Hon. Harry E. Mitchell, Chairman, and a Representative in Congress from the State of Arizona
I have accelerated our subcommittee’s review of VA information security management for several reasons. I thank all three panels of witnesses and our subcommittee members for their cooperation despite the somewhat short notice we were able to provide. It is my belief that when the subject matter justifies some sort of review, such a review should be thorough, balanced and timely.
This topic was on the subcommittee agenda for later in this year. While it is a recurring and non-partisan topic for our Veterans Affairs Committee, the events regarding the data loss at Birmingham and other circumstances have led me to advance this hearing on our subcommittee docket.
In this hearing I wish to determine the current status of information security management at VA. Admittedly, the Birmingham incident holds powerful sway over the landscape. If the Birmingham incident stood alone against a backdrop of a sound information security management program perhaps we could address a one-time-only incident with more patience.
However, the record reflects a host of material weaknesses identified in Consolidated Financial Statement Audits and Federal Information Security Management Act [FISMA] audits over recent years. The Inspector General’s Office and the Government Accountability Office have both reviewed VA and found deficiencies in the information security management program over the last eight years. VA is slow to correct these deficiencies. For example, the VA IG made 16 recommendations with regard to information security management in 2004 – all 16 remained open in 2006.
During our full committee review of the May 3rd 2006 data loss, we discovered a general attitude regarding information security at VA that our current full committee Chairman Bob Filner once referred to as a “culture of indifference”. Today, I wish to address this issue of “culture” and the need for cultural change with regard to information security at VA.
Last year, the committee reviewed cultural problems at several levels at VA.
We looked at the very top levels of VA leadership and were critical.
We looked at the program leadership level and were critical.
We looked at the promulgation of information security policy in VA and were critical of the various methods employed by some program leaders and advisors to gut those policies, to avoid accountability and to weaken information security practices.
We were critical of the lack of checks and balances in the information security management system at VA – was guidance being followed, did oversight occur?
We were critical of the delay by VA in providing congressional notice of the May 2006 incident. We were critical of the slow escalation in notice of the magnitude of that problem.
VA mailed notices to millions of veterans addressing the data compromise and made a public commitment to become the “gold standard” in information protection within the Federal Government. Eight months after the initial data loss, VA reports another loss of significant magnitude associated with a Birmingham VA research program.
That a weakness existed in this area surprised no one. That it happened at all serves to precipitate this type of congressional oversight hearing. While the actual loss of the external hard drive and the limited electronic protections on that missing equipment should be considered the 800-pound gorilla in this room, there were some silver linings with the Birmingham story as we now know it.
For example, the loss was reported in VA and quickly relayed to the appropriate people. Mr. Howard notified congressional oversight staff and Secretary Nicholson called the Chairmen and Ranking Members of the VA Committees. The Office of the Inspector General was quickly involved and opened an investigation.
In similar examples from May 2006, VA took days or weeks to accomplish those tasks – in the Birmingham incident of January 2007, VA took hours or days to accomplish the same tasks. Staff was notified within one day, and calls from the Secretary followed a few days afterwards. The investigative trail was reasonably fresh for the IG to follow.
What of VA culture with regard to this issue? The IG made five recommendations to the Secretary in their “Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans” on July 11, 2006. As of today, all five of those recommendations remain open. Why?
After the 2006 series of hearings, VA issued a series of tough sounding declarations, but problems still remained and another major incident has happened. After the Birmingham incident, the Secretary issued some tough guidance, but what impact will it have? Will history repeat itself? How deep are the cultural barriers?
I believe that it is important to review all aspects of this issue. We need to hear from VA leadership and in that regard we are pleased that Deputy Secretary Mansfield has agreed to testify. He, Secretary Nicholson, and the Undersecretaries are key to setting policy – they represent the Department in this matter.
But we also need to look at this problem through the eyes of the remaining 200,000 plus people in the VA. Do leadership actions throughout the management hierarchy match policy guidelines everywhere in VA?
Do the rules say “no” but the culture beckons, “Aw, go ahead – make an extra copy of the data and your life will be easier,” or “Take a shortcut, no one will follow up”? If we change the culture at VA we can begin to fix the problem.
But people have different cultural perspectives; those of the VA leaders on panel 1 may differ from those of the researchers in the field. Leadership’s policy guidance may now be spot on, but the question is how that policy is received at the user-end. For that reason, this subcommittee requires testimony across the spectrum of people who in any way handle sensitive information about our veterans. Let us approach this with open minds, consider other perspectives, and be able to put this problem to rest for a long time.
Before I recognize the Ranking Republican Member for her remarks, I would ask our Members’ consent for a guest and permit Congressman Artur Davis from Alabama to sit at the dais and be allowed to ask questions after all subcommittee members have had that opportunity. Without objection?
I now recognize Ms. Brown-Waite for opening remarks.