VA officials ignored security warnings

In wake of data theft secretary vows relentless pursuit of compliance with security policies

For years, the Department of Veterans Affairs has had a culture in which employees ignored warnings about poor security practices, and that partly led to the theft of a VA computer and disks containing personal information on 26.5 million veterans, top current and former VA officials said.

VA Secretary Jim Nicholson said the agency has policy directives to safeguard sensitive information, but many VA employees take them lightly, seeing them as suggestions rather than requirements.

The recent theft involved a VA data analyst who had loaded personal information on every living veteran, including birth dates and Social Security numbers, onto his laptop computer, which the employee took home. Someone stole the computer from the employee’s home May 3. The data was also on a portable storage device, which officials have not identified; that device was stolen as well. The VA did not alert the public until last week.

The employee’s actions violated agency policy, Nicholson told a joint hearing of the Senate Veterans’ Affairs and Homeland Security and Governmental Affairs committees.

The employee apparently did not feel bound by the policy and had routinely worked on sensitive data at home during the past three years, said VA Inspector General George Opfer. None of the employee’s supervisors knew he had taken a file of 26.5 million records home. At the hearing, Sen. Susan Collins (R-Maine) emphasized the lack of adherence to guidelines by reciting a litany of VA IG and Government Accountability Office reports that have identified information security vulnerabilities at the VA for years.

Opfer told the panel that Federal Information Security Management Act reviews by his office have identified significant information security vulnerabilities at the VA since 2001.

He said the IG’s office has repeatedly warned of serious security problems caused by the VA’s lack of control and oversight of access to information systems, including poor monitoring of employee access to sensitive information.

The situation placed sensitive veteran information at risk, Opfer said, “possibly without detection of inadvertent or deliberate misuse, fraudulent use, improper disclosure or destruction.” Nicholson told Collins that he had no excuse for ignoring the warnings from the IG and GAO during his 15 months on the job, but he said he believed the department has started to make progress under a plan to centralize information technology. Recently retired VA chief information officer Robert McFarland developed the plan.

Nicholson, an Army veteran who spent eight years on active duty and 22 years in the Reserves, said he is “mad about the loss of veteran data, and the fact that one person has put us all at risk.”

The VA has “begun a relentless examination of its policies and procedures to make sure nothing like this happens ever again,” Nicholson said.

To ensure VA employees make data protection a critical part of their jobs, Nicholson said, every employee will be required to complete cybersecurity and information privacy courses by June 30, and they will need to annually sign a Privacy Act statement.

Those measures reflect standard practices at high-tech commercial enterprises. Nasrin Rezai, global director for information security at Cisco Systems, said the company has a security education program that includes in-person training and on-demand videos, and the company’s code of business conduct enshrines security.

Cisco employees must sign an annual statement that they have reviewed and received training to learn the company’s information security policies, Rezai said.

Technologies can help protect data
The VA will also work to encrypt sensitive information and plans to have new guidelines by June to govern remote users’ access to data, Nicholson said. He did not provide any details.

Other federal agencies are well on their way to protecting information on portable computers. The Army, for example, will require computer purchases made in the next decade to have a Trusted Platform Module (TPM) chip to prevent unauthorized use of the computers, said Eduardo Velez, CIO of the Army’s Program Executive Office for Enterprise Information Systems (PEO-EIS). That chip will work in conjunction with BitLocker, a new full-volume drive encryption technology. Microsoft will use BitLocker in Vista, its latest Windows operating system upgrade.
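As an added illustration of the TPM-plus-BitLocker arrangement described above (this is not code from the article, the Army or Microsoft), the following PowerShell checks whether a laptop has a usable TPM and whether its operating-system volume is protected by BitLocker with a TPM-backed key protector, and turns protection on if it is not. It assumes a version of Windows that ships the BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 or later, so newer than the Vista release the article anticipates) and an elevated prompt; the drive letter is taken from the system.

```powershell
# Added example, not from the article: verify TPM availability and TPM-backed
# BitLocker protection on the OS volume, enabling it if necessary.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

$osDrive = $env:SystemDrive   # e.g. "C:"

# 1. Is there a TPM, and has it been initialized so BitLocker can seal keys to it?
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    Write-Warning "No TPM found; BitLocker would need a startup key or password instead."
} elseif (-not $tpm.TpmReady) {
    Write-Warning "TPM present but not ready; initialize it (tpm.msc) before enabling BitLocker."
}

# 2. Report what BitLocker currently says about the OS volume.
$vol = Get-BitLockerVolume -MountPoint $osDrive
$protectorTypes = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

[pscustomobject]@{
    Volume           = $vol.MountPoint
    ProtectionStatus = $vol.ProtectionStatus   # On / Off
    VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
    EncryptionMethod = $vol.EncryptionMethod
    KeyProtectors    = ($protectorTypes -join ', ')
}

# 3. If the volume is unprotected and the TPM is usable, turn BitLocker on.
#    The recovery password is the escrow copy an IT department keeps so a locked
#    disk can still be recovered; the TPM protector unlocks the volume at boot
#    only when the firmware and boot chain match what the TPM measured.
if ($vol.ProtectionStatus -ne 'On' -and $tpm.TpmReady) {
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly -RecoveryPasswordProtector
    Add-BitLockerKeyProtector -MountPoint $osDrive -TpmProtector | Out-Null
    Get-BitLockerVolume -MountPoint $osDrive | Select-Object MountPoint, ProtectionStatus, VolumeStatus
}
```

One caveat a practitioner would want alongside this: a TPM-only protector defeats pulling the disk out of the stolen laptop or booting it from other media, but it lets the machine boot all the way to the Windows logon screen, so the data is then guarded by the account password and by whatever DMA and sleep-state protections are configured. Requiring a PIN at startup (the `-TpmAndPinProtector` option, which needs the "Require additional authentication at startup" group policy) keeps the volume key unavailable until the user authenticates to the TPM, which is the stronger posture for a laptop that travels home.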

David Pierce, a senior line of business manager for cybersecurity at GTSI, said some of the VA’s regional organizations, which he declined to identify, have already deployed encryption software from Credant Technologies for laptops and other mobile devices.

Nicholson said he has started the recruitment process for a personal information security czar to ensure that data protection remains at the forefront.

Nicholson should give the VA’s CIO and chief financial officer a position equal in rank to undersecretary so that they can influence and enforce information security policies, said John Gauss, who was the VA’s CIO from 2001 to 2003 and is now president and chief operating officer at FGM.

Bruce Brody, who was the VA’s chief information security officer from 2001 to 2004 and is now vice president for information security at Input, agreed with Gauss, saying that the VA’s CIO has never had the authority to enforce policies. Brody said Congress needs to provide the CIO with real authority in annual authorization bills.

Otherwise, he said, managers and workers at the VA’s health, benefits and cemetery administrations will continue to do what they have always done: ignore the CIO’s policy directives and procedures.

VA needs 26 million envelopes
As if the Department of Veterans Affairs didn’t have enough concerns to wrestle with following the theft of 26.5 million veterans’ records that were stored on a VA employee’s laptop computer, it now also needs millions of plain old-fashioned mailing envelopes right away.

The VA plans to notify all those veterans by mail, but the agency does not have enough envelopes, said VA Secretary Jim Nicholson last week at a joint hearing of the Senate Veterans’ Affairs and Homeland Security and Governmental Affairs committees.

The mailing will include information to help veterans guard against possible misuse of the stolen personal information, which included Social Security numbers and birth dates, VA Inspector General George Opfer said at the hearing.

The laptop was stolen from the employee’s Maryland home, but it remains unclear whether the thieves are aware of the veterans’ personal data or plan to do anything with it. Nicholson said the agency lacks envelopes and money for the mailing. “We don’t have 26 million envelopes,” he said. “And we need to reprogram $25 million for the envelopes and the call center.” The VA set up a special call center to handle calls from veterans concerned about the theft.

Nicholson estimated the costs of the envelopes and mailing would be $10 million to $11 million, with the remainder of the $25 million going to the call center.

The center, set up May 22, logged calls from more than 100,000 veterans in its first three days of operation, Nicholson said.

Sen. Susan Collins (R-Maine) assured Opfer and Nicholson that the Senate would give the VA funds to handle the mailing, operate the call center and provide other veteran outreach programs connected to the data theft.

— Bob Brewin

VA theft is a cautionary tale for fed teleworkers
Telework initiatives encourage federal employees to take their work home, but the recent theft of a laptop computer from the home of a Department of Veterans Affairs employee shows that this is not always a good idea. The laptop contained personal information on 26.5 million veterans, including their Social Security numbers, creating a potential for identity theft. The employee was violating agency policy by taking the veterans’ personal data home, but a growing number of federal employees carry government equipment and data home for legitimate telework activity.

“Great numbers of people at this agency and this government telecommute,” said VA Secretary Jim Nicholson, testifying last week before the Senate Veterans’ Affairs and Homeland Security and Governmental Affairs committees.

“We need to know who they are, what kind of people they are out there with this data and absolutely get better control over it,” he said.

Nicholson’s concerns did not faze Stephen O’Keefe, executive director of advocacy group Telework Exchange. O’Keefe said that enforcing existing policies on safeguarding sensitive data, and training employees on them, is critical to keeping a situation such as the VA’s from happening again. O’Keefe said the theft should not affect how federal executives view telework. He cited recent Government Accountability Office reports that included telework as a major component of federal continuity-of-operations plans. Although various agencies have resisted implementing telework programs, O’Keefe added that he did not believe there was any chance telework would disappear from agency plans.

“That would be like if the government just got computers and they were infected by a virus for the first time, and that caused the government to toss all those computers and go back to the abacus,” he said.

— Wade-Hahn Chan