Buyer: Veterans’ Committee pursuing answers, solutions to veterans’ data loss
 

Washington, DC — Responding to the theft of personal data on millions of veterans and servicemembers from the Department of Veterans Affairs (VA) in May, the House Committee on Veterans’ Affairs is moving quickly on a bipartisan basis with plans to consider legislation.

Immediately after VA Secretary Nicholson announced the theft, on May 22, Veterans’ Affairs Committee Chairman Steve Buyer (R-Ind.) brought him to testify before the Veterans’ Affairs Committee.

“Veterans, servicemembers and their families cannot wait for the wheels of government to slowly turn,” said Buyer. “We must act promptly, yet we must also understand what went wrong at VA so that we can prevent it from happening again. We will conduct an aggressive series of hearings to give us the information we need to both remedy any harm done to veterans by this incident and fix the problems in the system.”

Joining Chairman Buyer and committee members today in a roundtable with experts from the private sector was Chairman of the House Appropriations Subcommittee on Military Quality of Life and Veterans Affairs, James Walsh (R-N.Y). The roundtable discussion included information technology experts from the private sector, including Goldman, Sachs & Company, EMC Corporation, VISA, Citigroup, TriWest, and American Bankers Association, all of whom essentially agreed with the importance of centralized management of sensitive information.

Also attending the roundtable was the newly appointed special advisor for information security to Secretary of Veteran Affairs R. James Nicholson, VA’s assistant inspector general for audit, the Federal Trade Commission’s associate director for privacy and identity protection, and the Government Accountability Office’s director of information security issues.

As it works to protect America’s veterans, servicemembers, and their families, the Veterans’ Affairs Committee will hold hearings on June 14 with the VA IG and GAO to review prior recommendations on VA cyber security. That hearing will be followed on June 22, with one featuring academic and industry experts on operational aspects of IT security and with VA’s General Counsel invited to testify on legal implications.

On June 28, the committee will hold a hearing on the role of VA’s chief information officer and the department’s Office of Information and Technology. On June 29, the committee will hold a hearing with Secretary Nicholson invited to testify.

The Committee on Veterans’ Affairs has already directed several briefings from VA about the data loss and on May 25, 2006, held an oversight hearing on the matter at which Secretary of Veterans Affairs Nicholson, other senior VA officials, the VA’s Inspector General, the Government Accountability Office (GAO), and private sector data security experts testified on the situation and how to address it.

Buyer has called the incident a meltdown of VA information management.

The serious compromise by VA of personal data belonging to millions of veterans has prompted the introduction of several thoughtful pieces of legislation intended to help affected veterans and prevent incidences of data loss such as the one experienced in May.

While to date, five bills have been referred to the Committee on Veterans’ Affairs, it is important to understand that there are significant information security problems government-wide. The incident at VA should prompt examination throughout government, Buyer noted.

“Despite aggressive House oversight, VA’s internal controls and data security have been grossly inadequate. The GAO and VA’s Office of the Inspector General (IG) have both pointed to VA’s decentralized management and lack of accountability as major shortcomings,” said Buyer and Committee Ranking Member Lane Evans (D-Ill.) in a statement to members of Congress Wednesday. “These shortcomings have led to 16 recurring, unmitigated IT vulnerabilities that have been identified over the past eight years.”

The Veterans’ Affairs Committee and its subcommittees have during that time held a number of hearings covering many aspects of VA’s IT problems, including security.

In 2005, Buyer introduced H.R. 4061, the Department of Veterans Affairs Information Technology Management Act of 2005, which the House passed it 408 – 0 on November 2.

“This legislation would be an important step in remedying fundamental security problems at VA. Unfortunately, at the urging of an entrenched VA bureaucracy, the Senate has so far declined to act on the bill. As a result, with IT management continuing to operate in a completely stovepiped and decentralized manner, accountability remains elusive,” Buyer and Evans said in their statement.

A June 12, 2006, Newsweek article noted that, along with VA, some other large government agencies also get failing marks on information security. It concluded, “Maybe 26 million records lost will be a wake-up call.” The VA has recently disclosed that the data lost in the May theft included information on more than 2 million servicemembers.

“From our military experience, we know that one of the first things a commander does is identify the key control officer. You have to know how the keys are being controlled. The VA has too many keys and too little control,” they said.