[Senate Hearing 109-772]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 109-772
 
     NOMINATION OF ROBERT T. HOWARD TO BE ASSISTANT SECRETARY FOR 
               INFORMATION AND TECHNOLOGY, DEPARTMENT OF 
                            VETERANS AFFAIRS

=======================================================================

                                HEARING

                               BEFORE THE

                     COMMITTEE ON VETERANS' AFFAIRS
                          UNITED STATES SENATE

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 26, 2006

                               __________

       Printed for the use of the Committee on Veterans' Affairs


 Available via the World Wide Web: http://www.access.gpo.gov/congress/
                                 senate



                    U.S. GOVERNMENT PRINTING OFFICE

32-202 PDF                  WASHINGTON : 2007
------------------------------------------------------------------
For sale by Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax:  (202) 512-2250. Mail:  Stop SSOP, 
Washington, DC 20402-0001



                     COMMITTEE ON VETERANS' AFFAIRS

                    Larry E. Craig, Idaho, Chairman
Arlen Specter, Pennsylvania          Daniel K. Akaka, Hawaii, Ranking 
Kay Bailey Hutchison, Texas              Member
Lindsey O. Graham, South Carolina    John D. Rockefeller IV, West 
Richard M. Burr, North Carolina          Virginia
John Ensign, Nevada                  James M. Jeffords, (I) Vermont
John Thune, South Dakota             Patty Murray, Washington
Johnny Isakson, Georgia              Barack Obama, Illinois
                                     Ken Salazar, Colorado
                  Lupe Wissel, Majority Staff Director
                   Bill Brew, Minority Staff Director

                            C O N T E N T S

                              ----------                              

                           September 26, 2006
                                SENATORS

                                                                   Page
Craig, Hon. Larry E., Chairman, U.S. Senator from Idaho..........     1
Isakson, Hon. Johnny, U.S. Senator from Georgia..................     3
Murray, Hon. Patty, U.S. Senator from Washington.................     3
Salazar, Hon. Ken, U.S. Senator from Colorado....................     4
    Prepared statement...........................................     5

                               WITNESSES

Howard, General Robert T., Nominee to be Assistant Secretary for 
  Information and Technology, Department of Veterans Affairs.....     6
    Prepared statement...........................................     7
     Questionnaire...............................................     9


     NOMINATION OF ROBERT T. HOWARD TO BE ASSISTANT SECRETARY FOR 
               INFORMATION AND TECHNOLOGY, DEPARTMENT OF 
                            VETERANS AFFAIRS

                              ----------                              


                      TUESDAY, SEPTEMBER 26, 2006

                               U.S. Senate,
                    Committee on Veterans' Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10 a.m., in room 
SR-418, Russell Senate Office Building, Hon. Larry E. Craig, 
Chairman of the Committee, presiding.
    Present: Senators Craig, Isakson, Murray, and Salazar.

   OPENING STATEMENT OF HON. LARRY E. CRAIG, CHAIRMAN, U.S. 
                       SENATOR FROM IDAHO

    Chairman Craig. Good morning, ladies and gentlemen, and 
welcome to the Senate Committee on Veterans' Affairs.
    The Committee meets this morning to consider the nomination 
of Robert Howard to serve as Assistant Secretary for 
Information and Technology at the Department of Veterans 
Affairs.
    Not long ago, I think if I had asked a group of veterans or 
Senators what the most important positions at the Department 
were, I would probably have heard Secretary, Under Secretary 
for Health and Benefits, and maybe Assistant Secretary for 
Financial Management. And while all of those positions are 
still of utmost importance to the operation of VA, I think all 
of us here today would concede that the job for which we are 
now considering this nominee has taken an increased 
significance.
    I am not just speaking of the high-profile lapses of IT 
security that may have made the news lately. They are 
important, too, and I will touch upon them in a moment. But, I 
am talking about the reality that VA would probably come to a 
grinding halt without all of the IT services that make it run 
every single day. Whether it is online application for health 
care services and benefits, electronic transfers of payments to 
our deserving beneficiaries, or the highly touted electronic 
health records system that has brought VA national acclaim. VA 
simply cannot live without IT every moment of every day. It is, 
as they say in management terms, an essential support function.
    Having said that, General Howard, if you are confirmed, you 
will be expected to lead VA in certain areas, not just support 
the agency's mission. Most importantly, you will be expected to 
bring VA up to the gold standard of Federal IT security that 
Secretary Nicholson has said he expects to achieve.
    The events of the past few months were disturbing to all of 
us. Employees carelessly putting sensitive information on 
portable hard drives and taking it home, VA contractors failing 
to adequately secure hardware containing VA's information, and 
laptop computers in the hands of thousands of employees still 
present us with daily challenges. All of this is happening 
while VA is undergoing a massive management restructuring in 
the IT department.
    I want to make it clear that I am not suggesting that VA's 
employees or contractors intentionally compromised VA data. But 
as you and I have discussed, General Howard, I think VA and the 
Federal Government as a whole need a wake-up call and a 
cultural change with respect to information security.
    We need to impress upon our employees and our contractors 
that information is not just power; it is a priceless commodity 
to many people. So we need to handle it, work with it, and 
guard it like the valuable commodity that it is.
    General Howard, today I hope to hear what your plan is to 
identify the shortcomings in VA's IT programs, what needs to be 
done to correct those deficiencies, and what is a responsible 
timeframe for accomplishing those goals and bringing VA up to 
that gold standard. I also hope to be reassured that 
restructuring and IT security challenges will not tie the hands 
of the 200,000 VA employees. I understand, as do many of my 
colleagues, that we could have perfect security by ensuring no 
one uses VA's data. But that, of course, would be unreasonable.
    We also need to allow access to data while ensuring that we 
know exactly where it is going, who is viewing it, and whether 
it is being misused. That is an incredible challenge. But I 
think you are up to the job.
    General Howard comes before the Committee with an 
impressive resume and a very distinguished record of Government 
service. He holds a master's degree in civil engineering, and 
is a highly decorated Vietnam veteran who rose to the level of 
Major General in the United States Army before retiring from 
active duty in 1996. He spent several years in the private 
sector after retiring from the Army. During this time, he 
worked with Eastern European countries to help them harness 
technology in order to emerge from communist hold and join the 
democratic capitalistic societies of the world.
    General Howard, we welcome you to the Committee. After my 
colleagues have given any opening comments, I will ask you to 
rise and be sworn in, as is required under the rules of the 
Committee, and, of course, to introduce any family member that 
you have with you today.
    With that, there we go. Order of entry, I will turn to my 
colleague from Georgia, Senator Isakson.
    Johnny?

               STATEMENT OF HON. JOHNNY ISAKSON, 
                   U.S. SENATOR FROM GEORGIA

    Senator Isakson. Thank you, Mr. Chairman.
    I had the privilege of meeting with General Howard last 
week on Thursday, and had an in-depth discussion based on the 
experiences I have had in the technology area in running a 
department of our State government as well as in a private 
sector business. And I have to tell you, I was very impressed 
with his knowledge of software, the potential pitfalls in terms 
of that, and also very much impressed with his understanding 
that the reporting of failures in technology need to be with 
the same speed that technology itself delivers information. And 
that was very important to me because of the experience we had 
at VA with the lost computer and the tardiness with which the 
chain of command responded.
    I just wanted to say at the outset before the testimony 
that I was very impressed with the meeting. I am very impressed 
with the General, and I think he will make an outstanding 
contribution to the Veterans' Administration.
    Chairman Craig. Johnny, thank you very much.
    Now, let me turn to Senator Patty Murray of Washington.
    Patty?

                STATEMENT OF HON. PATTY MURRAY, 
                  U.S. SENATOR FROM WASHINGTON

    Senator Murray. Thank you, Mr. Chairman. I want to thank 
you and Ranking Member Akaka, for holding today's hearing. I 
know he is traveling back from Hawaii and wished he could have 
been here.
    General Howard, I want to thank you for coming before us 
today. I look forward to hearing about your plan to help build 
the IT system that our veterans need and deserve.
    But before I discuss your nomination, I wanted to mention 
to the Committee a recent article from the Associated Press 
that really should concern every one of us on this Committee. 
It suggests that the VA has no plan to deal with the influx of 
veterans from Iraq and Afghanistan. It states that, ``More than 
one-third of Iraq and Afghanistan veterans seeking medical 
treatment from the Veterans Health Administration report 
symptoms of stress or other mental disorders, a tenfold 
increase in the last 18 months, according to a VA study.''
    The article says that veterans are facing ``long waits for 
doctor appointments, staffing shortages, and lack of equipment 
and medical centers run by the Veterans Affairs Department. It 
mentions in the article that a soldier from Virginia Beach, 
Virginia, who was having a hard time sleeping after he returned 
from Iraq was told he would have to wait 2\1/2\ months for an 
appointment at the VA facility.
    Now, here is a servicemember in need, and all the VA could 
say to him is, ``Get in line and wait 75 days.'' I find that 
pretty disgraceful.
    When you look at the numbers, you can really see a crisis 
in the making because just over half a million veterans have 
served in Iraq and Afghanistan and have separated from the 
military. Of those, 185,000 are currently seeking care at our 
VA medical centers; 150,000 of them are applying for benefits; 
and more than 100,000 have sought help at our Vet Centers. If 
the system is already straining, as the AP article told us, 
then the bulk of the trouble is still yet to come.
    We have nearly a million servicemembers who have served in 
Iraq and Afghanistan but have yet to separate. They are coming 
down the pipeline into a VA system that is already overwhelmed, 
and we have to figure out how we are going to serve those 
veterans.
    The numbers are really staggering. The doctors at Walter 
Reed have stated that 16 percent of all injured servicemembers 
have eye injuries. Many of them have come with traumatic brain 
injuries. And we have one-third that are seeking mental health 
care. According to the VA's own report, nearly 60,000 Iraq and 
Afghanistan vets have ill-defined conditions. And if you have 
been on this Committee long enough, you will know that some of 
those symptoms sound very familiar to what we later called the 
Gulf War syndrome in the first Gulf War.
    So, Mr. Chairman, I am very concerned. The numbers show 
that a crisis is coming, and so far we have not seen a plan 
from the VA on how we are going to deal with that. I hope that 
this Committee can bring Secretary Nicholson before us, find 
out what the plan is, and what help he needs from all of us to 
meet those needs. And I hope that we can have that hearing when 
we come back so that we can take steps that we need to meet our 
veterans' needs.
    General Howard, you and I had a chance to visit. I really 
appreciate that. As you know, I have some concerns under the 
new reorganization that the VA is not collaborating with the 
Health Administration, the Benefits Administration, and 
Memorial Affairs. And I am also concerned that we are not 
bringing in the best IT staff to fill some of our current 
openings. I am also concerned that the VA leadership in 
Washington, DC, from what I am hearing, is disconnected from 
field operations. I hope to hear how you can help us address 
those situations.
    I am sure you are aware of the article from GovEx.com, 
dated August 1st, that raises many concerns about VA 
operations. It outlines a world where everyone is pointing 
fingers, and it says what the VA really needs is a world where 
everyone is working together. I look forward to hearing from 
you today on how you can help make that world work together and 
not point fingers.
    Thank you, Mr. Chairman.
    Chairman Craig. Patty, thank you very much.
    Now, let me turn to Senator Ken Salazar of Colorado.
    Ken?

                STATEMENT OF HON. KEN SALAZAR, 
                   U.S. SENATOR FROM COLORADO

    Senator Salazar. Mr. Chairman, I have a statement that I 
will submit.
    Chairman Craig. Fine.
    Senator Salazar. I will just make two quick comments.
    First of all, General Howard, congratulations and I look 
forward to working with you as we deal with the information 
technology issues which have been so much at the forefront of 
what the VA has had to deal with in the last year.
    And, second of all, Mr. Chairman, I agree with Senator 
Murray that I think it would be a good thing for us, perhaps 
after the election, to get together with Secretary Nicholson 
and others from the VA so that we can look ahead to see what 
kinds of challenges we are going to be dealing with, with the 
influx of veterans coming home from both Iraq and Afghanistan.
    Thank you, Mr. Chairman.
    [The prepared statement of Senator Salazar follows:]
   Prepared Statement of Hon. Ken Salazar, U.S. Senator from Colorado
    Thank you, Chairman Craig and Senator Akaka, for holding today's 
hearing. I also want to acknowledge Mr. Robert Howard, the President's 
nominee to be Assistant Secretary for Information and Technology in the 
Department of Veterans Affairs. Thank you, Mr. Howard, for coming 
before this Committee today to discuss several critical issues that 
directly impact veterans in Colorado and across the Nation.
    We have heard a lot about the VA's handling of information and 
technology this year both about the greater opportunities it presents 
to us and the greater responsibility it demands from us. I look forward 
to hearing directly from the President's nominee to be the Department's 
Chief Information Officer about how the VA can better manage these 
opportunities and responsibilities.
    Specifically, we need to know what the Office of Information and 
Technology can do to help safeguard our veterans' personal information. 
In addition to hearing about the steps OIT has taken in response to 
this spring's data theft, I would like to know what impact the recent 
reorganization of the Office of Information and Technology will have on 
the ability of the Department to provide information security.
    I understand that this reorganization will involve consolidating 
many of the Department's IT professionals under the OIT, increasing the 
number of personnel operating under your office from 350 to nearly 
6,000. This is a huge increase, and I am interested in hearing about 
both the potential benefits and potential drawbacks of such a dramatic 
overhaul.
    Finally, I would like to discuss how the information and technology 
resources that OIT has at its disposal can be used to better serve 
veterans who are living in rural or geographically remote areas.
    With the technological advances we have seen over the past ten to 
twenty years, including the growth of the Internet, there is enormous 
potential for government to use technology to improve the way we 
provide services to our citizens. I believe we have only begun to 
scratch the surface of that potential.
    While I understand that VA's Office of Information and Technology 
is only one piece of the puzzle, I would like to hear Mr. Howard's 
ideas on how we can use technology to bridge the physical gap that 
exists between veterans living in rural communities and the VA 
facilities that are in some cases located hundreds of miles away. These 
tools have already begun to change the way the Americans interact with 
their government, and I am excited at the vast opportunities they 
present for the future.
    Again, I would like to thank Chairman Craig and Senator Akaka for 
holding this hearing, and to thank Mr. Howard for sharing his views 
with the Committee today. I look forward to discussing these and other 
issues that are important to our Nation's veterans.

    Chairman Craig. Well, thank you. I appreciate those 
suggestions from both of you.
    General Howard, Senator Akaka, our Ranking Member, is not 
with us today. As Patty mentioned, he is returning from a 
successful primary election in the State of Hawaii and will 
join us later on in the day.
    I want the Committee to know that I intend to convene the 
Committee off the floor this afternoon to vote to report the 
nominee to the full Senate. I do not think any of us, I would 
hope, would want to hold back getting this man on board and at 
work on an issue that all of us have opined about in our 
comments this morning as it relates to building a strong IT 
system within the VA. That is assuming that all goes well in 
the balance of the hearing, of course, and I would hope we 
could do that sometime today or, if we have a vote, around the 
noon hour.
    With that, General, if you will please rise. Do you swear 
or affirm that the testimony you are about to give to this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you God?
    General Howard. I do.
    Chairman Craig. Thank you. Please proceed, and as I
    mentioned in my opening comment, if you have family with 
you, please introduce them to the Committee.
    General Howard. Sir, I have a statement. Do I have time to 
read that?
    Chairman Craig. You do have time to read that.

    STATEMENT OF ROBERT T. HOWARD, NOMINEE TO BE ASSISTANT 
           SECRETARY FOR INFORMATION AND TECHNOLOGY, 
                 DEPARTMENT OF VETERANS AFFAIRS

    General Howard. Mr. Chairman and Members of the Committee, 
good morning, and thank you for the opportunity to testify 
today. It is indeed an honor to be nominated by President Bush 
to be the Assistant Secretary for Information and Technology at 
the Department of Veterans Affairs and to appear before you 
today. I would like to thank the President for nominating me, 
and Secretary Nicholson for expressing confidence in my 
abilities by supporting this nomination.
    My dedication to the United States military is marked by a 
history of service and commitment. In 1963, I left Everett, 
Massachusetts, and entered the U.S. Army to embark upon a 
career spanning 33 years. During my time of service, I 
developed a deep respect and appreciation for those who serve 
in our Armed Forces--and their families. Personal sacrifice and 
devotion to duty is routine among members of the military, so 
they deserve our unwavering support both while wearing the 
uniform and when they transition into the community of 
veterans. I am privileged to work for them and support that 
critically important mission stated many years ago by President 
Lincoln: ``To care for him who shall have borne the battle and 
for his widow and orphan.'' For me, time has come full circle--
from a long career in active military service to now assisting 
our Nation's veterans through public service.
    As you know, I have been the supervisor of the Office of 
Information and Technology within the VA since early May 2006, 
so I am very familiar with all the work that must be 
accomplished to form a new, significantly expanded organization 
and to also remedy the deficiencies that exist within the area 
of data security. I am confident that my experience in the U.S. 
Army and in the private sector with the Cubic Corporation, has 
helped hone the skills required to lead the organization 
effectively and contribute to the successful accomplishment of 
a wide variety of important tasks.
    The reorganization of IT within the VA is a major event 
that will result in more standard processes and better 
interoperability across the Department. I am totally committed 
to its successful implementation and improving our performance, 
not only in the area of operations and maintenance, but in 
developmental programs as well.
    The reorganization will assist us in many ways, including 
the area of data security where the most difficult work 
resides--work that is especially important to our veterans. 
Secretary Nicholson has clearly stated that he wants the 
Department of Veterans Affairs to become the gold standard for 
all of Government in the area of information security. 
Achievement of that goal involves many activities of the 
Department, but it must involve the completion of all actions 
associated with the Data Security-Assessment and Strengthening 
of Controls Program.
    This is VA's high-priority program designed to remedy the 
many security deficiencies that have been uncovered.
    Because of its importance, I have provided the Committee 
staff copies of the action plan associated with this program. 
This is a living document that will guide our work. Its 
successful execution is, without question, my highest priority. 
In VA we want to create an environment where veteran and VA 
employee information is treated with respect and is protected 
with a high degree of rigor.
    I realize the position of Assistant Secretary for 
Information and Technology will involve very difficult work. I 
am fully prepared for this since I know I have the full support 
of the VA leadership. I also know that you are committed to 
helping us in any way you can.
    If confirmed, I will strive to position VA's Office of 
Information and Technology to be the leader among Federal IT
    organizations in providing secure, high-quality, and 
responsive service to supported organizations in meeting 
business needs by leveraging state-of-the-art technologies and 
building a high-performing workforce dedicated to the success 
of those they serve.
    I will continue to remain thoroughly familiar with the 
issues facing the Department and give my very best effort to 
work diligently and to faithfully advise the Secretary and the 
Deputy Secretary and to keep you informed of progress on a 
timely basis.
    With me today are my wife, Ciretta, originally from Revere, 
Massachusetts, and my youngest daughter, Laura Glaub, from 
Woodbridge, Virginia. I am very grateful for their constant 
love and support and to many other family members and friends 
whose support has been steadfast for many years.
    Also present today is Deputy Secretary Mansfield, whose 
strong support is greatly appreciated.
    Thank you again, Mr. Chairman and Members of the Committee, 
for your consideration of my nomination. I would be happy to 
answer any questions you may have.
    [The prepared statement of General Howard follows:]

    Prepared Statement of Robert T. Howard, Nominee to be Assistant 
   Secretary for Information and Technology, Department of Veterans 
                                Affairs

    Mr. Chairman, Senator Akaka, and Members of the Committee, 
good morning, and thank you for the opportunity to testify 
today. It is indeed an honor to be nominated by President Bush 
to be the Assistant Secretary for Information and Technology at 
the Department of Veterans Affairs and to appear before you 
today. I would like to thank the President for nominating me, 
and Secretary Nicholson for expressing confidence in my 
abilities by supporting this nomination.
    My dedication to the United States military is marked by a 
history of service and commitment. In 1963, I left Everett, 
Massachusetts, and entered the U.S. Army to embark upon a 
career spanning 33 years. During my time of service, I 
developed a deep respect and appreciation for those who serve 
in our Armed Forces--and their families. Personal sacrifice and 
devotion to duty is routine among members of the military, so 
they deserve our unwavering support both while wearing the 
uniform and when they transition into the community of 
veterans. I am privileged to work for them and support that 
critically important mission stated many years ago by President 
Lincoln: ``To care for him who shall have borne the battle and 
for his widow and orphan.'' For me, time has come full circle--
from a long career in active military service to now assisting 
our Nation's veterans through public service.
    I have been the supervisor of the Office of Information and 
Technology within the VA since early May 2006, so I am very 
familiar with all the work that must be accomplished to form a 
new, significantly expanded organization and to also remedy the 
deficiencies that exist within the area of data security. I am 
confident that my experience in the U.S. Army and in the 
private sector with the Cubic Corporation, has helped hone the 
skills required to lead the organization effectively and 
contribute to the successful accomplishment of a wide variety 
of important tasks.
    The reorganization of IT within the VA is a major event 
that will result in more standard processes and better 
interoperability across the Department. I am totally committed 
to its successful implementation and improving our performance, 
not only in the area of operations and maintenance, but in 
developmental programs as well.
    The reorganization will assist us in many ways,including 
the area of data security where the most difficult work 
resides--work that is especially important to our veterans. 
Secretary Nicholson has clearly stated that he wants the 
Department of Veterans Affairs to become the gold standard for 
all of Government in the area of information security. 
Achievement of that goal involves many activities of the 
Department, but it must involve the completion of all actions 
associated with the Data Security-Assessment and Strengthening 
of Controls Program (DS-ASC).
    This is VA's high-priority program designed to remedy the 
many security deficiencies that have been uncovered.
    Because of its importance, I have provided the Committee 
staff copies of the action plan associated with this program--
this is a living document that will guide our work. Its 
successful execution is, without question, my highest priority. 
In VA we want to create an environment where veteran and VA 
employee information is treated with respect and is protected 
with a high degree of rigor.
    I realize the position of Assistant Secretary for 
Information and Technology will involve very difficult work. I 
am fully prepared for this since I know I have the full support 
of the VA leadership. I also know that you are committed to 
helping us in any way you can.
    If confirmed, I will strive to position VA's Office of 
Information and Technology to be the leader among Federal IT 
organizations in providing secure, high-quality, and responsive 
service to supported organizations in meeting business needs by 
leveraging state-of-the-art technologies and building a high-
performing workforce dedicated to the success of those they 
serve.
    I will continue to remain thoroughly familiar with the 
issues facing the Department and give my very best effort to 
work diligently and to faithfully advise the Secretary and 
Deputy Secretary and to keep you informed of progress on a 
timely basis.
    With me today are my wife, Ciretta, originally from Revere, 
Massachusetts, and my youngest daughter, Laura Glaub, from 
Woodbridge, Virginia. I am very grateful for their constant 
love and support and to many other family members and friends 
whose support has been steadfast for many years.
    Thank you again, Mr. Chairman and Members of the Committee, 
for your consideration of my nomination. I would be happy to 
answer any questions you may have.
[GRAPHIC] [TIFF OMITTED] 32202.001

[GRAPHIC] [TIFF OMITTED] 32202.002

[GRAPHIC] [TIFF OMITTED] 32202.003

[GRAPHIC] [TIFF OMITTED] 32202.004

[GRAPHIC] [TIFF OMITTED] 32202.005

[GRAPHIC] [TIFF OMITTED] 32202.006

    Chairman Craig. General, thank you very much for that 
testimony. Let us get to the questions because I think all of 
us are, as we have expressed, very concerned about the task at 
hand and before you.
    You have made available this printout that I find is 
fascinating. I wish I understood it.
    [Laughter.]
    Chairman Craig. Because I am not quite sure of the 322 
tasks by number, where we are, and what it will mean when we 
get there. But I suspect you do, and maybe you will be able to 
tell us a bit about that.
    Certainly, your leadership credentials are not at question 
at this point at all. However, can you talk to us a bit about 
your technical qualifications for the position, what 
experiences do you have in the management of IT programs that 
will help us ensure VA's Office of Information and Technology's 
success, and what all of this means?
    General Howard. Yes, sir. Sir, actually, as an engineer, of 
course, I am very comfortable in the technical arena. But I 
have had a number of assignments over the years which directly 
relate to information technology and the production of 
computer-based products. One in particular was as a brigadier 
out at Fort Leavenworth, Kansas, where I led an organization 
called TRADOC Analysis Command.
    What we did there, we were responsible for the cost and 
operational effectiveness analysis for the U.S. Army dealing 
with modernization of weapons systems, and also assisting in 
the training area as well.
    What we did is we built computer models that were used to 
evaluate future weapons systems based against existing 
platforms. There were a number of types of these, and we not 
only wrote the code, we developed the mathematical algorithms 
in order to define the particular activity of the weapons 
system. And I had quite a few folks working for me out there, a 
large group, in fact, down at White Sands Missile Range, a 
number of them computer coders, and the systems engineers.
    So those 2 years out at Fort Leavenworth were very helpful 
in that regard in terms of the production of computer-based 
products.
    We also built training simulations and, again, this was in 
the late 1980s. In that time training simulations had really 
begun to be used by the military and it is routine today. We 
built a number of those simulations to include production of 
the scenarios, the scripting of the particular documentation 
that needed to be coded, and then go through the coding process 
to produce the various training products that were then used by 
field commanders to train their commanders and staffs.
    Most recently, with the Cubic Corporation, my division was 
involved in the production of educational and training 
technologies, computer-based products that we used, interactive 
products, Web-based products that were designed for both 
training and education in a number of areas.
    The other aspect of my division at Cubic, as you mentioned, 
was helping countries in Eastern and Central Europe become more 
Westernized and improve their systems in the military. A number 
of them were heavily involved in introduction of information 
technology systems. In particular, three countries--Czech 
Republic, Slovak Republic, and Hungary--we directly assisted 
them in bringing on more modern IT systems to support them in a 
number of areas, from personnel to logistics, force design, and 
a number of other areas as well. So that briefly is some 
background relating to information technology and the 
production of computer-based products.
    Sir, with respect to the plan itself, I have my copy.
    I do not have one under my pillow, but I probably should.
    Sir, quite frankly, as you have seen this----
    Chairman Craig. Let's cut to the chase. Some are arguing 
out there in the field that the 322 so designated tasks here 
are simply a rearranging of the deck chairs on the deck of the 
Titanic.
    General Howard. Sir, that is absolutely not the case.
    Chairman Craig. OK.
    General Howard. As you see, believe it not, they are 
actually 100 percent indicated by some of these.
    This program began shortly after the breach in May. It was 
directed by the Deputy Secretary, and we began putting together 
a list of actions that needed to be taken, actions that needed 
to be completed. And more than anything else, that is what this 
is. At least we know what needs to be done.
    We began to lay down timelines, as you can see. Some of 
them, obviously, continue to be adjusted as we know more about 
what we are dealing with. But with respect to the completion of 
these, one of the most important facets of this was the first 
phase, the assessment phase. We began very early on, as the 
dates indicate, by assessment briefings from all the 
administrations and the staff sections within the VA. These 
briefings were chaired by the Deputy Secretary, and they had to 
be given by the principal in charge. There were some minor 
cases where deputies gave the presentation, but we insisted on 
senior officials standing up and telling us what were the 
conditions regarding information security within their 
organization.
    This was very revealing. We went through all of that, as 
you can see on the front page, and what we are into now is 
doing the same thing with all the administrations and staff 
agencies, staff sections, with non-VA organizations.
    For example, we have contractors working for us. What are 
the conditions under which they operate? Do they work with 
sensitive information? Is it properly protected?
    We are in the process of having these briefings right now. 
In fact, just yesterday, we had two more, and the day before, 
we had VBA. There are just a couple left.
    We left VHA for last because they have got a huge amount of 
contracts, a very difficult situation, so we let them have as 
much time as they could to prepare for that.
    We are moving through the assessment phase, but we are also 
moving into other areas as well. You will notice the second 
phase of this program is the strengthening of controls portion, 
and that is broken down into three sections:
      Management activities, like, for example, 
updating our directives, and we have got several of those 
complete and a number already in draft form, and we will share 
those with you as they get completed. That is in the management 
area.
      In the technical area, we have a number of 
activities going on, particularly in the area of encryption and 
understanding additional actions that can be taken to better 
control the communications and the passing of sensitive 
information within the VA, but do that in a way that we do not 
shut down the operation. Sir, you mentioned that yourself as a 
key concern, and you are exactly right. That is a difficult 
balance. We need to tighten up, but at the same time we have 
got things we have got to accomplish. And we recognize that.
      The laptop encryption is just about complete. In 
fact, we have encrypted almost 15,000 laptops over the last 
couple of weeks. There is a small number that we were not able 
to encrypt, less than a hundred, and one of the reasons for 
that, particular computers were not able to accept the Guardian 
Edge software. We are working both with the manufacturer of the 
computer--Micron and Guardian Edge--trying to solve that. But 
in the meantime, those laptops are secure. They are not being 
used. These are VA laptops.
    As you know, we have non-VA laptops that are being used, 
and our objective there ultimately is to replace those with 
Government-furnished equipment. That is going to take a while. 
It is a task on this plan for fiscal year 2007. The reason it 
is in 2007 is we know that would cost us money, but we also 
need to think through how we actually want to do that.
    So that is the goal, but those individuals using personal 
laptops already know that they are required to protect 
sensitive information that passes through those laptops. That 
is per a directive that we have already published, Directive 
6504, which in fact, prescribes that.
    There are a number of other activities further down the 
list that we are already working on. A big area that we are 
thinking through is additional technologies to bring into the 
VA to further protect computers and the infrastructure, 
techniques that are already out there. We have been talking to 
a number of companies. We have not put out any RFPs yet. But 
there are technologies available that you do not even know they 
are there, that help us visualize what is happening with 
respect to the passing of information.
    But these are technologies that we must understand to be 
sure we go forward and ask for any additional support. So that 
is important.
    There are also abilities to shut down USB ports. In fact, 
that is already going on at various facilities throughout the 
VA where you can control the use of USB devices simply by 
shutting down the port. People are not able to plug in a thumb 
drive and pull out the information.
    Now, again, you have got to be careful with that because 
people have to operate, and you cannot shut the hospital down 
by just turning off all the access that physicians and other 
staff members might need.
    So, sir, that is kind of a summary of what this is all 
about.
    Chairman Craig. Thank you very much.
    Let me turn to Senator Isakson. Johnny?
    Senator Isakson. Thank you, Mr. Chairman.
    The breach that came to our attention earlier this year was 
the physical transfer of a hard drive or a laptop off the VA 
premises to a home. That is not an electronic transfer. That is 
a physical transfer. I assume the control has been put in place 
to no longer allow that to take place within the VA. Is that 
correct?
    General Howard. Sir, that is not allowed unless you have 
specific permission, for example, if we are transferring files 
from one hospital to another and, in fact, that does happen. 
You are actually physically moving media, whether they are CDs 
or back-up tapes or whatever. But it must be approved, and it 
must be done under certain circumstances. Those are now spelled 
out in Directive 6504, which I mentioned. We have a lot of 
directives we need to clean up and to publish. Directive 6504 
was one of the first ones right after the breach that we put in 
place as quick as we could. And, we may need to adjust it in 
some ways, but, quite frankly, it is a very good directive, and 
the folks in the field are paying attention to it.
    Senator Isakson. If I remember correctly, it was 21 or 22 
days from the time the laptop was lost and the time Secretary 
Nicholson was advised of the breach. What has been put in place 
in terms of the chain of command to ensure that lapses or 
breaches like that quickly rise to the level they should in 
terms of the administration?
    General Howard. Sir, right now we have a much improved 
reporting process. Quite frankly, at the time there really was 
not a very good reporting process at all. It was haphazard. 
There was no structure to it. Since that time, we have 
established a very good process for reporting incidents. In 
fact, our guidance to the field is when in doubt, report it. No 
matter how small it is, no matter how insignificant, get it 
reported and then we will deal with it.
    We have also insisted that security incidents and privacy 
incidents get reported to one place, and that is the Security 
Operations Center, which produces daily reports.
    These daily reports go all the way to the Secretary and the 
Deputy Secretary and a number of other senior officials each 
day. There are certain mandates in place, like, for example, we 
must report incidents to the US-CERT within 1 hour, and we meet 
that. We might miss it every now and then, but that is an 
objective that we have.
    So with this reporting mechanism, we believe we do have 
visibility over activities that are taking place that should 
not be. Quite frankly, as I have talked with a number of your 
staff, there is always the concern about what do you do in 
terms of follow-up and punishment and that sort of thing. We 
have, in fact, taken action in some cases, but we have also got 
to be very careful about that because we do not want to shut 
down and make people too concerned about reporting things. That 
is a balance issue.
    We have to look at every case. But clearly, in cases where 
it was not just a careless act but a deliberately negligent 
act, that they knew they should not do, in that case we have 
taken action.
    Senator Isakson. One last question. The physical transfer 
of information which we have been addressing is one way to lose 
it. The electronic transfer is another way, and that can happen 
in two ways--either from within the agency to the outside or a 
hacker coming into the inside.
    Just briefly, are you monitoring the internal operations to 
catch any transfer out? And do we have a security system in 
terms of the hacking incident?
    General Howard. Sir, we do not have a system where you have 
100 percent visibility over every single thing that goes on in 
transfer of information from computers. That is a very 
difficult environment to put in place. Do we have total control 
over someone being able to go into a sensitive database, pull 
information out, put it on a piece of media or a thumb drive or 
whatever and walk out the door? That can happen. There are 
directives in place, though, that prohibit that. As I mentioned 
to you, in some cases we have begun to shut down USB ports and 
things like that to better control. But, quite frankly, sir, 
the best way to really achieve 100 percent compliance to ensure 
the situation where that does not occur, is through making sure 
every single employee understands and lives up to their 
responsibilities. This is a people issue. It really is.
    We can go nuts with technical solutions, but the bottom 
line is the people involved. And some of them are pretty 
clever. They will figure out a way to get at it unless we make 
sure we continue to communicate to them. And they understand 
how important it is, and my feeling right now throughout the VA 
there is heightened awareness. There is no question about that. 
We see it in some of the reports coming in and, in fact, the 
actions that are being taken.
    So 100 percent, probably impossible. But we do need to do 
all we can to prevent that from happening.
    Senator Isakson. Well, my time is up, but I think you are 
saying what I was trying to--100 percent is impossible for 
practical reasons. However, random monitoring is not, and it is 
important that the people within the agency understand that 
random monitoring is going on, just to protect the integrity of 
the system. And I assume you are doing that.
    General Howard. Sir, you are exactly right. In fact, we are 
actually doing random cyber penetration as well. So those 
activities do go on, but it is sporadic.
    Senator Isakson. Thank you.
    Chairman Craig. Thank you very much, Senator Isakson.
    Senator Murray?
    Senator Murray. Thank you.
    General Howard, I understand that there was recently an 
incident in the VA system that put eight of our VA medical 
centers in the Northwest network at risk. Apparently, there was 
some untested software that was added to the system, and as a 
result, it broke many of the VA applications, including the 
VA's health data repository.
    From what I understand, that still has not been fixed. 
Could you tell the Committee what happened, why it has not been 
fixed, and what we are doing to ensure it will not happen 
again?
    General Howard. Ma'am, I am not familiar with that in great 
detail. I believe I know the situation you are talking about, 
though, where a patch was put in place on the network which 
caused some problems with CPRS.
    I believe that has been fixed, but I cannot be sure. I will 
get back with you on that, if you do not mind.
    Senator Murray. My understanding is that it has not been 
fixed yet, so if you could get back to me and let me know why 
and, more importantly, how can we make sure that does not 
happen again.
    General Howard. Right.
    Senator Murray. I understand that the new model of 
reorganization that you are talking about can create quite a 
divide between the IT folks at headquarters and people who work 
out in the field. How are you going to ensure that our veterans 
who are counting on getting services get seamless, 
uninterrupted service?
    General Howard. Ma'am, first of all, there is a strong 
communication effort going on right now with respect to making 
sure the folks understand what is about to happen, and to 
reassure those who need the IT support that the IT individuals 
who supported them in the past are not going anywhere. They are 
still there. They are dedicated to the support of the mission, 
that is, whether it is health or benefits or actually the core 
missions of the Department.
    We have communicated that to the IT individuals who, at 
least up to now, have been detailed to us and come October 1 
the permanent transfer will take place.
    Continuous communication, both through the IT community and 
through the three administrations and staff sections is very, 
very important. But the fact of the matter is it is going to 
boil down to performance. We can talk and explain all we want, 
but the physicians out there, they want support, they want 
performance, and we understand that. And I am committed to make 
sure that they get the support, the same response, and 
hopefully, better response than they got before.
    Senator Murray. Since you are going to have a more 
centralized model, how are you going to ensure that some of the 
field-level CIOs and directors are going to have input?
    General Howard. We are already in communication--again, 
they have been detailed to me already, so we have dialogue 
going on. We have broken the country into four regions. We have 
regional directors for each of those locations. They, in turn, 
supervise CIOs, who were formerly VISN CIOs or RO CIOs. And 
those individuals have further connectivity down into the 
facilities. So there is an organization already in place that 
will become permanent on October 1 to help organize that.
    We have set things up so we have a reasonable span of 
control. For example, there are four regions, and in each of 
those regions we have a number of CIOs reporting to that 
regional director.
    Senator Murray. I hope as you implement it you keep that in 
mind and make sure that those lines of communication are open.
    General Howard. Extremely important. You are absolutely 
right, and believe me, I understand that and am committed to 
that.
    Senator Murray. Are you bringing in the best of the best 
when it comes to IT and IT management?
    General Howard. We are in the hiring process right now. As 
part of the IT realignment, I have been provided over 500 FTE 
empty spaces that we are now in the process of filling. Finding 
quality people, of course, is always difficult, but we have 
several that are moving and are being hired. But we have a 
great deal more to do in that area.
    Senator Murray. One last question. I think this whole 
unfortunate data loss system really showed us that the VA lacks 
some strong policies and directives regarding information 
technology acquisition and usage. How is this reorganization 
that you are talking about going to solve problems like the 
lack of strong IT architecture and cyber security concerns and 
the ability to invest soundly in IT?
    General Howard. Ma'am, no question that the IT 
reorganization is going to help a lot. I control the network 
now--at least come effective October 1. The network, the 
activities are not permitted to plug into the network without 
our authorization. There is no doubt--in fact, I have seen 
already some of the impact that we are going to feel in the 
months and years to come.
    A good example is the laptop encryption. In the last 
several weeks, we have encrypted almost 15,000 laptops. That 
went smooth as can be. We had a great deal of cooperation from 
facility IT people, the VISN CIOs, all of the folks that we 
were just talking about. There were teams put together, 
tremendous dialogue back and forth, e-mails flying all over the 
place, a great deal of cooperation and organization that 
permitted us to do that.
    Now, I do not know for sure, but my guess is if we had not 
had this organization in place, even from a detailed 
standpoint, we would have had a much difficult job. We have 
much better control and are making sure encryption is put in 
place where it is needed, patches are put in place; they cannot 
resist because we control the network.
    Senator Murray. Thank you, Mr. Chairman.
    Chairman Craig. Thank you, Senator Murray.
    General, most of the attention VA's IT program has received 
lately has been centered around IT security and its 
development. However, the issue of VA-DOD information sharing 
and exchange still remains, to my understanding, an unsolved 
problem.
    Are we ever going to see the day when VA's records and 
DOD's records can be freely exchanged from one system to 
another in a secure manner? And from your perspective, why have 
we not accomplished that goal yet?
    General Howard. Sir, I believe that is possible. I am not 
intimately familiar with the DOD system, ALDA. I am familiar 
with HealtheVet, the system in the VA. Those two systems are 
not interoperable, but there is a great deal of interaction 
going on with DOD. We have the JEC Committee and a number of 
other committees in place where there is a good deal of 
dialogue regarding that particular issue.
    Why hasn't it been done? We probably have not put enough 
emphasis on it. We probably have not really focused on a 
particular subset. In the case of HealtheVet, there are a 
number of sub-applications that we can perhaps focus on and 
really get a success story there, working with DOD. Hopefully, 
we will be able to do that. To the degree I can influence that, 
I will, and to demonstrate that we really can produce an 
electronic health record that is interoperable, where data can 
be exchanged. I believe it is possible, but not without a lot 
of hard work.
    I think you know that in the case of VA, our system is 
based on an older code that we want to bring into a more 
modernized environment and work with DOD as we move forward in 
that respect.
    The President's Executive Order is a pretty clear mandate 
with respect to interoperability. So to speak, the burner has 
been turned up on making things more interoperable.
    Chairman Craig. I think if we really want to claim seamless 
transition, part of the fabric in that seam, if you will, is 
this ability to move records and not duplicate and have them 
applicable. It simply makes an awful lot of sense to me, and I 
am quite sure it does to the active member/veteran in their 
transition.
    I know the FBI recovered the stolen laptop and all of the 
data we originally feared might be lost, and the FBI is 
confident the information was not accessed or compromised.
    Still, some veterans out there are worried that their 
personal information will be used to steal their money, their 
ID, and their privacy.
    What do you say to those veterans who come to you with that 
concern?
    General Howard. Sir, in that particular case, I, too, have 
a very high degree of confidence that the information was not 
disturbed. I do not think they have to worry about that at all.
    Chairman Craig. Well, there are other questions I could ask 
you, but in general, I think you have covered the waterfront of 
the issue in response to either me or my colleagues. So let me 
ask you two remaining questions.
    Do you have any conflicts of interest that you have not 
fully disclosed to the Committee?
    General Howard. None, sir.
    Chairman Craig. Do you know of any other matters which, if 
known to the Committee, might affect the Committee's 
recommendations to the Senate with respect to your nomination?
    General Howard. None, sir.
    Chairman Craig. Do you agree to appear before the Committee 
at such times and concerning such matters as the Committee 
might request for as long as you serve in the position for 
which you seek nomination?
    General Howard. Yes, I do, sir.
    Chairman Craig. Well, I thank you very much for your 
openness and your frankness. It appears that you are living up 
to your reputation of understanding not only what has been 
accomplished, but what is to be accomplished over the next 
while, because I, too, agree with the Secretary. We want to 
make the IT of VA a gold standard for our Government to follow. 
We are proud of the success with our electronic medical 
records. They represent to the health care systems of this 
country a leadership position, a role, and it is now recognized 
that through those, quality health care has been dramatically 
enhanced. We want to be able to turn to the veterans in very 
short order and say that we have transformed the culture and 
the systems of the VA, and to assure them that their 
information that is held by VA is safe and secure, usable, 
accessible, and all of the other values for its presence.
    So we thank you very much again for your attendance this 
morning, and as I said in my opening comments, we will attempt 
over the course of the day to move expeditiously so that your 
nomination can be considered by the whole Senate before we 
recess.
    Again, General Howard, thank you very much, and to your 
wife and daughter, we are pleased that they were able to attend 
your confirmation hearing.
    General Howard. Thank you, Mr. Chairman.
    Chairman Craig. Thank you. The Committee will stand 
adjourned.
    [Whereupon, at 10:55 a.m., the Committee was adjourned.]



  

                                  
