<DOC>
[109 Senate Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:29717.wais]

S. Hrg. 109-653

VETERANS AFFAIRS DATA PRIVACY BREACH: TWENTY-SIX MILLION PEOPLE DESERVE ASSURANCE OF FUTURE SECURITY

=======================================================================

HEARING
BEFORE THE
COMMITTEE ON VETERANS' AFFAIRS
UNITED STATES SENATE
ONE HUNDRED NINTH CONGRESS
SECOND SESSION

__________

JULY 20, 2006

__________

Printed for the use of the Committee on Veterans' Affairs

Available via the World Wide Web: http://www.access.gpo.gov/congress/senate

______

U.S. GOVERNMENT PRINTING OFFICE
29-717                                  WASHINGTON : 2006

_____________________________________________________________________________

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov
Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON VETERANS' AFFAIRS

Larry E. Craig, Idaho, Chairman

Majority:
Arlen Specter, Pennsylvania
Kay Bailey Hutchison, Texas
Lindsey O. Graham, South Carolina
Richard Burr, North Carolina
John Ensign, Nevada
John Thune, South Dakota
Johnny Isakson, Georgia

Minority:
Daniel K. Akaka, Hawaii, Ranking Member
John D. Rockefeller IV, West Virginia
James M. Jeffords, (I) Vermont
Patty Murray, Washington
Barack Obama, Illinois
Ken Salazar, Colorado

Lupe Wissel, Majority Staff Director
Bill Brew, Minority Staff Director

C O N T E N T S
----------
July 20, 2006

SENATORS                                                              Page
Craig, Hon. Larry E., Chairman, U.S. Senator from Idaho..................  1
    Letter dated July 18, 2006 from James H. Burrus, Federal Bureau of
      Investigation, regarding the recovered stolen records..............  3
Akaka, Hon. Daniel K., Ranking Member, U.S. Senator from Hawaii..........  4
Murray, Hon. Patty, U.S. Senator from Washington.........................  5
Salazar, Hon. Ken, U.S. Senator from Colorado............................  6
Burr, Hon. Richard, U.S. Senator from North Carolina..................... 25
Thune, Hon. John, U.S. Senator from South Dakota......................... 28

WITNESSES
Nicholson, Hon. R. James, Secretary, Department of Veterans Affairs;
  accompanied by Robert Howard, Senior Advisor to the Deputy Secretary;
  Tim McClain, General Counsel; and Robert Henke, Assistant Secretary
  for Management, Department of Veterans Affairs.........................  7
    Prepared statement................................................... 10
    Response to written questions submitted by Hon. Daniel K. Akaka...... 11
Opfer, Hon. George J., Inspector General, Department of Veterans Affairs;
  accompanied by Jon A. Wooditch, Deputy Inspector General; and Maureen
  Regan, Counselor to the Inspector General, Department of Veterans
  Affairs................................................................ 12
    Prepared statement................................................... 14
    Response to written questions submitted by Hon. Daniel K. Akaka...... 19

APPENDIX
Newsweek article, ``The Best Medical Care in the U.S.''.................. 38

VETERANS AFFAIRS DATA PRIVACY BREACH: TWENTY-SIX MILLION PEOPLE DESERVE ASSURANCE OF FUTURE SECURITY

----------

THURSDAY, JULY 20, 2006

U.S. Senate,
Committee on Veterans' Affairs,
Washington, DC.

The Committee met, pursuant to notice, at 10:04 a.m., in room SD-418, Russell Senate Office Building, Hon. Larry E. Craig, Chairman of the Committee, presiding.

Present: Senators Craig, Burr, Thune, Akaka, Murray, and Salazar.

OPENING STATEMENT OF HON. LARRY E. CRAIG, CHAIRMAN, U.S. SENATOR FROM IDAHO

Chairman Craig. Good morning, everyone. The Senate Committee on Veterans' Affairs will come to order. I want to welcome all of you to this very important hearing. Secretary Nicholson, Inspector General Opfer, welcome, and thank you for taking the time to be with us this morning.
On May 3rd, theft of a laptop computer and external hard drive from the home of a VA employee has been reported as an embarrassing and expensive management failure of VA. While that may be true, in the 8 weeks since our joint hearing with the Homeland Security and Governmental Affairs Committee, there has been much news, both good and bad, on the issue.

We have learned that the employee was not authorized to take the data home and did not safeguard the data once he brought it home. We have learned that the appropriate people within VA were not informed of the stolen data in a timely manner. We have learned that VA policies, practices, and procedures are inadequate to safeguard personnel and proprietary information. And we have learned that VA has insufficiently addressed long-standing OIG-reported information security weaknesses.

We have also learned that law enforcement officials recovered the stolen data and hard drive. That is good news indeed. And even better news is that based on computer forensics examinations, both the FBI and the OIG have a high degree of confidence that the data was not accessed or compromised after the burglary, and they foresee no reason for that assessment to change. And that is very good news for America's veterans.

However, the issue is, I believe, far from closed. This incident has had far-reaching implications. America, I believe, is watching VA and what VA does to learn from and correct its mistakes, because the issue of data security is a problem not only across Government, but within the private sector as well. I think what happened at VA should be an awakening to all of Government. There is not a single American who does not expect and, frankly, does not deserve assurances from their Government, one of the world's largest custodians of sensitive personal information. They deserve a vigilant security program to protect that information.

So we are here today to talk about what needs to be done to improve data security and how VA intends to make that happen. How do we ensure that the policies, practices, and procedures at VA discourage the potential compromise of sensitive data? How do we prevent another wholesale failure to recognize the importance of a potential breach of security? And can VA more accurately assess the extent and scope of an incident in order to report these incidents to VA and Congressional leadership in a timely manner? And, finally, how do we leverage this enormous success that VA has had with electronic medical records to become the gold standard in information and cyber security as well? That ought to be a real and important challenge.

The solution to some of these problems may lie in more strictly enforced policies, increased education about those policies, and increased utilization of data encryption and passwords. Some would argue that the solution lies in increased legislation and appropriations. But at the heart of it all, VA must resolve its repeatedly identified vulnerabilities, establish a clear chain of command, and implement an accountability structure for the security of its information.

VA will testify today that they have an implementation strategy that is the road map to success and that they are on their way. Clearly, that puts their testimony at odds with historic patterns. I look forward to understanding the mechanics of this road map, so much so, in fact, that I will take this opportunity to pose my first question of the hearing. Is this implementation strategy something which every single VA employee understands? Can I have a chat with the systems administrator at the Boise VA about the implementation strategy for securing VA information or perhaps even a claims supervisor at that same facility? Even bigger than the challenge of finding lost data is the challenge of making the security of those in the VA system everyone's top priority.
I hope this hearing, like the one we held 2 months ago, will shed some more light on the situation, provide clarity to some of my concerns and the Committee's concerns--I think we hold this jointly--and, most importantly, provide 26 million veterans with answers they deserve.

Before I turn to the Ranking Member, I would like to bring to the Committee's attention the July 18, 2006, letter from the FBI reiterating its high degree of confidence that the files on the external hard drive where the VA data was stored were not compromised. This letter will be made a part of the hearing record today.

[The letter from James H. Burrus, Jr., Federal Bureau of Investigation (FBI) follows:]

[GRAPHIC] [TIFF OMITTED] T9717.001

Chairman Craig. Also, before I turn to our Ranking Member and other Members for their comments, I want to recognize Tim McClain, our VA General Counsel who is with us today. Tim is leaving us September 1 to join the private sector. He has been an integral part of VA's senior leadership team as the chief legal counsel since 2001. He was in the Navy's Judge Advocate General Corps and retired from active duty in 1990. He has been the point person to handle crises such as Hurricanes Katrina and Rita. His tireless leadership in support of the Secretary and the VA in addressing the data issues has been key. Tim, on behalf of the Committee, I want to thank you for your service to VA, to America's veterans, and thank you for your service to the country.

Mr. McClain. Thank you, Mr. Chairman.

Chairman Craig. Thank you very much.

[Applause.]

Chairman Craig. Now let me turn to the Ranking Member of the Committee, Senator Danny Akaka. Danny.

STATEMENT OF HON. DANIEL K. AKAKA, RANKING MEMBER, U.S. SENATOR FROM HAWAII

Senator Akaka. Thank you. Thank you very much, Mr. Chairman. And I want to take this opportunity to wish my brother well. Chairman Craig, happy birthday.

Chairman Craig. Thank you.

[Laughter.]

Chairman Craig. Well, it will depend on how the hearing goes today how my birthday is, Mr. Secretary.

[Laughter.]

Chairman Craig. Please proceed, Danny.

Senator Akaka. Mr. Chairman, thank you very much for calling this hearing. It is important. I am with you and with the Committee in trying to assure that we can improve data security for the Veterans' Administration. I want to welcome Secretary Nicholson and Mr. Opfer in joining us today, and I look forward to their testimony.

I know there was a collective sigh of relief when the computer equipment containing the stolen data was recovered. It was great news to learn that the FBI reached the conclusion that it is highly unlikely that the data was compromised. Mr. Opfer, I thank you and your office for aggressively pursuing this investigation and the timeliness with which you completed it. Your hard work has provided the Secretary and us with recommendations that should go a long way toward fixing VA's information security problems. I note that the President's budget for the coming fiscal year calls for a serious cut of funding and staff for your office. Yet your office's response to this incident shows that VA needs more oversight of its internal workings and not less.

It should not have taken the loss of personal information affecting 26.5 million veterans, guardsmen, reservists, and active-duty servicemembers, nor the expenditure of millions of dollars for me to realize that VA needs to take drastic steps to improve its cyber and information security. For the past 6 years, VA's IG has reported that information technology security is a major management challenge. VA has also received failing grades from its Federal Information Security Management Act audits. It should not have taken almost 2 weeks for the Secretary to learn of a problem of this magnitude. The slow reaction which characterized the Department's response to the theft is unacceptable.
I am very concerned about the state of VA's internal organization and how the Department functions. As VA recovers from this incident, it must have information security policies, procedures, and practices that are standardized for all of its employees. I remain distressed that the removal of data was not a violation of any law or regulation. As I noted at our Committee's hearing on the data loss, the incident that brings us here today could have easily involved other Government departments and agencies. VA must establish safeguards to prevent any loss of data in the future.

Secretary Nicholson, I hope you will be proactive in your efforts to remedy these problems. Veterans have entrusted the Department with their personal information and deserve nothing less, and I know you will certainly be working on it, and this Committee will be interested in how we do that.

Mr. Chairman, I will continue to work with you to ensure that we provide effective oversight of VA's remediation plan. I look forward to hearing from our witnesses and hearing their testimony this morning. Thank you very much, Mr. Chairman.

Chairman Craig. Senator Akaka, thank you very much. Now let us turn to Senator Patty Murray. Patty.

STATEMENT OF HON. PATTY MURRAY, U.S. SENATOR FROM WASHINGTON

Senator Murray. Well, thank you very much, Mr. Chairman, and happy birthday. I hope it is a good one as well.

Chairman Craig. Thank you.

Senator Murray. Thank you, Senator Akaka, especially, too, for holding this hearing, and welcome to Secretary Nicholson and the Inspector General. I know that Chairman Craig and Senator Akaka share my concerns about the recent data theft and how it has been handled, and we all gave a sigh of relief when obviously the data was found.

But I was very frustrated to hear that the VA was not going to be providing the credit monitoring to veterans whose credit may be at risk, and I read the letter from the FBI and know that they say it is a high level of certainty that the data was not accessed. But, frankly, I would not bet my credit on it. And, more importantly, because the VA still does not have an adequate security system, I really think until that is fixed, the VA should keep its commitment to providing veterans with the credit monitoring, and I hope that we can change that direction and move forward on that. I will ask you about that later.

I also share the concern of the Chairman and the Ranking Member about the past failures with data security. We know that the IG has warned time and time again that the systems were not secure about the lack of protection for this vital, sensitive information about health care and benefits. And these are really institutional problems within the VA, and it is going to take more than just words about it. We are going to have to really hear some very concrete plans, and I hope to ask questions about that at this morning's hearing. And I appreciate your being here so we can really get to the heart of why this investigation took so long to begin, and what changes have been made and what the future plans are to make sure that this problem does not happen again.

Mr. Secretary, as we talked about when you came in, I hope that we can also take a few minutes to talk about your recent trip to Walla Walla 2 weeks ago when you came through my State on a series of campaign stops and stopped in Walla Walla. You made an announcement--actually both in Northwest Washington about a Northwest Washington CBOC and the Walla Walla hospital. And as you know, your visit to our State raised more questions than it answered, and I hope that I can have the opportunity to really define what some of that meant, because I know the people in Walla Walla. They are committed; their community is committed; the business community is committed; the veterans community is committed. They have really worked hard to have a seat at the table and want to know what the details are because that is really what matters. I did send you a letter. I got an answer to it last night, but I still feel that there are a number of questions that are unanswered, and I hope to get those answers today as well.

So thank you, Mr. Chairman.

Chairman Craig. Patty, thank you very much. Now let's turn to Senator Ken Salazar. Ken.

STATEMENT OF HON. KEN SALAZAR, U.S. SENATOR FROM COLORADO

Senator Salazar. Thank you very much, Mr. Chairman, and happy birthday to you.

Chairman Craig. Thank you.

Senator Salazar. And thank you, Senator Akaka, for holding this hearing. I also want to thank Tim McClain for the service that he has performed for the VA, and I have very much enjoyed working with him.

Sometimes I think when we come to these hearings, it seems that we get into combat, if you will, with the VA on issues that are of concern to Members of this Committee. But I think it is also important, from time to time, to remember that there is a lot of good that goes on with the VA. I had a long conversation with Under Secretary Perlin yesterday about the latest article in Business Week, and I think it demonstrates that there is a lot of good in the VA. And I think that has come about through the joint efforts of this Committee and the Congress working closely with the VA.

I am very appreciative of the fact that we are looking at the issue of security breaches at the VA. We all breathed a very deep sigh of relief when the FBI recovered the computer. We were all very, very lucky on that incident, but I think the central question still remains. It was a very troubling incident.
I know that Secretary Nicholson shares that concern, and I am very hopeful that today we will hear more from Secretary Nicholson about how we make sure that this problem does not occur again. It has always been my view when these major mistakes occur and people's lives are affected that what we have to do is make sure that you prevent the problem from ever happening again. And I am hopeful that the ideas and policy directions that Secretary Nicholson is taking in the Department will address these issues effectively.

Thank you, Mr. Chairman.

Chairman Craig. Ken, thank you very much. Before I turn to the Secretary, let me thank you all for your kind wishes. In the aging process, there is also some humor, and it happened yesterday. We were in the Speaker's meeting room prior to the final ceremony on the 75th anniversary of the VA in the Rotunda. There was a gentleman there from Maryland who is 104 years old. He fought in World War I. He enlisted when he was 16 years old to serve in the Navy and is in just amazingly good shape, but he could not hear very well. And when I bent over to say hello to him, he looked up at me, and he said, ``And you fought in World War II.'' And I had to remind him that I was not yet born.

[Laughter.]

Chairman Craig. So that is part of the positive side of this memory as we work through the aging process. Anyway, with that, Mr. Secretary, thank you again for coming before the Committee. You have heard our Members' concern about the good news and the bad news and where we go from here. And I think that is going to be what this Committee focuses on now and into the future as we work with VA to get this right and prevent this problem from happening again. Please proceed.

STATEMENT OF HON. R. JAMES NICHOLSON, DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY ROBERT HOWARD, SENIOR ADVISOR TO THE DEPUTY SECRETARY; TIM McCLAIN, GENERAL COUNSEL; AND ROBERT HENKE, ASSISTANT SECRETARY FOR MANAGEMENT, DEPARTMENT OF VETERANS AFFAIRS

Secretary Nicholson. Well, thank you, Mr. Chairman, and let me add my greetings and happy birthday to you. I recall that incident yesterday slightly differently, however. He asked you if you fought in World War I.

[Laughter.]

Chairman Craig. Yes, I know.

[Laughter.]

Chairman Craig. Something about both--I did not want to suggest that his ears were failing and his eyes were failing.

Secretary Nicholson. I appreciate being here before you and the Members of the Committee to follow up on what has occurred with the Department of Veterans Affairs since the unfortunate theft of data from the home of a VA employee on May 3rd. I appeared before you at a hearing on May 25th to tell you what I knew about this situation at that time. Since then much has happened and, as you know and have noted, on Thursday, June 29, 2006, I announced that Federal law enforcement authorities had recovered the stolen laptop and external hard drive.

The FBI's forensic examination of the recovered laptop and hard drive is complete, and the FBI has a high degree of confidence, based on the results of the forensic tests, and other circumstantial information gathered during the investigation that the data contained in that equipment was not accessed or compromised in any way. This is good news for the VA, most importantly for our veterans and our active-duty military personnel, and we believe should alleviate the concerns that they may have. But it is important that we remain vigilant. And for that reason, we will be retaining the services of a company that specializes in data breach analysis to monitor this situation.

I know that the Members of this Committee have digested the VA Inspector General's report on events related to the data breach. That report is accurate, and it is harshly critical of the situation that has existed at the VA for years where we simply did not have in place proper procedures, regulations, guidelines, and directives.
Nor did we have a culture of data security that should have precluded an occurrence like this. And once the event occurred, we did not show sufficient urgency in dealing with it. As you know, I was not informed of the theft until nearly 2 weeks after it had occurred. So I concur with the recommendations contained in the Inspector General's report and am fully committed to seeing them implemented in the shortest possible time line.

Last October, I approved a major restructuring of information security within the Department--far, far before this incident occurred and reached the light of day. This restructuring ordered the centralizing of almost all of the information technology within the Department to come under the Chief Information Officer. This process was and, of course, still is underway and will greatly facilitate control, training, responsibility, and accountability. This consolidation of IT has been accelerated as a result of this incident. There have been several changes that have already been implemented, and as we continue this effort, we can make the VA the ``Gold Standard'' in the area of information security, just as we have done in the area of electronic medical records.

The VA is the recognized leader in electronic health records, and I appreciate that being noted in the recent article in Business Week. VA is also the recognized leader in health safety and is setting the standards for others to follow. I am committed to doing the same in the area of information security.

We have developed a plan with corrective actions and execution time lines necessary to fix the deficiencies cited in the IG report. It is a multi-phased effort which includes actions in the technical area, such as encryption processes and tools, actions in the management area, such as a complete overhaul of policies and directives, and actions focused on operational area, such as procedures and tools for monitoring the extraction of sensitive information. We will, of course, be pleased to brief the Committee in greater detail on that at your convenience.

On June 28, 2006, I issued a memorandum delegating to the VA Chief Information Officer all authority and responsibilities given to me by the Federal Information Security Management Act, or FISMA. This delegation does not relieve me of the ultimate responsibility, but it does empower the CIO with the authority he needs to do his job. This delegation restructures responsibilities and authorities for information security at the VA, bringing them together in one individual. It also is the first step in bringing about the cultural changes within the VA generally, and more particularly, within the arena of information technology. That must occur.

I have made it clear to all senior managers in the Department that information security, cyber security, and the reorganization of the Office of Information Technology are top priorities. These senior leaders know that every employee must be committed to ensure the safety of veterans' personal information. Performance evaluations and executive bonuses will reflect the leaders' and employees' level of commitment.

When I commit to becoming the ``Gold Standard,'' I mean VA must be the best in the Federal Government in protecting personal and health information, training and educating our employees to achieve that goal. The culture must put the custody of veterans' personal information first--over and above expediency. And I expect nothing less.

The IG report has highlighted serious deficiencies. We have a plan for transformation. I realize, however, the recommendations contained in this report are just a start. Achieving our goal of leadership will require much more. I have reached outside our ranks and enlisted the assistance of leading experts in the field of data security to assist us in defining our path. With their guidance and VA resources, we will become the system for all other agencies to emulate.

Training in the area of information and cyber security will be a vital component of our transformation. To ensure quality and consistency in such a broad-based training program, I have directed the establishment of a new Office of Cyber and Information Security Training within the Office of Information Technology. This office will be responsible for developing and implementing a training program which will begin with new employee orientation and continue through such programs as Leadership VA, the Senior Executive Service Candidate Development Program, and the Senior Leadership Academy. I expect a continual emphasis on information security throughout an employee's career.

Excellence in information security will take the full commitment of VA's senior leadership, both political appointees and career senior executives. It will also take money, and we will seek the budgetary resources we need for success from the Administration and from you, the Congress. And it will take time, but my sense of urgency is clear. Measurable progress will require a steady and consistent message for--and from--all who work for this agency. Industry experts will help our own IT professionals develop program changes and validate our time lines. Employees will be held accountable for safeguarding the sensitive information entrusted to us by veterans and other beneficiaries. Even now we are conducting an inventory to determine appropriate access needs for everyone within VA. And we will be instituting background checks appropriate to those access levels.

In fact, it is our people that will make all of this happen. There is nothing more important than having people with training and character to assume the responsibility to implement the changes needed.

Mr. Chairman, unfortunately a very bad thing happened. A monumentally awful thing, and I am outraged by it and by the slow response of some in our Department. But I am the responsible person, and it is to me that you are entitled to look to see that this is fixed. It will not be easy, and it will not be overnight. But I am absolutely convinced that we can do it. As I have said, I think we can turn the VA into the model for information security, just as it has become the model for health care in the United States.

Finally, Mr. Chairman, thank you for your kind words for Tim McClain. We wish him well and will miss him.

That concludes my testimony, and I would be pleased to answer any questions the Committee may have.

[The prepared statement of Secretary Nicholson follows:]

Prepared Statement of Hon. R. James Nicholson, Secretary, Department of Veterans Affairs

Mr. Chairman and Members of the Committee. Thank you for the opportunity to appear before you to follow up on what occurred within the Department of Veterans Affairs since the unfortunate theft of computer equipment containing VA data from the home of a VA employee on May 3rd. I appeared before you at a hearing on May 25th to tell you of what I knew about this situation at that time. Since then, much has happened.

On Thursday, June 29, 2006, I announced that Federal law enforcement authorities had recovered the stolen laptop and external hard drive. The FBI's forensic examination of the recovered laptop and hard drive is complete. The FBI has a high degree of confidence--based on the results of the forensic tests and other information gathered during the investigation that the data contained on that equipment was not accessed or compromised. This is good news for our veterans and active duty military personnel and should alleviate any concerns they may have. But, identity theft is the fastest growing white-collar crime in this country, and it is important that we remain vigilant. For that reason, we will be retaining the services of a company that specializes in data breach analysis to monitor this situation.
I know the Members of this Committee have digested the VA Inspector General's report on events related to the data breach. I concur with the recommendations contained in the Inspector General's report, and am fully committed to seeing them implemented in the shortest possible time.

Last October I approved a major restructuring of information security within the Department, centralizing almost all of it under the Chief Information Officer. This process was, and of course, still is underway and will greatly facilitate control, training, responsibility and accountability. This consolidation of IT has been accelerated as a result of this incident. There have been several changes that have already been implemented, and, as we continue this effort, we can make VA the ``Gold Standard'' in the area of information security. VA has made great strides forward in the area of health care and today is the recognized leader in health records and safety and is setting the standards for others to follow. I am committed to doing the same in the area of information security.

We are formulating an action plan that is a multi-phased effort which includes actions in the technical area such as encryption processes and tools; actions in the management area such as a complete overhaul of policies and directives; and actions focused on operational areas such as procedures and tools for monitoring the extraction of sensitive information.

On June 28, 2006, I issued a memorandum delegating to the VA Chief Information Officer (CIO) all authority and responsibilities given to me by the Federal Information Security Management Act (FISMA). This delegation does not relieve me of the ultimate responsibility but it does empower the CIO with the authority he needs. This delegation restructures responsibilities and authorities for information security at the VA, bringing them together in one individual. It also is the first step in bringing about the cultural changes within VA generally, and more particularly, within IT at VA, that must occur.

I have made it clear to all senior managers in the Department that information security, cyber security and the reorganization of the Office of Information Technology (OIT) are top priorities. These senior leaders know that every employee must be committed to ensure the security of veterans' personal information. Performance evaluations and executive bonuses will reflect the leaders' and employees' level of commitment.

When I commit to becoming the ``Gold Standard,'' I mean VA must be the best in the Federal Government in protecting personal and health information, training and educating our employees to achieve that goal. The culture must put the custody of veterans' personal information first . . . over and above expediency. I expect nothing less.

The IG Report has highlighted serious deficiencies. We have a plan for transformation. I realize, however, the recommendations contained in this report are just a start. Achieving our goal of leadership will require much more. I have reached outside our ranks and enlisted the assistance of leading experts in the field of data security to assist us in defining our path. With their guidance and VA resources, we will become the system for all other agencies to emulate.

Training in the area of information and cyber security will be a vital component of our transformation. To ensure quality and consistency in such a broad-based training program, I have directed the establishment of a new Office of Cyber & Information Security Training within the Office of Information Technology. This office will be responsible for developing and implementing a training program which will begin with new employee orientation and continue through such programs as Leadership VA, the SES Candidate Development Program and the Senior Leadership Academy.
I expect a continual emphasis on information security throughout an employee's career. Excellence in information security will take the full commitment of VA's senior leadership, both political appointees and career senior executives. It will take time, but my sense of urgency is clear. Measurable progress will require a steady and consistent message for--and from--all who work for this agency. Industry experts will help our own IT professionals develop program changes and validate our time lines.

Employees will be held accountable for safeguarding the sensitive information entrusted to us by veterans and beneficiaries. Even now we are conducting an inventory to determine appropriate access needs for everyone within VA. And we will be instituting background checks appropriate to those access levels. In fact, it is our people that will make all of this happen. There is nothing more important than having people with training and character, who assume the responsibility to implement the changes needed.

Mr. Chairman, unfortunately a very bad thing happened. A monumentally awful thing. I am outraged by it and the slow response of some of our Department. But I am the responsible person, and it is to me that you are entitled to look to see that this is fixed. It won't be easy, and it won't be overnight, but I am absolutely convinced that we can do it. As I've said, I think we can turn VA into the model for information security, just as it has become the model for health care in the United States, as most recently attested to in an article in Business Week magazine dated July 17th.

Mr. Chairman, that concludes my testimony. I would be pleased to answer any questions that the Committee may have.

______

Response to Written Questions Submitted by Hon. Daniel K. Akaka to Hon. R. James Nicholson

Question 1. Based on the FBI's findings that it is unlikely that the data on the hard drive was compromised, VA has withdrawn its plan for providing free credit monitoring for those whose personal information was on the stolen equipment. VA has stated it will continue with a contract for data breach analysis. Please detail when the contract will start and exactly what services VA will be contracting for.
Answer. Failed to respond within allotted time.

Question 2. As a result of the data breach analysis contract, if a breach is identified concerning a veteran's credit or identity, does VA intend to then provide credit monitoring to that veteran? What is VA's response plan?
Answer. Failed to respond within allotted time.

Question 3. The IG report identified thirteen different memorandums and directives that have been issued in response to the data theft. The report stated they found a patchwork of policies pertaining to information security that were fragmented and difficult to locate. What is VA doing to standardize and simplify the policies and procedures that pertain to protecting personal and proprietary data so that they are clearly understood by all VA employees and contractors?
Answer. Failed to respond within allotted time.

Question 4. The IG recommended that the Secretary take ``whatever administrative action'' deemed appropriate in connection with individuals involved in ``the inappropriate and untimely handling of the notification of stolen VA data.'' In your response to IG, you indicated that you had directed administrative investigations for some employees and for some political appointees on your immediate staff. Please explain about the administrative investigations--who is carrying them out, how they are being conducted, and what the current status is of their progress? With respect to those on your immediate staff, what is the timetable for the completion of these reviews?
Answer. Failed to respond within allotted time.

Question 5. The IG identified that there is a problem with position level designations not being done or being inaccurate for VA and contract employees. They also identified a problem of background checks for those with access to sensitive data. Please explain the size of the problem, how long it will take to fix it, and how much it will cost.
Answer. Failed to respond within allotted time.

Question 6. How long does VA intend on maintaining the call centers to answer data theft questions from veterans and their families?
Answer. Failed to respond within allotted time.

Chairman Craig. Mr. Secretary, thank you very much for that testimony. Now let us turn to the Honorable George Opfer, Inspector General, Department of Veterans Affairs. George, welcome to the Committee.

STATEMENT OF HON. GEORGE J. OPFER, INSPECTOR GENERAL, DEPARTMENT OF VETERANS AFFAIRS; ACCOMPANIED BY JON A. WOODITCH, DEPUTY INSPECTOR GENERAL; AND MAUREEN REGAN, COUNSELOR TO THE INSPECTOR GENERAL, DEPARTMENT OF VETERANS AFFAIRS

Mr. Opfer. Thank you, Mr. Chairman and Members of the Committee. Thank you for the opportunity to testify on the results of our reviews of the issues related to the loss of VA information concerning the identity of millions of veterans. As you know, on May 3rd, the home of a VA employee was burglarized resulting in the theft of approximately 26.5 million personal identification information on veterans and active-duty military personnel. The Secretary was not informed until May 16th. Congress and the veterans were not informed until May 22nd. Since then, this Committee, as well as other committees and Members of Congress, have expressed considerable interest in the incident involving the theft and loss of the data.
When I testified before this Committee on May 25th, I described the OIG approach as three-pronged: An ongoing criminal investigation which is still continuing regarding the theft of the data; an administrative investigation into the handling of the incident once it was reported to VA; and a review of the policies and procedures in VA regarding information security and the process that was used to try to safeguard data.

I am pleased to acknowledge that through the diligent and coordinated efforts of the VA OIG, the FBI, and the Montgomery County police, the stolen data was successfully recovered on June 28th. Based on the facts that we have gathered during this criminal investigation and the computer forensics examinations, we are highly confident that the data has not been compromised.

My July 11th report addresses whether or not the employee had authorization to access the data, take the data home, whether management responded appropriately to the reported theft, and whether VA policies and procedures were adequate to protect the VA information. The report also discusses long-standing information security weaknesses in VA.

Because this employee was responsible for projects involving all aspects of VA, he was authorized to have access to VA databases. However, at the time of the burglary, his supervisors were not aware that he had taken the data home or was working on a self-initiated project. In addition, this data was not password-protected or encrypted in any way.

Although a senior manager in the Office of Policy, Planning, and Preparedness was informed of the possible loss of VA data on May 3rd, it was not communicated up the chain of command to the Chief of Staff until May 9th. This is 6 days after the incident had been reported. Poor communication, partially resulting from a dysfunctional working relationship among senior executives, contributed to this delay.
The lack of urgency was also impacted by a false assumption that other parts of VA had the responsibility to investigate and report this incident and make the required notifications. On May 10th, a day after learning of the incident, the Chief of Staff requested legal advice from the General Counsel's office. He decided to wait for that legal advice before notifying the Secretary. Yet during the 6 days that transpired afterwards, there was no follow-up to determine the status of that request. The Chief of Staff notified the Deputy Secretary on May 10th, and he, too, decided not to notify the Secretary until more information was gathered. The information security officials with responsibility for receiving, assessing, or notifying higher level officials of the data loss reacted with indifference and little sense of urgency. Efforts to investigate the matter were further impeded by errors and omissions in the original incident report. Twelve days after receiving the incident report, no meaningful progress was made in determining the magnitude of the event. Coincidentally, the incident ended up being referred back down to the individual who originally referred it in the first place. We were able to determine in the OIG after one interview with the employee the significance of the stolen data. I immediately notified the Chief of Staff on May 16th. The Chief of Staff notified the Secretary shortly after my call. It is unexplainable to us from the period of May 3rd through the 16th why no one in the chain of command reinterviewed the employee to determine the extent of the damage of the potential data loss. VA policies and procedures were not adequate in preventing the loss. We found that employees were not sufficiently trained, required background checks were not performed, contracts needed better safeguards to protect data, and incident-reporting procedures needed improvement. 
Since the incident, the Secretary has taken many positive steps toward strengthening the policies to prevent similar disclosures. We have made additional recommendations to the Secretary. Our report covers many recommendations aimed at taking appropriate administrative action and establishing an effective, comprehensive policy that will safeguard protected information. The Secretary has agreed with our findings and recommendations in the report and has provided an acceptable improvement plan.

In closing, I would like to assure the Committee that we will follow up on the implementation of all these recommendations until they are fully completed.

Mr. Chairman and distinguished Members of the Committee, thank you again for the opportunity to appear, and I would be pleased to answer any questions.

[The prepared statement of Mr. Opfer follows:]

Prepared Statement of Hon. George J. Opfer, Inspector General, Department of Veterans Affairs

INTRODUCTION

Mr. Chairman and Members of the Committee, thank you for the opportunity to testify today on the results of the Office of Inspector General (OIG), Department of Veterans Affairs (VA), review of issues related to the loss of VA information involving the identity of millions of veterans. I am accompanied by Jon Wooditch, Deputy Inspector General, and Maureen Regan, Counselor to Inspector General.

As you know, on May 3, 2006, the home of a VA employee was burglarized resulting in the theft of a personally owned laptop computer and an external hard drive, which was reported to contain personal information on approximately 26 million veterans and U.S. military personnel. The VA Secretary was not informed of the incident until May 16, 2006, almost 2 weeks after the data was stolen. The Congress and veterans were notified on May 22, 2006.
Since then, the Senate Veterans' Affairs Committee, as well as other Congressional committees and Members of Congress, have expressed considerable interest in how this incident occurred and in how VA management responded after being notified of the loss of data. When I testified before this Committee on May 25, 2006, I described the OIG's involvement as a three-pronged approach including: (1) a criminal investigation, (2) an administrative investigation of the handling of the incident once reported to VA, and (3) a review of VA policies and procedures for using and safeguarding personal and proprietary data. I am pleased to announce that we completed the administrative investigation and the review of policies and procedures, and issued our final report on July 11, 2006. More importantly, I am also pleased to acknowledge that through the diligent and coordinated efforts of the VA OIG, the Federal Bureau of Investigation, and the Montgomery County Police Department in Maryland, the stolen data was successfully recovered on June 28, 2006. Based on all the facts gathered thus far during the criminal investigation, as well as the results of computer forensics examinations, we are highly confident that the data was not compromised after the burglary. I would also like to point out that we are continuing to pursue the criminal investigation into the burglary. The July 11, 2006, report essentially addresses whether the employee had authorization to access and take the data home, whether management responded appropriately to the incident, and whether VA policies and procedures were adequate to protect information. The report also discusses long-standing information security weaknesses in VA, even though OIG reports have repeatedly made recommendations for corrective action. 
EMPLOYEE NOT AUTHORIZED TO TAKE DATA HOME

Because the employee was responsible for planning and designing analytical projects and supporting surveys involving all aspects of VA policies and programs, he was authorized access to, and use of, VA databases. The employee explained that much of the data that he had stored on the stolen external hard drive was for his ``fascination project'' that he self-initiated and worked on at home during his own time. Because of past criticism on the reliability of the National Survey of Veterans, his project focused on identifying approximately 7,000 veterans who participated in the 2001 survey, in order to compare the accuracy of their responses with information VA already had on file. He began the project in 2003, but could not recall spending time working on it during 2006.

To conduct this project, the employee took home vast amounts of VA data and loaded it on an external hard drive. The stolen laptop did not contain VA data. The employee reported that the external hard drive that was stolen likely included large record extracts from the Beneficiary Identification and Records Locator Subsystem that contained records on approximately 26 million living veterans. The extract contained veterans' social security numbers, names, birth dates, service numbers, and combined degree of disability. He also reported that the stolen hard drive likely contained an extract of the Compensation and Pension file, containing personal identifiers of over 2.8 million living veterans.

While the employee had authorization to access and use large VA databases containing veterans' personal identifiers in the performance of his official duties, his supervisors and managers were not aware that he was working on the project, and acknowledged that if they had, they would not have authorized him to take such large amounts of VA data home.
By storing the files on his personal external hard drive and leaving it unattended, the employee failed to properly safeguard the data. While the employee stored the laptop and the external hard drive in separate areas of the house, he acknowledged that he took security of the data for granted. The loss of VA data was possible because the employee used extremely poor judgment when he decided to take personal information pertaining to millions of veterans out of the office and store it in his house, without encrypting or password-protecting the data. This serious error in judgment is one for which the employee is personally accountable. The Department proposed administrative action prior to issuance of our report.

MANAGEMENT RESPONSE TO THE INCIDENT WAS NOT APPROPRIATE OR TIMELY

The burglary was reported to the local police on May 3, 2006. When the employee discovered that the computer equipment was among the items stolen, he immediately notified VA management in the Office of Policy, Planning, and Preparedness (OPP&P), including Security and Law Enforcement personnel, that the stolen computer equipment contained VA data. Mr. Michael McLendon, Deputy Assistant Secretary for Policy, was one of the managers notified on May 3, 2006. However, it was not until May 5, 2006, that the Information Security Officer (ISO) for OPP&P interviewed the employee to determine more facts about the loss. The ISO reported that the employee was so flustered that the ISO decided not to discuss the matter; rather he asked the employee to write down what data was lost. The employee's written account of the lost data was an identification of database extracts with little quantified information concerning the significance or magnitude of the incident. This is important because this report served as the basis for all further notifications in VA up to, and including, the Deputy Secretary.

Mr. McLendon received the report of the stolen data on May 5, 2006.
Instead of providing the report to higher management, Mr. McLendon advised his supervisor, Mr. Dennis Duffy, Acting Assistant Secretary for Policy, Planning, and Preparedness, of his intent to rewrite the report because it was inadequate and did not appropriately address the event. He submitted his revised report to Mr. Duffy on May 8, 2006. Our review of Mr. McLendon's revisions determined that his changes were an attempt to mitigate the risk of misuse of the stolen data. He focused on adding information that most of the critical data was stored in files protected by a statistical software program, making it difficult to access. This, however, was not the case because we were able to display and print portions of the formatted data without using the software program. Mr. McLendon made these revisions without consulting with the programming expert on his staff or with the employee who reported the stolen data. Mr. Duffy provided the revised report to Mr. Thomas Bowman, VA Chief of Staff, on May 10, 2006. Mr. Duffy also did not attempt to determine the magnitude of the stolen data nor did he talk to the employee. Mr. McLendon also did not inform his direct supervisor, Mr. Duffy, when he learned of the incident on May 3, 2006. Mr. Duffy advised us that he did not learn of the theft until Friday morning, May 5, 2006, when he spoke with the OPP&P ISO, in what Mr. Duffy described as a rather ``casual hallway meeting.'' Mr. Duffy did not discuss the matter initially with Mr. McLendon, noting that there had been a long and very strained relationship with him. Mr. Duffy said that Mr. McLendon had a very strong belief that, as a political appointee, he reported in some fashion to the Secretary and that there was no need for a ``careerist'' to supervise him. Mr. McLendon characterized the office as one of the most dysfunctional organizations in VA, and that it was one of the most hostile work environments he ever worked in. Mr. 
Duffy said he just did not perceive this as a crisis. In hindsight, he added that his greatest regret is that he ``failed to recognize the magnitude of the whole thing.'' Both Mr. Duffy and Mr. McLendon bear responsibility for the impact that their strained relationship, which both acknowledged, may have had on the operations of the office in handling this incident. We also concluded that Mr. John Baffa, Deputy Assistant Secretary for Security and Law Enforcement, who was notified of the incident on May 4, 2006, also failed to take appropriate action to determine the magnitude and significance of the stolen data. Shortly after Mr. Bowman received the report from Mr. Duffy on May 10, 2006, he provided it to Mr. Jack Thompson, Deputy General Counsel, and asked him to provide legal advice on the agency's duties and responsibilities to notify individuals whose identifying information was compromised. On May 10, 2006, Mr. Bowman also informed Mr. Gordon Mansfield, Deputy Secretary. While the Deputy Secretary does not recall discussing the magnitude of the number of veterans affected by the theft, he too decided not to raise the issue to the Secretary until they knew more information on what VA's legal responsibilities were and more about the magnitude of the problem. Once again, no attempt was made to contact the employee who reported the theft to determine the magnitude of the stolen data. The OIG was able to determine the extent of the stolen data after one interview with the employee on May 15, 2006. As soon as I learned of the magnitude of the incident on the morning of May 16, 2006, I immediately notified the Chief of Staff that the stolen data most likely contained personal identifiers on approximately 26 million records. The Chief of Staff then notified the Secretary. The delay in notifying the Secretary was spent waiting for legal advice from the Office of General Counsel (OGC). 
This 6-day delay can be attributed to a lack of urgency on the part of those requesting this advice and those responsible for providing the response. This is not to say that everyone who was notified of the incident failed to recognize its importance, but no one clearly identified it as a high priority item and no one followed up on the status of the request until after I notified the Chief of Staff on May 16, 2006.

INFORMATION SECURITY OFFICIALS ACTED WITH INDIFFERENCE AND LITTLE SENSE OF URGENCY

On May 5, 2006, the OPP&P ISO forwarded information concerning the theft to the District ISO, who is responsible for coordinating ISO activities among VA Central Office staff offices. He also submitted it to the Security Operations Center (SOC), which has responsibility for assessing and resolving reported information security incidents. However, the OPP&P ISO's incident report had significant errors and omissions, and information security officials did not adequately attempt to identify the magnitude of the incident or elevate it until May 16, 2006.

At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating, or notifying higher level officials of the data loss reacted with indifference and little sense of urgency or responsibility. At no time did the District ISO or SOC attempt to interview the employee who reported the data stolen to clarify omissions in the OPP&P ISO's report or to gain a better understanding of the scope and severity of the potential data loss. While the District ISO elevated the matter to Mr. Johnny Davis, Acting Associate Deputy Assistant Secretary for Cyber Security Operations, this occurred as another ``hallway conversation,'' and he was not provided any details on the nature of the missing data. No further notifications were made up the chain-of-command.
Twelve days after receiving the original incident report, the SOC had made no meaningful progress in assessing the magnitude of the event and, ironically, had passed responsibility to gather information on the incident back to the OPP&P ISO to review it as a possible privacy violation, an area outside the jurisdiction of the SOC. The OPP&P ISO also serves as the Privacy Officer (PO).

POLICIES AND PROCEDURES DID NOT ADEQUATELY SAFEGUARD PROTECTED INFORMATION

The potential disclosure of Privacy Act protected information resulting from the theft raised the issue of whether VA policies adequately safeguard information that is not stored on a VA automated system. Based on our review of VA policies that existed at the time of the incident; policies that have been issued since the incident; and interviews with VA employees, Chief Information Officers, POs, and ISOs; we concluded that VA policies, procedures, and practices do not adequately safeguard personal or proprietary information used by VA employees and contractors. We found a patchwork of policies that were difficult to locate and fragmented. None of the policies prohibited the removal of protected information from the worksite or storing protected information on a personally owned computer, and did not provide safeguards for electronic data stored on portable media or a personal computer.

The loss of protected information not stored on a VA automated system highlighted a gap between VA policies implementing information laws and those implementing information security laws. We found that policies implementing information laws focus on identifying what information is to be protected and the conditions for disclosure; whereas, policies implementing information security laws focus on protecting VA automated systems from unauthorized intrusions and viruses. As a result, VA did not have policies in place at the time of the incident to safeguard protected information not stored on a VA automated system.
Although policies implemented by the Secretary since the incident are a positive step, we determined that more needs to be done to ensure protected information is adequately safeguarded. We found that VA's mandatory Cyber Security and Privacy Awareness training are not sufficient to ensure that VA and contract employees are familiar with the applicable laws, regulations, and policies. We also found that position sensitivity level designations for VA and contract employees are either not done or are not accurate. In addition, we found that VA contracts do not contain terms and conditions to adequately safeguard protected information provided to contractors.

We determined that VA needs to enhance its policies for identifying and reporting incidents involving information violations and information security violations to ensure that incidents are promptly and thoroughly investigated; the magnitude of the potential loss is properly evaluated; and that VA management, appropriate law enforcement entities, and individuals and entities potentially affected by the incident are notified in a timely manner.

INFORMATION SECURITY CONTROL WEAKNESSES HAVE PERSISTED FOR YEARS

For the past several years, we have reported vulnerabilities with information technology security controls in our Consolidated Financial Statements (CFS) audit reports, Federal Information Security Management Act (FISMA) audit reports, and Combined Assessment Program (CAP) reports. The recurring themes in these reports support the need for a centralized approach to achieve standardization, remediation of identified weaknesses, and a clear chain-of-command and accountability structure for information security. Each year, we continue to identify repeat deficiencies and repeat recommendations that remain unimplemented.
These recommendations, among other issues, highlight the need to address security vulnerabilities of unauthorized access and misuse of sensitive data, the accuracy of position sensitivity levels, timeliness of background investigations, and the effectiveness of Cyber Security and Privacy Awareness training. We have also reported information technology security as a Major Management Challenge for the Department each year for the past 6 years.

CONCLUSION

Because the employee was responsible for planning and designing analytical projects and supporting surveys involving all aspects of VA policies and programs, he was authorized access to, and use of, these and other large VA databases. However, at the time of the burglary his supervisors were not aware of the employee's self-initiated project and, as such, had no official need or permission to take the data home. In addition, the employee reported that the data stored on the stolen external hard drive was neither password-protected nor encrypted.

Although senior managers and other OPP&P staff were informed of the possible loss of data on May 3, 2006, the incident was not communicated up the chain-of-command until the VA Chief of Staff was notified 6 days later. Poor communication, partially resulting from a dysfunctional working relationship among senior OPP&P executives, contributed to the delay. While there was considerable rhetoric among management concerning the need to identify the extent and scope of the stolen data, there was virtually no follow-up with the employee to obtain results. Also, the lack of urgency in addressing this issue was impacted by the false assumption that the SOC had the responsibility to investigate the incident and make all required notifications.

On May 10, 2006, Mr. Bowman requested legal advice from OGC. Yet, during the 6 days following this request, Mr.
Bowman did not follow up to determine the status of the request, or task anyone to develop a more definitive description of how many veterans' records may have been stolen. Although Mr. Bowman acknowledged he knew the data stolen could potentially affect millions of veterans, he demonstrated no urgency in notifying the Secretary of the incident and decided to wait for OGC's response before doing so. Mr. Bowman also notified Mr. Mansfield on May 10, 2006, but Mr. Mansfield too decided not to raise the issue to the Secretary until they knew more information on what VA's legal responsibilities were and more about the magnitude of the problem. At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating, or notifying higher level officials of the data loss reacted with indifference and little sense of urgency or responsibility. Efforts to investigate the incident were further impeded by errors and omissions in the ISO's incident report and were delayed due to ineffective coordination between the OPP&P ISO and the SOC. Twelve days after receiving the original incident report, the SOC had made no meaningful progress in assessing the magnitude of the event and had attempted to pass responsibility to gather information on the incident back to the OPP&P PO. Coincidentally, this is the same individual who referred the matter to the SOC in the first place, which he did in his dual capacity as ISO for OPP&P. The OIG was able to determine the magnitude and extent of the stolen data after one interview with the employee on May 15, 2006, and I notified the Chief of Staff on the morning of May 16, 2006. The Chief of Staff notified the Secretary shortly after my call. It is unexplainable why no one in the management chain-of-command ever attempted to re-interview the employee to gain a better understanding of the scope and severity of the potential data loss, prior to my call. 
While no policy was violated in the handling of the incident, staff and senior managers who were notified of the theft failed to take appropriate action to determine the magnitude of what was stored on the stolen external hard drive, or whether it was properly safeguarded. The failure to determine this resulted in not recognizing the potential significance on VA programs, operations, and veterans. Since the local police were not told for 13 days that VA data was stolen during the burglary, valuable forensic evidence was most likely lost. The delay also prevented the burglary from receiving the urgency it warranted from Federal law enforcement agencies. We found that VA's policies and procedures for safeguarding information and data were not consolidated or standardized to ensure all employees were following all applicable requirements in a similar fashion, and that policies and procedures were not adequate in preventing the loss of the data. We also found that VA employees and contractors were not adequately trained and reminded of the policies and procedures to follow to safeguard personal or proprietary information, sensitivity level designations were not always accurate, information and data provided to contractors need to be better safeguarded, and VA incident reporting procedures and controls need improvement. Since the incident VA managers have attempted to strengthen policies, procedures, and controls to prevent similar disclosures, but additional actions need to be taken to safeguard protected information and VA's automated systems. Our CFS audits, FISMA audits, and individual CAP reports of VA medical facilities and regional offices all highlight specific vulnerabilities that can be exploited, but the recurring themes in these reports are the need for a centralized approach to achieve standardization in VA, remediation of identified weaknesses, and accountability in VA information security. 
Specific recommendations were not made in our July 11, 2006, report because 17 recommendations are listed in previously issued OIG reports and are being followed up on separately.

RECOMMENDATIONS

We recommend that the Secretary:

* Take whatever administrative action deemed appropriate concerning the individuals involved in the inappropriate and untimely handling of the notification of stolen VA data involving the personal identifiers of millions of veterans.
* Establish one clear, concise VA policy on safeguarding protected information when stored or not stored in VA automated systems, ensure that the policy is readily accessible to employees, and that employees are held accountable for non-compliance.
* Modify the mandatory Cyber Security and Privacy Awareness training to identify and provide a link to all applicable laws and VA policy.
* Ensure that all position descriptions are evaluated and have proper sensitivity level designations, that there is consistency nationwide for positions that are similar in nature or have similar access to VA protected information and automated systems, and that all required background checks are completed in a timely manner.
* Establish VA-wide policy for contracts for services that requires access to protected information and/or VA automated systems, that ensures contractor personnel are held to the same standards as VA employees, and that information accessed, stored, or processed on non-VA automated systems is safeguarded.
* Establish VA policy and procedures that provide clear, consistent criteria for reporting, investigating, and tracking incidents of loss, theft, or potential disclosure of protected information or unauthorized access to automated systems, including specific timeframes and responsibilities for reporting within the VA chain-of-command and, where appropriate, to OIG and other law enforcement entities, as well as appropriate notification to individuals whose protected information may be compromised.

The Secretary agreed with the findings and recommendations in our report and provided acceptable improvement plans.

CLOSING

In closing, I would like to assure the Committee that we will follow up on the implementation of these recommendations until they are completed. Mr. Chairman and other distinguished Members of the Committee, thank you again for this opportunity and I would be pleased to answer any questions.

______

Response to Written Questions Submitted by Hon. Daniel K. Akaka to Hon. George J. Opfer

Question 1. Please provide an explanation for the apparent breakdown within the Office of Information and Technology in responding to this incident.

Answer. The breakdown was attributable to a number of factors, not the least of which was the lack of a single coherent policy for investigating incidents in which protected information was inappropriately disclosed, lost, or stolen. Existing VA policies focused more on incidents involving the breach or attack into VA's automated systems, and less on Privacy Act violations. Also, the incident report initially filed contained errors and omissions which made it difficult to determine if this was an information system or privacy violation. The distinction was not made for 12 days.

Question 2. Please provide any details on the specifics of the FBI's forensic examination of the stolen hard drive.

Answer.
It is my understanding that when you copy or access computer files, there is evidence of it in the form of a time/date stamp. The FBI computer forensics examinations did not reveal any date stamp on any of the stolen files after May 2, 2006, the day before the burglary. The FBI cannot give 100 percent assurance because there are highly technical ways to access or copy files without leaving a time/date stamp. However, we do not believe the thieves possessed the necessary technical skills for the following reasons.

* The string of burglaries around the same time and in the same general area suggests that the thieves were targeting items such as laptops and other computer equipment that are in demand and could be easily sold. The fact that the computer equipment was purchased off the street for such a negligible amount indicates that the individual selling it was unaware of what was contained on the hard drive.
* Multiple computer disks with VA files, which were used to download the VA data onto the external hard drive, were in the employee's house but not taken during the burglary. This suggests that the computer equipment and not the data was the target of the theft.

Given all these factors, we are highly confident that the data was not accessed.

Chairman Craig. Well, Mr. Secretary and Inspector General, I am sure we can dwell on the past, and we have just heard a recapitulation of the past and the failures of the system and the personnel involved to deal with this in a timely fashion. Or we can focus on the future and where we go from here. By your own expression and by the consistent expression of observers of the past, this system had shortfalls, could fail, did fail. So let me proceed with those thoughts in mind to a series of questions of how we go forward. First and foremost, Mr. Secretary, you say you are retaining a company for the purpose of monitoring information or breach flows.
Is that a result of the lack of absolute confidence that the information was not breached or a risk that there could have been some breaches?

Secretary Nicholson. More the former, Mr. Chairman. There is a company out there--and there may be more than one--that has a proprietary software that analyzes large banks of data and looks for correlations of incidents and can by doing that determine these identity thefts are being sourced from a common data bank. One company that we are very familiar with and have talked to in great detail is called ID Analytics. ID Analytics subsequently donated its services to VA at no cost. But that gives us, a suspenders-and-belt sort of feeling that, while the FBI has told us that they say with a very high degree of probability this has not been compromised, they do not say it is 100 percent. So by engaging this company, it gives us another line of reconnaissance, if you will, to see if anything would start popping up that could be traced back to this bank of data. If that happened, then we can take actions with respect to monitoring and so forth, notifications.

Chairman Craig. Do you know or have a general idea of what this monitoring will cost? And do you have the money to accomplish that?

Secretary Nicholson. I do have a general idea of what it will cost, and we do have the money, yes. It is, I can say, we are bidding it, so we would like to protect our position.

Chairman Craig. That is why I asked the way I asked.

Secretary Nicholson. It is relatively inexpensive. It is surprisingly inexpensive.

Chairman Craig. OK. Mr. Secretary, you have begun to outline for us a great deal of what you are putting into place as a result of this failure, and before asking this series of questions, I think it is tremendously important for this Committee to gain from you and from VA a detailed plan as to what you plan to do and how you plan to implement it for a lot of reasons.
First of all, you have said it will take time, and that is appropriate, to get it right and to develop a consistency inside VA and a culture and a protocol and all of that. And my guess is it will be a time in which you may be long gone from here, as may I and others. But it is important for this Committee and those of us who will monitor it--because we will--to understand that procedure, that process, for a couple of reasons: To be critical of it, yes, to be observant of it, to monitor it, to check it along the way, to work with VA to make sure this happens. As you know, the House is moving, I think today, to mark up legislation directing and mandating a certain procedure. So having said all of that, does this plan give veterans, in your opinion, the assurance they deserve that information and cyber security has become your top priority?

Secretary Nicholson. I would say unequivocally yes to that. You know, this is the order of the day at the VA, and since this has occurred, I have traveled out and about and talked to hospital directors and regional office directors, and they have the word. They have the sense of urgency. But, it is still in the nascent stage; you know, we are talking and we are getting the talk right, and we are beginning to confront the culture. But there is a great deal now that has to be done. I mean, the real implementation, then transformation has to be done. But I would point out--and I think it is fair to do that and to give acknowledgment of it, that we started--last October we started a major change in this agency, and that was a very big decision I made, resisted in many quarters of the vast organization, because it is bringing about a big change. On October 1st, some 5,050-some people will be moved and over $400 million will be moved to the CIO, consistent with the centralization of responsibility and control over information technology and information security.

Chairman Craig. I will come back with additional questions.
Let me turn to Senator Akaka.

Senator Akaka. Thank you very much, Mr. Chairman. Mr. Secretary, I am sure that you appreciate that, as a result of the data theft, veterans' confidence in VA has been low. The veterans my office is hearing from are not certain about VA and what VA is trying to do to help them, and it gives me a feeling that they will not be easily reassured. As I am sure you know, many veterans organizations are opposed to the decision to not provide credit monitoring, and so my question to you is: What is the status of that about credit monitoring? You did mention that you will retain from the private sector a company that will continue to monitor this situation. Can you give me a status of that?

Secretary Nicholson. Yes, I can, Senator. The decision was made both at OMB with engagement by us, the VA, that the credit monitoring that was moving forward as a result of the recovery of the data and the FBI's prognosis that it was not compromised caused us to conclude that individual monitoring was not necessary at this time. And then we were affirmatively going to engage this data bank monitoring. And that is the case, and we have had conversations with the VSOs. Some of them do oppose our decision, and some concur with it, think that it would be a waste of $160 million at this time based on the FBI's analysis.

Senator Akaka. Is the company that you are retaining to continue this monitoring of the situation the same group that was dealing with the credit monitoring?

Secretary Nicholson. No, sir. It is a different company. There may be other companies. We are putting it out for proposal, you know, a request for bids. But we know of the one, we have talked to them.

Senator Akaka. Thank you. Mr. Opfer, your investigation found that a number of senior VA officials did not seem to have a sense of urgency in reporting the missing data to the Secretary who has, again, said that he did not know about it until 2 weeks after the theft.
Do you have any explanation for that?

Mr. Opfer. Yes, Senator. Most of the senior officials that we interviewed seemed to be unfamiliar with the databases believed to have been stolen and records that they contained. The initial notification of the incident did not quantify the magnitude of the potential for the loss. And it did not seem to trigger a sense of urgency on the part of any of them to look into it or to take control of the issue to try to determine what potentially could be the harm. Several of them told us that they were working on the mistaken assumption that someone else in VA was going to be following up and doing an investigation and making the notifications to higher management and that they were waiting for additional information. It really comes down to a failure to recognize the magnitude of the potential loss and taking control of the issue and trying to determine exactly what potentially could have been compromised by the employee losing that data.

Senator Akaka. Mr. Secretary, I am sure you appreciate one of the concerns that Congress has is that we learned of the data loss only shortly before hearing about it on CNN and other media outlets. If you had to do it over again, once you learned of the data breach, would you at least have come to the leadership of the Veterans' committees and let us know about the problem earlier?

Secretary Nicholson. That is a good question, Senator. Here was the dilemma: After I did learn about it, of course, I immediately informed the White House about it, and then, the Department of Justice and the FBI and a lot of very senior people got involved in it. But one of the dilemmas was if you go public with this, you will inform whoever has that of what they have, thinking they may not know what they have. As it turned out, as I have often said, through good law enforcement and the grace of God, they did not know what they had and we got it back. They fenced it and somebody turned it in for the reward.
But that was the dilemma, and on the eve of the day--that is, the 21st of May--we had a very big powwow about that, and there were pros and cons. I made the decision that we needed to inform you, the veterans, that this had happened. And so on the 22nd, we did it.

Senator Akaka. Thank you very much. Before I give it up, I want to add my gratitude to General Counsel McClain for your service and I want to wish you well.

Mr. McClain. Thank you, Senator.

Senator Akaka. Thank you, Mr. Chairman.

Chairman Craig. Thank you, Danny. Senator Murray.

Senator Murray. Thank you very much, Mr. Chairman, and I do want to follow up Senator Akaka's question on credit monitoring. But before I do that, I wanted to return to the question about your trip to Walla Walla, because as you know, I have a community that cares deeply about this. They have followed the process very, very closely, and they want to have a real voice in the process. And I specifically wanted to ask you about the plan to involve the local community. They have followed the CARES process very, very closely. They expect that the VA will follow it, too, and that means sending a plan to the local advisory committee for review. Can you commit to us that you will follow the CARES process and work with that Local Advisory Panel?

Secretary Nicholson. Yes, I can, Senator Murray. We have followed it, and we have been through the first two stages, and our analysis based on that, I make those decisions. I made a decision on Walla Walla that we would keep that campus open. And the purpose of my visit there was to tell them--the community, the patients, and the staff, all of whom had anxiety--about whether or not we were going to close this. For the benefit of the others, it is a very small VA hospital complex. And I made a decision to keep it open, and that was my purpose of going there. Now, we are going to go into the third stage, which is being justifiable to keep it open. What will it look like?
And as you know, when I went there, I assured them that we were going to have a new ambulatory outpatient clinic facility there. We have other issues that we will be dealing with, and we will be engaging the Local Advisory Panel on those issues, such as long-term care, inpatient medicine and inpatient mental. We have those capabilities there, but as you know, the populations are very small. For example, the average daily census in the nursing home is 22, in the mental health it is 18, and in medicine it is 10.

Senator Murray. OK. But you will follow the LAP process so that that plan will go to the LAP committee and they will have their official----

Secretary Nicholson. Yes.

Senator Murray [continuing].--responsibility to have a response back?

Secretary Nicholson. Yes, we will.

Senator Murray. The questions that are raised are really--I mean, we have been dealing with for a long time. There aren't any facilities in the local community to outsource this to. And maybe more to the point, as you know, your announcement came as a surprise because many of us have been working very, very closely on this for a number of years now with the community and did not know that you were coming out there. I am glad that you have taken the first step to do that, and now the second step to continue the LAP process and send the plan. But could I get your commitment to come in and talk with me, bring your staff, so that I can talk with you about the proposal and learn where we are going to go from here?

Secretary Nicholson. Yes, indeed. Sure, we will do that.

Senator Murray. OK. I would really appreciate that because this is obviously a very involved community. Senator Craig has been out there. He knows as well as I do, and we would like to work with you to get us to where we need to be. I would appreciate that.
I also wanted to ask you about Bellingham because when you were there, we were told that you committed to bringing a VA clinic to Northwest Washington and that some kind of announcement would be coming within the week. And I have been unable to get any clarification from your staff, and I wanted to find out from you here, can you tell me what you said in Bellingham about the new clinic so that we all are on the same page?

Secretary Nicholson. I can. What I said to the veterans there with whom I met was that we have made a decision in the CBOC business plan analysis that we would put a new community-based outpatient clinic, CBOC, in Northwest Washington, somewhere between Seattle and the Canadian border. I did not specify where it would be located, and I would be happy, when we have our meeting, to discuss that with you, but we have not made a decision as to where to site it.

Senator Murray. But the decision has been made to site one there?

Secretary Nicholson. Yes.

Senator Murray. Is there a time on that, a time commitment?

Secretary Nicholson. We hope to make the decision about where to put it before the end of the year, and then, you know, it usually takes us 6 months or so then to open one.

Senator Murray. Well, I appreciate that, and, again, part of the reason there has been such a flare-up over this is that our veterans are very well aware of politics and policy. They care deeply about policy, and the confluence there has really riled a lot of people, as you probably know now from the press. But one of the problems, I think, that I am hearing back and I think you should be aware of is that people are aware that clinics are a promise to veterans and they need to be part of a policy that we are all aware of. And there is a deep concern that many of these promises that are being made for clinics are being made in Republican districts and not in Democratic districts.
And maybe it is just a confluence of where things are, but are you aware that since you have been announcing clinics, 80 percent of them are in Republican districts? And I think that has brought some question to whether or not we are going to have politics become part of the VA process. I do not want that to happen. I do not think anybody does. But I just wanted you to be aware that is part of what some of the backlash has been on this. But I do appreciate your commitment to work with us. As you know, having been in Walla Walla, this is a really caring community. They have worked very hard on this, and I really appreciate your commitment to the LAP process and to having that community continue to be involved. And I will work with you on the western Washington CBOC, and I am really glad that is part of the process that you are going in as well. So thank you very much.

Secretary Nicholson. I was not aware of that statistic. I have never done that calculus. In fact, I am quite sure that district is a Democratic district.

Senator Murray. It currently is, but, unfortunately, the announcement was made on a political campaign rather than bringing the veterans in who have been following this, believe me, day by day.

Chairman Craig. Senator Murray, thank you. Senator Burr, thanks for joining us, and please proceed with any opening comments you would like to make and questions of the Secretary and the IG.

STATEMENT OF HON. RICHARD BURR, U.S. SENATOR FROM NORTH CAROLINA

Senator Burr. Thank you, Mr. Chairman, and my congratulations on one additional notch on your age. I understand it is your birthday today.

Chairman Craig. Thank you so much.

Senator Burr. Mr. Secretary, I really only had one question, but Senator Akaka has stimulated me to make a statement, and I will try to do this as diplomatically and delicately as I can. Your answer to his question basically said that there was a lengthy debate with a lot of people about whether and when to notify Congress, and you won.
I would tell you, just as a Member of Congress and of this Committee, a debate on whether that happens and when is not a debate that needs to happen. Notification of this body is an automatic thing. You were not served well, I think you have acknowledged that, from a standpoint of the lag time it took for the information to get to you. I also look at what you considered to be a quick decision in this debate at issue, and I consider the lag time between the 16th and the 22nd, the notification of us, as unacceptable. So my intent was not to rehash any old stuff. It is just to make the point that we are partners, and we serve the veterans, you serve the veterans. We each have a piece of the responsibility. Ours is policy and financially. It takes all partners to make it work, and I would hope that in the future, regardless of what area of Government, there would not be a debate about whether or when Congress was included in good news or bad news. My question is a very simple one. You have gone through an exhaustive process to find what the correct path from here is, and I commend you for that. I think it has been done very thoroughly. What will you do to gain back the trust of veterans? I think that was at the root of Senator Akaka's question. We made an offer to veterans that I think was an offer we had to make--credit monitoring. I was not part of that debate as to whether we continued it or not. But that decision was made. Now the responsibility still falls to you of, over and above, just fixing this system and monitoring to see what happens, how do we gain back the trust of veterans across the country?

Secretary Nicholson. Well, Senator, I think you have to earn it and you have to show leadership and commitment and delivery. I travel a lot. I meet with a lot of veterans, and I talk to them about a lot of things.
And I would say that generally, because the VA continues to function very well--I mean, I don't know if you were in here when they mentioned about the Business Week article saying that we are not only the biggest, but the best health care system in the United States of America. And a week ago Monday night, Harvard University awarded the VA its top award that it gives every year for the best innovative solutions in Government. And 1,000 entities competed for that. And the VA won, and they had a big banquet up here at the Washington Hilton and awarded that to the VA. The VA earned that. The VA continues to provide outstanding services, medically and benefits and burials, to veterans. So it is functioning very well. But this is, no question about it, you know, a real flaw and a very visible one. So we have to earn that back. The best way to do it is every day, you know, getting up, putting on your work clothes, and doing a good job, and then making sure that we get this right, that this does not happen, and that we do indeed become the model for this that we can be depended on.

Senator Burr. Well, I clearly acknowledge to you, I believe we do much more good than we do bad. This is an unfortunate incident. Let me just restate that if there is one organization out there that is unhappy with the course that we have laid out, then it makes our job that much harder to build that trust back, and I would just encourage you today to, as aggressively as you can, bring those groups in that represent those veterans. Find a way to bring their assurance level high enough that it is not just a cutoff mark. And, you know, we all know the realities that we are faced with, and if there is $160 million that we do not have to spend on that, we can put it into health care. That makes tremendous sense. But I think we also have to understand that there is some element of the population out there that we also promised that money to make sure that their identity, their credit was protected.
As long as 100 percent of them feel and are told that they should be comforted at what direction we have turned to, I will feel comfortable. But unless we have reached that consensus, I think we still have some work to do. I thank you for your willingness to come up and share your plans with us. I thank you for your service, especially at a time that it has not been easy as Secretary of the VA. More importantly, I thank the Chairman for, I think, the methodical way that this Committee has worked through this issue trying to find a common solution, and I commend you.

Chairman Craig. Thank you, Senator. Mr. Secretary, General Opfer, let me make a couple of comments and then go into the plan and where you all are going to go. We are tremendously proud of what VA did during Hurricane Katrina, the orderly process of evacuating hospitals and removing people and taking them out of harm's way. You did it because you had a plan and you had practiced it and executed it. You could do it jointly or hospitals could do it individually. And when communications systems broke down, hospitals did it individually. I was here on 9/11. Most of us were. Chaos reigned supreme on Capitol Hill. Why? No plan of execution, no process, no procedure, and, more importantly, no drilling--no establishment within the system and within the employees--of how you deal with an emergency crisis. We are now doing that. The bells ring around here. People orderly march out. They go to their points of contact. They go to garages. They are quarantined. We practice, we drill. And we are getting better. And even during that, there is a sense of calm now that, if it were real, somehow we would have a way of orderly moving through this and getting out of it. That is how you establish a culture. You do not do it by simply putting it on paper. You work it. You process it. You proceed. You practice it. And you enforce it amongst those who fail to listen.
As much as I respect the VA, I also understand the firewalls of a bureaucracy that will resist change. So let me turn to you, General Opfer. Have you had a chance to review VA's implementation plan that the Secretary talks about? And if so, what are your comments?

Mr. Opfer. Yes, Mr. Chairman. The report that we issued covered a lot of issues raised in the FISMA work, the consolidated financial statement audit, as well as the data loss. We made a number of recommendations to the Secretary, and I am very pleased at the reaction of the Secretary and his commitment toward the recommendations in our reports. The Secretary has concurred with all the findings and the recommendations that we have made and provided us improvement plans. In his response, he has extended a commitment to strengthening and clarifying all the VA policies which relate to information security and privacy issues, holding employees as well as--I think a very important factor--contractors to the same standards and to make sure that we are correcting the problems found with contracts, so that they all comply with these policies. Improvement plans provided by the Secretary are responsive to our recommendations, and I think when they are fully completed and fully implemented, they will address the concerns that we raised in the report. The Secretary mentioned an issue which I think is one that we have to overcome. There is a culture problem that we need to address because this change really addresses that we need to have the people, all the employees in VA and contractors, those that use the systems change their culture regarding the use, the storage, and transmission of the data. And I think that the plan will provide us an opportunity, and we will fully review all the recommendations as they are being implemented to make sure that they are fully implemented.

Chairman Craig. You have walked into my next question, and that was: Do you have a plan to follow up and to monitor?

Mr. Opfer.
Yes, usually what we do--and we will in this case, Mr. Chairman--is we will not close out any of the recommendations until they are fully implemented. For example, implementation of a new policy and procedures without compliance does not do any good. You have to have the compliance with the policies and procedures. So we will not accept that they have established a policy and procedure, we will go out to various facilities to make sure that there is compliance, not only in headquarters, but whether it is in a hospital or another location out in the country. We will aggressively follow up on all those recommendations and make sure that they are in compliance. In addition, as I mentioned, our FISMA work and consolidated financial statements audits, prior to this issue, I had made a decision that I was going to contract out next year for the FISMA work, and I wanted to use the staff that the IG had that was doing the FISMA work to do additional IT penetration tests and other IT security issues. So this would fall right into it. We will aggressively pursue--and as I am testifying here today, we are doing unannounced penetration tests and other compliance audit reviews, and we will aggressively continue to do those.

Chairman Craig. Thank you. We have been joined by Senator Thune. John, do you have any opening comments or questions before we start the second round?

STATEMENT OF HON. JOHN THUNE, U.S. SENATOR FROM SOUTH DAKOTA

Senator Thune. Mr. Chairman, I just want to thank you for holding the hearing, and I want to thank Secretary Nicholson--and good to have you here, Mr. Opfer--for joining us and hopefully shedding some additional light on this very important issue of data security. It is something that veterans in South Dakota--one of the things when I travel in my State, and I am sure you hear this, too--an issue that really got on the radar screen.
There is a tremendous concern--it really penetrated the consciousness of our veteran community out there and a real concern. And I guess my whole concern here--and I hope that some of the findings and recommendations and issues that have arisen out of this will give us an opportunity to address this so that it never happens again. So we look forward to working with you on that, and I want to thank you, Mr. Chairman, for holding this hearing. As we said at the last hearing we had, when initially this was disclosed, we have got a lot of work ahead of us, and so we look forward to getting that done. I will let you go ahead and some of the folks who have been waiting here ask some questions, and I will perhaps ask some questions on the second round. So thank you for holding the hearing.

Chairman Craig. Senator Thune, thank you. Senator Murray.

Senator Murray. Thank you, Mr. Chairman. Let me follow up on the credit monitoring issue again, because I think Senator Burr spoke to the issue that I think is deeply concerning to all of us, that is, reestablishing trust to our veterans. And a promise was made to them, after they felt very violated that their records had been gone, that they would have this credit monitoring for a year. So I think the announcement that they would then not have it has jarred a lot of feelings, well, how do we trust this? I think that is an important point in consideration, and no one wants to spend money unwisely. But I would suggest that it would be wise money spent. I listened very carefully to the plan, and obviously a change of culture with an additional long-term implementation of encryption processes and all the other things that are going to go into making sure that the records are not breached again, leaving those records vulnerable until all of that is accomplished, it seems to me that the credit monitoring would be a wise investment.
But the other issue that I want to raise as well that tells me that we should keep credit monitoring is that we are getting a number of veterans calling us telling us that they are getting called by people who say they are with the VA and asking for personal information in order to protect the veteran's credit. I am very concerned that we have left this population vulnerable to those kinds of individuals, and providing the credit monitoring will give them the ability to say, ``I already have protection,'' and make them much less vulnerable to those kinds of people who will use this incident to go after them. So I would like to ask you again, Mr. Secretary, where you stand on the individual credit monitoring and how we can perhaps go back to that question.

Secretary Nicholson. Again, we made a decision that after the data had been stolen, was, you know, at large, that we should contract and provide credit monitoring for the affected veterans. Then the data was recovered, and the FBI is saying that this data was not compromised. And the cost, given the large population of people, is approximately $160 million. So the facts changed. The situation has changed. We plan to inform the veterans of that, and we plan to inform the veterans in a letter telling them they can still have their credit monitored by one of the three monitoring agencies, free for a period of, I think it is 90 days by calling them on a 1-800 number. They can still get credit reports three times during the year if they have any concerns, and that we are doing this overarching analysis of this data to----

Senator Murray. So is the credit monitoring still available to the veterans? Maybe I misunderstood.

Secretary Nicholson. Not in the form that we were going to provide before the data was recovered, no. But all veterans, all citizens are entitled to call one of those credit monitoring companies and get a copy of their credit report and to have a credit alert put on their file for----

Senator Murray. But it costs them something.

Secretary Nicholson. No, it does not cost them anything.

Senator Murray. But you are not going to offer the one year free credit monitoring that originally was involved. Well, can you give this Committee the assurance 100 percent that information was not accessed?

Secretary Nicholson. I can only give you, Senator Murray, what the FBI has given us, which is that this data, based on their forensic analysis and the expertise that they have, combined with the circumstantial part of it, which was that this was, again, random burglary that was not seeking this data, and the way it was handled and fenced and somebody bought it and turned it in for a reward----

Senator Murray. But it was fenced and someone else had it, so it is--I have not seen the FBI report. Obviously, they have not shared all the details with us. But there still can be a chance that it was accessed by someone who knew what they were doing.

Secretary Nicholson. I think that I could not sit here and say to you that it is 100 percent, because the FBI has not told us that.

Senator Murray. OK. And we also know that the VA records themselves, still we have not implemented the plan that you have now moved forward. You are moving forward on one, but the records still are not encrypted. There still has not been the change of culture, those kinds of things that we can guarantee people. Correct?

Secretary Nicholson. All of our restructuring and reformation and all that are not complete. That is correct. There are many things underway.

Senator Murray. And are you aware that some of our veterans are getting called by people saying that they are with the VA and offering services?

Secretary Nicholson. I have heard that on a couple of occasions they were being called by the VA because the VA does polling of its beneficiaries continuously, both medically and benefit----

Senator Murray. They call and ask for personal information over the phone?

Secretary Nicholson. We have discontinued that.
It is just authentication information that they are talking to the right person. But we have discontinued that for now because that was causing confusion. But, additionally, it is possible that--I mean, it is not only possible, it is probably happening that veterans are getting calls from people in this fraudulent world because that happens. Last year, I am told that 9 million Americans had their identity stolen.

Senator Murray. Right. And, unfortunately, some people are using this incident to then call veterans and ask for their personal information, saying that they are with the VA, which leads me, again, to the conclusion that providing this credit monitoring for a year will give some security to veterans at a time when, whether it was real or not, whether actually the data was used or not, there is a lot of insecurity out there. So I guess I would just ask, Mr. Chairman, if that question could be reconsidered, if we could look at the facts. I think it is a time when we have to reassure our veterans. I do not want to spend the money any more than anyone else does. I certainly do not want to see it come from benefits or health care. But I also know that a climate has been created that could be used by someone who is using it fraudulently, but also when our veterans themselves still do not know that their information is encrypted, and I think that kind of security would be something that we--I hope we can relook at that decision and do it quickly.

Chairman Craig. I thank the Senator, and I do not think any of us do not share in your concern. And it is not a perfect world, and I think the reality is--and that is when we began to look at this in a situation where we believed--we knew that the information had been stolen.
We did not know that it had been breached yet; that veterans, by simply the multiplier that the Secretary spoke to, some were going to get their ID stolen, whether it was out of this database or whether it was another database; and that how we measured that was going to be critical because the Government is not responsible for a veteran's loss of information if it is not out of this database, and how we break that out, clarify it, and understand it. So I am to date comfortable with the current monitoring that is underway and planned for the broad sense to try to assure that what we believe is now at hand is valid. And I am willing to live with that for the time being. If there is any indication that it is not, then I am going to agree that there is a responsibility.

Senator Murray. Well, we do have a problem because we have all been out there talking to veterans saying, ``Your credit is free monitoring.'' They may not know that the decision has been rescinded, and, you know, for us to go back out there and say, ``Oh, never mind now'' is a very difficult situation.

Chairman Craig. That is a communications problem that I think we have got to all work collectively at, and I----

Senator Murray. Yes, and I am just looking at it, it is just my recommendation that we continue it.

Chairman Craig. I appreciate that.

Senator Murray. But we will have the discussion.

Chairman Craig. Yes. Mr. Secretary, how do we, how does this Committee, how does VA, and how does a new Secretary 3 years from now or 4 years from now, sit before this Committee and hold up a brochure like this and say, ``Today Harvard has announced that the information system of the VA is the best in the Nation and a model for the rest of the Federal Government to follow?'' How over the course of the next 3 years do we work with you and a new Secretary to make sure that that announcement day comes?
We obviously, by the establishment of VA's electronic medical records success, have it within the system's capability of getting it done. And how do we work with you to assure that same thing will happen system wide in the information world?

Secretary Nicholson. Well, that is exactly the goal, Mr. Chairman. You have described it. That is what we talk about, our leadership team, when we talk about the change that we are in. We use the term the ``Gold Standard,'' but that is really what we are talking about. If we can win this annual award for innovations and Government solutions for our electronic medical records, we can do it for our information technology and security systems. But, you know, it is going to take a very good plan, that is, good architecture. Then it is going to take good implementation and constant monitoring, you know, management, to see that it is functioning the way that it should. And that is the path that we are on. We have brought in the best, we think, that exists to help us in that architecture to design the kinds of systems that we need. And as I have said in my testimony, we made the threshold decision last October which had to be the predicate for all of this that we have centralized the management of information technology in this vast bureaucracy where it was decentralized all over the world, really, from Maine to Manila. That is all being pulled in, and that was underway because of some of the deficiencies that had been pointed out for several years by the IG. It is accelerating. We have a sense of urgency about this. This is a terrible event. I do not think that a lot of it is very technical when you talk about the kinds of encryption models that we are going to use and those kinds of things, but a lot of it is common sense of having people inculcated with this culture.
And the model that I use, which I am very familiar with, is the military, where to have access to classified information, you have to have a clearance and you have to have a need to know. I think that is a model that we need for access to all this digitized information that we now work with in this agency and so many others. We need to know something about the people to whom we are giving this access because you have to--in the end game--you have to trust them. You cannot keep it from them. Somebody asked me at one of the hearings how we could let them carry it out, and I held my wallet up, which is larger than this hard drive. But they do not have to carry it out, Mr. Chairman. They can send it out.

Chairman Craig. That is right.

Secretary Nicholson. So you have to be able to depend on the people, and you have to know something about them, which means give them background investigations, clearances. So it is a composite of all those things. It is going to take a lot of management.

Chairman Craig. Have you established a time line? Is that now in place? Or are you far enough along to say here are time lines in which certain things will be accomplished that we in the Congress can--that you can share with those of us in Congress who are focused on this, share with the Inspector General, in a way that we can monitor with you those successes? Senator Murray talks about a state of confidence. Senator Burr talks about a state of confidence. Senator Akaka talks about a state of confidence. As I said in my opening statement, the state of confidence on Capitol Hill does not exist today because of repeated warnings, repeated observations, and a failure to adhere to that, not on your watch, but on many watches before you. Had that state of confidence been established, and a procedure and a process, prior to your presence as Secretary, there is a strong likelihood that what occurred on the 3rd of May would not have occurred.
And so I do not think this Congress is going to be confident, and my guess is that the population that VA serves will not be confident, until that plan is monitored, publicized, implemented, and the implementation phases are monitored and publicized. When can we expect to see that kind of time line, procedure, and process?

Secretary Nicholson. We have that, Mr. Chairman. In fact, it is at Tab 3 of the IG's report, which I am sure you have a copy of.

Chairman Craig. OK.

Secretary Nicholson. It takes pretty good eyesight because it is----

Chairman Craig. That may be my problem at 61 years of age.

[Laughter.]

Secretary Nicholson. I was going to say as a World War I veteran----

[Laughter.]

Secretary Nicholson. I would refer you to that, and this is a dynamic document, but it does show the functional things that we are doing and time lines that have been affixed to them. And because it is dynamic and it is not all cast in bronze yet, I would not submit it for the record of this hearing. But the IG has it, and it is in the report.

Chairman Craig. We have it. That is why I brought it up. This needs to be known. Inspector General, how do you monitor this time line? It is in your report. You have a process in place now to follow through?

Mr. Opfer. Yes, that would be the process I described before, Mr. Chairman, of any recommendations or findings that we have in the report. We do not clear those recommendations or findings until they have been fully implemented and we have verified that they have been implemented throughout all the facilities in VA. That is part of our follow-up process.

Chairman Craig. OK. Thank you. Senator Thune.

Senator Thune. Thank you, Mr. Chairman, and I appreciate that line of questioning. That is an issue that I have talked about in previous hearings here, and that is the issue that was raised with the House bill that would centralize everything.
And I think we talked about at this hearing the efforts that are being made internally to accomplish some of those same objectives at the VA. And so I am very interested in the Chairman's line of questioning with respect to timing and how that is proceeding. I also am interested in just getting your reaction, because I think they are debating in the House today, to legislation that would make the CIO at the VA an Under Secretary, and if you think that makes sense, to have someone that has got more, I guess, line authority, someone that can oversee this whole effort that is being made to get this information centralized. And I know you have different models that have been described at previous hearings. The Federated model I think is the one that you are--is that correct? Is that the one that you are pursuing right now?

Secretary Nicholson. Yes.

Senator Thune. But I guess I would be interested in knowing, Mr. Secretary, whether the legislation is something that you would support, whether that is a worthwhile course to proceed with, and any other thoughts you might have about how we just tighten this up so that the information that is there does not have the propensity to be, I guess, lost or stolen like what we experienced here with this last event.

Secretary Nicholson. Well, I think that is a very good question, Senator Thune, and we have been working with it. The House is doing that, with all the best intentions of trying to help this, that is, to make the Chief Information Officer an Under Secretary. I do not think it is necessary. The importance underlying all of this is leadership, the commitment, and sound management. And so the title that you give someone, that is not going to fix anything. It is how it is implemented and in this cultural change that we have been talking about.
So it violates, frankly, my sense of design of an organization because we have three Under Secretaries and each of them has operational responsibility: One is to run a health system; the other is to run a benefits system; and the other is to run a burial system. They are operators. They are in a military context. They are maneuver element commanders. They are out there, they are fighters. And the others, everybody else is a staff supporter. And information technology and information security is a staff function. It is a very important one, but it is still a staff function. And by doing the centralization that we have done and by empowering the CIO, which I have done--and for some reason it was never done, but I have done it--I have by directive given him not just the responsibility, but the delegated authority commensurate with his responsibilities to manage IT as an Assistant Secretary. And so I do not think it is necessary.

Senator Thune. Mr. Opfer, are there any other agencies that you are aware of that are doing a good job in the information security--I am sorry--that have--you know, in terms of the way they go about this? I guess what I am asking is, in the Government--and I realize each agency has unique needs and you have got different database requirements and everything else. But are there similarities or differences between the way the VA does and other agencies do it? And are there things that other agencies are doing that we could learn from and perhaps implement?

Mr. Opfer. Senator, I think we would need to look at some of the agencies that have gotten good marks on the FISMA reports, for example. That would be mostly in IT security and the financial statements, I know some of the ones that come to mind to me would be the Social Security Administration; the Department of Education had problems over the years; they have done a very good job in correcting them and the Department of Labor.
We just recently brought on board the new Deputy Assistant Inspector General in our office. The individual is considered an IT security expert who helped create the program for reviews in the Department of Education. And I think he will help in our role to assist the Department in going along with that. But I think we can look at other agencies. It is not exactly a layover, but look at some of the problems they have had and how they have addressed it. But a lot of it is really making sure that we hold people accountable and have policies and procedures in effect. And we have to realize that we are living in a digital age, and this is constantly evolving. And if we get the policies and procedures in place, we cannot say we have accomplished our mission. We have to review them. Are they still protecting us with the possible threat that we have now?

Senator Thune. Do you contemplate in your analysis when you do these sorts of reports some of the things that are happening in other agencies? Do you incorporate that?

Mr. Opfer. Yes, we do. I have actually been requested by some of the other Inspectors General and other Departments' Deputy Secretaries, when it is appropriate, to give lessons learned from our perspective, and I have already accepted to go and do that. And the President's Council on Integrity and Efficiency has asked us--they have what they call an IT Roundtable for all the Inspectors General, and we will put on a presentation of what we have learned from our review, and this is to the other IGs of the agencies.

Senator Thune. Very good. Thank you, Mr. Chairman.

Chairman Craig. Senator Thune, thank you very much. Well, Mr. Secretary, General Opfer, thank you for your time before the Committee today.
I think this hearing was important not just for our record, but for any article or information that may flow from it as to where we are in this very important time and process as we work with you to transform VA into, I hope, a successful and recognizable system that develops the kind of integrity we need in information and intelligence flow within the agency itself. So remember our goal, Mr. Secretary.

Secretary Nicholson. Yes, sir.

Chairman Craig. Thank you. The Committee is adjourned.

[Whereupon, at 11:34 a.m., the Committee was adjourned.]

A P P E N D I X

[The appendix consists of six pages reproduced as graphics in the source (TIFF images T9717.002 through T9717.007), which are omitted.]