what the IG had talked about, on
these deficiencies? Regardless of whether they had the authority or
not? If it is a good idea, why not implement it?
Mr. Duffy. Absolutely, Congressman. And we thought we were indeed
implementing them. In this particular instance, it was an individual
who violated policies and procedures, who clearly understood that what
he was doing was inconsistent with established policies and procedures,
someone who had in recent months completed cyber security awareness
training and privacy act training. So there are indeed policies and
procedures in place. There is heightened awareness through standard
annual training for all employees who are involved in this kind of work.
In this instance, we had an individual who simply chose to use poor
judgment and violated those policies and procedures.
Mr. Michaud. As you heard the Secretary mention earlier this morning,
someone has to be responsible if something happens in this situation as
far as identity theft; has there been--and clearly this is a severe
case--has VA heard of identity theft in past from veterans? And if
so, how many of those cases that are out there on a yearly basis?
Mr. McLendon. Not personally aware of any, Congressman.
Mr. Michaud. Okay, thank you. My next question, we heard a lot from
different individuals here on, you know, what did you know, when did you
know it, and could you give the details? Actually, I haven't heard, Mr.
McLendon, when actually did you know it? What did you know, when did
you know it, and can you give some details of that timing?
Mr. McLendon. Well, I knew before 6:00 o'clock on Wednesday that there
had been a break-in at the individual's home, that he had reported that
he had lost his personal computer and an external drive. At that time,
the way he communicated, it also sounded like he had lost a little
external USB drive, that we would call a memory stick, and some CDs. He
was quite upset at the time, so that's one of the reasons why I called
the guy who's our technical expert on data and systems to see if he
could talk more in a technical terminology to try to pull out of him a
little bit more.
So we knew on Thursday that something indeed had happened. We did not
know the scope of it, or any of the details of it. And so when we began
meeting with him on Friday morning, and then our information security
manager met with him, we began to get I would say a broader outline, but
yet not the details out exactly what was on those disks.
It's fair to say that it wasn't until Monday that those of us who had
been talking together and talking with him could kind of look at each
other and say, "Okay, we believe we've got kind of the initial look at
what we think may be there." And that's when a memo was prepared that,
as Mr. Duffy explained, where it went and what had happened after that.
Then the information security officer had further discussions with him.
I don't believe that we all understood the details, in terms of 25
million records, some of these other things, until we understood that
his disk had not been stolen and his memory stick was not gone. There
was some confusion about that right after he started talking about it,
which is understandable.
And then we started painstakingly going through those files to
understand what files there were, what data variables there were,
related to each one of those files. That's what led to again preparing
a memo on the 16th, which went to the general counsel on the 17th, which
laid that out.
Sometimes it takes a finite period of time to do the due diligence to
find out exactly what is on those files and where could they have
possibly come from.
Mr. Michaud. Thank you. Thank you, Mr. Chairman.
[The statement of Mr. Michaud appears on p. 82]
The Chairman. [Presiding] Has everyone asked all the questions?
Mr. Filner. If I could just follow up for a couple minutes?
The Chairman. Sure, Mr. Filner.
Mr. Filner. Thank you, Mr. Chairman. Just to follow up on Mr.
Michaud's questions, in the time line you provided to us, you said there
was a memo on May 5th that says "possibly lost veterans' data." We don't
have a copy of that, but what did you think, then, that was lost?
Mr. McLendon. That may have been an original memo that the information
security officer prepared. I don't have that in front of me. I'll have
to go get that but I--
Mr. Filner. I was just wondering what you knew at that moment.
Mr. McLendon. Well, what we knew at the afternoon of the fifth was that
there had been a break-in at the individual's home, that he had self-
reported that his personal laptop and personal external drive had been
stolen, that he believed that he had loaded some veterans' data, if I
remember the words right, onto that. But he didn't know for sure, and
couldn't say in any detail what may or may not have been on there.
Mr. Filner. Mr. Duffy, is that your understanding of that, this memo
that you provided Mr. Bowman? I'm just reading from your time line.
Mr. Duffy. Yeah, let me back up a little bit. And I apologize because
there is just a little bit of confusion regarding memos. There was an
original memo prepared by the IT specialist, our security and privacy
officer, late in the afternoon of May 5th.
The Chairman. His name?
Mr. Duffy. I'm sorry, his name? Mr. Mark Whitney. Mr. Whitney
prepared, at my instruction, a memo that attempted to lay out what he
understood to be the data sets and elements. And indeed, I think he did
a pretty good job. Mr. McLendon and I, upon reviewing it, Mr. McLendon
asked for the opportunity to review and validate the information.
Again, while Mr. Whitney is our IT support person, he does not
necessarily have detailed understanding or information on the data sets
or data elements. So Mr. McLendon and Mr. Tran indeed did that, modified
slightly the May 5th memo. It was finalized over the weekend and
provided to me on May 8th. The unfortunate thing is that the date of
the memo was never changed. So we've got two May 5th memos; one more
expansive than the other, simply clarifying the nature of the extracts,
the type of programming language that they were contained in, and
further detail than the previous memo. So it was that memo that was--
an original memo on the fifth, modified on the eighth, provided to the
chief of staff on the--discussed with the chief of staff on the
ninth, and given to him on the tenth.
Mr. Filner. And the chief of staff is directly under the secretary?
Mr. Duffy. Yes, sir.
Mr. Filner. But everybody took the weekend off on the sixth and
seventh, it looks like. Normal weekend in your life, 25 million things
gone, what the hell?
Mr. McLendon. Congressman, I can assure you that there has been a deep
sense of urgency about--concern about this issue, and working on
this issue.
Mr. Filner. Except that Friday you did something and then you waited
till Monday to do it more, you know, Saturday and Sunday, nothing done,
according to what--I am just going by what you provided us.
Mr. McLendon. Well, that was just the date that was put on it was
Monday, that was the first working day back.
Mr. Filner. You can detect the frustration and the outrage in all of
our voices. And again, I mean I don't think you took it seriously
enough at the beginning, this chief of staff and the deputy secretary
knew a week before they decided to tell the Secretary. In addition, even
given all that, the so-called outreach to our veterans, you know, you
say, "Well, if you have a Website, look us up. Notify your bank, notify
your credit bureau. Don't tell us, we don't need to know if you guys
have a breach of security."
I mean, there is no outreach in the letter that is going to go out. As
somebody said, you don't even have 26 million envelopes. I mean this is
ridiculous. I mean, I think you all should be fired. To take this as
un-seriously as you have, to take the amount of time that you took, and
then still, even at this late date, you don't have a system where
anybody even knows that their name was there. There is no outreach for
people who--the normal person who may not know how to get your
Website. Nothing is being done on television, radio.
I mean, you are just waiting, you know, to get this information--
these guys are scared to death. And you sit there--you don't seem
to want to understand that. And you give these bureaucratic answers
that don't mean anything to the people we are trying to serve here. As
one of the Congresspeople said, if this happened in our staffs, I mean,
they would be fired right away. And I think the Secretary, as the last
act before he resigns, ought to fire the whole bunch of you.
The Chairman. I think what would be helpful to us is Mr. Duffy, if you
could submit to the Committee, I would like the draft--I don't know
if we ought to call it the draft--the original memo from Mr. Whitney--
Mr. McLendon. The May 5th?
The Chairman. The original memo, I want to see what that one says. I
want to then see whatever changes that were made.
Mr. McLendon. Right.
The Chairman. I want to compare the two documents.
Mr. McLendon. Reflected on the eighth. Happy to.
The Chairman. Yes. And then that ends up to the Secretary's Chief of
Staff on May 10th. At some point, the Chief of Staff notifies the
deputy secretary, but almost another six days go by before anybody even
alerts the Secretary. You know, what we have here is a chronology, but
the Secretary, because it has got a lot of other personal identifying
information in it, has asked us not to have this put in the record. But
I think what we are going to need to do here is, with my indulgence, is
let me take and ask these witnesses to put a time line on the record in
their testimony. Is that all right, my colleagues?
So Mr. Duffy, let's just begin with you. I know you did this a little
bit earlier, but let us go ahead and take your time line from the first
moment that your department had knowledge and Mr. McLendon, I want you
to add in. And then we are going to turn to the other witnesses with
regard to the time line as they know it.
Well, let me pause. I am going to seek counsel. You can do this a
thousand ways. We can either do it day by day and take the testimony of
them on what they knew, or we can do witnesses. Mr. Filner, what do you
want to do? All right, we will turn to Mr. Duffy. Hold on.
Mr. Bradley. Mr. Chairman, could I ask a quick question where I was not
able to follow up on my time frame?
The Chairman. Absolutely.
Mr. Bradley. If you recall--and thank you very much, Mr. Chairman--
if you recall my questions from before about the authority to
reimburse veterans for credit counseling and credit checks, you
indicated that you had that authority. That's correct, okay. The bulk
of the phone calls and e-mails that my office has gotten have expressed
a concern over the fact that it may cost fifty to sixty dollars to
actually do that kind of a credit check right now. So if you have
authority to do that, are you prepared to propose to us, today, that you
will actually establish some mechanism for veterans who have to have
expenses out of pocket to do a credit check, of a mechanism for them to
be reimbursed for these expenses?
General Howard. Sir, in discussions this morning before we came over
here, that is the intent of the Secretary, but he was concerned about to
ensure that we have the authority. There are financial impacts that
need to be addressed. It is actively being discussed.
Mr. Bradley. So it is being discussed, you have the authority. When
can we expect a decision on how you are going to implement that kind of
reimbursement?
General Howard. Sir, that I'm not sure.
Mr. Bradley. If I can ask the indulgence of the Chair. Mr. Chairman,
in terms of the immediate impact on the 26.5 million veterans, which I
think all of us, under your leadership and under Mr. Filner's leadership
on a bipartisan basis, want to make sure that we have done everything
that we possibly can to ensure the safety and sanctity of their records.
The most expeditious manner that these gentlemen can make that kind of
reimbursement possible, to me would seem to be one of the most important
first steps that we can do for the 26.5 million veterans that are
affected, to say nothing of all of these security measures that have to
go into place, but for those people that are worried, on an individual
basis, and I would urge that we attack that head-on with obviously their
assistance.
And I thank you for that.
The Chairman. All right. Here is what we will do. To preserve time, I
am going to ask you to prepare a chronology, time lines, I want each of
you to prepare that, excepting personnel, unless you have something to
add that we don't know about.
Mr. Pittman. No, sir.
The Chairman. Okay, thank you. So with the rest of the witnesses, I
need to know the chronology: what did you know, when did you know it,
and how it got passed along, okay? So provide that, then, to the
Committee. That is the best way, I think, to do this. Can you get that
to us in about 10 days?
General Howard. Yes, sir.
Mr. Baker. Yes, sir.
Mr. Duffy. Yes, sir.
The Chairman. All right, thank you.
With regard to the data analyst, who is his immediate supervisor?
Mr. McLendon. His immediate supervisor is Mr. Mike Moore.
The Chairman. Mike Moore. And then who is his boss?
Mr. McLendon. Me.
The Chairman. You. I apologize, I was gone. The project which they
are working on was what?
Mr. McLendon. [Stricken upon request of the Chairman]--The
individual is--
Mr. Bilirakis. Strike the name.
The Chairman. Pardon?
Mr. Bilirakis. Strike the name.
The Chairman. We are going to strike the name of the data analyst from
the record.
Mr. McLendon. The analyst is a programmer, statistician, he supports a
number of different projects in the office that are ongoing. He was
doing work looking at a national survey of veterans project. He was
also doing some matching to support other projects he was supporting in
terms of activities that other people in the office were doing during
that time.
The Chairman. Are you aware of any of your employees taking data home
with them to do, quote, "homework?"
Mr. McLendon. Not to my personal knowledge. But I would say this to be
quite candid: we in government today facilitate, encourage, and reward
people for working from home. We give them computers to do that, we
give them access to do that. Each agency allows them to--has their
own policies about how they do that and when they do that. But it is
not our policy to encourage people to take work home, or to take data
home.
The Chairman. How many employees does the VA have that work from home
and access your data bank?
General Howard. Two different numbers, Sir. Work from home is, what
was it, 1600?
Mr. Pittman. Those that are the telework employees are 1600. Then there
is another group of virtual employees, which he'll address.
The Chairman. And encryption is used?
Mr. Pittman. It is not.
General Howard. Sir, if they access--
The Chairman. I apologize. I was just told that has already been asked
and answered. In the negative, shockingly. Do you, Mr. McLendon, know
whether or not the data analyst's supervisor approved of the practice
for this individual to take this type of data out of the office?
Mr. McLendon. No one would have approved that.
The Chairman. Okay. But you encourage people to do homework?
Mr. McLendon. Don't encourage people to do homework. What I am saying
is that when people are allowed to telework from home you have to be
extremely careful about what people do, and what they use. And it is
not my policy or anyone I know of, has a policy that allows people to
take serialized, controlled information of people home, or veterans
home, to do work. That's a no-no in the analytical business. You just
don't do that.
The Chairman. Let me ask General Howard, if I go back to this directive
from the Secretary Principi, had the CIO been charged with this
responsibility over security as the Secretary wanted, you think this
would have happened?
General Howard. There is a memo that I saw signed by Bob McFarland. I
don't recall exactly what it said. One of the--and I do know that
one of the difficulties that they were trying to sort out is just what
exactly the authority was. There was a lot of discussion about the
word, "ensure," that's in Secretary Principi's directive--I think
that's the one that it's in, sir--and if I'm not mistaken, was a
keyword that the general counsel addressed.
The bottom line--again, I don't remember the exact details of the
memo from the General Counsel, but it is obvious to me that the CIO has
authority to set policy, to set the guidelines, but then it's up to the
individual who supervises, administration heads, and assistant
secretaries, to implement those policies.
The Chairman. But see, had this been enacted, then you had the
enforcement power. Now, you can't enforce cyber security. You can't do
anything, all you can do is do compliance; correct?
Mr. Cadenas. That is correct, sir, check for compliance.
The Chairman. And so under a decentralized model, for which Mr.
McLendon, Mr. Duffy--well, strike Mr. Duffy--for which Mr.
McLendon I know has argued, that enforcement, that is where it goes, it
is decentralized.
So let me just say this, gentlemen, one of the first things I learned in
the Army: when you take command, you want to know who the key control
custodian is, because you just signed personal responsibility for all
that property. Under a decentralized model, you have too many keys.
General Howard. Sir, I will say that the federated model that has been
adopted, as you know, will give us a better capability. It won't give
us the ultimate capability--
The Chairman. Yes, that's right. You are going to get a half-baked
loaf.
General Howard.--but it will help to some degree to get a better
handle on it.
The Chairman. So let me ask this. You are the acting CIO, and I am
going to turn to cyber security. I have done hearings with you before,
and those hearings dealt with the hackers from the outside, "Oh, we
spent all this money," but you also came, and with the IG and GAO, you
talked about all the unauthorized use of employees, you talked about
that.
So to go beyond just compliance--or if you are going to say, "Steve,
no, my job is only to do cyber security. That from the outside,
somebody else should do that," give us your best counsel, the two of
you, right now with regard to authorities and enforcement. You are a
general officer. Does dissemination work very well in the Army?
General Howard. Very well, sir.
The Chairman. Dissemination?
General Howard. We also--
The Chairman. Somebody has got to be in charge with distinct lines and
chains of command, right?
General Howard. Sir, there's no question about that.
The Chairman. All right.
General Howard. And one thing that we do have, as you know, sir, in the
Army, is very clear regulations. As I mentioned earlier, we've looked
for the clear policies and directives, and with respect to what the
individual actually did, the only place I can see that is in a
guideline. It's not a directive or a regulation that you would think it
should be. It is being turned into a regulation, or a directive. The
VA uses the term, "directive." That is being accomplished without any
more waiting.
But it's too late for that. I mean, the incident occurred, and it was
not clear that this was a violation of a directive, because it wasn't a
directive at the time. But what you described, it has to be
straightened out. Clear directives do need to be put into place. As I
said earlier, the federated model is helping a great--we've only
been into it for a short time, as you know, but it's already helping to
shed light on some activities that are going on that need to be
tightened up.
The Chairman. General, if you were to have adopted the federated model
you let the individual stovepipes do their own development, you don't
own development under the federated model.
General Howard. That's right, sir.
The Chairman. That is where the problem has been occurring. In
software development. Wasting millions and millions of dollars. That
is why we have come in and zeroed out programs. We are extremely upset.
It is why we on a bipartisan basis have asked for you, your position to
be empowered.
So you are correct. You can look at this and go, "Well, directives
weren't violated." This is bigger than a small, little employee--
General Howard. They weren't violated, because they didn't exist.
The Chairman. Well, this Committee is not going to permit an Abu Ghraib,
whereby you prosecute the little people, and others don't have problems.
We are going to work with you. We are going to work with you, on
policies, and practices, and procedures, and empowerment. And we are
going to also--we may use this to get a stronger hand around the
development side of the house.
General Howard. Sir, can I comment on the term, "enforcement?" I don't
think you will ever get away from the fact that individuals in charge of
organizations are clearly in--responsible for implementing the
policies, and enforcing the policies. We have a greater role in
determining if violations may have occurred, inspections, that sort of
thing. But I don't think we should ever remove the enforcement
responsibility from those actually in charge of administrations and
staff sections. We didn't operate that way in the Army, either. The
commander was in charge.
The Chairman. Mr. Cadenas, what do you have to add to this?
Mr. Cadenas. All I can say, sir, is in the three years, six months that
I've been here at the VA, it's been a little frustrating and challenging
for us, and the team. We're looking forward to good things with the
federated, as I said last time when I was up here, because now those
systems will go under the leadership of the CIO, and because he now
owns those systems and I work directly for him, I don't need any
authority to execute.
There--you know, we try the best we can. The reason why you see so
many guidelines is because where we can't get policies or directives
pushed through, then we go down to the next level, and then the next
level, to where we are successful in getting guidelines out there.
The Chairman. Under this federated model, will you receive the
necessary delegated authority from the Secretary to do your job so an
incident like this will never occur again?
Mr. Cadenas. Sir, to be honest I won't need his authority because I
directly report to the CIO's office. And under the federated model, the
CIO is in charge of all the operations and maintenance systems, to where
he can tell me, "I got a problem out there, go fix it now with your
team," or ensure or enforce compliance or execution.
The Chairman. But on the development side of the house?
Mr. Cadenas. No, sir. Not on the development.
The Chairman. Yes, that is my point.
Mr. Cadenas. But we're working--
The Chairman. That is what I want to make clear to all the members. On
the development side of the house--we can go with the federated
model, but this will continue.
All right, does anyone have any follow-up questions?
[No response.]
All right, we are going to continue our hearing at a later date. I
thank you for your testimony. This panel is now excused.
Mr. Filner. Mr. Buyer, I just want to thank you for your knowledge and
your commitment to follow through. We will follow your lead. I
appreciate it very much.
The Chairman. The second panel will please come forward.
The second panel is three representatives from the private sector to
shed light on the implications of the failure of the Department of
Veterans' Affairs to control information management. Going from left to
right, we have Mr. Stuart Pratt, President and Chief Executive Officer
of Consumer Data Industry Association. Next, we have Mr. Dennis Hoffman,
Vice President for Information Security for EMC Corporation. And
finally, we have--
Ms. Litan. Avivah Litan.
The Chairman. You say it's pronounced--
Ms. Litan. Avivah Litan.
The Chairman. Pull it close, really close.
Ms. Litan. Oh, sorry. Avivah Litan.
The Chairman. Avivah Litan?
Ms. Litan. Litan.
The Chairman. Thank you. Vice President and Business Director for
Gartner Incorporated. I would also like to mention that we have Joel
Winston, associate director of the FTC's privacy and identity protection
division, and Betsy Broder, assistant director of the same division, in
the audience today. Both are members of the Identity Theft Task Force,
and have been listening to the testimony. They will be available for
any questions that any members may have following the hearing.
We look forward to hearing from our panelists on how we can ensure the
safeguarding of sensitive information to re-earn the trust of veterans
and their families.
STATEMENTS OF STUART PRATT, PRESIDENT AND CHIEF EXECUTIVE OFFICER,
CONSUMER DATA INDUSTRY ASSOCIATION; DENNIS HOFFMAN, VICE PRESIDENT FOR
INFORMATION SECURITY, EMC CORPORATION; AND AVIVAH LITAN, VICE PRESIDENT
AND RESEARCH DIRECTOR, GARTNER, INCORPORATED
STATEMENT OF STUART PRATT
The Chairman. Mr. Pratt, you may begin.
Mr. Pratt. Mr. Chairman, thank you for this opportunity to appear
before you, and thank you also--
The Chairman. Thank you. To all the witnesses, if you have written
statements--do all of you have written statements?
Mr. Pratt. Yes, sir.
The Chairman. They all acknowledge in the affirmative. It will be
submitted for the record. And if you would, please summarize.
Mr. Pratt. Thank you, Mr. Chairman.
This past weekend, CDIA was contacted by the Federal Trade Commission
regarding this breach. We are thankful for the FTC's outreach to us
which allowed CDIA to liaison with our national credit reporting company
members, who had to plan for likely heavy call volumes on their toll-
free numbers, and hit rates on their Websites.
Based on this contact, our members' technology teams were ordered in
preparation for the announcement on Monday, May 23rd. And as part of
this very late stage coordination, our members also voluntarily either
adjusted current toll-free number menus to include special referents for
affected veterans, or implemented entirely new toll-free numbers which
can be used by veterans to request the placement of a fraud alert on
their credit reports.
Once a fraud alert is placed, a veteran is then by law entitled to a
copy of his or her credit report, free of charge. Our members report
that subsequent to the announcement by the Veterans' Administration and
ensuing media coverage, the call volumes have been running at
approximately 170 percent over normal volumes.
If we had a criticism of this process, it is simply the fact that our
members were not consulted sooner by the Veterans' Administration. We
appreciate however the fact that the FTC did contact us, and they were
embargoed in terms of when they could get in touch with us to begin
coordination.
Even over the weekend, the FTC was not permitted to release the name of
the agency: and thus our members could not execute plans to customize
toll-free number service until after 11:00 a.m. on Monday, May 23rd. We
believe government agencies should be obligated to coordinate with their
members well in advance where they intend to publish advice, which
includes our members' contact information. This is simply the right step
to take so that our members can verify the accuracy of the information
and ensure that our systems are prepared for the increase in contact
volume. Ultimately, this obligation helps us all serve those who are
affected.
Your staff has expressed interest in hearing what steps we would
recommend that a veteran take in response to the announcement, and our
views on the key steps are really no different than those which the FTC
has already compiled. We believe consistency in a message is very
important at this stage, and that all veterans are empowered to take the
steps that are appropriate to the level of risk they perceive. And
these include of course placing a fraud alert.
We would only add emphasis to the FTC's point that veterans need only
call one national credit reporting company to place a fraud alert, since
our members exchange fraud alert requests. Further, upon placement of
fraud alerts, veterans are entitled to a free copy of a credit report
and will receive instructions on how to order this. Some veterans may
be confused about whether or not they need to go to annualcreditreport.com to
obtain this free report, and the answer is they do not. They will
receive specific instructions once their fraud alert has been placed
that will allow them to access that credit report as well.
As demonstrated by this breach--
Mr. Filner. May I just ask you a question? Sorry to interrupt you.
Mr. Pratt. Yes.
Mr. Filner. Could the VA do that for every veteran right now? Would
you recommend that? Why are we relying on the people who are suffering?
Why don't we take a proactive step?
Mr. Pratt. It is a balance sheet question, Congressman, so let me give
you both sides--
Mr. Filner. It could be done though, right?
Mr. Pratt. The law does permit a third party to make that request on
behalf of the individual. Yes, sir.
Mr. Filner. And what are the minuses?
Mr. Pratt. I am sorry, sir?
Mr. Filner. You said there are pros and cons.
Mr. Pratt. The only con is that a fraud alert stops transactions, slows
transactions down, and you may find there are veterans in the middle of
refinancing a home, obtaining credit, and they may not appreciate the
fact that it was inserted right in the middle of that process. It is a
balance sheet question that we all have to wrestle with, Congressman. I
think that is as good as I can do.
The Chairman. You may proceed.
Mr. Pratt. Thank you, sir.
As demonstrated by this breach, data security and the need to notify
consumers, including the nation's veterans, where significant risk of
harm exists, are essential. The following statement delivered before
other Committees is still our position today:
The discussion of safeguarding sensitive personal information and
notifying consumers when there is a substantial risk of identity theft,
has expanded beyond the borders of financial institutions. It is our
view that a rational and effective national standard should be enacted,
both for information security and consumer notification, as it applies
to sensitive personal information, regardless of whether the person is a
financial institution.
As this Committee knows, there are a number of House and Senate
Committees that are focused on developing uniform national standards.
We believe enactment of national standards will ensure that sensitive
personal information is protected by all who possess it, including
Federal and state government agencies. New nationwide safeguards
regulations, offered by the Federal Trade Commission will compel all to
deploy physical and technical safeguards strategies for this type of
information. As we head into the Memorial Day weekend, we must redouble
our efforts to pass strong and effective national law that will require
all to secure sensitive personal information properly, and to notify
consumers when there is a significant risk of identity theft. We should
do no less for our veterans, who have served us all. Thank you.
[The statement of Mr. Pratt appears on p. 107]
The Chairman. Next is Mr. Hoffman.
STATEMENT OF DENNIS HOFFMAN
Mr. Hoffman. Mr. Chairman, members of the Committee, thank you for the
opportunity to testify before the Committee on Veterans' Affairs. My
name is Dennis Hoffman. I am the Vice President of Information Security
for EMC Corporation. For those of you who aren't familiar with the EMC
Corporation, we are the world's largest provider of storage and
information management solutions. Our Fortune 1000 customers include
the top 30 commercial banks, the top 40 insurance companies, 19 of the
top 20 pharmaceutical companies, all of the top aerospace and defense
organizations, and 14 of the top 15 health care medical facilities, and
many others.
I have personally spent a great deal of time with our customers over the
past year discussing issues like the one this Committee is
investigating, and today I can report to you all that the Veterans'
Administration is not alone in wrestling with what is clearly becoming a
very pervasive issue, which the industry calls "data leakage."
While the identity theft problem continues to make headlines, due
largely to regulation causing it to be made public, it may well be the
tip of the iceberg. Relative to all confidential information that
organizations and corporations have, personally identifiable information
is actually a minority problem. It is however the one that is making
front-page news, and is the one that of course you are investigating.
My point is that there is a lot more confidential information in the
world, and it is all subject to the kinds of problems that you talked
about here.
So I think it is fair to ask why do these problems exist? They exist
largely, from a technical perspective--as you have heard today, this
is certainly not simply a technical problem. But on the technology
side, they exist due to something called perimeter-centric thinking.
In the sense that from the days of medieval Europe, the notion of
security has been largely to dig moats, build walls, erect castles,
erect towers inside the castles, and believe that what is inside the
tower ought to be safe. That is largely the way that we have gone about
doing information security, from a technical perspective. The irony is
that the vast majority of products which make up the information
security marketplace today don't protect information. They protect
assets that are supposed to protect information.
I can almost guarantee you that the laptop we have been discussing all
morning had antivirus software on it. That is the single largest-
selling security product in the marketplace today. And of course, it
has nothing whatsoever to do with protecting the data on the laptop.
Moreover, what this has led to is it has led us to conclude, or ignore
the simple fact that information lives, has a life cycle. And during
that lifecycle, it moves. And when it moves, it tends to walk right out
of the castle. And therein lies the big issue.
It is not simply a laptop. It could be a USB device. There have been
many publicized cases of backup tapes falling off of UPS trucks. When
data leaves security perimeters, it becomes exposed if we haven't done
something to secure the information itself. And so what we are seeing
in talking to a lot of our customers is a very significant shift in
thinking to something we would call information-centric security,
ironically enough, where we actually begin with the notion of securing
the information, and then applying security to all of the assets through
which the information has to pass.
That means four basic things: we have to understand our data and our
people as organizations, because at the end of the day, we don't have
information until data reaches a person. So we must be able to model
both of those and control those. We need to secure the information
infrastructure that manages and stores the information. We need to
protect the data comprehensively. To date, we have been very focused on
the availability of information, and not nearly as focused on its
confidentiality and integrity. And it takes all three to truly secure
information. Lastly, we need to assure policy compliance.
There are no silver bullets. This is a systemic problem, and it
requires a systemic solution, which you have been investigating all
morning, particularly around policy and process and people. And in
particular, I would like to warn that a knee-jerk reaction to encryption
as the silver bullet will likely miss the point, to the extent that
encryption is only one technology, and it is only as good as the
business problem it solves. If the encryption keys are not managed
appropriately there are even more problems because the data has
effectively been deleted when it was encrypted. If the keys cannot be
shared, collaboration is slowed down.
Encrypting data makes it opaque. It makes it impossible to actually
know what is inside it. So a recent regulation in the UK--or was it
a regulation that existed previously, was recently enacted, to make
certain that all enterprises in the United Kingdom turn over their
encryption keys to the government so the government can at least look at
what the data is.
There are many problems, and there is no single silver bullet solution.
There are however some very significant critical enablers, and you can
put these all under the very general heading of "you can't secure what
you can't manage." You cannot secure information that cannot be
managed. These fall under the heading of things like infrastructure
consolidation. When data is spread everywhere it becomes extremely
difficult to stop leaks. Content management is a technology that has
existed for years to actually manage loose content in files. On top of
that, digital rights management technology allows you to do things like
encrypt specific files, prohibit whether they can be re-e-mailed, sent,
printed, or copied to a USB device.
Data classification is enormous in the sense that data classification
helps us to understand whether the data in question on a storage device
is actually the Veterans' Administration logo, or some confidential
document, or Social Security number. At a certain level within the IT
organization, those two pieces of data are absolutely indeterminate; you
don't know.
And then finally, identity management. Securing data, ironically,
begins with securing and understanding the people, which again you have
been exploring all morning. I have found in speaking with most of our
customers that are at the forefront of this issue that there is a
relatively simple formula they are all trying to drive toward. First,
maximize access control. These are issues like authentication, the
secure ID comment that was made. How do you know that the person doing
the work is actually the person? Strong authentication and
authorization are key.
Segmented infrastructure. If you actually understand the difference
between your public Website logo and a confidential document, you might
not want to put them on the same network, the same storage devices, or
the same workstations. And lastly, classified data, simply being able
to tell the difference between the two.
So maximize access control is the first step in the formula that a lot
of our leading customers are applying. Secondly, minimize data
movement. Where possible, they are trying to eradicate the use of
backup tapes, the theory being if I don't put the tape on the truck and
it doesn't leave my data center, then I am less likely to be compromised
by it.
Issues like the guidelines we have been discussing this morning are
meant to do just that: keep data from leaving the security perimeter.
But as was pointed out by the Veterans' Administration, it is very
difficult to legislate against an individual deciding to go against the
policy.
Thirdly, selectively encrypt whatever remains. So if we maximize the
access control and minimize the movement of data, what remains should be
encrypted.
And then lastly, log and monitor everything, so that we can piece
together what has happened, both in real-time and after the fact.
Thank you.
[The statement of Mr. Hoffman appears on p. 110]
The Chairman. Thank you very much. Ms. Litan?
STATEMENT OF AVIVAH LITAN
Ms. Litan. Yes, I am Avivah Litan, can you hear me now? Can you hear
me now? I am Avivah Litan, I am a vice president at Gartner, and I
follow identity theft and security. And thank you for inviting Gartner
here to testify about the issue. Certainly I don't envy you at all. It
is a big, huge task to get this out of control.
But ladies and gentlemen, you have to assume that the cat is out of the
bag. At least 10 percent of US adult Social Security numbers, and all
of these veteran records, could be in criminal hands. In fact, I just
heard this morning that sale of Social Security numbers are way up on
criminal sites, and I would have to verify that with another source, but
we have to assume that that has happened.
Secondly, I think that it is impractical to ask veterans to take control
of a problem that they cannot see. So there has been a lot of talk
about free credit report monitoring. Sure, that is better than nothing,
but there are so many crimes that can be committed by stealing data that
you won't ever see with credit report monitoring. So it is not
practical to ask any individual, especially a veteran, to have to take
charge of this problem when they didn't create it, and they have no
control over it, and they have no visibility into how their data is
being misused.
So what can we do? Well, there are two practical steps that I think we
can take if there is a will to execute. And of course these may sound,
you know, beyond execution. But number one, stop relying on Social
Security numbers as the ultimate provider of identity proof. When you
have all these data elements compromised, you just can't rely on them
anymore. That is the facts. So we shouldn't be worried if all this
data gets in criminal hands; we need to just assume it is, and stop
relying on it.
Instead, there are things called identity scoring systems that use his
Social Security number, along with many other variables to determine an
individual's identity. These systems are already used by some of the
best lenders and credit card issuers in the country, because they don't
want to make a loan or issue a credit card to an identity thief, because
they will lose money.
Those same systems should be used throughout, by other sectors including
the government sector, the Veterans' Administration, the Motor Vehicle
Administration, before dispersing benefits or issuing credentials, in
order to protect the innocent from identity theft. You can just
imagine, someone is going to get hold of this veteran data, change the
address of a check, and then some criminal is going to get the benefit
and then the veteran is going to have to go spend months trying to undo
this. A credit report monitor would not tell the veteran anything about
this.
By stealing a Social Security number, you can get into these free credit
reports and sign up for them, and the crook has better access to the
credit report than the veteran does, because they can answer the
questions that are asked when you register.
So be realistic about this. Just assume Social Security numbers are not
reliable anymore.
Number two, we do need to protect the sensitive data we have left and
continue to generate, whether it is health records, financial
information, telephone records, or anything else. To do so, there are
several cost-effective technologies that enterprises and government
agencies can deploy to protect data; including data encryption and host
intrusion prevention. Of course I am not going to bore you with all the
details of these technologies, but you should know that they have become
much more cost-effective and easier to implement over the last two
years. So these excuses among different companies about undue complexity
and high implementation costs are really no longer valid, and they
shouldn't be tolerated.
But as you have discussed today, you already know that many data
compromises cannot be stopped with technical controls. In fact, they
weren't caused by lack of technical controls. If you look at what
happened in ChoicePoint, their failure was the result of not extending
information security into the registration and verification process of
their clients.
Other compromises such as incidents at Bank of America and Wachovia
were caused by authorized insiders illegally taking fraudulent action.
And of course the compromise of veterans' data at the VA was in part an
example of a poor business practice that allowed an employee to bring
home 26 million records. And you know, as you have said, it is not this
employee's fault completely. It is the process that allowed him to take
home all those records.
And in fact, fixing the business process is much harder than
implementing technology. But still, security technology is important.
We looked at three scenarios that are documented in our testimony that
has been submitted to the Committee. We talked about data encryption,
host intrusion prevention systems, and more vigorous and continuous
security audits. So just those three, if you implement those three
systems and processes, you can spend about six dollars just on data
encryption per customer account, up to $16 per account, just on 100,000
records.
So if you are looking at 26 million records at the VA, they could do
this kind of technology I'm guessing for far less than a dollar per
veteran. And you compare that to the cost of a breach, and we have
totaled that up to be about at least $90 per customer account, and that
doesn't even include government fines and big lawsuits. So you compare
a dollar or fifty cents to $90, it is a no-brainer that our data should
be protected, regardless of compliance or regulations.
So hopefully, everyone will be embarrassed enough to take action, but
nobody so far--it seems to be very slow.
[The statement of Ms. Litan appears on p. 116]
The Chairman. Thank you very much for your testimony. I am going to
limit each of us to two minutes. Then we can complete this, and then we
can go on. Mr. Filner, you are recognized. You pass? Mr. Michaud?
Mr. Michaud. No, I just wanted to thank the panelists. It was very
informative, and we really appreciate your time coming here. And thank
you again, Mr. Chairman.
The Chairman. Thank you. Mr. Udall?
Mr. Udall. Did most of you hear the earlier testimony?
Ms. Litan. Yeah.
Mr. Udall. And you heard the number thrown around, 100 million, 500
million, in terms of losses and things? Do you have any comment on
that? I mean, do you, in terms of what you heard here, what kind of
damage might be done?
Ms. Litan. In terms of the damages caused, the total aggregate, I
really think that nobody has a clue. But you can't assume that the
average cost of an identity theft, if it is a new account, it is about
1500. The FTC probably has better data on that than us. But if it is
$1500 times 26 million, that would be probably the average worst-case.
Mr. Pratt. I don't have anything--
The Chairman. Excuse me?
Mr. Pratt. I don't have anything to add. I think that using the FTC
numbers as a baseline is a good approach if you are just trying to
estimate general risk.
Mr. Udall. Yeah. And Mr. Hoffman, you have anything on this?
Mr. Hoffman. Yeah, nothing major to add except that it could be zero.
We don't know--obviously, there is an enormous potential liability.
Significant trust damage has been done, but it is very possible that
somebody just tried to rip off a laptop, and didn't know anything about
it, you know, and immediately just erased and sold it, or ripped the
hard drive out of it and resold it. You don't know. But the number can
be enormous.
Mr. Udall. Do any of you have any critique on the way the Veterans'
Administration was operating, in terms of the testimony you have heard
here?
Mr. Hoffman. I would say that there is--they represented to you
what in my experience is an absolute poster child for what is going on
in corporations and organizations, public and private. This is a system
problem that requires people, and process, and technology, and they had
issues at multiple phases of that. You know, the analogy is you can
build a very safe car, and you can't somehow necessitate a very safe
driver in that car. And ultimately, security becomes a set of
trade-offs around this. So I would just tell you that they are not alone, and
unfortunately, they are not unique.
What does seem to differentiate them from many of the companies I have
dealt with is the massive dispersion of the IT infrastructure, and the
control of that infrastructure. Again, it is extremely hard to secure
something you can't manage. And when it is that distributed, it becomes
really hard to control.
Mr. Pratt. I would only add that if I recall, one of the witnesses
talked about an individual who had dual responsibilities: IT and then
security. That may not be the accurate description, but good data
management starts with a chief privacy officer, a chief information
security officer, a set of highly trained individuals who have very
specific skills in both the knowledge of the--the technical
knowledge of data security. Encryption isn't the only solution, for
example. It is a much wider array of strategy. But if you don't have
the infrastructure that answers right up through--in the corporate
world, it would be right up through the Committees of the board that
would have oversight for that--you really don't have the proper
infrastructure to even begin to make the decisions to address the
dispersion, to oversee the proper management of the data.
Mr. Hoffman. That is exactly right. We have been working very much
with a large mutual fund company in Boston who had a very similar event
two or three weeks ago: losing a laptop with information on it. There
is no ambiguity about who is responsible for that. The response is
lightning fast, because there is a chief information security officer
reporting either to a chief information officer, or a chief risk
officer. And they are empowered and accountable, and it goes right up
to the board to answer the problem.
Mr. Pratt. And in the private sector, it is risk-based, all of these
decisions are risk-based decisions the corporations are working into
their infrastructure.
The Chairman. In this case, the risk base is the American taxpayer.
Ms. Litan. I would also like to point out that private sector is
governed in many cases by the Payment Card Industry standard, that has a
definite chain of command, and penalties if there is no compliance.
Here, I don't see any distinct rules that they are subject to and any
reason that they have to get fined. So there is no stick.
I get a lot of calls from companies that are complying with PCI, and
they are damn worried about fines from Visa and MasterCard, and that is
what motivates them. I don't see the same kind of motivation at the VA.
The Chairman. Well, nobody has any enforcement. Gartner consulting, are
you still on contract with the VA, do you know?
Ms. Litan. Yes, we are.
The Chairman. Okay. Since this incident has occurred, has anybody from
the VA contacted you, Gartner consulting?
Ms. Litan. Personally, I haven't been contacted. I think--and I
can't really speak for the company because there are a lot of points of
contact, so--but I think the main contact was on this hearing.
The Chairman. EMC, do you have a contract with the VA?
Mr. Hoffman. We have sold stuff, yes, we have sold products.
The Chairman. Sold on hardware.
Mr. Hoffman. Yeah. And some software. And we have been in some
significant conversation over the last few days on how we can help with
this.
The Chairman. Before some of these incidents had occurred, you know, I
have got Secretary Cadenas still here, we had a hearing because in our
disability fraud cases we had individuals on the inside doing things they
shouldn't be doing, and that's what he really worked on, compliance. He
works with the IG. So those things happen.
I had a conversation with an individual CIO of one of the Fortune 20,
and I asked a basic question, "So could any employee pull down the
entire personnel record, or the customer list of your company, and take
it home?" You know, he laughed at me. No, I'm serious, he laughed at me
like that was the most ridiculous question he had ever heard, because
there is no way possible they would ever let that occur.
What is your response to that? Tell me what is happening out there in
the private sector? Why did he laugh at that question?
Mr. Hoffman. Fortune 20 financial services firm?
The Chairman. No, a Fortune 20 in the world. Sales, and sales.
Mr. Hoffman. What industry?
The Chairman. I am not going to tell you.
[Laughter.]
Mr. Hoffman. The reason I ask is because we see a significant deviation
in industry vertical to industry vertical. Typically, defense and
intelligence get this, know what they are supposed to be doing around
protection of confidential information. Financial services,
particularly the large banks, get this. Healthcare organizations are
beginning to, but there is a very steep falloff in the understanding and
awareness of information security, issues, technology, organization
structure. But if you are speaking to somebody in one of those
higher-end verticals when it comes to security--
The Chairman. It is.
Mr. Hoffman.--it is laughable, because they have dealt with, you
know--they know that they are personally liable. These are
information companies. To lose the information is to lose the company.
In banks, they trade in information, that is their business. And they
are very aggressive about making certain things like that can't happen.
The Chairman. Well, we already know the advice and counsel to us from
Gartner Consulting with Gartner's centralized approach at this, and it
was not taken seriously at the VA. The bureaucracy sort of cheered.
They felt like they won. We had one of the best in our country as a CIO
of VA. He didn't have to take that job. He went in and took that job,
very challenging. There were a lot of career employees that had been
there for a long time, they don't want to change: "Why should we do
that? This model has always worked that way." And you can always come
up with a list, very articulate, they sound very sensible, very
reasoned.
But the challenge for our, quote, "government," for all departments is
to get our arms around this. And both of you may criticize us. You
called this "maximum dispersion." I guess we call it
"decentralization." I like your term you have used here. And what we
did here on a bipartisan basis was to get our arms around this, we
needed to empower the CIO, and get hold of the architecture, and begin
to then work in the systems. That was our approach.
And we tried to be good listeners to what is going on in the private
sector. It has been really challenging, in the 14 years that I have
done this, to get government to say it is okay to utilize some business
practices and principles. It shouldn't be a radical concept, but it is
really challenging, and you know that because you are consultants to,
quote, "government." But we provide their budgets every year, and monies
come, and they spend monies, and they don't, quote, "have to change."
And it is very, very challenging.
I am glad that the acting CIO stayed here, General Howard, I appreciate
that, and Secretary Cadenas, and Secretary Duffy, that you have remained
here to listen to this testimony. And I would welcome you to contact
them for their expertise and counsel as we proceed.
Thank you very much, you have helped your country.
This hearing is now concluded.
[Whereupon, at 12:15 p.m., the Committee was adjourned.]
APPENDIX