[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]

ACADEMIC AND LEGAL IMPLICATIONS OF VA'S DATA LOSS
=======================================================================

HEARING
before the
COMMITTEE ON VETERANS' AFFAIRS
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
JUNE 22, 2006
__________
Printed for the use of the Committee on Veterans' Affairs
Serial No. 109-56
______
U.S. GOVERNMENT PRINTING OFFICE
28-452 WASHINGTON : 2007
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800 Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON VETERANS' AFFAIRS
STEVE BUYER, Indiana, Chairman
MICHAEL BILIRAKIS, Florida
LANE EVANS, Illinois, Ranking
TERRY EVERETT, Alabama
BOB FILNER, California
CLIFF STEARNS, Florida
LUIS V. GUTIERREZ, Illinois
DAN BURTON, Indiana
CORRINE BROWN, Florida
JERRY MORAN, Kansas
VIC SNYDER, Arkansas
RICHARD H. BAKER, Louisiana
MICHAEL H. MICHAUD, Maine
HENRY E. BROWN, JR., South Carolina
STEPHANIE HERSETH, South Dakota
JEFF MILLER, Florida
TED STRICKLAND, Ohio
JOHN BOOZMAN, Arkansas
DARLENE HOOLEY, Oregon
JEB BRADLEY, New Hampshire
SILVESTRE REYES, Texas
GINNY BROWN-WAITE, Florida
SHELLEY BERKLEY, Nevada
MICHAEL R. TURNER, Ohio
TOM UDALL, New Mexico
JOHN CAMPBELL, California
JOHN T. SALAZAR, Colorado
James M. Lariviere, Staff Director

C O N T E N T S
__________
June 22, 2006
                                                                   Page
Academic and Legal Implications of VA's Data Loss................ 1

OPENING STATEMENTS
Chairman Steve Buyer............................................. 1
    Prepared statement of Chairman Buyer......................... 50
Hon. Bob Filner, a Representative in Congress from the State of California..................................................... 3
Hon.
Ginny Brown-Waite, a Representative in Congress from the State of Florida, prepared statement of........................ 55
Hon. Corrine Brown, a Representative in Congress from the State of Florida, prepared statement of.............................. 57
Hon. Sylvestre Reyes, a Representative in Congress from the State of Texas, prepared statement of................................ 61
Hon. Stephanie Herseth, a Representative in Congress from the State of South Dakota, prepared statement of................... 63
Hon. Tom Udall, a Representative in Congress from the State of New Mexico, prepared statement of.............................. 65

WITNESSES
Brody, Bruce A., Vice President, Information Security, INPUT, Reston, VA, and former Associate Deputy Assistant Secretary for Cyber and Information Security, U.S. Department of Veterans Affairs........................................................ 7
    Prepared statement of Mr. Brody.............................. 76
Cook, Mike, Co-Founder, ID Analytics, San Diego, CA.............. 11
    Prepared statement of Mr. Cook............................... 85
McClain, Hon. Tim S., General Counsel, U.S. Department of Veterans Affairs............................................... 29
    Prepared statement of Mr. McClain............................ 92
Spafford, Eugene H., Ph.D., Professor and Executive Director, Purdue University Center for Education and Research in Information Assurance and Security (CERIAS), West Lafayette, IN; Chair, U.S. Public Policy Committee, Association for Computing Machinery (USACM); and Member, Board of Directors, Computing Research Association (CRA)........................... 5
    Prepared statement of Dr. Spafford...........................
67

MATERIAL SUBMITTED FOR THE RECORD
Statements:
    Kappelman, Leon A., Ph.D., Professor of Information Systems, Director Emeritus, Information Systems Research, Fellow, Texas Center for Digital Knowledge; Associate Director, Center for Quality and Productivity, Information Technology and Decision Sciences Department, College of Business Administration, University of North Texas.................. 110
Post-hearing written Committee questions and the responses:
    Chairman Buyer to U.S. Department of Veterans Affairs........ 111
    Chairman Buyer to Mr. Bruce A. Brody (INPUT)................. 118
    Chairman Buyer to Mr. Mike Cook (ID Analytics)............... 121

THE ACADEMIC AND LEGAL IMPLICATIONS OF THE VA'S DATA LOSS
----------
THURSDAY, JUNE 22, 2006

U.S. House of Representatives,
Committee on Veterans Affairs,
Washington, DC.

The Committee met, pursuant to call, at 10:35 a.m., in Room 334, Cannon House Office Building, Hon. Steve Buyer [Chairman of the Committee] presiding.

Present: Representatives Buyer, Bilirakis, Moran, Brown of South Carolina, Miller, Brown-Waite, Filner, Snyder, Michaud, Herseth, Strickland, Reyes, Berkley, Udall, Salazar.

The Chairman. The full Committee of the House will come to order, June 22nd, 2006. Good morning, ladies and gentlemen. We are here today to receive testimony on best practices from experts in the field of information security and data breaches. We will also hear from the Department of Veterans Affairs' General Counsel about the legal implication of the VA's information security breach and data loss.

This hearing is part of a series that will help us determine how to understand the scope of the problems, so we can then proceed to assist in the correction of these concerns of the department. We are systematically examining key aspects of the security breach, and reviewing best practices, and thinking in the realm of information security.
Last week, we heard testimony from the VA inspector general and from the Government Accounting Office, who provided historical context. The context is sobering. Even as far back as 1997 the GAO had begun to examine these problems, and then in 2002, they recommended the VA centralize its IT security management functions and establish an information security program. The VA's own inspector general has gone on the record with a similar litany of warnings that have been largely if not completely ignored. The VA's assistant inspector general for audit told us the IG has reported VA information security controls as a material weakness in its annual consolidated financial statements, since fiscal year 1997 audit. VA's IT Information Security Management Act audits have identified significant information security vulnerabilities since fiscal year 2001. A reasonable person might ask what the VA is waiting for.

The IG and GAO, our investigations have shown, are not alone in their support for centralized IT management. On June 8th, I held a roundtable discussion with information technology experts from business, including Goldman Sachs, EMC Corporation, Visa, Citigroup, Tri-West, and American Bankers Association. At my invitation attending also was the chairman of the military quality of life and veterans' appropriations Subcommittee, Jim Walsh. These experts offered candid appraisals, and emphasized the importance of centralized information security management. None from a good business sense could endorse the VA's approach, the federated model, which still shows a significant degree of decentralization. One of the experts said, quote, ``I see the federated approach as an excuse for lack of controls.''

As part of our approach, the Subcommittee on disability assistance and memorial affairs held a hearing on Tuesday, on information security at the Veterans' Benefits Administration.
Yesterday, the Subcommittee on health examined how the Veterans' Health Administration maintains security and integrity with electronic health records of patients. Both systems face challenges. We are aware of problems with the Benefits Administration. The VA IG has testified at VHA, tens of thousands of VA's health records have been sent by unencrypted e-mail, and were made vulnerable to interception. Problems with uncontrolled access to data, password protection, and even a failure to terminate access for long-departed employees, made the conditions for additional disasters.

The more we learn about the awful results of decentralization, in contrast to the bright promises offered by some VA officials, the more we see the system has no departmental standards. And more important, the system, if you call it that, does not identify who is in charge of developing policy, implementing policy, or enforcing policy. It does not have to be this way.

Today, experts from the academic world will also provide insights into the cutting edge information security theories and concepts. The recent passing of management expert, Professor Peter Drucker, reminds us that not all expertise is to be found in the world of practice. We have much to learn from those who earn their pay strictly from the work in their minds.

We will then turn to the department's General Counsel, the Honorable Tim McClain, who will provide testimony regarding the legal implications of VA's data breach. I will also be interested in learning more about the legal review process for VA's information security directive for the past three years. Also, I want to learn more about the adequacy of the VA's legal authority to provide credit counseling and compensation to veterans affected by the loss of their personal information.

Next week, completing a series of hearings, the full Committee will receive testimony from former VA chief information officers.
And finally, we will hear from Secretary of Veterans' Affairs Nicholson, and the department's senior leadership, with an update on the progress being made in the department. So please be sure to note these important dates on your schedule.

This weekend, we learned that a laptop stolen from a contractor working for the city of Washington DC, compromised sensitive information on thousands of city employees. While we are now seeing that data security has broad implications across the country and across government, what we would like to see is VA moving from worst disaster to best practice.

We look forward to your testimony. I recognize the Ranking Member for any comments that he might have. Mr. Filner.

[The statement of Chairman Buyer appears on p. 50.]

Mr. Filner. Thank you, Mr. Chairman, and as we said last week, thank you for embarking on this series of oversight hearings. I don't think it's any accident that the VA announced finally some proactive measures yesterday. I think it's the calendar that you have outlined, reporting will have to be done, that has sparked some activities. I think this is the way that we, Congress, must proceed in terms of oversight, so I thank you so much.

As you have pointed out, we have to figure out what happened, how it happened, how to prevent it, who was responsible, and of course, what can be done in the future. As Chairman Buyer has pointed out, on many occasions, we have heard that long-standing problems in cyber and information security went uncorrected at the VA for unconscionably long times. We have heard testimony before this Committee that the problem lies within the VA's culture of resistance to change, including being impervious to change in, of all arenas, information security. One written statement at a previous hearing offered a rationale for the resistance of VA, a desire to avoid accountability.

Mr. Chairman, last week you and Dr.
Snyder both noted apparent problems and conflict with the General Counsel opinions in 2003 and 2004. The net effect of these opinions, and we will hear what the General Counsel says, was to create confusion at VA regarding aspects of enforcement authority for information security. How could this happen if the Federal Information Security Management Act of 2002 was created just to resolve these very problems?

And we have seen evidence of the difficulty of implementing change in the IT culture at VA. For me, as for you, Mr. Buyer, the most illustrative example of that resistance was Secretary Principi's failed directive to centralize control of the IT under the chief information officer. His was the right solution, but it never happened. When the edicts of the Secretary and his team are ignored by the agency, it is time for the Secretary to clean house. In this case, I and a number of my colleagues will be pleased to help move that process along.

All too often, we hear about policy changes at VA that are in the works, or we hear about half solutions and changes that are just around the corner. Problems were raised about the HR links program, but substantive solutions were never implemented. HR links was a good idea, but leadership was needed, and there was none. The result: about a third of a billion-dollar loss to taxpayers. VETSNET will automate critical functions associated with the compensation and ratings awards, if it is ever fully implemented. But I note that the future tense is always used to address hopeful solutions to VETSNET, for over a decade, now. The core FLS is another example of a major information technology failure in the multi-hundred million dollars loss range, and the root cause I think is evident: mismanagement at the top.

We must move the entrenched culture inside the agency to conform to what is best for the entire agency and for veterans. That is why we are here.
At a minimum, as is often suggested by the Inspector General, implementation of a robust and standardized policy would be helpful. That has yet to happen.

At our last full Committee hearing, Mr. Michaud referred to a threat by an offshore-based subcontractor to post medical information about 30,000 veterans on the Internet. Yet, when Committee staff asked about the off-shoring of medical transcript and services in previous years, they were told that there was no evidence of such activity. The IG now seems to have found ample evidence in a report released last week. This indirection and indifference by the Veterans' Administration regarding its protection of sensitive information must halt. We need to have straight shooting with Congress and with the American people.

Finally, Mr. Chairman, the magnitude of the loss of the 26 million records, plus apparently hundreds of thousands of others, is breathtaking. It looks like we are moving in a proactive way, although we have yet to see what contractor will win the contract. I hope we don't give the contract to Halliburton. In fact, one of the companies that is here today has offered the public service of doing it for very little, if any, cost to taxpayers. So we must assure that any promises we make to fix the problem can actually be kept. We must set expectations for veterans that can be delivered, and have the willpower to keep those promises. Let us keep the faith with our veterans. Thank you, Mr. Chairman.

The Chairman. Thank you very much. Our first panel includes Dr. Eugene Spafford, Ph.D., who is a professor of computer science and is Executive Director for the Center of Education and Research in Information Assurance and Security, at Purdue University. Next, we have Mr. Bruce Brody, Vice President of Information Security for INPUT, and former Associate Deputy Assistant Secretary for Cyber and Information Security with U.S. Department of Veterans Affairs.
And finally, we have Mike Cook, Vice President of ID Analytics.

Dr. Spafford, personally I want to thank you for--often, the Federal government has turned to you for your counsel. We did in the mid-1990s, with the DOD. You assisted the Department of Air Force, you have helped out with the FBI, we have turned to your expertise in regard to NSA, and once again we are now turning to you, and you don't hesitate. And so there is something inside that says, ``Yes, I have knowledge, I have some expertise, and I am willing to help my country.'' And you have been there, and you have also served on the president's advisory. I welcome all the members--how many of these do you have, or can you gain access to?

Dr. Spafford. I believe we have about 50 or 70 of them out there.

The Chairman. You have about 50 or 70 of them out there? You are only here by yourself? You have somebody with you, staff?

Dr. Spafford. There is somebody here, yes.

The Chairman. Well, somebody go out there and get one of these to Tim McClain for me right now, while he can flip through this. Tim, have you seen this before?

Mr. McClain. No, sir, I haven't.

The Chairman. It is very interesting. If you would grab that box, I want to make sure everybody, all of my colleagues have this. Look how it is titled: ``Cyber Security, a Crisis of Prioritization.'' The president put these experts together.

[The report is being retained in the Committee files and can be found on the internet at: http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.]

Dr. Spafford, you are recognized.

STATEMENTS OF EUGENE H. SPAFFORD, PH.D., PROFESSOR AND EXECUTIVE DIRECTOR, CENTER FOR EDUCATION AND RESEARCH IN INFORMATION ASSURANCE AND SECURITY, PURDUE UNIVERSITY, WEST LAFAYETTE, IN, CHAIR, U.S. PUBLIC POLICY COMMITTEE, ASSOCIATION FOR COMPUTING MACHINERY, AND MEMBER, BOARD OF DIRECTORS, COMPUTING RESEARCH ASSOCIATION; MR. BRUCE A.
BRODY, VICE PRESIDENT, INFORMATION SECURITY, INPUT, RESTON, VA, AND FORMER ASSOCIATE DEPUTY ASSISTANT SECRETARY FOR CYBER AND INFORMATION SECURITY, U.S. DEPARTMENT OF VETERANS AFFAIRS; AND MR. MIKE COOK, CO-FOUNDER, ID ANALYTICS, SAN DIEGO, CA

STATEMENT OF EUGENE SPAFFORD

Dr. Spafford. Thank you, Chairman Buyer and Members of the Committee. It is my pleasure to be here to attempt to help in this case. We are here because of the significant breach of security and privacy at the Veterans' Administration. That incident has obviously exposed many people to increased risk of identity theft, credit fraud, and other kinds of criminal activities. I would like to point out, however, that it is more than a financial impact that is potentially there. In addition, some of our active-duty personnel and veterans may find themselves denied security clearances, or find their names added to the TSA's no-fly list, because somebody else has misused their identity. And if you have ended up on the no-fly list and tried to get off, you know how difficult that is. And they may also face criminal warrants or civil actions because others have committed crimes in their name.

This problem is not unique to the Veterans' Administration, however. A recent article in ``Computer World'' noted that since the start of 2005, there have been nearly 200 similar incidents, resulting in significant disclosure of personal information, with nearly 90 of those incidents occurring since the beginning of this year. The total number of records disclosed by all of these incidents to date is 88 million. What is more, those are only the detected and reported incidents. The actual number is certainly much larger.

For decades, professionals in the field of information security have been warning about the dangers of weak security, careless handling of data, lax enforcement policies, and insufficient funding for both law enforcement and research.
This is similar to what you have been hearing from the Inspector General of the Veterans' Administration. Our warnings and cautions have largely been dismissed, however, as unfounded or too expensive to address. Unfortunately, we are now seeing the results of that lack of attention with incidents such as what happened at the VA. In addition, we have seen new levels of sophisticated computer viruses and spyware emerging, increasing cyber activity by organized crime around the world, and significant failures of security across a wide variety of public sector entities and government agencies.

In the brief time that I have for my verbal remarks, I want to make special note of one particular failure present in this case that you have already identified. There is no centralized position that has all of the three components that are necessary to effectively manage information security: resources, accountability, and authority. There should be either the CIO or CISO, Chief Information Security Officer, who has adequate funding and trained personnel to carry out a comprehensive security plan. That office, and the management above it, must be held accountable for failures to satisfy necessary standards, and successfully pass audits. Last of all, that same office must have authority to make changes, shut down systems if necessary, and sanction employees for cause.

There are other information security problems at the VA and elsewhere in the government which were not directly involved in the May disclosure incident, but could prove problematic later. It is beyond the scope of this testimony to describe all of them. It is also beyond the scope of this testimony to summarize the magnitude of cyber threats currently facing our information infrastructure, including the Veterans' Administration. There are a number of reports describing these threats, and I can summarize simply by saying the situation is poor, and getting worse.
Regrettably, I believe the situation is going to get worse because the problems have been ignored and neglected for too long to be quickly remedied. As a member of academia, I wanted to say that we can offer few immediate solutions. Although we have several good programs at many colleges and universities across the United States, we are producing too small a number of students to meet the demand. Exacerbating this is a lack of resources. Outside of a few underfunded programs through the National Science Foundation that award competitive grants to faculty, and a few congressionally directed allocations to a few university projects around the country, there is almost no funding for basic research, capacity development, or infrastructure acquisition, for the programs working in information security.

As an example, the center I direct at Purdue University, CERIAS, is the nation's leading center in multidisciplinary information security research and education, with over 80 faculty, and we are graduating nearly 25 percent of the nation's Ph.D.'s in information security. CERIAS, in its nine-year lifetime, has never received any government support, although some individual faculty receive funding from agencies such as the NSF for individual research. As is the case with many of my peer institutions, our ability to make progress in education and research is limited by a severe lack of resources.

In February, 2005, as Chairman Buyer noted, the President's Information Technology Advisory Committee issued this report, based on hearings and considerable study by many experts, myself included. That report was entitled ``Cyber Security, a Crisis of Prioritization.'' It described the nature of the problems with cyber security, and some of the trends. It also analyzed the inadequate Federal response to those challenges. It outlined in some detail an agenda to begin to address some of our cyber security problems.
The response to that report was similar to other reports that have been issued over the years. Only one of the four recommendations has been acted upon, and PITAC was disbanded. I encourage members of the Committee to carefully read the PITAC cyber security crisis report. I participated in the research and writing of that document, and it goes into considerable detail about problems such as those faced at the VA, and issues behind our cyber security deficit, as well as making some concrete suggestions on how those issues might be addressed.

I have also included some other recommendations in my written testimony, including a comprehensive list of recommendations for data privacy protection, as developed by the ACM's U.S. public policy Committee. I welcome your questions and working with you to help address these problems. Thank you.

[The statement of Dr. Spafford appears on p. 67.]

The Chairman. Thank you very much. Did all the members receive one of these? Everybody has got one? All right, thank you. Mr. Brody, you are now recognized.

Mr. Brody. Mr. Chairman, Representative Filner, and members of the Committee, my name is Bruce Brody. As a veteran, I am very grateful for the opportunity to address this distinguished Committee today. With the Chair's permission, I will provide a brief overview, and then submit a longer statement for the record.

The Chairman. Hearing no objection, so ordered. Dr. Spafford, did you have a written statement that you would like to be submitted for the record?

Dr. Spafford. He has it.

The Chairman. Mr. Cook, do you have a written statement you would like submitted for the record? All right. Hearing no objection, so ordered. All the statements will be submitted for the record.

STATEMENT OF BRUCE BRODY

Mr. Brody. I am the Vice President for Information Security at INPUT, a market research firm based in Reston, Virginia.
From 2001 to 2004, I was the Associate Deputy Assistant Secretary for Cyber and Information Security at the Department of Veterans Affairs. And from 2004 until January of this year, I was the associate chief information officer for cyber security at the Department of Energy. I believe that I am the only person ever to have served as the chief information security officer at two Cabinet-level departments.

Like the members of this Committee and my fellow veterans, I view the loss of personal information of more than 26 million veterans as willful disregard for responsible behavior, and blatant contempt for established Federal security and privacy requirements by senior VA leadership. I urge this Committee to look very carefully at the following factors, which I believe contributed to the decades of information security and privacy neglect at the VA, that have been documented by the Inspector General and the Government Accountability Office.

First, someone with appropriate substantive expertise must be empowered to set and enforce privacy and cyber security requirements, which will include the physical security requirements for how such records are maintained, and the personal security requirements for who is allowed access to such records. When I was first introduced to this Committee in April of 2001, I thought that the Secretary had hired me for that purpose. However, the apparent authorities invested in the CIO under the Clinger Cohen Act, and the Paperwork Reduction Act, and both the CIO and the CISO in the Computer Security Act of 1987, the Government Information Security Reform Act of 2000, and finally, in the Federal Information Security Management Act of 2002, were not accepted by VA's leadership. I quickly learned that the department's chief information officer only had authority to advise, encourage, support, and persuade the administrations, insofar as information technology programs were concerned.
In addition, I learned that the CIO had no authority to direct compliance. These points were captured in a memorandum from the assistant General Counsel dated October 6, 2000. Difficulties with this advise, encourage, support, and persuade approach to the CIO's management authority were raised at a March 12th, 2002, oversight Committee hearing by both Chairman Buyer and Ranking Member Carson, questioning the ability of the then-CIO to get the job done without line authority. Later that year, Secretary Principi took actions to direct the centralization, and enhance line authority of the CIO function, presumably acting on the recommendations of this Committee. But unfortunately, the Secretary's direction met with bureaucratic inertia and cultural resistance, and was never fully implemented.

Subsequent to my arrival at the VA, the Government Information Security Reform Act, followed by the Federal Information Security Management Act, were enacted in 2000 and 2002, respectively. Not being an attorney, I cannot offer legal opinions about what the words of these statutes mean. I can only apply common sense to the purpose of these important pieces of legislation. It seemed to me that after all was said and done, if the opinion of the assistant General Counsel issued in October 2000 was correct, then the Congress went through nonsensical amounts of effort to produce the legislation and provide such detail concerning specific responsibilities.

It became all the more apparent that clarification was needed, following the MS Blaster malicious software incident in the second half of 2003. In advance of what proved to be a serious malicious software attack represented by MS Blaster, my office provided the necessary alerts, and also distributed notification concerning the necessary patches, throughout the VA enterprise. These alerts were widely ignored, and VA networks were savaged as a result.
The apparent authorities invested in the CIO in the Clinger Cohen Act, and in the CIO and CISO in FISMA, did not seem to be accepted by VA or its leadership. As a result, I concluded that there was no longer any point in attempting to introduce cyber security changes in the VA unless there was a clear statement of authority to do so. That was when I requested the General Counsel opinion about FISMA authorities for the CIO and the CISO.

Just prior to the MS Blaster attack, I had requested a clarification from the General Counsel concerning the responsibilities of the CIO under FISMA for national security and non-national security information and information systems. In a memorandum signed by the General Counsel, dated August 1st, 2003, it was reinforced that the various security functions of the department, specifically information security, physical security, and personnel security, would remain under the authority of their respective offices. According to the memorandum, the CIO was allowed to issue policies pertaining to information security, but the daily operations of security clearance determinations, investigations, physical storage, and related activities wouldn't be placed under the purview of the CIO.

Subsequent to the MS Blaster attack, I requested a clarification from the General Counsel concerning the authority of the CIO to enforce compliance with security legislation and regulations. In a memorandum signed by the General Counsel on April 7th, 2004, it was asserted that the CIO cannot order or enforce compliance with information security requirements. Because FISMA used the word ``ensure,'' instead of the word ``enforce,'' the General Counsel stated that the only recourse for the CIO when a security requirement was violated was to complain to the Secretary. The result of these two opinions was extremely unfortunate for the department.
In effect, the first of these memos fragmented security authorities, and the second said that the CIO had no authority to enforce policies or to hold people accountable for violating policies. These memos accurately captured and reinforced the culture of the department, where resistance to central authority, and doing business according to hundreds of different local practices, have always been the norm. In day-to-day operations, these memos ensured that the fragmentation of security authorities enabled the lack of background investigation for individuals with access to VA networks, systems, resources; the unchecked access to VA information by foreign corporations and foreign nationals; limited to nonexistent logical and physical access controls for major medical systems; the disruption and denial of service from malicious software attacks such as MS Blaster; and hundreds of other negative information security findings, as highlighted in the reports of the independent public auditor, the Inspector General, and the Government Accountability Office.

I would ask the Committee if it agrees that the Clinger Cohen Act and FISMA do not require a Secretary, CIO, and CISO, to set and enforce the security requirements of the FISMA legislation? If FISMA and the Clinger Cohen Act did not convey the authority and accountability for enforcing security and privacy requirements, perhaps the Congress needs to amend these bills to so state. My personal experience is that the mismatch of authority and accountability for the CIO and CISO affects other departments and agencies to the same extent as it affects the VA. And I encourage legislative action to clarify this situation and possibly prevent more serious incidents from occurring.

But the bottom line for the VA was that the two General Counsel memos reinforced the VA culture. And the VA culture is the root cause of this problem.
The VA culture can be highlighted even further in the paper trail of nonconcurrences on VA directive 6500, the information security program. My second recommendation is that policies, procedures, and assignments of accountability regarding security and privacy issues cannot be held hostage to the individual interests of the senior officials whose concurrence must be obtained prior to review by the Secretary. In this regard, I invite the Committee's attention to the paper trail of nonconcurrence on VA directive 6500, the information security program.

On January 16th, 2004, VHA non-concurred on VA directive 6500, disagreeing with a blanket approach to background investigations, opposing any requirement to ensure that corporations having access to VA systems and data be American-owned--in other words, subject to U.S. policy, and within the reach of U.S. courts, if U.S. laws are breached. VHA also opposed any requirements that visitor personnel be escorted at VA facilities, and resisted the ability of the associate deputy assistant Secretary for cyber and information security to establish mandatory penalties for noncompliance. VHA's nonconcurrence specifically dealt with the offshoring of sensitive information, such as medical records or transcriptions. Other significant nonconcurrences on VA directive 6500 are included in my written testimony for the record.

The memos by the General Counsel and paper trail of nonconcurrence on VA directive 6500 are indicative of a culture of resistance to central authority, and refusal to accept anything other than business as usual. They also highlight the decentralized authority enjoyed by the administrations and program offices, who are empowered to define the role and authority of the CIO as they see fit in order to perpetuate their parochial interests. Most of all, these documents make it clear that the CIO and the subordinate CISO have no authority to do anything other than to issue policies.
Now on top of that, they can only issue policies that the administrations and program offices allow them to issue through the concurrence process. Once issued, the CIO and CISO have no authority to enforce these watered-down policies that they are permitted to put in place. As a third recommendation, let me suggest to you that the CIO budget, including cyber security and privacy budgets, cannot be held hostage by the administrations and program offices. Since funds are not directly appropriated to the CIO by Congress, security and privacy initiatives depend on the funding support of the very offices that have historically been the cause of the problems being addressed. Fourth, I recommend you create a legislative requirement that would suspend all executive and senior bonuses in the VA until the environment for which the executive is responsible receives a clean bill of security health from the IG and the competent senior official placed in charge of security.

There are more than 26 million veterans and active duty personnel who are uncertain that the loss of their personal information will bring them financial harm. These veterans deserve better, because they have served our country well. Unfortunately, the VA has not served them well, and the VA must make necessary amends. If the VA cannot reinvent itself and change its culture dramatically, then I would beg the Congress to do it for them, and to do it for our Nation's deserving veterans. Mr. Chairman, that concludes my statement. Thank you for the opportunity to appear here.

[The statement of Mr. Brody appears on p. 76.]

The Chairman. Thank you, Mr. Brody. Mr. Cook, you are now recognized.

STATEMENT OF MIKE COOK

Mr. Cook. Chairman Buyer, Representative Filner, and esteemed members of the Committee, thank you for inviting ID Analytics to testify----

The Chairman. Mr. Cook, can you turn that microphone on, and pull it close to you, please? Thank you.

Mr. Cook. It wasn't on, I apologize.
Thank you for inviting ID Analytics to testify on ways to help victims of the recent Veterans' Affairs data breach. My name is Mike Cook. I am a cofounder of ID Analytics, a San Diego-based company focused exclusively on stock and identity fraud. I have worked in the field of credit risk and fraud prevention for 20 years. ID Analytics helps stop identity fraud through our identity network, a real-time identity fraud prevention system formed through a consortium of leading companies dedicated to protecting their customers from identity fraud. Our ID network gathers information from applications for credit, change of address, and other identity risk information from companies, including half the top 10 U.S. banks, almost all major wireless carriers, and a leading retail card issuer. Hundreds of times each day our technology helps stop fraudsters from obtaining credit services and merchandise in innocent consumers' names. We think it's important to make you aware that ID Analytics does not market or sell the data we collect in the ID network for any purpose, to anyone.

I am here today because ID Analytics has unique expertise and knowledge of data breaches and their risk. Today, we are the only public or private entity that has studied the harm resulting from actual data breaches. Should any Committee member have interest, I would be happy to provide a copy of our white paper analyzing the harm from four actual well-publicized data breaches involving more than 500,000 breached consumer identities.

I would first like to put this breach into context. At this point, no one knows the scope of risk the veterans are facing. The most dangerous data breaches are targeted thefts, where the thief committed the breach solely for the purpose of taking the consumer data. In this case, the purpose of the theft is unclear. Was the thief targeting a laptop, or the data held on it? I don't believe we know that answer today.
If the data is misused, we can expect it to be misused in the following ways: it's likely fraudsters will mainly attack the credit card industry. Stolen identities are an asset that sophisticated fraudsters can get the best rate of return by fraudulently obtaining credit cards, and then making fenceable purchases. Secondly, because the file contains so many identities, it is likely that the fraudsters will use the stolen identities once or twice and never again, to increase their approval rate. Low use rates of individual veteran identities will make detection more difficult for the lending community. Again, if the data is misused, sophisticated fraudsters will spread the misuse of identities across differing locations within a city, or even across different States, to avoid detection.

The worst-case scenario is that the veteran file finds its way to a public distribution source, such as the Internet. If this happens, stolen identities will lose their connection to the VA data breach, and groups of fraudsters might actively trade that data among the broad community. Subsequently, more people might have access, and could misuse those identities on a grander scale. We know from additional research conducted earlier this year, the misuse rate of data traded on the Internet can climb substantially and exceed the average rate of identity theft of 1.5 percent. Some consumer advocates estimate the value of the stolen identity ranges from $25-$75, depending upon the available personal information associated with that identity. So because of the value of the data itself, wide distribution should be a concern, and should drive a real sense of urgency to try to recover the stolen data as fast as possible.

So what can the VA do now? Over the course of the last year, ID Analytics has developed breach monitoring technology. With this technology, the VA can answer three essential questions about the data breach.
The first question the VA can answer is, is the breached data being misused by fraudsters today? Secondly, if it is being misused, can we identify the specific veterans harmed by this misuse, and provide them with additional victim assistance? And thirdly, if the breached file is being misused, in what locations are those breached consumer identities being misused, so that law enforcement can stop the misuse, and potentially recover the breached data file?

How does this technology work? Simply put, when thieves use a breached file, they leave tracks. In order to obtain credit or other goods in a veteran's name, a fraudster would have to manipulate that veteran's identity information on a new account application. For instance, if a fraudster applies for a credit card in a veteran's name, the fraudster needs to change the address so he or she can collect the new credit card from the bank. The fraudster will change the veteran's phone number for personal and employment verification purposes. He or she may use the same addresses and phone numbers to commit identity theft against other identities that were part of that same breach. Our ID network, which receives hundreds of thousands of applications and other identity risk events per day, can identify these types of anomalous changes and relationships across a breached file, regardless of the size of the breached file.

We believe this technology can be significant to the Department of Veterans Affairs for the following reasons: it can help identify any organized misuse of the personal data that has happened so far. The analysis can quickly identify veterans who may have been victimized, so that additional victim assistance can be expedited to them. It can actively monitor the file for possible misuse. This technology can help provide law enforcement a way to identify those individuals who have either stolen the file or have misused it to commit identity theft, to stop further misuse and to recover the lost file.
The analysis can help determine if the file was in use by more than one individual, or one cohesive group. And finally, breach monitoring provides a deterrent effect, once publicly announced. Thieves should be aware that if they try to misuse any data from the VA data breach, they do so at their own peril. Thank you again, Mr. Chairman, for the opportunity to present this testimony.

[The statement of Mr. Cook appears on p. 85.]

The Chairman. All right. I have two areas I want to touch on, and then I am going to yield to my colleagues. Yesterday, when the VA made their announcement of credit monitoring, I don't know too much beyond that, nor do I know where they are going or how they define it. My first reaction was, I was concerned. And let me explain why I was concerned. The concern is that, are we creating a false expectancy among the veterans that the VA is now going to just be doing credit monitoring, and when I look at my current reports, I'm safe, that somehow that is going to provide a safe haven. And that is the reason I did not issue a statement yesterday. I couldn't stand up and cheer, because I still have great fears. So let me turn to you, and I want you to tell me, ``Steve, I agree with you,'' or ``I disagree with you, you should cheer about this.'' Because here, we take it down to the next step, is that if they know what they are doing, they are going to take this, and it is going to be synthetic identity theft. So Mr. Cook, as you identified that you look at the granulation of the information and then you begin to change it a little bit; so I take Dr. Eugene Spafford, I get your Social Security number, and I got your address, and know what your wife's name is. So I make the application, but I change the last two digits of your Social Security number. So now, I obtained a credit card and begin to make purchases. I do other things that spoil your life, Dr. Spafford, but if all I am doing is monitoring the credit report, then no serious action by me is not going to show up on the credit report, as I understand. So now, let me yield to the panel, and say, ``Steve, you get it right,'' or ``Steve, you got it wrong.''

Mr. Cook. Chairman Buyer, we've done a lot of analysis on fraud and how criminals use data. And I don't believe the people, if they use this data, are going to perpetrate synthetic fraud. The reason for that is synthetic fraud is when you don't have any data available to you. So fraudsters could go out and use a name, and create a valid Social Security number, as we have seen, by a method such as Social Security number tumbling, to enable them to get past a validity check. People who perpetrate synthetic fraud do that because they don't have access to data, and the analysis we have done shows that if they perpetrate synthetic fraud, they do not perpetrate identity theft. So I would probably disagree and say I don't think synthetic fraud is going to be the case here. I think it is going to be identity theft, and I think that credit monitoring might help those consumers who take the credit monitoring up on that offer. It may help them detect some of the fraud that is happening to them. But it is not going to be the only solution that is available to them. Here is the reason for that: credit monitoring is going to tell you that you had an application that was filed in your name. By that point, it is probably too late. Because as I said in my opening statement, if these guys who took the file are sophisticated enough and use it the right way, they will use the identity once or twice, and never again. So by the time that monitoring alerts get to the consumer, it is already out there and there is nothing more they can do about it. So I think credit monitoring has its place for consumers. If you think about consumers, we all have about a one and a half to three percent chance of having identity theft happen to us.
The chance of veterans having identity theft happening to them because of this breached file is far less than that, just because of the magnitude of it. So I think credit monitoring is fine for consumers, if they can afford it. But we think there are better technologies to detect if there is misuse; if there is misuse, to locate where it is so you can go and try to recover the file; and thirdly, to really detect if there is misuse for a specific veteran, and then you can help that veteran out.

Dr. Spafford. Mr. Chairman, monitoring detects after something has occurred, as Mr. Cook already mentioned. But credit fraud is not the only concern that should be present. As I noted in my comments, we now have all of this information on individuals who have ably served their country, and that information can be used to get replacement identification cards, passports, driver's licenses, and other information, for individuals to have a clean record, or even a trusted record, to go out and cause trouble; that when they run up a criminal record or misbehavior under those identities, it is not going to show up in a credit report, but more likely in a criminal report or a civil action. And monitoring is not going to prevent that, or even assist that.

The Chairman. All right. I mean, if I--by way of consumer products, and if in fact we are into the marketplace to purchase a consumer product, my sensing is that we don't want to just monitor. We want to do data verification, we want to be able to look at identity verification, and examine perhaps even insurance-based products. Because we have a choice: either--gosh, I threw out this suggestion and wow, judiciary Committee runs off yesterday, and they create the claims adjudication process. All I said was we were thinking about it. Isn't that amazing about this institution? It is in consideration and boom, they go off and they do it.
Now I have got to tell them, ``Wait a minute.'' So I just want all of you to know, when you read about this today, we are going to put all this a little on hold, so we can understand all this a little bit better. This is what we need to know from the VA, and I am not going to go with you on this one, unless you are prepared to talk about it today, but if there is a product out there whereby we got to monitor this for almost three years, we need to give them the tools out there when we do this bid on this contract, and if we can purchase that insurance up there using proper algorithms, to what our exposure would be on a contract, is to go with an insurance-based product out there whereby the veteran is protected up to $25,000. That way we wouldn't have to get into the, quote, ``claims adjudication process.'' We accept the responsibility, we, the government, have lost the data. But those are things for us as members to consider.

The last point I will make before I yield to Mr. Filner is a point that the witnesses discussed, and that we have concerns about, and that is in our society, we believe in something that is very congruent, and that is if I say that you have the responsibility to do something, then it must be coupled with the authority to act. And if I were to say that you have the responsibility, but you do not have authority, it then creates a syntactic situation, meaning it results in something that is incongruent. And if you have something that incongruent, you then have an opinion that is called a heterodox. And a heterodox is something that is completely out of the norm of society's communications.
So I say to the firemen, ``You have the responsibility to put out the fire, but you have no authority to hook up to city water.'' So the Secretary turns to the CIO and tells him that ``You have got the responsibility to do quality assurance; i.e., cyber security, et cetera, but that you have no authority to enforce, or tell anybody to do anything.'' I am very concerned. And I appreciate all of your testimonies. Mr. Filner, you are recognized.

Mr. Filner. Thank you. Your testimonies show you have obviously great expertise. You also give us very specific recommendations, which we can act on, and that is very useful. You have tried to talk to the VA about the kind of technology that you have and the services you could provide?

Mr. Cook. Yes, sir.

Mr. Filner. What happened with that?

Mr. Cook. We are continuing discussions with them. We are hoping to be able to provide them services.

Mr. Filner. As I understood what you do, it goes beyond what their announcement was yesterday.

Mr. Cook. Yes, sir. I looked at the announcement that they made. There was a small piece of that announcement that talked about looking at other breach monitoring, or breach remediation solutions. And I am assuming that that might have been looking at us, and other technologies that are available to do what we do, to which the best of my knowledge, we are the only one to do that.

Mr. Filner. So they are talking to you and are going to become aware of your expertise?

Mr. Cook. Yes, sir.

Mr. Filner. I just read an ad for, I think Visa, and they said they have what is called ``neural technology.''

Mr. Cook. Right.

Mr. Filner. They are able to provide their millions of cardholders with the knowledge if anything anomalous happens. Is that equivalent to what you are doing, or similar, or----

Mr. Cook. It is similar but different. Visa and other companies provide different modeling techniques.
One is the one that you mentioned, where they can look at an account to see if I am using my credit card properly. All right, if I lived in Texas my whole life and all of a sudden I start using something overseas, and I start to buy a lot of fenceable goods, jewelry or something, that is an anomalous pattern in the account behavior, and there are technologies that do that. We are the only ones that really apply that kind of technique to an identity. So Visa and others can look at an account. We look at an identity, and look at anomalous patterns about an identity, and how it behaves, how it behaves over time, and then also how it might relate to other people. And that is the way that we are able to detect if a breached file would be misused in an organized way.

Mr. Filner. Mr. Buyer was concerned about raised expectations for veterans. If we did use your system, are we giving them some of the security that they need, or the assurances that they need?

Mr. Cook. You would be. You had mentioned that your credit monitoring is not going to get your criminal activity, and so when you look at a problem like fraud, you generally have to throw a couple different solutions at it, and you are still not going to get all the fraud that there is. Our technology I think will definitely detect if a fraud is misusing the file, and they are misusing it more than five or six times, in an anomalous way. We would be able to detect that misuse, and then provide that information to the VA.

Mr. Filner. I thank you, and I hope we pursue that. Again, we will have to analyze competitors. If there are none, then I hope the VA will think about you.

Mr. Cook. May I make one more point?

Mr. Filner. Yes.

Mr. Cook. On credit monitoring, and I mentioned this. Whatever solution the VA chooses, and we have talked with them about this, it is important not to publish how long that solution is going to be in place.
For instance, if you're going to do credit monitoring for free for one year, anyone who took the file and has an intent to misuse a file, will sit on that for one year and one day, and then they will start to use it. So----

The Chairman. Mr. Cook, I'm sorry. These will go out under an RFP, publicly bid on, and your people are going to know. I just want to let you know the reality of government procurement.

Mr. Cook. Sir.

Mr. Filner. Mr. Brody, I had used the analogy for this data breach, used the ``Katrina'' situation. I mean, at first it seems like a natural disaster, and you have to deal with it. But when you look further, you could have predicted the consequences of a category five hurricane, you know what levees would have to be built, and it turned out we didn't do it. In this case too, some thief that hopefully is not going to use it stole the data. We couldn't have known that, but then if you look further, we could have prevented this disaster. I don't know if there are any policies in place to keep that data from going to the employee's home. I think you are going to have trouble, Mr. McClain, to fire this employee if there are no policies to say you can't do this. I mean, that is a real problem. But not only did VA not have policies about taking the data home, but you have outlined years and years' long indifference. So it seems to me, it's not just a natural disaster. There is accountability of management, and I assume you would hold responsible for this breach the top management people----

Mr. Brody. Oh, absolutely. I mean, as Chairman pointed out, the mismatch of accountability and authority was what we lived on a daily basis. I was the associate deputy assistant Secretary for a heterodox.

Mr. Filner. He made up that word. Now you are going to use it.

Mr. Brody. But even in the case of MS Blaster, for instance, that one incident where the VA networks were savaged as a result of malicious software attack, a root cause analysis was performed by the Veterans Health Administration, bringing in a distinguished doctor who had a history of doing root cause analyses, and the analysis concluded that the CIO's office was probably at fault because when it issued the warnings to put the patches in place, it didn't sufficiently convince everybody that we were really serious about putting the patches in place.

Mr. Filner. When you testified to this Committee in your role as CIO, was it?

Mr. Brody. CISO.

Mr. Filner. CISO. Were you as frank and as open as you were just now? Were you able to be?

Mr. Brody. No, I was not.

Mr. Filner. Was that made clear to you?

Mr. Brody. Yes.

Mr. Filner. How do we get around that? It seems to me that the legislation will need to include the independence of the person. It is a difficult thing. You are in a chain of command. If the legislation is giving you authority, not from the Secretary but from the Congress, then I guess we should give you authority to testify, too, without going through OMB and everyone else. I am just trying to think ahead, what the problems could be.

Mr. Brody. You are certainly thinking through all the right issues, believe me.

Mr. Filner. Has a successor been chosen to you?

Mr. Brody. Oh, yes. Yes, he has been in place for roughly two years.

Mr. Filner. And nothing much has changed, as far as you know?

Mr. Brody. No. The culture is still the culture.

Mr. Filner. Your testimony is very disturbing. We knew about it, you heard me say words similar to yours. So I mean, there have been people that have been talking to you, and we have known about it. But you put it in a way that is extremely, extremely disturbing. This is all about the veterans, not about an organization, not about turf, not about covering up. It is about the veterans. They have lost a lot of confidence, obviously.
And your testimony makes it apparent that there is going to have to be a broader scale of changes than just figuring out this particular problem, as bad as this is. The recent loss of data affected 13,000 people--and they offered a reward of $50,000. The VA's loss affected more than 26,000,000 people and the data could be sold for more than $500,000,000. The magnitude is incredible. But as big as it is, we can solve the technical issues, but you bring in even a broader problem. Mr. Chairman, you have been talking about this for several years. I think everybody now understands why. We have a chance as a Committee, as a Congress, to make the kind of changes that will benefit our veterans and keep them secure in the years to come. Thank you.

The Chairman. Sure. I appreciate the general line of questioning, and you were very kind to me. I don't want it to be spun out there that I am upset about credit monitoring. It is monitoring-plus, so I am glad you explore the other tools that are available, and that is what we want to make sure as members, that whatever the request for proposal that goes out, that it has a broader base to it. I think that is what we need to consider as we work with our appropriators, and figure out how they are also going to be paying for this, and out of what pools of money, and where does it come from. So we don't want it to be just monitoring, it is also the other tools. To correct the record before I get to Mr. Bilirakis, you said you are the only player in this space. Are you aware of a company called Intelius?

Mr. Cook. I am not.

The Chairman. All right, okay. I just want to let you know there are other players in the space. Mr. Bilirakis, you are now recognized.

Mr. Bilirakis. Thank you, Mr. Chairman. And I have heard that, you know, great testimony, obviously. I have heard Mr. Brody use the term ``root cause.'' We are concerned about the veterans. This is the veterans' Committee.
But I think that our concerns really ought to go past that point. No, we are not talking turf, here, anything of that nature. But Dr. Spafford, you were part of this President's--acronyms for every damn thing up here. But you are part of this group, and you all worked on it for approximately a year, from what I understand. Did you all come to the conclusion that there was no authority, enforcement authority that existed among these chief information officers?

Dr. Spafford. When we did our study that was not a specific question we looked at. However, in talking to people across government agencies, and our own experience, we have found that in many places, individual unit directors and military unit commanders feel that they can override policy whenever it gets in their way. And there is a problem throughout in being able to ensure that security policies and procedures are appropriately carried out. Unfortunately, without some training, the people who are making these decisions do not understand the consequences of overriding those decisions.

Mr. Bilirakis. Well, PITAC of course was not designed just to look into the VA Department. It was designed for government-wide, right?

Dr. Spafford. Yes, nationally.

Mr. Bilirakis. In your recommendations, apparently you all failed to point out and to emphasize this lack of authority to enforce; isn't that true?

Dr. Spafford. We were looking at the state of information technology across the nation, not simply in the government. And so our recommendations were for the state of cyber security as part of the national infrastructure, not simply government itself. So that was not one of the topic areas----

Mr. Bilirakis. You were basically given areas to cover, and you were limited to those areas?

Dr. Spafford. Effectively so, yes.

Mr. Bilirakis. But you have now come to the conclusion--and as you were speaking, Mr. Brody was shaking his head. I didn't look over at Mr. Cook--that much of the problem is, I mean, first of all, you all mentioned culture, and God knows that is a hell of a problem. Not only in the VA, but I suppose probably in all departments and agencies. But shouldn't we be concerned that apparently the lack of authority that is so very, very significant here, so very dense in this area, for crying out loud, does not exist, or apparently does not exist, or doesn't exist adequately, in all the other agencies and departments in the government?

Dr. Spafford. My comments about that in particular were based on my own personal experience rather than the Committee. That was a separate report. But yes, I have seen in many agencies, including Department of Defense, there is a lack of concomitant authority to go with the responsibility. In many agencies, such as appears to be at the Veterans' Administration, and in many companies, the person who is given the responsibility for security with no authority, the real position should have a label of ``scapegoat,'' because that is all that one can do, is take the blame, if you can't effect any change. And this is all too common in the area of security because those of us who understand the risks and want to implement the changes are resisted, because it costs money. It changes the way people do things. And so it is a very common problem throughout government and industry.

Mr. Bilirakis. Mr. Brody.

Mr. Brody. I can only concur. My direct observation was at the Departments of Veterans Affairs, Department of Energy, and the Department of Defense. And in all three cases, direct observation, there is no authority resident with the accountability function of these senior IT officials.

Mr. Bilirakis. And you all agree that this--I mean, we can talk about maybe solving or fixing this particular problem ultimately, or whatever the case may be.
We are spending so much time on this that we should be spending on other veterans' matters; claims, delay in claims, and healthcare, and things of that nature. I don't know. Does the president know that that significant part of this overall picture, that lack of authority to enforce does not exist? It was not part of your report that went to him.

Dr. Spafford. No, sir.

Mr. Bilirakis. So he does not know? I mean, he doesn't know by virtue of this report in any case.

Dr. Spafford. We were asked specifically to look at the status of cyber security research and technology transfer in the country, and how effective it was. That was the nature of that report.

Mr. Bilirakis. Well, you have said that, yeah.

Dr. Spafford. Yes. So as to what the president knows or does not know, I can't comment.

Mr. Brody. I just find it illuminating that the same body that gave us the Federal Information Security Management Act was not aware of this mismatch of accountability and authority.

Mr. Bilirakis. So you know, are we accomplishing very much of anything here? If we really don't look to the root cause, not only to the VA, I mean, this same sort of thing is going to happen in other departments and other agencies--Federal Trade Commission, we just got word, and we are hearing about other agencies or other departments. Should we have legislation--and I guess legislation is only as good as the people who are supposed to be carrying it out, that would mandate, for crying out loud, that there be some sort of authority? We are going to hear from the Counsel in a little while, I guess who is going to tell us that the authority is not there. But should we have legislation that would do it? Not just with the VA, and of course obviously, it would be something that would be applicable to all of the other Committees, which might be just enough of a reason to kill the legislation, because you know, jurisdictions assigned by other Committees do. But shouldn't we do something like that?
I mean, isn't that part of the root cause, getting to the root cause of all this?

Mr. Brody. I am on record with the Committee on Government Reform as pointing out that the major flaws in FISMA include the accountability versus the authority mismatch, as well as the issue of FISMA not necessarily measuring the right categories of information security.

Mr. Bilirakis. And you are on record as saying, and you all are on record as saying that basically you can't ever solve this unless you take care of that particular area; is that right?

Mr. Brody. Correct.

Mr. Bilirakis. Yeah. Let me ask--we understand that houses in the neighborhood of where this took place have also been burglarized apparently during the same period of time. And I guess they haven't been tied--whether the same person did it, or whatever the case may be. But I think that the impression is that the person who took this did not know what he or she was doing, or that they did not know what they had. Are we wrong by virtue of holding these hearings and all this publicity out there and that sort of thing? Is it likely that the thief or thieves know by now what they have in their possession?

Dr. Spafford. Based on the reports that I have seen, it is entirely possible because of a delay in reporting that if the thief was only interested in the physical computer, it had already left his or her possession by the time the news was released.

Mr. Bilirakis. Why would that be? Why would it have left?

Dr. Spafford. They would have sold it immediately. Those kinds of thefts are usually to pay money for drugs or----

Mr. Bilirakis. All right. But whoever they sold it to, the problem still potentially exists for that person, right?

Dr. Spafford. Very often, those systems are completely wiped or whatever--so they can't be traced back. But the second part of your question about holding these hearings, I think are very important, and also goes to your earlier question about is something being accomplished?
These kinds of problems have been happening for several years, and are going to happen more frequently. And it is very important that we all understand these problems and address them in some way. So I certainly applaud whatever you are doing in this regard.

Mr. Bilirakis. Okay. Mr. Brody, you agree, Mr. Cook?

Mr. Cook. I agree. If they do know that they have it, I know what I would do if I did. I would take it in the backyard and bury it.

Mr. Bilirakis. You would what?

Mr. Cook. I am sorry. If I knew that I had the information, I would take it in the backyard and bury it in a very deep hole. Because I think that there is so much scrutiny and so much interest in, you know, who has that file. I think there is other data that I would probably try and take----

Mr. Bilirakis. Okay. So actually then, you feel that hearings like this will tend to maybe convince the thief that they had better bury it and not try to use it.

Mr. Cook. We have done analysis in different breaches, and in one of the breaches there was a public announcement that was made. And what we noticed was, after the public announcement was made, the use of the file, the use of the names went way down. So we do think the public announcement helps a good deal. A concern that I would have is that over time, that data can get out. And if that information gets out over time, all of a sudden the attachment to the VA data breach might go away, and it just becomes names and Social Security numbers.

Mr. Bilirakis. Right.

Mr. Cook. And if that is the case, and if that information finds its way onto the Internet, over time, veterans can see identity theft happening to them from this breach. But we don't know that.

Mr. Bilirakis. Okay, thank you. I am feeling a little better. Thank you, Mr. Chairman.

The Chairman. Thanks very much. Mr. Michaud, you are now recognized.

Mr. Michaud. Thank you very much, Mr. Chairman, for having this hearing. I really appreciate your willingness to stay on top of it.
I also want to thank the panelists. It has been very informative. Mr. Brody, you had mentioned that VHA disagreed with the draft directive 6500 regarding the medical transcription services. Can you recall what they said, and why you thought this to be a faulty reasoning for not complying with it?

Mr. Brody. Yeah. I mean, in general, their position was that the language of their contract with the transcription company was sufficient control. But my office tried to point out to them that number one, they weren't monitoring or auditing whether or not the contractor was in compliance with the contract; number two, that outsourcing to a foreign company created some issues related to whether or not the individuals that had access to this data had criminal background, or potentially, ties to terrorist organizations. And number three, foreign organizations, foreign corporations deny us the ability to seek to address any issues in the U.S. courts, should it come to that. And when we pointed those things out to them, they, you know, took them under advisement, and went off and did their own thing.

Mr. Michaud. Thank you. Second thing, Mr. Brody, specifically was there any information or cyber security weaknesses in the VISTA system? If so, what were they and what could be done to fix them?

Mr. Brody. The Committee might find this interesting, I recall reading in the VA publication that is distributed in the hallways and near the elevators a few years ago, where there was an article on this done, and it was declared in the article by, you know, senior VA officials, how proud they were that they were able to develop Vista underground, without any involvement by the headquarters. And so I don't know what the software looks like inside Vista. I do know that as of two years ago, it had no access control whatsoever. And I don't know if that has been corrected to date.
So I would encourage the Committee to potentially take a look at--maybe do a security audit of Vista, and see what they find.

Mr. Michaud. Thank you. You had mentioned that you had worked with DOD and the Department of Energy, and you mentioned some of the same things about, you know, who was in charge. Did you witness similar problems with the other agencies, as far as security, that you witnessed at the VA? And does the DOE suffer from another agency's similar resistance to change, even though the authority might not have been the same; has it been that resistance in the other agencies, that culture, so to speak?

Mr. Brody. Overall, yes. I mean, not to quote Yogi Berra, but their similarities are different. And that means that in the national security world, which includes DOD and DOE, there tends to be a little bit greater appreciation for, across the population, for the need to operate more securely. Nonetheless, the decentralization, especially in an environment like DOE, has created similar, fragmented security issues, as exist in many other civilian agencies.

Mr. Michaud. Thank you. And is technology difficult to centralize, the IT operation within the VA, do you think?

Mr. Brody. There are some complexities associated with technology, but overall, technology is not the problem. I mean, the technology complexities relate to, in the case of the VA, some of these very older systems that are no longer supported by the original manufacturer, and those just probably need to be retired or migrated. But overall, the technology part of this problem is not the hard part of the problem. It is the cultural part of this problem.

Mr. Michaud. And my last question. In your opinion, do you feel that the 26 million records, is that a national, or non-national security problem?

Mr. Brody. If you take the strict definition of FISMA, it is a non-national security problem.
But I feel that when you begin aggregating the kinds of information that can be contained in those kinds of databases, you are very perilously close to a national security problem.

Mr. Michaud. Thank you. Thank you, Mr. Chairman. I yield back the balance of my time.

The Chairman. Thank you very much. Mr. Moran, you are recognized.

Mr. Moran. Mr. Chairman, thank you very much. Mr. Cook, you said something in your testimony or a response to a question, I think, that caught my attention that I don't understand. And it dealt with the percentages of Americans that are subject to identity theft, and I think it was one and a half to three percent. And then you indicated that the veterans who were in this computer information were something less. Would you explain that to me?

Mr. Cook. Sure. What I mean by that is, we have done a lot of analysis, and what we know is that the size of the breach is very important to the misuse rate of that breach. If it is misused and if you are a consumer, you want to be part of a very large breach. Because if you are part of a 26.5 million record breach, then the probability of somebody picking your name out of that fairly large hat and using your name to commit identity theft is very, very small. If you have a--and let us just say, if you put your mail in your mailbox and somebody takes your mail out, I would consider that a data breach of one. So there, you would have a very high percentage of your name being misused. So, the point I was trying to make is, we, all of us have got about a one and a half to three percent probability of identity theft happening to us during the course of a year. So the probability of identity theft happening to a veteran is one and a half to three percent, and so because now, they are part of a very large data breach, it is only going to increase very slightly for them, okay? But as a whole, it does mean that there will be more victims of identity theft in the U.S. It does mean that.

Mr. Moran. What then is the value of the 26 and a half million names, the information, then, on the street? Twenty six and a half million is too much data for somebody who would be in the market for identity theft?

Mr. Cook. Well, it is a lot. If you were one person, it would take you--we have done the math on it--it would take you about 12 lifetimes to use that one file. So it is a lot of data for one person to use. If they were to take it and disseminate it out on the Internet and try and sell it in packages, you know, we have heard anywhere from $25 to $75 from consumer advocate groups who have said this is what they hear. So there is a lot of dollars that they could get by selling that data, but again, if I had taken the data and I knew that it was the VA file, I would run away from it because I think there is going to be such intense scrutiny on that file, that people are going to be trying to find someone misusing that data.

Mr. Moran. What is the occurrence that causes us to know at some point in time that the security has been breached, and the information is being used? What would you expect to be the first sign that there is a real problem?

Mr. Cook. Well, it will be the anomalous behavior patterns that you would see in the file. For instance, there are 70, 60, 50 people in the room today. If all of our data was breached, six months from now if we all started using the same cell phone number, that would be anomalous. If half of us started living in the same apartment complex, that would be anomalous. And that is how we can detect the misuse. It is the events that happen after the breach to a specific identity, and the way that we can pull those things together. And that I think would be your first indication that somebody is actually misusing that file.

Mr. Moran. And this would be announced? This would become known because some veteran would indicate something bad is happening in his or her life?

Mr. Cook. That is what credit monitoring would require, is that a consumer really kind of placed their own report, and then provide that data to a central source, and that is not being done. And there would be so much noise in that, because again, we have a percentage of identity theft that is going to happen to us. It wouldn't be the consumer saying it, it would be our ability to look at the breached file, and then look within our ID network and see applications that were filed in those veterans' names, and then determine which of those applications were probably filed by the veteran, and which of those applications might have been filed by a fraud ring who has access to that file.

Mr. Moran. Thank you. Mr. Brody, I think you have been asked this question, and maybe Dr. Spafford as well, but for my understanding, is there something unique about the VA that really--I mean, this happened with VA information, so the focus is on the VA. We talk about the culture, the atmosphere, the attitude. Something unique about this place or just any other government agency is the same risk as the VA----

Mr. Brody. My observation would be that we need to be careful about not focusing entirely on this incident, because again, this was discovered almost by accident. How many more of these kinds of incidents are out there and not just at the VA where we know there are no controls in place to prevent it? We know there are no controls in place at other government departments and agencies, where, you know, larger amounts of information may be on some employee's owned computer, or on some contractor's owned computer. And so maybe the attention we are drawing to this incident could be creating an opportunity for, you know, some other bad actor out there, and that would be an unfortunate turn of events.

Mr. Moran. But the personnel of the VA aren't any blinder, or culturally resigned to the status quo than any other place?

Mr. Brody. Not necessarily, no.

Mr. Moran. Okay, thank you very much.
Thank you, Mr. Chairman.

The Chairman. Dr. Spafford, did you have something you wanted to say to Mr. Moran?

Dr. Spafford. I was simply going to say that there are some better and some worse. A lot depends upon their individual view of the data, versus their mission. So some organizations, as Mr. Brody said, in working with national defense, will be more aware of that value. And in other places where they view that their mission--and unfortunately, this is part of the problem, why this happened. The person who lost the data viewed that his mission was to get his reports done, or get his work done, rather than protecting and serving the veterans that the agency was supposed to be involved with. And where that disconnect occurs, you have more of these problems.

Mr. Moran. I would think that Mr. Buyer's leadership on this issue and the hearings that we are having, and the focus of the national attention on this issue, would cause other departments and agencies to have a desire to change their ways. Maybe that is just Kansas commonsense, but I hope it works that way in Washington, that this is the catalyst that causes us all to think that, ``My gosh, what we are doing isn't quite adequate.''

Dr. Spafford. Well, as I noted, and as Mr. Brody noted, this is not the first such incident, and these kinds of things have been going on for years. And whoever is currently in the spotlight takes a fair amount of heat, and vows never to do it again, and then someone else gets caught.

Mr. Moran. Thank you, Mr. Chairman.

The Chairman. Mea culpa, mea culpa, mea culpa. Ms. Herseth.

Ms. Herseth. Thank you, Mr. Chairman. And I appreciate the questions that I know Mr. Michaud had a chance to pose to Mr. Brody, and Mr. Moran's line of questioning.
I hope this presents an opportunity, as I explored in an earlier hearing, to evaluate whether or not we have the same weaknesses within these CIO organizations across other Federal agencies, which you had an opportunity to serve in two different agencies. And that while the VA is currently the one taking the heat, that whether it is USDA, EPA, DOE, others, start taking steps, and CIOs start sharing information across agencies, and that we make the decisions in the Congress about the resources at the front, and are they going to be necessary to prevent these types of situations that cost us far more at the back end. So let me just ask one question, because I know there is probably an interest in moving to the next panel, as well. Mr. Brody, we have had some discussions here about the age of the various files within the VA. Is it technically difficult to encrypt or convert VA's older databases?

Mr. Brody. It is more difficult to encrypt the databases that are on older hardware platforms, and older software operating systems that are no longer supported by any manufacturer. There are workarounds, and there are some complexities, but it is not impossible. And by and large, the technology part of this problem is not the hard part of this problem. Technology is available to solve most of the deficiencies identified by the IG and the GAO, in the VA.

Ms. Herseth. So if the technology isn't the problem, it is the resources and the obstructionism that we have to overcome, that is the problem?

Mr. Brody. More or less, yes.

Ms. Herseth. Okay. I yield back, Mr. Chairman. Thank you.

The Chairman. Thank you. I know Mr. Udall has had to step out for just a moment, so let me--we have votes that are going to occur at 12:15 to 12:30. So what I would say to Mr. McClain, I apologize but it is life on the Hill. All right, so Mr. Brody, I am going to go back to this, and we are going to get into this in the next panel with the General Counsel, about why they made certain decisions in their memoranda. But if I try to follow the logic, that FISMA is not--let me restate this. According to the most recent FISMA report, VA has no agency-wide security policy, is what the recent report says. If you were to design security policies, what would be the key components to be included in that policy?

Mr. Brody. It would include the confidentiality, integrity, the availability, and the accountability, for the necessary controls on all the VA's system, including the protection of data.

The Chairman. Dr. Spafford, would you agree with that?

Dr. Spafford. Those would certainly be the core elements of the policy.

The Chairman. What kind of training would be necessary to implement such a policy? And what kind of time are we talking about?

Mr. Brody. It would depend because there will be certain roles that would have to be trained. Managers across the agency would need a certain kind of training. Practitioners responsible for actually maintaining security devices would need a certain different kind of training. And by and large, a lot of that training is in place in the VA. We had put in place, following the incident in which some computer systems containing veterans' data were purchased by the television station in Indiana, we had put in place a program of practitioner professionalization, and we took 600 people through that program and certified them. But that is 600 in a population of over 200,000, that all need a significant degree of training.

The Chairman. And would we have any problems with the VA personnel policies or labor practices?

Mr. Brody. Those cropped up from time to time. Yes.

The Chairman. Such as?

Mr. Brody. Well, I mean--the details escape me at the moment, but you know, a fact of the matter is, whenever we tried to put in place any kind of policy that affected the day-to-day life of the individual, the resistance from HR organization was fairly stiff.

The Chairman. Interesting. Mr. Udall? You are recognized.

Mr. Udall. Thank you, Mr. Chairman. Mr. Brody, you talked a little bit about security and issues of security, and I wanted to ask you about--under the Federal Information Security Management Act, are you comfortable with the distinctions between a national security database, and a non-national security database? And how would you define these? And with respect to the specific information that was lost there, which category does it fall into? And are there any things that we should do in order to better protect ourselves, in terms of these definitions?

Mr. Brody. I would say I understand the definitions, and whether or not I am comfortable with them, I spent 10 years in the intelligence community, so I understand that when you take what would appear outwardly to be non-sensitive information and begin aggregating it so that it starts to become more sensitive, you cross a fine line into what could be classified as national security information. According to the definitions that are incorporated in FISMA, that does not apply in this case. But I would argue that the aggregation of information in VA's systems can be of significant value to those who would wish to do this country harm.

Mr. Udall. And is there anything we can do to further protect in that area, other than what you have already outlined here today?

Mr. Brody. Well, I mean I actually raised this issue in 2001 when I arrived at the department. And I was told that that is the responsibility of the office of security and law enforcement, and ``Thank you very much for your input.'' So again, we are dealing with the fragmented security authorities across the department.

Mr. Udall. Several statements by the VA indicate that the employee who took home the data did so without authorization. If he was already authorized access to the data, what policy or regulation would have required further authorization? And do you recall if the IG or the GAO, or any other entity, ever commented on this as a weakness?

Mr. Brody. I am not aware of any policy that would have prevented this. Nor am I aware of any comments by any other party.

Mr. Udall. A changed management system developed after Secretary Principi attempted in 2002 to centralize the CIO function. This new system was characterized by significant non-line reporting. How well did this system work, and did that hybrid system approximate the Federated Management system recently adopted by the VA?

Mr. Brody. Yeah, I would have to characterize the results of that as not in keeping with the spirit of this Committee's concerns, as addressed in 2002. Once we get to that of a line sort of authority thing, and then in the wake of the MS Blaster incident, we did an analysis internal to my office, and I am sorry that I don't have it present, but I am sure that we can probably draw it out of someone's files, where we determined specifically who had responsibility for configuration control and configuration management in the department. And it turned out that as a result of the efforts by Secretary Principi to put that memo in place in 2002, there were no less than 13 separate places by which configuration control would be managed in the department.

Mr. Udall. To Dr. Spafford or Mr. Cook, do you have any comments on anything you have heard, or I have raised here?

Dr. Spafford. No.

Mr. Cook. No.

Mr. Udall. Okay, thank you. Thank you, Mr. Chairman. I yield back.

The Chairman. Mr. Brody, in your testimony you testified to something that we as a Committee had considered, and that was whether to elevate the CIO to the level of an under Secretary.
And we thought about that as a Committee when we put together our legislation, and I guess looking back on it, maybe we should have. Really, our inward discussions were dealing with if you have a culture of resistance that I called the ``centurions of the status quo,'' and it is much easier for the three under secretaries to run over the CIO, especially if they can then--they all are competing to win the support of the deputy Secretary, or the Secretary. So I just want to let you know, I got your message. I embrace it, and we as a Committee are going to look back on your recommendations.

Let me turn to Mr. Cook. With regard to data, when an individual feels--you know, they went to the ball game, just had their purse stolen, their pockets were picked, now it is like, ``Oh, my gosh. I had 12 credit cards in there. It is now gone. What do I do? Who do I call?'' My question to you is, what is the norm before an individual will begin to feel the bad effect?

Mr. Cook. There has been some analysis on that, and FTC I think has done some of the best analysis, and another organization called Identity Theft Resource Center. I think the average--and I'm not sure of this, but I think the average is about six months before they actually see it. Because what happens is you might get an inquiry in your credit reports that you may not be aware of, because you don't have credit monitoring. And then, that account, if it is a wireless account or a credit card account, is open, and then that fraudster might use that account. Some people will take the account, buy fenceable goods, and go bad right away. Others will use that account over time, as many as 18 months, so that they can do something that the industry calls ``bust-out,'' where they can actually drive the account much higher than what the credit limit is.
And so generally, consumers will find out they are a victim of identity theft because they will get a call either from their credit card issuing bank, or the wireless company, or from a collection company. So it is generally about six months, 7, 8 months out. Now, if there is a fraudster who steals an identity and uses that identity over and over and over, and that consumer happens to have consumer monitoring--this is a very small percentage of people--then they may be aware of that within as quickly as three weeks, if you will.

The Chairman. All right. Our challenge here is to build a system, and at the same time take care of the veterans, and produce that product in Congress, as we work with the administration. I want to thank you for taking your time to put together your testimony, and for being here. I appreciate that. Mr. Brody, thank you. We asked you to do a job, and put a patch over one eye and we tied your good arm to your back, and you did your very best. And I know it was hard, and it was difficult. And we don't view you as a scapegoat, because the more we do our forensics, the better the understanding we have about the culture, and the problems, and the resistance to change Mr. Filner had discussed. And we are going to embrace your recommendations, along with Dr. Spafford. Once again, let me thank you for helping your country. Your testimony is insightful and valuable to us, as we formulate this legislation. Any other questions?

[No response.]

This panel is now excused. If we could turn to the second panel. And even though we got a warning that votes will occur. Dr. Spafford, do you have to take off? Do you have to run? Dr. Spafford, do you have to catch a flight?

Dr. Spafford. Later on this evening.

The Chairman. Okay, could you sit and listen to this panel? Are you going to have to take off?

Dr. Spafford. No, I can----

The Chairman. That is wonderful, thank you. What I had planned to do, Dr. Spafford, is I would like you to listen to this panel, and then I am going to circle back with you--we could have a discussion. If we can't get it today, are you around Monday, at Purdue University?

Dr. Spafford. No, sir, I will be at a conference----

The Chairman. At a beautiful resort? Don't answer that.

Dr. Spafford. Allegedly.

The Chairman. Allegedly, great. Means you're in Toledo? Sorry, nothing against Toledo. All right. Hey, hey, hey. Sitting on our second panel is the General Counsel for the Department of Veterans Affairs, Mr. Tim McClain. Mr. McClain was confirmed by the Senate as the General Counsel for the Department of Veterans Affairs in April 2001. As General Counsel, he serves as the chief legal adviser to the Secretary of Veterans' Affairs and the department's other senior leaders, and manages the Office of General Counsel, which is comprised of nearly 400 attorneys assigned throughout the United States. Mr. McClain also served as the VA Chief Management Officer from January 2005, through November 2005, responsible for the department's budget, financial policy and operations, acquisitions, material management, real property asset management, environmental policy, and business oversight. Thank you very much for being here. If you would also introduce Mr. Thompson, who accompanies you and you will then be recognized.

Mr. McClain. Mr. Chairman, thank you very much. Mr. Chairman, Ranking Member, and members of the Committee, accompanying me this morning is Jack Thompson, who is the Deputy General Counsel at the VA, and he has over 30 years of service with the VA as an attorney. Also, I would like to, if I could, ask that my full statement be made a part of the record.

The Chairman. All right. We do. If you will arise and give me your right hand.

[Witness sworn.]

The Chairman. Thank you, please be seated. Mr. McClain, you are recognized.

TESTIMONY OF THE HONORABLE TIM S. MCCLAIN, GENERAL COUNSEL, U.S. DEPARTMENT OF VETERANS AFFAIRS, ACCOMPANIED BY JACK THOMPSON, DEPUTY GENERAL COUNSEL

Mr. McClain. Thank you, sir. And thank you for the opportunity to discuss the legal implications of the May 3, 2006, theft from a VA employee's home, of personal identifying information concerning veteran servicemembers. This incident brings into sharp focus the Federal laws that address a similar issue; i.e., safeguarding personal information. Both the Privacy Act and the Federal Information Security Management Act, or FISMA, provide a framework for establishing agency safeguards to ensure the security and confidentiality of records. These statutes generally outline agency responsibilities, and require the agency head and senior officials to ensure compliance with the law.

Since we were made aware of this terrible situation, the employees of the VA have worked tirelessly to ensure two things: one, that the normal services to veterans, including healthcare, benefits, burial, and memorial services, have continued uninterrupted. And two, that we address this situation in such a manner that it will minimize any adverse impact on a veteran. This is VA's problem, and we intend to address it as one. Secretary Nicholson has launched VA on a course that will result in VA being the gold standard for information security in Federal Government. That is no easy task. VA is so large, and with so many very vital programs, that it will take a concerted effort on every employee's part to make it happen. Just as VA transformed its health-care system from one of questionable quality in the early 1990s, to today, the recognized leader in healthcare delivery and electronic healthcare records, we are committed to leading the Federal Government in information security. Along that line, in an October 19, 2005, memorandum, Secretary Nicholson ordered the reorganization of VA's IT operations.
In February 2006, the Secretary strongly advised senior agency officials at a senior management retreat that today's IT reorganization was his top priority. In that regard, on April 30th of this year, over 4000 employees were detailed to the Office of Information Technology, as part of this implementation plan. As of the end of the current fiscal year, those employees will permanently be transferred to the Office of Information Technology. This has placed all IT operations and maintenance personnel under the supervisory control of the CIO.

Another major development was announced yesterday by the Secretary. That VA is committed to providing one year of free credit monitoring to individuals whose sensitive personal information, their names and Social Security numbers, may have been stolen as a result of this incident. Providing free credit monitoring will help safeguard those who may be affected, and will provide them with the peace of mind they deserve. This week, VA will solicit bids from qualified companies to provide a comprehensive credit monitoring solution. VA will ask these companies to provide expedited proposals, and be prepared to implement them rapidly, once they are under contract. Once VA hires a credit monitoring company, the department will send a detailed letter to individuals whose sensitive personal information may have been included in the stolen data. This letter will explain credit monitoring, and how those eligible can enroll or opt in for the services. The department expects to have credit monitoring services in place and the letters mailed by mid August.

VA will also be soliciting bids to hire a company that provides a data breach analysis, which will look for possible misuse of the stolen VA data. The analysis will help measure the risk of the data loss, identify suspicious misuse of identity information, and expedite full assistance to affected individuals.
These efforts will augment the other aggressive steps VA has already implemented in response to the unfortunate incident. As previously announced, the Secretary has already directed a series of personnel changes in the affected office within the department. The Secretary has also hired a former Maricopa County prosecutor, Richard Romley, as a special adviser for information security. He ordered the expedited completion of cyber security awareness training and privacy awareness training for all VA employees, and also ordered an inventory of all positions requiring access to sensitive VA data. He also asked that every laptop undergo a security review. And the VA's facilities across the country, every hospital, CBOC, community outpatient clinic, regional office, national cemetery field office, and VA central office here in Washington, observe a security awareness week, beginning next Monday. Thank you, Mr. Chairman, for the opportunity to testify, and I will be glad to answer any questions from the Committee. [The statement of Mr. McClain and accompanying documents appears on p. 92.] The Chairman. All right. First, I have--have you been present during the discussions on formulating this policy to provide the free credit monitoring? Were you present at these discussions? Mr. McClain. Yes, sir. The Chairman. Okay. What does free credit monitoring mean? Mr. McClain. Well, it will be defined by the bids that are received in response to the RFP that has gone out. Credit monitoring is a package of services that are offered by, for the most part, the three major credit bureaus, and possibly others. And they have different levels of this service that you can actually purchase from them. The RFP will be requesting a very robust package to cover the veterans, and it will be determined by actually what the bids are in response to the solicitation. The Chairman. You got my attention in your testimony when you talked about a comprehensive approach. 
My sense from my colleagues is that that is where our greatest interest is. And so let me go back to my earlier comments, when I heard about the, oh, credit monitoring. It has to be about more than just that. And that is also our testimony from the first panel. So now, we say, okay, we are going to invite the credit monitoring, you say we are going to do bids to do a comprehensive approach, and then we are also going to do a second--you have got two proposals that are going to be going out; is that correct? Mr. McClain. Yes, sir. The Chairman. All right, tell me a little bit more about your first proposal for a comprehensive approach. Is that sort of what the gentleman was talking about from analytics, or also Intelius does, out there in the private-sector? Mr. McClain. Sir, the comprehensive approach would be the entire--would be everything. In other words, both solicitations that go out, which would include a robust credit monitoring package, and it would include a company to come in and do the data breach analysis. The Chairman. Okay. But on a comprehensive approach, are we also saying that you are considering purchase of an insurance-based product? Mr. McClain. Yes, sir, because that normally comes with your normal commercial credit monitoring package. If you were to go to any of the big three credit bureaus that would be included in the package. The Chairman. Mr. McClain, that is a big deal. I think it is a big deal. Because Congress out here just yesterday, the Judiciary Committee immediately goes out there and does the claims adjudication process. And when I brought that up, I talked to the Secretary about that. And he is like, ``Whoa, Steve, I know what you are trying to do. Let us see what is available in the commercial market.'' Even if we were to do that, do we want to keep it in-house? Would we keep it under you? Would you create a separate agency to do that? 
You don't want it to be organic, limited in scope, limited in time, a lot of things to think and consider about. But you can notice how heightened members are about the issue, that the Judiciary Committee would run out. So I would welcome the VA to explain this a little bit further as you are formulating this. I think that the VA is saying that we are interested in providing that financial assurance--an insurance-based product while we do this, will make veterans feel a little bit better. Would you agree? Mr. McClain. Yes, sir. And we'll be glad to. I'm certainly not the expert in the credit monitoring packages or the insurance, but we'll be glad to provide the Committee with a more detailed reasoning as to exactly what that entails. The Chairman. All right. Here is what is happening, is that not only are you learning, VA, more about this; so are we. And that we want to work with you on how you develop your comprehensive approach, as opposed to us, you know; either that or we dictate something and we don't want to have to do that. I mean, we can set parameters, but you are also going to be coming here and asking us to pay for it. Okay? With that, I yield to Mr. Filner. Mr. Filner. Mr. McClain, I think you ought to be ashamed of the testimony you just gave us. You sat through an hour and a half of testimony, detailing some very grave problems in the culture of the VA. We also heard some very technical and very specific suggestions on what we might do, including the weaknesses of just credit monitoring. And you read the same thing that you walked in with, as if you didn't hear anything, nothing is wrong, the Secretary is taking action, you are taking action, everything is fine. You have the lowest guy on administrative leave, and it is not clear that he violated any policy, anyway, and his superior resigned. We just heard of extensive management failures of VA. You don't address that. It didn't happen. 
You are testifying about a completely different world from the one we heard. You have the biggest breach of security of identities in the history of this country, and you haven't come to grips with this issue. Your testimony shows the very reason why we have a problem. You don't recognize anything, you don't admit anything, you don't acknowledge anything, you don't want to change anything. This is disgraceful. Given the testimony from Dr. Spafford, and Mr. Brody, and Mr. Cook, why shouldn't you and everybody above you in the chain be held responsible for the data loss? It was your memos that said there couldn't be any centralization. It was your memos that contradicted the authority of FISMA. It was your memos that said the Secretary is not going to centralize. Why should you not be fired for this incredible breach? Mr. McClain. Mr. Filner, first of all, I think that VA has taken this very seriously. I mean, this is---- Mr. Filner. The first step is to acknowledge a problem. Read your statement again and show me where you acknowledge that there were some errors in the management of your agency. Show me where. I just read your whole testimony. Not one word to show that you understand the severity of the problem. They say the first step in understanding addiction is, you have to get rid of denial. You are still in denial. Mr. McClain. Denial that there is a problem---- Mr. Filner. That there is something--in the culture of the VA management system that caused this. Mr. McClain. I believe that the Secretary has testified on more than one occasion in front of this Committee and others, saying that there was a problem, and it has made him mad as hell. Mr. Filner. I can see everybody is mad as hell sitting here. When did you hear about the data breach after May third? When did you hear about it? Mr. McClain. May 16th. Mr. Filner. You don't think that is a problem in your system? That it took you two weeks to hear something? Mr. McClain. I believe it is. Mr. Filner. 
So what are you doing about it? Mr. McClain. We are---- Mr. Filner. You are asking for an RFP, yet you are not doing one thing about the management, as far as I can tell. Mr. McClain. Oh, I think that---- Mr. Filner. Tell me, what are you doing? Mr. McClain. We are doing a complete review of information security in every single office in the VA. From the lessons learned from that, and this is being chaired by the deputy Secretary. From the lessons learned, we are going to move forward with implementing changes, so that there is a uniform information security policy throughout the---- Mr. Filner. What were the lessons you have learned? Mr. McClain. Sir? Mr. Filner. You said we are going to implement the lessons learned. What lessons have you learned? Mr. McClain. That we need to pay more attention to information security, that we have people out there that do not realize that what they have is a veteran's personal data in their hands, or on their laptop, and they are---- Mr. Filner. Don't talk about other people. What have you learned? I want to know what you have learned. Do you question what you did in those memos in 2003 and 2004 when you gave basically the legal rationale for not doing anything? Would you retract those, or would you redo them? Tell me what you have learned. Mr. McClain. Mr. Filner, I would not retract those. I think---- Mr. Filner. Okay, you are the problem. You are the problem. Until you admit that, it is not going to change. The Chairman. I am going to need to recess the Committee. We have six and a half minutes left. We have three votes. So after these three votes, we will return. Thank you. The Committee stands in recess. [The referenced memos are attached to Mr. McClain's prepared statement and appear on p. 96.] [Recess.] The Chairman. The VA Committee will come back to order, and I yield to the gentleman, Mr. Filner, so he may resume his line of questioning. Mr. Filner, you are now recognized. Mr. Filner. Thank you, Mr. Chairman. 
Thank you for waiting for us, Mr. McClain. The summary of what I was saying before is that we have a whole series of analysts who agreed on several things, and all my colleagues seemed to agree, also. The issue of authority and resources for the chief information officer or chief information security officer. And you made no comment on that. Your memos on this issue, where you debate the meaning of the word ``ensure,'' remind me of the president who was trying to debate the meaning of ``is.'' You are looking for any reason not to get the CISO the authority he needs, and I ask you if you would retract those, and you said, ``No.'' Do you believe that we have to pass additional legislation to give the CISO authority in your department, although you say here the Secretary could do it on his own? Have you made any steps in changing that authority in the VA? Everybody agreed that is the main thing. Mr. McClain. Mr. Filner, regarding the opinions, I do believe the opinions state the state of the law at the time that those opinions were written. In other words, the issues would come in, or questions would come in, and indeed, in the case of the April 7th, 2004, opinion, we had three different offices ask us to opine on the particular issue of FISMA. [The April 7, 2004, memo referred to is attached to Mr. McClain's prepared statement and appears on p. 104.] Mr. Filner. Do you think that the CISO ought to have the authority that the three panels all agreed on for good cyber security? Mr. McClain. Well, I don't---- Mr. Filner. You personally, what do you think? Why don't you ask us for legislation that would give the CISO authority? You are hiding behind all these words and these opinions. Do you think you are the General Counsel--do you think the CISO ought to have the authority to enforce the decisions that he makes? Mr. McClain. I think that if the CIO had additional authority it would probably make his particular job easier. Is that a good idea? 
That is really a policy discussion, and not a legal---- Mr. Filner. Other agencies have interpreted the same law as giving their CISOs that authority, right? Mr. McClain. I am not aware of that, sir. Mr. Filner. Have you asked other agencies? Did you consult other General Counsels, to see what they said? Mr. McClain. No, we didn't. Mr. Filner. It seems to me that would be a good thing to do. It looks to me that you all decided he shouldn't have authority, then you found a way to quibble with the word ``ensure.'' When Secretary Principi tried to change, he got resistance from everybody. So that is what I meant when I said you are the problem. You are the problem. You don't even believe the CISO should have authority, the way you said it, ``it is a policy issue.'' I am asking you what you think. We just had the biggest breach in the history of the government, and you are still quibbling about what the word ``ensure'' means. Should the CISO have the authority to enforce cyber security rules? Mr. McClain. Yes, in some form he should. Mr. Filner. Well, thank you. Now, would you recommend to us please, by tomorrow, what you would need when you opined that he could actually have that authority? You are the Counsel. Give us some advice on that. Give us the language. Mr. McClain. I would be glad to discuss it with your staff, Congressman Filner---- Mr. Filner. Call me. Don't talk to my staff. You're saying it would be a good thing, so make a recommendation that would make it happen, since you don't think it can happen under the existing legislation. Mr. McClain. Well, I didn't say it couldn't happen under the existing legislation. In fact, both of the opinions refer to the fact that there can be a delegation of authority. Mr. Filner. So why hasn't there been? Mr. McClain. There has been, to a certain degree, in the reorganization that is already underway. Mr. Filner. Has there been any change since May 3rd? Mr. McClain. No, I don't believe---- Mr. Filner. 
Of this year, since this security breach? Mr. McClain. I don't believe so. Mr. Filner. So you are not doing anything. You are not focusing on the major problems. Mr. Chairman, as I said, this is very frustrating. You have been working on this for several years. I have to admit that I didn't pay any attention to you. I should have. And I don't think that Congress did. We have now the opportunity to do what you want to do, and I think we are all going to be behind you. This is not an issue coming from the lone action of one employee. That is what you from the VA keep stressing, because you think he is going to be terminated. We heard that enforcement guidance for cyber security is at best confusing. Some say it doesn't exist. We know that Mr. Brody and others tried to get that authority; it didn't happen. It all comes back to the policies and the management who makes those policies. Nobody seems to be accepting that responsibility, Mr. McClain. Not the Secretary, not the Deputy, not you. I just can't understand what type of leaders would fail to do their jobs and then try to put the blame on everybody else. When we didn't secure an Iraqi ammo dump, the DOD blamed the troops. When FEMA failed to execute a disaster plan, they blamed the weather. Now, after years of failing to implement a clear, meaningful policy, you blame an employee for breaking some unidentified policy. Mr. Chairman, I hope that you continue what you have started, and you have backing from all of us, and the American people. We should not tolerate these policies, or the field of leadership that allows them to continue. Thank you, sir. The Chairman. Thank you. I have a further line of questioning, Mr. Michaud, but let me make this statement, and I will yield to the gentleman. If you have additional questions, do you? Mr. Michaud. Yes, I have. The Chairman. Okay. 
Prior to the break, I had mentioned what the colleagues with the Judiciary Committee had done with regards to setting up a separate agency to deal with claims adjudication as an administrative remedy for pathway to the tort claims, Federal Tort Claims Act. And I have asked the majority leader to hold that at the moment. It really is just a great example of the heightened awareness, Mr. McClain, that members of Congress have to, quote, ``do something,'' but that can also get you in trouble. And so I am very sincere in sharing with you, number one, what I had done with the majority leader; number two, my conversation that I just had about 10 minutes ago with Chairman Walsh. I know that the Secretary will be before this Committee on Tuesday. I plan on attending. And I will see the Secretary again on Thursday. But over this time period or the next 10 days, we want to work with you. And I took from your testimony an inference, and it is okay, and the inference is that, ``we are outside of our lane,'' and with, ``how do we deal with this? We have never had to deal with this before.'' So when you say to the Committee that, ``We are going to do an RFP, and we are interested in seeing what they are going to bring us,'' usually that is kind of backwards. We correlate these kinds of things, and let the private sector know what we want. And it is okay, I am not going to be critical of you, because we are interviewing just like you are interviewing, trying to figure out how to best deal with this, because of its scope? And also, how do we pay for it? I am not a contract lawyer. I have got to yield to you---- Mr. McClain. I'm not either, sir. The Chairman. All right. And so that is why I am not going after you on that. I am just concerned---- Mr. McClain. Well, Mr. Chairman---- The Chairman. I just want to let you know, I am concerned about what the Judiciary Committee did. 
So what I am saying to you, and please convey to the Secretary what the Judiciary Committee just did, I am going to hold that as much as I can, okay, with my relationship with the majority leader, to hold that. Let us craft a product that not only can we begin to monitor, but we can also place the veteran in the assurance that they are not going to have an out-of-pocket loss. We are going to have potentially a disruption of their life. This is going to be uncomfortable. But if we are able to create a product, and there are some out there that can give them up to $25,000 insurance, with regard to the loss, and we make that part of a package, I think it is exactly where the Secretary was in his conversation with me. Not by number, we did not discuss numbers. But please, I yield to the gentleman. Mr. McClain. Thank you, sir. I was just saying that I know that they're working very hard on the statement of work, which will be up with the RFP, and I am sure it will define exactly what we're looking for from the three companies, or even more. The Chairman. Well, whoever the ``they'' is, will the ``they'' communicate with our staff, and just as important, communicate with the appropriators? Mr. McClain. Yes. The Chairman. Last thing you want to have happen is put together something that you think is best, but has not been communicated with the appropriators, and you just turn to them and say, ``Pay for it.'' Mr. McClain. No, I understand. The Chairman. You know, my gosh, you are going to end up just with what they did with Denver, and they zeroed out something because there wasn't the best of communications. Mr. Michaud. Mr. Michaud. Thank you very much, Mr. Chairman. Mr. 
McClain, the VA Directive 6504 dated June 7th of this year stated that, I quote, ``the VA employees are permitted to transport, transmit, access, and use VA data outside VA facilities only when such activity has been specifically approved by the employee's supervisor, and when appropriate security measures are taken to ensure VA information and services are not compromised,'' end of quote. How does this policy differ from what was done prior to May 3rd of this year? Mr. McClain. Congressman Michaud, I'm going to have to not get into that area because of the three pending class-action lawsuits that the actual policies and procedures that were in place at the time are at issue in each one of those lawsuits, and on advice of our attorney, Department of Justice, I can't comment on that. Mr. Michaud. Do you believe that the data involved in the May 3rd incident constituted a national security data breach, or in non-national security? Mr. McClain. I have not looked into that or rendered any particular opinion on that issue. Mr. Michaud. Ever been asked to render an opinion? Mr. McClain. I have not. Mr. Michaud. So no one at VA is looking at this issue? Mr. McClain. Well, I know that it has come up in the hearings, and someone is looking at it. But my office has not been asked to render an opinion on it. Mr. Michaud. Okay, and you have no idea who is looking at it in the VA? Because it has come up in previous hearings. Mr. McClain. I believe the--well, the office of information technology is looking into it right now. Mr. Michaud. Okay. Your memorandum of April 7th of 2004, states that FISMA does not require the Secretary to provide the CIO with the enforcement powers to the extent that he chooses to do so. However, he may delegate more authority to the CIO and it is provided for by FISMA. A couple of questions, what specific authority has the Secretary delegated prior to May 3rd of 2006? And has the Secretary delegated any additional authority since that date? 
And if so, to which officers? Mr. McClain. I don't believe that there was any delegation beyond the actual mandates of FISMA, and the Clinger Cohen Act, and also the Paperwork Reduction Act; kind of the three acts that really control what the CIO does. And there has been a lot of discussion on what is required at this point, and that is exactly what I was talking about before, is we're currently doing a complete inventory of all information security practices in every office in the VA. And based upon that inventory, that list of best practices and recommendations, I'm sure that there will be further action taken. Mr. Michaud. So you agree that the Secretary can delegate to the CIO the authority that he needs to make sure that these information security issues are upheld? Mr. McClain. I believe that--yes, I believe that there is sufficient authority that resides--authority that resides with the Secretary that could be delegated down. Now, the one thing, the one caveat that I want to put on it is that there was some discussion, in particular, Mr. Brody made his statement that he was frustrated that there was push-back from HR, I guess, when--relating to actual sanctions or penalties against government employees. And of course, that is a problem. When I say ``a problem,'' from an enforcement point of view. Every employee is protected by a lot of Title 5 rules and regulations in the government, and the question would be, could the CIO impose a penalty or sanction, or discipline, on say, a VHA employee that doesn't belong to the CIO? A VHA employee in the State of Washington, for example? And that would raise tremendous questions under Title 5, Title 38. And those issues would require legislation along some lines in order to accomplish the complete ability to impose sanctions. Mr. Michaud. Even if the Secretary gives him the authority? Mr. McClain. The Secretary may not have that authority because of the laws that are in place. That's why I made it a caveat. Mr. 
Michaud. Does the Secretary know that he has the authority to delegate a lot more than what has been delegated? Has anyone told the Secretary he has that authority? Mr. McClain. Yes. Mr. Michaud. So he is aware of it? Mr. McClain. Yes, he is. Mr. Michaud. Okay. And has he made any overtures to you that he is looking in that direction, to give all the authority that he can to the CIO? Mr. McClain. There have been quite a few discussions, as you can imagine, recently on the issue, and I'm not going to speak for the Secretary, but I believe that there may be action forthcoming. Mr. Michaud. Okay, thank you. Thank you, Mr. Chairman. I yield back. The Chairman. Thank you. Ms. Herseth. Ms. Herseth. Thank you, Mr. Chairman. I was a little confused by some of the responses. And I know I was a little late getting back in here, but let me just walk through that line of questioning of Mr. Michaud's once again. Your interpretation is that the Secretary has the authority to delegate certain responsibilities to the CIO? Mr. McClain. Yes. Ms. Herseth. And that would include enforcement authorities? Mr. McClain. Yes, certain enforcement authorities. Ms. Herseth. Certain enforcement authorities? The Chairman. Like what? Sorry. Ms. Herseth. Well--appreciate that. I think that---- Mr. McClain. That's the next question. Ms. Herseth. Let us say, which ones would not be? Mr. McClain. When I had just responded in the actual taking disciplinary action against an employee that is not within his department. In other words--let me, if I can, analogize this a little bit. The--under Title 5 of--in Federal civil service, the appropriate person to propose discipline is the employee's supervisor. And so that system is used every day, still in place, and indeed that could be used today, in order to impose discipline on an employee that does not follow published rules and regulations. Ms. Herseth. 
So, separate from disciplinary actions, the Secretary would have the authority to delegate any other enforcement necessary to ensure compliance by the agency with information security requirements? Mr. McClain. I believe so. I mean, there's quite a few things that the CIO could do. I mean, under FISMA and--the CIO has the authority in order to set all of the standards that are for access, for classification, for personnel, those sorts of things, in order to get onto the CIO equipment, the computer equipment, and how to use it, and what to do with it. He can-- if you're talking about enforcement--he can prevent someone from getting on, prevent someone from bringing a piece of equipment on---- Ms. Herseth. Prevent someone from obstruction? Of implementing the requirements? Mr. McClain. Yes. Yes. Ms. Herseth. Are you aware, you know, your memos have been the focus of a lot of the questions, and even some of the discussion in prior hearings? Are you aware of any similar conclusions that you drew regarding the CIO's enforcement purview of any other General Counsel in any other Federal agencies, reviewing the same type of questions that would come up about enforcement authorities of the CIO? Mr. McClain. No, actually that question was asked, and the answer is no, I'm not aware of any others. Ms. Herseth. Let me just ask a couple of questions with regard to implementation of the March 2004 Principi memorandum. Your written testimony states that it might be helpful to briefly state what the department has done to implement Secretary Principi's 2004 memorandum. You then state that on April 30th, 2006, approximately 4000 FTE's were temporarily detailed to the office of information and technology. Was that step taken to effectuate the March 2004 memorandum, which calls on then-CIO Robert McFarland, to devise a department-wide cyber security program under FISMA? 
Or was that a step taken to meet other department requirements or responsibilities, such as the creation of a separate information technology account, in last year's VA appropriations bill? Mr. McClain. I think it was a step in direct line with the Secretary's October 2005 decision to order an IT reorganization in the department. Ms. Herseth. And do you believe that the items you list in your testimony as addressing the March 2004 memorandum are sufficient actions to have taken in response to that memorandum, in the more than two years since it was released? Mr. McClain. I think that it is certainly a large step in the right direction. Are there other things that need to be done? Yes, and certainly the department acknowledges that there is more to be done in order to effectuate not only this memorandum, but the IT reorganization. Ms. Herseth. Do you have any thoughts on any of the recommendations Mr. Brody made in his written testimony that was submitted, most of which I think he also restated in his oral testimony today? Mr. McClain. No, I have no comment. Ms. Herseth. Would you, if you had more time to consider them? Mr. McClain. Perhaps. Ms. Herseth. I would then request from the Chairman that perhaps you could submit just any thoughts on those recommendations that he submitted to the Committee, from your experience in the last number of years here as General Counsel, on those recommendations. Mr. McClain. All right, certainly. Ms. Herseth. Thank you. I yield back. [The March 16, 2004, memo referred to is attached to Mr. McClain's prepared statement and appears on p. 103.] Mr. Filner. Point of order: do we have Counsel here? What is the definition of ``contempt of Congress?'' Those last two answers were in contempt of Congress, Mr. Counsel. They may not meet strict legal criteria, but--we sat here for two hours, asked questions of experts. They made recommendations but Mr. McClain has ``no comment,'' perhaps he will have something to say later. 
That is just irresponsible; that is contempt of Congress. The Chairman. All right. Mr. McClain, I have a series of questions, and it is going to follow the same lines of some issues Mr. Filner brought up, and in particular, Mr. Michaud and Ms. Herseth. I think I just got it for the first time. Ms. Herseth. Yeah, I couldn't---- The Chairman. I saw you look up. My lisp, I work through it. Mr. Filner. Now try Snyder---- The Chairman. One at a time. You are Senate-confirmed; correct? Mr. McClain. Yes, I am. The Chairman. And your title is an Assistant Secretary; right? Mr. McClain. No, my title is General Counsel. The Chairman. General Counsel, but your equivalent rank is Assistant Secretary? Mr. McClain. That's correct. The Chairman. Are you a senior government official? Mr. McClain. Depending on your---- The Chairman. Are you a senior government official? Mr. McClain. I believe I would--the position would be considered a senior government official. Yes, sir. The Chairman. Assistant Secretary. How about what is the next level down? Are they assistant, or are they deputies? Deputy Assistant Secretaries? Are they Senate confirmed? Mr. McClain. No. The Chairman. So would you say that if you are Senate confirmed, that you would be a senior government official? Mr. McClain. Probably. Yes, sir. The Chairman. Trying to figure this out. How do you see your role as General Counsel? Are you the VA's chief legal officer? Mr. McClain. Yes. The Chairman. Okay, and how do you see your role? Mr. McClain. My role is the final legal word in the department on legal issues that are brought to our attention, in interpreting laws, and interpreting regulations. I am the counsel to the department, and for the most part I provide counsel to the Secretary, the deputy, and the senior leadership. The Chairman. Deputy Secretary--so when you say ``to the department,'' access to you is going to come from the Secretary, the deputy, and the three under secretaries? Mr. McClain. 
When you say ``access to me?'' The Chairman. Yeah, they pick up the phone and you answer? Mr. McClain. Yes, sir, they will. The Chairman. Okay. At what point does that--I am trying to understand. I don't know the culture, so I am just trying to understand. At what point do you not pick up the phone? In other words, at what level is that at? I don't know. Mr. McClain. Well, it---- The Chairman. Everything has a hierarchy. I just don't know. Mr. McClain. Oh, for me in particular, I have an open door policy, so I pretty much answer almost everyone's telephone calls, or---- The Chairman. Yeah, but you got 400 lawyers out there. Mr. McClain. Yes, we do. The Chairman. You know, you are responsible for them all. Mr. McClain. That's right. We have about 270 in the field, and the others here in Washington. The Chairman. How long have you been the General Counsel? Mr. McClain. Since April of 2001. The Chairman. Who is your client? Mr. McClain. The department. The Chairman. Who is the department? Mr. McClain. Everyone in VA. The Chairman. I am trying to figure out meetings for which General Counsel is required to attend. They are what? What meetings are you required to attend? Mr. McClain. Pretty much any meeting that is scheduled or called for by the Secretary, Deputy Secretary. Any boards or other type of advisory Committees that I'm on, and can be invited to other meetings in the department that are scheduled by the under secretaries or an assistant secretary. The Chairman. Are there lawyers from your team that also would work for the under secretaries? Are there any---- Mr. McClain. Not directly. The Chairman. Not directly, okay. So, the way you just said that, you like having line authority over your lawyers? Mr. McClain. Yes. The Chairman. Really? I bet the CIO does, too. Mr. McClain. Probably does. Not over my lawyers, but over his employees, yes, sir. The Chairman. Who in your legal department has responsibility for cyber security? Mr. McClain. 
We have a--I believe it's a GS 15, who is responsible for our cyber security, primarily. But ultimately, I would be responsible for cyber security.
The Chairman. Giving your reaction to my question--so do you personally and professionally have concerns that the CIO could have enforcement authority over one of your employees?
Mr. McClain. No, I don't. See, when you say--as it turns out, the initial reorganization that I think was ordered back in 2002, when Admiral Gauss was the CIO, turned out that there were a few, a small number of employees that were actually transferred to the office of information technology. And my information technology employees were transferred at that time. So we're actually functioning under this program, where they are doing work for us, but they actually belong to the CIO.
The Chairman. So how does it work that if you have a vulnerability in your legal department, and the CIO, who has only the authority over compliance, he can only ensure compliance, has no authority to enforce anything, he would then have to alert you that there is a vulnerability, and that you then have the authority to cure; is that how it is supposed to work?
Mr. McClain. Yes.
The Chairman. Okay. So when the FISMA report says that there are these 16 vulnerabilities, and the VA receives an ``F,'' fails, that then means that three under secretaries received a grade of ``F,'' would it not?
Mr. McClain. I imagine so, yes. The whole department received a grade of ``F.''
The Chairman. Uh-huh. So, given the lines of authority as to who is actually responsible for enforcement, it is hard for me to imagine, as the first panel described, that when you grant responsibility without authority, you are setting a position for somebody to be a scapegoat. I don't see how the CIO could be a scapegoat if they had no authority to enforce. Therefore, there is no scapegoat. There are individuals who are responsible, and the individuals who are responsible also have the authority.
That is what is hard for me in all of this. And it is hard for me when I read your opinions. That is why I called it the heterodox, because it is so incongruent of what we do in our society. Because we have a leadership hierarchy in our society, that someone is responsible, has the authority, and therefore can be held accountable. When I take something out of that, it becomes incongruent, and it defies logic. And it makes it hard for us, then, to operate a system; actually, even to perfect change. So I have some more series of questions for you. Let me go back to when I mentioned the ``F.'' As the VA's chief legal officer you are also, are you not, responsible to ensure that the VA is compliant with existing law? FISMA?
Mr. McClain. I'm responsible for interpreting those laws, and how they apply to our business in the VA. Yes, sir.
The Chairman. Okay, all right. So, when the FISMA report shows 16 vulnerabilities, and that the department has now received a failing grade, I would say that they are not in compliance with an existing statute. When it comes to you as the lawyer, do you worry about that or not worry about that?
Mr. McClain. Well, I'm obviously concerned about it, and the question is, is it because there was inaction on the part of certain people? In other words, you would want to look at are we indeed violating a law, or not fully implementing a law?
The Chairman. All right, if the VA receives a failing grade for their audit, how can that be following the law?
Mr. McClain. Well, if it's not--if the law itself is not implemented within the department, you have a situation where the law is there and it's not being followed.
The Chairman. Right. Well, that is what I had back in 1999, when I could not get the VA to create a CIO. You are right, we passed the laws, and we are trying to get the executive branch to implement, to execute. Does this issue of CIO authority affect the General Counsel's office in terms of control over General Counsel's IT assets?
Mr.
McClain. No.
The Chairman. Okay. So your concerns are more on the personal side, then? Would that be correct?
Mr. McClain. You mean for office of General Counsel----
The Chairman. The office of General Counsel, yes.
Mr. McClain. My only concern is that I have a good IT network that I can rely on and utilize, and that my people in the field can rely on and utilize. And so, as I said, my employees that I had were transferred over to the CIO. And so we are currently operating pretty well right now under that criterion.
The Chairman. All right. These memos that the members are discussing, I, in my mind, I have this visual of you conducting a brief with three under secretaries, the deputy, and the Secretary. I don't know, did that ever happen? Or you just send them memos, and people just go about their business?
Mr. McClain. These particular memos--a memo of this nature would come into the office either as an e-mail request or a written request for a General Counsel opinion on how this particular law applies to this set of facts, whatever it might be. That's pretty much how these opinions were initiated. And the opinion would be worked by staff attorneys, and it would then come up the administrative chain to my office. And the opinion would then be reviewed and signed, and sent back to whoever the addressee is on the memo. In other words, the requesting office. I believe one of them was the CIO, or the assistant Secretary for Information Technology, and the Assistant Secretary for Policy and Planning.
The Chairman. When you have a dispute between a matter of interpretation of law or regulation between two under secretaries, who is your client?
Mr. McClain. It is the department. I simply will----
The Chairman. I don't know what that means. The two under secretaries are part of the department. The two under secretaries disagree on something. How about when the CIO disagrees with the three under secretaries? Who is the department?
Mr. McClain. Well, they all are.
And I don't take sides on it. The question would come to me--we have a dispute, ``I think the law should be applied this way, someone else thinks the law should be applied that way, please give us your opinion.'' And that's what we would do. It may be in the middle somewhere, it may not be exactly either person's position.
The Chairman. All right, use the word ``role.'' What is the role and responsibility of the Secretary of the VA for information security under FISMA?
Mr. McClain. He is ultimately responsible for ensuring that there is a system in place that ensures the security and accountability of personal information.
The Chairman. Okay. And was the Secretary aware of this statutory role and responsibility?
Mr. McClain. I'm sorry, I'm not sure. I would have to ask the Secretary.
The Chairman. At any time, were you asked to brief the Secretary with regard to his role and responsibility in this area?
Mr. McClain. No, sir.
The Chairman. Okay. All right, let me power through this. Hang in here with me, all right? The General Counsel memo of August 1 of 2003 on information security to the CIO holds that, quote, ``FISMA requires the CIO to develop and implement an agency-wide security program to achieve the purposes of FISMA,'' end quote. Now that sounds pretty good. But then on the February 19th of 2004 memo, what that meant to your office was explained further. The memo suggests that enforcement language in draft directive 6500 be removed that would allow the CIO to hold individuals accountable to the CIO for noncompliance, and that would establish mandatory penalties. In addition, the memo recommended that language empowering the CIO to mandate budgetary commitments of administrations be removed because, quote, ``we are not aware of statutory authority.''
[The August 1, 2003, and February 19, 2004, memos referred to are attached to Mr. McClain's prepared statement and appear on pages 96 and 100 respectively.]
The Chairman.
Basically, this leaves the CIO with responsibility, but no real authority to make anything happen. That is what we have been discussing here today. So directive 6500 could have been written, could it not, to have empowered the CIO since you then state that the Secretary could have delegated that authority? Because what you have is first you go, ``there is no statutory authority,'' and the Secretary has the authority. Where was the next step of legal counsel back to the Secretary that says, ``Mr. Secretary, you can delegate if you want?'' But no affirmative action was ever taken.
Mr. McClain. Well, I understand, Mr. Chairman, where you're going. I think the issue that I would ask is, given our opinion, and given the February 19th, 2004, memorandum, that there is no statutory authority for certain issues--and most of the issues were clustered under security clearance and suitability policies, security matters beyond that of the information and information security, and also personnel matters; human relations and labor-management issues, and the memo. And I'm talking in that memo, subparagraphs--paragraph 2A-1, and then 2A, 2B, C, and D, essentially, in that particular memo. And what we're saying is entirely consistent with all of the opinions read together, is that the current state of law does not give the CIO these particular powers or authorities. That's what the opinions are, at the point in time on the date that they were issued, what is the state of the law as applied to the set of facts that we were asked to analyze.
The Chairman. Is it a curious thing that this March 16th, 2004, memo has no subject line? The Secretary's memo, March 16th, 2004, has no subject line. Isn't that a curious thing? Or I'm just being----
Mr. McClain. I note that it does not.
The Chairman. You are saying, ``Steve, your attention to detail is too great?''
Mr. McClain. Well, no, I----
The Chairman. It is not a curious thing, I shouldn't make anything of it?
Mr. McClain.
I----
The Chairman. Okay, doesn't mean anything?
Mr. McClain. No, sir.
The Chairman. All right. Let me go to what you had just stated. I got FISMA right here, okay. And you are right, two lawyers can read something that can totally--we can disagree, we can agree to disagree. But I read this thing differently than how you read it. And I am looking at section 3544, ``Federal Agency Responsibilities.'' Now, you just made an interpretation that says the CIO doesn't have this responsibility, it is not granted to him by FISMA. But when I read this, section 3544-A, ``The head of each agency shall''--okay, do you have it right there in front of you?
Mr. McClain. Yes, sir, I do.
The Chairman. Okay. See where it says, ``A, shall be responsible for,'' this is list A, B, and C, okay? Number two, it says ``shall ensure that senior agency officials provide information security for information and information systems that support the operations and assets under their control, including,'' and goes down a whole list. Who are ``senior agency officials?''
Mr. McClain. Pretty much what we had talked about previously. Under Secretary, Assistant Secretaries can be senior agency officials, and it may even go further down, and that's in relation to FISMA, and information security. Yeah.
The Chairman. When I read FISMA, if I wanted to, I can read this to interpret that only a senior agency official would be an under Secretary, and exclude the CIO. Your testimony to me is that the General Counsel and the CIO is the equivalent of a senior agency official.
Now, if I go back and I say, ``Okay, I accept your testimony here today that you are a senior agency official, the CIO is a senior agency official, the under Secretary is a senior agency official, and now I read this lot, I don't understand how I can get the interpretation from your memo, doing that.'' Now, if I want to parse what I read and say that a senior agency official does not apply to what, you and the CIO, then I could come up with that memo, as it has been drafted.
Mr. McClain. I think the spirit of the opinion obviously is interpreting FISMA. But I think that what's important to realize, and what I get out of this, applying these sorts of requirements to senior agency officials, is that there is a department-wide requirement, and is specially imposed on senior agency officials, to ensure that this system of protection for personal information is in place and operative. It is not giving it or requiring it of a single person, or a single head in the department. It is literally spreading it out and saying, ``You're a senior agency official, you have this responsibility.''
The Chairman. The section of FISMA that makes the Secretary responsible for implementation of this statute, 3544, states that the head of each agency shall--and again, I am going to say it--``ensure that senior agency officials provide information security for information, information systems, that support the operations and assets under their control.'' Under the Secretary's March 16 memo, assuming that it had been implemented sooner than last October, wouldn't the CIO also fit under these provisions of FISMA? That is what I just asked, because he would be a senior agency official under the authority of 4000 agency employees. The reason I ask this question, Mr. McClain, is that I have this sense that these memos essentially were efforts to box the CIO.
Mr. McClain. No, sir.
The Chairman. Well, that is what has happened by that legal interpretation. You disagree with that?
Mr. McClain.
Yes, sir, I disagree with that. I don't disagree that the CIO perhaps wanted additional authority that was just simply not there in statute, but the opinion is the legal opinion as to what the law provides.
The Chairman. All right. Why did it take until October 19th of 2005, over a year and a half, for the VA to take just the first step in acting on Secretary Principi's memo? A glacial pace?
Mr. McClain. Sir, I don't have an answer for that.
Ms. Herseth. Mr. Chairman.
The Chairman. Did Mr. McFarland--yes, ma'am?
Ms. Herseth. Well, before you went too far down this, may I just follow up on a----
The Chairman. Yes.
Ms. Herseth. You just stated that the CIO perhaps wanted more authority than your interpretation of the statute allowed; right?
Mr. McClain. Yes.
Ms. Herseth. But not too long ago in response to some of the other questions--does your interpretation of the statute, however--I mean, where does the enforcement authority, or the authority that the CIO was seeking, reside in the Secretary? Because getting back to this whole issue of what authorities the Secretary could have delegated, I am still trying to figure out, and I think the Chairman was raising this at the beginning of his second line of questioning, when he began again; tell me the distinction between your interpretation of the statute, and the authorities granted to the CIO, versus authorities that the Secretary has that could be delegated. Is there a distinction?
Mr. McClain. Yes.
Ms. Herseth. Okay. So I am going to let you explain the distinction, and then re-ask the question that I believe the Chairman did, which is, at what point could you have, or did you communicate with the Secretary about the possibility of delegating some of the authority that the CIO was seeking that the Secretary may have had to delegate, separate from an interpretation of the statute that didn't give, in your opinion, the authorities the CIO was seeking?
Mr. McClain.
Let me give you one example of some additional authorities that reside in the Secretary that could have been delegated. At the Secretary's discretion, no requirement. First of all, FISMA requires the CIO to have certain responsibilities and duties and such. The Secretary could delegate further, and if--I would go back to the August, 2003 opinion, which was essentially an opinion on who has authority over the national, versus non-national type of files, and also physical security versus actual paper, that sort of thing. And the opinion was that as the law currently stood, that authority over the national type of data, if there was any in VA, and physical security, resided in the office of law enforcement, within the department. Had the Secretary desired to make a change, he could have delegated that authority to the CIO. So there was already something in place.
Ms. Herseth. I yield back.
The Chairman. You know I was really concerned when Bob McFarland left. And you are also quite aware of being on the inside of that, you have had three under secretaries that were pretty strong in their opinions. You are also equally strong in an opinion. The Secretary had delegated to the deputy Secretary to work this one, work this issue. And Mr. McFarland was pretty stressed, because he felt that he was not getting a concurrence with his policies. So let me ask about the directive 6500. Is directive 6500, is it still in a development or a concurrence process?
Mr. McClain. I believe--and I believe that 6500 is in our EDMS system, Electronic Data Management System--Document Management System. Still, within the office of information technology, for internal concurrence within that office.
The Chairman. Under your federated approach--I know you don't like the word ``box.'' All right, let me rephrase this. Under your federated model, are your present interpretations that the CIO does not have these lines of authority to enforce, is that what is going to happen in your federated model?
You are going to take that present opinion that you have held for the last several years, and apply it to the federated model?
Mr. McClain. Well, I think several things have changed. One is that this particular issue that we were wrestling with talked about ISOs, and in particular the March 2004 memo from Secretary Principi, I believe was a reaction, as Mr. Brody said, to the Blaster worm situation, where the CIO didn't have control, any sort of supervisory control over ISOs out in the field, and there were over 400 of them. As of April 30th of this year, with the detailing of personnel into the office of information technology, that situation no longer exists. The CIO has direct supervisory authority over the ISOs, plus the other IT backbone or maintenance type people, even in the field.
The Chairman. But if I am an under Secretary at the VA, and the CIO is giving me directives on compliance where I am noncompliant in a particular area, and I ignore him, what is the CIO's recourse, legally?
Mr. McClain. Legally, I'm not sure he has one. Administratively, he should bring this directly to the deputy.
The Chairman. Yeah, so he has got no authority. How about if I make the CIO, the Committee here decides to follow our instincts of a couple years ago and make the CIO the equivalency of an under Secretary? Does it matter?
Mr. McClain. In other words, would it change our interpretation of FISMA?
The Chairman. No, we are going to change FISMA. We are not going to let this stuff happen anymore. We are going to come up with our recommendations to change so they are not subject to interpretation. But if we go in and we make the CIO an under Secretary equivalent, and give him lines of authority and the ability to enforce--actually, let us go to the ability to enforce. Would you say that that under Secretary, the CIO then would not have the ability to enforce anything within the jurisdictions of the other three under secretaries?
Mr. McClain.
No, if you passed--if Congress passed a law along the lines that you just outlined, then the law would provide the authority.
The Chairman. But unless we do that, your position is it is not there; it rests with the Secretary. The Secretary can grant that authority, could he not? He can grant, he can also remove. Secretary can remove certain authorities from the other three under secretaries, could he not?
Mr. McClain. Yes, he could.
The Chairman. Ah-hah. Was that ever recommended to the Secretary, or the deputy? That you can remove certain authorities, you can grant authority to the CIO, but--never?
Mr. McClain. I'm not aware, sir.
The Chairman. Well, I could see in disciplinary actions a challenge between granting authority or powers to someone who is not of an equal, you know, if they are under the under Secretary. That is what we are going to have to do. Mr. Filner.
Mr. Filner. Just a quick question, if I can. Does the VA have a policy of executive bonuses? Bonuses to the senior staff?
Mr. McClain. Not to political appointees, but to Senior Executive Service.
Mr. Filner. Okay, so you don't get a bonus?
Mr. McClain. No.
Mr. Filner. So none of the political appointees do?
Mr. McClain. That's right.
Mr. Filner. And what is the first level that may get one?
Mr. McClain. Career, who are SES.
Mr. Filner. Were those bonuses given last year?
Mr. McClain. I imagine they were. But I have no personal knowledge of it.
Mr. Filner. And when FISMA audits gave the department an ``F,'' did you take that in any way personally, or share in that responsibility?
Mr. McClain. As to the department getting an ``F?'' I think the entire department has to share in that.
Mr. Filner. Yes, but personally? Nothing happened to any person as a result? Nobody got pay cuts, or reprimands, or censure, or anything?
Mr. McClain. Sir, I don't know. I would not normally be involved in that.
Mr. Filner. But you didn't?
Mr. McClain. I did not.
Mr. Filner. I mean, there is simply no accountability here.
The Chairman. I made a note here, Mr. Filner. When we come back here and discuss how to put together this legislation, Mr. Michaud, that we even should consider writing in our bill, we can seek compliance and say that there shall be no bonuses until the department is compliant with FISMA. If you got an ``F,'' and we are giving bonuses, we shouldn't be giving that. Maybe we can put it on a sliding scale, get them to a ``B,'' you know? You know, I haven't been beyond giving my kids money for a good grade. All right. I want to thank you for--to my colleagues for being here, and let me just say in conclusion, Mr. McClain, I know you are here today also to defend your legal department and the individuals who wrote these legal opinions. I am stressed by them. I am stressed by them because I think that they were a contributing factor, and we ended up with a legal opinion that I am going to say for the umpteenth time, that is a heterodox opinion, and it was a contributing factor in the face of 16 unmitigated deficiencies, and something has to change. And we want to work with you. Please let the Secretary know, with regard to the issue that I brought up earlier on when we were asking for that proposal, that it also included insurance. Please let him know that we are going to work cooperatively here, in a bipartisan fashion, to make sure that we hold the Judiciary product until we can let them know that we are going to work in a positive manner, okay. Mr. Michaud.
Mr. Michaud. Thank you, Mr. Chairman. Just one last question, Mr. McClain. Being legal counsel to the department, and through my experience in the Maine Legislature, where the attorney general offices are legal counsel to State departments, you can take different stances in different areas.
Have you, at any time, while we have been dealing with this whole issue of the CIO, given verbal legal advice to the agency that this is the way you saw the law, but you were directed, or asked by a senior official, ``I want to do this, can you justify this, as well?'' Have you ever taken----
Mr. McClain. No.
Mr. Michaud. No? Okay, thank you. Thank you, Mr. Chairman.
The Chairman. Thank you very much. All members will have five legislative business days to submit any statement that they may like. At this point, the hearing is now concluded. Thank you.
[Whereupon, at 2:10 p.m., the Committee was adjourned.]