[Senate Hearing 109-653]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 109-653
 
VETERANS AFFAIRS DATA PRIVACY BREACH: TWENTY-SIX MILLION PEOPLE DESERVE 
                      ASSURANCE OF FUTURE SECURITY

=======================================================================

                                HEARING

                               BEFORE THE

                     COMMITTEE ON VETERANS' AFFAIRS
                          UNITED STATES SENATE

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 20, 2006

                               __________

       Printed for the use of the Committee on Veterans' Affairs


 Available via the World Wide Web: http://www.access.gpo.gov/congress/senate


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
29-717                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                     COMMITTEE ON VETERANS' AFFAIRS

                    Larry E. Craig, Idaho, Chairman
Arlen Specter, Pennsylvania          Daniel K. Akaka, Hawaii, Ranking Member
Kay Bailey Hutchison, Texas          John D. Rockefeller IV, West Virginia
Lindsey O. Graham, South Carolina    James M. Jeffords, (I) Vermont
Richard Burr, North Carolina         Patty Murray, Washington
John Ensign, Nevada                  Barack Obama, Illinois
John Thune, South Dakota             Ken Salazar, Colorado
Johnny Isakson, Georgia
                  Lupe Wissel, Majority Staff Director
                   Bill Brew, Minority Staff Director


                            C O N T E N T S

                              ----------                              

                             July 20, 2006
                                SENATORS

                                                                   Page
Craig, Hon. Larry E., Chairman, U.S. Senator from Idaho..........     1
    Letter dated July 18, 2006 from James H. Burrus, Federal 
      Bureau of Investigation, regarding the recovered stolen 
      records....................................................     3
Akaka, Hon. Daniel K., Ranking Member, U.S. Senator from Hawaii..     4
Murray, Hon. Patty, U.S. Senator from Washington.................     5
Salazar, Hon. Ken, U.S. Senator from Colorado....................     6
Burr, Hon. Richard, U.S. Senator from North Carolina.............    25
Thune, Hon. John, U.S. Senator from South Dakota.................    28

                               WITNESSES

Nicholson, Hon. R. James, Secretary, Department of Veterans 
  Affairs; accompanied by Robert Howard, Senior Advisor to the 
  Deputy Secretary; Tim McClain, General Counsel; and Robert 
  Henke, Assistant Secretary for Management, Department of 
  Veterans Affairs...............................................     7
    Prepared statement...........................................    10
    Response to written questions submitted by Hon. Daniel K. 
      Akaka......................................................    11
Opfer, Hon. George J., Inspector General, Department of Veterans 
  Affairs; accompanied by Jon A. Wooditch, Deputy Inspector 
  General; and Maureen Regan, Counselor to the Inspector General, 
  Department of Veterans Affairs.................................    12
    Prepared statement...........................................    14
    Response to written questions submitted by Hon. Daniel K. 
      Akaka......................................................    19

                                APPENDIX

Newsweek article, ``The Best Medical Care in the U.S.''..........    38


VETERANS AFFAIRS DATA PRIVACY BREACH: TWENTY-SIX MILLION PEOPLE DESERVE
                      ASSURANCE OF FUTURE SECURITY

                              ----------                              


                        THURSDAY, JULY 20, 2006

                               U.S. Senate,
                    Committee on Veterans' Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:04 a.m., in 
room SD-418, Russell Senate Office Building, Hon. Larry E. 
Craig, Chairman of the Committee, presiding.
    Present: Senators Craig, Burr, Thune, Akaka, Murray, and 
Salazar.

   OPENING STATEMENT OF HON. LARRY E. CRAIG, CHAIRMAN, U.S. 
                       SENATOR FROM IDAHO

    Chairman Craig. Good morning, everyone. The Senate 
Committee on Veterans' Affairs will come to order. I want to 
welcome all of you to this very important hearing. Secretary 
Nicholson, Inspector General Opfer, welcome, and thank you for 
taking the time to be with us this morning.
    On May 3rd, theft of a laptop computer and external hard 
drive from the home of a VA employee has been reported as an 
embarrassing and expensive management failure of VA. While that 
may be true, in the 8 weeks since our joint hearing with the 
Homeland Security and Governmental Affairs Committee, there has 
been much news, both good and bad, on the issue.
    We have learned that the employee was not authorized to 
take the data home and did not safeguard the data once he 
brought it home. We have learned that the appropriate people 
within VA were not informed of the stolen data in a timely 
manner. We have learned that VA policies, practices, and 
procedures are inadequate to safeguard personnel and 
proprietary information. And we have learned that VA has 
insufficiently addressed long-standing OIG-reported information 
security weaknesses.
    We have also learned that law enforcement officials 
recovered the stolen data and hard drive. That is good news 
indeed. And even better news is that based on computer 
forensics examinations, both the FBI and the OIG have a high 
degree of confidence that the data was not accessed or 
compromised after the burglary, and they foresee no reason for 
that assessment to change. And that is very good news for 
America's veterans.
    However, the issue is, I believe, far from closed. This 
incident has had far-reaching implications. America, I believe, 
is watching VA and what VA does to learn from and correct its 
mistakes, because the issue of data security is a problem not 
only across Government, but within the private sector as well. 
I think what happened at VA should be an awakening to all of 
Government. There is not a single American who does not expect 
and, frankly, does not deserve assurances from their 
Government, one of the world's largest custodians of sensitive 
personal information. They deserve a vigilant security program 
to protect that information.
    So we are here today to talk about what needs to be done to 
improve data security and how VA intends to make that happen. 
How do we ensure that the policies, practices, and procedures 
at VA discourage the potential compromise of sensitive data? 
How do we prevent another wholesale failure to recognize the 
importance of a potential breach of security? And can VA more 
accurately assess the extent and scope of an incident in order 
to report these incidents to VA and Congressional leadership in 
a timely manner? And, finally, how do we leverage this enormous 
success that VA has had with electronic medical records to 
become the gold standard in information and cyber security as 
well? That ought to be a real and important challenge.
    The solution to some of these problems may lie in more 
strictly enforced policies, increased education about those 
policies, and increased utilization of data encryption and 
passwords. Some would argue that the solution lies in increased 
legislation and appropriations. But at the heart of it all, VA 
must resolve its repeatedly identified vulnerabilities, 
establish a clear chain of command, and implement an 
accountability structure for the security of its information.
    VA will testify today that they have an implementation 
strategy that is the road map to success and that they are on 
their way. Clearly, that puts their testimony at odds with 
historic patterns.
    I look forward to understanding the mechanics of this road 
map, so much so, in fact, that I will take this opportunity to 
pose my first question of the hearing. Is this implementation 
strategy something which every single VA employee understands? 
Can I have a chat with the systems administrator at the Boise 
VA about the implementation strategy for securing VA 
information or perhaps even a claims supervisor at that same 
facility? Even bigger than the challenge of finding lost data 
is the challenge of making the security of those in the VA 
system everyone's top priority.
    I hope this hearing, like the one we held 2 months ago, 
will shed some more light on the situation, provide clarity to 
some of my concerns and the Committee's concerns--I think we 
hold this jointly--and, most importantly, provide 26 million 
veterans with answers they deserve.
    Before I turn to the Ranking Member, I would like to bring 
to the Committee's attention the July 18, 2006, letter from the 
FBI reiterating its high degree of confidence that the files on 
the external hard drive where the VA data was stored were not 
compromised. This letter will be made a part of the hearing 
record today.
    [The letter from James H. Burrus, Jr., Federal Bureau of 
Investigation (FBI) follows:]

[GRAPHIC] [TIFF OMITTED] T9717.001

    Chairman Craig. Also, before I turn to our Ranking Member 
and other Members for their comments, I want to recognize Tim 
McClain, our VA General Counsel who is with us today. Tim is 
leaving us September 1 to join the private sector. He has been 
an integral part of VA's senior leadership team as the chief 
legal counsel since 2001. He was in the Navy's Judge Advocate 
General Corps and retired from active duty in 1990. He has been 
the point person to handle crises such as Hurricanes Katrina 
and Rita. His tireless leadership in support of the Secretary 
and the VA in addressing the data issues has been key.
    Tim, on behalf of the Committee, I want to thank you for 
your service to VA, to America's veterans, and thank you for 
your service to the country.
    Mr. McClain. Thank you, Mr. Chairman.
    Chairman Craig. Thank you very much.
    [Applause.]
    Chairman Craig. Now let me turn to the Ranking Member of 
the Committee, Senator Danny Akaka.
    Danny.

STATEMENT OF HON. DANIEL K. AKAKA, RANKING MEMBER, U.S. SENATOR 
                          FROM HAWAII

    Senator Akaka. Thank you. Thank you very much, Mr. 
Chairman. And I want to take this opportunity to wish my 
brother well. Chairman Craig, happy birthday.
    Chairman Craig. Thank you.
    [Laughter.]
    Chairman Craig. Well, it will depend on how the hearing 
goes today how my birthday is, Mr. Secretary.
    [Laughter.]
    Chairman Craig. Please proceed, Danny.
    Senator Akaka. Mr. Chairman, thank you very much for 
calling this hearing. It is important. I am with you and with 
the Committee in trying to assure that we can improve data 
security for the Veterans' Administration.
    I want to welcome Secretary Nicholson and Mr. Opfer in 
joining us today, and I look forward to their testimony.
    I know there was a collective sigh of relief when the 
computer equipment containing the stolen data was recovered. It 
was great news to learn that the FBI reached the conclusion 
that it is highly unlikely that the data was compromised. Mr. 
Opfer, I thank you and your office for aggressively pursuing 
this investigation and the timeliness with which you completed 
it. Your hard work has provided the Secretary and us with 
recommendations that should go a long way toward fixing VA's 
information security problems.
    I note that the President's budget for the coming fiscal 
year calls for a serious cut of funding and staff for your 
office. Yet your office's response to this incident shows that 
VA needs more oversight of its internal workings and not less.
    It should not have taken the loss of personal information 
affecting 26.5 million veterans, guardsmen, reservists, and 
active-duty servicemembers, nor the expenditure of millions of 
dollars for me to realize that VA needs to take drastic steps 
to improve its cyber and information security.
    For the past 6 years, VA's IG has reported that information 
technology security is a major management challenge. VA has 
also received failing grades from its Federal Information 
Security Management Act audits. It should not have taken almost 
2 weeks for the Secretary to learn of a problem of this 
magnitude. The slow reaction which characterized the 
Department's response to the theft is unacceptable. I am very 
concerned about the state of VA's internal organization and how 
the Department functions.
    As VA recovers from this incident, it must have information 
security policies, procedures, and practices that are 
standardized for all of its employees. I remain distressed that 
the removal of data was not a violation of any law or 
regulation.
    As I noted at our Committee's hearing on the data loss, the 
incident that brings us here today could have easily involved 
other Government departments and agencies. VA must establish 
safeguards to prevent any loss of data in the future. Secretary 
Nicholson, I hope you will be proactive in your efforts to 
remedy these problems. Veterans have entrusted the Department 
with their personal information and deserve nothing less, and I 
know you will certainly be working on it, and this Committee 
will be interested in how we do that.
    Mr. Chairman, I will continue to work with you to ensure 
that we provide effective oversight of VA's remediation plan. I 
look forward to hearing from our witnesses and hearing their 
testimony this morning.
    Thank you very much, Mr. Chairman.
    Chairman Craig. Senator Akaka, thank you very much.
    Now let us turn to Senator Patty Murray.
    Patty.

         STATEMENT OF HON. PATTY MURRAY, U.S. SENATOR 
                        FROM WASHINGTON

    Senator Murray. Well, thank you very much, Mr. Chairman, 
and happy birthday. I hope it is a good one as well.
    Chairman Craig. Thank you.
    Senator Murray. Thank you, Senator Akaka, especially, too, 
for holding this hearing, and welcome to Secretary Nicholson 
and the Inspector General.
    I know that Chairman Craig and Senator Akaka share my 
concerns about the recent data theft and how it has been 
handled, and we all gave a sigh of relief when obviously the 
data was found. But I was very frustrated to hear that the VA 
was not going to be providing the credit monitoring to veterans 
whose credit may be at risk, and I read the letter from the FBI 
and know that they say it is a high level of certainty that the 
data was not accessed. But, frankly, I would not bet my credit 
on it. And, more importantly, because the VA still does not 
have an adequate security system, I really think until that is 
fixed, the VA should keep its commitment to providing veterans 
with the credit monitoring, and I hope that we can change that 
direction and move forward on that. I will ask you about that 
later.
    I also share the concern of the Chairman and the Ranking 
Member about the past failures with data security. We know that 
the IG has warned time and time again that the systems were not 
secure about the lack of protection for this vital, sensitive 
information about health care and benefits. And these are 
really institutional problems within the VA, and it is going to 
take more than just words about it. We are going to have to 
really hear some very concrete plans, and I hope to ask 
questions about that at this morning's hearing. And I 
appreciate your being here so we can really get to the heart of 
why this investigation took so long to begin, and what changes 
have been made and what the future plans are to make sure that 
this problem does not happen again.
    Mr. Secretary, as we talked about when you came in, I hope 
that we can also take a few minutes to talk about your recent 
trip to Walla Walla 2 weeks ago when you came through my State 
on a series of campaign stops and stopped in Walla Walla. You 
made an announcement--actually both in Northwest Washington 
about a Northwest Washington CBOC and the Walla Walla hospital. 
And as you know, your visit to our State raised more questions 
than it answered, and I hope that I can have the opportunity to 
really define what some of that meant, because I know the 
people in Walla Walla. They are committed; their community is 
committed; the business community is committed; the veterans 
community is committed. They have really worked hard to have a 
seat at the table and want to know what the details are because 
that is really what matters.
    I did send you a letter. I got an answer to it last night, 
but I still feel that there are a number of questions that are 
unanswered, and I hope to get those answers today as well.
    So thank you, Mr. Chairman.
    Chairman Craig. Patty, thank you very much.
    Now let's turn to Senator Ken Salazar.
    Ken.

          STATEMENT OF HON. KEN SALAZAR, U.S. SENATOR 
                         FROM COLORADO

    Senator Salazar. Thank you very much, Mr. Chairman, and 
happy birthday to you.
    Chairman Craig. Thank you.
    Senator Salazar. And thank you, Senator Akaka, for holding 
this hearing.
    I also want to thank Tim McClain for the service that he 
has performed for the VA, and I have very much enjoyed working 
with him. Sometimes I think when we come to these hearings, it 
seems that we get into combat, if you will, with the VA on 
issues that are of concern to Members of this Committee. But I 
think it is also important, from time to time, to remember that 
there is a lot of good that goes on with the VA.
    I had a long conversation with Under Secretary Perlin 
yesterday about the latest article in Business Week, and I 
think it demonstrates that there is a lot of good in the VA. 
And I think that has come about through the joint efforts of 
this Committee and the Congress working closely with the VA.
    I am very appreciative of the fact that we are looking at 
the issue of security breaches at the VA. We all breathed a 
very deep sigh of relief when the FBI recovered the computer. 
We were all very, very lucky on that incident, but I think the 
central question still remains. It was a very troubling 
incident. I know that Secretary Nicholson shares that concern, 
and I am very hopeful that today we will hear more from 
Secretary Nicholson about how we make sure that this problem 
does not occur again. It has always been my view when these 
major mistakes occur and people's lives are affected that what 
we have to do is make sure that you prevent the problem from 
ever happening again. And I am hopeful that the ideas and 
policy directions that Secretary Nicholson is taking in the 
Department will address these issues effectively.
    Thank you, Mr. Chairman.
    Chairman Craig. Ken, thank you very much.
    Before I turn to the Secretary, let me thank you all for 
your kind wishes. In the aging process, there is also some 
humor, and it happened yesterday. We were in the Speaker's 
meeting room prior to the final ceremony on the 75th 
anniversary of the VA in the Rotunda. There was a gentleman 
there from Maryland who is 104 years old. He fought in World 
War I. He enlisted when he was 16 years old to serve in the 
Navy and is in just amazingly good shape, but he could not hear 
very well. And when I bent over to say hello to him, he looked 
up at me, and he said, ``And you fought in World War II.'' And 
I had to remind him that I was not yet born.
    [Laughter.]
    Chairman Craig. So that is part of the positive side of 
this memory as we work through the aging process.
    Anyway, with that, Mr. Secretary, thank you again for 
coming before the Committee. You have heard our Members' 
concern about the good news and the bad news and where we go 
from here. And I think that is going to be what this Committee 
focuses on now and into the future as we work with VA to get 
this right and prevent this problem from happening again.
    Please proceed.

 STATEMENT OF HON. R. JAMES NICHOLSON, SECRETARY, DEPARTMENT OF 
 VETERANS AFFAIRS; ACCOMPANIED BY ROBERT HOWARD, SENIOR ADVISOR 
  TO THE DEPUTY SECRETARY; TIM McCLAIN, GENERAL COUNSEL; AND 
  ROBERT HENKE, ASSISTANT SECRETARY FOR MANAGEMENT, DEPARTMENT 
                      OF VETERANS AFFAIRS

    Secretary Nicholson. Well, thank you, Mr. Chairman, and let 
me add my greetings and happy birthday to you. I recall that 
incident yesterday slightly differently, however. He asked you 
if you fought in World War I.
    [Laughter.]
    Chairman Craig. Yes, I know.
    [Laughter.]
    Chairman Craig. Something about both--I did not want to 
suggest that his ears were failing and his eyes were failing.
    Secretary Nicholson. I appreciate being here before you and 
the Members of the Committee to follow up on what has occurred 
with the Department of Veterans Affairs since the unfortunate 
theft of data from the home of a VA employee on May 3rd. I 
appeared before you at a hearing on May 25th to tell you what I 
knew about this situation at that time. Since then much has 
happened and, as you know and have noted, on Thursday, June 29, 
2006, I announced that Federal law enforcement authorities had 
recovered the stolen laptop and external hard drive.
    The FBI's forensic examination of the recovered laptop and 
hard drive is complete, and the FBI has a high degree of 
confidence, based on the results of the forensic tests and 
other circumstantial information gathered during the 
investigation, that the data contained in that equipment was not 
accessed or compromised in any way.
    This is good news for the VA, most importantly for our 
veterans and our active-duty military personnel, and we believe 
should alleviate the concerns that they may have. But it is 
important that we remain vigilant. And for that reason, we will 
be retaining the services of a company that specializes in data 
breach analysis to monitor this situation.
    I know that the Members of this Committee have digested the 
VA Inspector General's report on events related to the data 
breach. That report is accurate, and it is harshly critical of 
the situation that has existed at the VA for years where we 
simply did not have in place proper procedures, regulations, 
guidelines, and directives. Nor did we have a culture of data 
security that should have precluded an occurrence like this. 
And once the event occurred, we did not show sufficient urgency 
in dealing with it. As you know, I was not informed of the 
theft until nearly 2 weeks after it had occurred.
    So I concur with the recommendations contained in the 
Inspector General's report and am fully committed to seeing 
them implemented in the shortest possible time line. Last 
October, I approved a major restructuring of information 
security within the Department--far, far before this incident 
occurred and reached the light of day. This restructuring 
ordered the centralizing of almost all of the information 
technology within the Department to come under the Chief 
Information Officer. This process was and, of course, still is 
underway and will greatly facilitate control, training, 
responsibility, and accountability. This consolidation of IT 
has been accelerated as a result of this incident.
    There have been several changes that have already been 
implemented, and as we continue this effort, we can make the VA 
the ``Gold Standard'' in the area of information security, just 
as we have done in the area of electronic medical records. The 
VA is the recognized leader in electronic health records, and I 
appreciate that being noted in the recent article in Business 
Week. VA is also the recognized leader in health safety and is 
setting the standards for others to follow. I am committed to 
doing the same in the area of information security.
    We have developed a plan with corrective actions and 
execution time lines necessary to fix the deficiencies cited in 
the IG report. It is a multi-phased effort which includes 
actions in the technical area, such as encryption processes and 
tools, actions in the management area, such as a complete 
overhaul of policies and directives, and actions focused on 
operational area, such as procedures and tools for monitoring 
the extraction of sensitive information.
    We will, of course, be pleased to brief the Committee in 
greater detail on that at your convenience.
    On June 28, 2006, I issued a memorandum delegating to the 
VA Chief Information Officer all authority and responsibilities 
given to me by the Federal Information Security Management Act, 
or FISMA. This delegation does not relieve me of the ultimate 
responsibility, but it does empower the CIO with the authority 
he needs to do his job.
    This delegation restructures responsibilities and 
authorities for information security at the VA, bringing them 
together in one individual. It also is the first step in 
bringing about the cultural changes within the VA generally, 
and more particularly, within the arena of information 
technology. That must occur. I have made it clear to all senior 
managers in the Department that information security, cyber 
security, and the reorganization of the Office of Information 
Technology are top priorities. These senior leaders know that 
every employee must be committed to ensure the safety of 
veterans' personal information. Performance evaluations and 
executive bonuses will reflect the leaders' and employees' 
level of commitment.
    When I commit to becoming the ``Gold Standard,'' I mean VA 
must be the best in the Federal Government in protecting 
personal and health information, training and educating our 
employees to achieve that goal. The culture must put the 
custody of veterans' personal information first--over and above 
expediency. And I expect nothing less.
    The IG report has highlighted serious deficiencies. We have 
a plan for transformation. I realize, however, the 
recommendations contained in this report are just a start. 
Achieving our goal of leadership will require much more.
    I have reached outside our ranks and enlisted the 
assistance of leading experts in the field of data security to 
assist us in defining our path. With their guidance and VA 
resources, we will become the system for all other agencies to 
emulate.
    Training in the area of information and cyber security will 
be a vital component of our transformation. To ensure quality 
and consistency in such a broad-based training program, I have 
directed the establishment of a new Office of Cyber and 
Information Security Training within the Office of Information 
Technology.
    This office will be responsible for developing and 
implementing a training program which will begin with new 
employee orientation and continue through such programs as 
Leadership VA, the Senior Executive Service Candidate 
Development Program, and the Senior Leadership Academy. I 
expect a continual emphasis on information security throughout 
an employee's career.
    Excellence in information security will take the full 
commitment of VA's senior leadership, both political appointees 
and career senior executives. It will also take money, and we 
will seek the budgetary resources we need for success from the 
Administration and from you, the Congress. And it will take 
time, but my sense of urgency is clear.
    Measurable progress will require a steady and consistent 
message for--and from--all who work for this agency.
    Industry experts will help our own IT professionals develop 
program changes and validate our time lines. Employees will be 
held accountable for safeguarding the sensitive information 
entrusted to us by veterans and other beneficiaries. Even now 
we are conducting an inventory to determine appropriate access 
needs for everyone within VA. And we will be instituting 
background checks appropriate to those access levels.
    In fact, it is our people that will make all of this 
happen. There is nothing more important than having people with 
training and character to assume the responsibility to 
implement the changes needed.
    Mr. Chairman, unfortunately a very bad thing happened. A 
monumentally awful thing, and I am outraged by it and by the 
slow response of some in our Department. But I am the 
responsible person, and it is to me that you are entitled to 
look to see that this is fixed. It will not be easy, and it 
will not be overnight. But I am absolutely convinced that we 
can do it. As I have said, I think we can turn the VA into the 
model for information security, just as it has become the model 
for health care in the United States.
    Finally, Mr. Chairman, thank you for your kind words for 
Tim McClain. We wish him well and will miss him.
    That concludes my testimony, and I would be pleased to 
answer any questions the Committee may have.
    [The prepared statement of Secretary Nicholson follows:]

Prepared Statement of Hon. R. James Nicholson, Secretary, Department of 
                            Veterans Affairs

    Mr. Chairman and Members of the Committee.
    Thank you for the opportunity to appear before you to follow up on 
what occurred within the Department of Veterans Affairs since the 
unfortunate theft of computer equipment containing VA data from the 
home of a VA employee on May 3rd. I appeared before you at a hearing on 
May 25th to tell you of what I knew about this situation at that time. 
Since then, much has happened.
    On Thursday, June 29, 2006, I announced that Federal law 
enforcement authorities had recovered the stolen laptop and external 
hard drive. The FBI's forensic examination of the recovered laptop and 
hard drive is complete. The FBI has a high degree of confidence--based 
on the results of the forensic tests and other information gathered 
during the investigation--that the data contained on that equipment was 
not accessed or compromised.
    This is good news for our veterans and active duty military 
personnel and should alleviate any concerns they may have. But, 
identity theft is the fastest growing white-collar crime in this 
country, and it is important that we remain vigilant. For that reason, 
we will be retaining the services of a company that specializes in data 
breach analysis to monitor this situation.
    I know the Members of this Committee have digested the VA Inspector 
General's report on events related to the data breach.
    I concur with the recommendations contained in the Inspector 
General's report, and am fully committed to seeing them implemented in 
the shortest possible time. Last October I approved a major 
restructuring of information security within the Department, 
centralizing almost all of it under the Chief Information Officer. This 
process was, and of course, still is underway and will greatly 
facilitate control, training, responsibility and accountability. This 
consolidation of IT has been accelerated as a result of this incident. 
There have been several changes that have already been implemented, 
and, as we continue this effort, we can make VA the ``Gold Standard'' 
in the area of information security. VA has made great strides forward 
in the area of health care and today is the recognized leader in health 
records and safety and is setting the standards for others to follow. I 
am committed to doing the same in the area of information security.
    We are formulating an action plan that is a multi-phased effort 
which includes actions in the technical area such as encryption 
processes and tools; actions in the management area such as a complete 
overhaul of policies and directives; and actions focused on operational 
areas such as procedures and tools for monitoring the extraction of 
sensitive information.
    On June 28, 2006, I issued a memorandum delegating to the VA Chief 
Information Officer (CIO) all authority and responsibilities given to 
me by the Federal Information Security Management Act (FISMA). This 
delegation does not relieve me of the ultimate responsibility but it 
does empower the CIO with the authority he needs.
    This delegation restructures responsibilities and authorities for 
information security at the VA, bringing them together in one 
individual. It also is the first step in bringing about the cultural 
changes within VA generally, and more particularly, within IT at VA, 
that must occur. I have made it clear to all senior managers in the 
Department that information security, cyber security and the 
reorganization of the Office of Information Technology (OIT) are top 
priorities. These senior leaders know that every employee must be 
committed to ensure the security of veterans' personal information. 
Performance evaluations and executive bonuses will reflect the leaders' 
and employees' level of commitment.
    When I commit to becoming the ``Gold Standard,'' I mean VA must be 
the best in the Federal Government in protecting personal and health 
information, training and educating our employees to achieve that goal. 
The culture must put the custody of veterans' personal information 
first . . . over and above expediency. I expect nothing less.
    The IG Report has highlighted serious deficiencies. We have a plan 
for transformation. I realize, however, the recommendations contained 
in this report are just a start. Achieving our goal of leadership will 
require much more.
    I have reached outside our ranks and enlisted the assistance of 
leading experts in the field of data security to assist us in defining 
our path. With their guidance and VA resources, we will become the 
system for all other agencies to emulate.
    Training in the area of information and cyber security will be a 
vital component of our transformation. To ensure quality and 
consistency in such a broad-based training program, I have directed the 
establishment of a new Office of Cyber & Information Security Training 
within the Office of Information Technology.
    This office will be responsible for developing and implementing a 
training program which will begin with new employee orientation and 
continue through such programs as Leadership VA, the SES Candidate 
Development Program and the Senior Leadership Academy. I expect a 
continual emphasis on information security throughout an employee's 
career.
    Excellence in information security will take the full commitment of 
VA's senior leadership, both political appointees and career senior 
executives. It will take time, but my sense of urgency is clear.
    Measurable progress will require a steady and consistent message 
for--and from--all who work for this agency.
    Industry experts will help our own IT professionals develop program 
changes and validate our time lines. Employees will be held accountable 
for safeguarding the sensitive information entrusted to us by veterans 
and beneficiaries. Even now we are conducting an inventory to determine 
appropriate access needs for everyone within VA. And we will be 
instituting background checks appropriate to those access levels.
    In fact, it is our people that will make all of this happen. There 
is nothing more important than having people with training and 
character, who assume the responsibility to implement the changes 
needed.
    Mr. Chairman, unfortunately a very bad thing happened. A 
monumentally awful thing. I am outraged by it and the slow response of 
some of our Department. But I am the responsible person, and it is to 
me that you are entitled to look to see that this is fixed. It won't be 
easy, and it won't be overnight, but I am absolutely convinced that we 
can do it. As I've said, I think we can turn VA into the model for 
information security, just as it has become the model for health care 
in the United States, as most recently attested to in an article in 
Business Week magazine dated July 17th.
    Mr. Chairman, that concludes my testimony. I would be pleased to 
answer any questions that the Committee may have.
                                 ______
                                 
  Response to Written Questions Submitted by Hon. Daniel K. Akaka to 
                        Hon. R. James Nicholson

    Question 1. Based on the FBI's findings that it is unlikely that 
the data on the hard drive was compromised, VA has withdrawn its plan 
for providing free credit monitoring for those whose personal 
information was on the stolen equipment. VA has stated it will continue 
with a contract for data breach analysis. Please detail when the 
contract will start and exactly what services will be contracting for.
    Answer. Failed to respond within allotted time.
    Question 2. As a result of the data breach analysis contract, if a 
breach is identified concerning a veteran's credit or identity, does VA 
intend to then provide credit monitoring to that veteran? What is VA's 
response plan?
    Answer. Failed to respond within allotted time.
    Question 3. The IG report identified thirteen different memorandums 
and directives that have been issued in response to the data theft. The 
report stated they found a patchwork of policies pertaining to 
information security that were fragmented and difficult to locate. What 
is VA doing to standardize and simplify the policies and procedures 
that pertain to protecting personal and proprietary data so that they 
are clearly understood by all VA employees and contractors?
    Answer. Failed to respond within allotted time.
    Question 4. The IG recommended that the Secretary take ``whatever 
administrative action'' deemed appropriate in connection with 
individuals involved in ``the inappropriate and untimely handling of 
the notification of stolen VA data.'' In your response to IG, you 
indicated that you had directed administrative investigations for some 
employees and for some political appointees on your immediate staff. 
Please explain about the administrative investigations--who is carrying 
them out, how they are being conducted, and what the current status is 
of their progress? With respect to those on your immediate staff, what 
is the timetable for the completion of these reviews?
    Answer. Failed to respond within allotted time.
    Question 5. The IG identified that there is a problem with position 
level designations not being done or being inaccurate for VA and 
contract employees. They also identified a problem of background checks 
for those with access to sensitive data. Please explain the size of the 
problem, how long it will take to fix it, and how much it will cost.
    Answer. Failed to respond within allotted time.
    Question 6. How long does VA intend on maintaining the call centers 
to answer data theft questions from veterans and their families?
    Answer. Failed to respond within allotted time.
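
    The Secretary's action plan above names two technical areas: encryption 
processes and tools, and tools for monitoring the extraction of sensitive 
information. The following is an added example, not code from VA, the OIG, 
or the hearing record, showing the kind of at-rest check an Information 
Security Officer could run over an extract on portable media, and why a 
proprietary record layout alone leaves identifiers exposed while 
encryption does not. The fixed-width file layout, the sample records, the 
key and nonce, and the function names (build_formatted_extract, 
keystream_encrypt, find_ssn_like, audit_extract) are all constructed for 
this illustration. Only the Python standard library is used, so the cipher 
is an HMAC-SHA256 keystream in counter mode standing in for a vetted 
authenticated cipher such as AES-GCM.

```python
"""Audit a data extract for unprotected identifiers and show that a
proprietary record layout is not a substitute for encryption.

Added example (not VA's or the OIG's code). The 'formatted' layout, the
sample records, and the key material are constructed for illustration.
The HMAC-SHA256 counter-mode keystream stands in for a reviewed AEAD
cipher (e.g. AES-GCM); it carries no integrity tag, so do not deploy it."""
import hashlib
import hmac
import os
import re
import struct

# Constructed sample records (fake SSN, name, birth year). Not real people.
SAMPLE_RECORDS = [
    ("123-45-6789", "DOE, JOHN A", 1950),
    ("987-65-4321", "ROE, JANE B", 1962),
    ("555-12-3456", "SMITH, SAM C", 1978),
]

# SSN-shaped token, matched on raw bytes so the scan works on any file.
# Lookarounds instead of \b because a fixed-width layout may butt a name
# directly against the number.
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def build_formatted_extract(records):
    """Write records in a fixed-width binary layout with a magic header,
    imitating a 'statistical software' file. Layout is constructed here."""
    out = bytearray(b"STATX\x00\x01")          # constructed magic + version
    out += struct.pack(">I", len(records))     # record count, big-endian
    for ssn, name, year in records:
        out += ssn.encode("ascii")             # 11 bytes, stored in clear
        out += name.encode("ascii").ljust(32, b"\x00")
        out += struct.pack(">H", year)         # 2 bytes
    return bytes(out)


def keystream_encrypt(key, nonce, data):
    """Counter-mode stream cipher built from HMAC-SHA256.
    Calling it again with the same key and nonce decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = struct.pack(">Q", offset // 32)
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def find_ssn_like(data):
    """Return every SSN-shaped token readable from the raw bytes."""
    return [m.group().decode("ascii") for m in SSN_RE.finditer(data)]


def audit_extract(data):
    """At-rest check for a file on removable media: count exposed
    SSN-shaped tokens and flag the file if any are found."""
    hits = find_ssn_like(data)
    return {"ssn_like_tokens": len(hits), "exposed": bool(hits)}


if __name__ == "__main__":
    plain = build_formatted_extract(SAMPLE_RECORDS)
    print("formatted file :", audit_extract(plain))   # exposed: True
    key, nonce = os.urandom(32), os.urandom(16)
    sealed = keystream_encrypt(key, nonce, plain)
    print("encrypted file :", audit_extract(sealed))  # exposed: False
    assert keystream_encrypt(key, nonce, sealed) == plain
```

    The scan deliberately ignores the file format: it reads bytes, not 
records, which is exactly how the OIG was able to display portions of the 
stolen extract without the statistical package. A real deployment would 
pair such a scan with full-volume encryption of any portable device and 
an access-log review of bulk extracts from the source database.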

    Chairman Craig. Mr. Secretary, thank you very much for that 
testimony.
    Now let us turn to the Honorable George Opfer, Inspector 
General, Department of Veterans Affairs. George, welcome to the 
Committee.

         STATEMENT OF HON. GEORGE J. OPFER, INSPECTOR 
GENERAL, DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY JON A. 
    WOODITCH, DEPUTY INSPECTOR GENERAL; AND MAUREEN REGAN, 
  COUNSELOR TO THE INSPECTOR GENERAL, DEPARTMENT OF VETERANS 
                            AFFAIRS

    Mr. Opfer. Thank you, Mr. Chairman and Members of the 
Committee. Thank you for the opportunity to testify on the 
results of our reviews of the issues related to the loss of VA 
information concerning the identity of millions of veterans.
    As you know, on May 3rd, the home of a VA employee was 
burglarized resulting in the theft of approximately 26.5 
million personal identification information on veterans and 
active-duty military personnel. The Secretary was not informed 
until May 16th. Congress and the veterans were not informed 
until May 22nd. Since then, this Committee, as well as other 
committees and Members of Congress, have expressed considerable 
interest in the incident involving the theft and loss of the 
data.
    When I testified before this Committee on May 25th, I 
described the OIG approach as three-pronged: An ongoing 
criminal investigation which is still continuing regarding the 
theft of the data; an administrative investigation into the 
handling of the incident once it was reported to VA; and a 
review of the policies and procedures in VA regarding 
information security and the process that was used to try to 
safeguard data.
    I am pleased to acknowledge that through the diligent and 
coordinated efforts of the VA OIG, the FBI, and the Montgomery 
County police, the stolen data was successfully recovered on 
June 28th. Based on the facts that we have gathered during this 
criminal investigation and the computer forensics examinations, 
we are highly confident that the data has not been compromised.
    My July 11th report addresses whether or not the employee 
had authorization to access the data, take the data home, 
whether management responded appropriately to the reported 
theft, and whether VA policies and procedures were adequate to 
protect the VA information. The report also discusses long-
standing information security weaknesses in VA.
    Because this employee was responsible for projects 
involving all aspects of VA, he was authorized to have access 
to VA databases. However, at the time of the burglary, his 
supervisors were not aware that he had taken the data home or 
was working on a self-initiated project. In addition, this data 
was not password-protected or encrypted in any way. Although a 
senior manager in the Office of Policy, Planning, and 
Preparedness was informed of the possible loss of VA data on 
May 3rd, it was not communicated up the chain of command to the 
Chief of Staff until May 9th. This is 6 days after the incident 
had been reported. Poor communication, partially resulting from 
a dysfunctional working relationship among senior executives, 
contributed to this delay. The lack of urgency was also 
impacted by a false assumption that other parts of VA had the 
responsibility to investigate and report this incident and make 
the required notifications.
    On May 10th, a day after learning of the incident, the 
Chief of Staff requested legal advice from the General 
Counsel's office. He decided to wait for that legal advice 
before notifying the Secretary. Yet during the 6 days that 
transpired afterwards, there was no follow-up to determine the 
status of that request. The Chief of Staff notified the Deputy 
Secretary on May 10th, and he, too, decided not to notify the 
Secretary until more information was gathered.
    The information security officials with responsibility for 
receiving, assessing, or notifying higher level officials of 
the data loss reacted with indifference and little sense of 
urgency. Efforts to investigate the matter were further impeded 
by errors and omissions in the original incident report.
    Twelve days after receiving the incident report, no 
meaningful progress was made in determining the magnitude of 
the event. Coincidentally, the incident ended up being referred 
back down to the individual who originally referred it in the 
first place.
    We were able to determine in the OIG after one interview 
with the employee the significance of the stolen data. I 
immediately notified the Chief of Staff on May 16th. The Chief 
of Staff notified the Secretary shortly after my call. It is 
unexplainable to us from the period of May 3rd through the 16th 
why no one in the chain of command reinterviewed the employee 
to determine the extent of the damage of the potential data 
loss.
    VA policies and procedures were not adequate in preventing 
the loss. We found that employees were not sufficiently 
trained, required background checks were not performed, 
contracts needed better safeguards to protect data, and 
incident-reporting procedures needed improvement.
    Since the incident, the Secretary has taken many positive 
steps toward strengthening the policies to prevent similar 
disclosures. We have made additional recommendations to the 
Secretary. Our report covers many recommendations aimed at 
taking appropriate administrative action and establishing an 
effective, comprehensive policy that will safeguard protected 
information.
    The Secretary has agreed with our findings and 
recommendations in the report and has provided an acceptable 
improvement plan.
    In closing, I would like to assure the Committee that we 
will follow up on the implementation of all these 
recommendations until they are fully completed. Mr. Chairman 
and distinguished Members of the Committee, thank you again for 
the opportunity to appear, and I would be pleased to answer any 
questions.
    [The prepared statement of Mr. Opfer follows:]

    Prepared Statement of Hon. George J. Opfer, Inspector General, 
                     Department of Veterans Affairs

                              INTRODUCTION

    Mr. Chairman and Members of the Committee, thank you for the 
opportunity to testify today on the results of the Office of Inspector 
General (OIG), Department of Veterans Affairs (VA), review of issues 
related to the loss of VA information involving the identity of 
millions of veterans. I am accompanied by Jon Wooditch, Deputy 
Inspector General, and Maureen Regan, Counselor to Inspector General.
    As you know, on May 3, 2006, the home of a VA employee was 
burglarized resulting in the theft of a personally owned laptop 
computer and an external hard drive, which was reported to contain 
personal information on approximately 26 million veterans and U.S. 
military personnel. The VA Secretary was not informed of the incident 
until May 16, 2006, almost 2 weeks after the data was stolen. The 
Congress and veterans were notified on May 22, 2006. Since then, the 
Senate Veterans' Affairs Committee, as well as other Congressional 
committees and Members of Congress, have expressed considerable 
interest in how this incident occurred and in how VA management 
responded after being notified of the loss of data.
    When I testified before this Committee on May 25, 2006, I described 
the OIG's involvement as a three-pronged approach including: (1) a 
criminal investigation, (2) an administrative investigation of the 
handling of the incident once reported to VA, and (3) a review of VA 
policies and procedures for using and safeguarding personal and 
proprietary data. I am pleased to announce that we completed the 
administrative investigation and the review of policies and procedures, 
and issued our final report on July 11, 2006.
    More importantly, I am also pleased to acknowledge that through the 
diligent and coordinated efforts of the VA OIG, the Federal Bureau of 
Investigation, and the Montgomery County Police Department in Maryland, 
the stolen data was successfully recovered on June 28, 2006. Based on 
all the facts gathered thus far during the criminal investigation, as 
well as the results of computer forensics examinations, we are highly 
confident that the data was not compromised after the burglary. I would 
also like to point out that we are continuing to pursue the criminal 
investigation into the burglary.
    The July 11, 2006, report essentially addresses whether the 
employee had authorization to access and take the data home, whether 
management responded appropriately to the incident, and whether VA 
policies and procedures were adequate to protect information. The 
report also discusses long-standing information security weaknesses in 
VA, even though OIG reports have repeatedly made recommendations for 
corrective action.

               EMPLOYEE NOT AUTHORIZED TO TAKE DATA HOME

    Because the employee was responsible for planning and designing 
analytical projects and supporting surveys involving all aspects of VA 
policies and programs, he was authorized access to, and use of, VA 
databases. The employee explained that much of the data that he had 
stored on the stolen external hard drive was for his ``fascination 
project'' that he self-initiated and worked on at home during his own 
time. Because of past criticism on the reliability of the National 
Survey of Veterans, his project focused on identifying approximately 
7,000 veterans who participated in the 2001 survey, in order to compare 
the accuracy of their responses with information VA already had on 
file. He began the project in 2003, but could not recall spending time 
working on it during 2006.
    To conduct this project, the employee took home vast amounts of VA 
data and loaded it on an external hard drive. The stolen laptop did not 
contain VA data. The employee reported that the external hard drive 
that was stolen likely included large record extracts from the 
Beneficiary Identification and Records Locator Subsystem that contained 
records on approximately 26 million living veterans. The extract 
contained veterans' social security numbers, names, birth dates, 
service numbers, and combined degree of disability. He also reported 
that the stolen hard drive likely contained an extract of the 
Compensation and Pension file, containing personal identifiers of over 
2.8 million living veterans.
    While the employee had authorization to access and use large VA 
databases containing veterans' personal identifiers in the performance 
of his official duties, his supervisors and managers were not aware 
that he was working on the project, and acknowledged that if they had, 
they would not have authorized him to take such large amounts of VA 
data home. By storing the files on his personal external hard drive and 
leaving it unattended, the employee failed to properly safeguard the 
data. While the employee stored the laptop and the external hard drive 
in separate areas of the house, he acknowledged that he took security 
of the data for granted.
    The loss of VA data was possible because the employee used 
extremely poor judgment when he decided to take personal information 
pertaining to millions of veterans out of the office and store it in 
his house, without encrypting or password-protecting the data. This 
serious error in judgment is one for which the employee is personally 
accountable. The Department proposed administrative action prior to 
issuance of our report.

   MANAGEMENT RESPONSE TO THE INCIDENT WAS NOT APPROPRIATE OR TIMELY

    The burglary was reported to the local police on May 3, 2006. When 
the employee discovered that the computer equipment was among the items 
stolen, he immediately notified VA management in the Office of Policy, 
Planning, and Preparedness (OPP&P), including Security and Law 
Enforcement personnel, that the stolen computer equipment contained VA 
data.
    Mr. Michael McLendon, Deputy Assistant Secretary for Policy, was 
one of the managers notified on May 3, 2006. However, it was not until 
May 5, 2006, that the Information Security Officer (ISO) for OPP&P 
interviewed the employee to determine more facts about the loss. The 
ISO reported that the employee was so flustered that the ISO decided 
not to discuss the matter; rather he asked the employee to write down 
what data was lost. The employee's written account of the lost data was 
an identification of database extracts with little quantified 
information concerning the significance or magnitude of the incident. 
This is important because this report served as the basis for all 
further notifications in VA up to, and including, the Deputy Secretary.
    Mr. McLendon received the report of the stolen data on May 5, 2006. 
Instead of providing the report to higher management, Mr. McLendon 
advised his supervisor, Mr. Dennis Duffy, Acting Assistant Secretary 
for Policy, Planning, and Preparedness, of his intent to rewrite the 
report because it was inadequate and did not appropriately address the 
event. He submitted his revised report to Mr. Duffy on May 8, 2006.
    Our review of Mr. McLendon's revisions determined that his changes 
were an attempt to mitigate the risk of misuse of the stolen data. He 
focused on adding information that most of the critical data was stored 
in files protected by a statistical software program, making it 
difficult to access. This, however, was not the case because we were 
able to display and print portions of the formatted data without using 
the software program. Mr. McLendon made these revisions without 
consulting with the programming expert on his staff or with the 
employee who reported the stolen data. Mr. Duffy provided the revised 
report to Mr. Thomas Bowman, VA Chief of Staff, on May 10, 2006. Mr. 
Duffy also did not attempt to determine the magnitude of the stolen 
data nor did he talk to the employee.
    Mr. McLendon also did not inform his direct supervisor, Mr. Duffy, 
when he learned of the incident on May 3, 2006. Mr. Duffy advised us 
that he did not learn of the theft until Friday morning, May 5, 2006, 
when he spoke with the OPP&P ISO, in what Mr. Duffy described as a 
rather ``casual hallway meeting.''
    Mr. Duffy did not discuss the matter initially with Mr. McLendon, 
noting that there had been a long and very strained relationship with 
him. Mr. Duffy said that Mr. McLendon had a very strong belief that, as 
a political appointee, he reported in some fashion to the Secretary and 
that there was no need for a ``careerist'' to supervise him. Mr. 
McLendon characterized the office as one of the most dysfunctional 
organizations in VA, and that it was one of the most hostile work 
environments he ever worked in.
    Mr. Duffy said he just did not perceive this as a crisis. In 
hindsight, he added that his greatest regret is that he ``failed to 
recognize the magnitude of the whole thing.'' Both Mr. Duffy and Mr. 
McLendon bear responsibility for the impact that their strained 
relationship, which both acknowledged, may have had on the operations 
of the office in handling this incident.
    We also concluded that Mr. John Baffa, Deputy Assistant Secretary 
for Security and Law Enforcement, who was notified of the incident on 
May 4, 2006, also failed to take appropriate action to determine the 
magnitude and significance of the stolen data.
    Shortly after Mr. Bowman received the report from Mr. Duffy on May 
10, 2006, he provided it to Mr. Jack Thompson, Deputy General Counsel, 
and asked him to provide legal advice on the agency's duties and 
responsibilities to notify individuals whose identifying information 
was compromised. On May 10, 2006, Mr. Bowman also informed Mr. Gordon 
Mansfield, Deputy Secretary. While the Deputy Secretary does not recall 
discussing the magnitude of the number of veterans affected by the 
theft, he too decided not to raise the issue to the Secretary until 
they knew more information on what VA's legal responsibilities were and 
more about the magnitude of the problem. Once again, no attempt was 
made to contact the employee who reported the theft to determine the 
magnitude of the stolen data.
    The OIG was able to determine the extent of the stolen data after 
one interview with the employee on May 15, 2006. As soon as I learned 
of the magnitude of the incident on the morning of May 16, 2006, I 
immediately notified the Chief of Staff that the stolen data most 
likely contained personal identifiers on approximately 26 million 
records. The Chief of Staff then notified the Secretary.
    The delay in notifying the Secretary was spent waiting for legal 
advice from the Office of General Counsel (OGC). This 6-day delay can 
be attributed to a lack of urgency on the part of those requesting this 
advice and those responsible for providing the response. This is not to 
say that everyone who was notified of the incident failed to recognize 
its importance, but no one clearly identified it as a high priority 
item and no one followed up on the status of the request until after I 
notified the Chief of Staff on May 16, 2006.

   INFORMATION SECURITY OFFICIALS ACTED WITH INDIFFERENCE AND LITTLE 
                            SENSE OF URGENCY

    On May 5, 2006, the OPP&P ISO forwarded information concerning the 
theft to the District ISO, who is responsible for coordinating ISO 
activities among VA Central Office staff offices. He also submitted it 
to the Security Operations Center (SOC), which has responsibility for 
assessing and resolving reported information security incidents. 
However, the OPP&P ISO's incident report had significant errors and 
omissions, and information security officials did not adequately 
attempt to identify the magnitude of the incident or elevate it until 
May 16, 2006.
    At nearly every step, VA information security officials with 
responsibility for receiving, assessing, investigating, or notifying 
higher level officials of the data loss reacted with indifference and 
little sense of urgency or responsibility. At no time did the District 
ISO or SOC attempt to interview the employee who reported the data 
stolen to clarify omissions in the OPP&P ISO's report or to gain a 
better understanding of the scope and severity of the potential data 
loss. While the District ISO elevated the matter to Mr. Johnny Davis, 
Acting Associate Deputy Assistant Secretary for Cyber Security 
Operations, this occurred as another ``hallway conversation,'' and he 
was not provided any details on the nature of the missing data. No 
further notifications were made up the chain-of-command.
    Twelve days after receiving the original incident report, the SOC 
had made no meaningful progress in assessing the magnitude of the event 
and, ironically, had passed responsibility to gather information on the 
incident back to the OPP&P ISO to review it as a possible privacy 
violation, an area outside the jurisdiction of the SOC. The OPP&P ISO 
also serves as the Privacy Officer (PO).

    POLICIES AND PROCEDURES DID NOT ADEQUATELY SAFEGUARD PROTECTED 
                              INFORMATION

    The potential disclosure of Privacy Act protected information 
resulting from the theft raised the issue of whether VA policies 
adequately safeguard information that is not stored on a VA automated 
system. Based on our review of VA policies that existed at the time of 
the incident; policies that have been issued since the incident; and 
interviews with VA employees, Chief Information Officers, POs, and 
ISOs; we concluded that VA policies, procedures, and practices do not 
adequately safeguard personal or proprietary information used by VA 
employees and contractors.
    We found a patchwork of policies that were difficult to locate and 
fragmented. None of the policies prohibited the removal of protected 
information from the worksite or storing protected information on a 
personally owned computer, and did not provide safeguards for 
electronic data stored on portable media or a personal computer.
    The loss of protected information not stored on a VA automated 
system highlighted a gap between VA policies implementing information 
laws and those implementing information security laws. We found that 
policies implementing information laws focus on identifying what 
information is to be protected and the conditions for disclosure; 
whereas, policies implementing information security laws focus on 
protecting VA automated systems from unauthorized intrusions and 
viruses. As a result, VA did not have policies in place at the time of 
the incident to safeguard protected information not stored on a VA 
automated system.
    Although policies implemented by the Secretary since the incident 
are a positive step, we determined that more needs to be done to ensure 
protected information is adequately safeguarded. We found that VA's 
mandatory Cyber Security and Privacy Awareness training are not 
sufficient to ensure that VA and contract employees are familiar with 
the applicable laws, regulations, and policies. We also found that 
position sensitivity level designations for VA and contract employees 
are either not done or are not accurate. In addition, we found that VA 
contracts do not contain terms and conditions to adequately safeguard 
protected information provided to contractors.
    We determined that VA needs to enhance its policies for identifying 
and reporting incidents involving information violations and 
information security violations to ensure that incidents are promptly 
and thoroughly investigated; the magnitude of the potential loss is 
properly evaluated; and that VA management, appropriate law enforcement 
entities, and individuals and entities potentially affected by the 
incident are notified in a timely manner.

    INFORMATION SECURITY CONTROL WEAKNESSES HAVE PERSISTED FOR YEARS

    For the past several years, we have reported vulnerabilities with 
information technology security controls in our Consolidated Financial 
Statements (CFS) audit reports, Federal Information Security Management 
Act (FISMA) audit reports, and Combined Assessment Program (CAP) 
reports. The recurring themes in these reports support the need for a 
centralized approach to achieve standardization, remediation of 
identified weaknesses, and a clear chain-of-command and accountability 
structure for information security. Each year, we continue to identify 
repeat deficiencies and repeat recommendations that remain 
unimplemented. These recommendations, among other issues, highlight the 
need to address security vulnerabilities of unauthorized access and 
misuse of sensitive data, the accuracy of position sensitivity levels, 
timeliness of background investigations, and the effectiveness of Cyber 
Security and Privacy Awareness training. We have also reported 
information technology security as a Major Management Challenge for the 
Department each year for the past 6 years.

                               CONCLUSION

    Because the employee was responsible for planning and designing 
analytical projects and supporting surveys involving all aspects of VA 
policies and programs, he was authorized access to, and use of, these 
and other large VA databases. However, at the time of the burglary his 
supervisors were not aware of the employee's self-initiated project 
and, as such, had no official need or permission to take the data home. 
In addition, the employee reported that the data stored on the stolen 
external hard drive was neither password-protected nor encrypted.
    Although senior managers and other OPP&P staff were informed of the 
possible loss of data on May 3, 2006, the incident was not communicated 
up the chain-of-command until the VA Chief of Staff was notified 6 days 
later. Poor communication, partially resulting from a dysfunctional 
working relationship among senior OPP&P executives, contributed to the 
delay. While there was considerable rhetoric among management 
concerning the need to identify the extent and scope of the stolen 
data, there was virtually no follow-up with the employee to obtain 
results. Also, the lack of urgency in addressing this issue was 
impacted by the false assumption that the SOC had the responsibility to 
investigate the incident and make all required notifications.
    On May 10, 2006, Mr. Bowman requested legal advice from OGC. Yet, 
during the 6 days following this request, Mr. Bowman did not follow up 
to determine the status of the request, or task anyone to develop a 
more definitive description of how many veterans' records may have been 
stolen. Although Mr. Bowman acknowledged he knew the data stolen could 
potentially affect millions of veterans, he demonstrated no urgency in 
notifying the Secretary of the incident and decided to wait for OGC's 
response before doing so.
    Mr. Bowman also notified Mr. Mansfield on May 10, 2006, but Mr. 
Mansfield too decided not to raise the issue to the Secretary until 
they knew more information on what VA's legal responsibilities were and 
more about the magnitude of the problem.
    At nearly every step, VA information security officials with 
responsibility for receiving, assessing, investigating, or notifying 
higher level officials of the data loss reacted with indifference and 
little sense of urgency or responsibility. Efforts to investigate the 
incident were further impeded by errors and omissions in the ISO's 
incident report and were delayed due to ineffective coordination 
between the OPP&P ISO and the SOC. Twelve days after receiving the 
original incident report, the SOC had made no meaningful progress in 
assessing the magnitude of the event and had attempted to pass 
responsibility to gather information on the incident back to the OPP&P 
PO. Coincidentally, this is the same individual who referred the matter 
to the SOC in the first place, which he did in his dual capacity as ISO 
for OPP&P.
    The OIG was able to determine the magnitude and extent of the 
stolen data after one interview with the employee on May 15, 2006, and 
I notified the Chief of Staff on the morning of May 16, 2006. The Chief 
of Staff notified the Secretary shortly after my call. It is 
unexplainable why no one in the management chain-of-command ever 
attempted to re-interview the employee to gain a better understanding 
of the scope and severity of the potential data loss, prior to my call.
    While no policy was violated in the handling of the incident, staff 
and senior managers who were notified of the theft failed to take 
appropriate action to determine the magnitude of what was stored on the 
stolen external hard drive, or whether it was properly safeguarded. The 
failure to determine this resulted in not recognizing the potential 
significance on VA programs, operations, and veterans. Since the local 
police were not told for 13 days that VA data was stolen during the 
burglary, valuable forensic evidence was most likely lost. The delay 
also prevented the burglary from receiving the urgency it warranted 
from Federal law enforcement agencies.
    We found that VA's policies and procedures for safeguarding 
information and data were not consolidated or standardized to ensure 
all employees were following all applicable requirements in a similar 
fashion, and that policies and procedures were not adequate in 
preventing the loss of the data. We also found that VA employees and 
contractors were not adequately trained and reminded of the policies 
and procedures to follow to safeguard personal or proprietary 
information, sensitivity level designations were not always accurate, 
information and data provided to contractors need to be better 
safeguarded, and VA incident reporting procedures and controls need 
improvement.
    Since the incident, VA managers have attempted to strengthen 
policies, procedures, and controls to prevent similar disclosures, but 
additional actions need to be taken to safeguard protected information 
and VA's automated systems.
    Our CFS audits, FISMA audits, and individual CAP reports of VA 
medical facilities and regional offices all highlight specific 
vulnerabilities that can be exploited, but the recurring themes in 
these reports are the need for a centralized approach to achieve 
standardization in VA, remediation of identified weaknesses, and 
accountability in VA information security. Specific recommendations 
were not made in our July 11, 2006, report because 17 recommendations 
are listed in previously issued OIG reports and are being followed up 
on separately.

                            RECOMMENDATIONS

    We recommend that the Secretary:
     • Take whatever administrative action deemed appropriate 
concerning the individuals involved in the inappropriate and untimely 
handling of the notification of stolen VA data involving the personal 
identifiers of millions of veterans.
     • Establish one clear, concise VA policy on safeguarding 
protected information when stored or not stored in VA automated 
systems, ensure that the policy is readily accessible to employees, and 
that employees are held accountable for non-compliance.
     • Modify the mandatory Cyber Security and Privacy Awareness 
training to identify and provide a link to all applicable laws and VA 
policy.
     • Ensure that all position descriptions are evaluated and 
have proper sensitivity level designations, that there is consistency 
nationwide for positions that are similar in nature or have similar 
access to VA protected information and automated systems, and that all 
required background checks are completed in a timely manner.
     • Establish VA-wide policy for contracts for services that 
requires access to protected information and/or VA automated systems, 
that ensures contractor personnel are held to the same standards as VA 
employees, and that information accessed, stored, or processed on non-
VA automated systems is safeguarded.
     • Establish VA policy and procedures that provide clear, 
consistent criteria for reporting, investigating, and tracking 
incidents of loss, theft, or potential disclosure of protected 
information or unauthorized access to automated systems, including 
specific timeframes and responsibilities for reporting within the VA 
chain-of-command and, where appropriate, to OIG and other law 
enforcement entities, as well as appropriate notification to 
individuals whose protected information may be compromised.
    The Secretary agreed with the findings and recommendations in our 
report and provided acceptable improvement plans.

                                CLOSING

    In closing, I would like to assure the Committee that we will 
follow up on the implementation of these recommendations until they are 
completed. Mr. Chairman and other distinguished Members of the 
Committee, thank you again for this opportunity and I would be pleased 
to answer any questions.
                                 ______
                                 
  Response to Written Questions Submitted by Hon. Daniel K. Akaka to 
                          Hon. George J. Opfer

    Question 1. Please provide an explanation for the apparent 
breakdown within the Office of Information and Technology in responding 
to this incident.
    Answer. The breakdown was attributable to a number of factors, not 
the least of which was the lack of a single coherent policy for 
investigating incidents in which protected information was 
inappropriately disclosed, lost, or stolen. Existing VA policies 
focused more on incidents involving the breach or attack into VA's 
automated systems, and less on Privacy Act violations. Also, the 
incident report initially filed contained errors and omissions which 
made it difficult to determine if this was an information system or 
privacy violation. The distinction was not made for 12 days.
    Question 2. Please provide any details on the specifics of the 
FBI's forensic examination of the stolen hard drive.
    Answer. It is my understanding that when you copy or access 
computer files, there is evidence of it in the form of a time/date 
stamp. The FBI computer forensics examinations did not reveal any date 
stamp on any of the stolen files after May 2, 2006, the day before the 
burglary. The FBI cannot give 100 percent assurance because there are 
highly technical ways to access or copy files without leaving a time/
date stamp. However, we do not believe the thieves possessed the 
necessary technical skills for the following reasons.
     • The string of burglaries around the same time and in the 
same general area suggests that the thieves were targeting items such 
as laptops and other computer equipment that are in demand and could be 
easily sold. The fact that the computer equipment was purchased off the 
street for such a negligible amount indicates that the individual 
selling it was unaware of what was contained on the hard drive.
     • Multiple computer disks with VA files, which were used to 
download the VA data onto the external hard drive, were in the 
employee's house but not taken during the burglary. This suggests that 
the computer equipment and not the data was the target of the theft.
    Given all these factors, we are highly confident that the data was 
not accessed.

    Chairman Craig. Well, Mr. Secretary and Inspector General, 
I am sure we can dwell on the past, and we have just heard a 
recapitulation of the past and the failures of the system and 
the personnel involved to deal with this in a timely fashion. 
Or we can focus on the future and where we go from here.
    By your own expression and by the consistent expression of 
observers of the past, this system had shortfalls, could fail, 
did fail. So let me proceed with those thoughts in mind to a 
series of questions of how we go forward.
    First and foremost, Mr. Secretary, you say you are 
retaining a company for the purpose of monitoring information 
or breach flows. Is that a result of the lack of absolute 
confidence that the information was not breached or a risk that 
there could have been some breaches?
    Secretary Nicholson. More the former, Mr. Chairman. There 
is a company out there--and there may be more than one--that 
has a proprietary software that analyzes large banks of data 
and looks for correlations of incidents and can by doing that 
determine these identity thefts are being sourced from a common 
data bank.
    One company that we are very familiar with and have talked 
to in great detail is called ID Analytics. ID Analytics 
subsequently donated its services to VA at no cost. But that 
gives us a suspenders-and-belt sort of feeling that, while the 
FBI has told us that they say with a very high degree of 
probability this has not been compromised, they do not say it 
is 100 percent. So by engaging this company, it gives us 
another line of reconnaissance, if you will, to see if anything 
would start popping up that could be traced back to this bank 
of data. If that happened, then we can take actions with 
respect to monitoring and so forth, notifications.
    Chairman Craig. Do you know or have a general idea of what 
this monitoring will cost? And do you have the money to 
accomplish that?
    Secretary Nicholson. I do have a general idea of what it 
will cost, and we do have the money, yes. It is, I can say, we 
are bidding it, so we would like to protect our position.
    Chairman Craig. That is why I asked the way I asked.
    Secretary Nicholson. It is relatively inexpensive. It is 
surprisingly inexpensive.
    Chairman Craig. OK. Mr. Secretary, you have begun to 
outline for us a great deal of what you are putting into place 
as a result of this failure, and before asking this series of 
questions, I think it is tremendously important for this 
Committee to gain from you and from VA a detailed plan as to 
what you plan to do and how you plan to implement it for a lot 
of reasons.
    First of all, you have said it will take time, and that is 
appropriate, to get it right and to develop a consistency 
inside VA and a culture and a protocol and all of that. And my 
guess is it will be a time in which you may be long gone from 
here, as may I and others. But it is important for this 
Committee and those of us who will monitor it--because we 
will--to understand that procedure, that process, for a couple 
of reasons: To be critical of it, yes, to be observant of it, 
to monitor it, to check it along the way, to work with VA to 
make sure this happens. As you know, the House is moving, I 
think today, to mark up legislation directing and mandating a 
certain procedure.
    So having said all of that, does this plan give veterans, 
in your opinion, the assurance they deserve that information 
and cyber security has become your top priority?
    Secretary Nicholson. I would say unequivocally yes to that. 
You know, this is the order of the day at the VA, and since 
this has occurred, I have traveled out and about and talked to 
hospital directors and regional office directors, and they have 
the word. They have the sense of urgency.
    But, it is still in the nascent stage; you know, we are 
talking and we are getting the talk right, and we are beginning 
to confront the culture. But there is a great deal now that has 
to be done. I mean, the real implementation, then 
transformation has to be done.
    But I would point out--and I think it is fair to do that 
and to give acknowledgment of it, that we started--last October 
we started a major change in this agency, and that was a very 
big decision I made, resisted in many quarters of the vast 
organization, because it is bringing about a big change. On 
October 1st, some 5,050-some people will be moved and over $400 
million will be moved to the CIO, consistent with the 
centralization of responsibility and control over information 
technology and information security.
    Chairman Craig. I will come back with additional questions. 
Let me turn to Senator Akaka.
    Senator Akaka. Thank you very much, Mr. Chairman.
    Mr. Secretary, I am sure that you appreciate that, as a 
result of the data theft, veterans' confidence in VA has been 
low. The veterans my office is hearing from are not certain 
about VA and what VA is trying to do to help them, and it gives 
me a feeling that they will not be easily reassured.
    As I am sure you know, many veterans organizations are 
opposed to the decision to not provide credit monitoring, and 
so my question to you is: What is the status of that about 
credit monitoring? You did mention that you will retain from 
the private sector a company that will continue to monitor this 
situation. Can you give me a status of that?
    Secretary Nicholson. Yes, I can, Senator. The decision was 
made both at OMB with engagement by us, the VA, that the credit 
monitoring that was moving forward as a result of the recovery 
of the data and the FBI's prognosis that it was not compromised 
caused us to conclude that individual monitoring was not 
necessary at this time. And then we were affirmatively going to 
engage this data bank monitoring. And that is the case, and we 
have had conversations with the VSOs. Some of them do oppose 
our decision, and some concur with it, think that it would be a 
waste of $160 million at this time based on the FBI's analysis.
    Senator Akaka. Is the company that you are retaining to 
continue this monitoring of the situation the same group that 
was dealing with the credit monitoring?
    Secretary Nicholson. No, sir. It is a different company. 
There may be other companies. We are putting it out for 
proposal, you know, a request for bids. But we know of the one, 
we have talked to them.
    Senator Akaka. Thank you.
    Mr. Opfer, your investigation found that a number of senior 
VA officials did not seem to have a sense of urgency in 
reporting the missing data to the Secretary who has, again, 
said that he did not know about it until 2 weeks after the 
theft. Do you have any explanation for that?
    Mr. Opfer. Yes, Senator. Most of the senior officials that 
we interviewed seemed to be unfamiliar with the databases 
believed to have been stolen and records that they contained. 
The initial notification of the incident did not quantify the 
magnitude of the potential for the loss. And it did not seem to 
trigger a sense of urgency on the part of any of them to look 
into it or to take control of the issue to try to determine 
what potentially could be the harm. Several of them told us 
that they were working on the mistaken assumption that someone 
else in VA was going to be following up and doing an 
investigation and making the notifications to higher management 
and that they were waiting for additional information. It 
really comes down to a failure to recognize the magnitude of 
the potential loss and taking control of the issue and trying 
to determine exactly what potentially could have been 
compromised by the employee losing that data.
    Senator Akaka. Mr. Secretary, I am sure you appreciate one 
of the concerns that Congress has is that we learned of the 
data loss only shortly before hearing about it on CNN and other 
media outlets. If you had to do it over again, once you learned 
of the data breach, would you at least have come to the 
leadership of the Veterans' committees and let us know about 
the problem earlier?
    Secretary Nicholson. That is a good question, Senator. Here 
was the dilemma: After I did learn about it, of course, I 
immediately informed the White House about it, and then, the 
Department of Justice and the FBI and a lot of very senior 
people got involved in it. But one of the dilemmas was if you 
go public with this, you will inform whoever has that of what 
they have, thinking they may not know what they have. As it 
turned out, as I have often said, through good law enforcement 
and the grace of God, they did not know what they had and we 
got it back. They fenced it and somebody turned it in for the 
reward.
    But that was the dilemma, and on the eve of the day--that 
is, the 21st of May--we had a very big powwow about that, and 
there were pros and cons. I made the decision that we needed to 
inform you, the veterans, that this had happened. And so on the 
22nd, we did it.
    Senator Akaka. Thank you very much. Before I give it up, I 
want to add my gratitude to General Counsel McClain for your 
service and I want to wish you well.
    Mr. McClain. Thank you, Senator.
    Senator Akaka. Thank you, Mr. Chairman.
    Chairman Craig. Thank you, Danny.
    Senator Murray.
    Senator Murray. Thank you very much, Mr. Chairman, and I do 
want to follow up Senator Akaka's question on credit 
monitoring. But before I do that, I wanted to return to the 
question about your trip to Walla Walla, because as you know, I 
have a community that cares deeply about this. They have 
followed the process very, very closely, and they want to have 
a real voice in the process. And I specifically wanted to ask 
you about the plan to involve the local community. They have 
followed the CARES process very, very closely. They expect that 
the VA will follow it, too, and that means sending a plan to 
the local advisory committee for review. Can you commit to us 
that you will follow the CARES process and work with that Local 
Advisory Panel?
    Secretary Nicholson. Yes, I can, Senator Murray. We have 
followed it, and we have been through the first two stages, and 
our analysis based on that, I make those decisions. I made a 
decision on Walla Walla that we would keep that campus open. 
And the purpose of my visit there was to tell them--the 
community, the patients, and the staff, all of whom had 
anxiety--about whether or not we were going to close this. For 
the benefit of the others, it is a very small VA hospital 
complex. And I made a decision to keep it open, and that was my 
purpose of going there.
    Now, we are going to go into the third stage, which is 
being justifiable to keep it open. What will it look like? And 
as you know, when I went there, I assured them that we were 
going to have a new ambulatory outpatient clinic facility 
there. We have other issues that we will be dealing with, and 
we will be engaging the Local Advisory Panel on those issues, 
such as long-term care, inpatient medicine and inpatient 
mental. We have those capabilities there, but as you know, the 
populations are very small. For example, the average daily 
census in the nursing home is 22, in the mental health it is 
18, and in medicine it is 10.
    Senator Murray. OK. But you will follow the LAP process so 
that that plan will go to the LAP committee and they will have 
their official----
    Secretary Nicholson. Yes.
    Senator Murray [continuing].--responsibility to have a 
response back?
    Secretary Nicholson. Yes, we will.
    Senator Murray. The questions that are raised are really--I 
mean, we have been dealing with for a long time. There aren't 
any facilities in the local community to outsource this to. And 
maybe more to the point, as you know, your announcement came as 
a surprise because many of us have been working very, very 
closely on this for a number of years now with the community 
and did not know that you were coming out there. I am glad that 
you have taken the first step to do that, and now the second 
step to continue the LAP process and send the plan.
    But could I get your commitment to come in and talk with 
me, bring your staff, so that I can talk with you about the 
proposal and learn where we are going to go from here?
    Secretary Nicholson. Yes, indeed. Sure, we will do that.
    Senator Murray. OK. I would really appreciate that because 
this is obviously a very involved community. Senator Craig has 
been out there. He knows as well as I do, and we would like to 
work with you to get us to where we need to be. I would 
appreciate that.
    I also wanted to ask you about Bellingham because when you 
were there, we were told that you committed to bringing a VA 
clinic to Northwest Washington and that some kind of 
announcement would be coming within the week. And I have been 
unable to get any clarification from your staff, and I wanted 
to find out from you here, can you tell me what you said in 
Bellingham about the new clinic so that we all are on the same 
page?
    Secretary Nicholson. I can. What I said to the veterans 
there with whom I met was that we have made a decision in the 
CBOC business plan analysis that we would put a new community-
based outpatient clinic, CBOC, in Northwest Washington, 
somewhere between Seattle and the Canadian border. I did not 
specify where it would be located, and I would be happy, when 
we have our meeting, to discuss that with you, but we have not 
made a decision as to where to site it.
    Senator Murray. But the decision has been made to site one 
there?
    Secretary Nicholson. Yes.
    Senator Murray. Is there a time on that, a time commitment?
    Secretary Nicholson. We hope to make the decision about 
where to put it before the end of the year, and then, you know, 
it usually takes us 6 months or so then to open one.
    Senator Murray. Well, I appreciate that, and, again, part 
of the reason there has been such a flare-up over this is that 
our veterans are very well aware of politics and policy. They 
care deeply about policy, and the confluence there has really 
riled a lot of people, as you probably know now from the press. 
But one of the problems, I think, that I am hearing back and I 
think you should be aware of is that people are aware that 
clinics are a promise to veterans and they need to be part of a 
policy that we are all aware of. And there is a deep concern 
that many of these promises that are being made for clinics are 
being made in Republican districts and not in Democratic 
districts. And maybe it is just a confluence of where things 
are, but are you aware that since you have been announcing 
clinics, 80 percent of them are in Republican districts? And I 
think that has brought some question to whether or not we are 
going to have politics become part of the VA process. I do not 
want that to happen. I do not think anybody does. But I just 
wanted you to be aware that is part of what some of the 
backlash has been on this.
    But I do appreciate your commitment to work with us. As you 
know, having been in Walla Walla, this is a really caring 
community. They have worked very hard on this, and I really 
appreciate your commitment to the LAP process and to having 
that community continue to be involved. And I will work with 
you on the western Washington CBOC, and I am really glad that 
is part of the process that you are going in as well. So thank 
you very much.
    Secretary Nicholson. I was not aware of that statistic. I 
have never done that calculus. In fact, I am quite sure that 
district is a Democratic district.
    Senator Murray. It currently is, but, unfortunately, the 
announcement was made on a political campaign rather than 
bringing the veterans in who have been following this, believe 
me, day by day.
    Chairman Craig. Senator Murray, thank you.
    Senator Burr, thanks for joining us, and please proceed 
with any opening comments you would like to make and questions 
of the Secretary and the IG.

         STATEMENT OF HON. RICHARD BURR, U.S. SENATOR 
                      FROM NORTH CAROLINA

    Senator Burr. Thank you, Mr. Chairman, and my 
congratulations on one additional notch on your age. I 
understand it is your birthday today.
    Chairman Craig. Thank you so much.
    Senator Burr. Mr. Secretary, I really only had one 
question, but Senator Akaka has stimulated me to make a 
statement, and I will try to do this as diplomatically and 
delicately as I can.
    Your answer to his question basically said that there was a 
lengthy debate with a lot of people about whether and when to 
notify Congress, and you won. I would tell you, just as a 
Member of Congress and of this Committee, a debate on whether 
that happens and when is not a debate that needs to happen. 
Notification of this body is an automatic thing.
    You were not served well, I think you have acknowledged 
that, from a standpoint of the lag time it took for the 
information to get to you. I also look at what you considered 
to be a quick decision in this debate at issue, and I consider 
the lag time between the 16th and the 22nd, the notification of 
us, as unacceptable. So my intent was not to rehash any old 
stuff. It is just to make the point that we are partners, and 
we serve the veterans, you serve the veterans. We each have a 
piece of the responsibility. Ours is policy and financially. It 
takes all partners to make it work, and I would hope that in 
the future, regardless of what area of Government, there would 
not be a debate about whether or when Congress was included in 
good news or bad news.
    My question is a very simple one. You have gone through an 
exhaustive process to find what the correct path from here is, 
and I commend you for that. I think it has been done very 
thoroughly. What will you do to gain back the trust of 
veterans? I think that was at the root of Senator Akaka's 
question. We made an offer to veterans that I think was an 
offer we had to make--credit monitoring. I was not part of that 
debate as to whether we continued it or not. But that decision 
was made. Now the responsibility still falls to you of, over 
and above, just fixing this system and monitoring to see what 
happens, how do we gain back the trust of veterans across the 
country?
    Secretary Nicholson. Well, Senator, I think you have to 
earn it and you have to show leadership and commitment and 
delivery. I travel a lot. I meet with a lot of veterans, and I 
talk to them about a lot of things. And I would say that 
generally, because the VA continues to function very well--I 
mean, I don't know if you were in here when they mentioned 
about the Business Week article saying that we are not only the 
biggest, but the best health care system in the United States 
of America. And a week ago Monday night, Harvard University 
awarded the VA its top award that it gives every year for the 
best innovative solutions in Government. And 1,000 entities 
competed for that. And the VA won, and they had a big banquet 
up here at the Washington Hilton and awarded that to the VA.
    The VA earned that. The VA continues to provide outstanding 
services, medically and benefits and burials, to veterans. So 
it is functioning very well. But this is, no question about it, 
you know, a real flaw and a very visible one. So we have to 
earn that back. The best way to do it is every day, you know, 
getting up, putting on your work clothes, and doing a good job, 
and then making sure that we get this right, that this does not 
happen, and that we do indeed become the model for this that we 
can be depended on.
    Senator Burr. Well, I clearly acknowledge to you, I believe 
we do much more good than we do bad. This is an unfortunate 
incident. Let me just restate that if there is one organization 
out there that is unhappy with the course that we have laid 
out, then it makes our job that much harder to build that trust 
back, and I would just encourage you today to, as aggressively 
as you can, bring those groups in that represent those 
veterans. Find a way to bring their assurance level high enough 
that it is not just a cutoff mark. And, you know, we all know 
the realities that we are faced with, and if there is $160 
million that we do not have to spend on that, we can put it 
into health care. That makes tremendous sense. But I think we 
also have to understand that there is some element of the 
population out there that we also promised that money to make 
sure that their identity, their credit was protected. As long 
as 100 percent of them feel and are told that they should be 
comforted at what direction we have turned to, I will feel 
comfortable. But unless we have reached that consensus, I think 
we still have some work to do.
    I thank you for your willingness to come up and share your 
plans with us. I thank you for your service, especially at a 
time that it has not been easy as Secretary of the VA. More 
importantly, I thank the Chairman for, I think, the methodical 
way that this Committee has worked through this issue trying to 
find a common solution, and I commend you.
    Chairman Craig. Thank you, Senator.
    Mr. Secretary, General Opfer, let me make a couple of 
comments and then go into the plan and where you all are going 
to go. We are tremendously proud of what VA did during 
Hurricane Katrina, the orderly process of evacuating hospitals 
and removing people and taking them out of harm's way. You did 
it because you had a plan and you had practiced it and executed 
it. You could do it jointly or hospitals could do it 
individually. And when communications systems broke down, 
hospitals did it individually.
    I was here on 9/11. Most of us were. Chaos reigned supreme 
on Capitol Hill. Why? No plan of execution, no process, no 
procedure, and, more importantly, no drilling--no establishment 
within the system and within the employees--of how you deal 
with an emergency crisis. We are now doing that. The bells ring 
around here. People orderly march out. They go to their points 
of contact. They go to garages. They are quarantined. We 
practice, we drill. And we are getting better. And even during 
that, there is a sense of calm now that, if it were real, 
somehow we would have a way of orderly moving through this and 
getting out of it. That is how you establish a culture. You do 
not do it by simply putting it on paper. You work it. You 
process it. You proceed. You practice it. And you enforce it 
amongst those who fail to listen. As much as I respect the VA, 
I also understand the firewalls of a bureaucracy that will 
resist change.
    So let me turn to you, General Opfer. Have you had a chance 
to review VA's implementation plan that the Secretary talks 
about? And if so, what are your comments?
    Mr. Opfer. Yes, Mr. Chairman. The report that we issued 
covered a lot of issues raised in the FISMA work, the 
consolidated financial statement audit, as well as the data 
loss. We made a number of recommendations to the Secretary, and 
I am very pleased at the reaction of the Secretary and his 
commitment toward the recommendations in our reports. The 
Secretary has concurred with all the findings and the 
recommendations that we have made and provided us improvement 
plans.
    In his response, he has extended a commitment to 
strengthening and clarifying all the VA policies which relate 
to information security and privacy issues, holding employees 
as well as--I think a very important factor--contractors to the 
same standards and to make sure that we are correcting the 
problems found with contracts, so that they all comply with 
these policies.
    Improvement plans provided by the Secretary are responsive 
to our recommendations, and I think when they are fully 
completed and fully implemented, they will address the concerns 
that we raised in the report. The Secretary mentioned an issue 
which I think is one that we have to overcome. There is a 
culture problem that we need to address because this change 
really addresses that we need to have the people, all the 
employees in VA and contractors, those that use the systems 
change their culture regarding the use, the storage, and 
transmission of the data. And I think that the plan will 
provide us an opportunity, and we will fully review all the 
recommendations as they are being implemented to make sure that 
they are fully implemented.
    Chairman Craig. You have walked into my next question, and 
that was: Do you have a plan to follow up and to monitor?
    Mr. Opfer. Yes, usually what we do--and we will in this 
case, Mr. Chairman--is we will not close out any of the 
recommendations until they are fully implemented. For example, 
implementation of a new policy and procedures without 
compliance does not do any good. You have to have the 
compliance with the policies and procedures. So we will not 
accept that they have established a policy and procedure, we 
will go out to various facilities to make sure that there is 
compliance, not only in headquarters, but whether it is in a 
hospital or another location out in the country. We will 
aggressively follow up on all those recommendations and make 
sure that they are in compliance.
    In addition, as I mentioned, our FISMA work and 
consolidated financial statements audits, prior to this issue, 
I had made a decision that I was going to contract out next 
year for the FISMA work, and I wanted to use the staff that the 
IG had that was doing the FISMA work to do additional IT 
penetration tests and other IT security issues. So this would 
fall right into it. We will aggressively pursue--and as I am 
testifying here today, we are doing unannounced penetration 
tests and other compliance audit reviews, and we will 
aggressively continue to do those.
    Chairman Craig. Thank you.
    We have been joined by Senator Thune. John, do you have any 
opening comments or questions before we start the second round?

          STATEMENT OF HON. JOHN THUNE, U.S. SENATOR 
                       FROM SOUTH DAKOTA

    Senator Thune. Mr. Chairman, I just want to thank you for 
holding the hearing, and I want to thank Secretary Nicholson--
and good to have you here, Mr. Opfer--for joining us and 
hopefully shedding some additional light on this very important 
issue of data security. It is something that veterans in South 
Dakota--one of the things when I travel in my State, and I am 
sure you hear this, too--an issue that really got on the radar 
screen. There is a tremendous concern--it really penetrated the 
consciousness of our veteran community out there and a real 
concern. And I guess my whole concern here--and I hope that 
some of the findings and recommendations and issues that have 
arisen out of this will give us an opportunity to address this 
so that it never happens again. So we look forward to working 
with you on that, and I want to thank you, Mr. Chairman, for 
holding this hearing.
    As we said at the last hearing we had, when initially this 
was disclosed, we have got a lot of work ahead of us, and so we 
look forward to getting that done. I will let you go ahead and 
some of the folks who have been waiting here ask some 
questions, and I will perhaps ask some questions on the second 
round. So thank you for holding the hearing.
    Chairman Craig. Senator Thune, thank you.
    Senator Murray.
    Senator Murray. Thank you, Mr. Chairman.
    Let me follow up on the credit monitoring issue again, 
because I think Senator Burr spoke to the issue that I think is 
deeply concerning to all of us, that is, reestablishing trust 
to our veterans. And a promise was made to them, after they 
felt very violated that their records had been gone, that they 
would have this credit monitoring for a year. So I think the 
announcement that they would then not have it has jarred a lot 
of feelings, well, how do we trust this? I think that is an 
important point in consideration, and no one wants to spend 
money unwisely. But I would suggest that it would be wise money 
spent. I listened very carefully to the plan, and obviously a 
change of culture with an additional long-term implementation 
of encryption processes and all the other things that are going 
to go into making sure that the records are not breached again, 
leaving those records vulnerable until all of that is 
accomplished, it seems to me that the credit monitoring would 
be a wise investment.
    But the other issue that I want to raise as well that tells 
me that we should keep credit monitoring is that we are getting 
a number of veterans calling us telling us that they are 
getting called by people who say they are with the VA and 
asking for personal information in order to protect the 
veteran's credit. I am very concerned that we have left this 
population vulnerable to those kinds of individuals, and 
providing the credit monitoring will give them the ability to 
say, ``I already have protection,'' and make them much less 
vulnerable to those kinds of people who will use this incident 
to go after them.
    So I would like to ask you again, Mr. Secretary, where you 
stand on the individual credit monitoring and how we can 
perhaps go back to that question.
    Secretary Nicholson. Again, we made a decision that after 
the data had been stolen, was, you know, at large, that we 
should contract and provide credit monitoring for the affected 
veterans. Then the data was recovered, and the FBI is saying 
that this data was not compromised. And the cost, given the 
large population of people, is approximately $160 million. So 
the facts changed. The situation has changed.
    We plan to inform the veterans of that, and we plan to 
inform the veterans in a letter telling them they can still 
have their credit monitored by one of the three monitoring 
agencies, free for a period of, I think it is 90 days by 
calling them on a 1-800 number. They can still get credit 
reports three times during the year if they have any concerns, 
and that we are doing this overarching analysis of this data 
to----
    Senator Murray. So is the credit monitoring still available 
to the veterans? Maybe I misunderstood.
    Secretary Nicholson. Not in the form that we were going to 
provide before the data was recovered, no. But all veterans, 
all citizens are entitled to call one of those credit 
monitoring companies and get a copy of their credit report and 
to have a credit alert put on their file for----
    Senator Murray. But it costs them something.
    Secretary Nicholson. No, it does not cost them anything.
    Senator Murray. But you are not going to offer the one year 
free credit monitoring that originally was involved. Well, can 
you give this Committee the assurance 100 percent that 
information was not accessed?
    Secretary Nicholson. I can only give you, Senator Murray, 
what the FBI has given us, which is that this data, based on 
their forensic analysis and the expertise that they have, 
combined with the circumstantial part of it, which was that 
this was, again, random burglary that was not seeking this 
data, and the way it was handled and fenced and somebody bought 
it and turned it in for a reward----
    Senator Murray. But it was fenced and someone else had it, 
so it is--I have not seen the FBI report. Obviously, they have 
not shared all the details with us. But there still can be a 
chance that it was accessed by someone who knew what they were 
doing.
    Secretary Nicholson. I think that I could not sit here and 
say to you that it is 100 percent, because the FBI has not told 
us that.
    Senator Murray. OK. And we also know that the VA records 
themselves, still we have not implemented the plan that you 
have now moved forward. You are moving forward on one, but the 
records still are not encrypted. There still has not been the 
change of culture, those kinds of things that we can guarantee 
people. Correct?
    Secretary Nicholson. All of our restructuring and 
reformation and all that are not complete. That is correct. 
There are many things underway.
    Senator Murray. And are you aware that some of our veterans 
are getting called by people saying that they are with the VA 
and offering services?
    Secretary Nicholson. I have heard that on a couple of 
occasions they were being called by the VA because the VA does 
polling of its beneficiaries continuously, both medically and 
benefit----
    Senator Murray. They call and ask for personal information 
over the phone?
    Secretary Nicholson. We have discontinued that. It is just 
authentication information that they are talking to the right 
person. But we have discontinued that for now because that was 
causing confusion. But, additionally, it is possible that--I 
mean, it is not only possible, it is probably happening that 
veterans are getting calls from people in this fraudulent world 
because that happens. Last year, I am told that 9 million 
Americans had their identity stolen.
    Senator Murray. Right. And, unfortunately, some people are 
using this incident to then call veterans and ask for their 
personal information, saying that they are with the VA, which 
leads me, again, to the conclusion that providing this credit 
monitoring for a year will give some security to veterans at a 
time when, whether it was real or not, whether actually the 
data was used or not, there is a lot of insecurity out there. 
So I guess I would just ask, Mr. Chairman, if that question 
could be reconsidered, if we could look at the facts. I think 
it is a time when we have to reassure our veterans. I do not 
want to spend the money any more than anyone else does. I 
certainly do not want to see it come from benefits or health 
care. But I also know that a climate has been created that 
could be used by someone who is using it fraudulently, but also 
when our veterans themselves still do not know that their 
information is encrypted, and I think that kind of security 
would be something that we--I hope we can relook at that 
decision and do it quickly.
    Chairman Craig. I thank the Senator, and I do not think any 
of us do not share in your concern. And it is not a perfect 
world, and I think the reality is--and that is when we began to 
look at this in a situation where we believed--we knew that the 
information had been stolen. We did not know that it had been 
breached yet; that veterans, by simply the multiplier that the 
Secretary spoke to, some were going to get their ID stolen, 
whether it was out of this database or whether it was another 
database; and that how we measured that was going to be 
critical because the Government is not responsible for a 
veteran's loss of information if it is not out of this 
database, and how we break that out, clarify it, and understand 
it.
    So I am to date comfortable with the current monitoring 
that is underway and planned for the broad sense to try to 
assure that what we believe is now at hand is valid. And I am 
willing to live with that for the time being.
    If there is any indication that it is not, then I am going 
to agree that there is a responsibility.
    Senator Murray. Well, we do have a problem because we have 
all been out there talking to veterans saying, ``Your credit is 
free monitoring.'' They may not know that the decision has been 
rescinded, and, you know, for us to go back out there and say, 
``Oh, never mind now'' is a very difficult situation.
    Chairman Craig. That is a communications problem that I 
think we have got to all work collectively at, and I----
    Senator Murray. Yes, and I am just looking at it, it is 
just my recommendation that we continue it.
    Chairman Craig. I appreciate that.
    Senator Murray. But we will have the discussion.
    Chairman Craig. Yes.
    Mr. Secretary, how do we, how does this Committee, how does 
VA, and how does a new Secretary 3 years from now or 4 years 
from now, sit before this Committee and hold up a brochure like 
this and say, ``Today Harvard has announced that the 
information system of the VA is the best in the Nation and a 
model for the rest of the Federal Government to follow?'' How 
over the course of the next 3 years do we work with you and a 
new Secretary to make sure that that announcement day comes? We 
obviously, by the establishment of VA's electronic medical 
records success, have it within the system's capability of 
getting it done. And how do we work with you to assure that 
same thing will happen system wide in the information world?
    Secretary Nicholson. Well, that is exactly the goal, Mr. 
Chairman. You have described it. That is what we talk about, 
our leadership team, when we talk about the change that we are 
in. We use the term the ``Gold Standard,'' but that is really 
what we are talking about. If we can win this annual award for 
innovations and Government solutions for our electronic medical 
records, we can do it for our information technology and 
security systems.
    But, you know, it is going to take a very good plan, that 
is, good architecture. Then it is going to take good 
implementation and constant monitoring, you know, management, 
to see that it is functioning the way that it should. And that 
is the path that we are on.
    We have brought in the best, we think, that exists to help 
us in that architecture to design the kinds of systems that we 
need. And as I have said in my testimony, we made the threshold 
decision last October which had to be the predicate for all of 
this that we have centralized the management of information 
technology in this vast bureaucracy where it was decentralized 
all over the world, really, from Maine to Manila. That is all 
being pulled in, and that was underway because of some of the 
deficiencies that had been pointed out for several years by the 
IG.
    It is accelerating. We have a sense of urgency about this. 
This is a terrible event. I do not think that a lot of it is 
very technical when you talk about the kinds of encryption 
models that we are going to use and those kinds of things, but 
a lot of it is common sense of having people inculcated with 
this culture. And the model that I use, which I am very 
familiar with, is the military, where to have access to 
classified information, you have to have a clearance and you 
have to have a need to know. I think that is a model that we 
need for access to all this digitized information that we now 
work with in this agency and so many others. We need to know 
something about the people to whom we are giving this access 
because you have to--in the end game--you have to trust them. 
You cannot keep it from them.
    Somebody asked me at one of the hearings how we could let 
them carry it out, and I held my wallet up, which is larger 
than this hard drive. But they do not have to carry it out, Mr. 
Chairman. They can send it out.
    Chairman Craig. That is right.
    Secretary Nicholson. So you have to be able to depend on 
the people, and you have to know something about them, which 
means give them background investigations, clearances. So it is 
a composite of all those things. It is going to take a lot of 
management.
    Chairman Craig. Have you established a time line? Is that 
now in place? Or are you far enough along to say here are time 
lines in which certain things will be accomplished that we in 
the Congress can--that you can share with those of us in 
Congress who are focused on this, share with the Inspector 
General, in a way that we can monitor with you those successes?
    Senator Murray talks about a state of confidence. Senator 
Burr talks about a state of confidence. Senator Akaka talks 
about a state of confidence. As I said in my opening statement, 
the state of confidence on Capitol Hill does not exist today 
because of repeated warnings, repeated observations, and a 
failure to adhere to that, not on your watch, but on many 
watches before you. Had that state of confidence been 
established, and a procedure and a process, prior to your 
presence as Secretary, there is a strong likelihood that what 
occurred on the 3rd of May would not have occurred. And so I do 
not think this Congress is going to be confident, and my guess 
is that the population that VA serves will not be confident, 
until that plan is monitored, publicized, implemented, and the 
implementation phases are monitored and publicized.
    When can we expect to see that kind of time line, 
procedure, and process?
    Secretary Nicholson. We have that, Mr. Chairman. In fact, 
it is at Tab 3 of the IG's report, which I am sure you have a 
copy of.
    Chairman Craig. OK.
    Secretary Nicholson. It takes pretty good eyesight because 
it is----
    Chairman Craig. That may be my problem at 61 years of age.
    [Laughter.]
    Secretary Nicholson. I was going to say as a World War I 
veteran----
    [Laughter.]
    Secretary Nicholson. I would refer you to that, and this is 
a dynamic document, but it does show the functional things that 
we are doing and time lines that have been affixed to them. And 
because it is dynamic and it is not all cast in bronze yet, I 
would not submit it for the record of this hearing. But the IG 
has it, and it is in the report.
    Chairman Craig. We have it. That is why I brought it up. 
This needs to be known.
    Inspector General, how do you monitor this time line? It is 
in your report. You have a process in place now to follow 
through?
    Mr. Opfer. Yes, that would be the process I described 
before, Mr. Chairman, of any recommendations or findings that 
we have in the report. We do not clear those recommendations or 
findings until they have been fully implemented and we have 
verified that they have been implemented throughout all the 
facilities in VA. That is part of our follow-up process.
    Chairman Craig. OK. Thank you.
    Senator Thune.
    Senator Thune. Thank you, Mr. Chairman, and I appreciate 
that line of questioning. That is an issue that I have talked 
about in previous hearings here, and that is the issue that was 
raised with the House bill that would centralize everything. 
And I think we talked about at this hearing the efforts that 
are being made internally to accomplish some of those same 
objectives at the VA. And so I am very interested in the 
Chairman's line of questioning with respect to timing and how 
that is proceeding.
    I also am interested in just getting your reaction, because 
I think they are debating in the House today, to legislation 
that would make the CIO at the VA an Under Secretary, and if 
you think that makes sense, to have someone that has got more, 
I guess, line authority, someone that can oversee this whole 
effort that is being made to get this information centralized. 
And I know you have different models that have been described 
at previous hearings. The Federated model I think is the one 
that you are--is that correct? Is that the one that you are 
pursuing right now?
    Secretary Nicholson. Yes.
    Senator Thune. But I guess I would be interested in 
knowing, Mr. Secretary, whether the legislation is something 
that you would support, whether that is a worthwhile course to 
proceed with, and any other thoughts you might have about how 
we just tighten this up so that the information that is there 
does not have the propensity to be, I guess, lost or stolen 
like what we experienced here with this last event.
    Secretary Nicholson. Well, I think that is a very good 
question, Senator Thune, and we have been working with it. The 
House is doing that, with all the best intentions of trying to 
help this, that is, to make the Chief Information Officer an 
Under Secretary.
    I do not think it is necessary. The importance underlying 
all of this is leadership, the commitment, and sound 
management. And so the title that you give someone, that is not 
going to fix anything. It is how it is implemented and in this 
cultural change that we have been talking about.
    So it violates, frankly, my sense of design of an 
organization because we have three Under Secretaries and each 
of them have operational responsibility: One is to run a health 
system; the other is to run a benefits system; and the other is 
to run a burial system. They are operators. They are in a 
military context. They are maneuver element commanders. They 
are out there, they are fighters. And the others, everybody 
else is a staff supporter. And information technology and 
information security is a staff function. It is a very 
important one, but it is still a staff function. And by doing 
the centralization that we have done and by empowering the CIO, 
which I have done--and for some reason it was never done, but I 
have done it--I have by directive given him not just the 
responsibility, but the delegated authority commensurate with 
his responsibilities to manage IT as an Assistant Secretary. 
And so I do not think it is necessary.
    Senator Thune. Mr. Opfer, are there any other agencies that 
you are aware of that are doing a good job in the information 
security--I am sorry--that have--you know, in terms of the way 
they go about this? I guess what I am asking is, in the 
Government--and I realize each agency has unique needs and you 
have got different database requirements and everything else. 
But are there similarities or differences between the way the 
VA does and other agencies do it? And are there things that 
other agencies are doing that we could learn from and perhaps 
implement?
    Mr. Opfer. Senator, I think we would need to look at some 
of the agencies that have gotten good marks on the FISMA 
reports, for example. That would be mostly in IT security and 
the financial statements, I know some of the ones that come to 
mind to me would be the Social Security Administration; the 
Department of Education had problems over the years; they have 
done a very good job in correcting them and the Department of 
Labor.
    We just recently brought on board the new Deputy Assistant 
Inspector General in our office. The individual is considered 
an IT security expert who helped create the program for reviews 
in the Department of Education. And I think he will help in our 
role to assist the Department in going along with that. But I 
think we can look at other agencies. It is not exactly a 
layover, but look at some of the problems they have had and how 
they have addressed it. But a lot of it is really making sure 
that we hold people accountable and have policies and 
procedures in effect. And we have to realize that we are living 
in a digital age, and this is constantly evolving. And if we 
get the policies and procedures in place, we cannot say we have 
accomplished our mission. We have to review them. Are they 
still protecting us with the possible threat that we have now?
    Senator Thune. Do you contemplate in your analysis when you 
do these sorts of reports some of the things that are happening 
in other agencies? Do you incorporate that?
    Mr. Opfer. Yes, we do. I have actually been requested by 
some of the other Inspectors General and other Departments' 
Deputy Secretaries, when it is appropriate, to give lessons 
learned from our perspective, and I have already accepted to go 
and do that. And the President's Council on Integrity and 
Efficiency has asked us--they have what they call an IT 
Roundtable for all the Inspectors General, and we will put on a 
presentation of what we have learned from our review, and this 
is to the other IGs of the agencies.
    Senator Thune. Very good.
    Thank you, Mr. Chairman.
    Chairman Craig. Senator Thune, thank you very much.
    Well, Mr. Secretary, General Opfer, thank you for your time 
before the Committee today. I think this hearing was important 
not just for our record, but for any article or information 
that may flow from it as to where we are in this very important 
time and process as we work with you to transform VA into, I 
hope, a successful and recognizable system that develops the 
kind of integrity we need in information and intelligence flow 
within the agency itself. So remember our goal, Mr. Secretary.
    Secretary Nicholson. Yes, sir.
    Chairman Craig. Thank you.
    The Committee is adjourned.
    [Whereupon, at 11:34 a.m., the Committee was adjourned.]

                            A P P E N D I X

[GRAPHICS OMITTED: TIFF images T9717.002 through T9717.007 are not reproduced in this text version.]