VA officials ignored security warnings
- By Bob Brewin
- May 29, 2006
For years, the Department of Veterans Affairs has had a culture in which employees ignored warnings about poor security practices, and that partly led to the theft of a VA computer and disks containing personal information on 26.5 million veterans, top current and former VA officials said.
VA Secretary Jim Nicholson said the agency has policy directives to safeguard sensitive information, but many VA employees take them lightly, seeing them as suggestions rather than requirements.
The recent theft involved a VA data analyst who had loaded personal information on every living veteran, including birth dates and Social Security numbers, onto his laptop computer, which the employee took home. Someone stole the computer from the employee’s home May 3. The data was also on a portable device, which officials have not identified. That device was also stolen. The VA did not alert the public until last week.
The employee’s actions violated agency policy, Nicholson told a joint hearing of the Senate Veterans’ Affairs and Homeland Security and Governmental Affairs committees.
The employee apparently did not feel bound by the policy and had routinely worked on sensitive data at home during the past three years, said VA Inspector General George Opfer. None of the employee’s supervisors knew he had taken a file of 26.5 million records home.
At the hearing, Sen. Susan Collins (R-Maine) emphasized the lack of adherence to guidelines by reciting a litany of VA IG and Government Accountability Office reports that have identified information security vulnerabilities at the VA for years.
Opfer told the panel that Federal Information Security Management Act reviews by his office have identified significant information security vulnerabilities at the VA since 2001.
He said the IG’s office has repeatedly warned of serious security problems caused by the VA’s lack of control and oversight of access to information systems, including poor monitoring of employee access to sensitive information.
The situation placed sensitive veteran information at risk, Opfer said, “possibly without detection of inadvertent or deliberate misuse, fraudulent use, improper disclosure or destruction.”
Nicholson told Collins that he had no excuse for ignoring the warnings from the IG and GAO during his 15 months on the job, but he said he believed the department has started to make progress under a plan to centralize information technology. Recently retired VA chief information officer Robert McFarland developed the plan.
Nicholson, an Army veteran who spent eight years on active duty and 22 years in the Reserves, said he is “mad about the loss of veteran data, and the fact that one person has put us all at risk.”
The VA has “begun a relentless examination of its policies and procedures to make sure nothing like this happens ever again,” Nicholson said.
To ensure VA employees make data protection a critical part of their jobs, Nicholson said, every employee will be required to complete cybersecurity and information privacy courses by June 30, and they will need to annually sign a Privacy Act statement.
Those measures reflect standard practices at high-tech commercial enterprises. Nasrin Rezai, global director for information security at Cisco Systems, said the company has a security education program that includes in-person training and on-demand videos, and the company’s code of business conduct enshrines security.
Cisco employees must sign an annual statement that they have reviewed and received training to learn the company’s information security policies, Rezai said.
Technologies can help protect data
The VA will also work to encrypt sensitive information and plans to have new guidelines by June to govern remote users’ access to data, Nicholson said. He did not provide any details.
Other federal agencies are well on their way to protecting information on portable computers. The Army, for example, will require computer purchases made in the next decade to have a Trusted Platform Module Chip to prevent unauthorized use of the computers, said Eduardo Velez, CIO of the Army’s Program Executive Office for Enterprise Information Systems (PEO-EIS).
That chip will work in conjunction with BitLocker, a new universal drive encryption technology. Microsoft will use BitLocker in Vista, its latest Windows operating system upgrade.
David Pierce, a senior line of business manager for cybersecurity at GTSI, said some of the VA’s regional organizations, which he declined to identify, have already deployed encryption software from Credant Technologies for laptops and other mobile devices.
Nicholson said he has started the recruitment process for a personal information security czar to ensure that data protection remains at the forefront.
Nicholson should give the VA’s CIO and chief financial officer a position equal in rank to undersecretary so that they can influence and enforce information security policies, said John Gauss, who was the VA’s CIO from 2001 to 2003 and is now president and chief operating officer at FGM.
Bruce Brody, who was the VA’s chief information security officer from 2001 to 2004 and is now vice president for information security at Input, agreed with Gauss, saying that the VA’s CIO has never had the authority to enforce policies. Brody said Congress needs to provide the CIO with real authority in annual authorization bills.
Otherwise, he said, managers and workers at the VA’s health, benefits and cemetery administrations will continue to do what they have always done: ignore the CIO’s policy directives and procedures.