Veterans Affairs Department Secretary James Nicholson endured a barrage of questioning and criticism from two different Congressional hearings Thursday morning regarding the theft of a VA laptop and hard drive containing sensitive data for up to 26.5 million veterans and their spouses.
Over the course of back-to-back grillings by the House Committee on Veterans Affairs and then the Senate Committee on Veterans Affairs, Nicholson was forced to endure repeated reminders of his department's poor IT security track record, much political grandstanding by Congressional leaders, and a call for his resignation.
The hearings focused on the fallout of the May 3 data theft, after a VA analyst took his laptop home to do some after-hours work. The analyst was authorized to access sensitive information about veterans, including Social Security numbers and dates of birth, which were required for a policy-related project he had been assigned. The analyst wasn't, however, authorized to remove VA data from the VA's offices, even though he admitted to having done so as part of his work routine since 2003. His home was burglarized, and the laptop and an external hard drive went missing.
To make the situation worse, the stolen data wasn't encrypted, even though Nicholson claimed Thursday that the VA has a policy of encrypting sensitive data to mitigate the damage of a data breach. And the VA Inspector General's subsequent investigation indicates that the analyst's supervisors weren't aware that the analyst had removed the data from VA offices.
Nicholson's responses to questions vacillated between taking responsibility for the data breach and expressing anger that he wasn't informed of the breach until two weeks after it occurred. "As a veteran myself, I have to tell you I'm outraged. Frankly, I'm mad as hell," Nicholson testified before the House Committee on Veterans Affairs. He won't be the only one when taxpayers find out that the data breach is expected to cost them at least $100 million to notify affected veterans and provide them with credit-checking services.
Nicholson also stated that his department has begun a "relentless investigation of its policies on information security." Still, it was revealed during the House hearing that the department doesn't even know how many of its employees telecommute.
The VA's Inspector General and the Government Accountability Office have for years criticized the VA regarding its IT security policies and practices. "We are also reviewing how policies are disseminated to VA employees, whether VA employees are aware of the policies, and whether VA procedures for identifying, reporting and taking action when data has been improperly accessed or improperly used are adequate," George Opfer, inspector general for the Veterans Affairs Department testified Thursday before a joint hearing held by the Senate Committee on Veterans Affairs and the Senate Committee on Homeland Security and Governmental Affairs.
The VA Inspector General's office issued a fiscal 2001 report indicating weaknesses in VA information security controls. "Our Federal Information Security Management Act reviews have identified significant information security vulnerabilities since FY 2001 that place VA at risk of denial of service attacks, disruption of mission-critical systems, and unauthorized access to sensitive data," Opfer testified Thursday.
An inspector general's report from fiscal 2004 included 16 recommendations for the VA to improve the security of its IT operations, including centralizing IT security programs, implementing an effective patch management program, and addressing unauthorized access and misuse of sensitive information and data that the IG's office discovered during its evaluation. To date, none of the 16 recommendations have been addressed, Opfer testified.