McFarland: VA lacked info access controls

Lack of access controls to sensitive information and an inability to monitor employees who tap into databases containing the personal information of veterans indirectly led to the theft of data on 26.5 million veterans earlier this month, said Robert McFarland, former Department of Veterans Affairs chief information officer.

McFarland, in an interview with Federal Computer Week, added that the decentralized VA information technology structure also contributed to problems in controlling access to data.

The Veterans Benefits Administration, Veterans Health Administration and the National Cemetery Administration all operated their own IT systems, which made it difficult to establish the kind of information access controls standard in most government and commercial organizations, he said.

The VA employees in these administrations built, managed and accessed databases without any central oversight or control, McFarland said. This lack of control allowed a VA data analyst to repeatedly copy and take home large data files, resulting in the theft of a laptop PC and digital media containing the records of 26.5 million veterans, the VA recently disclosed.

McFarland said if the VA had instituted a centrally managed information access control policy and digital rights system some time ago, “an alert would have gone off” as the analyst downloaded files containing veterans' names, birth dates and Social Security numbers.

“It all comes down to access controls and rights management,” McFarland said, and “in a well-run operation alarms would have gone off” when an employee tried to access and copy sensitive information, especially such a vast trove of data. Central IT control and policies would have also insured that.

The unidentified data analyst could end up as an unwitting but powerful change agent for the development of a centralized VA infrastructure, which McFarland kicked off shortly before he retired.

The reorganization and consolidation of the VA infrastructure is ongoing, and McFarland said he expects the department to select a contractor to help the VA develop a federated IT architecture within 30 to 60 days.

McFarland said he strongly pushed for development of the federated architecture, endorsed by VA Secretary Jim Nicholson at a Senate hearing last week, and in the process became the focus of institutional resistance and animus.

“I forced the consolidation of budgets, assets and people [in the three VA administrations], which the culture did not want, and it became a very contentious environment,” McFarland said.

Restructuring VA IT “was not about technology, it was about changing the culture,” he said, and so he decided to “step out of the way" and retire so the restructuring could proceed without a personal focus on him.

As a consequence of the data theft, McFarland said he has no doubt that Nicholson will strongly back the centralization of VA IT and the development of federated systems backed by central policies and procedures.

"I really believe they are well on their way to IT reorganization," McFarland said.

Nicholson made a series of staff changes today directly related to the data theft and the lag in time before he was notified. Nicholson said he has started the process to dismiss the unidentified data analyst and placed Dennis Duffy, acting assistant secretary for policy, on administrative leave.

Duffy learned of the data theft on May 5, but Nicholson said he was not informed until May 16, and the public was alerted on May 22. Mike McLendon, deputy assistant secretary for policy, who also quickly learned about the theft but did not report it to Nicholson, has resigned from the VA, effective June 2.

Nicholson said Paul Hutter, current assistant general counsel for management and operations, will temporarily lead the VA’s Office of Policy, Planning and Preparedness until Congress responds to the recent nomination of Patrick Dunne as assistant secretary.