[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
HEARING ON THE REPEATED FAILURES OF
VA'S INFORMATION TECHNOLOGY MANAGEMENT
HEARING
BEFORE THE
COMMITTEE ON VETERANS' AFFAIRS
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
-------------
June 14, 2006
------------
Printed for the use of the Committee on Veterans' Affairs
Serial No. 109-51
--------------
U.S. GOVERNMENT PRINTING OFFICE
28-127 PDF WASHINGTON : 2007
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government
Printing Office Internet: bookstore.gpo.gov Phone: toll free (866)
512-1800; DC area (202) 512-1800 Fax: (202)512-2250 Mail: Stop SSOP,
Washington, DC 20402-0001
Wednesday, June 14, 2006
House of Representatives,
Committee on Veterans' Affairs,
Washington, D.C.
The committee met, pursuant to call, at 10:34 a.m., in Room 334,
Cannon House Office Building, Hon. Steve Buyer [chairman of the
committee] presiding.
Present: Representatives Buyer, Moran, Miller, Brown of South
Carolina, Boozman, Bilirakis, Filner, Michaud, Herseth, Snyder,
Salazar, Udall and Reyes.
The Chairman. The House Committee on Veterans' Affairs will come
to order. Today is June 14, 2006.
Good morning, ladies and gentlemen. We are here today to receive
testimony from the Department of Veterans' Affairs Inspector General
and the Government Accounting Office about past problems and
recommendations in connection with information security and
management at the VA.
We are on a fast track here at the committee. With the security of
personnel data compromised last month and the very trust of veterans
and their families at stake, we cannot afford to let time pass.
Already we have held one hearing to learn about the immediate impact
of the theft from the Secretary last week, joined by the Military
Quality of Life and Veterans' Affairs Appropriations Subcommittee
Chairman, Jim Walsh; and I have held a roundtable at which
information technology experts from Goldman Sachs & Company, EMC
Corporation, VISA, Citi Group, Tri-West, and the American Bankers
Association offered very candid appraisals, all emphasizing the
importance of a centralized management of key components of
information and information systems.
Today, we must establish how and why the second largest breach of
personal data in American history occurred at the VA. Then,
continuing an aggressive series of hearings over the next 2 weeks,
we will hear testimony from experts, largely from the private sector
and the academic world, which will provide best practices to further
guide us. Finally, we will be hearing also from the VA General
Counsel, Tim McClain, with an update on the progress being made
at the Department as well as the legal ramifications of this
breach. We will then hear again from Secretary Jim Nicholson at
the end of the month.
We must identify and understand the scope of this problem. Then we
can determine how to correct the problems at the Department. We will
then act on that determination.
Today is essentially about the past, about context. Without the
advantage of this historical context, the theft of an analyst's
computer might appear to be an aberration, something unusual that
can be corrected with a new policy or an official rule.
The context shows something entirely different. VA's internal
controls and data security have been grossly inadequate for years.
Both the VA IG and the GAO have indicated VA's decentralized
management and the lack of accountability as major shortcomings
which have led to 16 recurring, unmitigated information security
vulnerabilities over the past 8 years.
Since May of 2000, this committee has held six hearings where VA
information security has been specifically addressed and where
lapses have been repeatedly identified. We have continued to hold
three more hearings this Congress to review VA information
technology and monitor the Department's actions with respect to
IG and GAO recommendations and even directives from Department
leadership. In the upcoming hearings, we will continue to obtain
insights from witnesses, which will help us develop a bipartisan
approach to this problem.
The next hearing will be on June 20, when the Subcommittee on
Disability Assistance and Memorial Affairs and the Subcommittee on
Economic Opportunities will hold a joint hearing on the VA data
theft and cyber security procedures at the Veterans Benefits
Administration. This hearing will include an examination of
security measures to ensure fiduciaries are protecting sensitive
client information.
On June 21, the Subcommittee on Health will be meeting to examine
the Department of Veterans' Affairs efforts to maintain security and
integrity of the electronic health records of enrolled veterans
while safeguarding sensitive personal veteran information from
internal and external security threats.
On June 22, the full committee will meet to hear from academic and
industry experts on operational aspects of IT security, as well as
the VA General Counsel on legal implications.
On June 28, we will examine the role of VA's Chief Information Officer
and the Department's Office of Information and Technology Structure
and Operations. We will receive testimony from two of the former
CIOs at the VA.
And, finally, on June 29, we will bring back VA Secretary Jim
Nicholson to testify before the full committee to provide us with
an update of the status of the VA data theft.
Please make sure, my colleagues, that you mark these important dates
on your schedules. To the extent that information security is a
critical priority throughout government, what we hear today and the
successive hearings on this issue will, I believe, be of a broad
value that transcends any one agency.
I now recognize Mr. Filner for an opening statement.
Mr. Filner. Thank you, Mr. Chairman.
You used the words "aggressive" and "fast track" in these series of
hearings, and I certainly appreciate that, and we will give you our
full support. I think you have mapped out a fine approach from
this committee, and we thank you.
If it were possible to approach the theft of veterans' and service
members' records without the emotions triggered by this theft, and
what I can only call a pathetic response from the Veterans'
Administration, the emotions of disbelief, anger, frustration that
we all feel, this situation might be even an interesting case study
of lax policies, failed leadership, and organizational arrogance. I
can only call this situation the Katrina of the Veterans'
Administration. A disaster occurred presumably not of their own
doing, and yet the response was clearly inadequate, causing more
suffering, and a presidential crony at the top of the administration
unable to respond in an adequate way. I know that Mr. Nicholson
doesn't want to hear this phrase from President Bush, that he is
doing a heck of a job.
We have 26.5 million veterans and over 2.2 million active and reserve
service members at risk of identity theft, their lives now requiring
a new and constant vigilance. Sensitive disability codes pinpointing
health and medical information on service-connected disabled
veterans, their most private personal information, is poised to
enter the public domain, with the steady drip, drip, drip of
information each time adding more bad news. A lot of sensitive
information is involved here, with a baseless spin by Secretary
Nicholson and the other VA officials that the stolen data, and I
quote, "may have been erased by teenagers who sold the computer
equipment."
Reaching for outcomes that are less than tragic is not helpful in this
situation, when the street value of this information probably exceeds
half a billion dollars, quite an incentive for bad guys to get ahold
of this data.
We are collectively angered by the 19-day-long lag between the data
theft and public announcement. When we questioned what happened, we
find that the employee who took the data home told his supervisors
almost immediately about the theft, but it took 6 days for the VA
Chief of Staff to find out and another 6 days for the Deputy Chief
of Staff, the Deputy Secretary, and the VA General Counsel to get
around to notifying the Secretary. Don't some of these folks work
in the same office suite as the Secretary? Wouldn't it be
reasonable to tell the boss immediately about the possibility of
a great compromise of records?
Then we learn that the Inspector General's initial involvement was
not a result of direct notification by the leadership at the VA but
because someone from the IG's office happened to attend a
regularly scheduled information security meeting. We have to
question why the leadership of the VA would not be more proactive
in getting the issue to the investigators at the IG.
In addition, it seems that the VA's senior leadership was more
focusing on communicating with the White House than on notifying
the FBI. That task fell on the IG. While the most important
action should have been to recover the stolen data, message
management was more important to these political appointees than
getting the FBI involved in the investigation of the burglary.
When the FBI was finally brought into the investigation, the trail
was already 2 weeks old. Talk about misplaced priorities!
Not until this point did the VA Secretary notify the Nation's
veterans, on May 22, fully 19 days after the theft.
The Secretary now clamors for stiffer penalties for government
employees who mishandle personal information that is entrusted to
them. Yet this organization failed to update in any meaningful
way the internal policies and regulations of information security
before the theft. VA just simply ignored a host of findings
and recommendations over the years and never fixed any of the data
control and information security problems; and, unbelievably, after
the theft, the Secretary waited for over a month to implement an
updated and substantive policy on information security. Even that
policy is somewhat light on enforcement and on specific liabilities
and punitive actions when an individual fails to protect sensitive
information.
I believe, and I think the Chairman has said many times, this ID
theft would not have happened if VA leaders since 2001 had cared
about protecting sensitive data or could get the job done. This
would not have happened if this Congress was more of a co-equal
oversight mechanism for the executive branch. So we will learn
today the history of information security and information technology
problems at the VA, which the Chairman has amply outlined.
There still is avoidance of accountability and responsibility at
the VA. One wayward employee alone did not give birth to this
massive data compromise. It was born of a culture of indifference
and fathered by VA leaders who philosophically skipped town during
the last 5 years in their collective attempts to avoid
accountability.
Anyone at VA who waited or delayed over 24 hours to report this
compromise should be held accountable and fired. From the first
day, it was clear this was not a minor issue. Likewise, anyone
who interfered, blocked or undercut the numerous attempts to
improve substantive, enforceable information security and IT
policies should be held accountable. I am looking forward to the
testimony today to see how we may deal with that.
Lastly, Mr. Chairman, I spent the last days of May, and the early
part of June, talking to people all over my district. Veterans
were not only angry but scared. They have the potential compromise
of their most sensitive data. They got a letter from the VA just
recently, and they see a Web page from the VA, which says, basically
go talk to your credit bureau.
The VA should be proactive in response to this crisis, making sure
veterans know that the data breach will not be a cost to them, either
in money or in psychological anxiety. We have an obligation, given
what happened, to be comforting in every way possible, and the VA
simply is not doing this. I hope over the course of your month-long
hearings, Mr. Chairman, that the VA could sit down with the credit
bureaus and ask them to voluntarily provide, as a national service,
a way to mark these 26 or 28 million records so if any undue activity
occurs we know about it right away, and it is not left up to the
individual veterans to figure out how to deal with it.
My colleagues, Mr. Salazar and Ms. Hooley, have legislation which
calls for monitoring of the credit reports; and also Mr. Salazar has
recently introduced legislation for an ombudsman at the VA to begin
to deal with this data breach.
Let us be proactive and not wait for more disasters to occur.
Thank you, Mr. Chairman.
The Chairman. I thank the gentleman.
As far as I know, the committee, on a bipartisan basis, Mr. Filner,
has gone back to 1997, according to GAO testimony, from their audit.
That was in submitted testimony.
Does anyone have any other opening statements?
Mr. Michaud, you are recognized.
Mr. Michaud. Thank you, Mr. Chairman.
Just briefly, I want to thank you for staying focused on this very
important issue. I commend you and Ranking Member Evans for your
leadership and having the committee explore this fully with an
aggressive schedule over the next month. I really appreciate it.
I also want to thank Congressman Salazar for introducing legislation
to look at this issue.
I look forward to hearing the witnesses testify here today, and I
would ask that my opening statement be submitted fully for the
record.
The Chairman. All written statements will be submitted for the
record, and members will have 3 business days to do so.
[The statement of Michael Michaud appears on p. :]
The Chairman. Any other opening statements?
All right, we will go to the witnesses.
Today, we welcome Michael Staley, the Assistant Inspector General
for Audit at the Department of Veterans' Affairs. Mr. Staley served
with the Second Battalion Ninth Marines in Vietnam in 1968. Upon
returning from Vietnam, he devoted his career to helping veterans
and their beneficiaries. He held several positions of responsibility
at the Veterans Benefit Administration upon joining them in 1971.
Michael Staley was appointed the Assistant Inspector General for
Auditing in December of 2003. He directs a nationwide staff of over
185 auditors and support staff located in offices across the
Nation. His office conducts audits and evaluations of the Department
of Veterans' Affairs programs and functions and provides audit
support to criminal and administrative investigations.
Also before us is Ms. Linda Koontz. You have been before us
quite often over the years, and we appreciate your testimony. She
is the Director of Information Management Issues at the U.S.
Government Accounting Office.
We also have Gregory Wilshusen, Director of Information Security
Issues at the U.S. Government Accountability Office.
Ms. Koontz is responsible for government-wide telecommunications
issues as well as issues concerning the collection, use, and
dissemination of government information in an era of rapidly
changing technology.
Mr. Wilshusen has over 22 years of auditing and financial management
information technology management experience and is the acting
director on GAO's information technology team, where he leads
information security audits at several Federal agencies.
We also have Mr. Raponi with the VA IG; and I will leave that,
Mr. Staley, for any further introductions.
STATEMENTS OF MICHAEL STALEY, ASSISTANT INSPECTOR GENERAL FOR AUDIT,
U.S. DEPARTMENT OF VETERANS' AFFAIRS, ACCOMPANIED BY MICHAEL
RAPONI, REGION DIRECTOR, ST. PETERSBURG AUDIT OPERATION DIVISION,
U.S. DEPARTMENT OF VETERANS' AFFAIRS; LINDA KOONTZ, DIRECTOR,
INFORMATION MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY
OFFICE; AND GREGORY WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES,
U.S. GOVERNMENT ACCOUNTABILITY OFFICE
The Chairman. Mr. Staley, you are now recognized.
STATEMENT OF MICHAEL STALEY
Mr. Staley. Thank you, Mr. Chairman.
Mr. Chairman, members of the committee, thank you for the
opportunity to testify today on the results of our reviews, which
continue to address information and security vulnerabilities in VA,
and to report on the status of VA's implementation of our
recommendations.
As you said, Mr. Mike Raponi is next to me today. He served as the
project manager on the IT security audits, as well as I have Steven
Gaskell in the audience, who also served as a project manager on
these audits.
We have conducted a number of audits and evaluations on information
management security and information technology systems that have
shown the need for continued improvements in addressing security
vulnerabilities. As such, we have included IT security as a major
management challenge for the Department in all of the major
management challenge reports since the year 2000.
In our annual financial statement audits, we have reported VA
information security controls as a material weakness since our
fiscal year 1997 audit. Specifically, we reported that VA's
financial data and sensitive veteran medical and benefits
information are at risk due to vulnerabilities related to access
controls, change controls, the need to segregate duties, and the
need to improve service continuity practices.
My IT security program auditors have identified and reported on
significant information security weaknesses since 2001. All four
of these annual audits have reported on similar issues; and the
recurring themes in these reports are the need for a centralized
approach to achieve standardization, remediation of identified
weaknesses, and accountability in VA information security. We
have continued to report control weaknesses in physical security,
electronic security, reporting, wireless security and employee
security. Additionally, we have reported significant issues
with the implementation of IT initiatives by VA.
Our combined assessment program reviews continue to report physical
security and access control security vulnerabilities at VA health
care facilities and VA regional offices where security issues were
evaluated. We have recently issued an advance copy of our draft IT
security program review to VA. While it is not our general
practice to comment on draft reports before they are published
because of the extensive public interest in these information
security issues, I have described the issues that VA is addressing
in my testimony.
In closing, I would like the committee to know that reviews of
VA's information security will remain a top priority in my office.
We remain committed to reporting on the adequacy of IT information
security controls and following up on actions taken by VA to
strengthen these controls as we remain dedicated to the goal of
protecting our Nation's veterans.
Mr. Chairman and members of the committee, thank you for the
opportunity to be before you today; and I would be pleased to
answer any questions that you might have.
[The statement of Michael Staley appears on p. :]
The Chairman. Ms. Koontz, you are recognized.
STATEMENT OF LINDA KOONTZ
Ms. Koontz. Mr. Chairman and members of the committee, thank you
for inviting us to participate in today's hearing on information
security and privacy at the Department of Veterans' Affairs.
The recent well-publicized security breach of the Department has
thrown into high relief the importance of good information security
controls in protecting personally identifiable information, not
only at VA but throughout the government. As we have reported many
times, poor information security is a widespread problem that can
potentially have devastating consequences.
Today, we would like to summarize the recurring security weaknesses
that we have reported at VA, discuss what agencies can do to prevent
breaches of personal information, and comment on the issue of
notifying individuals and the public when breaches occur.
Since 1998, GAO and the VA IG have reported on wide-ranging
deficiencies in VA's information security, including the lack of
effective controls to prevent unauthorized access to VA systems and
sensitive data. In addition, the Department had not consistently
provided adequate physical security for its computer facilities; it
had not assigned duties so that incompatible functions were
segregated; it had not controlled changes to its operating systems;
and it had not updated or tested its disaster recovery plans.
These deficiencies happened at least in part because VA had not
fully implemented key components of a comprehensive, integrated
information security program. Such a program would establish
Department-wide policies and procedures to address these
weaknesses.
Further, as we reported in 2002, VA's organization and management
may also have hindered its ability to fully address security
challenges. Specifically, we reported that the hundreds of
information security officers in VA did not report either
directly or indirectly to the cyber security officer, and this
official did not have control over a significant portion of the
financial resources that the security program depends on to
sustain its operations.
VA has taken steps to improve information security. For example,
it reports that it recently centralized its security management.
However, its efforts have not been sufficient to effectively protect
its information and information systems. As a result, sensitive
information, including personally identifiable information, remains
vulnerable to inadvertent or deliberate misuse, loss, or improper
disclosure, as the recent breach demonstrates.
In addition to a robust security program, agencies, including VA, can
take a number of steps to help guard against the inadvertent
compromise of personally identifiable information. Specifically,
under the E-Government Act, agencies are required to conduct privacy
impact assessments. Going forward, this gives agencies the
opportunity to assess upfront how personally identifiable information
is to be collected, stored, shared, and managed so that controls can
be built in from the beginning.
In addition, we suggest that agencies can take a number of other
practical steps. They can limit the collection of information to
what they really need, they can limit the time that they keep
such information, they can limit access to that information and
train personnel accordingly, and they can appropriately use
technological controls such as encryption when data needs to be
stored on portable devices.
Nonetheless, even with security and privacy protections in place,
breaches can occur, particularly if enforcement is lax or employees
willfully disregard policy. When such breaches occur, notifications
to those affected or the public have clear benefits, allowing people
the opportunity to protect themselves from identity theft.
Further, although existing law does not require agencies to notify
the public, such notification is consistent with agencies'
responsibility to inform individuals about how their information
is being accessed and used, and it promotes accountability for
privacy protections.
That said, we need to be careful to define appropriate criteria for
triggering notification, and notices must be sufficiently informative
to allow people to understand the threat and how they should
respond to it. As the Comptroller General testified last week,
these are factors we think that Congress should consider as it
deliberates on proposed legislation on breach notification.
In summary, Mr. Chairman, long-standing information security control
weaknesses at VA have placed its information systems and information,
including personally identifiable information, at increased risk of
misuse and unauthorized disclosure. Although VA has taken steps to
mitigate previously reported weaknesses, its efforts have been
insufficient to address these serious issues. Only through strong
leadership and sustained management commitment can VA implement a
comprehensive, integrated information security program that can
effectively manage risks on an ongoing basis.
Mr. Chairman, that concludes my statement. Mr. Wilshusen and I would
be happy to answer questions.
The Chairman. Thank you very much.
[The statement of Linda Koontz appears on p. :]
The Chairman. When I think about the lapses of security in some of
the hearings we have had over the years we had some problems in
pension compensation fraud. So whether it was a $12 million case
in Atlanta, a $6 million case in Manhattan, a $6 million case at
Bay Pines, each time we come up here we talk about what the problems
were; and it always goes back to unauthorized access, not having
sufficient controls, who had the keys, where was the authority.
I hate to keep saying it, but it is ditto, ditto, ditto. It is
almost like you can prepare your testimony by looking back on the
testimony that you have given over the years.
So here is what is sort of exhaustive. You highlight these problems
and concerns not only from GAO but IG, and you hand these off to
the administration. Who acts on them? Who is supposed to act on
the reports?
Mr. Wilshusen. Well, at least with regard to the GAO reports, we
usually direct our recommendations to the head of the agency, and
then they may direct it down to lower levels of management.
The Chairman. And in this case it is the Secretary?
Mr. Wilshusen. In this case, it would be to the Secretary of VA.
Because, under FISMA, which is the Federal Information Security
Management Act, it is the head of the agency that is responsible
for implementing the safeguards and information security controls
necessary to protect the information and information systems under
his control that support the operations and assets of that agency.
The Chairman. All right. Mr. Staley? I mean, you provided
testimony from your fiscal year 2004 report, including 16
recommendations, all of which remain open as of today. So these
reports go to whom?
Mr. Staley. We issue our draft reports, Mr. Chairman, to the
Chief Information Officer; and our recommendations in this report
that you referred to included the Chief Information Officer and
all of VA senior leadership that was involved in any IT security
functions so that they could act jointly in trying to resolve
these 16 recommendations.
In our prior reports, we have issued our reports to the Chief
Information Officer; and his concern and his response has been that
he doesn't have the enforcement authority to implement the
recommendations solely by himself. So, in an attempt to remediate
that issue, we were then broadening our recommendations to include
all of VA senior leadership.
The Chairman. All right, but--okay, so when you are faced with a
general counsel's decision that the CIO could only go with
compliance and not enforcement, you then would take your reports
and send them to whom above the CIO? When you say "senior
management," I don't know what that means.
Mr. Staley. If we are unable to resolve a recommendation or to get
an action plan that is acceptable, we would then elevate it to the
Deputy Secretary and the Secretary, if necessary.
The Chairman. Where does the CIO obtain his authority?
Mr. Staley. The CIO obtains his authority from the FISMA act.
The Chairman. Does he not also obtain his authority from directives
from the Secretary?
Mr. Staley. Certainly, he is responsible to reporting to the
Secretary, and he is under his leadership.
Mr. Wilshusen. And, also, if I may add, Mr. Chairman, Mr. Staley
is correct. FISMA, in addition to making--having the Secretary assume
overall responsibility for the program, he also can delegate to the
CIO the authority to ensure compliance with the Act and the
provisions of the Act and to develop and maintain an agency-wide
information security program that contains several different
elements including assessing risks, developing the policies and
procedures that are necessary to reduce those risks or
cost-effectively reduce those risks, and to provide the testing
and evaluation regarding the compliance and effectiveness of those
controls.
The Chairman. I have one last question. Are you aware--Ms. Koontz,
are you aware of the memorandum of March 16, 2004, whereby then
Secretary Tony Principi made an effort to make sure that cyber
security, accountability, and protecting VA's computer information
systems was the responsibility of the CIO Robert McFarland?
Ms. Koontz. Yes.
The Chairman. You are familiar with that memorandum?
Ms. Koontz. I have read it. Yes.
The Chairman. Are you also familiar then with the general counsel's
opinion that said that, despite the Secretary extending authority,
that he really did not have the authority of enforcement? Are you
familiar with the general counsel's memorandum?
Ms. Koontz. The general counsel memorandum that I am familiar with
is from February, 2004. I don't know if this is the same one or
not. I am not sure I have all the documentation that you have, but
a similar issue was raised at that time.
The Chairman. I have one here dated April 7, 2004. So I will make
sure you get a copy of this.
Ms. Koontz. Okay. Very good.
The Chairman. My question is, is when you look at the FISMA
legislation that we passed here in Congress, were there rulings
from other general counsels of other government departments
consistent to what the VA did with regard to authority of a CIO?
Ms. Koontz. We haven't done a government-wide review of that, but
I am not aware of any other general counsel that has--any other
counsel decisions that would be similar.
Mr. Wilshusen. Nor am I.
The Chairman. You are not aware of up to date, but you have not
given it a review.
Ms. Koontz. I haven't done a systematic review, no, and asked
everybody.
The Chairman. Would you be outside of your lane to do that for
this committee?
Ms. Koontz. I don't think so.
Mr. Wilshusen. No, we could work with your staff to look at that.
The Chairman. All right. What we are most curious about is whether
this legal opinion is consistent with other general counsels' opinion
of the interpretation of the Act, or was this an opinion that was
written because it was placating toward the interests of the three
Under Secretaries?
Ms. Koontz. I understand.
The Chairman. Mr. Filner, you are recognized.
Mr. Filner. Thank you, Mr. Chairman.
It is a bit beyond the scope of your testimony, but I would like to
know if either of you have thought about or would need further
direction from this committee to think about a proactive response.
That is, we have an unprecedented breach of security here. I know
personally that dealing with identity theft is extremely difficult,
it is frustrating, it is time consuming. People who are older
especially, find it hard to fix. They need our help.
Have you thought about a way that we can, in fact, taking into
account privacy concerns, give the veterans some help from us
rather than leave it to them as individuals to figure out credit
breaches or monitor their credit reports or get their credit
reports? Could the VA figure out a way to work with the credit
bureaus to monitor any suspicious activity, and therefore know
of problems immediately? To put some of the burden on the VA
rather than on the individual veteran? Can you comment? Have
you thought about that at all?
We have to think outside the box, as they say. We are thinking in
very traditional terms about dealing with this issue, and yet this
massive breach and the kind of people that we have a responsibility
to deserve better.
Ms. Koontz. There are probably a number of options that are
available to the Congress to deal with this if the Congress makes
a policy decision that this kind of action is warranted. I have
seen proposals all the way from offering veterans free credit
reports over some period of time to working more proactively with
the credit bureaus in terms of monitoring. But, quite honestly,
we haven't evaluated any of these proposals nor looked into it
further.
Mr. Filner. Are you restricted to evaluating?
Ms. Koontz. Yes.
Mr. Filner. We have to have some people giving us some policy
recommendations in response to this breach, not just an audit
function.
The Chairman. Mr. Filner, that is what we have done in our
coordination of hearings. We will have academics, we have private
industries and all. We have brought in the auditors for them to
give us the historical context of all the problems and concerns.
When we understand the context of the problem, then we can move
out toward a solution.
Mr. Filner. I appreciate that, Mr. Chairman.
An independent audit that was done about a little more than 3 years
ago--this was not done by either GAO or IG but Deloitte and Touche--
and I quote from that report. In the so-called C and P system,
compensation and pension, we identified numerous security
weaknesses, including inappropriate access privileges and
inadequate management of access privilege, excessive assignment
of powerful privileges to sensitive information, and inadequate
segregation of duties, permitting individuals to both initiate
claims and authorize the claims for disbursement.
It seems to me we knew that there was a disaster waiting to occur.
Do you have any comment on that? Is that part of what you had found
in previous years?
Mr. Staley. Well, in commenting to the report, sir, the report
continued to talk about role-based user profiles in terms of--
Mr. Filner. I am sorry. Can you define this in English, please?
Mr. Staley. Identifying the employee's specific duties, and then
identifying what specific data that employee would need to perform
those duties, and then limiting the access and controlling the
access to only that specific set of data. What we are finding is
that there is a broader set of data that employees are able to
access.
By going ahead and limiting that access and I think, as Ms. Koontz
has said in her testimony, by going ahead and restricting how much
they can get, you certainly can mitigate the risks of some employee
going off farther into other data than they should be.
Mr. Wilshusen. I would just add that those lists of deficiencies
that you just pointed out from the Deloitte report are very
similar--in fact, identical--to many of the weaknesses we identified
years before then, after from 1997 or 1998 to 2002. And I think it
is just emblematic of the lack of having a comprehensive security
program.
Because you can find problems and weaknesses on one system with
one organization, and if you don't have a centralization of your
controls and standardization you will end up finding weaknesses
across the Department. Without having a strong, centralized focal
point for implementing information security, it is likely that
once an identified weakness is known it may be corrected, and VA
generally is pretty good at correcting identified weaknesses, but
they are not that good at proactively going forward and looking to
see if similar weaknesses exist across the Department and taking
corrective action.
Mr. Filner. Mr. Chairman, I don't mean this in any partisan way.
I don't care if it is a Democratic administration or a Republican
Congress or vice versa or executive-legislative being in the hands
of the same party. The oversight function of Congress is critical.
You have shown, as we look down the month's schedule, the proper
way to do oversight. I think all the committees have to take this
more seriously, again, without any partisan thought. I think you
have outlined a way that a committee ought to do oversight, and I
hope we can serve as an example for other committees, too.
My time is up. Thank you, Mr. Chairman.
The Chairman. Thank you.
Mr. Moran.
Mr. Moran. Thank you, Mr. Chairman.
We have heard for a long time, and you have outlined again today, a
long list, a long history of weaknesses within the system. My
interest is perhaps beyond your realm of ability to answer, but how
do you explain the failure of the VA to implement the recommendations
and for the atmosphere or culture that exists at the VA in regard
to this issue to continue despite the significant and series of
warnings that have occurred over a long period of time? What is
wrong at the VA that inadequate response occurs, it seems to me,
in each and every occasion to the Inspector General, to the GAO,
and to congressional committees' direction following review of
their procedures? Why no or insufficient response?
Mr. Staley. One of the reasons I think, sir, is that the
recommendations--the Department has seemed to focus on a resolution
of recommendations at the sites that we visit. We go out to the
information technology centers, and then we go out to a select
number of medical centers or regional offices, and then we conduct
these program reviews where we go out to offices. And the responses
we get back to those recommendations are, is we have taken actions
at site A.
Then next year we come along and we go to site B and we see that the
same conditions exist. We have been continuing to report that these
are systemic issues and that you need a comprehensive and central
approach to ensuring that all of the recommendations are issued at
all the sites concurrently. So we wind up going ahead and making
the recommendation the following year, and so then it just seems to
perpetuate itself.
Really, the Department needs to take an aggressive stance in ensuring
that all of the regional offices and all of the facilities are
correcting the vulnerabilities that we have identified and also
correcting the vulnerabilities that they have recognized through
their own certification and accreditation process in order to
mitigate the risks that we are talking about here today.
Mr. Wilshusen. If I may add, because I wholeheartedly endorse what
Mr. Staley said, is also there needs to be appropriate
accountability mechanisms in place to help assure compliance; and,
if not, that there are consequences for not implementing security
controls.
Mr. Moran. Mr. Wilshusen, your testimony was that, legally, the
responsibility for these issues, the security of information
contained at the VA, rests with the Secretary of the Department.
Is that true?
Mr. Wilshusen. Yes, under the Federal Information Security
Management Act.
Mr. Moran. So no question as to who is responsible legally.
Mr. Wilshusen. He has overall responsibility.
Mr. Moran. What is your reaction to what is very troublesome to me
as about the time frame in which it--the time passage. Say that
differently. A long period of time--at least in my mind, a long
period of time transpired before this breach reached the desk of
the Secretary, and yet you tell me that the Secretary is legally
responsible for this system and the consequences of that breach.
What does it tell us about the VA in the failure for this
information to quickly reach the Secretary?
Mr. Wilshusen. One of the elements that is required under law by
FISMA is that agencies develop the policies and procedures for
adequately detecting, reporting, and responding to security
incidents and events.
It seems clear--and, again, we haven't done any work, so I don't
know the specifics of this other than what I have read--but it seems
like there might have been a breakdown in those policies and
procedures.
Mr. Moran. Are there policies for response and for notification in
place at the VA today?
Mr. Wilshusen. That is something we haven't looked at recently.
Mr. Staley. There is an incident response criteria in VA's handbook.
We currently have an administrative investigation ongoing to look
at the specific instructions of the incident response handbook and
what occurred from the point of time where the employee notified
the VA. We hope to issue that report to the Department for comment
at the end of this month; and as soon as the Department responds to
our issues and recommendations, we will be issuing the report,
hopefully in mid-July.
Mr. Moran. Well, as I indicated, this aspect of it is clearly
troublesome to me, the idea that it would take so long for the
Secretary to learn of this breach. The concern it raises with me is
we either have a desire at a level of the VA in which to camouflage
or hide, cover up the errors and mistakes, or a suggestion that the
Secretary or the upper management is disengaged in these issues.
And either one is a terrible conclusion to reach.
But I would like to know--I am anxious for your report, Mr. Staley--to
learn why it would take such an extraordinary amount of time. I just
know in the management of any business, small or large, the first
place you go with something of this magnitude is to the leader; and
it clearly happened in a very slow fashion at the Department of
Veterans' Affairs.
Thank you, Mr. Chairman.
The Chairman. Thank you very much.
Mr. Michaud.
Mr. Michaud. Thank you very much, Mr. Chairman.
Question: During the coordinated draft, VA directive 6500
information security program, VHA questioned the requirement that
all companies acting as contractors or subcontractors with access
to VA's information system, including transcription services and
medical devices, shall be American owned.
Today, the VA Office of Inspector General will release a report
indicating that, in February of 2005, an offshore subcontractor
contacted the Office of Inspector General hot line division
threatening to expose about 30,000 VHA patient records from five
VHA facilities over the Internet if the contractor did not pay over
$28,000 owed. Draft directive 6500 would have prevented this. But
the culture within VHA, as explained at previous hearings, that
"don't tell me what to do" attitude, questioned the American-owned
transcription service requirement. They went out, but, as a result,
confidentiality of medical records of over 30,000 veterans was
jeopardized.
I would like you to comment.
Mr. Staley. Yes, sir. We have been conducting this audit for some
time in conjunction with our Office of Investigations, because there
have also been certain investigations that have been ongoing as
well, some of which would have been under seal, so we have been a bit
delayed in issuing this report. In fact, we worked with the
Justice Department a few months ago to try to sort out what language
we could or could not put in the report before we issued it, and
we just recently received comments back from the Justice Department.
The break in the control is that the contracts do not specify to
the contractors a number of criteria in terms of how to protect
personal identifying information. Such as you can send it to a
U.S. contractor, but you cannot use an offshore foreign
subcontractor. It is silent on the issue. So, consequently, you
have an issue such as you have described this morning arise.
And, of course, our report hopes to be out on the Internet today,
latest tomorrow; and it talks about four issues: using speech
recognition technology in-house to try to keep more of this in-house
and not outsource it because the information is so sensitive;
acquiring transcription services uniformly; and verifying the
invoices and then, most importantly, the management controls over
patient privacy and personal patient identifiers.
The Chairman. Mr. Michaud, if the gentleman would yield to me. I
recognized you out of order, and if you hold your thoughts, let me
recognize Dr. Snyder, because he is going to have to get to the Armed
Services Committee.
Mr. Michaud. No problem.
The Chairman. Mr. Snyder.
Mr. Snyder. Thank you, Mr. Chairman. I appreciate your holding this
hearing, also.
I don't know if it happened to you, Mr. Chairman, but, as I mentioned
in another hearing, my wife and I have a 3-week-old baby, so we got
about 3 weeks behind in our mail. Two days ago we were going
through literally a laundry basket full of mail because we are on
so many lists, and there was my letter from Secretary Nicholson,
and I thought I was not going to be--did you think the same thing?
The Chairman. It was personalized, too.
Mr. Snyder. It was very personalized.
The Chairman. "Dear Veteran."
Mr. Snyder. It gives you this empty feeling when you realize that
somebody is sitting out there with your stuff.
But at one of the hearings that was held, I think it was in the
May 25th hearing--I will direct this to you, Mr. Staley--some
private-sector privacy experts suggested that the VA doesn't need to
be using Social Security numbers at all; and, in fact, that we were
all--everybody in the military memorizes for all time their service
number. We could either use our service number, which is just
distinctly for the military, or be assigned another number. Why do
we have to use a Social Security number at all since this is all an
in-house thing?
Mr. Staley. Well, it is certainly a policy decision by the Department.
But my views on that, as I had a service number and not a Social
Security number, but I also joined the VA around 1971, so I recognized
that the Department of Defense was moving from service numbers to
Social Security numbers depending on the branch of service you were
in. So VA eventually moved Social Security numbers as your general
identifier. And many of your affiliations and your other business
associates that work with the VA also use Social Security numbers.
Department of Defense uses Social Security numbers. So I think that
is pretty much how Social Security numbers became the--
Mr. Snyder. I understand why it was done 35 years ago. But why do
we perpetuate it? We have a distinctive number that is not a Social
Security number. Would that not add a different level of protection
if we got away from Social Security numbers?
Mr. Staley. Certainly your point is well taken.
Mr. Snyder. They go throughout their military career with using a
number that is not their Social Security number. Is that not
correct?
Mr. Staley. I am sorry, your question again?
Mr. Snyder. People in the military go throughout their military
career, whether it is 2 years or 20 years, with a number that is
not their Social Security number as their identifying number. Is
that not correct?
Mr. Staley. I believe--I am not sure whether all military branches
use a unique service number. I couldn't comment on that.
Mr. Snyder. I want to get back to Mr. Buyer's statement about this
memorandum on the CIO authority. And I haven't read this, I just
quickly looked through it.
When you start seeing--when someone has to ask for this kind of
guidance and somebody is quoting court cases on statutory authority,
you know, the principles of interpreting statute, we are in doo-doo
city. I mean, because somebody out there has to sit--is looking for
how do I have to do my dang job? And do I have authority or not?
And when I call up you to tell you I have the authority, I don't
need to be sending along: Well, you need to refer to page 7,
footnote 3, about my authority to tell you how to improve your
stuff. I mean, does this not point that we need to do some
clarifying legislative kind of language so that the lines of
authority on this are clear?
Mr. Staley. Obviously, I can't speak for the general counsel in that
their legal opinion has been the focal point of the reasons why the
CIO has continued to inform us, as we push forward in trying to move
our recommendations forward, that he had been hampered by enforcing
many of the initiatives that he had tried to execute in terms of
having the authority to make them happen.
Mr. Snyder. And you folks from the GAO, there is a statement in
there. You talk about the weaknesses, that things have been
identified in 2001 that had not been resolved, what Mr. Buyer
referred to as the ditto document, that we are rehashing some of
the stuff had been talked about in the past. In one line there in
the report, it talks about the Department has maximized limited
resources to make significant improvements. The phrase "limited
resources" catches my attention. Do we have now and have we had
funding issues in terms of getting this done?
Mr. Wilshusen. I think that was the Department's response.
Mr. Snyder. It was the Department's response. Do you agree with
that response? Is it partly a money issue?
Mr. Wilshusen. We believe--and in our reports we talk about what
resources are available that they have and how they are being
used. I wouldn't say that is a resource issue or that they need
more money. We generally don't make such recommendations along
those lines. We look at how they use the resources that they
have.
Mr. Snyder. Dr. Staley, one of the problems that you mentioned is
controlling access to physical space. Now we can talk about
encryption and all these kind of things as being a new problem.
We all understand new problems. But access, protection of medical
records, physical space is not a new challenge. Why is that not an
easy problem to correct?
I assume what we are talking about is the ability of someone just to
walk in and say I am going to grab that file. Why are we still
having to deal, after this many decades of concern about medical
privacy, before even the advent of computers, why are we still
dealing with controlling access to physical space, just somebody
walking in and grabbing files?
Mr. Staley. Well, it is an issue of vigilance, sir, and continually
ensuring that your physical space is secure. Obviously, the
Department has made improvements by adding key cards and things of
that nature to control physical space better. We see more and more
of that as we go out on these site visits.
But it doesn't preclude someone from sticking a pop bottle in that
door, and then we arrive and, my goodness, there is a pop bottle and
the door is open. It doesn't preclude cleaning crews from going
in there unescorted, or because of a lack of time, someone lets a
contractor in there to deliver materials and they are not there next
to them.
So these physical security issues continue to persist, and it is
really an issue of vigilance and ensuring that our guard is not let
down and that those areas are always secured.
Mr. Snyder. If you see in your work, if you see Mr. Buyer's or my
file laying around, would you let us know?
Thank you. Thank you, Mr. Chairman.
The Chairman. Dr. Snyder, your question with regard to Social
Security numbers. At the last hearing, Gartner Consulting gave
a recommendation to the committee that the VA should no longer
use Social Security numbers and should use a user personal
identifier. So, distinctive.
Your other question on enforcement, where we are going, is the
reason we have turned now to the other subcommittees to hold
their own hearings. Because if the CIO can't do the enforcement,
then the enforcement is the responsibility of the three Under
Secretaries. So we have got to bring them in.
Mr. Snyder. Thank you.
The Chairman. Mr. Michaud.
Mr. Michaud. Thank you very much, Mr. Chairman.
I just want to follow up on my last question. At our last hearing
we were assured that there is a culture within VHA based upon the
medical profession code to do no harm by Dr. Perlin. But my concern
when I find out that just last year that you received a call from
a subcontractor threatening to expose 30,000 veterans' information,
medical records, over the Internet unless VA pay the $28,000 owed
is a real concern that I have. And I am just wondering, in your
many reviews of the VA IT system, have you identified a stronger
IT security culture in VHA versus the Veterans Benefits
Administration or the National Cemetery Administration?
Mr. Staley. Our principal focus is in the Veterans' Health
Administration and the Veterans' Benefits Administration. They have
far more platforms and systems than the National Cemetery
Administration. There is only a few systems that are being used
there. And we are finding similar problems in both
administrations. Referring to encryption solutions, you will
find the same problems, that the veterans' benefits network does
transmit clear text, unencrypted among its network. You go to VHA,
you look at their Vista system, which is predominant, and the
transmission and storage is in clear text. And when you look at
some of the other areas that I have testified on in my written
testimony, similar conditions exist in both administrations.
Mr. Michaud. Has the GAO found that with other agencies dealing
with subcontractors, that this is a problem? Have you looked at
this issue as a potential problem?
Mr. Wilshusen. We looked at the issue last year in terms of the
use of contractors to provide services, information technology and
security-related services; and one of the things we found is that
Federal agencies, by and large, did not do an adequate job of
providing oversight over the services that those contractors
provide.
One of the things--again, I keep referring to FISMA. But one of the
things that FISMA does, is it also extends the requirement that the
agency's information security program extends to the information and
the systems that are being operated on its behalf by contractors
and other third parties; and we found that there is still room for
improvement on agencies' oversight of the work being done by
contractors with regard to information security.
Mr. Michaud. Thank you, Mr. Chairman.
The Chairman. Thank you.
Mr. Bilirakis.
Mr. Bilirakis. Thank you, Mr. Chairman.
Mr. Staley, as you may know, tomorrow the Subcommittee on Oversight
Investigations will hold a hearing on patient safety, where we will
hear testimony from GAO on credentialing physicians, which includes
background checks, of course. Your written testimony states that
you have identified instances where background investigations and
reinvestigations were not initiated in a timely manner on employees
and contractors or were not initiated at all. Now, are you telling
this committee that the Department is lacking background checks for
personnel that handle secure data as well?
Mr. Staley. Yes, Mr. Bilirakis.
Mr. Bilirakis. You are saying that.
Mr. Staley. Yes. VBA has recently reported to our office that they
need to conduct about 3,000 new background checks in order to
resolve this issue. So that is one of the reasons our recommendation
remains open and why we continue to monitor it.
Mr. Bilirakis. My God. We identified IT and security deficiencies
at 37 (67 percent) of 55 Veterans' Benefits Administration facilities
reviewed. And this is something that has been in the offing, as you
know, for a long, long time. We have held hearing after hearing
after hearing. We have had roundtables. We can just go on and on
and on.
I guess we can continue to talk about the details here and about
Social Security numbers, but I don't know why in the world we got
away from the old military service numbers, quite frankly, and went
into Social Security numbers. All we did was just compounded the
problem.
Mr. Moran went into the atmosphere of the culture. I would add an
additional word to that, and that is turf, T-U-R-F. Frankly, one
of my biggest disappointments--and I am not a spring chicken. I have
served in the military. You just name it. Basically, I think I
have done it all. Yet it is still one of my biggest disappointments
since coming to the Congress 24 years ago is the turf concerns that
we have up here. I think we probably would function one hell of a
lot better if we weren't as concerned with it as we are. And maybe
it is human nature and maybe it is something we can't ever change
because it is within us. I don't know. But that is a terrible
disappointment on my part.
I might add, too, my first experience with the IG was when I was in
the military, and I saw a lot of power there. I mean, people
straightened up and paid attention when the IG got involved in a
particular situation. Now we have GAO which--thank God for you.
I think, frankly, you do great work. And we have the IG. And yet
we haven't been able to straighten things out at the VA.
Granted, we have secretaries who are political appointments, many of
whom don't even serve the full 4 years that they are appointed. I
think that there is a lot of resentment probably towards them by
the bureaucrats.
Why can't we get these things straightened out? I mean, don't you
have any recommendations to us? Is the only way to get this culture
and this atmosphere that exists there and these turf problems--and I
know you haven't acknowledged that yet, but I think you probably
would acknowledge that turf is part of the problem. Isn't there
any way to get this straightened out without necessarily someone
coming in and saying just we are going to clean out everybody? And
I don't want the papers to report that I have suggested that,
but--clean out everyone and start from scratch? Why should we
continue to--I mean, it creates work for us and whatnot. And maybe
that is good, because we are needed. But, at the same time, why
can't we get past that?
Comments? GAO, Ms. Koontz, say you are queen of the day. I mean,
tell me, what would you do?
Ms. Koontz. Well, I think one of the things that I didn't want to
leave this hearing without saying is that one of the very serious
problems at VA has been the lack of a strong CIO organization, and
VA was very slow to put into place a full-time CIO. That didn't
happen until 2001. And, since then, there has been two CIOs who
have come and gone. Each of them recognized that there was a need
to realign the CIO function and to strengthen it.
We supported the notion that you needed to have centralized security
management, and we supported the idea that the CIO really had to have
a seat at the table and needed to have veto authority, power over
things that just didn't make sense, that weren't standard within
the organization, that shouldn't be connected to the network, that
didn't meet security standards. And what you have seen is that two
CIOs have come and gone and the realignment has yet to happen.
Obviously, VA is very, very resistant to change, quite slow to move.
And I have to say I think it is up to the Secretary to make sure
that the CIO has the support to make the realignment happen in such
a way that we can get a positive result.
Mr. Bilirakis. Should that CIO be someone coming through the ranks,
so to speak, a bureaucrat, or should it be somebody from the
outside?
Ms. Koontz. I think that the CIO has to have particular
qualifications, and the CIO at VA is a political appointment. I
think that the talent and the qualifications of the person is
probably most important, but, also, the support from the Secretary
is very vital.
Mr. Bilirakis. But if that CIO is and has to be--I mean, I don't know
whether that person has to be a political appointment. But if he or
she has to be a political appointment, won't that person maybe
suffer the same problems that the Secretary--any Secretary might
because of resentment and the culture that exists there and this
is an outsider coming in?
Ms. Koontz. I think that will be a challenge for anyone coming up,
either within the ranks or from outside. And, again, I think that
the Secretary has the authority and the power to make sure that the
CIO can be effective in the organization, even though I recognize
there are big challenges in terms of all the reasons that you have
just mentioned--that it is a very large organization, it is very
difficult to change, and there appears to be some resistance to
changing things in this area.
Mr. Bilirakis. In the process--and I don't see the red light on yet,
Mr. Chairman, so I guess I will continue. But in the process of
your investigations and also the investigations of the IG, you go
into the details and you see things wrong and you make
recommendations, but do you take into consideration this culture,
invisible type of thing, culture, turf, atmosphere type thing in
the process? Or do you just concentrate on, I will say, the
tangible, if you will, the mistakes that are made, the
inefficiencies, and things of that nature?
Ms. Koontz. Well, I think--from a GAO perspective, I think we always
try to identify what the root cause is of any particular deficiencies
that we found. And I think we have reported over and over
that--management being a very critical problem at VA in terms of
IT and one that needs to be resolved. So I think we have taken
that into consideration.
Mr. Bilirakis. Mr. Staley, anything to add on that? Again, I said
my experience with you all is that you are awfully powerful, but are
you not powerful as far as the VA is concerned.
Mr. Staley. We continue to make recommendations, Mr. Bilirakis.
In my written testimony, the first recommendation speaks to a
centralized approach which we recognized because each administration
needs to work together to resolve the vulnerabilities that are
talked about in the testimony from 2 to 17, in that all of the
administrations need to work together to achieve success. And I
know there are some very hardworking individuals in each of the
administrations that have specific missions for their specific
administration. But there is a bigger picture here, in that what
everything points to is a standardized approach, and the only way
that can be accomplished is if it is all done as one voice.
Mr. Bilirakis. Do you see continuity? Secretary Principi left,
Secretary Nicholson came aboard. I guess there was probably a
little bit of a gap period of time there. Is there continuity?
How much time is spent by those two secretaries, along with their
chief personnel, to sit down and to kind of go over, hey, this is
what has been a problem, this is what we have accomplished, this
is what we have kind of turned over to you and recommend? Is that
taking place?
Mr. Staley. In the case of Secretary Principi he was very adamant
that the administrations complete their certifications and
accreditation process by August 21, 2005. And he made that happen.
And it also allowed the Department to realize and to catalog the
number of vulnerabilities that it really had to deal with just by
the fact that they were able to certify and accredit all of
their systems. It also gave them a better handle on how many
systems they really had. So Secretary Principi did make progress
in that area, of course; then he had moved on. And now we have
Secretary Nicholson trying to get a handle on this issue.
Mr. Bilirakis. Thank you.
The Chairman. We will have a second round. Ms. Herseth.
Ms. Herseth. Thank you, Mr. Chairman. If I could make just a
request to add on to yours, in working with the committee and with
the GAO to undertake a systematic analysis of the general counsel's
rulings. I would also inquire, Mr. Chairman, as to your willingness
to extend that to look at, in light of Ms. Koontz's acknowledgment
or her explanation of what she thinks is a problem here and a lack
of a strong CIO organization, we have got since 1996 under the
Clinger-Cohen Act, a CIO is supposed to be created in each Federal
agency. It would be interesting to see if we have the same problem
in the other Federal agencies with the lack of a strong organization
with the CIO, if there are other determinations, and maybe we can
extend it.
I only bring it up because we need some continuity across agencies.
And if they are having the same problem in another agency with the
lack of a strong CIO that has led to some of the same problems that
the VA has been experiencing based on a currently decentralized
system but the need for some sort of centralization, we have other
CIOs that have been created in other Federal agencies. And I do not
know if they all communicate effectively about the different problems
they are having, but we do need to facilitate the exchange of
information among these different entities we create after statutory
authority to do so.
The Chairman. Your point is well taken. The reason we focus on this
memo, and we will bring the general counsel up, is that Tony
Principi, the former Secretary, went out and found one of the
Nation's best and brightest in Bob McFarland to be the CIO to take
on these challenges that GAO and IG have laid out. But what happened
is we had a strong intelligent person who is undercut in his
authority to be able to implement it, and that is what we are going
to get to the bottom of.
I yield back.
Ms. Herseth. I appreciate that, Mr. Chairman, and I hope that we
can pursue this in other ways because I think--and this leads to sort
of my next question here--if we can identify where things are working
better in a different agency with a new position that we create,
that way it helps us to identify how we improve, kind of find sort
of the best practices for other agencies.
So that leads me, Mr. Staley, to my question for you. And that is
on page 3 of your written testimony, and I know that Mr. Bilirakis
identified this as well. We have a number, significant percentages
here of our VHA and VBA facilities that have an ongoing problem
with implementing recommendations and have these vulnerabilities.
But has there ever been an analysis as to what is going right or
what steps were taken at the 40 VHA facilities and the 18 VBA
facilities in which these comprehensive reviews have shown that
the recommendations were acted on or they have been able to avoid
or take corrective action to address the vulnerabilities so that as
we seek to centralize and standardize the procedures, is it
differences in leadership at the regional offices? Is it differences
in attitude? We have all posed questions about culture. Is it
differences how resources are being allocated?
I would rather us move--while we can talk for hours about the
problems, maybe we could shift our focus to those sites, those
facilities, that have done a good job, and figure out how we
integrate their practices into our desire to have a more
centralized and effective system to address the vulnerabilities.
Has a similar analysis, trying to figure out and put together
best practices, been completed?
Mr. Staley. Certainly we haven't reported as a cumulative on best
practices, as you have suggested. It is a good point. What we have
done is discuss a best practice or a control in an individual report.
But no, we have not taken those facilities that are complying and
are vigilant about access controls and those kind of issues and
talked about them as: here is a body of work and here is what you
need to do for example. We haven't done that.
We have reached out to these PCIE communities. My IG has reached
out to the PCIE to talk about whether we need to get together as a
group and look at this issue governmentwide. I do know that we are
scheduled to meet with the PCIE in the future and talk about this
very issue.
Ms. Herseth. And the acronym stands for what again? Did you say
PCAI?
Mr. Staley. PCIE, the President's Council on Integrity and
Efficiency.
Ms. Herseth. That was going to be another question. That is the
entity that brings all the offices of the inspector general
together.
Mr. Staley. Yes.
Ms. Herseth. To identify patterns and trends. And how often does
that Council get together?
Mr. Staley. It is routine. I cannot give you an exact time but
usually monthly.
Ms. Herseth. Just as a follow-up, Ms. Koontz, are you aware at the
GAO, do the CIOs created among the different agencies, do they have
a mechanism in which they get together on a regular basis to
share information?
Ms. Koontz. The CIOs also have the CIO Council which was
established--or reestablished under the E-Government Act.
Ms. Herseth. So they all meet together. They are meeting in sort
of subsets of one another, based on whether they are in the IG office
or CIO?
Ms. Koontz. Right.
Ms. Herseth. I will yield back. I hate to end on this note but I
think it is important to put this on the record again because it is
an observation that has some pretty powerful implications. In the
first hearing that we had on the data theft, we secured a written
statement from Dr. Leon Kappelman who is an expert in information
technology in our organization, culture, and operations. Here is
what he observed. He has personally seen VA personnel subvert
and sabotage hundreds of millions of dollars' worth of IT projects
and read about billions more wasted on other failures. I have
seen a total disregard for one cyber security effort after another.
These are only the tip of the iceberg.
Why do such things happen at VA? Largely because these systems and
efforts would make the utilization of budget and personnel more
transparent and thereby make accountability possible. Have either
of you in your work ever seen evidence at different facilities of
personnel intentionally subverting and sabotaging projects designed
to implement recommendations, particularly in the cyber security
and information technology arena?
Mr. Wilshusen. No, I cannot say that I have seen any personnel
sabotaging such projects.
Mr. Staley. The same for me. I cannot recall any specific
instances. Of course we are an audit organization. We do have an
Office of Investigations, but I cannot speak for any specific
instance where that may have occurred.
Ms. Herseth. I appreciate your responses.
Mr. Bilirakis. Will the gentlewoman yield?
Ms. Herseth. Yes, Mr. Bilirakis.
Mr. Bilirakis. As a follow-up on that, how does the VA in your
opinions, particularly GAO because you have experience throughout
all of the other departments and agencies, how does the VA compare
in these areas with the other departments and agencies?
Mr. Wilshusen. At least with regard to information security, every
year we look at the FISMA reports that are required that each agency
is supposed to send to the Congress and also to OMB. Our analysis
of those FISMA reports tends to show that VA and its implementation
of the FISMA requirements tends to be at the bottom end of the
scale, if you will, along with some of the other larger, more
diverse organizations compared to other smaller organizations that
tend to do higher on that particular score. But certainly with VA
reporting material weaknesses since 1998, 1997, it is an indication
that there is a lot of work that needs to be done.
Mr. Bilirakis. Thank you.
The Chairman. Thank you very much. I would like to go to your
issue number one and it deals with the implementation of a
centralized agencywide IT security program. We got to go to this
one because a lot of people will--and it is easy to say this is
the responsibility of the CIO. Really? I suppose that is what
it should be in corporate America and it is. It is what it should
be at the VA but it is not.
So Tony Principi goes out there and he finds one of the best, makes
him the CIO, and then we learn that operational controls are
decentralized among each of the administrations; so VHA, VBA, the
National Cemetery Administration and other programs, they have the
operational control. The CIO can only provide guidance and the
tools to support these activities but has no ability to enforce.
Is that statement correct?
Mr. Staley. That is correct. Correct, sir. That is correct,
sir.
The Chairman. I wanted to make sure I was hearing correctly. That
is an important predicate. It is an important predicate because
we need to figure out what are the lines of authority. If you
figure out what are the lines of authority, then we can get to
the implementation to cure the problem.
In Congress when we looked at this last year on a bipartisan basis,
we moved overwhelmingly, not only in this committee but in the
entire House. Not a single vote against centralizing the IT
system. Whoa, did we get pushed back. The Senate wanted to give
deference to the VA and the bureaucracy became the centurions.
Wow. Then we continued to receive your reports about all of these
issues that are still noncompliant. I suppose, then, if we have a
system that is so decentralized--but let's go back.
We have the Secretary who has the authority. He then extends part
of his authority to CIO and part of that goes to cyber security,
both of which can only do compliance but not enforcement; therefore,
I must assume that enforcement then rests with the three Under
Secretaries. Would that be a correct assumption?
Mr. Staley. That is correct.
The Chairman. So it is now the responsibility of the three Under
Secretaries to implement these recommendations from GAO and IG;
would that be correct? I am looking for responsibility,
Mr. Staley.
Mr. Staley. The CIO in conjunction with VA leadership, they have a
joint responsibility to implement these recommendations. That is
correct, Mr. Chairman.
The Chairman. Okay. Both of you have an incredibly challenging
job. When you see something in error and you keep highlighting
the error and you are trying to work with someone else who says,
I know all about it but I have no authority, and this has been
happening for years.
Let me ask this. On GAO you have got to have a higher authority.
If the GAO turns to the VA and for years you give these
recommendations to cure, yet you have a department of government
that is not implementing GAO recommendations, who is your higher
authority?
Mr. Wilshusen. I would just say, you know, it is the management's
responsibility for implementing those recommendations. We continue
to make them.
The Chairman. Who is the manager of the management?
Mr. Wilshusen. That would be at the agency. It would be the
Secretary and the senior managers of CIO, as others.
The Chairman. Wait a minute, wait a minute. I do not understand
the answer. At the GAO you are overlooking departments of
government, and you have a department of government that is
noncompliant and perhaps even recalcitrant from a bureaucracy
that will not implement the changes, who do you appeal to? Do
you turn to OMB? Do you report this to the White House? Is there
a higher appellate authority? Or do you just say, you know what,
the Secretary reports to the Cabinet and all we can do is we're
auditors. We can tell them what we see and if they act on the
information that is great; if they do not act, well, I guess that
is what happens.
Mr. Wilshusen. Well, we do report to the Department; that is
correct. I do not know if we would appeal to OMB on a specific
instance where a department is noncompliant with implementing
our recommendations.
The Chairman. So your audits would only go to a Secretariat of a
department, and they do not go anywhere else.
Mr. Wilshusen. No, we also send, usually, copies of the
recommendations; and our reports go to different congressional
committees of jurisdiction.
The Chairman. So outside of our oversight and the Senate's
oversight, what oversight is there in the executive branch if
you have a department of government that does not implement
changes to prevent a train wreck? I don't know. If there is
not, just tell me. I am not asking you a question I know the
answer to. I do not know.
Mr. Wilshusen. I guess the only other higher authority might be
the American public, because many of our reports are also publicized
and put on the Web site.
The Chairman. I will stay within the executive branch. Within GAO
is there ever a function whereby you take your report and you send
it to anyone else? The anyone else would be what? The White House.
Because the Secretariats work for the President.
Mr. Wilshusen. Generally, when we would do a governmentwide review,
our recommendations and report would then usually be addressed to the
director of OMB if it has OMB issues in it. But that would not
necessarily be the result of our work that we have been doing over
at VA.
The Chairman. If it has OMB issues on it. All right. Let's go
with theft, fraud, 6 million, right, 6 million, 12 million, these
Bay Pines debacles, hundreds of millions of dollars. That is kind
of OMB implication, right? So if you have got the VA
nonimplementation, was there ever a thought within GAO that, gee,
we probably need to kick this over to OMB? I am just curious. I
do not know.
Ms. Koontz. I think one of the mechanisms that we use is that we
have publicized information security as being a governmentwide
high-risk area since 1997, I believe. And we have put a lot of
emphasis on it and there have been a lot of conversations with OMB
and with the individual agencies about trying to address this
particular weakness.
Mr. Wilshusen. Right. And one other comment, too, is that agencies
are to report how they have implemented the GAO recommendations.
So I guess it is to the GAO oversight committees, which would be
the House Government Reform and Senate Homeland Security, Government
Affairs.
The Chairman. All right. Let's go to Government Reform, because
they ended up coming with the FISMA act. So we put teeth in Privacy
Act violations. Are there sufficient--is there sufficient teeth for
compliance in this act? Do you think Congress needs to come back
in to the FISMA and make them equate with the Privacy Act violation?
Mr. Wilshusen. I do not think there are any particular, I will
say, penalties.
The Chairman. Enforcement mechanisms? Tools?
Mr. Wilshusen. Right. Other than agencies are required to report
to Congress and to OMB on the progress of implementing FISMA.
The Chairman. And there are no consequences for not?
Mr. Wilshusen. For not reporting? I do not know if that has
happened. I think each agency has reported.
The Chairman. Ms. Koontz, I can remember the first time in your
testimony before one of the subcommittees that I chaired, the VA
was the last to go out and get a CIO that I recall. It was driving
me crazy with the Clinger Act. And that is when I first--I had
deep respect for you because you went right at it. And our
difficulty right now is that we have so many of these security
vulnerabilities, key controls, information that should have never
been taken down, information that does not even--if you have an
individual that gains access to particular information, it is not
even time sensitive.
This is going to take a tremendous amount of work to put this one
together. Does anybody else have further questions? Mr. Moran.
Mr. Moran. No, sir.
The Chairman. Mr. Bilirakis.
Mr. Bilirakis. I guess you have to go over there.
Mr. Michaud. Yes. Thank you, Mr. Chairman. FISMA applies to
national and nonnational security systems. The data that was
stolen, does that fall in that category as national or nonnational
security?
Mr. Staley. Sir, I am really not able to comment at this time, in
that we currently have an ongoing administrative investigation and
we are also doing a set of comprehensive policy reviews as well and
working with the Justice Department. And I believe our intention
is to get that report out at the end of the month to the Department
for comment, and then to issue it to the public and to the Hill by
mid-July.
Mr. Michaud. So you cannot comment whether it was national or
nonnational?
Mr. Staley. I would not be able to comment, sir.
Mr. Michaud. Assuming that it was or is a national or
nonnational--assuming that it was or it is--my question is that on
August 1 of 2003, the general counsel issued an advisory opinion to
address the extent of the authority and responsibility to the VA
chief information officer contemplated by the Federal Information
Security Management Act of 2003 as a national security information
and information system. It held that FISMA charges the CIO with
certain security responsibilities, a major one being the development
and maintenance of information security policy, procedures and
controlled techniques to ensure security requirements issued by
the President and OMB requiring national and nonnational security
systems are met. FISMA requires the CIO to develop and implement
an agencywide security program to achieve these purposes. Has this
happened? Why or why not?
Mr. Staley. Certainly. Our reports have repeatedly shown that
security vulnerabilities continue to exist in many facets of the
Department, and that the VA itself even reported receiving
an F grade in terms of IT security. I think, as GAO had pointed
out, they have a long way to go to mitigate these vulnerabilities
and to have a sound comprehensive IT security program.
Mr. Michaud. When will you know whether or not this is a national
or nonnational security issue?
Mr. Staley. Well, our report will be issued mid-July and it is
conducting a comprehensive review of policy procedures and these
other issues.
Mr. Michaud. Thank you, Mr. Chairman.
The Chairman. Mr. Filner.
Mr. Filner. I thank the panel for being here. I want to make two
quick comments, Mr. Chairman. We can go through all of this analysis
(We used to call it "analysis paralysis") and recommendations.
Between the lines of the bureaucratese and the big words everybody
is using, there is a failure of management at the very top. The
Secretary has not taken control, and we should hold him accountable.
It is as simple as that, as far as I can tell.
Secondly, it has been 6 weeks since this theft of data. The
Department of Veterans' Affairs finally got out a letter to people
who were impacted by this theft, although they said they didn't get
a letter out earlier because they did not have enough envelopes.
The letter gives the veteran little support or help. The Web site
that everybody has been referred to gives little or no help. The
800 number gives little or no help. Basically, the VA leaves it
to the individual veteran to solve this massive issue.
It is about time that the VA had an answer for these veterans. We
are going to make sure nothing happens again--that we have centralized
IT--but we still have this problem. Veterans are not getting the
help, and they better! I do not know how many people are sitting
out there from the VA Department. They have a lot of people
monitoring stuff rather than doing stuff. You better come back
with a proactive stance soon. It has been 6 weeks. We should not
go another week without having some help and hope for these
veterans.
The Chairman. Thank you, Mr. Bilirakis.
Mr. Bilirakis. Thank you, Mr. Chairman. To get clear here--and
maybe we already are, I do not know--the General Accountability
Office used to be the General Accounting Office. So your
responsibility is accountability. Is that accountability limited
to just making recommendations?
Mr. Wilshusen. Well, we do follow up to see if they are taking
corrective actions on our recommendations.
Mr. Bilirakis. And if they haven't, that is it?
Mr. Wilshusen. Well, we report on that.
Mr. Bilirakis. You report on that.
Mr. Wilshusen. Yes. We do not have the authority to actually
implement the actions at the organizations.
Mr. Bilirakis. So I guess it really gets back to, again, what we
have been talking about here, not really knowing where the buck
stops. And it really, I guess, stops with the head of the VA, I
suppose, the head of the particular agency or department.
Mr. Wilshusen. Well, under FISMA he is responsible for
implementing appropriate safeguards.
Mr. Bilirakis. Now, the IG, sir, I keep coming back to you because I
keep thinking that you have, or should have maybe, more authority.
Again, in your case, what is it? You uncover things that go wrong
and you make, what, you make recommendations, then?
Mr. Staley. Yes, sir. At the conclusion of our audits we make a
series of recommendations to the Department. The leadership in the
Department is responsible for implementing those recommendations.
We have a follow-up system to determine whether their implementation
plans are adequate and, again, if the recommendations are not
implemented, we report them as such.
Mr. Bilirakis. You report them to, again, going back.
Mr. Staley. They are in our semiannual report to Congress and to
the Secretary. And we leave them open and we continue to ask the
Department for corrective action.
Mr. Bilirakis. Mr. Chairman, again, we can talk about details here,
but I am not sure even--we come up with legislation and we come up
with laws and we mandate certain things and whatnot, but we are
awfully busy people, despite the fact that we have oversight
subcommittees. We are awfully busy people and we go off to maybe
fight another fire or whatever the case might be. So it still comes
down, I think, to culture and the mental state of the people who
should be doing this job.
I do not really have any hope, I do not care how many hearings we
hold, that any of that is going to change until the culture
basically changes in the VA and the other organizations, here
in this committee where our concern is the VA. It has always been
my biggest concern ever since I have been in the Congress. It
is disappointing. Thank you, Mr. Chairman.
The Chairman. Thank you, Mr. Bilirakis.
Ms. Koontz, I have to go back to the issue on GAO and what actions
are taken when there is a Department that may not act. Have you ever
seen any other Department or agency of government not act on your
recommendations with regard to IT?
Mr. Wilshusen. Well, I would also just like to say with regard to
VA, that on many of our recommendations that they have taken
corrective actions, usually on the specific, detailed, technical
control findings that we would identify. I do not want to leave
the impression that they have not done anything. But with regard
to the larger recommendations related to implementing an
entitywide security program, their efforts have fallen short in
that area.
Other agencies where we have conducted repeatable work, we find
similar situations where we can make a number of detailed technical
findings and recommendations. And often they will act on those,
but it is more in terms of acting proactively and taking what they
learned in terms of the identified findings and seeing if they
exist elsewhere where they fall short. And again it often comes
down to not having implemented an information security program
agencywide. And, yes, those incidents do occur where we have
made recommendations, and they have not yet fully implemented
them.
The Chairman. Tomorrow in the Commerce Committee under part of
Mr. Bilirakis' leadership, along with Nathan Deal and Sherrod
Brown, on a bipartisan basis, we are going to deal with the health
record and the security of the health record and these kind of
issues. We are going to create a position for a national
coordinator within HHS so that we move toward more of a
standardization with regard to plans and policies programmatics
with the health record.
And so it is interesting. We are going to try to create that czar
over the health record to make sure that everybody--and we moved
to centralized--so here we are, Mr. Bilirakis and I, on the Commerce
Committee, yet we are not going to defend a stovepipe. The
stovepipe in this case would be our jurisdiction of the VA.
So when Mr. Bilirakis talks about the turf and everybody defending
the turf, we are going to have to move toward the empowerment of
this national coordinator to make sure it all gets implemented so
we are not decentralized. So as we talk about centralized, what I
see is that is the trend line, that is where everybody is going.
I asked staff, Ms. Koontz, to give up the August 1, 2003, memorandum
from the general counsel that was read by Mr. Michaud. I give it
to you because as you look at this question for us with regard to
general counsel and the interpretation of the FISH bill, this is
on August 1, 2003, they make a holding that is completely different
than the April 2004. So it is almost like what happened over the
year? So it will be interesting, the way to get into this. And
we will be having Admiral Goss and Bob McFarland both come
in and give their testimony about what happened.
These were two individuals who were attempted to have been empowered,
and then their authorities were taken away and we have ended up with
this mess. I think it is clear to the American people that this
loss of data was not caused by just the negligent act of just one
person. We have a systemwide meltdown of information management
systems, and what we are going to do here in Congress is move a
package that attempts to not only take actions to assist the
veterans but also what can we do with regard to implementation
down at VA?
I want to thank you for your leadership. We look forward to looking
to your report. And, Ms. Koontz, I have a feeling that you will be
back before us soon. This hearing is now concluded.
[Whereupon, at 12:15 p.m., the committee was adjourned.]