[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]


 
           ACADEMIC AND LEGAL IMPLICATIONS OF VA'S DATA LOSS

=======================================================================

                                HEARING

                               before the

                     COMMITTEE ON VETERANS' AFFAIRS
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 22, 2006

                               __________

       Printed for the use of the Committee on Veterans' Affairs

                           Serial No. 109-56


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
28-452                      WASHINGTON : 2007
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                     COMMITTEE ON VETERANS' AFFAIRS

                     STEVE BUYER, Indiana, Chairman
MICHAEL BILIRAKIS, Florida           LANE EVANS, Illinois, Ranking
TERRY EVERETT, Alabama               BOB FILNER, California
CLIFF STEARNS, Florida               LUIS V. GUTIERREZ, Illinois
DAN BURTON, Indiana                  CORRINE BROWN, Florida
JERRY MORAN, Kansas                  VIC SNYDER, Arkansas
RICHARD H. BAKER, Louisiana          MICHAEL H. MICHAUD, Maine
HENRY E. BROWN, JR., South Carolina  STEPHANIE HERSETH, South Dakota
JEFF MILLER, Florida                 TED STRICKLAND, Ohio
JOHN BOOZMAN, Arkansas               DARLENE HOOLEY, Oregon
JEB BRADLEY, New Hampshire           SILVESTRE REYES, Texas
GINNY BROWN-WAITE, Florida           SHELLEY BERKLEY, Nevada
MICHAEL R. TURNER, Ohio              TOM UDALL, New Mexico
JOHN CAMPBELL, California            JOHN T. SALAZAR, Colorado
                   James M. Lariviere, Staff Director


                            C O N T E N T S

                               __________

                             June 22, 2006

                                                                   Page
Academic and Legal Implications of VA's Data Loss................     1

                           OPENING STATEMENTS

Chairman Steve Buyer.............................................     1
    Prepared statement of Chairman Buyer.........................    50
Hon. Bob Filner, a Representative in Congress from the State of 
  California.....................................................     3
Hon. Ginny Brown-Waite, a Representative in Congress from the 
  State of Florida, prepared statement of........................    55
Hon. Corrine Brown, a Representative in Congress from the State 
  of Florida, prepared statement of..............................    57
Hon. Silvestre Reyes, a Representative in Congress from the State 
  of Texas, prepared statement of................................    61
Hon. Stephanie Herseth, a Representative in Congress from the 
  State of South Dakota, prepared statement of...................    63
Hon. Tom Udall, a Representative in Congress from the State of 
  New Mexico, prepared statement of..............................    65

                               WITNESSES

Brody, Bruce A., Vice President, Information Security, INPUT, 
  Reston, VA, and former Associate Deputy Assistant Secretary for 
  Cyber and Information Security, U.S. Department of Veterans 
  Affairs........................................................     7
    Prepared statement of Mr. Brody..............................    76
Cook, Mike, Co-Founder, ID Analytics, San Diego, CA..............    11
    Prepared statement of Mr. Cook...............................    85
McClain, Hon. Tim S., General Counsel, U.S. Department of 
  Veterans Affairs...............................................    29
    Prepared statement of Mr. McClain............................    92
Spafford, Eugene H., Ph.D., Professor and Executive Director, 
  Purdue University Center for Education and Research in 
  Information Assurance and Security (CERIAS), West Lafayette, 
  IN; Chair, U.S. Public Policy Committee, Association for 
  Computing Machinery (USACM); and Member, Board of Directors, 
  Computing Research Association (CRA)...........................     5
    Prepared statement of Dr. Spafford...........................    67

                    MATERIAL SUBMITTED FOR THE RECORD

Statements:
    Kappelman, Leon A., Ph.D., Professor of Information Systems, 
      Director Emeritus, Information Systems Research, Fellow, 
      Texas Center for Digital Knowledge; Associate Director, 
      Center for Quality and Productivity, Information Technology 
      and Decision Sciences Department, College of Business 
      Administration, University of North Texas..................   110
Post-hearing written Committee questions and the responses:
    Chairman Buyer to U.S. Department of Veterans Affairs........   111
    Chairman Buyer to Mr. Bruce A. Brody (INPUT).................   118
    Chairman Buyer to Mr. Mike Cook (ID Analytics)...............   121


       THE ACADEMIC AND LEGAL IMPLICATIONS OF THE VA'S DATA LOSS

                              ----------                              


                        THURSDAY, JUNE 22, 2006

                     U.S. House of Representatives,
                             Committee on Veterans Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to call, at 10:35 a.m., in Room 
334, Cannon House Office Building, Hon. Steve Buyer [Chairman 
of the Committee] presiding.
    Present: Representatives Buyer, Bilirakis, Moran, Brown of 
South Carolina, Miller, Brown-Waite, Filner, Snyder, Michaud, 
Herseth, Strickland, Reyes, Berkley, Udall, Salazar.
    The Chairman. The full Committee of the House will come to 
order, June 22nd, 2006.
    Good morning, ladies and gentlemen. We are here today to 
receive testimony on best practices from experts in the field 
of information security and data breaches. We will also hear 
from the Department of Veterans Affairs' General Counsel about 
the legal implication of the VA's information security breach 
and data loss.
    This hearing is part of a series that will help us 
determine how to understand the scope of the problems, so we 
can then proceed to assist in the correction of these concerns 
of the department. We are systematically examining key aspects 
of the security breach, and reviewing best practices, and 
thinking in the realm of information security.
    Last week, we heard testimony from the VA inspector general 
and from the Government Accounting Office, who provided 
historical context. The context is sobering. Even as far back 
as 1997 the GAO had begun to examine these problems, and then 
in 2002, they recommended the VA centralize its IT security 
management functions and establish an information security 
program. The VA's own inspector general has gone on the record 
with a similar litany of warnings that have been largely if not 
completely ignored. The VA's assistant inspector general for 
audit told us the IG has reported VA information security 
controls as a material weakness in its annual consolidated 
financial statements, since the fiscal year 1997 audit.
    VA's IT Information Security Management Act audits have 
identified significant information security vulnerabilities 
since fiscal year 2001. A reasonable person might ask what the 
VA is waiting for. The IG and GAO, our investigations have 
shown, are not alone in their support for centralized IT 
management. On June 8th, I held a roundtable discussion with 
information technology experts from business, including Goldman 
Sachs, EMC Corporation, Visa, Citigroup, Tri-West, and American 
Bankers Association. At my invitation attending also was the 
chairman of the military quality of life and veterans' 
appropriations Subcommittee, Jim Walsh.
    These experts offered candid appraisals, and emphasized the 
importance of centralized information security management. None 
from a good business sense could endorse the VA's approach, the 
federated model, which still shows a significant degree of 
decentralization. One of the experts said, quote, ``I see the 
federated approach as an excuse for lack of controls.''
    As part of our approach, the Subcommittee on disability 
assistance and memorial affairs held a hearing on Tuesday, on 
information security at the Veterans' Benefits Administration. 
Yesterday, the Subcommittee on health examined how the 
Veterans' Health Administration maintains security and 
integrity with electronic health records of patients. Both 
systems face challenges. We are aware of problems with the 
Benefits Administration. The VA IG has testified that at VHA, 
tens of thousands of VA's health records have been sent by 
unencrypted e-mail, and were made vulnerable to interception. 
Problems with uncontrolled access to data, password protection, 
and even a failure to terminate access for long-departed 
employees, made the conditions for additional disasters. The 
more we learn about the awful results of decentralization, in 
contrast to the bright promises offered by some VA officials, 
the more we see the system has no departmental standards. And 
more important, the system, if you call it that, does not 
identify who is in charge of developing policy, implementing 
policy, or enforcing policy.
    It does not have to be this way. Today, experts from the 
academic world will also provide insights into the cutting edge 
information security theories and concepts. The recent passing 
of management expert, Professor Peter Drucker, reminds us that 
not all expertise is to be found in the world of practice. We 
have much to learn from those who earn their pay strictly from 
the work in their minds.
    We will then turn to the department's General Counsel, the 
Honorable Tim McClain, who will provide testimony regarding the 
legal implications of VA's data breach. I will also be 
interested in learning more about the legal review process for 
VA's information security directive for the past three years. 
Also, I want to learn more about the adequacy of the VA's legal 
authority to provide credit counseling and compensation to 
veterans affected by the loss of their personal information.
    Next week, completing a series of hearings, the full 
Committee will receive testimony from former VA chief 
information officers. And finally, we will hear from Secretary 
of Veterans' Affairs Nicholson, and the department's senior 
leadership, with an update on the progress being made in the 
department. So please be sure to note these important dates on 
your schedule.
    This weekend, we learned that a laptop stolen from a 
contractor working for the city of Washington DC, compromised 
sensitive information on thousands of city employees. While we 
are now seeing that data security has broad implications across 
the country and across government, what we would like to see is 
VA moving from worst disaster to best practice.
    We look forward to your testimony. I recognize the Ranking 
Member for any comments that he might have. Mr. Filner.
    [The statement of Chairman Buyer appears on p. 50.]
    Mr. Filner. Thank you, Mr. Chairman, and as we said last 
week, thank you for embarking on this series of oversight 
hearings. I don't think it's any accident that the VA announced 
finally some proactive measures yesterday. I think it's the 
calendar that you have outlined, reporting will have to be 
done, that has sparked some activities. I think this is the way 
that we, Congress, must proceed in terms of oversight, so I 
thank you so much.
    As you have pointed out, we have to figure out what 
happened, how it happened, how to prevent it, who was 
responsible, and of course, what can be done in the future. As 
Chairman Buyer has pointed out, on many occasions, we have 
heard that long-standing problems in cyber and information 
security went uncorrected at the VA for unconscionably long 
times. We have heard testimony before this Committee that the 
problem lies within the VA's culture of resistance to change, 
including being impervious to change in, of all arenas, 
information security. One written statement at a previous 
hearing offered a rationale for the resistance of VA, a desire 
to avoid accountability.
    Mr. Chairman, last week you and Dr. Snyder both noted 
apparent problems and conflict with the General Counsel 
opinions in 2003 and 2004. The net effect of these opinions, 
and we will hear what the General Counsel says, was to create 
confusion at VA regarding aspects of enforcement authority for 
information security. How could this happen if the Federal 
Information Security Management Act of 2002 was created just to 
resolve these very problems? And we have seen evidence of the 
difficulty of implementing change in the IT culture at VA.
    For me, as for you, Mr. Buyer, the most illustrative 
example of that resistance was Secretary Principi's failed 
directive to centralize control of the IT under the chief 
information officer. His was the right solution, but it never 
happened. When the edicts of the Secretary and his team are 
ignored by the agency, it is time for the Secretary to clean 
house. In this case, I and a number of my colleagues will be 
pleased to help move that process along.
    All too often, we hear about policy changes at VA that are 
in the works, or we hear about half solutions and changes that 
are just around the corner. Problems were raised about the HR 
links program, but substantive solutions were never 
implemented. HR links was a good idea, but leadership was 
needed, and there was none. The result: about a third of a 
billion-dollar loss to taxpayers.
    VETSNET will automate critical functions associated with 
the compensation and ratings awards, if it is ever fully 
implemented. But I note that the future tense is always used to 
address hopeful solutions to VETSNET, for over a decade, now.
    The core FLS is another example of a major information 
technology failure in the multi-hundred million dollars loss 
range, and the root cause I think is evident: mismanagement at 
the top.
    We must move the entrenched culture inside the agency to 
conform to what is best for the entire agency and for veterans. 
That is why we are here. At a minimum, as is often suggested by 
the Inspector General, implementation of a robust and 
standardized policy would be helpful. That has yet to happen.
    At our last full Committee hearing, Mr. Michaud referred to 
a threat by an offshore-based subcontractor to post medical 
information about 30,000 veterans on the Internet. Yet, when 
Committee staff asked about the off-shoring of medical 
transcript and services in previous years, they were told that 
there was no evidence of such activity. The IG now seems to 
have found ample evidence in a report released last week.
    This indirection and indifference by the Veterans' 
Administration regarding its protection of sensitive 
information must halt. We need to have straight shooting with 
Congress and with the American people.
    Finally, Mr. Chairman, the magnitude of the loss of the 26 
million records, plus apparently hundreds of thousands of 
others, is breathtaking. It looks like we are moving in a 
proactive way, although we have yet to see what contractor will 
win the contract. I hope we don't give the contract to 
Halliburton. In fact, one of the companies that is here today 
has offered the public service of doing it for very little, if 
any, cost to taxpayers.
    So we must assure that any promises we make to fix the 
problem can actually be kept. We must set expectations for 
veterans that can be delivered, and have the willpower to keep 
those promises. Let us keep the faith with our veterans. Thank 
you, Mr. Chairman.
    The Chairman. Thank you very much.
    Our first panel includes Dr. Eugene Spafford, Ph.D., who is 
a professor of computer science and is Executive Director for 
the Center of Education and Research in Information Assurance 
and Security, at Purdue University. Next, we have Mr. Bruce 
Brody, Vice President of Information Security for INPUT, and 
former Associate Deputy Assistant Secretary for Cyber and 
Information Security with U.S. Department of Veterans Affairs. 
And finally, we have Mike Cook, Vice President of ID Analytics.
    Dr. Spafford, personally I want to thank you for--often, 
the Federal government has turned to you for your counsel. We 
did in the mid-1990s, with the DOD. You assisted the Department 
of Air Force, you have helped out with the FBI, we have turned 
to your expertise in regard to NSA, and once again we are now 
turning to you, and you don't hesitate. And so there is 
something inside that says, ``Yes, I have knowledge, I have 
some expertise, and I am willing to help my country.'' And you 
have been there, and you have also served on the president's 
advisory. I welcome all the members--how many of these do you 
have, or can you gain access to?
    Dr. Spafford. I believe we have about 50 or 70 of them out 
there.
    The Chairman. You have about 50 or 70 of them out there? 
You are only here by yourself? You have somebody with you, 
staff?
    Dr. Spafford. There is somebody here, yes.
    The Chairman. Well, somebody go out there and get one of 
these to Tim McClain for me right now, while he can flip 
through this. Tim, have you seen this before?
    Mr. McClain. No, sir, I haven't.
    The Chairman. It is very interesting. If you would grab 
that box, I want to make sure everybody, all of my colleagues 
have this.
    Look how it is titled: ``Cyber Security, a Crisis of 
Prioritization.'' The president put these experts together.
    [The report is being retained in the Committee files and 
can be found on the internet at: http://www.nitrd.gov/pitac/
reports/20050301_cybersecurity/cybersecurity.pdf.]
    Dr. Spafford, you are recognized.

    STATEMENTS OF EUGENE H. SPAFFORD, PH.D., PROFESSOR AND 
   EXECUTIVE DIRECTOR, CENTER FOR EDUCATION AND RESEARCH IN 
  INFORMATION ASSURANCE AND SECURITY, PURDUE UNIVERSITY, WEST 
LAFAYETTE, IN, CHAIR, U.S. PUBLIC POLICY COMMITTEE, ASSOCIATION 
   FOR COMPUTING MACHINERY, AND MEMBER, BOARD OF DIRECTORS, 
    COMPUTING RESEARCH ASSOCIATION; MR. BRUCE A. BRODY, VICE 
PRESIDENT, INFORMATION SECURITY, INPUT, RESTON, VA, AND FORMER 
ASSOCIATE DEPUTY ASSISTANT SECRETARY FOR CYBER AND INFORMATION 
  SECURITY, U.S. DEPARTMENT OF VETERANS AFFAIRS; AND MR. MIKE 
         COOK, CO-FOUNDER, ID ANALYTICS, SAN DIEGO, CA

                  STATEMENT OF EUGENE SPAFFORD

    Dr. Spafford. Thank you, Chairman Buyer and Members of the 
Committee. It is my pleasure to be here to attempt to help in 
this case. We are here because of the significant breach of 
security and privacy at the Veterans' Administration. That 
incident has obviously exposed many people to increased risk of 
identity theft, credit fraud, and other kinds of criminal 
activities. I would like to point out, however, that it is more 
than a financial impact that is potentially there. In addition, 
some of our active-duty personnel and veterans may find 
themselves denied security clearances, or find their names 
added to the TSA's no-fly list, because somebody else has 
misused their identity. And if you have ended up on the no-fly 
list and tried to get off, you know how difficult that is. And 
they may also face criminal warrants or civil actions 
because others have committed crimes in their name.
    This problem is not unique to the Veterans' Administration, 
however. A recent article in ``Computer World'' noted that 
since the start of 2005, there have been nearly 200 similar 
incidents, resulting in significant disclosure of personal 
information, with nearly 90 of those incidents occurring since 
the beginning of this year. The total number of records 
disclosed by all of these incidents to date is 88 million. What 
is more, those are only the detected and reported incidents. 
The actual number is certainly much larger.
    For decades, professionals in the field of information 
security have been warning about the dangers of weak security, 
careless handling of data, lax enforcement policies, and 
insufficient funding for both law enforcement and research. 
This is similar to what you have been hearing from the 
Inspector General of the Veterans' Administration. Our warnings 
and cautions have largely been dismissed, however, as unfounded 
or too expensive to address. Unfortunately, we are now seeing 
the results of that lack of attention with incidents such as 
what happened at the VA.
    In addition, we have seen new levels of sophisticated 
computer viruses and spyware emerging, increasing cyber 
activity by organized crime around the world, and significant 
failures of security across a wide variety of public sector 
entities and government agencies. In the brief time that I have 
for my verbal remarks, I want to make special note of one 
particular failure present in this case that you have already 
identified. There is no centralized position that has all of 
the three components that are necessary to effectively manage 
information security: resources, accountability, and authority.
    There should be either the CIO or CISO, Chief Information 
Security Officer, who has adequate funding and trained 
personnel to carry out a comprehensive security plan. That 
office, and the management above it, must be held accountable 
for failures to satisfy necessary standards, and successfully 
pass audits.
    Last of all, that same office must have authority to make 
changes, shut down systems if necessary, and sanction employees 
for cause. There are other information security problems at the 
VA and elsewhere in the government which were not directly 
involved in the May disclosure incident, but could prove 
problematic later. It is beyond the scope of this testimony to 
describe all of them. It is also beyond the scope of this 
testimony to summarize the magnitude of cyber threats currently 
facing our information infrastructure, including the Veterans' 
Administration. There are a number of reports describing these 
threats, and I can summarize simply by saying the situation is 
poor, and getting worse. Regrettably, I believe the situation 
is going to get worse because the problems have been ignored 
and neglected for too long to be quickly remedied.
    As a member of academia, I wanted to say that we can offer 
few immediate solutions. Although we have several good programs 
at many colleges and universities across the United States, we 
are producing too small a number of students to meet the 
demand. Exacerbating this is a lack of resources. Outside of a 
few underfunded programs through the National Science 
Foundation that award competitive grants to faculty, and a few 
congressionally directed allocations to a few university 
projects around the country, there is almost no funding for 
basic research, capacity development, or infrastructure 
acquisition, for the programs working in information security. 
As an example, the center I direct at Purdue University, 
CERIAS, is the nation's leading center in multidisciplinary 
information security research and education, with over 80 
faculty, and we are graduating nearly 25 percent of the 
nation's Ph.D.'s in information security. CERIAS, in its 
nine-year lifetime, has never received any government support, 
although some individual faculty receive funding from agencies 
such as the NSF for individual research.
    As is the case with many of my peer institutions, our 
ability to make progress in education and research is limited 
by a severe lack of resources. In February, 2005, as Chairman 
Buyer noted, the President's Information Technology Advisory 
Committee issued this report, based on hearings and 
considerable study by many experts, myself included. That 
report was entitled ``Cyber Security, a Crisis of 
Prioritization.'' It described the nature of the problems with 
cyber security, and some of the trends. It also analyzed the 
inadequate Federal response to those challenges. It outlined in 
some detail an agenda to begin to address some of our cyber 
security problems. The response to that report was similar to 
other reports that have been issued over the years. Only one of 
the four recommendations has been acted upon, and PITAC was 
disbanded.
    I encourage members of the Committee to carefully read the 
PITAC cyber security crisis report. I participated in the 
research and writing of that document, and it goes into 
considerable detail about problems such as those faced at the 
VA, and issues behind our cyber security deficit, as well as 
making some concrete suggestions on how those issues might be 
addressed. I have also included some other recommendations in 
my written testimony, including a comprehensive list of 
recommendations for data privacy protection, as developed by 
the ACM's U.S. public policy Committee.
    I welcome your questions and working with you to help 
address these problems. Thank you.
    [The statement of Dr. Spafford appears on p. 67.]
    The Chairman. Thank you very much. Did all the members 
receive one of these? Everybody has got one? All right, thank 
you.
    Mr. Brody, you are now recognized.
    Mr. Brody. Mr. Chairman, Representative Filner, and members 
of the Committee, my name is Bruce Brody. As a veteran, I am 
very grateful for the opportunity to address this distinguished 
Committee today. With the Chair's permission, I will provide a 
brief overview, and then submit a longer statement for the 
record.
    The Chairman. Hearing no objection, so ordered. Dr. 
Spafford, did you have a written statement that you would like 
to be submitted for the record?
    Dr. Spafford. He has it.
    The Chairman. Mr. Cook, do you have a written statement you 
would like submitted for the record? All right. Hearing no 
objection, so ordered. All the statements will be submitted for 
the record.

                    STATEMENT OF BRUCE BRODY

    Mr. Brody. I am the Vice President for Information Security 
at INPUT, a market research firm based in Reston, Virginia. 
From 2001 to 2004, I was the Associate Deputy Assistant 
Secretary for Cyber and Information Security at the Department 
of Veterans Affairs. And from 2004 until January of this year, 
I was the associate chief information officer for cyber 
security at the Department of Energy. I believe that I am the 
only person ever to have served as the chief information 
security officer at two Cabinet-level departments.
    Like the members of this Committee and my fellow veterans, 
I view the loss of personal information of more than 26 million 
veterans as willful disregard for responsible behavior, and 
blatant contempt for established Federal security and privacy 
requirements by senior VA leadership. I urge this Committee to 
look very carefully at the following factors, which I believe 
contributed to the decades of information security and privacy 
neglect at the VA, that have been documented by the Inspector 
General and the Government Accountability Office.
    First, someone with appropriate substantive expertise must 
be empowered to set and enforce privacy and cyber security 
requirements, which will include the physical security 
requirements for how such records are maintained, and the 
personal security requirements for who is allowed access to 
such records. When I was first introduced to this Committee in 
April of 2001, I thought that the Secretary had hired me for 
that purpose. However, the apparent authorities invested in the 
CIO under the Clinger Cohen Act, and the Paperwork Reduction 
Act, and both the CIO and the CISO in the Computer Security Act 
of 1987, the Government Information Security Reform Act of 
2000, and finally, in the Federal Information Security 
Management Act of 2002, were not accepted by VA's leadership. I 
quickly learned that the department's chief information officer 
only had authority to advise, encourage, support, and persuade 
the administrations, insofar as information technology programs 
were concerned.
    In addition, I learned that the CIO had no authority to 
direct compliance. These points were captured in a memorandum 
from the assistant General Counsel dated October 6, 2000. 
Difficulties with this advise, encourage, support, and persuade 
approach to the CIO's management authority were raised at a 
March 12th, 2002, oversight Committee hearing by both Chairman 
Buyer and Ranking Member Carson, questioning the ability of the 
then-CIO to get the job done without line authority.
    Later that year, Secretary Principi took actions to direct 
the centralization, and enhance line authority of the CIO 
function, presumably acting on the recommendations of this 
Committee. But unfortunately, the Secretary's direction met 
with bureaucratic inertia and cultural resistance, and was 
never fully implemented.
    Subsequent to my arrival at the VA, the Government 
Information Security Reform Act, followed by the Federal 
Information Security Management Act, were enacted in 2000 and 
2002, respectively. Not being an attorney, I cannot offer legal 
opinions about what the words of these statutes mean. I can 
only apply common sense to the purpose of these important 
pieces of legislation. It seemed to me that after all was said 
and done, if the opinion of the assistant General Counsel 
issued in October 2000 was correct, then the Congress went 
through nonsensical amounts of effort to produce the 
legislation and provide such detail concerning specific 
responsibilities. It became all the more apparent that 
clarification was needed, following the MS Blaster malicious 
software incident in the second half of 2003.
    In advance of what proved to be a serious malicious 
software attack represented by MS Blaster, my office provided 
the necessary alerts, and also distributed notification 
concerning the necessary patches, throughout the VA enterprise. 
These alerts were widely ignored, and VA networks were savaged 
as a result. The apparent authorities invested in the CIO in 
the Clinger Cohen Act, and in the CIO and CISO in FISMA, did 
not seem to be accepted by VA or its leadership.
    As a result, I concluded that there was no longer any point 
in attempting to introduce cyber security changes in the VA 
unless there was a clear statement of authority to do so. That 
was when I requested the General Counsel opinion about FISMA 
authorities for the CIO and the CISO.
    Just prior to the MS Blaster attack, I had requested a 
clarification from the General Counsel concerning the 
responsibilities of the CIO under FISMA for national security 
and non-national security information and information systems. 
In a memorandum signed by the General Counsel, dated August 
1st, 2003, it was reinforced that the various security 
functions of the department, specifically information security, 
physical security, and personnel security, would remain under 
the authority of their respective offices. According to the 
memorandum, the CIO was allowed to issue policies pertaining to 
information security, but the daily operations of security 
clearance determinations, investigations, physical storage, and 
related activities wouldn't be placed under the purview of the 
CIO.
    Subsequent to the MS Blaster attack, I requested a 
clarification from the General Counsel concerning the authority 
of the CIO to enforce compliance with security legislation and 
regulations. In a memorandum signed by the General Counsel on 
April 7th, 2004, it was asserted that the CIO cannot order or 
enforce compliance with information security requirements. 
Because FISMA used the word ``ensure,'' instead of the word 
``enforce,'' the General Counsel stated that the only recourse 
for the CIO when a security requirement was violated was to 
complain to the Secretary.
    The result of these two opinions was extremely unfortunate 
for the department. In effect, the first of these memos 
fragmented security authorities, and the second said that the 
CIO had no authority to enforce policies or to hold people 
accountable for violating policies. These memos accurately 
captured and reinforced the culture of the department, where 
resistance to central authority, and doing business according 
to hundreds of different local practices, have always been the 
norm.
    In day-to-day operations, these memos ensured that the 
fragmentation of security authorities enabled the lack of 
background investigation for individuals with access to VA 
networks, systems, resources; the unchecked access to VA 
information by foreign corporations and foreign nationals; 
limited to nonexistent logical and physical access controls for 
major medical systems; the disruption and denial of service 
from malicious software attacks such as MS Blaster, and 
hundreds of other negative information security findings, as 
highlighted in the reports of the independent public auditor, 
the Inspector General, and the Government Accountability 
Office.
    I would ask the Committee if it agrees that the Clinger 
Cohen Act and FISMA do not require a Secretary, CIO, and CISO 
to set and enforce the security requirements of the FISMA 
legislation. If FISMA and the Clinger Cohen Act did not convey 
the authority and accountability for enforcing security and 
privacy requirements, perhaps the Congress needs to amend these 
bills to so state. My personal experience is that the mismatch 
of authority and accountability from the CIO and CISO affects 
other departments and agencies to the same extent as it affects 
the VA. And I encourage legislative action to clarify this 
situation and possibly prevent more serious incidents from 
occurring.
    But the bottom line for the VA was that the two General 
Counsel memos reinforced the VA culture. And the VA culture is 
the root cause of this problem. The VA culture can be 
highlighted even further in the paper trail of nonconcurrences 
on VA directive 6500, the information security program.
    My second recommendation is that policies, procedures, and 
assignments of accountability regarding security, and privacy 
issues, cannot be held hostage to the individual interests of 
the senior officials whose concurrence must be obtained prior 
to review by the Secretary. In this regard, I invite the 
Committee's attention to the paper trail of nonconcurrence on 
VA directive 6500, the information security program.
    On January 16th, 2004, VHA non-concurred on VA directive 
6500, disagreeing with a blanket approach to background 
investigations, opposing any requirement to ensure that 
corporations having access to VA systems and data be American-
owned--in other words, subject to U.S. policy, and within the 
reach of U.S. courts, if U.S. laws are breached.
    VHA also opposed any requirements that visitor personnel be 
escorted at VA facilities, and resisted the ability of the 
associate deputy assistant Secretary for cyber and information 
security to establish mandatory penalties for noncompliance.
    VHA's nonconcurrence specifically dealt with the offshoring 
of sensitive information, such as medical records or 
transcriptions. Other significant nonconcurrences on VA 
directive 6500 are included in my written testimony for the 
record.
    The memos by the General Counsel and paper trail of 
nonconcurrence on VA directive 6500 are indicative of a culture 
of resistance to central authority, and refusal to accept 
anything other than business as usual. They also highlight the 
decentralized authority enjoyed by the administrations and 
program offices, who are empowered to define the role and 
authority of the CIO as they see fit in order to perpetuate 
their parochial interests.
    Most of all, these documents make it clear that the CIO and 
the subordinate CISO have no authority to do anything other 
than to issue policies. Now on top of that, they can only issue 
policies that the administrations and program offices allow 
them to issue through the concurrence process. Once issued, the 
CIO and CISO have no authority to enforce these watered-down 
policies that they are permitted to put in place.
    As a third recommendation, let me suggest to you that the 
CIO budget, including cyber security and privacy budgets, 
cannot be held hostage by the administrations and program 
offices. Since funds are not directly appropriated to the CIO 
by Congress, security and privacy initiatives depend on the 
funding support of the very offices that have historically been 
the cause of the problems being addressed.
    Fourth, I recommend you create a legislative requirement 
that would suspend all executive and senior bonuses in the VA 
until the environment for which the executive is responsible 
receives a clean bill of security health from the IG and the 
competent senior official placed in charge of security. There 
are more than 26 million veterans and active duty personnel who 
are uncertain that the loss of their personal information will 
bring them financial harm. These veterans deserve better, 
because they have served our country well. Unfortunately, the 
VA has not served them well, and the VA must make necessary 
amends. If the VA cannot reinvent itself and change its culture 
dramatically, then I would beg the Congress to do it for them, 
and to do it for our Nation's deserving veterans.
    Mr. Chairman, that concludes my statement. Thank you for 
the opportunity to appear here.
    [The statement of Mr. Brody appears on p. 76.]
    The Chairman. Thank you, Mr. Brody. Mr. Cook, you are now 
recognized.

                     STATEMENT OF MIKE COOK

    Mr. Cook. Chairman Buyer, Representative Filner, and 
esteemed members of the Committee, thank you for inviting ID 
Analytics to testify----
    The Chairman. Mr. Cook, can you turn that microphone on, 
and pull it close to you, please? Thank you.
    Mr. Cook. It wasn't on, I apologize. Thank you for inviting 
ID Analytics to testify on ways to help victims of the recent 
Veterans' Affairs data breach. My name is Mike Cook. I am a 
cofounder of ID Analytics, a San Diego-based company focused 
exclusively on stock and identity fraud. I have worked in the 
field of credit risk and fraud prevention for 20 years. ID 
Analytics helps stop identity fraud through our identity 
network, a real-time identity fraud prevention system formed 
through a consortium of leading companies dedicated to 
protecting their customers from identity fraud.
    Our ID network gathers information from applications for 
credit, change of address, and other identity risk information 
from companies, including half the top 10 U.S. banks, almost 
all major wireless carriers, and a leading retail card issuer. 
Hundreds of times each day our technology helps stop fraudsters 
from obtaining credit services and merchandise in innocent 
consumers' names.
    We think it's important to make you aware that ID Analytics 
does not market or sell the data we collect in the ID network 
for any purpose, to anyone.
    I am here today because ID Analytics has unique expertise 
and knowledge of data breaches and their risk. Today, we are 
the only public or private entity that has studied the harm 
resulting from actual data breaches. Should any Committee 
member have interest, I would be happy to provide a copy of our 
white paper analyzing the harm from four actual well-publicized 
data breaches involving more than 500,000 breached consumer 
identities.
    I would first like to put this breach into context. At this 
point, no one knows the scope of risk the veterans are facing. 
The most dangerous data breaches are targeted thefts, where the 
thief committed the breach solely for the purpose of taking the 
consumer data. In this case, the purpose of the theft is 
unclear. Was the thief targeting a laptop, or the data held on 
it? I don't believe we know that answer today.
    If the data is misused, we can expect it to be misused in 
the following ways: it's likely fraudsters will mainly attack 
the credit card industry. Stolen identities are an asset that 
sophisticated fraudsters can get the best rate of return by 
fraudulently obtaining credit cards, and then making fenceable 
purchases. Secondly, because the file contains so many 
identities, it is likely that the fraudsters will use the 
stolen identities once or twice and never again, to increase 
their approval rate. Low use rates of individual veteran 
identities will make detection more difficult for the lending 
community. Again, if the data is misused, sophisticated 
fraudsters will spread the misuse of identities across 
differing locations within a city, or even across different 
States, to avoid detection.
    The worst-case scenario is that the veteran file finds its 
way to a public distribution source, such as the Internet. If 
this happens, stolen identities will lose their connection to 
the VA data breach, and groups of fraudsters might actively 
trade that data among the broad community. Subsequently, more 
people might have access, and could misuse those identities on 
a grander scale. We know from additional research conducted 
earlier this year, the misuse rate of data traded on the 
Internet can climb substantially and exceed the average rate of 
identity theft of 1.5 percent.
    Some consumer advocates estimate the value of the stolen 
identity ranges from $25-$75, depending upon the available 
personal information associated with that identity. So because 
of the value of the data itself, wide distribution should be a 
concern, and should drive a real sense of urgency to try to 
recover the stolen data as fast as possible.
    So what can the VA do now? Over the course of the last 
year, ID Analytics has developed breach monitoring technology. 
With this technology, the VA can answer three essential 
questions about the data breach. The first question the VA can 
answer is, is the breached data being misused by fraudsters 
today? Secondly, if it is being misused, can we identify the 
specific veterans harmed by this misuse, and provide them with 
additional victim assistance? And thirdly, if the breached file 
is being misused, in what locations are those breached consumer 
identities being misused, so that law enforcement can stop the 
misuse, and potentially recover the breached data file?
    How does this technology work? Simply put, when thieves 
used a breached file, they leave tracks. In order to obtain 
credit or other goods, in a veteran's name, a fraudster would 
have to manipulate that veteran's identity information on a new 
account application. For instance, if a fraudster applies for a 
credit card in a veteran's name, the fraudster needs to change 
the address so he or she can collect the new credit card from 
the bank. The fraudster will change the veteran's phone number 
for personal and employment verification purposes. He or she 
may use the same addresses and phone numbers to commit identity 
theft against other identities that were part of that same 
breach.
    Our ID network, which receives hundreds of thousands of 
applications and other identity risk events per day, can 
identify these types of anomalous changes and relationships 
across a breached file, regardless of the size of the breached 
file. We believe this technology can be significant to the 
Department of Veterans Affairs for the following reasons: it 
can help identify any organized misuse of the personal data 
that has happened so far. The analysis can quickly identify 
veterans who may have been victimized, so that additional 
victim assistance can be expedited to them. It can actively 
monitor the file for possible misuse. This technology can help 
provide law enforcement a way to identify those individuals who 
have either stolen the files or have misused it to commit 
identity theft, to stop further misuse and to recover the lost 
file.
    The analysis can help determine if the file was in use by 
more than one individual, or one cohesive group. And finally, 
breach monitoring provides a deterrent effect, once publicly 
announced. Thieves should be aware that if they try to misuse 
any data from the VA data breach, they do so at their own 
peril.
    Thank you again, Mr. Chairman, for the opportunity to 
present this testimony.
    [The statement of Mr. Cook appears on p. 85.]
    The Chairman. All right. I have two areas I want to touch 
on, and then I am going to yield to my colleagues.
    Yesterday, when the VA made their announcement of credit 
monitoring, I don't know too much beyond that, nor do I know 
where they are going or how they define it. My first reaction 
was, I was concerned. And let me explain why I was concerned.
    The concern is that, are we creating a false expectancy 
among the veterans that the VA is now going to just be doing 
credit monitoring, and when I look at my current reports, I'm 
safe, that somehow that is going to provide a safe haven. And 
that is the reason I did not issue a statement yesterday. I 
couldn't stand up and cheer, because I still have great fears.
    So let me turn to you, and I want you to tell me, ``Steve, 
I agree with you,'' or ``I disagree with you, you should cheer 
about this.'' Because here, we take it down to the next step, 
is that if they know what they are doing, they are going to 
take this, and it is going to be synthetic identity theft. So 
Mr. Cook, as you identified that you look at the granulation of 
the information and then you begin to change it a little bit; 
so I take Dr. Eugene Spafford, I get your Social Security 
number, and I got your address, and know what your wife's name 
is. So I make the application, but I change the last two digits 
of your Social Security number. So now, I obtained a credit 
card and begin to make purchases. I do other things that spoil 
your life, Dr. Spafford, but if all I am doing is monitoring 
the credit report, then no serious action by me is not going to 
show up on the credit report, as I understand.
    So now, let me yield to the panel, and say, ``Steve, you 
get it right,'' or ``Steve, you got it wrong.''
    Mr. Cook. Chairman Buyer, we've done a lot of analysis on 
fraud and how criminals use data. And I don't believe the 
people, if they use this data, are going to perpetrate 
synthetic fraud. The reason for that is synthetic fraud is when 
you don't have any data available to you. So fraudsters could 
go out and use a name, and create a valid Social Security 
number, as we have seen, by a method such as Social Security 
number tumbling, to enable them to get past a validity check. 
People who perpetrate synthetic fraud do that because they 
don't have access to data, and the analysis we have done shows 
that if they perpetrate synthetic fraud, they do not perpetrate 
identity theft.
    So I would probably disagree and say I don't think 
synthetic fraud is going to be the case here. I think it is 
going to be identity theft, and I think that credit monitoring 
might help those consumers who take the credit monitoring up on 
that offer. It may help them detect some of the fraud that is 
happening to them. But it is not going to be the only solution 
that is available to them. Here is the reason for that: credit 
monitoring is going to tell you that you had an application 
that was filed in your name. By that point, it is probably too 
late. Because as I said in my opening statement, if these guys 
who took the file are sophisticated enough and use it the right 
way, they will use the identity once or twice, and never again. 
So by the time that monitoring alerts get to the consumer, it 
is already out there and there is nothing more they can do 
about it.
    So I think credit monitoring has its place for consumers. 
If you think about consumers, we all have about a one and a 
half to three percent chance of having identity theft happen to 
us. The chance of veterans having identity theft happening to 
them because of this breached file is far less than that, just 
because of the magnitude of it. So I think credit monitoring is 
fine for consumers, if they can afford it. But we think there 
are better technologies to detect if there is misuse; if there 
is misuse, to locate where it is so you can go and try to 
recover the file; and thirdly, to really detect if there is 
misuse for a specific veteran, and then you can help that 
veteran out.
    Dr. Spafford. Mr. Chairman, monitoring detects after 
something has occurred, as Mr. Cook already mentioned. But 
credit fraud is not the only concern that should be present. As 
I noted in my comments, we now have all of this information on 
individuals who have ably served their country, and that 
information can be used to get replacement identification 
cards, passports, driver's licenses, and other information, for 
individuals to have a clean record, or even a trusted record, 
to go out and cause trouble; that when they run up a criminal 
record or misbehavior under those identities, it is not going 
to show up in a credit report, but more likely in a criminal 
report or a civil action. And monitoring is not going to 
prevent that, or even assist that.
    The Chairman. All right. I mean, if I--by way of consumer 
products, and if in fact we are into the marketplace to 
purchase a consumer product, my sensing is that we don't want 
to just monitor. We want to do data verification, we want to be 
able to look at identity verification, and examine perhaps even 
insurance-based products. Because we have a choice: either--
gosh, I threw out this suggestion and wow, Judiciary Committee 
runs off yesterday, and they create the claims adjudication 
process. All I said was we were thinking about it. Isn't that 
amazing about this institution? It is in consideration and 
boom, they go off and they do it. Now I have got to tell them, 
``Wait a minute.'' So I just want all of you to know, when you 
read about this today, we are going to put all this a little on 
hold, so we can understand all this a little bit better.
    This is what we need to know from the VA, and I am not 
going to go with you on this one, unless you are prepared to 
talk about it today, but if there is a product out there 
whereby we got to monitor this for almost three years, we need 
to give them the tools out there when we do this bid on this 
contract, and if we can purchase that insurance up there using 
proper algorithms, to what our exposure would be on a contract, 
is to go with an insurance-based product out there whereby the 
veteran is protected up to $25,000. That way we wouldn't have 
to get into the, quote, ``claims adjudication process.'' We 
accept the responsibility, we, the government, have lost the 
data. But those are things for us as members to consider.
    The last point I will make before I yield to Mr. Filner is 
a point that the witnesses discussed, and that we have concerns 
about, and that is in our society, we believe in something that 
is very congruent, and that is if I say that you have the 
responsibility to do something, then it must be coupled with 
the authority to act. And if I were to say that you have the 
responsibility, but you do not have authority, it then creates 
a syntactic situation, meaning it results in something that is 
incongruent.
    And if you have something that incongruent, you then have 
an opinion that is called a heterodox. And a heterodox is 
something that is completely out of the norm of society's 
communications. So I say to the firemen, ``You have the 
responsibility to put out the fire, but you have no authority 
to hook up to city water.'' So the Secretary turns to the CIO 
and tells him that ``You have got the responsibility to do 
quality assurance; i.e., cyber security, et cetera, but that 
you have no authority to enforce, or tell anybody to do 
anything.'' I am very concerned.
    And I appreciate all of your testimonies. Mr. Filner, you 
are recognized.
    Mr. Filner. Thank you. Your testimonies show you have 
obviously great expertise. You also give us very specific 
recommendations, which we can act on, and that is very useful.
    You have tried to talk to the VA about the kind of 
technology that you have and the services you could provide?
    Mr. Cook. Yes, sir.
    Mr. Filner. What happened with that?
    Mr. Cook. We are continuing discussions with them. We are 
hoping to be able to provide them services.
    Mr. Filner. As I understood what you do, it goes beyond 
what their announcement was yesterday.
    Mr. Cook. Yes, sir. I looked at the announcement that they 
made. There was a small piece of that announcement that talked 
about looking at other breach monitoring, or breach remediation 
solutions. And I am assuming that that might have been looking 
at us, and other technologies that are available to do what we 
do, to which the best of my knowledge, we are the only one to 
do that.
    Mr. Filner. So they are talking to you and are going to 
become aware of your expertise?
    Mr. Cook. Yes, sir.
    Mr. Filner. I just read an ad for, I think Visa, and they 
said they have what is called ``neural technology.''
    Mr. Cook. Right.
    Mr. Filner. They are able to provide their millions of 
cardholders with the knowledge if anything anomalous happens. 
Is that equivalent to what you are doing, or similar, or----
    Mr. Cook. It is similar but different, Visa and other 
companies provide different modeling techniques. One is the one 
that you mentioned, where they can look at an account to see if 
I am using my credit card properly. All right, if I lived in 
Texas my whole life and all of a sudden I start using something 
overseas, and I start to buy a lot of fenceable goods, jewelry 
or something, that is an anomalous pattern in the account 
behavior, and there are technologies that do that.
    We are the only ones that really apply that kind of 
technique to an identity. So Visa and others can look at an 
account. We look at an identity, and look at anomalous patterns 
about an identity, and how it behaves, how it behaves over 
time, and then also how it might relate to other people. And 
that is the way that we are able to detect if a breached file 
would be misused in an organized way.
    Mr. Filner. Mr. Buyer was concerned about raised 
expectations for veterans. If we did use your system, are we 
giving them some of the security that they need, or the 
assurances that they need?
    Mr. Cook. You would be. You had mentioned that your credit 
monitoring is not going to get your criminal activity, and so 
when you look at a problem like fraud, you generally have to 
throw a couple different solutions at it, and you are still not 
going to get all the fraud that there is. Our technology I 
think will definitely detect if a fraud is misusing the file, 
and they are misusing it more than five or six times, in an 
anomalous way. We would be able to detect that misuse, and then 
provide that information to the VA.
    Mr. Filner. I thank you, and I hope we pursue that. Again, 
we will have to analyze competitors. If there are none, then I 
hope the VA will think about you.
    Mr. Cook. May I make one more point?
    Mr. Filner. Yes.
    Mr. Cook. On credit monitoring, and I mentioned this. 
Whatever solution the VA chooses, and we have talked with them 
about this, it is important not to publish how long that 
solution is going to be in place. For instance, if you're going 
to do credit monitoring for free for one year, anyone who took 
the file and has an intent to misuse a file, will sit on that 
for one year and one day, and then they will start to use it. 
So----
    The Chairman. Mr. Cook, I'm sorry. These will go out under 
an RFP, publicly bid on, and your people are going to know. I 
just want to let you know the reality of government 
procurement.
    Mr. Cook. Sir.
    Mr. Filner. Mr. Brody, I had used the analogy for this data 
breach, used the ``Katrina'' situation. I mean, at first it 
seems like a natural disaster, and you have to deal with it. 
But when you look further, you could have predicted the 
consequences of a category five hurricane, you know what levees 
would have to be built, and it turned out we didn't do it.
    In this case too, some thief that hopefully is not going to 
use it stole the data. We couldn't have known that, but then if 
you look further, we could have prevented this disaster. I 
don't know if there are any policies in place to keep that data 
from going to the employee's home. I think you are going to 
have trouble, Mr. McClain, to fire this employee if there are 
no policies to say you can't do this. I mean, that is a real 
problem.
    But not only did VA not have policies about taking the data 
home, but you have outlined years and years' long indifference. 
So it seems to me, it's not just a natural disaster. There is 
accountability of management, and I assume you would hold 
responsible for this breach the top management people----
    Mr. Brody. Oh, absolutely. I mean, as the Chairman pointed out, 
the mismatch of accountability and authority was what we lived 
on a daily basis. I was the associate deputy assistant 
Secretary for a heterodox.
    Mr. Filner. He made up that word. Now you are going to use 
it.
    Mr. Brody. But even in the case of MS Blaster, for 
instance, that one incident where the VA networks were savaged 
as a result of malicious software attack, a root cause analysis 
was performed by the Veterans Health Administration, bringing 
in a distinguished doctor who had a history of doing root cause 
analyses, and the analysis concluded that the CIO's office was 
probably at fault because when it issued the warnings to put 
the patches in place, it didn't sufficiently convince everybody 
that we were really serious about putting the patches in place.
    Mr. Filner. When you testified to this Committee in your 
role as CIO, was it?
    Mr. Brody. CISO.
    Mr. Filner. CISO. Were you as frank and as open as you were 
just now? Were you able to be?
    Mr. Brody. No, I was not.
    Mr. Filner. Was that made clear to you?
    Mr. Brody. Yes.
    Mr. Filner. How do we get around that? It seems to me that 
the legislation will need to include the independence of the 
person. It is a difficult thing. You are in a chain of command. 
If the legislation is giving you authority, not from the 
Secretary but from the Congress, then I guess we should give 
you authority to testify, too, without going through OMB and 
everyone else. I am just trying to think ahead, what the 
problems could be.
    Mr. Brody. You are certainly thinking through all the right 
issues, believe me.
    Mr. Filner. Has a successor been chosen to you?
    Mr. Brody. Oh, yes. Yes, he has been in place for roughly 
two years.
    Mr. Filner. And nothing much has changed, as far as you 
know?
    Mr. Brody. No. The culture is still the culture.
    Mr. Filner. Your testimony is very disturbing. We knew 
about it, you heard me say words similar to yours. So I mean, 
there have been people that have been talking to you, and we 
have known about it. But you put it in a way that is extremely, 
extremely disturbing. This is all about the veterans, not about 
an organization, not about turf, not about covering up. It is 
about the veterans. They have lost a lot of confidence, 
obviously. And your testimony makes it apparent that there is 
going to have to be a broader scale of changes than just 
figuring out this particular problem, as bad as this is. The 
recent loss of data affected 13,000 people--and they offered a 
reward of $50,000. The VA's loss affected more than 26,000,000 
people and the data could be sold for more than $500,000,000. 
The magnitude is incredible. But as big as it is, we can solve 
the technical issues, but you bring in even a broader problem.
    Mr. Chairman, you have been talking about this for several 
years. I think everybody now understands why. We have a chance 
as a Committee, as a Congress, to make the kind of changes that 
will benefit our veterans and keep them secure in the years to 
come. Thank you.
    The Chairman. Sure.
    I appreciate the general line of questioning, and you were 
very kind to me. I don't want it to be spun out there that I am 
upset about credit monitoring. It is monitoring-plus, so I am 
glad you explore the other tools that are available, and that 
is what we want to make sure as members, that whatever the 
request for proposal that goes out, that it has a broader base 
to it. I think that is what we need to consider as we work with 
our appropriators, and figure out how they are also going to be 
paying for this, and out of what pools of money, and where does 
it come from. So we don't want it to be just monitoring, it is 
also the other tools.
    To correct the record before I get to Mr. Bilirakis, you 
said you are the only player in this space. Are you aware of a 
company called Intelius?
    Mr. Cook. I am not.
    The Chairman. All right, okay. I just want to let you know 
there are other players in the space.
    Mr. Bilirakis, you are now recognized.
    Mr. Bilirakis. Thank you, Mr. Chairman. And I have heard 
that, you know, great testimony, obviously. I have heard Mr. 
Brody use the term ``root cause.'' We are concerned about the 
veterans. This is the veterans' Committee. But I think that our 
concerns really ought to go past that point. No, we are not 
talking turf, here, anything of that nature. But Dr. Spafford, 
you were part of this President's--acronyms for every damn 
thing up here. But you are part of this group, and you all 
worked on it for approximately a year, from what I understand. 
Did you all come to the conclusion that there was no authority, 
enforcement authority that existed among these chief 
information officers?
    Dr. Spafford. When we did our study that was not a specific 
question we looked at. However, in talking to people across 
government agencies, and our own experience, we have found that 
in many places, individual unit directors and military unit 
commanders feel that they can override policy whenever it gets 
in their way. And there is a problem throughout in being able 
to ensure that security policies and procedures are 
appropriately carried out. Unfortunately, without some 
training, the people who are making these decisions do not 
understand the consequences of overriding those decisions.
    Mr. Bilirakis. Well, PITAC of course was not designed just 
to look into the VA Department. It was designed for government-
wide, right?
    Dr. Spafford. Yes, nationally.
    Mr. Bilirakis. In your recommendations, apparently you all 
failed to point out and to emphasize this lack of authority to 
enforce; isn't that true?
    Dr. Spafford. We were looking at the state of information 
technology across the nation, not simply in the government. And 
so our recommendations were for the state of cyber security as 
part of the national infrastructure, not simply government 
itself. So that was not one of the topic areas----
    Mr. Bilirakis. You were basically given areas to cover, and 
you were limited to those areas?
    Dr. Spafford. Effectively so, yes.
    Mr. Bilirakis. But you have now come to the conclusion--and 
as you were speaking, Mr. Brody was shaking his head. I didn't 
look over at Mr. Cook--that much of the problem is, I mean, 
first of all, you all mentioned culture, and God knows that is 
a hell of a problem. Not only in the VA, but I suppose probably 
in all departments and agencies. But shouldn't we be concerned 
that apparently the lack of authority that is so very, very 
significant here, so very dense in this area, for crying out 
loud, does not exist, or apparently does not exist, or doesn't 
exist adequately, in all the other agencies and departments in 
the government?
    Dr. Spafford. My comments about that in particular were 
based on my own personal experience rather than the Committee. 
That was a separate report. But yes, I have seen in many 
agencies, including Department of Defense, there is a lack of 
concomitant authority to go with the responsibility. In many 
agencies, such as appears to be at the Veterans' 
Administration, and in many companies, the person who is given 
the responsibility for security with no authority, the real 
position should have a label of ``scapegoat,'' because that is 
all that one can do, is take the blame, if you can't effect any 
change. And this is all too common in the area of security 
because those of us who understand the risks and want to 
implement the changes are resisted, because it costs money. It 
changes the way people do things. And so it is a very common 
problem throughout government and industry.
    Mr. Bilirakis. Mr. Brody.
    Mr. Brody. I can only concur. My direct observation was at 
the Departments of Veterans Affairs, Department of Energy, and 
the Department of Defense. And in all three cases, direct 
observation, there is no authority resident with the 
accountability function of these senior IT officials.
    Mr. Bilirakis. And you all agree that this--I mean, we can 
talk about maybe solving or fixing this particular problem 
ultimately, or whatever the case may be. We are spending so 
much time on this that we should be spending on other veterans' 
matters; claims, delay in claims, and healthcare, and things of 
that nature.
    I don't know. Does the president know that that significant 
part of this overall picture, that lack of authority to enforce 
does not exist? It was not part of your report that went to 
him.
    Dr. Spafford. No, sir.
    Mr. Bilirakis. So he does not know? I mean, he doesn't know 
by virtue of this report in any case.
    Dr. Spafford. We were asked specifically to look at the 
status of cyber security research and technology transfer in 
the country, and how effective it was. That was the nature of 
that report.
    Mr. Bilirakis. Well, you have said that, yeah.
    Dr. Spafford. Yes. So as to what the president knows or 
does not know, I can't comment.
    Mr. Brody. I just find it illuminating that the same body 
that gave us the Federal Information Security Management Act 
was not aware of this mismatch of accountability and authority.
    Mr. Bilirakis. So you know, are we accomplishing very much 
of anything here? If we really don't look to the root cause, 
not only to the VA, I mean, this same sort of thing is going to 
happen in other departments and other agencies--Federal Trade 
Commission, we just got word, and we are hearing about other 
agencies or other departments. Should we have legislation--and 
I guess legislation is only as good as the people who are 
supposed to be carrying it out, that would mandate, for crying 
out loud, that there be some sort of authority? We are going to 
hear from the Counsel in a little while, I guess who is going 
to tell us that the authority is not there.
    But should we have legislation that would do it? Not just 
with the VA, and of course obviously, it would be something 
that would be applicable to all of the other Committees, which 
might be just enough of a reason to kill the legislation, 
because you know, jurisdictions assigned by other Committees 
do. But shouldn't we do something like that? I mean, isn't that 
part of the root cause, getting to the root cause of all this?
    Mr. Brody. I am on record with the Committee on Government 
Reform as pointing out that the major flaws in FISMA include 
the accountability versus the authority mismatch, as well as 
the issue of FISMA not necessarily measuring the right 
categories of information security.
    Mr. Bilirakis. And you are on record as saying, and you all 
are on record as saying that basically you can't ever solve 
this unless you take care of that particular area; is that 
right?
    Mr. Brody. Correct.
    Mr. Bilirakis. Yeah. Let me ask--we understand that houses 
in the neighborhood of where this took place have also been 
burglarized apparently during the same period of time. And I 
guess they haven't been tied--whether the same person did it, 
or whatever the case may be. But I think that the impression is 
that the person took this did not know what he or she was 
doing, or that they did not know what they had. Are we wrong by 
virtue of holding these hearings and all this publicity out 
there and that sort of thing? Is it likely that the thief or 
thieves know by now what they have in their possession?
    Dr. Spafford. Based on the reports that I have seen, it is 
entirely possible because of a delay in reporting that if the 
thief was only interested in the physical computer, it had 
already left his or her possession by the time the news was 
released.
    Mr. Bilirakis. Why would that be? Why would it have left?
    Dr. Spafford. They would have sold it immediately. Those 
kinds of thefts are usually to pay money for drugs or----
    Mr. Bilirakis. All right. But whoever they sold it to, the 
problem still potentially exists for that person, right?
    Dr. Spafford. Very often, those systems are completely 
wiped or whatever--so they can't be traced back. But the second 
part of your question about holding these hearings, I think are 
very important, and also goes to your earlier question about is 
something being accomplished? These kinds of problems have been 
happening for several years, and are going to happen more 
frequently. And it is very important that we all understand 
these problems and address them in some way. So I certainly 
applaud whatever you are doing in this regard.
    Mr. Bilirakis. Okay. Mr. Brody, you agree, Mr. Cook?
    Mr. Cook. I agree. If they do know that they have it, I 
know what I would do if I did. I would take it in the backyard 
and bury it.
    Mr. Bilirakis. You would what?
    Mr. Cook. I am sorry. If I knew that I had the information, 
I would take it in the backyard and bury it in a very deep 
hole. Because I think that there is so much scrutiny and so 
much interest in, you know, who has that file. I think there is 
other data that I would probably try and take----
    Mr. Bilirakis. Okay. So actually then, you feel that 
hearings like this will tend to maybe convince the thief that 
they had better bury it and not try to use it.
    Mr. Cook. We have done analysis in different breaches, and 
in one of the breaches there was a public announcement that was 
made. And what we noticed was, after the public announcement 
was made, the use of the file, the use of the names went way 
down. So we do think the public announcement helps a good deal. 
A concern that I would have is that over time, that data can 
get out. And if that information gets out over time, all of a 
sudden the attachment to the VA data breach might go away, and 
it just becomes names and Social Security numbers.
    Mr. Bilirakis. Right.
    Mr. Cook. And if that is the case, and if that information 
finds its way onto the Internet, over time, veterans can see 
identity theft happening to them from this breach. But we don't 
know that.
    Mr. Bilirakis. Okay, thank you. I am feeling a little 
better. Thank you, Mr. Chairman.
    The Chairman. Thanks very much. Mr. Michaud, you are now 
recognized.
    Mr. Michaud. Thank you very much, Mr. Chairman, for having 
this hearing. I really appreciate your willingness to stay on 
top of it. I also want to thank the panelists. It has been very 
informative.
    Mr. Brody, you had mentioned that VHA disagreed with the 
draft directive 6500 regarding the medical transcription 
services. Can you recall what they said, and why you thought 
this to be a faulty reasoning for not complying with it?
    Mr. Brody. Yeah. I mean, in general, their position was 
that the language of their contract with the transcription 
company was sufficient control. But my office tried to point 
out to them that number one, they weren't monitoring or 
auditing whether or not the contractor was in compliance with 
the contract; number two, that outsourcing to a foreign company 
created some issues related to whether or not the individuals 
that had access to this data had criminal background, or 
potentially, ties to terrorist organizations. And number three, 
foreign organizations, foreign corporations deny us the ability 
to seek to address any issues in the U.S. courts, should it 
come to that.
    And when we pointed those things out to them, they, you 
know, took them under advisement, and went off and did their 
own thing.
    Mr. Michaud. Thank you. Second thing, Mr. Brody, 
specifically was there any information or cyber security 
weaknesses in the VISTA system? If so, what were they and what 
could be done to fix them?
    Mr. Brody. The Committee might find this interesting, I 
recall reading in the VA publication that is distributed in the 
hallways and near the elevators a few years ago, where there 
was an article on this done, and it was declared in the article 
by, you know, senior VA officials, how proud they were that 
they were able to develop Vista underground, without any 
involvement by the headquarters. And so I don't know what the 
software looks like inside Vista. I do know that as of two 
years ago, it had no access control whatsoever. And I don't 
know if that has been corrected to date. So I would encourage 
the Committee to potentially take a look at--maybe do a 
security audit of Vista, and see what they find.
    Mr. Michaud. Thank you. You had mentioned that you had 
worked with DOD and the Department of Energy, and you mentioned 
some of the same things about, you know, who was in charge. Did 
you witness similar problems with the other agencies, as far as 
security, that you witnessed at the VA? And does the DOE suffer 
from another agency's similar resistance to change, even though 
the authority might not have been the same; has it been that 
resistance in the other agencies, that culture, so to speak?
    Mr. Brody. Overall, yes. I mean, not to quote Yogi Berra, 
but their similarities are different. And that means that in 
the national security world, which includes DOD and DOE, there 
tends to be a little bit greater appreciation for, across the 
population, for the need to operate more securely. Nonetheless, 
the decentralization, especially in an environment like DOE, 
has created similar, fragmented security issues, as exist in 
many other civilian agencies.
    Mr. Michaud. Thank you. And is technology difficult to 
centralize, the IT operation within the VA, do you think?
    Mr. Brody. There are some complexities associated with 
technology, but overall, technology is not the problem. I mean, 
the technology complexities relate to, in the case of the VA, 
some of these very older systems that are no longer supported 
by the original manufacturer, and those just probably need to 
be retired or migrated. But overall, the technology part of 
this problem is not the hard part of the problem. It is the 
cultural part of this problem.
    Mr. Michaud. And my last question. In your opinion, do you 
feel that the 26 million records, is that a national, or non-
national security problem?
    Mr. Brody. If you take the strict definition of FISMA, it 
is a non-national security problem. But I feel that when you 
begin aggregating the kinds of information that can be 
contained in those kinds of databases, you are very perilously 
close to a national security problem.
    Mr. Michaud. Thank you. Thank you, Mr. Chairman. I yield 
back the balance of my time.
    The Chairman. Thank you very much. Mr. Moran, you are 
recognized.
    Mr. Moran. Mr. Chairman, thank you very much.
    Mr. Cook, you said something in your testimony or a 
response to a question, I think, that caught my attention that 
I don't understand. And it dealt with the percentages of 
Americans that are subject to identity theft, and I think it 
was one and a half to three percent. And then you indicated 
that the veterans who were in this computer information were 
something less. Would you explain that to me?
    Mr. Cook. Sure. What I mean by that is, we have done a lot 
of analysis, and what we know is that the size of the breach is 
very important to the misuse rate of that breach. If it is 
misused and if you are a consumer, you want to be part of a 
very large breach. Because if you are part of a 26.5 million 
record breach, then the probability of somebody picking your 
name out of that fairly large hat and using your name to commit 
identity theft is very, very small. If you have a--and let us 
just say, if you put your mail in your mailbox and somebody 
takes your mail out, I would consider that a data breach of 
one. So there, you would have a very high percentage of your 
name being misused. So, the point I was trying to make is, we, 
all of us have got about a one and a half to three percent 
probability of identity theft happening to us during the course 
of a year.
    So the probability of identity theft happening to a veteran 
is one and a half to three percent, and so because now, they 
are part of a very large data breach, it is only going to 
increase very slightly for them, okay? But as a whole, it does 
mean that there will be more victims of identity theft in the 
U.S. It does mean that.
    Mr. Moran. What then is the value of the 26 and a half 
million names, the information, then, on the street? Twenty six 
and a half million is too much data for somebody who would be 
in the market for identity theft?
    Mr. Cook. Well, it is a lot. If you were one person, it 
would take you--we have done the math on it--it would take you 
about 12 lifetimes to use that one file. So it is a lot of data 
for one person to use. If they were to take it and disseminate 
it out on the Internet and try and sell it in packages, you 
know, we have heard anywhere from $25 to $75 from consumer 
advocate groups who have said this is what they hear. So there 
is a lot of dollars that they could get by selling that data, 
but again, if I had taken the data and I knew that it was the 
VA file, I would run away from it because I think there is 
going to be such intense scrutiny on that file, that people are 
going to be trying to find someone misusing that data.
    Mr. Moran. What is the occurrence that causes us to know at 
some point in time that the security has been breached, and the 
information is being used? What would you expect to be the 
first sign that there is a real problem?
    Mr. Cook. Well, it will be the anomalous behavior patterns 
that you would see in the file. For instance, there are 70, 60, 
50 people in the room today. If all of our data was breached, 
six months from now if we all started using the same cell phone 
number, that would be anomalous. If half of us started living 
in the same apartment complex, that would be anomalous. And 
that is how we can detect the misuse. It is the events that 
happen after the breach to a specific identity, and the way 
that we can pull those things together. And that I think would 
be your first indication that somebody is actually misusing 
that file.
    Mr. Moran. And this would be announced? This would become 
known because some veteran would indicate something bad is 
happening in his or her life?
    Mr. Cook. That is what credit monitoring would require, is 
that a consumer really kind of placed their own report, and 
then provide that data to a central source, and that is not 
being done. And there would be so much noise in that, because 
again, we have a percentage of identity theft that is going to 
happen to us. It wouldn't be the consumer saying it, it would 
be our ability to look at the breached file, and then look 
within our ID network and see applications that were filed in 
those veterans' names, and then determine which of those 
applications were probably filed by the veteran, and which of 
those applications might have been filed by a fraud ring who 
has access to that file.
    Mr. Moran. Thank you.
    Mr. Brody, I think you have been asked this question, and 
maybe Dr. Spafford as well, but for my understanding, is there 
something unique about the VA that really--I mean, this 
happened with VA information, so the focus is on the VA. We 
talk about the culture, the atmosphere, the attitude. Something 
unique about this place or just any other government agency is 
the same risk as the VA----
    Mr. Brody. My observation would be that we need to be 
careful about not focusing entirely on this incident, because 
again, this was discovered almost by accident. How many more of 
these kinds of incidents are out there and not just at the VA 
where we know there are no controls in place to prevent it? We 
know there are no controls in place at other government 
departments and agencies, where, you know, larger amounts of 
information may be on some employee's owned computer, or on 
some contractor's owned computer. And so maybe the attention we 
are drawing to this incident could be creating an opportunity 
for, you know, some other bad actor out there, and that would 
be an unfortunate turn of events.
    Mr. Moran. But the personnel of the VA aren't any blinder, 
or culturally resigned to the status quo than any other place?
    Mr. Brody. Not necessarily, no.
    Mr. Moran. Okay, thank you very much. Thank you, Mr. 
Chairman.
    The Chairman. Dr. Spafford, did you have something you 
wanted to say to Mr. Moran?
    Dr. Spafford. I was simply going to say that there are some 
better and some worse. A lot depends upon their individual view 
of the data, versus their mission. So some organizations, as 
Mr. Brody said, in working with national defense, will be more 
aware of that value. And in other places where they view that 
their mission--and unfortunately, this is part of the problem, 
why this happened. The person who lost the data viewed that his 
mission was to get his reports done, or get his work done, 
rather than protecting and serving the veterans that the agency 
was supposed to be involved with. And where that disconnect 
occurs, you have more of these problems.
    Mr. Moran. I would think that Mr. Buyer's leadership on 
this issue and the hearings that we are having, and the focus 
of the national attention on this issue, would cause other 
departments and agencies to have a desire to change their ways. 
Maybe that is just Kansas commonsense, but I hope it works that 
way in Washington, that this is the catalyst that causes us all 
to think that, ``My gosh, what we are doing isn't quite 
adequate.''
    Dr. Spafford. Well, as I noted, and as Mr. Brody noted, 
this is not the first such incident, and these kinds of things 
have been going on for years. And whoever is currently in the 
spotlight takes a fair amount of heat, and vows never to do it 
again, and then someone else gets caught.
    Mr. Moran. Thank you, Mr. Chairman.
    The Chairman. Mea culpa, mea culpa, mea culpa.
    Ms. Herseth.
    Ms. Herseth. Thank you, Mr. Chairman. And I appreciate the 
questions that I know Mr. Michaud had a chance to pose to Mr. 
Brody, and Mr. Moran's line of questioning. I hope this 
presents an opportunity, as I explored in an earlier hearing, 
to evaluate whether or not we have the same weaknesses within 
these CIO organizations across other Federal agencies, which you 
had an opportunity to serve in two different agencies. And that 
while the VA is currently the one taking the heat, that whether 
it is USDA, EPA, DOE, others, start taking steps, and CIOs 
start sharing information across agencies, and that we make the 
decisions in the Congress about the resources at the front, and 
are they going to be necessary to prevent these types of 
situations that cost us far more at the back end.
    So let me just ask one question, because I know there is 
probably an interest in moving to the next panel, as well. Mr. 
Brody, we have had some discussions here about the age of the 
various files within the VA. Is it technically difficult to 
encrypt or convert VA's older databases?
    Mr. Brody. It is more difficult to encrypt the databases 
that are on older hardware platforms, and older software 
operating systems that are no longer supported by any 
manufacturer. There are workarounds, and there are some 
complexities, but it is not impossible. And by and large, the 
technology part of this problem is not the hard part of this 
problem. Technology is available to solve most of the 
deficiencies identified by the IG and the GAO, in the VA.
    Ms. Herseth. So if the technology isn't the problem, it is 
the resources and the obstructionism that we have to overcome, 
that is the problem?
    Mr. Brody. More or less, yes.
    Ms. Herseth. Okay. I yield back, Mr. Chairman. Thank you.
    The Chairman. Thank you. I know Mr. Udall has had to step 
out for just a moment, so let me--we have votes that are going 
to occur at 12:15 to 12:30. So what I would say to Mr. McClain, 
I apologize but it is life on the Hill.
    All right, so Mr. Brody, I am going to go back to this, and 
we are going to get into this in the next panel with the 
General Counsel, about why they made certain decisions in their 
memoranda. But if I try to follow the logic, that FISMA is 
not--let me restate this. According to the most recent FISMA 
report, VA has no agency-wide security policy, is what the 
recent report says. If you were to design security policies, 
what would be the key components to be included in that policy?
    Mr. Brody. It would include the confidentiality, integrity, 
the availability, and the accountability, for the necessary 
controls on all the VA's systems, including the protection of 
data.
    The Chairman. Dr. Spafford, would you agree with that?
    Dr. Spafford. Those would certainly be the core elements of 
the policy.
    The Chairman. What kind of training would be necessary to 
implement such a policy? And what kind of time are we talking 
about?
    Mr. Brody. It would depend because there will be certain 
roles that would have to be trained. Managers across the agency 
would need a certain kind of training. Practitioners 
responsible for actually maintaining security devices would 
need a certain different kind of training. And by and large, a 
lot of that training is in place in the VA. We had put in 
place, following the incident in which some computer systems 
containing veterans' data were purchased by the television 
station in Indiana, we had put in place a program of 
practitioner professionalization, and we took 600 people 
through that program and certified them. But that is 600 in a 
population of over 200,000, that all need a significant degree 
of training.
    The Chairman. And would we have any problems with the VA 
personnel policies or labor practices?
    Mr. Brody. Those cropped up from time to time. Yes.
    The Chairman. Such as?
    Mr. Brody. Well, I mean--the details escape me at the 
moment, but you know, a fact of the matter is, whenever we 
tried to put in place any kind of policy that affected the day-
to-day life of the individual, the resistance from HR 
organization was fairly stiff.
    The Chairman. Interesting. Mr. Udall? You are recognized.
    Mr. Udall. Thank you, Mr. Chairman. Mr. Brody, you talked a 
little bit about security and issues of security, and I wanted 
to ask you about--under the Federal Information Security 
Management Act, are you comfortable with the distinctions 
between a national security database, and a non-national 
security database? And how would you define these? And with 
respect to the specific information that was lost there, which 
category does it fall into? And are there any things that we 
should do in order to better protect ourselves, in terms of 
these definitions?
    Mr. Brody. I would say I understand the definitions, and 
whether or not I am comfortable with them, I spent 10 years in 
the intelligence community, so I understand that when you take 
what would appear outwardly to be non-sensitive information and 
begin aggregating it so that it starts to become more 
sensitive, you cross a fine line into what could be classified 
as national security information. According to the definitions 
that are incorporated in FISMA, that does not apply in this 
case. But I would argue that the aggregation of information in 
VA's systems can be of significant value to those who would 
wish to do this country harm.
    Mr. Udall. And is there anything we can do to further 
protect in that area, other than what you have already outlined 
here today?
    Mr. Brody. Well, I mean I actually raised this issue in 
2001 when I arrived at the department. And I was told that that 
is the responsibility of the office of security and law 
enforcement, and ``Thank you very much for your input.'' So 
again, we are dealing with the fragmented security authorities 
across the department.
    Mr. Udall. Several statements by the VA indicate that the 
employee who took home the data did so without authorization. 
If he was already authorized access to the data, what policy or 
regulation would have required further authorization? And do 
you recall if the IG or the GAO, or any other entity, ever 
commented on this as a weakness?
    Mr. Brody. I am not aware of any policy that would have 
prevented this. Nor am I aware of any comments by any other 
party.
    Mr. Udall. A changed management system developed after 
Secretary Principi attempted in 2002 to centralize the CIO 
function. This new system was characterized by significant non-
line reporting. How well did this system work, and did that 
hybrid system approximate the Federated Management system 
recently adopted by the VA?
    Mr. Brody. Yeah, I would have to characterize the results 
of that as not in keeping with the spirit of this Committee's 
concerns, as addressed in 2002. Once we get to that of a line 
sort of authority thing, and then in the wake of the MS Blaster 
incident, we did an analysis internal to my office, and I am 
sorry that I don't have it present, but I am sure that we can 
probably draw it out of someone's files, where we determined 
specifically who had responsibility for configuration control 
and configuration management in the department. And it turned 
out that as a result of the efforts by Secretary Principi to 
put that memo in place in 2002, there were no less than 13 
separate places by which configuration control would be managed 
in the department.
    Mr. Udall. To Dr. Spafford or Mr. Cook, do you have any 
comments on anything you have heard, or I have raised here?
    Dr. Spafford. No.
    Mr. Cook. No.
    Mr. Udall. Okay, thank you. Thank you, Mr. Chairman. I 
yield back.
    The Chairman. Mr. Brody, in your testimony you testified to 
something that we as a Committee had considered, and that was 
whether to elevate the CIO to the level of an under Secretary. 
And we thought about that as a Committee when we put together 
our legislation, and I guess looking back on it, maybe we 
should have. Really, our inward discussions were dealing with 
if you have a culture of resistance that I called the 
``centurions of the status quo,'' and it is much easier for the 
three under secretaries to run over the CIO, especially if they 
can then--they all are competing to win the support of the 
deputy Secretary, or the Secretary. So I just want to let you 
know, I got your message. I embrace it, and we as a Committee 
are going to look back on your recommendations.
    Let me turn to Mr. Cook. With regard to data, when an 
individual feels--you know, they went to the ball game, just 
had their purse stolen, their pockets were picked, now it is 
like, ``Oh, my gosh. I had 12 credit cards in there. It is now 
gone. What do I do? Who do I call?'' My question to you is, 
what is the norm before an individual will begin to feel the 
bad effect?
    Mr. Cook. There has been some analysis on that, and FTC I 
think has done some of the best analysis, and another 
organization called Identity Theft Resource Center. I think the 
average--and I'm not sure of this, but I think the average is 
about six months before they actually see it. Because what 
happens is you might get an inquiry in your credit reports that 
you may not be aware of, because you don't have credit 
monitoring. And then, that account, if it is a wireless account 
or a credit card account, is open, and then that fraudster 
might use that account. Some people will take the account, buy 
fenceable goods, and go bad right away. Others will use that 
account over time, as many as 18 months, so that they can do 
something that the industry calls ``bust-out,'' where they can 
actually drive the account much higher than what the credit 
limit is.
    And so generally, consumers will find out they are a victim 
of identity theft because they will get a call either from 
their credit card issuing bank, or the wireless company, or 
from a collection company. So it is generally about six months, 
7, 8 months out.
    Now, if there is a fraudster who steals an identity and 
uses that identity over and over and over, and that consumer 
happens to have consumer monitoring--this is a very small 
percentage of people--then they may be aware of that within as 
quickly as three weeks, if you will.
    The Chairman. All right. Our challenge here is to build a 
system, and at the same time take care of the veterans, and 
produce that product in Congress, as we work with the 
administration. I want to thank you for taking your time to put 
together your testimony, and for being here. I appreciate that.
    Mr. Brody, thank you. We asked you to do a job, and put a 
patch over one eye and we tied your good arm to your back, and 
you did your very best. And I know it was hard, and it was 
difficult. And we don't view you as a scapegoat, because the 
more we do our forensics, the better the understanding we have 
about the culture, and the problems, and the resistance to 
change Mr. Filner had discussed.
    And we are going to embrace your recommendations, along 
with Dr. Spafford. Once again, let me thank you for helping 
your country. Your testimony is insightful and valuable to us, 
as we formulate this legislation.
    Any other questions?
    [No response.]
    This panel is now excused. If we could turn to the second 
panel. And even though we got a warning that votes will occur. 
Dr. Spafford, do you have to take off? Do you have to run? Dr. 
Spafford, do you have to catch a flight?
    Dr. Spafford. Later on this evening.
    The Chairman. Okay, could you sit and listen to this panel? 
Are you going to have to take off?
    Dr. Spafford. No, I can----
    The Chairman. That is wonderful, thank you. What I had 
planned to do, Dr. Spafford, is I would like you to listen to 
this panel, and then I am going to circle back with you--we 
could have a discussion. If we can't get it today, are you 
around Monday, at Purdue University?
    Dr. Spafford. No, sir, I will be at a conference----
    The Chairman. At a beautiful resort? Don't answer that.
    Dr. Spafford. Allegedly.
    The Chairman. Allegedly, great. Means you're in Toledo? 
Sorry, nothing against Toledo. All right. Hey, hey, hey.
    Sitting on our second panel is the General Counsel for the 
Department of Veterans Affairs, Mr. Tim McClain. Mr. McClain 
was confirmed by the Senate as the General Counsel for the 
Department of Veterans Affairs in April 2001. As General 
Counsel, he serves as the chief legal adviser to the Secretary 
of Veterans' Affairs and the department's other senior leaders, 
and manages the Office of General Counsel, which is comprised 
of nearly 400 attorneys assigned throughout the United States.
    Mr. McClain also served as the VA Chief Management Officer 
from January 2005, through November 2005, responsible for the 
department's budget, financial policy and operations, 
acquisitions, material management, real property asset 
management, environmental policy, and business oversight.
    Thank you very much for being here. If you would also 
introduce Mr. Thompson, who accompanies you and you will then 
be recognized.
    Mr. McClain. Mr. Chairman, thank you very much. Mr. 
Chairman, Ranking Member, and members of the Committee, 
accompanying me this morning is Jack Thompson, who is the 
Deputy General Counsel at the VA, and he has over 30 years of 
service with the VA as an attorney. Also, I would like to, if I 
could, ask that my full statement be made a part of the record.
    The Chairman. All right. We do. If you will arise and give 
me your right hand.
    [Witness sworn.]
    The Chairman. Thank you, please be seated. Mr. McClain, you 
are recognized.

  TESTIMONY OF THE HONORABLE TIM S. MCCLAIN, GENERAL COUNSEL, 
   U.S. DEPARTMENT OF VETERANS AFFAIRS, ACCOMPANIED BY JACK 
                THOMPSON, DEPUTY GENERAL COUNSEL

    Mr. McClain. Thank you, sir. And thank you for the 
opportunity to discuss the legal implications of the May 3, 
2006, theft from a VA employee's home, of personal identifying 
information concerning veteran servicemembers.
    This incident brings into sharp focus the Federal laws that 
address a similar issue; i.e., safeguarding personal 
information. Both the Privacy Act and the Federal Information 
Security Management Act, or FISMA, provide a framework for 
establishing agency safeguards to ensure the security and 
confidentiality of records. These statutes generally outline 
agency responsibilities, and require the agency head and senior 
officials to ensure compliance with the law. Since we were made 
aware of this terrible situation, the employees of the VA have 
worked tirelessly to ensure two things: one, that the normal 
services to veterans, including healthcare, benefits, burial, 
and memorial services, have continued uninterrupted. And two, 
that we address this situation in such a manner that it will 
minimize any adverse impact on a veteran. This is VA's problem, 
and we intend to address it as one.
    Secretary Nicholson has launched VA on a course that will 
result in VA being the gold standard for information security 
in Federal Government. That is no easy task. VA is so large, 
and with so many very vital programs, that it will take a 
concerted effort on every employee's part to make it happen. 
Just as VA transformed its health-care system from one of 
questionable quality in the early 1990s, to today, the 
recognized leader in healthcare delivery and electronic 
healthcare records, we are committed to leading the Federal 
Government in information security.
    Along that line, in an October 19, 2005, memorandum, 
Secretary Nicholson ordered the reorganization of VA's IT 
operations. In February 2006, the Secretary strongly advised 
senior agency officials at a senior management retreat that 
today's IT reorganization was his top priority. In that regard, 
on April 30th of this year, over 4000 employees were detailed 
to the Office of Information Technology, as part of this 
implementation plan. As of the end of the current fiscal year, 
those employees will permanently be transferred to the Office 
of Information Technology. This has placed all IT operations 
and maintenance personnel under the supervisory control of the 
CIO.
    Another major development was announced yesterday by the 
Secretary. That VA is committed to providing one year of free 
credit monitoring to individuals whose sensitive personal 
information, their names and Social Security numbers, may have 
been stolen as a result of this incident. Providing free credit 
monitoring will help safeguard those who may be affected, and 
will provide them with the peace of mind they deserve. This 
week, VA will solicit bids from qualified companies to provide 
a comprehensive credit monitoring solution. VA will ask these 
companies to provide expedited proposals, and be prepared to 
implement them rapidly, once they are under contract. Once VA 
hires a credit monitoring company, the department will send a 
detailed letter to individuals whose sensitive personal 
information may have been included in the stolen data. This 
letter will explain credit monitoring, and how those eligible 
can enroll or opt in for the services. The department expects 
to have credit monitoring services in place and the letters 
mailed by mid August. VA will also be soliciting bids to hire a 
company that provides a data breach analysis, which will look 
for possible misuse of the stolen VA data. The analysis will 
help measure the risk of the data loss, identify suspicious 
misuse of identity information, and expedite full assistance to 
affected individuals.
    These efforts will augment the other aggressive steps VA 
has already implemented in response to the unfortunate 
incident. As previously announced, the Secretary has already 
directed a series of personnel changes in the affected office 
within the department. The Secretary has also hired a former 
Maricopa County prosecutor, Richard Romley, as a special 
adviser for information security. He ordered the expedited 
completion of cyber security awareness training and privacy 
awareness training for all of VA employees, and also ordered an 
inventory of all positions requiring access to sensitive VA 
data. He also asked that every laptop undergo a security 
review. And the VA's facilities across the country, every 
hospital, CBOC, community outpatient clinic, regional office, 
national cemetery field office, and VA central office here in 
Washington, observe a security awareness week, beginning next 
Monday.
    Thank you, Mr. Chairman, for the opportunity to testify, 
and I will be glad to answer any questions from the Committee.
    [The statement of Mr. McClain and accompanying documents 
appears on p. 92.]
    The Chairman. All right. First, I have--have you been 
present during the discussions on formulating this policy to 
provide the free credit monitoring? Were you present at these 
discussions?
    Mr. McClain. Yes, sir.
    The Chairman. Okay. What does free credit monitoring mean?
    Mr. McClain. Well, it will be defined by the bids that are 
received in response to the RFP that has gone out. Credit 
monitoring is a package of services that are offered by, for 
the most part, the three major credit bureaus, and possibly 
others. And they have different levels of this service that you 
can actually purchase from them. The RFP will be requesting a 
very robust package to cover the veterans, and it will be 
determined by actually what the bids are in response to the 
solicitation.
    The Chairman. You got my attention in your testimony when 
you talked about a comprehensive approach. My sensing for my 
colleagues is that is where our greatest interest is. And so 
let me go back to my earlier comments, when I heard about the, 
oh, credit monitoring. It has to be about more than just that. 
And that is also our testimony from the first panel. So now, we 
say, okay, we are going to invite the credit monitoring, you 
say we are going to do bids to do a comprehensive approach, and 
then we are also going to do a second--you have got two 
proposals that are going to be going out; is that correct?
    Mr. McClain. Yes, sir.
    The Chairman. All right, tell me a little bit more about 
your first proposal for a comprehensive approach. Is that sort 
of what the gentleman was talking about from analytics, or also 
Intelius does, out there in the private-sector?
    Mr. McClain. Sir, the comprehensive approach would be the 
entire--would be everything. In other words, both solicitations 
that go out, which would include a robust credit monitoring 
package, and it would include a company to come in and do the 
data breach analysis.
    The Chairman. Okay. But on a comprehensive approach, are we 
also saying that you are considering purchase of insurance-
based product?
    Mr. McClain. Yes, sir, because that normally comes with 
your normal commercial credit monitoring package. If you were 
to go to any of the big three credit bureaus that would be 
included in the package.
    The Chairman. Mr. McClain, that is a big deal. I think it 
is a big deal. Because Congress out here just yesterday, the 
Judiciary Committee immediately goes out there and does the 
claims adjudication process. And when I brought that up, I 
talked to the Secretary about that. And he is like, ``Whoa, 
Steve, I know what you are trying to do. Let us see what is 
available in the commercial market.''
    Even if we were to do that, do we want to keep it in-house? 
Would we keep it under you? Would you create a separate agency 
to do that? You don't want it to be organic, limited in scope, 
limited in time, a lot of things to think and consider about. 
But you can notice how heightened members are about the issue, 
that the Judiciary Committee would run out. So I would welcome 
the VA to explain this a little bit further as you are 
formulating this. I think that the VA is saying that we are 
interested in providing that financial assurance--an insurance-
based product while we do this, will make veterans feel a 
little bit better. Would you agree?
    Mr. McClain. Yes, sir. And we'll be glad to. I'm certainly 
not the expert in the credit monitoring packages or the 
insurance, but we'll be glad to provide the Committee with a 
more detailed reasoning as to exactly what that entails.
    The Chairman. All right. Here is what is happening, is that 
not only are you learning, VA, more about this; so are we. And 
that we want to work with you on how you develop your 
comprehensive approach, as opposed to us, you know; either that 
or we dictate something and we don't want to have to do that. I 
mean, we can set parameters, but you are also going to be 
coming here and asking us to pay for it. Okay?
    With that, I yield to Mr. Filner.
    Mr. Filner. Mr. McClain, I think you ought to be ashamed of 
the testimony you just gave us. You sat through an hour and a 
half of testimony, detailing some very grave problems in the 
culture of the VA. We also heard some very technical and very 
specific suggestions on what we might do, including the 
weaknesses of just credit monitoring. And you read the same 
thing that you walked in with, as if you didn't hear anything, 
nothing is wrong, the Secretary is taking action, you are 
taking action, everything is fine. You have the lowest guy on 
administrative leave, and it is not clear that he violated any 
policy, anyway, and his superior resigned. We just heard of 
extensive management failures of VA. You don't address that. It 
didn't happen. You are testifying about a completely different 
world from the one we heard.
    You have the biggest breach of security of identities in 
the history of this country, and you haven't come to grips with 
this issue. Your testimony shows the very reason why we have a 
problem. You don't recognize anything, you don't admit 
anything, you don't acknowledge anything, you don't want to 
change anything. This is disgraceful.
    Given the testimony from Dr. Spafford, and Mr. Brody, and 
Mr. Cook, why shouldn't you and everybody above you in the 
chain be held responsible for the data loss? It was your memos 
that said there couldn't be any centralization. It was your 
memos that contradicted the authority of FISMA. It was your 
memos that said the Secretary is not going to centralize. Why 
should you not be fired for this incredible breach?
    Mr. McClain. Mr. Filner, first of all, I think that VA has 
taken this very seriously. I mean, this is----
    Mr. Filner. The first step is to acknowledge a problem. 
Read your statement again and show me where you acknowledge 
that there were some errors in the management of your agency. 
Show me where. I just read your whole testimony. Not one word 
to show that you understand the severity of the problem. They 
say the first step in understanding addiction is, you have to 
get rid of denial. You are still in denial.
    Mr. McClain. Denial that there is a problem----
    Mr. Filner. That there is something--in the culture of the 
VA management system that caused this.
    Mr. McClain. I believe that the Secretary has testified on 
more than one occasion in front of this Committee and others, 
saying that there was a problem, and it has made him mad as 
hell.
    Mr. Filner. I can see everybody is mad as hell sitting 
here.
    When did you hear about the data breach after May third? 
When did you hear about it?
    Mr. McClain. May 16th.
    Mr. Filner. You don't think that is a problem in your 
system? That it took you two weeks to hear something?
    Mr. McClain. I believe it is.
    Mr. Filner. So what are you doing about it?
    Mr. McClain. We are----
    Mr. Filner. You are asking for an RFP, yet you are not 
doing one thing about the management, as far as I can tell.
    Mr. McClain. Oh, I think that----
    Mr. Filner. Tell me, what are you doing?
    Mr. McClain. We are doing a complete review of information 
security in every single office in the VA. From the lessons 
learned from that, and this is being chaired by the deputy 
Secretary. From the lessons learned, we are going to move 
forward with implementing changes, so that there is a uniform 
information security policy throughout the----
    Mr. Filner. What were the lessons you have learned?
    Mr. McClain. Sir?
    Mr. Filner. You said we are going to implement the lessons 
learned. What lessons have you learned?
    Mr. McClain. That we need to pay more attention to 
information security, that we have people out there that do not 
realize that what they have is a veteran's personal data in 
their hands, or on their laptop, and they are----
    Mr. Filner. Don't talk about other people. What have you 
learned? I want to know what you have learned. Do you question 
what you did in those memos in 2003 and 2004 when you gave 
basically the legal rationale for not doing anything? Would you 
retract those, or would you redo them? Tell me what you have 
learned.
    Mr. McClain. Mr. Filner, I would not retract those. I 
think----
    Mr. Filner. Okay, you are the problem. You are the problem. 
Until you admit that, it is not going to change.
    The Chairman. I am going to need to recess the Committee. 
We have six and a half minutes left. We have three votes. So 
after these three votes, we will return. Thank you. The 
Committee stands in recess.
    [The referenced memos are attached to Mr. McClain's 
prepared statement and appear on p. 96.]
    [Recess.]
    The Chairman. The VA Committee will come back to order, and 
I yield to the gentleman, Mr. Filner, so he may resume his line 
of questioning. Mr. Filner, you are now recognized.
    Mr. Filner. Thank you, Mr. Chairman. Thank you for waiting 
for us, Mr. McClain.
    The summary of what I was saying before is that we have a 
whole series of analysts who agreed on several things, and all 
my colleagues seemed to agree, also. The issue of authority and 
resources for the chief information officer or chief 
information security officer. And you made no comment on that. 
Your memos on this issue, where you debate the meaning of the 
word ``ensure,'' reminds me of the president who was trying to 
debate the meaning of ``is.'' You are looking for any reason 
not to get the CISO the authority he needs, and I ask you if 
you would retract those, and you said, ``No.''
    Do you believe that we have to pass additional legislation 
to give the CISO authority in your department, although you say 
here the Secretary could do it on his own? Have you made any 
steps in changing that authority in the VA? Everybody agreed 
that is the main thing.
    Mr. McClain. Mr. Filner, regarding the opinions, I do 
believe the opinions state the state of the law at the time 
that those opinions were written. In other words, the issues 
would come in, or questions would come in, and indeed, in the 
case of the April 7th, 2004, opinion, we had three different 
offices ask us to opine on the particular issue of FISMA.
    [The April 7, 2004, memo referred to is attached to Mr. 
McClain's prepared statement and appears on p. 104.]
    Mr. Filner. Do you think that the CISO ought to have the 
authority that the three panels all agreed on for good cyber 
security?
    Mr. McClain. Well, I don't----
    Mr. Filner. You personally, what do you think? Why don't 
you ask us for legislation that would give the CISO authority? 
You are hiding behind all these words and these opinions. Do 
you think you are the General Counsel--do you think the CISO 
ought to have the authority to enforce the decisions that he 
makes?
    Mr. McClain. I think that if the CIO had additional 
authority it would probably make his particular job easier. Is 
that a good idea? That is really a policy discussion, and not a 
legal----
    Mr. Filner. Other agencies have interpreted the same law as 
giving their CISOs that authority, right?
    Mr. McClain. I am not aware of that, sir.
    Mr. Filner. Have you asked other agencies? Did you consult 
other General Counsels, to see what they said?
    Mr. McClain. No, we didn't.
    Mr. Filner. It seems to me that would be a good thing to 
do. It looks to me that you all decided he shouldn't have 
authority, then you found a way to quibble with the word 
``ensure.'' When Secretary Principi tried to change, he got 
resistance from everybody. So that is what I meant when I said 
you are the problem. You are the problem. You don't even 
believe the CISO should have authority, the way you said it, 
``it is a policy issue.'' I am asking you what you think. We 
just had the biggest breach in the history of the government, 
and you are still quibbling about what the word ``ensure'' 
means. Should the CISO have the authority to enforce cyber 
security rules?
    Mr. McClain. Yes, in some form he should.
    Mr. Filner. Well, thank you. Now, would you recommend to us 
please, by tomorrow, what you would need when you opined that 
he could actually have that authority? You are the Counsel. 
Give us some advice on that. Give us the language.
    Mr. McClain. I would be glad to discuss it with your staff, 
Congressman Filner----
    Mr. Filner. Call me. Don't talk to my staff. You're saying 
it would be a good thing, so make a recommendation that would 
make it happen, since you don't think it can happen under the 
existing legislation.
    Mr. McClain. Well, I didn't say it couldn't happen under 
the existing legislation. In fact, both of the opinions refer 
to the fact that there can be a delegation of authority.
    Mr. Filner. So why hasn't there been?
    Mr. McClain. There has been, to a certain degree, in the 
reorganization that is already underway.
    Mr. Filner. Has there been any change since May 3rd?
    Mr. McClain. No, I don't believe----
    Mr. Filner. Of this year, since this security breach?
    Mr. McClain. I don't believe so.
    Mr. Filner. So you are not doing anything. You are not 
focusing on the major problems.
    Mr. Chairman, as I said, this is very frustrating. You have 
been working on this for several years. I have to admit that I 
didn't pay any attention to you. I should have. And I don't 
think that Congress did. We have now the opportunity to do what 
you want to do, and I think we are all going to be behind you. 
This is not an issue coming from the lone action of one 
employee. That is what you from the VA keep stressing, because 
you think he is going to be terminated. We heard that 
enforcement guidance for cyber security is at best confusing. 
Some say it doesn't exist. We know that Mr. Brody and others 
tried to get that authority; it didn't happen.
    It all comes back to the policies and the management who 
makes those policies. Nobody seems to be accepting that 
responsibility, Mr. McClain. Not the Secretary, not the Deputy, 
not you. I just can't understand what type of leaders would 
fail to do their jobs and then try to put the blame on 
everybody else. When we didn't secure an Iraqi ammo dump, the 
DOD blamed the troops. When FEMA failed to execute a disaster 
plan, they blamed the weather. Now, after years of failing to 
implement a clear, meaningful policy, you blame an employee for 
breaking some unidentified policy.
    Mr. Chairman, I hope that you continue what you have 
started, and you have backing from all of us, and the American 
people. We should not tolerate these policies, or the field of 
leadership that allows them to continue. Thank you, sir.
    The Chairman. Thank you. I have a further line of 
questioning, Mr. Michaud, but let me make this statement, and I 
will yield to the gentleman. If you have additional questions, 
do you?
    Mr. Michaud. Yes, I have.
    The Chairman. Okay. Prior to the break, I had mentioned 
what the colleagues with the Judiciary Committee had done with 
regards to setting up a separate agency to deal with claims 
adjudication as an administrative remedy for pathway to the 
tort claims, Federal Tort Claims Act. And I have asked the 
majority leader to hold that at the moment.
    It really is just a great example of the heightened 
awareness, Mr. McClain, that members of Congress have to, 
quote, ``do something,'' but that can also get you in trouble. 
And so I am very sincere in sharing with you, number one, what 
I had done with the majority leader; number two, my 
conversation that I just had about 10 minutes ago with Chairman 
Walsh. I know that the Secretary will be before this Committee 
on Tuesday. I plan on attending. And I will see the Secretary 
again on Thursday.
    But over this time period or the next 10 days, we want to 
work with you. And I took from your testimony an inference, and 
it is okay, and the inference is that, ``we are outside of our 
lane,'' and with, ``how do we deal with this? We have never had 
to deal with this before.''
    So when you say to the Committee that, ``We are going to do 
an RFP, and we are interested in seeing what they are going to 
bring us,'' usually that is kind of backwards. We correlate 
these kinds of things, and let the private sector know what we 
want. And it is okay, I am not going to be critical of you, 
because we are interviewing just like you are interviewing, 
trying to figure out how to best deal with this, because of its 
scope? And also, how do we pay for it?
    I am not a contract lawyer. I have got to yield to you----
    Mr. McClain. I'm not either, sir.
    The Chairman. All right. And so that is why I am not going 
after you on that. I am just concerned----
    Mr. McClain. Well, Mr. Chairman----
    The Chairman. I just want to let you know, I am concerned 
about what the Judiciary Committee did. So what I am saying to 
you, and please convey to the Secretary what the Judiciary 
Committee just did, I am going to hold that as much as I can, 
okay, with my relationship with the majority leader, to hold 
that. Let us craft a product that not only can we begin to 
monitor, but we can also place the veteran in the assurance 
that they are not going to have an out-of-pocket loss. We are 
going to have potentially a disruption of their life. This is 
going to be uncomfortable. But if we are able to create a 
product, and there are some out there that can give them up to 
$25,000 insurance, with regard to the loss, and we make that 
part of a package, I think it is exactly where the Secretary 
was in his conversation with me. Not by number, we did not 
discuss numbers.
    But please, I yield to the gentleman.
    Mr. McClain. Thank you, sir. I was just saying that I know 
that they're working very hard on the statement of work, which 
will be up with the RFP, and I am sure it will define exactly 
what we're looking for from the three companies, or even more.
    The Chairman. Well, whoever the ``they'' is, will the 
``they'' communicate with our staff, and just as important, 
communicate with the appropriators?
    Mr. McClain. Yes.
    The Chairman. Last thing you want to have happen is put 
together something that you think is best, but has not been 
communicated with the appropriators, and you just turn to them 
and say, ``Pay for it.''
    Mr. McClain. No, I understand.
    The Chairman. You know, my gosh, you are going to end up 
just with what they did with Denver, and they zeroed out 
something because there wasn't the best of communications.
    Mr. Michaud.
    Mr. Michaud. Thank you very much, Mr. Chairman.
    Mr. McClain, the VA directive 6504 dated June 7th of this 
year stated that, I quote, ``the VA employees are permitted to 
transport, transmit, access, and use VA data outside VA 
facilities only when such activity has been specifically 
approved by the employee's supervisor, and when appropriate 
security measures are taken to ensure VA information and 
services are not compromised,'' end of quote.
    How does this policy differ from what was done prior to May 
3rd of this year?
    Mr. McClain. Congressman Michaud, I'm going to have to not 
get into that area because of the three pending class-action 
lawsuits that the actual policies and procedures that were in 
place at the time are at issue in each one of those lawsuits, 
and on advice of our attorney, Department of Justice, I can't 
comment on that.
    Mr. Michaud. Do you believe that the data involved in the 
May 3rd incident constituted a national security data breach, 
or in non-national security?
    Mr. McClain. I have not looked into that or rendered any 
particular opinion on that issue.
    Mr. Michaud. Ever been asked to render an opinion?
    Mr. McClain. I have not.
    Mr. Michaud. So no one at VA is looking at this issue?
    Mr. McClain. Well, I know that it has come up in the 
hearings, and someone is looking at it. But my office has not 
been asked to render an opinion on it.
    Mr. Michaud. Okay, and you have no idea who is looking at 
it in the VA? Because it has come up in previous hearings.
    Mr. McClain. I believe the--well, the office of information 
technology is looking into it right now.
    Mr. Michaud. Okay. Your memorandum of April 7th of 2004, 
states that FISMA does not require the Secretary to provide the 
CIO with the enforcement powers to the extent that he chooses 
to do so. However, he may delegate more authority to the CIO 
and it is provided for by FISMA. A couple of questions, what 
specific authority has the Secretary delegated prior to May 3rd 
of 2006?
    And has the Secretary delegated any additional authority 
since that date? And if so, to which officers?
    Mr. McClain. I don't believe that there was any delegation 
beyond the actual mandates of FISMA, and the Clinger Cohen Act, 
and also the Paperwork Reduction Act; kind of the three acts 
that really control what the CIO does.
    And there has been a lot of discussion on what is required 
at this point, and that is exactly what I was talking about 
before, is we're currently doing a complete inventory of all 
information security practices in every office in the VA. And 
based upon that inventory, that list of best practices and 
recommendations, I'm sure that there will be further action 
taken.
    Mr. Michaud. So you agree that the Secretary can delegate 
to the CIO the authority that he needs to make sure that these 
information security issues are upheld?
    Mr. McClain. I believe that--yes, I believe that there is 
sufficient authority that resides--authority that resides with 
the Secretary that could be delegated down. Now, the one thing, 
the one caveat that I want to put on it is that there was some 
discussion, in particular, Mr. Brody made his statement that he 
was frustrated that there was push-back from HR, I guess, 
when--relating to actual sanctions or penalties against 
government employees. And of course, that is a problem. When I 
say ``a problem,'' from an enforcement point of view. Every 
employee is protected by a lot of Title 5 rules and regulations 
in the government, and the question would be, could the CIO 
impose a penalty or sanction, or discipline, on say, a VHA 
employee that doesn't belong to the CIO? A VHA employee in the 
State of Washington, for example?
    And that would raise tremendous questions under Title 5, 
Title 38. And those issues would require legislation along some 
lines in order to accomplish the complete ability to impose 
sanctions.
    Mr. Michaud. Even if the Secretary gives him the authority?
    Mr. McClain. The Secretary may not have that authority 
because of the laws that are in place. That's why I made it a 
caveat.
    Mr. Michaud. Does the Secretary know that he has the 
authority to delegate a lot more than what has been delegated? 
Has anyone told the Secretary he has that authority?
    Mr. McClain. Yes.
    Mr. Michaud. So he is aware of it?
    Mr. McClain. Yes, he is.
    Mr. Michaud. Okay. And has he made any overtures to you 
that he is looking in that direction, to give all the authority 
that he can to the CIO?
    Mr. McClain. There have been quite a few discussions, as 
you can imagine, recently on the issue, and I'm not going to 
speak for the Secretary, but I believe that there may be action 
forthcoming.
    Mr. Michaud. Okay, thank you.
    Thank you, Mr. Chairman. I yield back.
    The Chairman. Thank you. Ms. Herseth.
    Ms. Herseth. Thank you, Mr. Chairman. I was a little 
confused by some of the responses. And I know I was a little 
late getting back in here, but let me just walk through that 
line of questioning of Mr. Michaud's once again.
    Your interpretation is that the Secretary has the authority 
to delegate certain responsibilities to the CIO?
    Mr. McClain. Yes.
    Ms. Herseth. And that would include enforcement 
authorities?
    Mr. McClain. Yes, certain enforcement authorities.
    Ms. Herseth. Certain enforcement authorities?
    The Chairman. Like what? Sorry.
    Ms. Herseth. Well--appreciate that. I think that----
    Mr. McClain. That's the next question.
    Ms. Herseth. Let us say, which ones would not be?
    Mr. McClain. When I had just responded in the actual taking 
disciplinary action against an employee that is not within his 
department. In other words--let me, if I can, analogize this a 
little bit. The--under Title 5 of--in Federal civil service, 
the appropriate person to propose discipline is the employee's 
supervisor. And so that system is used every day, still in 
place, and indeed that could be used today, in order to impose 
discipline on an employee that does not follow published rules 
and regulations.
    Ms. Herseth. So, separate from disciplinary actions, the 
Secretary would have the authority to delegate any other 
enforcement necessary to ensure compliance by the agency with 
information security requirements?
    Mr. McClain. I believe so. I mean, there's quite a few 
things that the CIO could do. I mean, under FISMA and--the CIO 
has the authority in order to set all of the standards that are 
for access, for classification, for personnel, those sorts of 
things, in order to get onto the CIO equipment, the computer 
equipment, and how to use it, and what to do with it. He can--
if you're talking about enforcement--he can prevent someone 
from getting on, prevent someone from bringing a piece of 
equipment on----
    Ms. Herseth. Prevent someone from obstruction? Of 
implementing the requirements?
    Mr. McClain. Yes. Yes.
    Ms. Herseth. Are you aware, you know, your memos have been 
the focus of a lot of the questions, and even some of the 
discussion in prior hearings? Are you aware of any similar 
conclusions that you drew regarding the CIO's enforcement 
purview of any other General Counsel in any other Federal 
agencies, reviewing the same type of questions that would come 
up about enforcement authorities of the CIO?
    Mr. McClain. No, actually that question was asked, and the 
answer is no, I'm not aware of any others.
    Ms. Herseth. Let me just ask a couple of questions with 
regard to implementation of the March 2004 Principi memorandum. 
Your written testimony states that it might be helpful to 
briefly state what the department has done to implement 
Secretary Principi's 2004 memorandum. You then state that on 
April 30th, 2006, approximately 4000 FTE's were temporarily 
detailed to the office of information and technology. Was that 
step taken to effectuate the March 2004 memorandum, which calls 
on then-CIO Robert McFarland, to devise a department-wide cyber 
security program under FISMA? Or was that a step taken to meet 
other department requirements or responsibilities, such as the 
creation of a separate information technology account, in last 
year's VA appropriations bill?
    Mr. McClain. I think it was a step in direct line with the 
Secretary's October 2005 decision to order an IT reorganization 
in the department.
    Ms. Herseth. And do you believe that the items you list in 
your testimony as addressing the March 2004 memorandum are 
sufficient actions to have taken in response to that 
memorandum, in the more than two years since it was released?
    Mr. McClain. I think that it is certainly a large step in 
the right direction. Are there other things that need to be 
done? Yes, and certainly the department acknowledges that there 
is more to be done in order to effectuate not only this 
memorandum, but the IT reorganization.
    Ms. Herseth. Do you have any thoughts on any of the 
recommendations Mr. Brody made in his written testimony that 
was submitted, most of which I think he also restated in his 
oral testimony today?
    Mr. McClain. No, I have no comment.
    Ms. Herseth. Would you, if you had more time to consider 
them?
    Mr. McClain. Perhaps.
    Ms. Herseth. I would then request from the Chairman that 
perhaps you could submit just any thoughts on those 
recommendations that he submitted to the Committee, from your 
experience in the last number of years here as General Counsel, 
on those recommendations.
    Mr. McClain. All right, certainly.
    Ms. Herseth. Thank you. I yield back.
    [The March 16, 2004, memo referred to is attached to Mr. 
McClain's prepared statement and appears on p. 103.]
    Mr. Filner. Point of order: do we have Counsel here? What 
is the definition of ``contempt of Congress?'' Those last two 
answers were in contempt of Congress, Mr. Counsel. They may not 
meet strict legal criteria, but--we sat here for two hours, 
asked questions of experts. They made recommendations but Mr. 
McClain has ``no comment,'' perhaps he will have something to 
say later. That is just irresponsible; that is contempt of 
Congress.
    The Chairman. All right. Mr. McClain, I have a series of 
questions, and it is going to follow the same lines of some 
issues Mr. Filner brought up, and in particular, Mr. Michaud 
and Ms. Herseth. I think I just got it for the first time.
    Ms. Herseth. Yeah, I couldn't----
    The Chairman. I saw you look up. My lisp, I work through 
it.
    Mr. Filner. Now try Snyder----
    The Chairman. One at a time.
    You are Senate-confirmed; correct?
    Mr. McClain. Yes, I am.
    The Chairman. And your title is an Assistant Secretary; 
right?
    Mr. McClain. No, my title is General Counsel.
    The Chairman. General Counsel, but your equivalent rank is 
Assistant Secretary?
    Mr. McClain. That's correct.
    The Chairman. Are you a senior government official?
    Mr. McClain. Depending on your----
    The Chairman. Are you a senior government official?
    Mr. McClain. I believe I would--the position would be 
considered a senior government official. Yes, sir.
    The Chairman. Assistant Secretary. How about what is the 
next level down? Are they assistant, or are they deputies? 
Deputy Assistant Secretaries? Are they Senate confirmed?
    Mr. McClain. No.
    The Chairman. So would you say that if you are Senate 
confirmed, that you would be a senior government official?
    Mr. McClain. Probably. Yes, sir.
    The Chairman. Trying to figure this out. How do you see 
your role as General Counsel? Are you the VA's chief legal 
officer?
    Mr. McClain. Yes.
    The Chairman. Okay, and how do you see your role?
    Mr. McClain. My role is the final legal word in the 
department on legal issues that are brought to our attention, 
in interpreting laws, and interpreting regulations. I am the 
counsel to the department, and for the most part I provide 
counsel to the Secretary, the deputy, and the senior 
leadership.
    The Chairman. Deputy Secretary--so when you say ``to the 
department,'' access to you is going to come from the 
Secretary, the deputy, and the three under secretaries?
    Mr. McClain. When you say ``access to me?''
    The Chairman. Yeah, they pick up the phone and you answer?
    Mr. McClain. Yes, sir, they will.
    The Chairman. Okay. At what point does that--I am trying to 
understand. I don't know the culture, so I am just trying to 
understand. At what point do you not pick up the phone? In 
other words, at what level is that at? I don't know.
    Mr. McClain. Well, it----
    The Chairman. Everything has a hierarchy. I just don't 
know.
    Mr. McClain. Oh, for me in particular, I have an open door 
policy, so I pretty much answer almost everyone's telephone 
calls, or----
    The Chairman. Yeah, but you got 400 lawyers out there.
    Mr. McClain. Yes, we do.
    The Chairman. You know, you are responsible for them all.
    Mr. McClain. That's right. We have about 270 in the field, 
and the others here in Washington.
    The Chairman. How long have you been the General Counsel?
    Mr. McClain. Since April of 2001.
    The Chairman. Who is your client?
    Mr. McClain. The department.
    The Chairman. Who is the department?
    Mr. McClain. Everyone in VA.
    The Chairman. I am trying to figure out meetings for which 
General Counsel is required to attend. They are what? What 
meetings are you required to attend?
    Mr. McClain. Pretty much any meeting that is scheduled or 
called for by the Secretary, Deputy Secretary. Any boards or 
other type of advisory Committees that I'm on, and can be 
invited to other meetings in the department that are scheduled 
by the under secretaries or an assistant secretary.
    The Chairman. Are there lawyers from your team that also 
would work for the under secretaries? Are there any----
    Mr. McClain. Not directly.
    The Chairman. Not directly, okay. So, the way you just said 
that, you like having line authority over your lawyers?
    Mr. McClain. Yes.
    The Chairman. Really? I bet the CIO does, too.
    Mr. McClain. Probably does. Not over my lawyers, but over 
his employees, yes, sir.
    The Chairman. Who in your legal department has 
responsibility for cyber security?
    Mr. McClain. We have a--I believe it's a GS 15, who is 
responsible for our cyber security, primarily. But ultimately, 
I would be responsible for cyber security.
    The Chairman. Giving your reaction to my question--so do 
you personally and professionally have concerns that the CIO 
could have enforcement authority over one of your employees?
    Mr. McClain. No, I don't. See, when you say--as it turns 
out, the initial reorganization that I think was ordered back 
in 2002, when Admiral Gauss was the CIO, turned out that there 
were a few, a small number of employees that were actually 
transferred to the office of information technology. And my 
information technology employees were transferred at that time. 
So we're actually functioning under this program, where they 
are doing work for us, but they actually belong to the CIO.
    The Chairman. So how does it work that if you have a 
vulnerability in your legal department, and the CIO, who has 
only the authority over compliance, he can only ensure 
compliance, has no authority to enforce anything, he would then 
have to alert you that there is a vulnerability, and that you 
then have the authority to cure; is that how it is supposed to 
work?
    Mr. McClain. Yes.
    The Chairman. Okay. So when the FISMA report says that 
there are these 16 vulnerabilities, and the VA receives an 
``F,'' fails, that then means that three under secretaries 
received a grade of ``F,'' would it not?
    Mr. McClain. I imagine so, yes. The whole department 
received a grade of ``F.''
    The Chairman. Uh-huh. So, given the lines of authority as 
to who is actually responsible for enforcement, it is hard for 
me to imagine, as the first panel described, that when you 
grant responsibility without authority, you are setting a 
position for somebody to be a scapegoat. I don't see how the 
CIO could be a scapegoat if they had no authority to enforce. 
Therefore, there is no scapegoat. There are individuals who are 
responsible, and the individuals who are responsible also have 
the authority.
    That is what is hard for me in all of this. And it is hard 
for me when I read your opinions. That is why I called it the 
heterodox, because it is so incongruent of what we do in our 
society. Because we have a leadership hierarchy in our society, 
that someone is responsible, has the authority, and therefore 
can be held accountable. When I take something out of that, it 
becomes incongruent, and it defies logic. And it makes it hard 
for us, then, to operate a system; actually, even to perfect 
change.
    So I have some more series of questions for you. Let me go 
back to when I mentioned the ``F.''
    As the VA's chief legal officer you are also, are you not, 
responsible to ensure that the VA is compliant with existing 
law? FISMA?
    Mr. McClain. I'm responsible for interpreting those laws, 
and how they apply to our business in the VA. Yes, sir.
    The Chairman. Okay, all right. So, when the FISMA report 
shows 16 vulnerabilities, and that the department has now 
received a failing grade, I would say that they are not in 
compliance with an existing statute. When it comes to you as 
the lawyer, do you worry about that or not worry about that?
    Mr. McClain. Well, I'm obviously concerned about it, and 
the question is, is it because there was inaction on the part 
of certain people? In other words, you would want to look at 
are we indeed violating a law, or not fully implementing a law?
    The Chairman. All right, if the VA receives a failing grade 
for their audit, how can that be following the law?
    Mr. McClain. Well, if it's not--if the law itself is not 
implemented within the department, you have a situation where 
the law is there and it's not being followed.
    The Chairman. Right. Well, that is what I had back in 1999, 
when I could not get the VA to create a CIO. You are right, we 
passed the laws, and we are trying to get the executive branch 
to implement, to execute.
    Does this issue of CIO authority affect the General 
Counsel's office in terms of control over General Counsel's IT 
assets?
    Mr. McClain. No.
    The Chairman. Okay. So your concerns are more on the 
personal side, then? Would that be correct?
    Mr. McClain. You mean for office of General Counsel----
    The Chairman. The office of General Counsel, yes.
    Mr. McClain. My only concern is that I have a good IT 
network that I can rely on and utilize, and that my people in 
the field can rely on and utilize. And so, as I said, my 
employees that I had were transferred over to the CIO. And so 
we are currently operating pretty well right now under that 
criterion.
    The Chairman. All right. These memos that the members are 
discussing, I, in my mind, I have this visual of you conducting 
a brief with three under secretaries, the deputy, and the 
Secretary. I don't know, did that ever happen? Or you just send 
them memos, and people just go about their business?
    Mr. McClain. These particular memos--a memo of this nature 
would come into the office either as an e-mail request or a 
written request for a General Counsel opinion on how this 
particular law applies to this set of facts, whatever it might 
be. That's pretty much how these opinions were initiated. And 
the opinion would be worked by staff attorneys, and it would 
then come up the administrative chain to my office. And the 
opinion would then be reviewed and signed, and sent back to 
whoever the addressee is on the memo. In other words, the 
requesting office. I believe one of them was the CIO, or the 
assistant Secretary for Information Technology, and the 
Assistant Secretary for Policy and Planning.
    The Chairman. When you have a dispute between a matter of 
interpretation of law or regulation between two under 
secretaries, who is your client?
    Mr. McClain. It is the department. I simply will----
    The Chairman. I don't know what that means. The two under 
secretaries are part of the department. The two under 
secretaries disagree on something. How about when the CIO 
disagrees with the three under secretaries? Who is the 
department?
    Mr. McClain. Well, they all are. And I don't take sides on 
it. The question would come to me--we have a dispute, ``I think 
the law should be applied this way, someone else thinks the law 
should be applied that way, please give us your opinion.'' And 
that's what we would do. It may be in the middle somewhere, it 
may not be exactly either person's position.
    The Chairman. All right, use the word ``role.'' What is the 
role and responsibility of the Secretary of the VA for 
information security under FISMA?
    Mr. McClain. He is ultimately responsible for ensuring that 
there is a system in place that ensures the security and 
accountability of personal information.
    The Chairman. Okay. And was the Secretary aware of this 
statutory role and responsibility?
    Mr. McClain. I'm sorry, I'm not sure. I would have to ask 
the Secretary.
    The Chairman. At any time, were you asked to brief the 
Secretary with regard to his role and responsibility in this 
area?
    Mr. McClain. No, sir.
    The Chairman. Okay. All right, let me power through this. 
Hang in here with me, all right?
    The General Counsel memo of August 1 of 2003 on information 
security to the CIO holds that, quote, ``FISMA requires the CIO 
to develop and implement an agency-wide security program to 
achieve the purposes of FISMA,'' end quote. Now that sounds 
pretty good. But then on the February 19th of 2004 memo, what 
that meant to your office was explained further. The memo 
suggests that enforcement language in draft directive 6500 be 
removed that would allow the CIO to hold individuals 
accountable to the CIO for noncompliance, and that would 
establish mandatory penalties. In addition, the memo 
recommended that language empowering the CIO to mandate 
budgetary commitments of administrations be removed because, 
quote, ``we are not aware of statutory authority.''
    [The August 1, 2003, and February 19, 2004, memos referred 
to are attached to Mr. McClain's prepared statement and appear 
on pages 96 and 100 respectively.]
    The Chairman. Basically, this leaves the CIO with 
responsibility, but no real authority to make anything happen. 
That is what we have been discussing here today. So directive 
6500 could have been written, could it not, to have empowered 
the CIO since you then state that the Secretary could have 
delegated that authority? Because what you have is first you 
go, ``there is no statutory authority,'' and the Secretary has 
the authority. Where was the next step of legal counsel back to 
the Secretary that says, ``Mr. Secretary, you can delegate if 
you want?'' But there was no affirmative action ever taken.
    Mr. McClain. Well, I understand, Mr. Chairman, where you're 
going. I think the issue that I would ask is, given our 
opinion, and given the February 19th, 2004, memorandum, that 
there is no statutory authority for certain issues--and most of 
the issues were clustered under security clearance and 
suitability policies, security matters beyond that of the 
information and information security, and also personnel 
matters; human relations and labor-management issues, and the 
memo. And I'm talking in that memo, subparagraphs--paragraph 
2A-1, and then 2A, 2B, C, and D, essentially, in that 
particular memo.
    And what we're saying is entirely consistent with all of 
the opinions read together, is that the current state of law 
does not give the CIO these particular powers or authorities. 
That's what the opinions are, at the point in time on the date 
that they were issued, what is the state of the law as applied 
to the set of facts that we were asked to analyze.
    The Chairman. Is it a curious thing that this March 16th, 
2004, memo has no subject line? The Secretary's memo, March 
16th, 2004, has no subject line. Isn't that a curious thing? Or 
I'm just being----
    Mr. McClain. I note that it does not.
    The Chairman. You are saying, ``Steve, your attention to 
detail is too great?''
    Mr. McClain. Well, no, I----
    The Chairman. It is not a curious thing, I shouldn't make 
anything of it?
    Mr. McClain. I----
    The Chairman. Okay, doesn't mean anything?
    Mr. McClain. No, sir.
    The Chairman. All right. Let me go to what you had just 
stated. I got FISMA right here, okay. And you are right, two 
lawyers can read something that can totally--we can disagree, 
we can agree to disagree. But I read this thing differently 
than how you read it. And I am looking at section 3544, 
``Federal Agency Responsibilities.'' Now, you just made an 
interpretation that says the CIO doesn't have this 
responsibility, it is not granted to him by FISMA. But when I 
read this, section 3544-A, ``The head of each agency shall''--
okay, do you have it right there in front of you?
    Mr. McClain. Yes, sir, I do.
    The Chairman. Okay. See where it says, ``A, shall be 
responsible for,'' this is list A, B, and C, okay? Number two, 
it says ``shall ensure that senior agency officials provide 
information security for information and information systems 
that support the operation assets under their control, 
including,'' and goes down a whole list. Who are ``senior 
agency officials?''
    Mr. McClain. Pretty much what we had talked about 
previously. Under Secretary, Assistant secretaries can be 
senior agency officials, and it may even go further down, and 
that's in relation to FISMA, and information security. Yeah.
    The Chairman. When I read FISMA, if I wanted to, I can read 
this to interpret that only a senior agency official would be 
an under Secretary, and exclude the CIO. Your testimony to me 
is that the General Counsel and the CIO is the equivalent of a 
senior agency official. Now, if I go back and I say, ``Okay, I 
accept your testimony here today that you are a senior agency 
official, the CIO is a senior agency official, the under 
Secretary is a senior agency official, and now I read this lot, 
I don't understand how I can get the interpretation from your 
memo, doing that.'' Now, if I want to parse what I read and say 
that a senior agency official does not apply to what, you and 
the CIO, then I could come up with that memo, as it has been 
drafted.
    Mr. McClain. I think the spirit of the opinion obviously is 
interpreting FISMA. But I think that what's important to 
realize, and what I get out of this, applying these sorts of 
requirements to senior agency officials, is that there is a 
department-wide requirement, and is specially imposed on senior 
agency officials, to ensure that this system of protection for 
personal information is in place and operative. It is not 
giving it or requiring it of a single person, or a single head 
in the department. It is literally spreading it out and saying, 
``You're a senior agency official, you have this 
responsibility.''
    The Chairman. The section of FISMA that makes the Secretary 
responsible for implementation of this statute, 3544, states 
that the head of each agency shall--and again, I am going to 
say it--``ensure that senior agency officials provide 
information security for information, information systems, the 
support the operations and assets under their control.'' Under 
the Secretary's March 16 memo, assuming that it had been 
implemented sooner than last October, wouldn't the CIO also fit 
under these provisions of FISMA? That is what I just asked, 
because he would be a senior agency official under the 
authority of 4000 agency employees.
    The reason I ask this question, Mr. McClain, is that I have 
this sense that these memos essentially were efforts to box the 
CIO.
    Mr. McClain. No, sir.
    The Chairman. Well, that is what has happened by that legal 
interpretation. You disagree with that?
    Mr. McClain. Yes, sir, I disagree with that. I don't 
disagree that the CIO perhaps wanted additional authority that 
was just simply not there in statute, but the opinion is the 
legal opinion as to what the law provides.
    The Chairman. All right. Why did it take until October 19th 
of 2005, over a year and a half, for the VA to take just the 
first step in acting on Secretary Principi's memo? A glacial 
pace?
    Mr. McClain. Sir, I don't have an answer for that.
    Ms. Herseth. Mr. Chairman.
    The Chairman. Did Mr. McFarland--yes, ma'am?
    Ms. Herseth. Well, before you went too far down this, may I 
just follow up on a----
    The Chairman. Yes.
    Ms. Herseth. You just stated that the CIO perhaps wanted 
more authority than your interpretation of the statute allowed; 
right?
    Mr. McClain. Yes.
    Ms. Herseth. But not too long ago in response to some of 
the other questions--does your interpretation of the statute, 
however--I mean, where does the enforcement authority, or the 
authority that the CIO was seeking resides in the Secretary? 
Because getting back to this whole issue of what authorities 
the Secretary could have delegated, I am still trying to figure 
out, and I think the Chairman was raising this at the beginning 
of his second line of questioning, when he began again; tell me 
the distinction between your interpretation of the statute, and 
the authorities granted to the CIO, versus authorities that the 
Secretary has that could be delegated. Is there a distinction?
    Mr. McClain. Yes.
    Ms. Herseth. Okay. So I am going to let you explain the 
distinction, and then re-ask the question that I believe the 
Chairman did, which is, at what point could you have, or did 
you communicate with the Secretary about the possibility of 
delegating some of the authority that the CIO was seeking that 
the Secretary may have had to delegate, separate from an 
interpretation of the statute that didn't give, in your 
opinion, the authorities the CIO was seeking?
    Mr. McClain. Let me give you one example of some additional 
authorities that reside in the Secretary that could have been 
delegated. At the Secretary's discretion, no requirement.
    First of all, FISMA requires the CIO to have certain 
responsibilities and duties and such. The Secretary could 
delegate further, and if--I would go back to the August, 2003 
opinion, which was essentially an opinion on who has authority 
over the national, versus non-national type of files, and also 
physical security versus actual paper, that sort of thing. And 
the opinion was that as the law currently stood, that authority 
over the national type of data, if there was any in VA, and 
physical security, resided in the office of law enforcement, 
within the department.
    Had the Secretary desired to make a change, he could have 
delegated that authority to the CIO. So there was already 
something in place.
    Ms. Herseth. I yield back.
    The Chairman. You know I was really concerned when Bob 
McFarland left. And you are also quite aware of being on the 
inside of that, you have had three under secretaries that were 
pretty strong in their opinions. You are also equally strong in 
an opinion. The Secretary had delegated to the deputy Secretary 
to work this one, work this issue. And Mr. McFarland was pretty 
stressed, because he felt that he was not getting a concurrence 
with his policies.
    So let me ask about the directive 6500. Is directive 6500, 
is it still in a development or a concurrence process?
    Mr. McClain. I believe--and I believe that 6500 is in our 
EDMS system, Electronic Data Management System--Document 
Management System. Still, within the office of information 
technology, for internal concurrence within that office.
    The Chairman. Under your federated approach--I know you 
don't like the word ``box.'' All right, let me rephrase this. 
Under your federated model, are your present interpretations 
that the CIO does not have these lines of authority to enforce, 
is that what is going to happen in your federated model? You 
are going to take that present opinion that you have held for 
the last several years, and apply it to the federated model?
    Mr. McClain. Well, I think several things have changed. One 
is that this particular issue that we were wrestling with 
talked about ISOs, and in particular the March 2004 memo from 
Secretary Principi, I believe was a reaction, as Mr. Brody 
said, to the Blaster worm situation, where the CIO didn't have 
control, any sort of supervisory control over ISOs out in the 
field, and there were over 400 of them.
    As of April 30th of this year, with the detailing of 
personnel into the office of information technology, that 
situation no longer exists. The CIO has direct supervisory 
authority over the ISOs, plus the other IT backbone or 
maintenance type people, even in the field.
    The Chairman. But if I am an under Secretary at the VA, and 
the CIO is giving me directives on compliance where I am 
noncompliant in a particular area, and I ignore him, what is 
the CIO's recourse, legally?
    Mr. McClain. Legally, I'm not sure he has one. 
Administratively, he should bring this directly to the deputy.
    The Chairman. Yeah, so he has got no authority. How about 
if I make the CIO, the Committee here decides to follow our 
instincts of a couple years ago and make the CIO the 
equivalency of an under Secretary? Does it matter?
    Mr. McClain. In other words, would it change our 
interpretation of FISMA?
    The Chairman. No, we are going to change FISMA. We are not 
going to let this stuff happen anymore. We are going to come up 
with our recommendations to change so they are not subject to 
interpretation. But if we go in and we make the CIO and under 
Secretary equivalent, and give him lines of authority and the 
ability to enforce--actually, let us go to the ability to 
enforce. Would you say that that under Secretary, the CIO then 
would not have the ability to enforce anything within the 
jurisdictions of the other three under secretaries?
    Mr. McClain. No, if you passed--if Congress passed a law 
along the lines that you just outlined, then the law would 
provide the authority.
    The Chairman. But unless we do that, your position is it is 
not there; it rests with the Secretary. The Secretary can grant 
that authority, could he not? He can grant, he can also remove. 
Secretary can remove certain authorities from the other three 
under secretaries, could he not?
    Mr. McClain. Yes, he could.
    The Chairman. Ah-hah. Was that ever recommended to the 
Secretary, or the deputy? That you can remove certain 
authorities, you can grant authority to the CIO, but--never?
    Mr. McClain. I'm not aware, sir.
    The Chairman. Well, I could see in disciplinary actions a 
challenge between granting authority or powers to someone who 
is not of an equal, you know, if they are under the under 
Secretary. That is what we are going to have to do.
    Mr. Filner.
    Mr. Filner. Just a quick question, if I can. Does the VA 
have a policy of executive bonuses? Bonuses to the senior 
staff?
    Mr. McClain. Not to political appointees, but to Senior 
executive service.
    Mr. Filner. Okay, so you don't get a bonus?
    Mr. McClain. No.
    Mr. Filner. So none of the political appointees do?
    Mr. McClain. That's right.
    Mr. Filner. And what is the first level that may get one?
    Mr. McClain. Career, who are SES.
    Mr. Filner. Were those bonuses given last year?
    Mr. McClain. I imagine they were. But I have no personal 
knowledge of it.
    Mr. Filner. And when FISMA audits gave the department an 
``F,'' did you take that in any way personally, or share in 
that responsibility?
    Mr. McClain. As to the department getting an ``F?'' I think 
the entire department has to share in that.
    Mr. Filner. Yes, but personally? Nothing happened to any 
person as a result? Nobody got pay cuts, or reprimands, or 
censure, or anything?
    Mr. McClain. Sir, I don't know. I would not normally be 
involved in that.
    Mr. Filner. But you didn't?
    Mr. McClain. I did not.
    Mr. Filner. I mean, there is simply no accountability here.
    The Chairman. I made a note here, Mr. Filner. When we come 
back here and discuss how to put together this legislation, Mr. 
Michaud, that we even should consider writing in our bill, we 
can seek compliance and say that there shall be no bonuses 
until the department is compliant with FISMA. If you got an 
``F,'' and we are giving bonuses, we shouldn't be giving that. 
Maybe we can put it on a sliding scale, get them to a ``B,'' 
you know? You know, I haven't been beyond giving my kids money 
for a good grade.
    All right. I want to thank you for--to my colleagues for 
being here, and let me just say in conclusion, Mr. McClain, I 
know you are here today also to defend your legal department 
and the individuals who wrote these legal opinions. I am 
stressed by them. I am stressed by them because I think that 
they were a contributing factor, and we ended up with a legal 
opinion that I am going to say for the umpteenth time, that is 
a heterodox opinion, and it was a contributing factor in the 
face of 16 unmitigated deficiencies, and something has to 
change.
    And we want to work with you. Please let the Secretary 
know, with regard to the issue that I brought up earlier one 
when we were asking for that proposal, that it also included 
insurance. Please let him know that we are going to work 
cooperatively here, in a bipartisan fashion, to make sure that 
we hold the Judiciary product until we can let them know that 
we are going to work in a positive manner, okay.
    Mr. Michaud.
    Mr. Michaud. Thank you, Mr. Chairman.
    Just one last question, Mr. McClain. Being legal counsel to 
the department, and through my experience in the Maine 
Legislature, where the attorney general offices are legal 
counsel to State departments, you can take different stances in 
different areas. Have you, at any time, while we have been 
dealing with this whole issue of the CIO, given verbal legal 
advice to the agency that this is the way you saw the law, but 
you were directed, or asked by a senior official, ``I want to 
do this, can you justify this, as well?'' Have you ever taken----
    Mr. McClain. No.
    Mr. Michaud. No? Okay, thank you. Thank you, Mr. Chairman.
    The Chairman. Thank you very much. All members will have 
five legislative business days to submit any statement that 
they may like. At this point, the hearing is now concluded. 
Thank you.
    [Whereupon, at 2:10 p.m., the Committee was adjourned.]

    
    [GRAPHIC] [TIFF OMITTED] T8452.064
    
    [GRAPHIC] [TIFF OMITTED] T8452.065
    
    [GRAPHIC] [TIFF OMITTED] T8452.066
    
    [GRAPHIC] [TIFF OMITTED] T8452.074
    
    [GRAPHIC] [TIFF OMITTED] T8452.075
    
    [GRAPHIC] [TIFF OMITTED] T8452.076
    
    [GRAPHIC] [TIFF OMITTED] T8452.067
    
    [GRAPHIC] [TIFF OMITTED] T8452.068
    
    [GRAPHIC] [TIFF OMITTED] T8452.069
    
    [GRAPHIC] [TIFF OMITTED] T8452.070
    
    [GRAPHIC] [TIFF OMITTED] T8452.071
    
    [GRAPHIC] [TIFF OMITTED] T8452.072
    
    [GRAPHIC] [TIFF OMITTED] T8452.073
    
    [GRAPHIC] [TIFF OMITTED] T8452.047
    
    [GRAPHIC] [TIFF OMITTED] T8452.048
    
    [GRAPHIC] [TIFF OMITTED] T8452.049
    
    [GRAPHIC] [TIFF OMITTED] T8452.050
    
    [GRAPHIC] [TIFF OMITTED] T8452.051
    
    [GRAPHIC] [TIFF OMITTED] T8452.052
    
    [GRAPHIC] [TIFF OMITTED] T8452.053
    
    [GRAPHIC] [TIFF OMITTED] T8452.055
    
    [GRAPHIC] [TIFF OMITTED] T8452.056
    
    [GRAPHIC] [TIFF OMITTED] T8452.057
    
    [GRAPHIC] [TIFF OMITTED] T8452.058
    
    [GRAPHIC] [TIFF OMITTED] T8452.060
    
    [GRAPHIC] [TIFF OMITTED] T8452.061
    
    [GRAPHIC] [TIFF OMITTED] T8452.062
    
