<DOC>
[109th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:28455.wais]



                       UPDATE ON THE BREACH OF DATA 
                       SECURITY AT THE DEPARTMENT OF 
                            VETERANS AFFAIRS

========================================================================


                                HEARING

                               before the

                              COMMITTEE ON
                           VETERANS' AFFAIRS


                        HOUSE OF REPRESENTATIVES


                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 29, 2006

                               __________

       Printed for the use of the Committee on Veterans' Affairs


                           Serial No. 109-59


                               __________


                     U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2007
28-455.PDF

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001





                     COMMITTEE ON VETERANS' AFFAIRS

                     STEVE BUYER, Indiana, Chairman

MICHAEL BILIRAKIS, Florida               LANE EVANS, Illinois, Ranking
TERRY EVERETT, Alabama                   BOB FILNER, California
CLIFF STEARNS, Florida                   LUIS V. GUTIERREZ, Illinois
DAN BURTON, Indiana                      CORRINE BROWN, Florida
JERRY MORAN, Kansas                      VIC SNYDER, Arkansas
RICHARD H. BAKER, Louisiana              MICHAEL H. MICHAUD, Maine
HENRY E. BROWN, Jr., South Carolina      STEPHANIE HERSETH, South Dakota
JEFF MILLER, Florida
JOHN BOOZMAN, Arkansas                   TED STRICKLAND, Ohio
JEB BRADLEY, New Hampshire               DARLENE HOOLEY, Oregon
GINNY BROWN-WAITE, Florida               SILVESTRE REYES, Texas
MICHAEL R. TURNER, Ohio                  SHELLEY BERKLEY, Nevada
JOHN CAMPBELL, California                TOM UDALL, New Mexico
BRIAN BILBRAY, California                JOHN T. SALAZAR, Colorado


                    JAMES M. LARIVIERE, Staff Director

                                 (ii)



                             C O N T E N T S

                              June 29, 2006
                                                                  Page
Update On The Breach Of Data Security at the Department of
Veterans Affairs..................................................    1

                               OPENING STATEMENT

Chairman Buyer....................................................    1
Hon. Bob Filner...................................................    3
Hon. Cliff Stearns................................................    4

                           STATEMENTS FOR THE RECORD

Hon. Corrine Brown................................................   50
Hon. Tom Udall....................................................   55
Hon. John T. Salazar..............................................   56

                                   WITNESSES

U.S. Department of Veterans Affairs:

  Hon. R. James Nicholson, Secretary..............................     5
  Prepared statement of Hon. William F. Tuerk, Under Secretary for
    Memorial Affairs, National Cemetery Administration............    58
  Prepared statement of Hon. Jonathan B. Perlin, M.D., Ph. D., 
    MSHA, FACP, Under Secretary for Health, Veterans Health
    Administration................................................    67
  Prepared statement of Hon. Gordon H. Mansfield, Deputy
    Secretary.....................................................    76
  Prepared statement of Hon. Ronald R. Aument, Deputy Under 
    Secretary for Benefits, Veterans Benefits Administration......    84

                      MATERIAL SUBMITTED FOR THE RECORD

Letter and Memorandum dated June 28, 2006, regarding Delegation
  of Authority for Responsibility for Departmental Information 
  Security........................................................    98
VA Employee Home Use Amendment, Property Pass, and Justification 
  for Access to SSNs, submitted by Mr. Filner.....................   101

                                 (ii)



 
                   UPDATE ON THE BREACH OF DATA SECURITY
                   AT THE DEPARTMENT OF VETERANS AFFAIRS

                               ____________


                        THURSDAY, JUNE 29, 2006

                                                House of Representatives,
                                           Committee on Veterans Affairs,
                                                         Washington, D.C.


The Committee met, pursuant to call, at 10:30 a.m., in Room 334, Cannon 
House Office Building, Hon. Steve Buyer [Chairman of the Committee] 
presiding.


Present:  Representatives Buyer, Stearns, Brown of South Carolina, 
Miller, Boozman, Bradley, Filner, Brown of Florida, Snyder, Michaud, 
Herseth, Berkley, Salazar.


The Chairman.  The House Veterans Affairs Committee will come to order, 
June 29, 2006.

This morning we will continue our examination of the data theft and 
information security at the Department of Veterans Affairs.  The 
catalyst of this examination was the compromise in May of data belonging 
to over 26 million veterans, 2.2 million servicemembers, and some family 
members.  The purpose of our oversight has focused on obtaining as much 
understanding as possible, and has included a business roundtable with 
information experts.  We have had seven hearings including two 
Subcommittee hearings. This is nothing less than a full examination of 
the information management systems of the Department of Veterans 
Affairs.

What we learn here will inform us in our efforts to make whole any 
veteran harmed by the theft of personal information, and assure the 
security of veterans' personal information.  Over the past month, this 
Committee has brought in over 17 witnesses to examine the loss of data, 
the current structure of information security as an extension of the 
structure of information technology, and options regarding credit 
monitoring and information security.

Witnesses have included Secretary Nicholson, the VA's Inspector General, 
General Counsel, experts from GAO, an academic; and experts in the field 
of data security, information technology management and identity theft 
have testified.  Additionally, the Subcommittee on disability assistance 
and memorial affairs held a joint hearing with the Subcommittee on 
economic opportunity on June 20th to review data security in the 
Veterans Benefits Administration.  The Subcommittee on health held a 
hearing on June 21st to review the security of medical information in 
the Veterans Health Administration.

Today's hearing is a capstone event.  Mr. Secretary, I want to thank you 
for being here this morning.  We look forward to hearing what steps the 
department has taken to mitigate the second largest breach of personal 
data in American history, and how we are going to help our veterans.  We 
are interested in learning as well what the VA is doing to prevent 
future security breaches, and what plans exist to mitigate the event of 
identity theft as a result of this breach or any other breach.

And before we receive your testimony, Mr. Secretary, in fairness to you, 
I offer a brief overview of what we have learned from these hearings, 
not to mention several years of painful experience in dealing with these 
issues and the VA's bureaucracy.  Almost without exception, experts from 
academia and leading businesses have told this Committee that the 
complexities and threats characterizing information management today 
require the system to be centralized.  They further state that the VA's 
decentralized IT structure makes it, quote `` practically impossible''  
end quote, to secure its data.

Time and again, we have heard the same counsel: limit the number of data 
users, minimize the amount of data that must be exported for use, screen 
and train your people, centralize the system, and empower the Chief 
Information Officer.

While no one knows whether this compromise of data will produce cases of 
fraud, executives who have successfully recovered from large-scale data 
compromises have informed this Committee that fast action is required.  
Communication with your customers is important when time is of the 
essence.  Offer mitigating services quickly, and coordinate with law 
enforcement agencies quickly.

But the word ``quick'' does not seem to characterize anything about the 
VA's response to this threat over the years.  The GAO and the 
department's own IG have testified on these issues repeatedly since 
1997.  They brought grave security deficiencies and vulnerabilities to 
the attention of VA officials, who in turn essentially have ignored 
them. Two immediate former department CIOs and a former associate deputy 
assistant secretary for cyber and information security informed this 
Committee of impenetrable barriers thrown up by a turf-bound culture of 
the status quo that affects your middle and senior ranks of leadership.  
The department's general counsel in 2004 I believe gave the narrowest 
possible interpretation of your predecessor's decision of his efforts to 
centralize IT authorities and empower the CIO.

Mr. Secretary, from this vantage point, I believe that at times you have 
not been well-served.  You have inherited an unfortunate situation, and 
you are a military man yourself.  I commend you on the acceptance of 
responsibility for a sorry state of affairs.  But you are attempting to 
cut through the cultural resistance and fix it.  I read the memo that 
you issued last night, and I congratulate you for that memo.  I can 
almost envision the spirited debate that occurred at the table before 
you signed that memo, so I would like to thank you for that.

In your opening statement I would also, though, like for you to inform 
this Committee of any other data breaches that you have knowledge of; 
more in particular, the data loss in Minneapolis, and I am distressed to 
have heard about the lost tape in Indianapolis, because your counsel was 
just this week before this Committee, yet never informed this Committee 
that you have a missing tape that contains over 16,538 legal cases.  So 
I am pretty stressed this morning to have learned this last night, very 
late.

At this point, I yield to Mr. Filner for any opening statement he may 
have.

Mr. Filner.  Thank you, Mr. Chairman, and I again, as I have said in the 
preceding five hearings, thank you for this real example of oversight 
the Committee should be following.

Mr. Secretary, we are grateful about the announcement that you just made 
this morning.  It lifts a heavy burden from the hearts of millions of 
veterans, if it is true that there was no compromise of the data.  We 
congratulate law enforcement, and we can all breathe easier.  I think 
everybody here is very grateful.  But it doesn't change some fundamental 
things, Mr. Secretary.  You start off with a little stunt, you never 
told us that the data had been recovered.  Typical for this last two 
months, you have been spinning, spinning, spinning, you have been doing 
PR, and you have done very little to deal with the issue that the 
veterans face with fear every day.

It doesn't change the culture that we have had defined very clearly in 
these hearings, and which Mr. Buyer has been talking about for seven 
years.  It doesn't change the lapses in your personnel chain, that has 
kept information apparently from you, from the FBI, and from us.

It doesn't change the fact that your intentions seem to be to have 
blamed all of this on one guy, who as we will show today at the hearing, 
had permission to take his laptop home, had permission to download the 
data, had help to download the data, had authorization to use that data, 
and yet he has been, as far as I know, the only one in your whole 
operation that any action has been taken against in a personnel way.  He 
has been accused, as I understand, of gross negligence.  But he did 
everything he was supposed to do.  He informed his superior in 52 
minutes.  Your guys didn't inform you for six or seven days.  Who was 
grossly negligent?

So Mr. Secretary, we have got a lot to do.  This memo that Mr. Buyer 
referred to is a good step.  I agree on that. It is something that you, 
Mr. Chairman, have been working on for many years, and I know you feel 
some satisfaction in that.  This theft, which hopefully has not 
compromised any identities, was the stimulus to take action.  But the 
Chairman saw this coming for many years.  

So we still must act.  We still must act on the culture, we still must 
figure out why you decided to fire only one person in this whole mess, 
and whether he was actually grossly negligent, or other people were.

Mr. Chairman, I ask that my full statement be made part of the record.

The Chairman.  Hearing no objections, so ordered.


[No statement was submitted.]


The Chairman.  If any other members have opening statements, you may 
submit them for the record.


If you would like, I will yield to the gentleman.

[The statements of Ms. Corrine Brown, Mr. Tom Udall and Mr. John Salazar 
appear on p. 50, p. 55, and p. 56, respectively.]



Mr. Stearns.  Mr. Chairman, I just want to commend the Secretary for his 
announcement this morning.  I think it is breathtaking that he found the 
computer, and I commend him and his staff for doing it.

Mr. Filner.  I don't think he found it.

Mr. Stearns.  Well, at any rate, his announcement that at this point they 
have the computer, and I think all of us are just waiting to hear more 
what has happened, and I think perhaps the angels are on his side at 
this point, so I will look forward to his comments.

Mr. Snyder.  Mr. Chairman?

The Chairman.  Yes, Dr. Snyder.

Mr. Snyder.  Thank you Mr. Chairman.  I am not going to make a 
statement, but I was not here, and when I walked in -- and so I hope the 
Secretary will begin anew, so I know exactly what Mr. Stearns is 
commending him for, thank you.

The Chairman.  We are going to give the Secretary great latitude, and we 
have invited him to come back after we had also done our due diligence 
and our investigations. And if you can recall, we had him here 
immediately after this happened, but also the Senate wanted him, so we 
only had him for about an hour.  So we are going to have the Secretary 
here for as long as it takes this morning.  And he has his under 
secretaries here, and Mr. Secretary, you are recognized. 


STATEMENTS OF THE HON. R. JAMES NICHOLSON, SECRETARY, U.S. DEPARTMENT OF 
VETERANS AFFAIRS, ACCOMPANIED BY THE HON. GORDON H. MANSFIELD, DEPUTY 
SECRETARY; THE HON. JONATHAN B. PERLIN, M.D. Ph.D., MSHA, FACP, UNDER 
SECRETARY FOR HEALTH, VETERANS HEALTH ADMINISTRATION; THE HONORABLE 
RONALD R. AUMENT, DEPUTY UNDER SECRETARY FOR BENEFITS, VETERANS BENEFITS 
ADMINISTRATION; THE HONORABLE WILLIAM F. TUERK, UNDER SECRETARY FOR 
MEMORIAL AFFAIRS, NATIONAL CEMETERY ADMINISTRATION; THE HONORABLE TIM 
MCCLAIN, GENERAL COUNSEL, U.S. DEPARTMENT OF VETERANS AFFAIRS; JACK 
THOMPSON, DEPUTY GENERAL COUNSEL; THOMAS BOWMAN, CHIEF OF STAFF; DENNIS 
DUFFY, ACTING ASSISTANT SECRETARY FOR POLICY, PLANNING AND PREPAREDNESS; 
MARK WHITNEY, OFFICE OF POLICY, PLANNING AND PREPAREDNESS


Secretary Nicholson.  Thank you, Mr. Chairman and members of the 
Committee.  When I was coming in here I was asked if I would make a 
brief statement to the press because of the news that we have, the good 
news, and so I will start just by repeating that, by saying that it was 
confirmed to me by the Deputy Attorney General, just right before coming 
up here, that they have indeed, law enforcement has in their possession 
the subject laptop and hard drive; the serial numbers match.

We are diligently conducting forensic analysis on it to see if they can 
tell whether it has been duplicated, or utilized, or entered in any way, 
and that work is not complete.  However, they did say to me that there 
is reason to be optimistic about that.  But that is not a certainty.

I would like to again -- I appreciate your kind words, Mr. Congressman.  The 
only part I had in this recovery were my prayers to St. Anthony, I'll 
tell you.  But the law enforcement community did a very, very good job 
in this. And to have, you know, gotten their hands on these two small 
items in the volume that there is circulating out there in that world is 
really extraordinary, and I am very grateful, and I know you are.  We 
will just have to remain hopeful that they haven't been compromised, and 
as I said, there is reason to be optimistic.

The Chairman.  Are they studying the forensics right now?

Secretary Nicholson.  As we speak, yes, sir.

The Chairman.  All right, thank you.

Secretary Nicholson.  Again, I would like to thank you all for the 
opportunity to appear here today to follow up on what has occurred at 
our department.  And my testimony, my opening statement will be in the 
context of this big problem, because I agree with Mr. Filner in many 
respects.  This has brought to the light of day some real deficiencies 
in our department, and the manner in which we have handled personal data 
and cyber information.  And if there is a redeeming part of this, and I 
believe there is, is that we can really turn this place around, and I 
sincerely think we can make it into the gold standard for information 
security, like we have the gold standard for electronic health records.  
And that is our challenge, and indeed that is our mandate.

But I will testify in the context that things are as we thought they 
were last night, or yesterday at this time.  So again, this theft 
occurred on May 3rd, and it has been tragic on many levels, but I also 
-- and this may be moot, but there was a perception on the part of many 
members of the public that the data was lost to the VA, but it was never 
lost.  These are copies of the data that were lost.  And I also want to 
highlight the fact, to you, the members of this oversight Committee, 
that while we have been addressing this issue, as you would imagine, 
double time, we also have been attending to the business of the VA, 
which is our core mission, which is caring for the health needs and the 
benefits of our veterans, and of course the burials.

I would point out to you that we have over a million veterans come to us 
every week for health care provision, and we are taking darned good care 
of them.  Since this theft occurred, it has come to my attention, I have 
taken many proactive steps on many fronts, but all of them have been 
guided by one question, the answer to one question, which is what is 
going to be the best for the veterans?  And this Committee and its 
various Subcommittees has had at least one hearing a week since this 
theft became public, mostly focused on the elements of the theft and its 
aftermath.

Other committees have held hearings on this, and we provided briefings 
for various members of the Congress and their staffs.  So for that 
reason, much of what I say will be familiar to you, I know.  But I would 
like to organize my presentation into a few basic points, and that is 
what have we done, what are we doing, what needs to be done, and how 
will we measure progress on these fronts?  And again, our goal is, on 
behalf of the veterans, to make the VA into a first-rate organization in 
the realm of cyber and information security, just as we have done as an 
integrated healthcare provider.

Following the theft of this data at the employee's home, we determined 
or attempted to determine the scope of the loss, and we retained 
forensic experts.  And once the magnitude of this was more fully 
understood, we began working nonstop to see what steps are appropriate 
now going forward to protect our veterans.

I directed a series of personnel changes in the office of policy and 
planning where the breach occurred, the two senior people in that 
department, as well as the person who had custodial responsibility for this 
data.  I retained an outside independent adviser to me, Rick Romley, the 
former prosecutor and district attorney in Arizona.  I have expedited 
cyber security awareness training and privacy training for all VA 
employees, directed that VA facilities across the country observe 
Security Awareness Week this week, and it is focusing on assuring that 
security is an integral part of our workplace culture ethic.

The VA's initial response to this loss was to create a call center with 
a capacity to handle 260,000 calls, and we reprogrammed $25 million to 
do that.  To date, we have spent $9.3 million in that call center.  We 
have had a total of 212,000 calls.  Another thing that we did is a 
mailing to all of the 17.5 million people for whom we had addresses by 
matching our data with the IRS to come up with those addresses.  The 
mailing cost was $7 million.

As you well know, we also requested and got the requisite policy 
approval to seek from you the ability to provide security monitoring for 
the affected veterans, servicemembers, and family members, and I have 
quite a bit on that and I think I will demur on that, pending what 
questions that you might have on that.  You know, we hope and pray that 
is academic, but we don't know that as I sit here.

Let me talk about some specific actions that are going to --  that are 
and will occur at the VA, and again, one of the redemptive parts of this 
I think is the absolute wake-up call lightning rod to make changes in 
this organization, some of which I hope will become models for other 
agencies that I know have some similar complacency and laxity that we 
have had on information security.

I directed that every laptop computer in the VA undergo a security 
review to ensure that all security and virus software is current, 
including the immediate removal of any unauthorized information or 
software, and application of appropriate encryption programs.  But 
because of the pending lawsuits, this directive has been placed on hold 
until we obtain further guidance from the courts.

In addition, we have been in discussions with corporations which provide 
unique data breach analysis to see if the data has been exploited.  And 
we anticipate that we will enter into a contract for that service 
shortly, and I would add here parenthetically that I think that we 
should do that anyway regardless of what the outcome of what we are now 
hoping for, based on today's news.  This is not extremely expensive.  It 
is a new technology, but they can tell you whether a body of data is 
being used, exploited by people who do this, who steal identity and 
exploit it.

We are making an effort to be responsive to the concerns of you, Mr. 
Chairman, and this Committee, by directing us to provide detection, 
protection, and insurance.  And that I would say is there, it is pending 
further information.  I directed that the VA conduct an inventory of all 
positions requiring access to sensitive VA data, to ensure that only 
those employees who need such access to do their jobs have it.  And that 
they have the appropriate background checks.

And if you could think of a model for this, it is one that you are all 
familiar with, which is having a security clearance for having access to 
classified information, and having a need to know the information.  This 
unfortunately has just not been the standard in our organization.  And 
as you heard me say before, the person who had custody of this data had 
not had a background check in 32 years, as an example.

We have been in an effort to conduct this inventory of these positions, 
and then we are working on a program for getting these background checks 
in place, which is no small task, given the time delays there are on 
those, and it is costly.  We are doing a major IT reorganization within 
the VA, and it is true, as the Chairman and Ranking Member have said, 
that the VA has been very highly decentralized, and this is a huge 
organization that is spread all over the world really from Togus, Maine, 
to Manila in the Philippines.

And some of that decentralization has been good.  It has kept the IT 
closer to the ultimate user, and I would say that it has also been very 
valuable and important in the development of the highly vaunted 
electronic medical records that we have, that lead --  I was at a world 
forum of the American Enterprise Institute recently, where they were 
universally praising the VA for what it has been able to accomplish in 
this front.

But it has also, this decentralization, has led to a system that is 
very, very complex, frequently incompatible, and very difficult to 
manage.  And that has become clear to me shortly after I came into this 
job 16 months ago.  So after reviewing the recommendations of the 
consultant who had been studying the IT situation at the VA after the 
ill-fated Core FLS endeavor in Florida in October of 2005, or that is 
when I made the decision and signed the memorandum directing the 
reorganization of the IT within the VA.  That was last October.

And pursuant to that, now more than 4600 IT professionals engaged in 
operation and maintenance of the department's IT infrastructure, plus 
560 unencumbered positions, have been detailed to the Office of 
Information and Technology under the direction of the Chief Information 
Officer.  As of the beginning of the new fiscal year coming up on 
October 1st, those who have been detailed will become permanently 
assigned there, establishing thereby a new career field within OIT.

Given collective bargaining agreements -- 

The Chairman.  Excuse me, Mr. Secretary, if you could hold your spot, 
okay?  Put a little note there in your statement, hold that spot.  I 
have been informed we have three votes.  We have a 15-minute vote on the 
Poe amendment, a two-minute vote on Hefley, and a final passage.  So we 
are going to stand in recess for approximately 25 minutes.

And Mr. Secretary, given your announcement, I am sure that you are going 
to be asked questions from the press. You have the permission of the 
Committee to speak with the press and conduct an interview in this room.  
The Committee stands in recess.

[Recess.]

The Chairman.  The House Veterans Affairs' Committee full Committee will 
come back to order.

Mr. Secretary, there is much abuzz about your announcement this morning.  
We just returned from our votes. Members are feeling pretty good about 
the news, but don't know whether they can take the next breath until we 
have learned whether or not anything has been compromised.  Sir, when we 
left off you were still in your opening statement and we want to give 
you latitude.  You are now recognized, sir.

Secretary Nicholson.  Thank you, Mr. Chairman, I am glad that there is 
some positive buzz for a change, and let me, if I may read an e-mail 
that I have gotten with an update, which is as follows:

``An FBI spokesman said the laptop computer was recovered in the area, 
but could not provide more specific information.  Forensic tests 
showed,''  quote, ``the sensitive files were not accessed, according to 
the special agent in charge, Bill Chase.''

So it is still positive, very positive, and we remain hopeful.  With 
that, Mr. Chairman, I would like, if I could, to pick up where I left 
off, which is I think talking about a very important thing that we have 
launched at the VA, which I think is pleasing to you and the members of 
this Committee, which is the major movement of centralization that we 
are undertaking.

And I had mentioned that we had moved 4,610 people, professionals, 
engaged in the department's IT infrastructure, under the direct control 
of the Chief of Information.  Plus another 560 positions have been 
detailed there.  And come October 1st or the end of the current fiscal 
year, these details there will become permanent, and a new career field 
will be established in the VA, now, for career professionals in IT.  
That has not ever been the case.  And I think that that is a very 
important, progressive, and needed step.

There are collective-bargaining agreements with our unions that come 
into play and they have filed grievances in an attempt to prevent this 
change.  And some of this is I think normal.  There is a fair amount of 
anxiety because we are moving people now internally in the organization 
into a new organization.  We hope that we can resolve those things with 
the union and see and convince them that these people are really going 
to be better off, because they are no longer going to be hitchhiking 
career-wise to a different career field than their own specialty.

And in this reorganization all IT professionals are then going to be 
consolidated in the Office of Information and Technology.  And then 
there is one exception, and I know this is a very important exception to 
the Chairman, and that is the software developers who reside mostly with 
VHA and VBA.  But even for these, the CIO will be responsible for their 
enterprise architecture, their project planning approvals, through the 
OMB 300 process, funding, and cyber and information security, which we 
are meeting here today.

So in this concept, I think this is a very big step.  I can tell you it 
is a very big thing inside our organization. And I think a very positive 
thing.  And it is incremental, in my mind, and my goal is for these 
developers to also be brought under the total control of the CIO.  These 
are the real creative types that are out there, you know, creating these 
software application programs for medical research, and so on.

Various other functions are being centralized within the VA IT as well.  
The position of Chief Financial Officer, with budget authority, has been 
established in the Office of Information Technology.  Security has also 
been consolidated within the Office of Cyber and Information Security in 
the OIT.

Additionally, I want to assure you that I have been paying close 
attention to all of these hearings and I have heard your concerns about 
whether or not the CIO has sufficient enforcement authority to ensure 
compliance with the deficiencies noted in the past, and to ensure future 
compliance.  I have looked into this a great deal and I agree with you 
that there has been an ambiguity, to put it mildly, probably, in our 
directives.

Therefore, as has been mentioned, I have issued a memorandum making it 
absolutely clear that all responsibilities with appropriate authority, 
to include enforcement, lie with the Chief Information Officer, and I 
will say that your interest in this, in this Committee, and you, Mr. 
Chairman has been very helpful.  This is long overdue.

Further I have directed that responsibility for information security be 
included among the critical elements of all senior executives' 
performance plans, tying security performance and plans, and the reviews 
of that, to the effects on the bonuses of those individuals.  We have 
already had several major experts engaged to help us develop a 
consolidated data security program.  These include many recognized names 
in the industry.  They will be supporting a program whereby 
responsibility, authority, accountability, and enforcement are 
consolidated under the CIO.  We have engaged one of the world's leaders 
in the expert field of cyber and information security, which is a 
Carnegie Mellon SEI, to independently verify and validate our security 
plan and measure our implementation.

In addition, we will be retaining an acknowledged expert on program 
management operations to manage this entire process of transformation.  
I am also pleased to announce that just yesterday we entered into a 
contract with IBM to assist us in implementing our overall IT 
realignment plan.  IBM is a recognized expert in IT integration.  They 
themselves have experienced the difficulties of IT realignment, but I am 
confident that with our commitment and their assistance, we will meet 
our goal of completely transitioning to a fully realigned IT management 
system.

The range of IT programs administered by the Department of Veterans 
Affairs on behalf of our veterans is extensive. Many of these programs 
or services require that the IT to back them up be interactive, with VA 
professionals having a need to access and manipulate data elements in 
the course of providing health care or benefits, often in locations 
outside of the VA facility.  For example, VA employees checking on the 
care that a fiduciary is being provided with respect to an incompetent 
veteran, loan guarantee employees doing field examinations of 
appraisers, or home health care providers for housebound veterans, and I 
could go on and on. As a result, the array of hardware and software, 
where it is located, the number of systems, the number of persons having 
access to it, how that access is granted or denied, how the data is 
utilized, and by whom, what background checks are needed; all have grown 
tremendously over the years.

These are areas, then, that require our immediate review and, where 
necessary, remediation.  This VA data theft has been a real wake-up call 
to us.  IG reports in past years have highlighted specific weaknesses.  
But as an institution, the VA did not respond to those with a sense of 
urgency that in retrospect clearly was called for.  With the benefit of 
hindsight, that need for urgency is overwhelmingly apparent to me today.  
We recognize that we must change the culture of this department, and we 
have embarked on doing that.

On May 24th I instructed the deputy secretary to establish a three-phase 
program to assess existing conditions, strengthen internal controls, and 
establish enforcement mechanisms.  The assessment phase is now almost 
complete.  We are now reissuing guidelines and regulations clarifying 
and emphasizing requirements, and the ramifications for failure to 
follow them.

In addition, I have directed that all VA's sensitive data be kept on VA 
equipment, such as laptop computers.  In the past many employees have 
utilized their own personal computers to conduct VA business.  We are 
assessing just who is doing that and why, and we will be issuing 
guidance regarding that in the near future.  I have also directed that 
previously authorized work procedures, which allowed VBA employees to 
transport hard copies of claim folders to alternative work sites be 
stopped.  It is a government-wide practice to encourage telework or 
telecommuting, especially here in the Washington area.  Yet we must 
assure that our policies and procedures implementing this are such that 
sensitive data relating to our veterans is properly protected.  I have 
asked our Acting Under Secretary for Benefits to review and revise his 
own guidance to his staff in this area to ensure the protection of the 
veterans' vital records and sensitive data prior to resuming this 
practice, if at all.

As I mentioned, the VA is revising its regulations, policies, 
guidelines, and directives, in the entire area of information technology 
and security.  We are working to assure that we have clear guidance for 
all VA employees in place and that they are fully trained in what is 
required of them, and that compliance is monitored.

We are revising VA directive 6500, which sets forth the guidelines for 
information security and the enforcement mechanisms pertaining to that.  
This is on a fast track, and I anticipate issuing that directive very 
shortly.  But I am convinced that coming out of a very bad situation, we 
can make the VA a model for data security.

How are we going to measure our success in this endeavor?  Well, I am 
putting forth a slate of directives enhancing the authority of the CIO, 
creating accountability throughout the system and requiring measurement, 
and I have mentioned the consultants that we are engaging to help us 
with that.  Performance metrics will be tracked by my office in 
conjunction with the CIO until we become that model to be emulated by 
others.  And of course, we have our own Inspector General, who has 
pointed out shortcomings in the past.  And while the IG is housed at the 
VA he is independent, reporting directly to the President.  I think you 
will see that he offers a critical overview of what we are doing.  And 
initially that will be to correct deficiencies noted by him in the past.

In addition, we are scored each year on FISMA compliance.  And as I have 
noted in the past, we have received abysmal scores.  That is 
unacceptable and we must and we will do better.  In the area of 
legislation, Mr. Chairman, the Health Insurance Portability and 
Accountability Act, known by you all I am sure as HIPAA, governs all 
aspects of the privacy of sensitive information related to a person's 
health.  HIPAA provides for criminal penalties of up to 10 years' 
imprisonment and a fine of up to $250,000 for its intentional misuse.

There is no comparable law pertaining to the misuse of other non-health 
sensitive personal information.  And I believe that Congress should 
enact such a law.  Someone intent on fraudulently using personal 
information may think twice if he or she focuses on severe penalties 
that could be encountered for such a crime.  I also now serve on the 
President's new task force on identity theft and I will be making 
similar requests there for tougher laws, greater deterrents, and other 
actions that will minimize the likelihood of an event such as this 
occurring again.

In conclusion, Mr. Chairman, unfortunately a terrible thing happened, 
monumentally terrible.  It has outraged me and so has the slow response 
by some of my very good subordinates, but I am the responsible person, 
and it is to me that I think you are entitled to look to see that our 
victims are treated right and that this place gets fixed. And it will 
not be easy, and it will not be overnight, I am convinced that we can do 
this.  And we are already on the way I think to establishing a new 
culture of security within the VA with the policies and procedures and 
the people in place to maintain them.

That concludes my testimony, Mr. Chairman, I would be pleased to answer 
questions.


The Chairman.  Thank you very much, Mr. Secretary.

Under Secretary Tuerk, Under Secretary Perlin, Deputy Secretary 
Mansfield, Assistant Secretary Aument; the four of you have written 
testimonies, do you not?

[All answer in the affirmative.]

The Chairman.  Would you submit that statement for the record?

[All answer in the affirmative.]

The Chairman.  Hearing no objection it is entered, so ordered.


[The statements of Mr. Tuerk, Dr. Perlin, Mr. Mansfield, and Mr. Aument 
appear on p. 58, p. 67, p. 76, and p. 84, respectively.]


The Chairman.  Other witnesses are here to accompany the Secretary, and 
if members have questions of them we have a roving microphone.  If these 
witnesses will please rise when recognized.

The Honorable Tim McClain, General Counsel to the Department of Veterans 
Affairs.  You may be seated.  Mr. Tom Bowman, who is the Chief of Staff 
to the Department of Veterans Affairs.  Mr. Dennis Duffy, the Acting 
Assistant Secretary for Policy, Planning, and Preparedness, for the 
Department of Veterans Affairs.  Missing?  Sorry, please stand.  If you 
did, I didn't see you.  I apologize.  And Mr. Mark Whitney, with Policy, 
Planning, and Preparedness, for the Department of Veterans Affairs.  
Thank you.

Mr. Secretary, in your opening statement you referred to a memorandum.  
I would ask unanimous consent that your memorandum signed and dated June 
28, 2006, entitled, "Memorandum for the Assistant Secretary for 
Information and Technology,'' subject line, ``Delegation of Authority 
for the Responsibility for the Department Information Security,'' be 
entered into the record.  Hearing no objection so ordered.


[The attachment appears on p. 98]



The Chairman.  I would also like to publicly thank Health Net.  Health 
Net is a company that does business with the VA, that they supplied 
$25,000 and matched the reward money.  And I think they should be 
publicly recognized for what they have done.

I will also ask Mr. Secretary, and I do want all the members to have 
their opportunity to talk with you, but I do want you to share with us 
these two other breaches that have occurred: the one in Minneapolis, 
whereby you had an employee put a laptop computer in the trunk of a car 
and the car was stolen and information was compromised, and you did have 
two cases of identity theft. The other, I would like to discuss the 
circumstances, and I would like to know about the notification 
procedures regarding the loss of a backup tape at the regional counsel's 
office, whereby they are missing 16,538 legal cases in the city of 
Indianapolis.  Mr. Secretary?

Secretary Nicholson.  Yes, sir, Mr. Chairman.  The incident in Minnesota 
was brought to our attention by a postal inspector, who had reason to 
believe that two people, two patients in one of our extended care 
facilities, was possibly having their identity exploited, and that led 
to a fact-finding endeavor that the IG has been investigating this.  And 
it turns out that the VA had a financial auditor in that facility to 
audit the income status of certain patients, because there is a means 
test that goes on for some of them in those facilities.  And that person 
put some of these patient files in the trunk of a car, of a rented car, 
and that car was stolen.  And there were I think 60-some, 66, I 
believe, people's information was in that, they were paper copies, and 
that happened in 2005, the car was stolen in 2005.

This did not come to our attention until, as I said, the postal 
inspector sensed that two people were being defrauded, and so we have 
the IGs inspecting, conducting an investigation and we are, you know, 
going back to the responsible person, waiting for the final report of 
the IG. Another case where the importance of this was not sensed and 
dealt with by that employee.  The Indianapolis --  

The Chairman.  Sir, we have a question on Minneapolis.

Secretary Nicholson.  Yes?

The Chairman.  When you said 66 people, are these 66 veterans?

Secretary Nicholson.  Yeah, I think they -- 

The Chairman.  All right.

Secretary Nicholson.  I am told yes.  I pause because there are a few 
people in --  facilities who are not --  

The Chairman.  And an audit of materials, would it indicate that it also 
contained necessary granulated information such as name, address, Social 
Security numbers?

Secretary Nicholson.  Yes, sir.

The Chairman.  And with regard to the notification of all 66 veterans, 
have they been notified with regard to the loss of this data?

Secretary Nicholson.  They have been notified, yes, sir.

The Chairman.  And are you considering taking the same action with 
regard to these 66 veterans as you were going to take with regard to 
this stolen laptop and hard drive, with regard to credit monitoring?

Secretary Nicholson.  Yes, sir, credit monitoring.

The Chairman.  And insurance?

Secretary Nicholson.  Yes.

The Chairman.  Okay.  All right, let's talk about Indianapolis.

Secretary Nicholson.  All right.  Indianapolis is more recent, where 
there is a backup tape that is missing. This occurred, I think, on May 
5.  It was in the regional counsel's office in Indianapolis, and the 
general counsel was notified of this on May 23rd.  It involves 16,500 
individual cases.  And again, the IG is investigating this, and we await 
their report for you know, the actions that we will take with respect to 
personnel.  We are notifying these people, and we plan to give them 
credit protection as well. The General Counsel is here, Tim McClain, if 
he cares to add anything to this, I would welcome him to do that.

There, the reporting was better than it has been.  But the practice, I 
mean, it happened, and we have a tape missing.  The data again is not 
missing, in that there is a daily chronology of these cases, a lot of 
this is litigation and stuff that they are tracking electronically, and 
so they have the day before and the day after, so that the data is not 
missing to us, but that tape is missing, with those individuals on it.

The Chairman.  Well, may I ask your counsel.  Mr. McClain, if there is a 
remote mike.  Mr. McClain, if there are 16,538 legal case records, would 
it not be true then that these files would have contained once again 
granulated information regarding the veteran, perhaps their dependents, 
some could be VA employees, Social Security numbers, claim numbers, 
addresses, date of birth, legal case numbers? Would that be an accurate 
assessment?

Mr. McClain.  In some cases, yes, Mr. Chairman.

The Chairman.  And in these case files, then, could there also possibly 
be embedded case-related documents such as claims, court documents, 
patient medical records, property descriptions, other personal 
information?

Mr. McClain.  Yes.

The Chairman.  With regard to the backup procedures that occurred prior 
to the loss, could you explain what occurred in the regional office in 
Indianapolis, with regard to how a backup was conducted and how these 
tapes were safeguarded?

Mr. McClain.  From what I have learned about this particular office, and 
how it was run, there is a computer room that the computers and the 
servers that run this particular system.  This is a homegrown software 
system known as GC Laws.  It is something that we developed and had 
implemented in 2002, and it has been in development since then.  It is a 
case tracking and attorney time tracking software.

Cases can be anything from a 30-minute telephone call with someone such 
as the VISN director or the medical center director, to a full-blown 
Federal Tort Claim Act case or medical case.  And so, we define a case 
essentially as you are giving legal advice in a substantive area and you 
are doing it for about 30 minutes or more.  That is why the number of 
cases are not going to be the same as the number of actual individual 
identifiers in the GC Laws area.  Every day, this system, which has 
information only from this particular region --  we have 22 regions that 
this is region 22 --  and they then back up this server that the GC Laws 
software resides.

The Chairman.  Do you know the territory of that region?

Mr. McClain.  Sir, it is the regional counsel offices in the federal 
building in Indianapolis, which I know you are very familiar with, sir.

The Chairman.  That would include parts of Ohio, Michigan, Illinois, 
Kentucky --  

Mr. McClain.  It would include all of Indiana and Kentucky.

The Chairman.  Please continue.

Mr. McClain.  This particular office maintained two weeks' worth of 
backup tapes; first Monday through Friday, second Monday through Friday.  
Every night, the tape would be changed, and then put into its 
appropriate --  the one taken out would be put into its appropriate 
slot.  On May 5th, it was discovered by the information security officer 
that the tape for the second Monday was missing.

The Chairman.  Are you aware or not whether it was a common practice for 
a backup tape to be taken home with one of your lawyers?

Mr. McClain.  I am not aware of that, sir.  The backup tapes for the 
most part stayed in the room.

The Chairman.  I would invite you to explore.  Did the tape contain 
confidential and privileged information?

Mr. McClain.  There most likely was privileged information that would 
have been generated in federal tort claims cases, which would have been 
attorney-client privilege.

The Chairman.  The room where these backup tapes are stored, is it 
secured or unsecured?

Mr. McClain.  It has a lock on it, but that is all. It is in the office 
and it has it on the door.

The Chairman.  I want to thank you, Mr. Secretary. Mr. Filner had asked 
for a timeline yesterday and we have received the timelines with regard 
to individuals for the case in Maryland.  Mr. McClain, have you put 
together a timeline with regard to notifications, with regard to this 
case in Indianapolis?

Mr. McClain.  Yes, sir, we have a general timeline.

The Chairman.  Okay.  Just for curiosity's sake, why didn't you tell us 
about this yesterday?

Mr. McClain.  That was my oversight, sir.  I owed you that.  I was 
concentrated on this particular situation that we have.  And there is no 
question you should have been notified.

The Chairman.  Mr. Secretary -- let me ask Mr. McClain. When were you 
notified with regard to the loss of this tape?

Mr. McClain.  May 23rd.

The Chairman.  Missing on May 5th, you were notified on the 23rd?  Mr. 
Secretary, when were you notified with regard to this lost tape in 
Indianapolis?

Secretary Nicholson.  I think that I was notified either that day or the 
next day, Mr. Chairman.

The Chairman.  The 23rd or the 24th?

Secretary Nicholson.  Yes, sir.

The Chairman.  This case runs parallel to what was occurring in 
Maryland, with regard to the notifications, and procedures.  We are 
going to need to learn more about Indianapolis,  Mr. Secretary, and I am 
pleased about your opening statement, because you exercised leadership 
here over the last four weeks.  But there is definitely more that we 
need to learn about this case in Indianapolis.  Because this is a 
tremendous exposure potential with regard to your legal system, Mr. 
McClain.

Mr. McClain.  Yes, sir.

The Chairman.  The last thing I would ask, with regard to the memo that 
has now been submitted for the record dated June 28th, Mr. McClain, as 
General Counsel for the VA, do you believe that this memo complies with 
FISMA?

Mr. McClain.  Yes, sir, I do.

The Chairman.  Congratulations.  I yield to Mr. Filner.

Mr. Filner.  Thank you, Mr. Chairman.  And Mr. Secretary and your staff, 
we are all feeling better this morning.  You said, the saints were 
smiling on you.  I guess that was for your service in the Vatican, not 
on the RNC.

Secretary Nicholson.  St. Anthony.

Mr. Filner.  And we are all fortunate of course, we don't have to spend 
the money apparently for credit monitoring.  I was upset about the 
proposal for those dollars from an administration that spends hundreds 
of billions in a supplemental in the war on Iraq, yet wouldn't do a 
supplemental for the veterans, of $130 million.  It was going to take 
money out of food stamp programs or student loans, so I am glad that we 
won't have to argue about that one.  Let's hope that we don't.

And like the Chairman, I thought your statement was very good and 
powerful.  I wrote down some quotes I thought were very welcome here, 
the recognition of real deficiencies, a sense of urgency, the ``wake-up 
call.''  I think those are all powerful statements, and I hope that they 
echo through the VA system.

There is a famous quote that says ``Those who cannot remember the past 
are condemned to repeat it.''   I know you all want to look forward and 
clear up some of the mistakes and errors and deal with them.  I still 
think there is a sense of denial, Mr. Secretary.  Mr. McClain just 
referred to this whole thing, as ``the situation.''  Yesterday he called 
it an ``incident.''  You called it a ``wake-up call.''   I call it a 
major disaster.  And I think people have to accept that we may have come 
out lucky on it, but it was a true disaster.  Until people get that, I 
don't think we are going to get the change throughout the system that 
you need.

The timelines that we have looked at have showed some real 
programmatical errors, I think.  And I hope you deal with them.  We are 
grateful that the FBI was able to do something, but from the timelines 
it looks like it took almost a month before they were even brought into 
it.  It maybe would have gone faster, it looked like to me after the 
initial police report there was all kinds of internal stuff and then you 
were notified and you called the White House. And then the FBI, and so 
it took some time for them to even be involved in it.  And I find that 
is a little disturbing, if that is the case.

All right, I would just like to take a few minutes, if I may, Mr. 
Secretary --  but your statement on the ``F'' grades from FISMA about 
``determined to change those'' is again, I think that needs to echo 
through the whole system, and I appreciate those statements.

With regard to the personnel and the errors that were made in the last 
eight weeks, has anybody been given a notice that they are going to be 
fired in this whole process?

Secretary Nicholson.  Yes, sir.  One person has been fired, because --  
he could be fired summarily because he was a political appointee, who 
was the Deputy Assistant Secretary for Planning and Policy.  The Acting 
Assistant Secretary is a career employee and has rights and due process.  
And so through a mutual arrangement, he retired, because he is eligible 
for retirement.  Those are the two senior guys, those are the number one 
and the number two guy in that department.

The person who had custody of the data that was stolen I will tell you 
quite frankly, when I heard about it I said, ``he needs to be fired, 
fire him.''  I was then told ``you can't fire him, but you can put him 
on administrative leave with pay,'' which we did, we have done.  And we 
have initiated a process to have him terminated from federal employment.

Mr. Filner.  Based on what?

Secretary Nicholson.  Based on the advice that I was given that he did 
this in violation of existing policies. And that he acted irresponsibly 
and negligently in having that kind of data, you know, that could be 
stolen.

Mr. Filner.  The reason I am concentrating on this, Mr. Chairman, is I 
think there was an initial sense, what you called the Abu Ghraib 
mentality, to blame it on the lowest person possible.  I would like to 
enter into the record several documents that have been redacted from 
names, so I think it is perfectly acceptable, what is called an 
``employee home use amendment''  to the VA's license agreement for the 
software, that this employee was authorized to have that data at home.  
Also, there is a property pass that was issued to him that he was 
authorized to have the laptop at home.  And a third document, again 
redacted from the names, that he had authority for access to the files.

The Chairman.  Does the gentleman ask unanimous consent that these be 
made part of the record?

Mr. Filner.  I do, sir.

The Chairman.  Preserving the right to object upon further examination --  

Mr. Filner.  Sure.  Under the advice of counsel, they have been redacted 
of any personnel specifics.

The Chairman.  I have no objection to entering these in the record.  Any 
objections?  So ordered, they will be made part of the record. 

[The information referred to by Mr. Filner appears on p. 101]


The Chairman.  Mr. Secretary, are you familiar with these documents?

Secretary Nicholson.  No, I am not.  I would like to take a look at 
those if I could.  I have heard about those, but I don't think I have --  

Mr. Filner.  You have heard of them, did you say?

Secretary Nicholson.  I heard that they existed, yes, sir.

Mr. Miller.  Mr. Chairman, can we get copies?

The Chairman.  Yes.

Mr. Miller.  They are all being passed out over here?

The Chairman.  I am not sure.

Mr. Filner.  We will get copies to you.

The Chairman.  Let us allow the Secretary to look at the three documents 
and --  Ma'am, are you passing out the three documents?  All right.

Mr. Miller.  And the minority members have them as well.

The Chairman.  Yes.

Secretary Nicholson.  Okay, all right.

The Chairman.  Mr. Secretary, you are familiar with these three 
documents?

Secretary Nicholson.  I am looking at this document, first time I have 
ever seen it.

The Chairman.  Mr. McClain, are you familiar with these documents?

Mr. McClain.  Yes, sir, generally.

The Chairman.  Generally.  Mr. Duffy, are you familiar with these three 
documents?

Mr. Duffy.  Again, generally, yes.

The Chairman.  All right.  Mr. Filner, you are -- 

Mr. Filner.  My sense is, and you can comment on this, Mr. McClain, that 
the employee was authorized to remove these files, and that was the 
first thing he was going to be removed for.  And gross negligence, I 
mean, he got all the approvals that he was supposed to have, and I am 
told that even in the --  well, I'll ask about this later.

It looks to me that the gross negligence is in the policies.  There is 
no policy.  You have said he violated the policy.  I don't know of any 
policy that he violated.  That is the real negligence, that there were 
no policies.

He notified the police 52 minutes after the theft occurred, according to 
the police report.  And your staff didn't notify you for six to seven 
days.  I don't know which is more gross.

Secretary Nicholson.  Thirteen days.

Mr. Filner.  I am sorry, 13 days.  Thank you.  I think there is more 
gross negligence from the uppers than this poor guy at the bottom.  So 
what policy did he violate and why is it more negligent to not tell you 
about what happened and not tell the FBI et cetera, et cetera?

Secretary Nicholson.  Mr. Filner, we have taken these actions and we 
took them based on the reasons that I have given you.  This employee who 
has, you know, rights --  has asserted those rights and he is entitled 
to a hearing and will have that hearing, and that is pending. And with 
all due respect, Sir, I think it would be wise for me not to comment 
further on the disposition of this employee.

Mr. Filner.  I understand that, Mr. Secretary.  I introduced them, again 
redacted for names, to show that we didn't want to have one person at 
the very bottom of the food chain held responsible for the biggest data 
loss in federal government history.  I mean, that is what it is, and we 
are saved by something or other but it is still there. It is still 
happening.  And I guess I would like to ask you, and you don't have to 
answer now, but the powerful statement you made in terms of changing the 
culture, which is still going to be a hard job, but I think you are.  I 
think the Chairman and I would agree that you are doing exactly what has 
to be done, that you have to hold folks accountable for the ``F'' 
grades, the previous FISMA things, for the delay in reporting, for all 
that was going on.  I appreciate the one mistake of a good employee is 
not the only thing in this record, but I think you have to make a bolder 
statement about accountability, with some personnel changes, is my 
sense.  You don't have to comment now, but I think our sense of you as 
trying to change the culture would be enhanced by that.

I may say one more thing for the record, the Secretary took the 
initiative just a little while ago, pulling me aside and saying, ``let's 
get on a more personal note here.''  I appreciate that very much. I 
think we are both trying to do the best we can for veterans.  I'll try 
to do better in terms of personal actions, but I appreciate your taking 
the initiative, and as always, Mr. Chairman, we are saved by our spouses 
who are working together for the PVA annual gala dinner.

Mr. Secretary, we want to do the best for veterans. We want to help you 
do that job.  You have taken the first step, and we do appreciate the 
announcement today.

Thank you Mr. Chairman.

The Chairman.  Mr. Filner, I do not question the spirit of your personal 
enterprise.  I appreciate the bipartisan fashion here over the last four 
or five weeks that we have worked together, all of us on this Committee 
have worked in a bipartisan fashion.  This really goes back with Art Wu 
and Len Sistek, almost seven years and I think that investment of time 
is paying off dividends.

And Mr. Secretary, I am going to yield to Mr. Brown, but you know, I 
enjoin and affiliate myself with the comments of Mr. Filner.  The 
statement that you give us today compared to the statement that you gave 
us several weeks ago, you cannot compare the two statements.  You came 
in here today as a man in charge.  You told us in response to a moment 
of your leadership that you were going to do that, that you were going 
to exercise leadership and take control of this, give assurances to 
veterans, and make changes to the system.  And you have come in here 
with your bold strokes and bold initiatives and for that you are 
entitled to be recognized.

Mr. Brown, you are recognized.

Mr. Brown of South Carolina.  Thank you, Mr. Chairman.  Mr. Secretary, a 
recent IG report identified vulnerabilities relating to offshore 
subcontractors who have access to VA medical transcription data.  I know 
that you were confronted with this question by Chairman Walsh earlier 
this week.  But this Committee is also very interested in your views on 
the role of offshore contractors and subcontractors and their access to 
sensitive health-specific data on US veterans.  Would it be prudent in 
your opinion to consider contracting limitations for offshore entities 
in order to mitigate the risk of data loss or theft?

Secretary Nicholson.  Thank you for that question, Mr. Brown.  The case 
you are referring to is one that I have looked into.  It was a case 
where we had entered into a contract, the contractor subbed, and he 
subbed to another sub, doing back-office work in India.  The 
intermediary sub went bankrupt.  Our contractor had paid the first sub 
that went bankrupt, and the working folks in India weren't paid. I go 
into this detail to illustrate the vulnerabilities of this.

So they weren't paid, they came to us.  And they have over 30,000 
entries of sensitive data of veterans that they were working with and 
they said that ``You either pay us or we are going to put this 
online,'' which to me is a microcosm of the vulnerability that we have 
in this whole field, where we give people access to this data that we 
don't know enough about.  Even our own employees, let alone people 
offshore.

So the answer to your question is clearly yes.  We should endeavor not 
to have these contracts end up offshore for that reason, particularly.

Mr. Brown of South Carolina.  How many other contractors are you dealing 
with, Mr. Secretary, besides this one?  Do you know?

Secretary Nicholson.  One minute.  The only one that I know of right 
now, we are looking at this, but there is one other right now and that 
is a contract that we entered into with a company to provide the general 
management of the homes that we repossess under our VA guaranteed loan 
program.  We have a master contractor to go through the foreclosure, 
take possession, refurbish, and remarket those homes.  They do their 
back-office accounting work, have it done offshore.  That is the only 
one that I know of right now.  By the way, we are reviewing that 
contract, because it is coming up for renewal and that is a relevant 
item in that discussion that we are having.

Mr. Brown of South Carolina.  So I guess your opinion, and you are going 
to try to lessen any further exposure by going offshore with some of the 
information gathering?

Secretary Nicholson.  You know it is this globalized digital world that 
we are living but I think it just creates too many vulnerabilities for 
us.

Mr. Brown of South Carolina.  Thank you.  Thank you for your service, 
Mr. Secretary.

The Chairman.  Mr. Brown, I want to yield--but may I ask a follow-up?  
It provides too many vulnerabilities to us?  Following Chairman Brown's 
questioning, this issue about subcontracting and offshoring, 
outsourcing, these present grave concerns to you?  They do?

Secretary Nicholson.  Yes they do.

The Chairman.  Okay.  All right, do we have any of our call centers that 
are subcontracting coming of places such as China?  Are you aware?

Secretary Nicholson.  No, sir.  No, none that I am aware of.

The Chairman.  Is it possible that service centers for your medical 
devices might originate from China?  Is Mr. Howard in the room?

Secretary Nicholson.  I might best refer to Dr. Perlin for a detailed 
answer.

Dr. Perlin.  Mr. Chairman, with respect to medical devices, many of the 
major manufacturers are not American: Siemens, Fujitsu, Motorola, 
Philips, et cetera, if you want any MRI or CAT scan or angiography suite 
or radiology.  I personally am not aware if any originate from China but 
I would not be surprised if some devices are manufactured there.

I would note that the servicing of the device is electronic in 2006.  
And there is interaction with that.  I would have to defer to Mr. Howard 
for any further elaboration.

The Chairman.  Mr. Howard?

General Howard.  Sir, I really can't add any more to that.

The Chairman.  All right.  Well, I think if you take a look, you are 
going to find out perhaps that it may be true that one of the service 
centers for one of your medical devices comes from China.  As the world 
gets smaller, the more we are interconnected, and then as we seek to try 
to protect our veterans I think we are going to find we have some 
serious problems.

Ms. Brown?

Ms. Brown of Florida.  Thank you, Mr. Chairman, and thank you for 
holding this hearing.  Yesterday, I had the pleasure of meeting with the 
Veterans Widows International Network.  I am looking forward to working 
with them, but as we move forward for the Independence holiday, we 
cannot forget why we are here, and we are here all of us to serve the 
veterans.

And Mr. Secretary, in your testimony you stated that you have just 
issued a memorandum that all functions lie within the CIO.  Which 
guarantees will you make that the lawyers will not get involved and rule 
the exact opposite like what happened to your predecessor?

Secretary Nicholson.  If I understand your question correctly, Madame 
Congresswoman, my answer is yes, that is the purpose, is to centralize 
this, and to have residing with the same person, and not just 
responsibility but the authority.

Ms. Brown of Florida.  Yes sir, I understand what you are saying.  But 
what I am saying is that your predecessor did the exact same thing: 
issued the memorandum saying that that person had the responsibility, 
but the lawyers ruled just the opposite.

Secretary Nicholson.  I am with you now, and that has changed.  We have 
changed that.  We moved these people to come under the CIO.  A lot of 
objection, debate, just we have done it.  And they now are under that 
Chief Information Officer.

The Chairman.  Mr. McClain, could you help and be responsive to the 
gentle lady's question?

Mr. McClain.  If I understand the question correctly, is that the 
Secretary ordered a directive and then my office, as Office of General 
Counsel, would say that it was invalid or ruled differently?

Ms. Brown of Florida.  Yes, just the exact opposite.

Mr. McClain.  Mr. Chairman, I would basically rely on my testimony from 
last week, where this was gone into in depth as to exactly what that 
opinion was.  And both opinions from 2003 and 2004, essentially, were in 
a nutshell an interpretation of FISMA and what could be delegated.  And 
this delegation memo that we have here today is actually what was 
delegated under FISMA.

Ms. Brown of Florida.  I have a follow-up question for you.

Mr. McClain.  Yes, ma'am?

Ms. Brown of Florida.  In reading the information, what was passed out 
as far as the employee that took the information home and had clearance 
to do that, a memorandum, and also directly afterwards, reported that it 
was stolen, I mean, just right away, but this is a person that is going 
to be fired, can you clear that up for me?  Because I can see that we 
are headed to a lawsuit with this, because he had permission, and he had 
it in writing, a memorandum.

Mr. McClain.  First, I am not going to comment directly on pending 
personnel action for this employee, because it is still pending.  There 
has been no final decision made in this employee's particular case.  But 
the documents that were presented by Mr. Filner, one being a 
justification for access to Social Security numbers, that would be part 
of his job to look at those.  Another one is an employee license to have 
software at home, and the other one is a laptop property pass that does 
not relate to this laptop.

Ms. Brown of Florida.  That's your answer?

Mr. McClain.  Yes.

Ms. Brown of Florida.  Well I guess, you know, I am not a computer geek, 
but it would be no point in using the software at home if you know, you 
couldn't use it.

Mr. McClain.  Yes, ma'am, I understand that once again I would like to 
say that the process is continuing, and for the integrity of indeed this 
due process that the employee is entitled to, I can't directly comment 
on the pending personnel action.

The Chairman.  May I?

Ms. Brown of Florida.  Yes, sir.

The Chairman.  We are in a touchy area.  My colleagues, what I feel a 
little uncomfortable with is that we interviewed this individual.  The 
Counsel for Minority and Majority, along with the staff directors of 
oversight, interviewed the individual.  And these were some of the 
documents, and I am a little uncomfortable for us to move this into the 
public arena, because this individual has rights.

Ms. Brown of Florida.  Yes.

The Chairman.  Ms. Brown -- 

Mr. Filner.  If I may -- 

The Chairman.  Yes.

Mr. Filner.  Ms. Brown, the particular property pass Counsel referred to 
was just one of a series of authorizations that the employee had.  I 
don't know if the number of this one matches, but there were a series.  
Certainly he believes for several years that he had the authorization to 
take it home.

Ms. Brown of Florida.  Just a follow-up question then, with the 
Secretary.  Mr. Secretary, I know that everybody is breathing a sigh of 
relief, but I want to know whether or not we are going to continue to 
monitor the situation to see whether or not the integrity of the 
information that was out there, are we still going to give the veterans 
the assurances that we are going to monitor the credit reports?  I mean, 
where are you with this?

Secretary Nicholson.  Well, I think that is a very fair question. You 
know, it is dynamic.  Things are happening even since we have been in 
this room. But my feeling about it right now is that we should engage 
the unique capability that we have to see if data are being exploited.  
That is not relatively expensive to do that, and we could do that, and 
then I think we ought to keep an eye on, to make darn sure that this 
data has not been exploited, or has not, you know, been copied, which 
would be subject to being exploited.  And I think we need to remain 
vigilant.

Ms. Brown of Florida.  All right.  Thank you, Mr. Chairman, Mr. 
Secretary, I yield back the balance of my time.

The Chairman.  Thank you, Ms. Brown.  My colleagues, the Secretary is 
accompanied by the Deputy Secretary.  Two of the Under Secretaries could 
not be here.  So we have his Assistant Secretary.  Sir, what should I 
say?  You haven't been confirmed by the Senate, and that is why you are 
not at the witness table.

The reason we have them all here is for you to be able to ask questions.  
As we learned from the Under Secretary, the CIO did not have certain 
authorities to enforce. Therefore the enforcement of all these 
directives and rules really lay with these gentlemen.

Chairman Miller, you are recognized.

Mr. Miller.  Thank you, Mr. Chairman.  Mr. Secretary, is somebody from 
the Board of Veterans Appeals involved in looking at the security 
issues?  And the reason I raise the question is that many of us recall 
several years ago that an employee from VBA was found to have many files 
in boxes in their garage.

Secretary Nicholson.  Yes.  Judge Terry has been involved in the many 
meetings we have had on this.  I will say that they do have a program 
whereby they take files home, the judges.  But we have looked at it very 
carefully, and it has been prescribed, it was authorized, and they are 
in locked containers en route.  They are to be put in locked containers, 
when they are not being worked on at the residence, and in locked 
containers coming back.  We have made a few spot checks on that, and it 
looks like there is good compliance on that.  So we have not made that 
change.

You noted in my testimony that with respect to the Veterans Benefits 
Administration, they were taking files home for adjudication.  I have 
stopped that because it was not tight enough.  So we are, they are very 
engaged with us on this and I think, you know, getting the message as 
well.

Mr. Miller.  Going back to the backup tape, is it assumed missing or 
potentially stolen?

Secretary Nicholson.  I think that is an open question.  I would ask 
General Counsel, do you have a view?

Mr. McClain.  [Inaudible.]

Secretary Nicholson.  We are captioning it as being missing.  It is 
missing, and the IG is investigating it.  I don't know.

Mr. Miller.  And I asked the question that way because I think if you 
were framing it that you think that somebody took it, that the chances 
would be different from the laptop scenario, where it just happened to 
be that somebody took a laptop that had the data on it, versus somebody 
knowing that they have now in their possession a backup file and you 
could --  I would assume that something nefarious would be intended with 
that information.  And so I was wanting to know, you know, at what point 
do you treat it differently from being stolen, to missing?

Secretary Nicholson.  I don't think we treat it very differently.  We 
are notifying all the people involved.  We are setting up credit 
monitoring for them.  I don't think with respect to the effect of people 
that it makes much difference.

Mr. Miller.  And back to the records that the Chairman was referring to 
that were entered into the record, the three documents.  Is there 
anything in these three documents that indicates --  not gives the 
impression or not gives an assumption, but indicates that the employee 
with these documents had the ability to take home that information?  I 
don't read that, but I am just wanting to know if there is anything in 
here that I am missing.

The Chairman.  Does the gentleman mean ability or authority?

Mr. Miller.  Either.  Obviously, he had the ability.

Mr. Filner.  Would you yield for a second, Mr. Miller?

Mr. Miller.  No, sir, on my time, and I would like to hear the 
Secretary.

Secretary Nicholson.  Chairman Miller, I am going to demur.  This is a 
pending personnel action, and I think for the protection of the affected 
employee and the integrity of the system, that we probably shouldn't 
discuss this any further than we have.  He is going to have a hearing, 
and a fair hearing.

Mr. Miller.  And as he should.  You know, it is unfortunate that in this 
entire incident that you had an employee that had he not come forward 
and said that he had this information on this laptop, VA may never have 
known that it was on the laptop.  They may have known that the laptop 
was gone, but not that the information was.  And I am glad to hear that 
he will get the due process that is due. And I yield to my friend Mr. 
Filner.

Mr. Filner.  I just wanted to point out that one of the forms says 
``home use,'' authorization for home use.  And the other one says a 
property pass to take home.

Mr. Miller.  -- reclaim my time.  Well, on the license agreement, and 
this gets outside of that so this is not the employee in particular.  An 
employee that is there today has this signed, the software.  Is there 
anything this software is used for other than --  I mean, other data 
that is in it, could it be used for something else?  I am just trying to 
get to the fact that I think this is a stretch, and I am wanting to know 
if the software can be used for anything else other than what he was 
using it for?  Other data collection?

Secretary Nicholson.  Well, I will give you, you know, a general answer 
that yes, I mean, the software has different applications that would 
make it available for different kinds of use and collations.

Mr. Miller.  Thank you, that answers my question.

The Chairman.  Chairman Miller, would you yield for just a second?

Mr. Miller.  Yes, sir.

The Chairman.  Mr. Secretary, you notice that members have been asking 
questions about the firing of the employee. I would also note that your 
testimony, well, actually, while you were waiting to testify on the 
second panel before the Appropriations Subcommittee, that expert 
witnesses talked about their concerns about immediate firing of 
employees, that it could have a chilling effect with regard to future 
losses of data.

I would note that the case that you discussed here today with regard to 
Minneapolis was a case whereby you were not notified through internal 
sources.  You testified to us that it came from a postal inspector.  So 
I think what you are finding is members have concerns here in how, as 
the man in charge, you want people to be able to tell us what the 
vulnerabilities are, and what has gone wrong; if something is lost, 
please tell us.  If they feel that they will lose their job because of 
it, we may never know, and the vulnerabilities could hurt our veterans, 
and I think that is what I am sensing from the questions of Mr. Miller, 
Ms. Brown, and some others.  I just wanted to note that to you, Mr. 
Secretary.  Yes, I yield back to the gentleman.

Mr. Miller.  Thank you.  One other question, are you aware your cyber 
security chief is resigning as of today? And if so, do you know why?

Secretary Nicholson.  Am I aware that my cyber security chief is 
resigning today?

Mr. Miller.  Yeah, is there any truth to that?

Secretary Nicholson.  I am not aware of that.

Mr. Miller.  Is anybody at the table aware of that?

General Howard.  The answer to that is yes, sir.  We were notified 
today.

Mr. Miller.  And the Secretary wasn't?

The Chairman.  You didn't tell the Secretary?

General Howard.  I told the Deputy as he came in.

Mr. Miller.  No further questions.

General Howard.  I got an e-mail about half an hour ago that it was 
official.

The Chairman.  Wait a minute.  Mr. Miller, you still have the time.

Mr. Miller.  I yield to you, Mr. Chairman.

The Chairman.  Thank you.  Your CIO has resigned, your Chief Information 
Officer resigned not long ago.  Now your cyber security man has 
resigned.  Mr. Howard, do we know why the CISO has resigned?

General Howard.  Sir, about two weeks ago he gave me a letter of 
recusal, that he was thinking about leaving.  I convinced him to take it 
back, you know, that we needed his service and all of that.  And just 
the other day, he handed me another one with no date as to when he was 
going to resign.  And as I mentioned, you know, I just got an e-mail a 
while ago that it is effective.  I think the date on my e-mail was 13 
July or something like that.  As far as I know, it was due to pressure 
on his family due to what has been going on.  You know, he has been 
working extremely hard.  He has been in charge of the forensic work, for 
example, that has been going on, working very long hours. They are all 
under a great deal of pressure, you know, to get at the details, produce 
the facts.  And I think most of it was family, but it was probably just 
the work environment as well.

The Chairman.  All right, Dr. Snyder, may I ask a question, or Mr. 
Miller?

Have you informed the Secretary?

General Howard.  Sir, I told the Deputy Secretary.

The Chairman.  Have you informed the Secretary, Deputy?

Mr. Mansfield.  No, sir.  I heard it in the hallway on the way in here.

The Chairman.  All right.  Mr. Secretary, you are now informed.

Mr. Mansfield.  I wasn't sure if it was official.  I was trying to get 
that information.

General Howard.  Sir, it was official -- 

The Chairman.  All right, let me just ask.  Mr. Miller, may I continue?

Something deep inside here is telling me something, that there have been 
meetings at the table; the CIO, the former CIO, Mr. McFarland, didn't 
get along too well at these meetings at the table.  He tried to perfect 
some changes.  He ended up making a professional judgment to leave.  We 
now have the CISO, who has now resigned.  Regarding this memorandum, Mr. 
Secretary, that you have issued, did the CISO participate in the 
drafting of this memo, or give input with regard to this memo over 
security matters at VA?

General Howard.  Sir, I am not sure if he was personally involved, but I 
definitely know his people were. I can get you the answer to that and 
they --  

The Chairman.  You know, I really can't blame the guy for resigning.  If 
I were the man in charge of security for a department --  that is 
exactly what the Secretary has asked of me --  and have not been invited 
to be at the meeting of the drafting of the security issues on behalf of 
the Secretary?

Let me ask this, Mr. Secretary: who was in charge to help put this 
matter together for you?

Secretary Nicholson.  This was a collegial effort between myself, the 
CIO, the Deputy, the General Counsel, our consultant, Mr. Romley.  There 
were a lot of people involved in this.

The Chairman.  All right, thank you.

Secretary Nicholson.  But I would say, Mr. Chairman, I would not be 
surprised if there aren't other people that resign, because the world is 
changing over there.  And these two and I think there might be other 
people that will resign.

The Chairman.  Well, I don't doubt that.  Mr. Miller's question here --  
I thank you for bringing this to our attention --  but if it is the 
people of whom are supposed to be perfecting these changes, who are 
fighting against the culture and they are the ones who are leaving, 
maybe the wrong people are leaving.  I yield back to Mr. Miller.

Mr. Miller.  I yield back Mr. Chairman.

The Chairman.  Dr. Snyder, you are recognized.

Mr. Snyder.  Thank you, Mr. Chairman, and thank you for your work on 
this.  I have been unable to attend all the hearings we have had because 
of the Armed Services Committee has been often at the same time, but I 
appreciate the hearing.

I had one little detail question, Mr. Secretary.  When I arrived today 
or several of us arrived today at the beginning of the hearing, we had a 
bit of a circus going on here with you talking into a microphone and 
holding a mini press conference.  In your opening statement you said 
someone asked you to take the microphone and make some kind of 
informative statement.  Who asked you to take a microphone and make a 
statement?

Secretary Nicholson.  I don't know.  Some person from the press, as my 
press person was coming down the hall, said ``they were going to ask 
you to make a statement when you step into the room about what has just 
unfolded with respect to the data.''

Mr. Snyder.  What is the current status, as I assume you are in the same 
boat that we --  I assume you have one of your letters --  

Secretary Nicholson.  I did, yes.

Mr. Snyder.  I got one too.  I appreciate you sending it to me.  What is 
the status, though, that was mentioned, you know, I guess from Mr. 
Filner, about credit reporting? You have publicly announced that 
veterans would have some kind of monitoring of credit reporting, and I 
expect there are veterans that have relied on that information at some 
point along the way.  Have you made any kind of announcement or decision 
about where we are at with regard to the announcement you made recently 
with the credit reporting?

Secretary Nicholson.  Where we are with that, sir, is we are writing the 
RFP right now, put that out for bids, for the companies that provide 
that service to bid on.  There are certainly three of them: Trans Union, 
Experian, and Equifax --  

Mr. Snyder.  Are you moving ahead with that, or are you under discussion 
now of not moving ahead with that in view of the fact that the computer 
was found?

Secretary Nicholson.  That was a question I think was asked the little 
while ago.  You know, a lot has changed this morning.  We have been 
pretty focused on this hearing, but my internal sense is telling me 
right now that we ought to definitely go ahead with the capability that 
is out there to analyze data to see if they are being exploited.  That's 
relatively inexpensive.  And continue to, you know, to verify and see if 
the FBI and these people are conducting these forensic analyses have a 
high enough sense of confidence that this has not been used, that we 
need not do it, while having that other screen out there looking to see 
if anything pops up, and they have a pretty good way of telling whether 
a collective amount of data is being used.

Mr. Snyder.  In the memorandum of June 28, your memorandum, Mr. 
Secretary, which seems to be very thorough in the way you all put it 
together, but there is an itemized list of what is delegated.  And you 
say, ``this includes but is not limited to the authority to.''  Give 
me a few examples of some things that are not on the list, you know, 
that phrase ``is not limited to''?  What are some things that are 
beyond what is on the list of delegated authority?

Secretary Nicholson.  Could you point to -- 

Mr. Snyder.  Says number two, Delegation, ``This memorandum delegates 
the Assistant Secretary for IT complete responsibility and complete 
authority for enforcement of information security policies, procedures 
and practices. This includes but is not limited to the authority to.''

What are some examples of some things of authority that you are 
delegating but is not in this itemized bullet point list?

Secretary Nicholson.  I think that language is somewhat boilerplate-ish 
in that I intend for this to be expansive or, you know, not to be 
inclusive, but to be exclusive, to --  I want the Assistant Secretary 
for IT to feel empowered in a broad way, and not a narrow way.

Mr. Snyder.  Is there any discussion -- I know you have been in the 
crisis mode here for several weeks.  Is there discussion underway, 
currently with regard to this issue that has come up before, about when 
and if both the military and Veterans Affairs Department is going to 
abandon the use of Social Security numbers as an identifier?

Secretary Nicholson.  Yes, we had a lot of discussion about that in this 
crisis that we have been in.  I can't tell you I am too sanguine about 
it, because you know, to be a veteran you have to come through DoD, and 
on every dog tag and --  I have got an ID card in my wallet, that has 
got my Social Security number and on it, military ID card --  

Mr. Snyder.  Yeah, but we are of a different generation, Mr. Secretary 
--  Ms. Herseth and Mr. Michaud --  my service number was not my social 
number --  1969, I finished my --  I enlisted in 1967 I have a service 
number that is --  I still remember, but is not my Social Security 
number, and in 1969 the change was made from the Social Security number, 
and what can be changed one time can be changed back.  But I agree there 
clearly will have to be a coordination, potentially with the military 
about that, and that maybe something that ought to get --  I assume you 
all are having discussions.

Secretary Nicholson.  We are, and certainly we are not rigid on it.  We 
could deal with the different identifier.

Mr. Snyder.  My last question is totally apart from all of this 
discussion here which you have been focused on now for weeks.  I want to 
be sure we are not losing track of anything else.  What is the number 
two thing that keeps you awake these days with regard to what's going on 
with veterans? If you didn't have all this computer business and cyber 
breaches, what is the number two thing on your list that is important to 
you and important to this Committee also?

Secretary Nicholson.  Well, I can only be kept awake once, you know, one 
night at a time, and this has been doing it.  I think it is our --  the 
job that we need to be doing for the returnees from the combat area, 
that we are doing the transition effectively, seamlessly.  You know, we 
have a growing number of trauma patients and --  and our polytrauma 
centers are performing.  That is something that I think about a lot.

Mr. Snyder.  Thank you, sir.  Thank you. Mr. Chairman.

The Chairman.  Thank you.  Chairman Boozman?

Mr. Boozman.  Thank you, Mr. Chairman. I also was pleased, as the 
Chairman and Ranking Member mentioned, that you were saying --  things 
like ``wake-up call,'' and ``lightning rod,'' these are truly the 
kind of rhetoric that I want to hear.  And not just the rhetoric, but it 
looks like you are doing what you need to do to get things in place.  
The VA has done such a good job of switching over, as you mentioned, we 
are the model for trying to get our records this way.

I think we are almost missing the forest for the trees though, in the 
sense that this is a problem in the VA, but it is a huge problem in 
government in general.  And I hope that as you are around those cabinet 
meetings, envisioning with the President, envisioning with your cohorts 
in the other agencies, that there is some coordination, that this is a 
problem that is not going to go away.  That as we do a better job of 
getting our records, and data like this, we are much more in advancement 
of doing that, versus the security.  A few years ago, if you were to 
take that information home, you would need a van to haul the computer 
in.  A few years before that, you would need maybe even semi loads or 
tractor-trailers, to get that information home. As you mentioned in your 
testimony not too long ago, that data, I think, you said five times that 
data now could be just on, basically a card.

So I guess the question I have got, alluded to you laying awake at night 
and you are responsible --  we are ultimately responsible, in this 
sense.  I am laying awake thinking about lots of different things.  Who 
is the guy now, you are responsible.  Who is the guy in the VA that once 
this settles down --  and it will settle down, and, we will get this 
fixed --  what position, who is the guy responsible for moving this 
thing forward?  What position is that?  Who is the person in that role 
now? Who will we look to in the future?

Secretary Nicholson.  It is the Chief Information Officer, and that is 
Major General Bob Howard, who is the Acting Assistant Secretary for 
Information, and in a pending confirmation.  He has had a distinguished 
career in the military, he has had a rich background in IT, was a math 
professor at West Point, and is a highly qualified, highly motivated 
person.  We are very lucky to get him, and we got him out of private 
industry to come in and do this.

Mr. Boozman.  I guess my next question would be --  legislatively, has 
he got all the tools that he needs to do his job?

Secretary Nicholson.  Well, I think collectively we don't.  That is, 
this agency and I would say probably that about other departments of the 
government, serving on the President's task force on identity theft.  I 
think that we need some more legislation.  I mentioned in my testimony, 
I think we need to change the teeth for violations of the privacy act 
and make them comparable to those of HIPAA, because there is a real 
sensitivity about HIPAA.  In fact, when I first came in to this job 16 
months ago we were done having trouble getting medical records from the 
Department of Defense because of HIPAA.  And we needed them to treat the 
people they were protecting.

And they were, you know, they were in good faith on that.  They felt 
that was a problem.  We need, I think, some legislation to enable us to 
get what I call clearances for these people.  More background checks, 
which is also going to cost more money.  I think we could use some new 
law on personnel dispositions, you know, we can debate the disposition 
of this person that we have debated around here, but I think that 
managers of these agencies, like I am, need more prerogative.  We talked 
about changing the veterans' ID system, we just talked about it, I think 
that is something that we ought to look at, and I think that FISMA needs 
some changes to give more enforcement power to the Chief Information 
Officers.  Like ours.

Mr. Boozman.  Very good.  Well again, we are responding to this crisis.  
And hopefully the silver lining is, in all this, that we really can, 
through our Committee, and, whoever else we need to involve, can give 
you the tools to get the job done.

And then again, I really would encourage you to have an individual who 
is responsible in the VA.  We really need an individual that has 
significant authority with the administration, to coordinate this among 
the agencies, because the other side is, we are going to wind up 
spending, hundreds of millions of dollars on this, probably agency-by-
agency versus coordinating --  because we all have the same problem.  
And so I would encourage you, as you have the President's ear, to really 
push him in that direction.  Thank you.

Secretary Nicholson.  Yes sir.

The Chairman.  Ms. Herseth, you are now recognized.

Ms. Herseth.  Thank you, Mr. Chairman.  And I thank Mr. Michaud for 
allowing me to pose some questions in the essence of time for other 
committees that many of us must get to before they wrap up.

Mr. Secretary, I will just associate myself with the comments of many on 
both sides here about appreciating the memorandum, your testimony today. 
Can you tell me about when exactly the police or the FBI recovered the 
laptop?  Was it just yesterday, do you know precisely the date it was 
recovered?

Secretary Nicholson.  It was yesterday.

Ms. Herseth.  And all the data that we were concerned about was on the 
laptop?  It wasn't an external hard drive as well that perhaps wasn't 
recovered?  It was everything that we thought had been compromised we 
now have back on the laptop?

Secretary Nicholson.  Madame Congresswoman, most of the data was on the 
hard drive.  But we have both of them, we have the laptop and the hard 
drive.

Ms. Herseth.  And the hard drive, okay.  And I am going to submit a 
question for the record before I have to leave, to all the Under 
Secretaries that are here, and the Deputies as well, based on some of 
the questions we have posed over the last couple of weeks to other 
witnesses on different panels.

But let me ask you this, Mr. Secretary: a few people have asked about 
the credit monitoring, the fact that we have let veterans know we are 
going to do this one year of free credit monitoring.  And I know that 
some might contend that things have significantly changed in light of 
yesterday's development.  I don't think so.  I would like to think so, 
but when we have incidents in Minneapolis and Indianapolis, when some of 
the questions that have gone to whether or not the employee in question 
here had authorization or not, I have this great fear that there is data 
floating around out there, whether it was authorized to be taken out or 
not.  And in the case of the Minneapolis case it was last year and you 
weren't made aware of it until recently.

And I agree with the Chairman.  I just think you came into a tough spot; 
at times you haven't been served well, and I would contend that we 
should continue and move forward.  Even with the cost of offering one 
year of free credit monitoring, to put people's minds at ease, as you 
make this ID IT realignment.  Would you at least be open today in 
responding that you will fully consider continuing to offer the one year 
of credit monitoring in light of these other instances of potentially 
compromised data, particularly in Minneapolis when it looks like maybe 
two individuals whose paper files were taken out may be defrauded?

Secretary Nicholson.  Well, so noted, Congresswoman. With respect to 
Minneapolis, the 66 people there, they are going to get credit 
monitoring.  The 16,500 in Indianapolis, they will get credit 
monitoring.  As to this big thing, I am going to reserve judgment.

Ms. Herseth.  But let me just rephrase.  You have not made any final 
decisions as of today that you are not going to continue to pursue the 
RFP, and put this out to bid, and offer credit monitoring?

Secretary Nicholson.  No, I have not.

Ms. Herseth.  I would just suggest to my colleagues on the Committee 
that there is some potential risk, some huge risk that continues to be 
out there, and we should also consider whether or not the entire 
universe of veterans' data that is held at the VA, that one year of free 
credit monitoring to all of our veterans might be in order.

But anyway, let me just pose this before having to depart:  I think now 
we have the memo that delegates clear authority to the CIO and now that 
we have contractors that you described, that are going to help move this 
IT realignment forward; the question that I would pose, and would hope 
that each under secretary could submit to the members of the Committee, 
timely, is how do you think things are going to go differently now.  I 
don't want there --  none of us want there to be, as Mr. McFarland 
described yesterday, these disagreements with any of the recommendations 
for how to go forward with IT realignment, or disagreements with the 
memo.  We are here now.  We have the memo.  We have the contractors to 
move forward with the realignment.  So how will each Under Secretary do 
things differently than they did before in ensuring that compliance 
moves forward, that the recommendations are implemented, and that we 
don't have inaction in response to disagreements that continue to exist?

Secretary Nicholson.  I think that is a very good question.  And things 
are already happening, and differently, and I mean, I told you that we 
moved 4,610 IT people out of their, you know, comfort of their present 
work cocoon into a new department.  There is a great amount of 
uncertainty and anxiety that goes with that, and we are trying to leaven 
that with the fact that we think we are going to be better off because 
they are going to become professionals in their own career field which 
we are establishing.

And that has the full credit and support of the three Under Secretaries, 
you know, the three operating arms of the VA: medical, benefits, and 
burials.  They are strongly supportive of that.  They also of course --  
I think they would tell you --  had a lot of these meetings that we have 
had, they have been charged to be very, very vigilant.  We have the 
Chief Information Officer, has now, you know, a great deal of authority 
and responsibility, but they are in the loop as well, when it comes to 
enforcement of transgressions of their people.  And answerable to me on 
that.

But I think the transcendent point is that there is en route a new 
culture.  And there is a big need for that, frankly, and you know, it is 
my job to make sure that that progresses and happens.

Ms. Herseth.  Thank you, Mr. Secretary.  Thank you, Mr. Chairman.

The Chairman.  Ms. Herseth, in regard to your questions to the Chair, 
Mr. Secretary, it is worthy of your consideration for an IDIQ contract, 
whereby you can award a contract based on quantity and usage. Therefore, 
you should consider placing this in your budget, while you are getting 
hold of this one, knowing that we already have some present data losses, 
whereby a contract can be ordered.  You might be able to access this, 
because I think we are going to have some other breaches, until we can 
come into full compliance.

And probably that would be my recommendation, rather than just awarding 
it to everyone.  But you are going to have to come up with a budget 
number and request for proposals, most importantly to put the veterans 
in good stead.

Mr. Bradley, I thank the gentleman, and I yield.

Mr. Bradley.  Thanks very much, Mr. Chairman, and thank you, gentlemen, 
and certainly Mr. Secretary, Deputy Secretary Mansfield, for the 
forthright way that you have answered the questions today, and the 
leadership that you have shown to try to deal with what has had to have 
been an extremely difficult situation for all of you personally, and 
certainly for the 26.5 million veterans.

I apologize if this question has been answered.  Like Dr. Snyder, I was 
at an armed services hearing on the Sarin containers that were found 
recently in Iraq and trying to be in two places at once.

Did you describe how the computer was actually found, how the FBI --  I 
assume you said was the FBI found it?

Secretary Nicholson.  Congressman Bradley, I cannot detail, because one, 
I don't know.  And two, the FBI, when I talked to them last, which was 
--  well, I talked to the Deputy Attorney General before the starting of 
this hearing this morning, and there have been a few developments since 
then, like an e-mail from an FBI spokesman, you know.  I don't know if 
you were here or not, but it said that it appears that this data has not 
been exploited in any way.  We sure hope that is true.

What I have been told is that there have been no arrests made, that this 
data was provided to law enforcement and that the reward is operative.

Mr. Bradley.  And at least at this point in time, and my last question 
is, you are reasonably certain, based on what the FBI has told you, that 
the hard drive was not breached in a way that would have revealed the 
data?

And how long do you think it will be until you are more certain, and 
reasonably certain?  Or is there no way to even know that at this point?

Secretary Nicholson.  Whether or not you can know this with 100 percent 
certainty, I don't know.  I will tell you what I do know.  And I was 
told by the Deputy Attorney General with whom I spoke just before coming 
here, and I asked him the same questions that you are asking me about 
the timing on the analysis by the forensic experts.  He said that it 
will be soon.  He also said there was a reason to be optimistic.

So I asked him to follow up and I got no further details, but he did 
say, on the timing, he did say it would be expressible in days, not 
weeks.  Since we have come here we have gotten this e-mail from this FBI 
spokesman.  So, you know, that leads me to believe that they have gotten 
pretty conclusive about how they feel about.

Mr. Bradley.  And my last question, when you have determined as 
conclusively as you are able to conclude okay whether the data has been 
breached, and the 26 million veterans either have to continue to worry 
or not worry, are you going to do another letter and inform them of the 
status of, you know, the information?

Secretary Nicholson.  That's a good question, and I honestly haven't had 
time to think about it.  We have been thinking about the credit 
monitoring question, but the letter is provoking.  I will think about 
it.  Thank you.

Mr. Bradley.  Very good.  Thank you.

The Chairman.  Thank you.  Mr. Michaud?

Mr. Michaud.  Thank you very much, Mr. Chairman, for having this 
hearing, and your continued interest in looking at this issue.

And I want to thank you, Mr. Secretary, in coming before this Committee.  
I also appreciate the focus you are now giving this issue and your 
willingness to keep the Committee up to date on the progress that is 
being made.  A couple of questions, and you mentioned something here 
earlier today in previous meetings that relate to what Mr. Filner had 
brought up earlier that you are disappointed that you did not fire the 
employee immediately, that you needed more prerogative.

But looking at the documentation Mr. Filner had presented, it is clear 
the employee, had home use, he had a license for the program, he had 
authorization to remove the computer and accessories.  It looks like the 
employee was doing his work.  I guess the concern that I have is that in 
your statement a little earlier, that you need more prerogative, is that 
an individual who was authorized to work at home is being used as a 
sacrificial lamb to cover the gross data security problem at VA.

You know, civil service laws exist, Mr. Secretary, for a reason.  They 
exist to protect career civil servants from being political scapegoats.  
I view this as a leadership failure.  The data breach is the fault of VA 
leadership, for failing to implement the necessary data security 
measures that time after time after time have been recommended by the 
Committee, by the IG, and by the GAO.  It is the leadership where the 
failure is at.  And I do not think you need any more prerogative to do 
what you have to with that leadership.

As far as using this one employee as a scapegoat or firing, I think that 
is more bad judgment after bad judgment.  My concern is, what is going 
to happen here on out for other employees who are authorized to bring 
work home and are broken into and equipment is stolen? It is going to 
lead to them not actually reporting it.  So I do think you have the 
prerogative, because I believe a lot of this failure is at the top 
level.

My question is -- a couple of questions.  Dealing with the $131.5 
million that is going to be used for the credit monitoring, and it looks 
like that might not be used, but if you still have to use it, 
whereabouts is that going to come from within the VA budget?  What 
programs will have to sacrifice because of the moving of the funds?

Secretary Nicholson.  Twenty nine point five million of that will be a 
program that come from the VA, Congressman Michaud.  And that will come, 
if it comes, from unexpended funds in the VBA, Veteran Benefits 
Administration.  They are ramping up, but they are --  had some savings 
in there.  Many of the hires that they have made have been more junior 
pay grade than anticipated, so there has been a savings there. Plus, 
there is some lag in the training cycles, put these people in, that has 
saved some payroll expenses.  And the combination allows us to make that 
transfer out of there without any diminution of services, or diminution 
of hiring in the VBA.

Mr. Michaud.  When the budget is put together, are you fully funded for 
all the positions you are authorized to have, even if they are vacant?

Secretary Nicholson.  Are we fully-funded for all VISNs?

Mr. Michaud.  The headcount that the VA has, are those, when you submit 
your budget, when you get your budget, are those position counts fully 
funded?  Even if they are vacant?

Secretary Nicholson.  In the VA?

Mr. Michaud.  Anywhere within the VA system.  If you have headcount --  

Secretary Nicholson.  If I understand your question right, I think the 
answer is yes, referring to our VERA allocations to the VISNs; yes, we 
look at the positions in those VISNs and allocate that money thusly, 
which is based on the veteran population count, you know.  So yes, the 
answer is yes.

Mr. Michaud.  I only received the memo today, that was handed out 
earlier this morning.  Not having a chance to compare this with what 
former Secretary Principi had done, I thought, if I remember correctly, 
what the former secretary did was similar to this.  How does what you 
are doing today differ from what former Secretary Principi tried to do?

And the second part of the question is, in this memorandum have you 
given all the authority that you are legally able to give over to the 
information officer?

Secretary Nicholson.  Yes, I have, in answer to the last part of your 
question first.  Secretary Principi issued two memoranda in this regard, 
that were pretty much disregarded.  There was also a disagreement 
between the Secretary and Secretary's office and the General Counsel's 
office about the delegation, and whether the delegation was operative, 
and effective, and permissible.  That is not the case.  This is --  
gone over this very carefully.  The General Counsel is in concurrence 
with this.  This is a stronger, clearer delegation of both 
responsibility and authority. And there is a great amount of command 
emphasis on this.

Mr. Michaud.  Okay, I don't know if this is a question for you, Mr. 
Secretary, or Mr. Howard, but as Acting Assistant Secretary of 
Information Technology, does the Secretary's letter, Mr. Howard, from 
yesterday, delegate authority for --  to you, that applies to you fully, 
or are there legal limitations, because you have not been confirmed by 
the Senate?

Secretary Nicholson.  I will go, then I will ask Bob Howard if he would 
like to comment.  I need to point out that on the enforcement part, with 
regard to people who are not in his command, that belongs to the Under 
Secretary.  So they, that has to be a communication between the CIO and 
them.  And I am looking to them, then, to do the enforcement.  So that 
is a power he doesn't have from this.

With that, I would ask him, do you have anything to add, Bob?

General Howard.  Sir, I have the letter from the Secretary designating 
me Supervisor of the Office of Information and Technology, and to do 
what I need to do, and that is what I intend to do.

Mr. Michaud.  Even though you haven't been confirmed by the Senate 
as an Acting Assistant Secretary?

General Howard.  The letter gives me all the authority I may need.

Mr. Michaud.  Thank you.  My last question, Mr. Secretary, deals with an 
issue that actually came up at one of the other hearings we had earlier 
from a former employee of the VA when you look at the failing grades, so 
to speak, of the agency.  When you deal with security and data issues, 
that former employee thought that VA failed I think 16, or can't 
remember how many areas, and that there should be no bonuses given out 
to the folks who are within the agency. You have the authority to give 
bonuses.  I don't know if you heard the testimony on this issue, but, 
what are your comments on that?

Secretary Nicholson.  I didn't hear that testimony but I guess whoever 
you are talking about, I agree with and I testified to that in my 
opening statement.  I think that is another way to put some teeth into 
this, into this cultural change that we need to make, as it will pinch 
them in the pocketbook as well.

Mr. Michaud.  So is it your intention that any time, if the Inspector 
General comes up with a report, and you have failed, that you will not 
be giving any bonuses?

Secretary Nicholson.  It is my intention to look at each of those cases 
with that in mind, yes, sir.

Mr. Michaud.  So they could fail, but you still might give bonuses.

Secretary Nicholson.  Well, it is hard to imagine doing that if they 
failed, because I believe, you know, in performance pay and in 
performance reviews.  And bonuses are also an incentive --  well, not 
also, they are an incentive. But in this case, they are going to become 
sort of a negative thing if people are not performing, and giving this 
the attention that it needs.

Mr. Michaud.  Thank you very much.  I yield back, Mr. Chairman.

The Chairman.  Thank you very much.  Ms. Berkley, you are recognized.

Ms. Berkley.  Thank you, Mr. Chairman, and I will be brief. I had a 
series of questions, but I would like the opportunity to review the 
testimony, because I wasn't here during a lot of the questioning, and 
with a little effort on my part, some of these questions may have 
already been answered.  And whatever is left, I would like to submit, if 
that is all right.

The Chairman.  Ms. Berkley, you may submit questions for the record.  We 
will be responsive.

Ms. Berkley.  Thank you.  And if I can just make a quick statement, I 
first welcome all of you.  We are not strangers to each other and we 
have worked very well together on behalf of the veterans in my community 
for quite a while now.  I think we have been very fortunate and 
hopefully we have averted a crisis here.  And I am hoping that it will 
serve as a wake-up call, not only for the VA department and for all of 
us, but for the other agencies and departments within our government, 
that they need to start looking at these systems and ensure that the 
privacy not only of our veterans but of all Americans are protected.

And I think this is an important first step for us.  I have been very 
critical of you, Mr. Secretary, and I think you know that.  When you 
were here earlier in the year to present the budget, I didn't think that 
after a year of being in your position that you were as engaged as I 
would have liked to have seen you and as knowledgeable about what was 
happening in your department as I think you needed to be, and I believe 
I said that at that time.

I also think it is important to compliment as well. The difference 
between now and a few months ago is quite dramatic and I am very happy 
to see it.  I think as I mentioned, this is a wake-up call for all of 
us, but the burden of your position has fallen on you and I think you 
have picked up the gauntlet, and understand the importance of what we 
are doing here collectively.

Secretary Nicholson.  Thank you.

Ms. Berkley.  I also want to thank you for that and I suspect --  I know 
that between Mr. Filner and Mr. Buyer, we will be watching, and 
hopefully, this will not be the VA will not be an embarrassment for any 
of us; quite the contrary, it is going to be a shining example of what 
we can do well in government to protect the people that look to the 
United States Congress and the United States government to have their 
needs met.

So I am looking forward to working with you on this. And I will submit 
whatever questions you haven't answered after I have had an opportunity 
to review your remarks to other questions.  So thank you very much.

Thank you, Mr. Chairman.

The Chairman.  Thank you very much.  I would like to ask an open 
question to all of the witnesses.  Does anyone here have knowledge of 
any other data breaches within the VA other than what has been presented 
in Maryland, Minneapolis, and Indianapolis?

Mr. Mansfield.  Yes, sir, I do.

The Chairman.  Yes, Secretary Mansfield?

Mr. Mansfield.  Mr. Chairman, yes, I do.

The Chairman.  All right, where?

Mr. Mansfield.  There is a newly instituted weekly report that comes 
forward that identifies the incidents across the system.  Some of it is 
historical and includes the two that you have just mentioned.  It just 
got started this week --  sorry, it started three weeks ago.  It goes 
down in the Office of Cyber Information Security.  The operations group, 
they are the ones that with the new collection of all the ISOs that do a 
national group, or a centralized group under the office of IT, that are 
now reporting through the national system.

So that report just started, and one of the things we have obviously 
learned this morning is that there isn't a part of it that requires 
notifications as you mentioned. That's part of what we had to work on as 
we bring folks in to help us redesign the system on a national basis.

The Chairman.  All right, and where is the additional data breach?

Mr. Mansfield.  Sir, we have a whole list.  Most of them are small, some 
of them are pending information, and the most recent --  

The Chairman.  While the Deputy Secretary is reviewing the list, Mr. 
Secretary, have you been informed of this list?

Secretary Nicholson.  I know that we are making this list, we are 
keeping this list, we just started this.  And I have been presented with 
this list, I don't know that I have this copy that Gordon is reading 
from.

The Chairman.  All right, let me ask this, before we go too much 
further.  This list would contain how many incidents approximately?  Is 
this pages?

Mr. Mansfield.  Sir, I would have to -- one, two, three, four, five, 
six, seven, eight, nine, 10.  And I could make the point that these 
cover the waterfront.  For example, this one talks about potential 
unauthorized access to information, and it goes down and talks about 
this case can be closed out as the contractors were authorized access to 
sensitive information, so --  

The Chairman.  All right.  I think what we are doing here is helpful, 
because what you are seeking, Mr. Secretary, is a process of open 
disclosure.  Because what you have got is a team, and you have to build 
that esprit de corps.  And if somebody makes an error, you need to know 
about the error because we need to make sure we take care of veterans 
and then that it is corrected.

So my purpose here is not to go through all these.  I want to know what 
our vulnerabilities are, what is out there.  I would like to speak with 
you offline about many of these because some of them you may not want to 
discuss.  I don't know where they are in the process.  I yield to you, 
Mr. Secretary.

Secretary Nicholson.  I think that, Mr. Chairman, if you like it would 
seem to me we could provide this report to you and the Ranking Member if 
you want it, if you want to see that on a weekly basis.  I mean, you 
know, we are trying to be really sensitive.  Here is one where, you 
know, an employee may have taken sensitive information home on a 
spreadsheet contains some information about medications. You know, we 
are trying to err on the --  

The Chairman.  You know what, I can even see a lot of this happening.  
So in your opening testimony, you say to us that you are going to check 
all laptops, that you are going to make sure that they are all secure.  
Have you granted any waivers to that policy?

Mr. Mansfield.  Doctors.

The Chairman.  Doctors?

Secretary Nicholson.  No, we have not granted any waivers to checking, 
but doctors who deal with patients from home will have to be able to 
continue to do that.  We do know that.  But that doesn't exempt them 
from a data call.

The Chairman.  All right, going back to this issue on the budget for the 
moment.  It appears that until you are able to perfect your federated 
model, as you move to centralize your IT management systems, we are 
going to continue to have vulnerabilities.  As the culture begins to 
change, it is highly possible that we will have some future data 
breaches. There is a human element.  

So Mr. Secretary, I would ask of you to work with OMB. You work with OMB 
with regard to your potential budget supplemental, the $160.5 million.  
It appears that that number will now change.  But it appears that some 
monies will need to be accessed.

My hope is that in your communication with OMB, I don't want OMB to say 
to you, Mr. Secretary, "You are to take this out of hide," and "out 
of hide" would be, you know, FTE for personnel with regard to 
claims processing, and the other painful decisions or judgments that you 
have to make. So I would hope that you would communicate with OMB and 
the director that with regard to these monies that were offered up, when 
they said to you "that last $29 million had to come from you," that 
was the last part, and we ought to be able to access the monies with 
regard to this account for you to do one of these IDIQ contracts, and 
we could access as we proceed.  Would you concur that that would be a 
good initiative?

Secretary Nicholson.  Well, I absolutely concur, and, you know, of 
course had those conversations with OMB on that subject.  Yes, sir.

The Chairman.  All right, very good.  With regard to lines of authority, 
General Howard is going to directly report to whom?

Secretary Nicholson.  Direct report to me.

The Chairman.  To you?

Secretary Nicholson.  Yes.

The Chairman.  Does he have dotted line to the deputy, or just a 
straight shot to you?

Secretary Nicholson.  A straight shot to me, with a dotted line to the 
Deputy.

The Chairman.  Okay, now as we proceed on the implementation of your 
federated model, our milestones or benchmarks, performance measures, 
have these been, are they in place, with regard to your Under 
Secretaries, so that they can provide the leadership that down the 
chain, that your initiatives are being implemented and executed?

Secretary Nicholson.  The answer is generally yes, in that we have, you 
know, a very good consultant in place helping us with that, and we have, 
as I said now two or three times this morning, we have already detailed 
those people out of their old existing organizations into this detailed 
status of the new IT organization.  And then come October 1st, the 
beginning of the fiscal year, they will be formalized in that.  That of 
course is a major benchmark. And we have several others in this perk 
chart that we are following to do this with.

The Chairman.  All right, we will follow that with you.

Secretary Nicholson.  I am sure you will.

The Chairman.  Let me turn to your Under Secretaries if I may.  Dr. 
Perlin, with regard to our patient medical records, what assurances can 
you give veterans today that as we perfect the federated model, that 
these records are secure?

Dr. Perlin.  Mr. Chairman, the electronic health record is a great 
advance in security over paper.  Unlike paper, there is an audit trail.  
But with the advances in the department, with the leadership that will 
occur in cyber security with the end-to-end encryption as was discussed 
here in previous hearings, the security that already exists will be 
enhanced.

Unlike the tragic event that recently occurred, the electronic health 
records are not transportable in bulk. And so that is in itself one very 
important assurance.  And when they are looked at or accessed, there is 
an audit trail of who was there, and with that we can know why.

The Chairman.  All right.  Before I yield to Mr. Filner, we had 
painfully learned here over the past few weeks how Mr. McClain's memo 
was interpreted.  So we are very clear that with regard to authorities 
of enforcement of the Secretary's policies, that it rests with the under 
secretaries, that the so-called "F" belongs to you.

So what that means is, as I turn to the Secretary and say "you are 
not being served well," I return to the under secretaries and say it 
is also your moment of leadership. So please advise the Committee right 
now, and we have the three of you testify, as to what are you doing to 
ensure veterans' records are secure?

Secretary Tuerk?

Mr. Tuerk.  Well, thank you for that opportunity, Mr. Chairman.  As you 
will see in my prepared testimony, we have taken a number of actions, we 
are in the midst of executing a number of actions, and we have a number 
of actions planned for the future, essentially all leading toward the 
same goal.

These actions emphasize my commitment to assuring that veterans' privacy 
is respected and protected.  They reinforce the necessity for all of our 
employees to understand their obligations in detail with respect to 
these issues, and they proceed towards implementing, within our internal 
organizational assessment process, a more penetrating review and 
self-assessment of compliance with those requirements so that we can assure 
accountability of the people within the National Cemetery 
Administration.  Everything I have done with respect to this issue has 
been aimed towards those ends.

The Chairman.  Dr. Perlin?

Dr. Perlin.  Mr. Chairman, thank you as well for the opportunity to 
comment on this.  And I want to say first and foremost that I fully 
support the Secretary's plan --  a real opportunity to work on 
developing what we hope will indeed be the gold standard for information 
and privacy, not only in government but certainly also in health care. 
This week is an important week; as the Secretary mentioned at the 
beginning of the testimony, this is Security Awareness Week, and we are 
pleased that VHA took the lead in authoring the activities in support of 
the Secretary's plan for the different events during Security Awareness 
Week.

Because however hard we make the hardware, and however tight we make the 
software, it ultimately comes down to the warm-ware, the people, and 
that is why we believe that today, through this week, that security 
awareness has to be the first part, to make people understand the need 
to operate with the information necessary to do, but transport or 
access the minimum information necessary to do their jobs.  So at this 
very moment, I am literally on a broadcast throughout the system, 
instructing the VHA employees on the importance of operating with 
vigilance and diligence, and the protection of secured information.

We support Bob Howard and the activities that he will bring forward in 
terms of hardening, the biometrics that limit the access, and prevent, 
and preclude inappropriate access.  Because while this occurred in an 
area totally, totally unrelated to health records, we embrace that this 
is a wake-up call and an opportunity.  We support anything that comes 
forward in the Department in terms of encryption.  We believe that can 
enhance our ability to safely serve veterans.  We are inventorying all 
of the data sets and inventorying all of the assets throughout the 
system again to ensure that where it exists, there is a need to know; 
that people understand that that is a privilege in the process of 
serving veterans.  Thank you.

The Chairman.  Mr. Aument?

Mr. Aument.  Yes, Mr. Chairman.  At VBA, we have undertaken a complete 
review of all of our policies and procedures governing access to 
information and access to VBA systems in particular.  We have rules of 
behavior that anyone who wishes to gain access to a VBA business system, 
whether that be a VBA employee or others who may be authorized access to 
VBA systems, such as veterans' services organization representatives, we 
require that they first of all undergo the cyber security training that 
all employees must undergo, and that they read and understand and sign 
our rules of behavior.

We have acquired encryption software that we are going to be applying to 
all laptop computers in the Veterans Benefits Administration.  We have 
had all of those laptop computers returned to the home office by their 
employees. Once general counsel has given us a green light to proceed to 
install that software, we will proceed to ensure that all laptops are 
encrypted.  We have taken steps to make sure that all of our employees 
within the organization have completed both the cyber security and 
privacy training, that are to be completed by tomorrow.

We believe that we have taken very strong steps.  We have also reviewed 
the agreements that we have in place to provide outside entities 
information from VBA systems.  That includes entities both within the 
department and external to the Department of Veterans Affairs.  And we 
are making sure that those are current, they are still needed, and that 
they bring with them all of the access controls that are appropriate for 
the data that is being provided.

The Chairman.  Thank you.  Mr. Filner?

Mr. Filner.  Thank you, Mr. Chairman. Let's wrap up this long hearing 
for all of you. Mr. Buyer asked the folks in the front row.  Let me just 
get the folks right behind you, if you would give the microphone to Mr. 
Whitney.  Your position, Mr. Whitney?

Mr. Whitney.  I am the office system administrator, privacy officer, and 
security officer.

Mr. Filner.  And you help people with routine IT problems, I take it?

Mr. Whitney.  Day-to-day, yes.

Mr. Filner.  And would you help people load up their computers for their 
software, their accessories, say, if they worked at home?

Mr. Whitney.  No, I do not load up home computers.  I would provide the 
appropriate software once they have been approved for home --  

Mr. Filner.  Well, I am not talking about a home computer.  Say you have 
an office laptop that would be taken home to do work at home.

Mr. Whitney.  Yes, if it was designated for that, that would be me.

Mr. Filner.  And people do do that, right? They take work home?  They 
are authorized to do that?

Mr. Whitney.  Yes.

Mr. Filner.  And so you would help load up the software if they required 
it.

Mr. Whitney.  If it was necessary, yes.

Mr. Filner.  Okay.  I just wanted to see how that was working.

And Mr. Duffy, your position right now?

Mr. Duffy.  I am presently the principal Deputy Assistant Secretary for 
Policy and Planning.

Mr. Filner.  And as of tomorrow?

Mr. Duffy.  As of tomorrow, I will officially retire from the Department 
of Veterans Affairs.

Mr. Filner.  How long have you been with the department?

Mr. Duffy.  Been with the department 34 and a half years.

Mr. Filner.  That's a long time.  Thank you for all that work.

Mr. Duffy.  Thank you.

Mr. Filner.  When someone has software, a software license that 
authorizes home use of the software, that is intended for office work, 
right?  That is the purpose?

Mr. Duffy.  That is correct.

Mr. Filner.  And so, this employee who had that authorization, what 
exactly was he doing?   

Mr. Duffy.  The individual was a senior data analyst, a statistician.  
He worked on a variety of different analytical projects, including 
things like the development of the next national survey of veterans.

Mr. Filner.  And that is what he was working on when this --  

Mr. Duffy.  That is my understanding.  That was one of the issues that 
he was working on at the time of this particular tragedy.

Mr. Filner.  Mr. Duffy, we wish you well in your retirement.

Mr. Bowman.  Thank you.

Mr. Filner.  Mr. Bowman, you are the Chief of Staff, give me an English 
definition of that?

Mr. Bowman.  Well, sir, as the chief of staff -- 

Mr. Filner.  For the Secretary?

Mr. Bowman.  for the Secretary, yes, sir.

Mr. Filner.  And how did you come to know about this tragic situation?

Mr. Bowman.  I was made aware of it initially in a conversation with Mr. 
Duffy on the 9th of May.

Mr. Filner.  Did you think there was a sense of urgency?

Mr. Bowman.  I felt that there was a sense of serious concern, based 
upon how it was described to me as the potential for the loss.  But 
there was still some doubt as to exactly what was the magnitude of the 
loss.

Mr. Filner.  And how far do you actually work from the Secretary?

Mr. Bowman.  Sir?

Mr. Filner.  How far is your office from the Secretary's office?

Mr. Bowman.  Maybe 75 feet.

Mr. Filner.  And I assume you talked to him many times during the week, 
after you knew about this?

Mr. Bowman.  Well, sir, there were two days -- I have open access to the 
Secretary.

Mr. Filner.  I still can't figure out, as a chief of staff, why you 
didn't tell him about it earlier than you did.

Mr. Bowman.  I can tell you right up front that me not telling him I 
regret at this point.  But when I became aware of it on the ninth, I 
felt it important to gain a little more information, and I asked Mr. 
Duffy to provide me that information in a memo.  The concern being, with 
a greater awareness of what might be the magnitude of the loss and the 
kind of information that may be missing, it would help define what might 
be the approach the department may take in addressing it.

Mr. Filner.  Has the Secretary expressed regret that you didn't tell 
him?  I mean --  what is going to happen differently in that 
relationship and knowledge that comes to you, based on this?

Mr. Bowman.  Well, one thing that has happened differently is that as I 
become aware of anything that would be important to the Secretary, I 
report it and obviously I have to apply some sense of judgment to that, 
I exercise very open access with the Secretary and with the deputy.

Mr. Filner.  Thank you.  I appreciate that.  You know, we have the 
luxury of asking you in hindsight, and I realize that.  But it looks to 
me, there were serious lapses of judgment, and not sufficient 
appreciation of the effect on the veterans and the fear that was 
propagated to everybody.

I think all you at the top failed us -- not failed us, failed the 
veterans.  Again, I mentioned at other hearings, I had a recent 
election, so I was talking to a lot of people in the last month, after 
the theft was known.  There was incredible fear, and a sense that 
veterans didn't know how to handle this, and they weren't getting the 
help, or assurance that they were going to be helped, and I think you 
all have to examine that whole process.  I mean, you got to have --  
some of you military guys, in your debriefing, or after action reports, 
you got to go over this and see what happened.

I am not going to just say everybody ought to be fired --  I have said 
some things like that in the past --  I think all of you want to serve 
the veterans.  But this is a serious lapse and you have to figure out 
why it happened and make sure it does not happen again.  You all have to 
work on that, and let us know how that is solved, because the folks 
outside are really, really afraid. 

Lastly, Mr. Secretary, I think you are appropriately still leaving open 
the need for credit monitoring.  You have put a lot of emphasis on 
credit reporting as your proactive thing.  The testimony that we have 
had from these experts --  and it sounds like you have had similar 
conversations, because of some of your answers --  it may be more 
important --  one, I would have, if this thing was still an open 
question today, I would emphasize insurance, some sort of insurance 
policy for loss, because it is cheaper and it is much more assuring.  
Any credit changes, if this was a professional job, would not be 
apparent for a year or so.  So it may not do any good to monitor.

And the RFP that you are still working on, getting a sense of was there 
any identity theft based on analyses of different databases, is far more 
important and a lot cheaper.  At least one company that testified said 
they would do it free for the first year.  So I think this is a matter 
of judgment still.  And I don't think that you have to assume that just 
credit --  everybody is saying "credit monitoring."   That doesn't 
sound to me like the answer that you need, especially at this point.  
The "screen," as you called it, between a certain set of data and 
what could have happened to it is far more important, because it will 
show up on credit later.  

I still don't understand why we have a lot of experts here that never 
even talked to you.  I think you should have called them first.  I still 
can't figure out why Mr. McClain doesn't talk to other general counsels 
about interpretation of FISMA.  As several people said on both sides of 
the aisle, the coordination here with other departments is absolutely 
vital.  And if Mr. McClain was the only one who said that you had to 
interpret FISMA this way, versus 10 others, that should have led to some 
questioning in the department, why is he the only one saying this?

These are just some thoughts I have from someone who has been critical.  
I am trying to say, take this seriously and show us that there have been 
some results and some self-critical judgment.  Thank you, Mr. Secretary 
for sitting through all this.  If you have any final thoughts, please --  

Secretary Nicholson.  The only one right now I would say, Mr. Filner is, 
I agree with you, I think we should pursue the, you know, the data 
screen on this population, just as a belt and suspender, you know, at 
least, and it is not very expensive.  And the question of then credit 
monitoring in my mind right now is still open.

The Chairman.  I thank the gentleman.  Mr. Aument, before I conclude, I 
need to go back because I have been pondering one of your responses and 
this deals with the issue about the laptops and making sure all the 
laptops are secure.  So, you went out into the field and asked for 
everybody to bring their laptops in and "let us check them and make 
sure they are properly encrypted," or have the right software on them?

Mr. Aument.  That is correct, Mr. Chairman.  We have had all the 
employees, those who by nature of their positions have to be working 
away from the office (visiting schools, appraisers, fiduciaries), bring 
their laptops back to their home regional office.

The Chairman.  What was it that you needed, that you have to get 
permission from general counsel to do what?

Mr. Aument.  This is the lawsuit that has been filed, that was requiring 
us to leave the machines intact while the litigation was proceeding.  So 
I believe General Counsel can answer that much better, but we were asked 
not to make any changes fundamentally to those machines until that issue 
had been resolved.

The Chairman.  Well, this is a rather bizarre situation.  If we have 
veterans' groups filing a lawsuit, for them to think they are going to 
act on the interest of veterans, and the lawsuit now is to the detriment 
of veterans.  I am disappointed, and I am also most hopeful that these 
organizations would dismiss that class-action lawsuit.  This is not 
necessary, and I am most hopeful that these organizations will direct 
their lawyers to take appropriate action to do so.  It is hard for us to 
work through this, work with you, Mr. Secretary, perfect change and take 
care of veterans, if we can't do so because of a class-action lawsuit.  
Is this also occurring with you, Secretary Tuerk, and Secretary Perlin?  
Does the same apply to you with your laptops?

Dr. Perlin.  Yes, Mr. Chairman.  We understand that from General 
Counsel, that there is effectively an injunction precluding the sort of 
actions that we would all want to take.  I would turn to our General 
Counsel for additional elaboration.

The Chairman.  What has the court directed you to do or not do, Mr. 
McClain?

Mr. McClain.  Mr. Chairman, really, there are two separate issues.  We 
have three class-action lawsuits that have been filed.  There was a TRO 
that was issued last Friday in the Eastern District of Kentucky, and 
will be heard tomorrow at 2:00 o'clock in the afternoon.  And the issue 
there was communicating with potential members of the class, and credit 
monitoring.

In one of the other cases, there was a very strong letter from the 
plaintiff's counsel saying that he had heard about the Secretary's plan 
for the security awareness week, which included one of the items being 
the security of the laptops, to ensure that things that were supposed to 
be on them were, and things that were not supposed to be on them were 
taken off. They sent a letter saying, "we believe that this would be 
destroying evidence, or tampering with potential evidence in the 
lawsuit," and therefore our attorneys at DOJ recommended that until we 
can get the court to rule, we not do anything with the laptops.  So it 
is a delay in doing this with the laptops; it is not a moratorium.

The Chairman.  So now we have a Secretary and under secretaries seeking 
compliance, and they can't do so to secure their systems because of 
class-action lawsuits.  Is that what you are telling me?

Mr. McClain.  Yes, sir.

The Chairman.  That is a sad state of affairs.  Now we have got the 
plaintiff's bar involved.  Well, wow.  Mr. McClain, the Department of 
Justice is litigating your defense?

Mr. McClain.  Yes, in all three cases.

The Chairman.  Have they filed for summary judgment in all three cases?

Mr. McClain.  That is under consideration right now, sir.  We have made 
no appearance yet in these cases.

The Chairman.  Given that there is no evidence of damage --  you have 
got a class that has been certified, but yet no evidence of damage, this 
ought to be an immediate summary judgment.  I yield to you, but I think 
we are certainly --  

Mr. McClain.  We are certainly considering it, sir.

The Chairman.  Yes.  Well, I would encourage that, Mr. Secretary.  We 
need to get on, make sure this is secure. This is unprecedented in the 
history of the VA, and you know that, Mr. Secretary.

And I laud your leadership.  You have had to take control of this, and 
you have done that.  When I said it was a moment of your leadership, you 
have stepped forward.  And you are off the heels and on the toes.  And I 
think you are sending the right message, not only to the deputy 
secretary. He gets it, and so do your under secretaries, by their 
testimony here today.

And Mr. Howard, I do not understand, perhaps, why your cyber security 
man was not in the room in the drafting of the directive.  Perhaps that 
was your choice, but with this memorandum you have been empowered.  It 
appears that you are about to be embraced to perfect these changes.

Taking advantage of the widely felt impetus for change, as you spoke, 
Mr. Secretary, I am most hopeful this will yield the vast and crucial 
improvements necessary in your department, and we will continue our 
oversight.  And I want to thank you, and we will work with you with 
regard to these budgetary matters.

This hearing is now concluded.

[Whereupon, at 2:11 p.m., the Committee was adjourned.]


                                 APPENDIX

