[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
ACADEMIC AND LEGAL IMPLICATIONS OF VA'S DATA LOSS
=======================================================================
HEARING
before the
COMMITTEE ON VETERANS' AFFAIRS
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
JUNE 22, 2006
__________
Printed for the use of the Committee on Veterans' Affairs
Serial No. 109-56
______
U.S. GOVERNMENT PRINTING OFFICE
28-452 WASHINGTON : 2007
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON VETERANS' AFFAIRS
STEVE BUYER, Indiana, Chairman
MICHAEL BILIRAKIS, Florida LANE EVANS, Illinois, Ranking
TERRY EVERETT, Alabama BOB FILNER, California
CLIFF STEARNS, Florida LUIS V. GUTIERREZ, Illinois
DAN BURTON, Indiana CORRINE BROWN, Florida
JERRY MORAN, Kansas VIC SNYDER, Arkansas
RICHARD H. BAKER, Louisiana MICHAEL H. MICHAUD, Maine
HENRY E. BROWN, JR., South Carolina STEPHANIE HERSETH, South Dakota
JEFF MILLER, Florida TED STRICKLAND, Ohio
JOHN BOOZMAN, Arkansas DARLENE HOOLEY, Oregon
JEB BRADLEY, New Hampshire SILVESTRE REYES, Texas
GINNY BROWN-WAITE, Florida SHELLEY BERKLEY, Nevada
MICHAEL R. TURNER, Ohio TOM UDALL, New Mexico
JOHN CAMPBELL, California JOHN T. SALAZAR, Colorado
James M. Lariviere, Staff Director
C O N T E N T S
__________
June 22, 2006
Page
Academic and Legal Implications of VA's Data Loss................ 1
OPENING STATEMENTS
Chairman Steve Buyer............................................. 1
Prepared statement of Chairman Buyer......................... 50
Hon. Bob Filner, a Representative in Congress from the State of
California..................................................... 3
Hon. Ginny Brown-Waite, a Representative in Congress from the
State of Florida, prepared statement of........................ 55
Hon. Corrine Brown, a Representative in Congress from the State
of Florida, prepared statement of.............................. 57
Hon. Silvestre Reyes, a Representative in Congress from the State
of Texas, prepared statement of................................ 61
Hon. Stephanie Herseth, a Representative in Congress from the
State of South Dakota, prepared statement of................... 63
Hon. Tom Udall, a Representative in Congress from the State of
New Mexico, prepared statement of.............................. 65
WITNESSES
Brody, Bruce A., Vice President, Information Security, INPUT,
Reston, VA, and former Associate Deputy Assistant Secretary for
Cyber and Information Security, U.S. Department of Veterans
Affairs........................................................ 7
Prepared statement of Mr. Brody.............................. 76
Cook, Mike, Co-Founder, ID Analytics, San Diego, CA.............. 11
Prepared statement of Mr. Cook............................... 85
McClain, Hon. Tim S., General Counsel, U.S. Department of
Veterans Affairs............................................... 29
Prepared statement of Mr. McClain............................ 92
Spafford, Eugene H., Ph.D., Professor and Executive Director,
Purdue University Center for Education and Research in
Information Assurance and Security (CERIAS), West Lafayette,
IN; Chair, U.S. Public Policy Committee, Association for
Computing Machinery (USACM); and Member, Board of Directors,
Computing Research Association (CRA)........................... 5
Prepared statement of Dr. Spafford........................... 67
MATERIAL SUBMITTED FOR THE RECORD
Statements:
Kappelman, Leon A., Ph.D., Professor of Information Systems,
Director Emeritus, Information Systems Research, Fellow,
Texas Center for Digital Knowledge; Associate Director,
Center for Quality and Productivity, Information Technology
and Decision Sciences Department, College of Business
Administration, University of North Texas.................. 110
Post-hearing written Committee questions and the responses:
Chairman Buyer to U.S. Department of Veterans Affairs........ 111
Chairman Buyer to Mr. Bruce A. Brody (INPUT)................. 118
Chairman Buyer to Mr. Mike Cook (ID Analytics)............... 121
THE ACADEMIC AND LEGAL IMPLICATIONS OF THE VA'S DATA LOSS
----------
THURSDAY, JUNE 22, 2006
U.S. House of Representatives,
Committee on Veterans Affairs,
Washington, DC.
The Committee met, pursuant to call, at 10:35 a.m., in Room
334, Cannon House Office Building, Hon. Steve Buyer [Chairman
of the Committee] presiding.
Present: Representatives Buyer, Bilirakis, Moran, Brown of
South Carolina, Miller, Brown-Waite, Filner, Snyder, Michaud,
Herseth, Strickland, Reyes, Berkley, Udall, Salazar.
The Chairman. The full Committee of the House will come to
order, June 22nd, 2006.
Good morning, ladies and gentlemen. We are here today to
receive testimony on best practices from experts in the field
of information security and data breaches. We will also hear
from the Department of Veterans Affairs' General Counsel about
the legal implication of the VA's information security breach
and data loss.
This hearing is part of a series that will help us
determine how to understand the scope of the problems, so we
can then proceed to assist in the correction of these concerns
of the department. We are systematically examining key aspects
of the security breach, and reviewing best practices, and
thinking in the realm of information security.
Last week, we heard testimony from the VA inspector general
and from the Government Accounting Office, who provided
historical context. The context is sobering. Even as far back
as 1997 the GAO had begun to examine these problems, and then
in 2002, they recommended the VA centralize its IT security
management functions and establish an information security
program. The VA's own inspector general has gone on the record
with a similar litany of warnings that have been largely if not
completely ignored. The VA's assistant inspector general for
audit told us the IG has reported VA information security
controls as a material weakness in its annual consolidated
financial statements, since the fiscal year 1997 audit.
VA's IT Information Security Management Act audits have
identified significant information security vulnerabilities
since fiscal year 2001. A reasonable person might ask what the
VA is waiting for. The IG and GAO, our investigations have
shown, are not alone in their support for centralized IT
management. On June 8th, I held a roundtable discussion with
information technology experts from business, including Goldman
Sachs, EMC Corporation, Visa, Citigroup, Tri-West, and American
Bankers Association. At my invitation attending also was the
chairman of the military quality of life and veterans'
appropriations Subcommittee, Jim Walsh.
These experts offered candid appraisals, and emphasized the
importance of centralized information security management. None
from a good business sense could endorse the VA's approach, the
federated model, which still shows a significant degree of
decentralization. One of the experts said, quote, ``I see the
federated approach as an excuse for lack of controls.''
As part of our approach, the Subcommittee on disability
assistance and memorial affairs held a hearing on Tuesday, on
information security at the Veterans' Benefits Administration.
Yesterday, the Subcommittee on health examined how the
Veterans' Health Administration maintains security and
integrity with electronic health records of patients. Both
systems face challenges. We are aware of problems with the
Benefits Administration. The VA IG has testified that at VHA, tens
of thousands of VA's health records have been sent by
unencrypted e-mail, and were made vulnerable to interception.
Problems with uncontrolled access to data, password protection,
and even a failure to terminate access for long-departed
employees, made the conditions for additional disasters. The
more we learn about the awful results of decentralization, in
contrast to the bright promises offered by some VA officials,
the more we see the system has no departmental standards. And
more important, the system, if you call it that, does not
identify who is in charge of developing policy, implementing
policy, or enforcing policy.
It does not have to be this way. Today, experts from the
academic world will also provide insights into the cutting edge
information security theories and concepts. The recent passing
of management expert, Professor Peter Drucker, reminds us that
not all expertise is to be found in the world of practice. We
have much to learn from those who earn their pay strictly from
the work in their minds.
We will then turn to the department's General Counsel, the
Honorable Tim McClain, who will provide testimony regarding the
legal implications of VA's data breach. I will also be
interested in learning more about the legal review process for
VA's information security directive for the past three years.
Also, I want to learn more about the adequacy of the VA's legal
authority to provide credit counseling and compensation to
veterans affected by the loss of their personal information.
Next week, completing a series of hearings, the full
Committee will receive testimony from former VA chief
information officers. And finally, we will hear from Secretary
of Veterans' Affairs Nicholson, and the department's senior
leadership, with an update on the progress being made in the
department. So please be sure to note these important dates on
your schedule.
This weekend, we learned that a laptop stolen from a
contractor working for the city of Washington DC, compromised
sensitive information on thousands of city employees. While we
are now seeing that data security has broad implications across
the country and across government, what we would like to see is
VA moving from worst disaster to best practice.
We look forward to your testimony. I recognize the Ranking
Member for any comments that he might have. Mr. Filner.
[The statement of Chairman Buyer appears on p. 50.]
Mr. Filner. Thank you, Mr. Chairman, and as we said last
week, thank you for embarking on this series of oversight
hearings. I don't think it's any accident that the VA announced
finally some proactive measures yesterday. I think it's the
calendar that you have outlined, reporting will have to be
done, that has sparked some activities. I think this is the way
that we, Congress, must proceed in terms of oversight, so I
thank you so much.
As you have pointed out, we have to figure out what
happened, how it happened, how to prevent it, who was
responsible, and of course, what can be done in the future. As
Chairman Buyer has pointed out, on many occasions, we have
heard that long-standing problems in cyber and information
security went uncorrected at the VA for unconscionably long
times. We have heard testimony before this Committee that the
problem lies within the VA's culture of resistance to change,
including being impervious to change in, of all arenas,
information security. One written statement at a previous
hearing offered a rationale for the resistance of VA, a desire
to avoid accountability.
Mr. Chairman, last week you and Dr. Snyder both noted
apparent problems and conflict with the General Counsel
opinions in 2003 and 2004. The net effect of these opinions,
and we will hear what the General Counsel says, was to create
confusion at VA regarding aspects of enforcement authority for
information security. How could this happen if the Federal
Information Security Management Act of 2002 was created just to
resolve these very problems? And we have seen evidence of the
difficulty of implementing change in the IT culture at VA.
For me, as for you, Mr. Buyer, the most illustrative
example of that resistance was Secretary Principi's failed
directive to centralize control of the IT under the chief
information officer. His was the right solution, but it never
happened. When the edicts of the Secretary and his team are
ignored by the agency, it is time for the Secretary to clean
house. In this case, I and a number of my colleagues will be
pleased to help move that process along.
All too often, we hear about policy changes at VA that are
in the works, or we hear about half solutions and changes that
are just around the corner. Problems were raised about the HR
links program, but substantive solutions were never
implemented. HR links was a good idea, but leadership was
needed, and there was none. The result: about a third of a
billion-dollar loss to taxpayers.
VETSNET will automate critical functions associated with
the compensation and ratings awards, if it is ever fully
implemented. But I note that the future tense is always used to
address hopeful solutions to VETSNET, for over a decade, now.
The core FLS is another example of a major information
technology failure in the multi-hundred million dollars loss
range, and the root cause I think is evident: mismanagement at
the top.
We must move the entrenched culture inside the agency to
conform to what is best for the entire agency and for veterans.
That is why we are here. At a minimum, as is often suggested by
the Inspector General, implementation of a robust and
standardized policy would be helpful. That has yet to happen.
At our last full Committee hearing, Mr. Michaud referred to
a threat by an offshore-based subcontractor to post medical
information about 30,000 veterans on the Internet. Yet, when
Committee staff asked about the off-shoring of medical
transcript and services in previous years, they were told that
there was no evidence of such activity. The IG now seems to
have found ample evidence in a report released last week.
This indirection and indifference by the Veterans'
Administration regarding its protection of sensitive
information must halt. We need to have straight shooting with
Congress and with the American people.
Finally, Mr. Chairman, the magnitude of the loss of the 26
million records, plus apparently hundreds of thousands of
others, is breathtaking. It looks like we are moving in a
proactive way, although we have yet to see what contractor will
win the contract. I hope we don't give the contract to
Halliburton. In fact, one of the companies that is here today
has offered the public service of doing it for very little, if
any, cost to taxpayers.
So we must assure that any promises we make to fix the
problem can actually be kept. We must set expectations for
veterans that can be delivered, and have the willpower to keep
those promises. Let us keep the faith with our veterans. Thank
you, Mr. Chairman.
The Chairman. Thank you very much.
Our first panel includes Dr. Eugene Spafford, Ph.D., who is
a professor of computer science and is Executive Director for
the Center of Education and Research in Information Assurance
and Security, at Purdue University. Next, we have Mr. Bruce
Brody, Vice President of Information Security for INPUT, and
former Associate Deputy Assistant Secretary for Cyber and
Information Security with U.S. Department of Veterans Affairs.
And finally, we have Mike Cook, Vice President of ID Analytics.
Dr. Spafford, personally I want to thank you for--often,
the Federal government has turned to you for your Council. We
did in the mid-1990s, with the DOD. You assisted the Department
of Air Force, you have helped out with the FBI, we have turned
to your expertise in regard to NSA, and once again we are now
turning to you, and you don't hesitate. And so there is
something inside that says, ``Yes, I have knowledge, I have
some expertise, and I am willing to help my country.'' And you
have been there, and you have also served on the President's
advisory. I welcome all the members--how many of these do you
have, or can you gain access to?
Dr. Spafford. I believe we have about 50 or 70 of them out
there.
The Chairman. You have about 50 or 70 of them out there?
You are only here by yourself? You have somebody with you,
staff?
Dr. Spafford. There is somebody here, yes.
The Chairman. Well, somebody go out there and get one of
these to Tim McClain for me right now, while he can flip
through this. Tim, have you seen this before?
Mr. McClain. No, sir, I haven't.
The Chairman. It is very interesting. If you would grab
that box, I want to make sure everybody, all of my colleagues
have this.
Look how it is titled: ``Cyber Security, a Crisis of
Prioritization.'' The president put these experts together.
[The report is being retained in the Committee files and
can be found on the internet at:
http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.]
Dr. Spafford, you are recognized.
STATEMENTS OF EUGENE H. SPAFFORD, PH.D., PROFESSOR AND
EXECUTIVE DIRECTOR, CENTER FOR EDUCATION AND RESEARCH IN
INFORMATION ASSURANCE AND SECURITY, PURDUE UNIVERSITY, WEST
LAFAYETTE, IN, CHAIR, U.S. PUBLIC POLICY COMMITTEE, ASSOCIATION
FOR COMPUTING MACHINERY, AND MEMBER, BOARD OF DIRECTORS,
COMPUTING RESEARCH ASSOCIATION; MR. BRUCE A. BRODY, VICE
PRESIDENT, INFORMATION SECURITY, INPUT, RESTON, VA, AND FORMER
ASSOCIATE DEPUTY ASSISTANT SECRETARY FOR CYBER AND INFORMATION
SECURITY, U.S. DEPARTMENT OF VETERANS AFFAIRS; AND MR. MIKE
COOK, CO-FOUNDER, ID ANALYTICS, SAN DIEGO, CA
STATEMENT OF EUGENE SPAFFORD
Dr. Spafford. Thank you, Chairman Buyer and Members of the
Committee. It is my pleasure to be here to attempt to help in
this case. We are here because of the significant breach of
security and privacy at the Veterans' Administration. That
incident has obviously exposed many people to increased risk of
identity theft, credit fraud, and other kinds of criminal
activities. I would like to point out, however, that it is more
than a financial impact that is potentially there. In addition,
some of our active-duty personnel and veterans may find
themselves denied security clearances, or find their names
added to the TSA's no-fly list, because somebody else has
misused their identity. And if you have ended up on the no-fly
list and tried to get off, you know how difficult that is. And
they may also have to face criminal warrants or civil actions
because others have committed crimes in their name.
This problem is not unique to the Veterans' Administration,
however. A recent article in ``Computer World'' noted that
since the start of 2005, there have been nearly 200 similar
incidents, resulting in significant disclosure of personal
information, with nearly 90 of those incidents occurring since
the beginning of this year. The total number of records
disclosed by all of these incidents to date is 88 million. What
is more, those are only the detected and reported incidents.
The actual number is certainly much larger.
For decades, professionals in the field of information
security have been warning about the dangers of weak security,
careless handling of data, lax enforcement policies, and
insufficient funding for both law enforcement and research.
This is similar to what you have been hearing from the
Inspector General of the Veterans' Administration. Our warnings
and cautions have largely been dismissed, however, as unfounded
or too expensive to address. Unfortunately, we are now seeing
the results of that lack of attention with incidents such as
what happened at the VA.
In addition, we have seen new levels of sophisticated
computer viruses and spyware emerging, increasing cyber
activity by organized crime around the world, and significant
failures of security across a wide variety of public sector
entities and government agencies. In the brief time that I have
for my verbal remarks, I want to make special note of one
particular failure present in this case that you have already
identified. There is no centralized position that has all of
the three components that are necessary to effectively manage
information security: resources, accountability, and authority.
There should be either the CIO or CISO, Chief Information
Security Officer, who has adequate funding and trained
personnel to carry out a comprehensive security plan. That
office, and the management above it, must be held accountable
for failures to satisfy necessary standards, and successfully
pass audits.
Last of all, that same office must have authority to make
changes, shut down systems if necessary, and sanction employees
for cause. There are other information security problems at the
VA and elsewhere in the government which were not directly
involved in the May disclosure incident, but could prove
problematic later. It is beyond the scope of this testimony to
describe all of them. It is also beyond the scope of this
testimony to summarize the magnitude of cyber threats currently
facing our information infrastructure, including the Veterans'
Administration. There are a number of reports describing these
threats, and I can summarize simply by saying the situation is
poor, and getting worse. Regrettably, I believe the situation
is going to get worse because the problems have been ignored
and neglected for too long to be quickly remedied.
As a member of academia, I wanted to say that we can offer
few immediate solutions. Although we have several good programs
at many colleges and universities across the United States, we
are producing too small a number of students to meet the
demand. Exacerbating this is a lack of resources. Outside of a
few underfunded programs through the National Science
Foundation that award competitive grants to faculty, and a few
congressionally directed allocations to a few university
projects around the country, there is almost no funding for
basic research, capacity development, or infrastructure
acquisition, for the programs working in information security.
As an example, the center I direct at Purdue University,
CERIAS, is the nation's leading center in multidisciplinary
information security research and education, with over 80
faculty, and we are graduating nearly 25 percent of the
nation's Ph.D.'s in information security. CERIAS, in its nine-
year lifetime, has never received any government support,
although some individual faculty receive funding from agencies
such as the NSF for individual research.
As is the case with many of my peer institutions, our
ability to make progress in education and research is limited
by a severe lack of resources. In February, 2005, as Chairman
Buyer noted, the President's Information Technology Advisory
Committee issued this report, based on hearings and
considerable study by many experts, myself included. That
report was entitled ``Cyber Security, a Crisis of
Prioritization.'' It described the nature of the problems with
cyber security, and some of the trends. It also analyzed the
inadequate Federal response to those challenges. It outlined in
some detail an agenda to begin to address some of our cyber
security problems. The response to that report was similar to
other reports that have been issued over the years. Only one of
the four recommendations has been acted upon, and PITAC was
disbanded.
I encourage members of the Committee to carefully read the
PITAC cyber security crisis report. I participated in the
research and writing of that document, and it goes into
considerable detail about problems such as those faced at the
VA, and issues behind our cyber security deficit, as well as
making some concrete suggestions on how those issues might be
addressed. I have also included some other recommendations in
my written testimony, including a comprehensive list of
recommendations for data privacy protection, as developed by
the ACM's U.S. public policy Committee.
I welcome your questions and working with you to help
address these problems. Thank you.
[The statement of Dr. Spafford appears on p. 67.]
The Chairman. Thank you very much. Did all the members
receive one of these? Everybody has got one? All right, thank
you.
Mr. Brody, you are now recognized.
Mr. Brody. Mr. Chairman, Representative Filner, and members
of the Committee, my name is Bruce Brody. As a veteran, I am
very grateful for the opportunity to address this distinguished
Committee today. With the Chair's permission, I will provide a
brief overview, and then submit a longer statement for the
record.
The Chairman. Hearing no objection, so ordered. Dr.
Spafford, did you have a written statement that you would like
to be submitted for the record?
Dr. Spafford. He has it.
The Chairman. Mr. Cook, do you have a written statement you
would like submitted for the record? All right. Hearing no
objection, so ordered. All the statements will be submitted for
the record.
STATEMENT OF BRUCE BRODY
Mr. Brody. I am the Vice President for Information Security
at INPUT, a market research firm based in Reston, Virginia.
From 2001 to 2004, I was the Associate Deputy Assistant
Secretary for Cyber and Information Security at the Department
of Veterans Affairs. And from 2004 until January of this year,
I was the associate chief information officer for cyber
security at the Department of Energy. I believe that I am the
only person ever to have served as the chief information
security officer at two Cabinet-level departments.
Like the members of this Committee and my fellow veterans,
I view the loss of personal information of more than 26 million
veterans as willful disregard for responsible behavior, and
blatant contempt for established Federal security and privacy
requirements by senior VA leadership. I urge this Committee to
look very carefully at the following factors, which I believe
contributed to the decades of information security and privacy
neglect at the VA, that have been documented by the Inspector
General and the Government Accountability Office.
First, someone with appropriate substantive expertise must
be empowered to set and enforce privacy and cyber security
requirements, which will include the physical security
requirements for how such records are maintained, and the
personal security requirements for who is allowed access to
such records. When I was first introduced to this Committee in
April of 2001, I thought that the Secretary had hired me for
that purpose. However, the apparent authorities invested in the
CIO under the Clinger Cohen Act, and the Paperwork Reduction
Act, and both the CIO and the CISO in the Computer Security Act
of 1987, the Government Information Security Reform Act of
2000, and finally, in the Federal Information Security
Management Act of 2002, were not accepted by VA's leadership. I
quickly learned that the department's chief information officer
only had authority to advise, encourage, support, and persuade
the administrations, insofar as information technology programs
were concerned.
In addition, I learned that the CIO had no authority to
direct compliance. These points were captured in a memorandum
from the assistant General Counsel dated October 6, 2000.
Difficulties with this advise, encourage, support, and persuade
approach to the CIO's management authority were raised at a
March 12th, 2002, oversight Committee hearing by both Chairman
Buyer and Ranking Member Carson, questioning the ability of the
then-CIO to get the job done without line authority.
Later that year, Secretary Principi took actions to direct
the centralization, and enhance line authority of the CIO
function, presumably acting on the recommendations of this
Committee. But unfortunately, the Secretary's direction met
with bureaucratic inertia and cultural resistance, and was
never fully implemented.
Subsequent to my arrival at the VA, the Government
Information Security Reform Act, followed by the Federal
Information Security Management Act, were enacted in 2000 and
2002, respectively. Not being an attorney, I cannot offer legal
opinions about what the words of these statutes mean. I can
only apply common sense to the purpose of these important
pieces of legislation. It seemed to me that after all was said
and done, and the opinion of the assistant General Counsel
issued in October 2000 was correct, then the Congress went
through nonsensical amounts of effort to produce the
legislation and provide such detail concerning specific
responsibilities. It became all the more apparent that
clarification was needed, following the MS Blaster malicious
software incident in the second half of 2003.
In advance of what proved to be a serious malicious
software attack represented by MS Blaster, my office provided
the necessary alerts, and also distributed notification
concerning the necessary patches, throughout the VA enterprise.
These alerts were widely ignored, and VA networks were savaged
as a result. The apparent authorities invested in the CIO in
the Clinger Cohen Act, and in the CIO and CISO in FISMA, did
not seem to be accepted by VA or its leadership.
As a result, I concluded that there was no longer any point
in attempting to introduce cyber security changes in the VA
unless there was a clear statement of authority to do so. That
was when I requested the General Counsel opinion about FISMA
authorities for the CIO and the CISO.
Just prior to the MS Blaster attack, I had requested a
clarification from the General Counsel concerning the
responsibilities of the CIO under FISMA for national security
and non-national security information and information systems.
In a memorandum signed by the General Counsel, dated August
1st, 2003, it was reinforced that the various security
functions of the department, specifically information security,
physical security, and personnel security, would remain under
the authority of their respective offices. According to the
memorandum, the CIO was allowed to issue policies pertaining to
information security, but the daily operations of security
clearance determinations, investigations, physical storage, and
related activities wouldn't be placed under the purview of the
CIO.
Subsequent to the MS Blaster attack, I requested a
clarification from the General Counsel concerning the authority
of the CIO to enforce compliance with security legislation and
regulations. In a memorandum signed by the General Counsel on
April 7th, 2004, it was asserted that the CIO cannot order or
enforce compliance with information security requirements.
Because FISMA used the word ``ensure,'' instead of the word
``enforce,'' the General Counsel stated that the only recourse
for the CIO when a security requirement was violated was to
complain to the Secretary.
The result of these two opinions was extremely unfortunate
for the department. In effect, the first of these memos
fragmented security authorities, and the second said that the
CIO had no authority to enforce policies or to hold people
accountable for violating policies. These memos accurately
captured and reinforced the culture of the department, where
resistance to central authority, and doing business according
to hundreds of different local practices, have always been the
norm.
In day-to-day operations, these memos ensured that the
fragmentation of security authorities enabled the lack of
background investigation for individuals with access to VA
networks, systems, resources; the unchecked access to VA
information by foreign corporations and foreign nationals,
limited to nonexistent logical and physical access controls for
major medical systems; the disruption and denial of service
from malicious software attacks such as MS Blaster, and
hundreds of other negative information security findings, as
highlighted in the reports of the independent public auditor,
the Inspector General, and the government accountability
office.
I would ask the Committee if it agrees that the Clinger
Cohen Act and FISMA do not require a Secretary, CIO, and CISO,
to set and enforce the security requirements of the FISMA
legislation? If FISMA and the Clinger Cohen Act did not convey
the authority and accountability for enforcing security and
privacy requirements, perhaps the Congress needs to amend these
bills to so state. My personal experience is that the mismatch
of authority and accountability from the CIO and CISO affects
other departments and agencies to the same extent as it affects
the VA. And I encourage legislative action to clarify this
situation and possibly prevent more serious incidents from
occurring.
But the bottom line for the VA was that the two General
Counsel memos reinforced the VA culture. And the VA culture is
the root cause of this problem. The VA culture can be
highlighted even further in the paper trail of nonconcurrences
on VA directive 6500, the information security program.
My second recommendation is that policies, procedures, and
assignments of accountability regarding security, and privacy
issues, cannot be held hostage to the individual interests of
the senior officials whose concurrence must be obtained prior
to review by the Secretary. In this regard, I invite the
Committee's attention to the paper trail of nonconcurrence on
VA directive 6500, the information security program.
On January 16th, 2004, VHA non-concurred on VA directive
6500, disagreeing with a blanket approach to background
investigations, opposing any requirement to ensure that
corporations having access to VA systems and data be American-
owned--in other words, subject to U.S. policy, and within the
reach of U.S. courts, if U.S. laws are breached.
VHA also opposed any requirements that visitor personnel be
escorted at VA facilities, and resisted the ability of the
associate deputy assistant Secretary for cyber and information
security to establish mandatory penalties for noncompliance.
VHA's nonconcurrence specifically dealt with the offshoring
of sensitive information, such as medical records or
transcriptions. Other significant nonconcurrences on VA
directive 6500 are included in my written testimony for the
record.
The memos by the General Counsel and paper trail of
nonconcurrence on VA directive 6500 are indicative of a culture
of resistance to central authority, and refusal to accept
anything other than business as usual. They also highlight the
decentralized authority enjoyed by the administrations and
program offices, who are empowered to define the role and
authority of the CIO as they see fit in order to perpetuate
their parochial interests.
Most of all, these documents make it clear that the CIO and
the subordinate CISO have no authority to do anything other
than to issue policies. Now on top of that, they can only issue
policies that the administrations and program offices allow
them to issue through the concurrence process. Once issued, the
CIO and CISO have no authority to enforce these watered-down
policies that they are permitted to put in place.
As a third recommendation, let me suggest to you that the
CIO budget, including cyber security and privacy budgets,
cannot be held hostage by the administrations and program
offices. Since funds are not directly appropriated to the CIO
by Congress, security and privacy initiatives depend on the
funding support of the very offices that have historically been
the cause of the problems being addressed.
Fourth, I recommend you create a legislative requirement
that would suspend all executive and senior bonuses in the VA
until the environment for which the executive is responsible
receives a clean bill of security health from the IG and the
competent senior official placed in charge of security. There
are more than 26 million veterans and active duty personnel who
are uncertain that the loss of their personal information will
bring them financial harm. These veterans deserve better,
because they have served our country well. Unfortunately, the
VA has not served them well, and the VA must make necessary
amends. If the VA cannot reinvent itself and change its culture
dramatically, then I would beg the Congress to do it for them,
and to do it for our Nation's deserving veterans.
Mr. Chairman, that concludes my statement. Thank you for
the opportunity to appear here.
[The statement of Mr. Brody appears on p. 76.]
The Chairman. Thank you, Mr. Brody. Mr. Cook, you are now
recognized.
STATEMENT OF MIKE COOK
Mr. Cook. Chairman Buyer, Representative Filner, and
esteemed members of the Committee, thank you for inviting ID
Analytics to testify----
The Chairman. Mr. Cook, can you turn that microphone on,
and pull it close to you, please? Thank you.
Mr. Cook. It wasn't on, I apologize. Thank you for inviting
ID Analytics to testify on ways to help victims of the recent
Veterans' Affairs data breach. My name is Mike Cook. I am a
cofounder of ID Analytics, a San Diego-based company focused
exclusively on stock and identity fraud. I have worked in the
field of credit risk and fraud prevention for 20 years. ID
Analytics helps stop identity fraud through our identity
network, a real-time identity fraud prevention system formed
through a consortium of leading companies dedicated to
protecting their customers from identity fraud.
Our ID network gathers information from applications for
credit, change of address, and other identity risk information
from companies, including half the top 10 U.S. banks, almost
all major wireless carriers, and a leading retail card issuer.
Hundreds of times each day our technology helps stop fraudsters
from obtaining credit services and merchandise in innocent
consumers' names.
We think it's important to make you aware that ID Analytics
does not market or sell the data we collect in the ID network
for any purpose, to anyone.
I am here today because ID Analytics has unique expertise
and knowledge of data breaches and their risk. Today, we are
the only public or private entity that has studied the harm
resulting from actual data breaches. Should any Committee
member have interest, I would be happy to provide a copy of our
white paper analyzing the harm from four actual well-publicized
data breaches involving more than 500,000 breached consumer
identities.
I would first like to put this breach into context. At this
point, no one knows the scope of risk the veterans are facing.
The most dangerous data breaches are targeted thefts, where the
thief committed the breach solely for the purpose of taking the
consumer data. In this case, the purpose of the theft is
unclear. Was the thief targeting a laptop, or the data held on
it? I don't believe we know that answer today.
If the data is misused, we can expect it to be misused in
the following ways: it's likely fraudsters will mainly attack
the credit card industry. Stolen identities are an asset from
which sophisticated fraudsters can get the best rate of return
by fraudulently obtaining credit cards, and then making
fenceable purchases. Secondly, because the file contains so many
identities, it is likely that the fraudsters will use the
stolen identities once or twice and never again, to increase
their approval rate. Low use rates of individual veteran
identities will make detection more difficult for the lending
community. Again, if the data is misused, sophisticated
fraudsters will spread the misuse of identities across
differing locations within a city, or even across different
States, to avoid detection.
The worst-case scenario is that the veteran file finds its
way to a public distribution source, such as the Internet. If
this happens, stolen identities will lose their connection to
the VA data breach, and groups of fraudsters might actively
trade that data among the broad community. Subsequently, more
people might have access, and could misuse those identities on
a grander scale. We know from additional research conducted
earlier this year, the misuse rate of data traded on the
Internet can climb substantially and exceed the average rate of
identity theft of 1.5 percent.
Some consumer advocates estimate the value of the stolen
identity ranges from $25-$75, depending upon the available
personal information associated with that identity. So because
of the value of the data itself, wide distribution should be a
concern, and should drive a real sense of urgency to try to
recover the stolen data as fast as possible.
So what can the VA do now? Over the course of the last
year, ID Analytics has developed breach monitoring technology.
With this technology, the VA can answer three essential
questions about the data breach. The first question the VA can
answer is, is the breached data being misused by fraudsters
today? Secondly, if it is being misused, can we identify the
specific veterans harmed by this misuse, and provide them with
additional victim assistance? And thirdly, if the breached file
is being misused, in what locations are those breached consumer
identities being misused, so that law enforcement can stop the
misuse, and potentially recover the breached data file?
How does this technology work? Simply put, when thieves
use a breached file, they leave tracks. In order to obtain
credit or other goods, in a veteran's name, a fraudster would
have to manipulate that veteran's identity information on a new
account application. For instance, if a fraudster applies for a
credit card in a veteran's name, the fraudster needs to change
the address so he or she can collect the new credit card from
the bank. The fraudster will change the veteran's phone number
for personal and employment verification purposes. He or she
may use the same addresses and phone numbers to commit identity
theft against other identities that were part of that same
breach.
Our ID network, which receives hundreds of thousands of
applications and other identity risk events per day, can
identify these types of anomalous changes and relationships
across a breached file, regardless of the size of the breached
file. We believe this technology can be significant to the
Department of Veterans Affairs for the following reasons: it
can help identify any organized misuse of the personal data
that has happened so far. The analysis can quickly identify
veterans who may have been victimized, so that additional
victim assistance can be expedited to them. It can actively
monitor the file for possible misuse. This technology can help
provide law enforcement a way to identify those individuals who
have either stolen the file or have misused it to commit
identity theft, to stop further misuse and to recover the lost
file.
The analysis can help determine if the file was in use by
more than one individual, or one cohesive group. And finally,
breach monitoring provides a deterrent effect, once publicly
announced. Thieves should be aware that if they try to misuse
any data from the VA data breach, they do so at their own
peril.
Thank you again, Mr. Chairman, for the opportunity to
present this testimony.
[The statement of Mr. Cook appears on p. 85.]
The Chairman. All right. I have two areas I want to touch
on, and then I am going to yield to my colleagues.
Yesterday, when the VA made their announcement of credit
monitoring, I don't know too much beyond that, nor do I know
where they are going or how they define it. My first reaction
was, I was concerned. And let me explain why I was concerned.
The concern is that, are we creating a false expectancy
among the veterans that the VA is now going to just be doing
credit monitoring, and when I look at my current reports, I'm
safe, that somehow that is going to provide a safe haven. And
that is the reason I did not issue a statement yesterday. I
couldn't stand up and cheer, because I still have great fears.
So let me turn to you, and I want you to tell me, ``Steve,
I agree with you,'' or ``I disagree with you, you should cheer
about this.'' Because here, we take it down to the next step,
is that if they know what they are doing, they are going to
take this, and it is going to be synthetic identity theft. So
Mr. Cook, as you identified that you look at the granulation of
the information and then you begin to change it a little bit;
so I take Dr. Eugene Spafford, I get your Social Security
number, and I got your address, and know what your wife's name
is. So I make the application, but I change the last two digits
of your Social Security number. So now, I obtained a credit
card and begin to make purchases. I do other things that spoil
your life, Dr. Spafford, but if all I am doing is monitoring
the credit report, then no serious action by me is going to
show up on the credit report, as I understand.
So now, let me yield to the panel, and say, ``Steve, you
get it right,'' or ``Steve, you got it wrong.''
Mr. Cook. Chairman Buyer, we've done a lot of analysis on
fraud and how criminals use data. And I don't believe the
people, if they use this data, are going to perpetrate
synthetic fraud. The reason for that is synthetic fraud is when
you don't have any data available to you. So fraudsters could
go out and use a name, and create a valid Social Security
number, as we have seen, by a method such as Social Security
number tumbling, to enable them to get past a validity check.
People who perpetrate synthetic fraud do that because they
don't have access to data, and the analysis we have done shows
that if they perpetrate synthetic fraud, they do not perpetrate
identity theft.
So I would probably disagree and say I don't think
synthetic fraud is going to be the case here. I think it is
going to be identity theft, and I think that credit monitoring
might help those consumers who take the credit monitoring up on
that offer. It may help them detect some of the fraud that is
happening to them. But it is not going to be the only solution
that is available to them. Here is the reason for that: credit
monitoring is going to tell you that you had an application
that was filed in your name. By that point, it is probably too
late. Because as I said in my opening statement, if these guys
who took the file are sophisticated enough and use it the right
way, they will use the identity once or twice, and never again.
So by the time that monitoring alerts get to the consumer, it
is already out there and there is nothing more they can do
about it.
So I think credit monitoring has its place for consumers.
If you think about consumers, we all have about a one and a
half to three percent chance of having identity theft happen to
us. The chance of veterans having identity theft happening to
them because of this breached file is far less than that, just
because of the magnitude of it. So I think credit monitoring is
fine for consumers, if they can afford it. But we think there
are better technologies to detect if there is misuse; if there
is misuse, to locate where it is so you can go and try to
recover the file; and thirdly, to really detect if there is
misuse for a specific veteran, and then you can help that
veteran out.
Dr. Spafford. Mr. Chairman, monitoring detects after
something has occurred, as Mr. Cook already mentioned. But
credit fraud is not the only concern that should be present. As
I noted in my comments, we now have all of this information on
individuals who have ably served their country, and that
information can be used to get replacement identification
cards, passports, driver's licenses, and other information, for
individuals to have a clean record, or even a trusted record,
to go out and cause trouble; that when they run up a criminal
record or misbehavior under those identities, it is not going
to show up in a credit report, but more likely in a criminal
report or a civil action. And monitoring is not going to
prevent that, or even assist that.
The Chairman. All right. I mean, if I--by way of consumer
products, and if in fact we are into the marketplace to
purchase a consumer product, my sensing is that we don't want
to just monitor. We want to do data verification, we want to be
able to look at identity verification, and examine perhaps even
insurance-based products. Because we have a choice: either--
gosh, I threw out this suggestion and wow, the Judiciary Committee
runs off yesterday, and they create the claims adjudication
process. All I said was we were thinking about it. Isn't that
amazing about this institution? It is in consideration and
boom, they go off and they do it. Now I have got to tell them,
``Wait a minute.'' So I just want all of you to know, when you
read about this today, we are going to put all this a little on
hold, so we can understand all this a little bit better.
This is what we need to know from the VA, and I am not
going to go with you on this one, unless you are prepared to
talk about it today, but if there is a product out there
whereby we got to monitor this for almost three years, we need
to give them the tools out there when we do this bid on this
contract, and if we can purchase that insurance up there using
proper algorithms, to what our exposure would be on a contract,
is to go with an insurance-based product out there whereby the
veteran is protected up to $25,000. That way we wouldn't have
to get into the, quote, ``claims adjudication process.'' We
accept the responsibility, we, the government, have lost the
data. But those are things for us as members to consider.
The last point I will make before I yield to Mr. Filner is
a point that the witnesses discussed, and that we have concerns
about, and that is in our society, we believe in something that
is very congruent, and that is if I say that you have the
responsibility to do something, then it must be coupled with
the authority to act. And if I were to say that you have the
responsibility, but you do not have authority, it then creates
a syntactic situation, meaning it results in something that is
incongruent.
And if you have something that incongruent, you then have
an opinion that is called a heterodox. And a heterodox is
something that is completely out of the norm of society's
communications. So I say to the firemen, ``You have the
responsibility to put out the fire, but you have no authority
to hook up to city water.'' So the Secretary turns to the CIO
and tells him that ``You have got the responsibility to do
quality assurance; i.e., cyber security, et cetera, but that
you have no authority to enforce, or tell anybody to do
anything.'' I am very concerned.
And I appreciate all of your testimonies. Mr. Filner, you
are recognized.
Mr. Filner. Thank you. Your testimonies show you have
obviously great expertise. You also give us very specific
recommendations, which we can act on, and that is very useful.
You have tried to talk to the VA about the kind of
technology that you have and the services you could provide?
Mr. Cook. Yes, sir.
Mr. Filner. What happened with that?
Mr. Cook. We are continuing discussions with them. We are
hoping to be able to provide them services.
Mr. Filner. As I understood what you do, it goes beyond
what their announcement was yesterday.
Mr. Cook. Yes, sir. I looked at the announcement that they
made. There was a small piece of that announcement that talked
about looking at other breach monitoring, or breach remediation
solutions. And I am assuming that that might have been looking
at us, and other technologies that are available to do what we
do, to which, to the best of my knowledge, we are the only one to
do that.
Mr. Filner. So they are talking to you and are going to
become aware of your expertise?
Mr. Cook. Yes, sir.
Mr. Filner. I just read an ad for, I think Visa, and they
said they have what is called ``neural technology.''
Mr. Cook. Right.
Mr. Filner. They are able to provide their millions of
cardholders with the knowledge if anything anomalous happens.
Is that equivalent to what you are doing, or similar, or----
Mr. Cook. It is similar but different, Visa and other
companies provide different modeling techniques. One is the one
that you mentioned, where they can look at an account to see if
I am using my credit card properly. All right, if I lived in
Texas my whole life and all of a sudden I start using something
overseas, and I start to buy a lot of fenceable goods, jewelry
or something, that is an anomalous pattern in the account
behavior, and there are technologies that do that.
We are the only ones that really apply that kind of
technique to an identity. So Visa and others can look at an
account. We look at an identity, and look at anomalous patterns
about an identity, and how it behaves, how it behaves over
time, and then also how it might relate to other people. And
that is the way that we are able to detect if a breached file
would be misused in an organized way.
Mr. Filner. Mr. Buyer was concerned about raised
expectations for veterans. If we did use your system, are we
giving them some of the security that they need, or the
assurances that they need?
Mr. Cook. You would be. You had mentioned that your credit
monitoring is not going to get your criminal activity, and so
when you look at a problem like fraud, you generally have to
throw a couple different solutions at it, and you are still not
going to get all the fraud that there is. Our technology I
think will definitely detect if a fraud is misusing the file,
and they are misusing it more than five or six times, in an
anomalous way. We would be able to detect that misuse, and then
provide that information to the VA.
Mr. Filner. I thank you, and I hope we pursue that. Again,
we will have to analyze competitors. If there are none, then I
hope the VA will think about you.
Mr. Cook. May I make one more point?
Mr. Filner. Yes.
Mr. Cook. On credit monitoring, and I mentioned this.
Whatever solution the VA chooses, and we have talked with them
about this, it is important not to publish how long that
solution is going to be in place. For instance, if you're going
to do credit monitoring for free for one year, anyone who took
the file and has an intent to misuse a file, will sit on that
for one year and one day, and then they will start to use it.
So----
The Chairman. Mr. Cook, I'm sorry. These will go out under
an RFP, publicly bid on, and your people are going to know. I
just want to let you know the reality of government
procurement.
Mr. Cook. Sir.
Mr. Filner. Mr. Brody, I had used the analogy for this data
breach, used the ``Katrina'' situation. I mean, at first it
seems like a natural disaster, and you have to deal with it.
But when you look further, you could have predicted the
consequences of a category five hurricane, you know what levees
would have to be built, and it turned out we didn't do it.
In this case too, some thief that hopefully is not going to
use it stole the data. We couldn't have known that, but then if
you look further, we could have prevented this disaster. I
don't know if there are any policies in place to keep that data
from going to the employee's home. I think you are going to
have trouble, Mr. McClain, to fire this employee if there are
no policies to say you can't do this. I mean, that is a real
problem.
But not only did VA not have policies about taking the data
home, but you have outlined years and years' long indifference.
So it seems to me, it's not just a natural disaster. There is
accountability of management, and I assume you would hold
responsible for this breach the top management people----
Mr. Brody. Oh, absolutely. I mean, as the Chairman pointed out,
the mismatch of accountability and authority was what we lived
on a daily basis. I was the associate deputy assistant
Secretary for a heterodox.
Mr. Filner. He made up that word. Now you are going to use
it.
Mr. Brody. But even in the case of MS Blaster, for
instance, that one incident where the VA networks were savaged
as a result of malicious software attack, a root cause analysis
was performed by the Veterans Health Administration, bringing
in a distinguished doctor who had a history of doing root cause
analyses, and the analysis concluded that the CIO's office was
probably at fault because when it issued the warnings to put
the patches in place, it didn't sufficiently convince everybody
that we were really serious about putting the patches in place.
Mr. Filner. When you testified to this Committee in your
role as CIO, was it?
Mr. Brody. CISO.
Mr. Filner. CISO. Were you as frank and as open as you were
just now? Were you able to be?
Mr. Brody. No, I was not.
Mr. Filner. Was that made clear to you?
Mr. Brody. Yes.
Mr. Filner. How do we get around that? It seems to me that
the legislation will need to include the independence of the
person. It is a difficult thing. You are in a chain of command.
If the legislation is giving you authority, not from the
Secretary but from the Congress, then I guess we should give
you authority to testify, too, without going through OMB and
everyone else. I am just trying to think ahead, what the
problems could be.
Mr. Brody. You are certainly thinking through all the right
issues, believe me.
Mr. Filner. Has a successor been chosen to you?
Mr. Brody. Oh, yes. Yes, he has been in place for roughly
two years.
Mr. Filner. And nothing much has changed, as far as you
know?
Mr. Brody. No. The culture is still the culture.
Mr. Filner. Your testimony is very disturbing. We knew
about it, you heard me say words similar to yours. So I mean,
there have been people that have been talking to you, and we
have known about it. But you put it in a way that is extremely,
extremely disturbing. This is all about the veterans, not about
an organization, not about turf, not about covering up. It is
about the veterans. They have lost a lot of confidence,
obviously. And your testimony makes it apparent that there is
going to have to be a broader scale of changes than just
figuring out this particular problem, as bad as this is. The
recent loss of data affected 13,000 people--and they offered a
reward of $50,000. The VA's loss affected more than 26,000,000
people and the data could be sold for more than $500,000,000.
The magnitude is incredible. But as big as it is, we can solve
the technical issues, but you bring in even a broader problem.
Mr. Chairman, you have been talking about this for several
years. I think everybody now understands why. We have a chance
as a Committee, as a Congress, to make the kind of changes that
will benefit our veterans and keep them secure in the years to
come. Thank you.
The Chairman. Sure.
I appreciate the general line of questioning, and you were
very kind to me. I don't want it to be spun out there that I am
upset about credit monitoring. It is monitoring-plus, so I am
glad you explore the other tools that are available, and that
is what we want to make sure as members, that whatever the
request for proposal that goes out, that it has a broader base
to it. I think that is what we need to consider as we work with
our appropriators, and figure out how they are also going to be
paying for this, and out of what pools of money, and where does
it come from. So we don't want it to be just monitoring, it is
also the other tools.
To correct the record before I get to Mr. Bilirakis, you
said you are the only player in this space. Are you aware of a
company called Intelius?
Mr. Cook. I am not.
The Chairman. All right, okay. I just want to let you know
there are other players in the space.
Mr. Bilirakis, you are now recognized.
Mr. Bilirakis. Thank you, Mr. Chairman. And I have heard
that, you know, great testimony, obviously. I have heard Mr.
Brody use the term ``root cause.'' We are concerned about the
veterans. This is the veterans' Committee. But I think that our
concerns really ought to go past that point. No, we are not
talking turf, here, anything of that nature. But Dr. Spafford,
you were part of this President's--acronyms for every damn
thing up here. But you are part of this group, and you all
worked on it for approximately a year, from what I understand.
Did you all come to the conclusion that there was no authority,
enforcement authority that existed among these chief
information officers?
Dr. Spafford. When we did our study that was not a specific
question we looked at. However, in talking to people across
government agencies, and our own experience, we have found that
in many places, individual unit directors and military unit
commanders feel that they can override policy whenever it gets
in their way. And there is a problem throughout in being able
to ensure that security policies and procedures are
appropriately carried out. Unfortunately, without some
training, the people who are making these decisions do not
understand the consequences of overriding those decisions.
Mr. Bilirakis. Well, PITAC of course was not designed just
to look into the VA Department. It was designed for government-
wide, right?
Dr. Spafford. Yes, nationally.
Mr. Bilirakis. In your recommendations, apparently you all
failed to point out and to emphasize this lack of authority to
enforce; isn't that true?
Dr. Spafford. We were looking at the state of information
technology across the nation, not simply in the government. And
so our recommendations were for the state of cyber security as
part of the national infrastructure, not simply government
itself. So that was not one of the topic areas----
Mr. Bilirakis. You were basically given areas to cover, and
you were limited to those areas?
Dr. Spafford. Effectively so, yes.
Mr. Bilirakis. But you have now come to the conclusion--and
as you were speaking, Mr. Brody was shaking his head. I didn't
look over at Mr. Cook--that much of the problem is, I mean,
first of all, you all mentioned culture, and God knows that is
a hell of a problem. Not only in the VA, but I suppose probably
in all departments and agencies. But shouldn't we be concerned
that apparently the lack of authority that is so very, very
significant here, so very dense in this area, for crying out
loud, does not exist, or apparently does not exist, or doesn't
exist adequately, in all the other agencies and departments in
the government?
Dr. Spafford. My comments about that in particular were
based on my own personal experience rather than the Committee.
That was a separate report. But yes, I have seen in many
agencies, including Department of Defense, there is a lack of
concomitant authority to go with the responsibility. In many
agencies, such as appears to be at the Veterans'
Administration, and in many companies, the person who is given
the responsibility for security with no authority, the real
position should have a label of ``scapegoat,'' because that is
all that one can do, is take the blame, if you can't effect any
change. And this is all too common in the area of security
because those of us who understand the risks and want to
implement the changes are resisted, because it costs money. It
changes the way people do things. And so it is a very common
problem throughout government and industry.
Mr. Bilirakis. Mr. Brody.
Mr. Brody. I can only concur. My direct observation was at
the Departments of Veterans Affairs, Department of Energy, and
the Department of Defense. And in all three cases, direct
observation, there is no authority resident with the
accountability function of these senior IT officials.
Mr. Bilirakis. And you all agree that this--I mean, we can
talk about maybe solving or fixing this particular problem
ultimately, or whatever the case may be. We are spending so
much time on this that we should be spending on other veterans'
matters; claims, delay in claims, and healthcare, and things of
that nature.
I don't know. Does the president know that that significant
part of this overall picture, that lack of authority to enforce
does not exist? It was not part of your report that went to
him.
Dr. Spafford. No, sir.
Mr. Bilirakis. So he does not know? I mean, he doesn't know
by virtue of this report in any case.
Dr. Spafford. We were asked specifically to look at the
status of cyber security research and technology transfer in
the country, and how effective it was. That was the nature of
that report.
Mr. Bilirakis. Well, you have said that, yeah.
Dr. Spafford. Yes. So as to what the president knows or
does not know, I can't comment.
Mr. Brody. I just find it illuminating that the same body
that gave us the Federal Information Security Management Act
was not aware of this mismatch of accountability and authority.
Mr. Bilirakis. So you know, are we accomplishing very much
of anything here? If we really don't look to the root cause,
not only to the VA, I mean, this same sort of thing is going to
happen in other departments and other agencies--Federal Trade
Commission, we just got word, and we are hearing about other
agencies or other departments. Should we have legislation--and
I guess legislation is only as good as the people who are
supposed to be carrying it out, that would mandate, for crying
out loud, that there be some sort of authority? We are going to
hear from the Counsel in a little while, I guess who is going
to tell us that the authority is not there.
But should we have legislation that would do it? Not just
with the VA, and of course obviously, it would be something
that would be applicable to all of the other Committees, which
might be just enough of a reason to kill the legislation,
because you know, jurisdictions assigned by other Committees
do. But shouldn't we do something like that? I mean, isn't that
part of the root cause, getting to the root cause of all this?
Mr. Brody. I am on record with the Committee on Government
Reform as pointing out that the major flaws in FISMA include
the accountability versus the authority mismatch, as well as
the issue of FISMA not necessarily measuring the right
categories of information security.
Mr. Bilirakis. And you are on record as saying, and you all
are on record as saying that basically you can't ever solve
this unless you take care of that particular area; is that
right?
Mr. Brody. Correct.
Mr. Bilirakis. Yeah. Let me ask--we understand that houses
in the neighborhood of where this took place have also been
burglarized apparently during the same period of time. And I
guess they haven't been tied--whether the same person did it,
or whatever the case may be. But I think that the impression is
that the person who took this did not know what he or she was
doing, or that they did not know what they had. Are we wrong by
virtue of holding these hearings and all this publicity out
there and that sort of thing? Is it likely that the thief or
thieves know by now what they have in their possession?
Dr. Spafford. Based on the reports that I have seen, it is
entirely possible because of a delay in reporting that if the
thief was only interested in the physical computer, it had
already left his or her possession by the time the news was
released.
Mr. Bilirakis. Why would that be? Why would it have left?
Dr. Spafford. They would have sold it immediately. Those
kinds of thefts are usually to pay money for drugs or----
Mr. Bilirakis. All right. But whoever they sold it to, the
problem still potentially exists for that person, right?
Dr. Spafford. Very often, those systems are completely
wiped or whatever--so they can't be traced back. But the second
part of your question about holding these hearings, I think is
very important, and also goes to your earlier question about is
something being accomplished? These kinds of problems have been
happening for several years, and are going to happen more
frequently. And it is very important that we all understand
these problems and address them in some way. So I certainly
applaud whatever you are doing in this regard.
Mr. Bilirakis. Okay. Mr. Brody, you agree, Mr. Cook?
Mr. Cook. I agree. If they do know that they have it, I
know what I would do if I did. I would take it in the backyard
and bury it.
Mr. Bilirakis. You would what?
Mr. Cook. I am sorry. If I knew that I had the information,
I would take it in the backyard and bury it in a very deep
hole. Because I think that there is so much scrutiny and so
much interest in, you know, who has that file. I think there is
other data that I would probably try and take----
Mr. Bilirakis. Okay. So actually then, you feel that
hearings like this will tend to maybe convince the thief that
they had better bury it and not try to use it.
Mr. Cook. We have done analysis in different breaches, and
in one of the breaches there was a public announcement that was
made. And what we noticed was, after the public announcement
was made, the use of the file, the use of the names went way
down. So we do think the public announcement helps a good deal.
A concern that I would have is that over time, that data can
get out. And if that information gets out over time, all of a
sudden the attachment to the VA data breach might go away, and
it just becomes names and Social Security numbers.
Mr. Bilirakis. Right.
Mr. Cook. And if that is the case, and if that information
finds its way onto the Internet, over time, veterans can see
identity theft happening to them from this breach. But we don't
know that.
Mr. Bilirakis. Okay, thank you. I am feeling a little
better. Thank you, Mr. Chairman.
The Chairman. Thanks very much. Mr. Michaud, you are now
recognized.
Mr. Michaud. Thank you very much, Mr. Chairman, for having
this hearing. I really appreciate your willingness to stay on
top of it. I also want to thank the panelists. It has been very
informative.
Mr. Brody, you had mentioned that VHA disagreed with the
draft directive 6500 regarding the medical transcription
services. Can you recall what they said, and why you thought
this to be a faulty reasoning for not complying with it?
Mr. Brody. Yeah. I mean, in general, their position was
that the language of their contract with the transcription
company was sufficient control. But my office tried to point
out to them that number one, they weren't monitoring or
auditing whether or not the contractor was in compliance with
the contract; number two, that outsourcing to a foreign company
created some issues related to whether or not the individuals
that had access to this data had criminal background, or
potentially, ties to terrorist organizations. And number three,
foreign organizations, foreign corporations deny us the ability
to seek to address any issues in the U.S. courts, should it
come to that.
And when we pointed those things out to them, they, you
know, took them under advisement, and went off and did their
own thing.
Mr. Michaud. Thank you. Second thing, Mr. Brody,
specifically was there any information or cyber security
weaknesses in the VISTA system? If so, what were they and what
could be done to fix them?
Mr. Brody. The Committee might find this interesting, I
recall reading in the VA publication that is distributed in the
hallways and near the elevators a few years ago, where there
was an article on this done, and it was declared in the article
by, you know, senior VA officials, how proud they were that
they were able to develop Vista underground, without any
involvement by the headquarters. And so I don't know what the
software looks like inside Vista. I do know that as of two
years ago, it had no access control whatsoever. And I don't
know if that has been corrected to date. So I would encourage
the Committee to potentially take a look at--maybe do a
security audit of Vista, and see what they find.
Mr. Michaud. Thank you. You had mentioned that you had
worked with DOD and the Department of Energy, and you mentioned
some of the same things about, you know, who was in charge. Did
you witness similar problems with the other agencies, as far as
security, that you witnessed at the VA? And does the DOE suffer
from another agency's similar resistance to change, even though
the authority might not have been the same; has it been that
resistance in the other agencies, that culture, so to speak?
Mr. Brody. Overall, yes. I mean, not to quote Yogi Berra,
but their similarities are different. And that means that in
the national security world, which includes DOD and DOE, there
tends to be a little bit greater appreciation for, across the
population, for the need to operate more securely. Nonetheless,
the decentralization, especially in an environment like DOE,
has created similar, fragmented security issues, as exist in
many other civilian agencies.
Mr. Michaud. Thank you. And is technology difficult to
centralize, the IT operation within the VA, do you think?
Mr. Brody. There are some complexities associated with
technology, but overall, technology is not the problem. I mean,
the technology complexities relate to, in the case of the VA,
some of these very older systems that are no longer supported
by the original manufacturer, and those just probably need to
be retired or migrated. But overall, the technology part of
this problem is not the hard part of the problem. It is the
cultural part of this problem.
Mr. Michaud. And my last question. In your opinion, do you
feel that the 26 million records, is that a national, or non-
national security problem?
Mr. Brody. If you take the strict definition of FISMA, it
is a non-national security problem. But I feel that when you
begin aggregating the kinds of information that can be
contained in those kinds of databases, you are very perilously
close to a national security problem.
Mr. Michaud. Thank you. Thank you, Mr. Chairman. I yield
back the balance of my time.
The Chairman. Thank you very much. Mr. Moran, you are
recognized.
Mr. Moran. Mr. Chairman, thank you very much.
Mr. Cook, you said something in your testimony or a
response to a question, I think, that caught my attention that
I don't understand. And it dealt with the percentages of
Americans that are subject to identity theft, and I think it
was one and a half to three percent. And then you indicated
that the veterans who were in this computer information were
something less. Would you explain that to me?
Mr. Cook. Sure. What I mean by that is, we have done a lot
of analysis, and what we know is that the size of the breach is
very important to the misuse rate of that breach. If it is
misused and if you are a consumer, you want to be part of a
very large breach. Because if you are part of a 26.5 million
record breach, then the probability of somebody picking your
name out of that fairly large hat and using your name to commit
identity theft is very, very small. If you have a--and let us
just say, if you put your mail in your mailbox and somebody
takes your mail out, I would consider that a data breach of
one. So there, you would have a very high percentage of your
name being misused. So, the point I was trying to make is, we,
all of us have got about a one and a half to three percent
probability of identity theft happening to us during the course
of a year.
So the probability of identity theft happening to a veteran
is one and a half to three percent, and so because now, they
are part of a very large data breach, it is only going to
increase very slightly for them, okay? But as a whole, it does
mean that there will be more victims of identity theft in the
U.S. It does mean that.
Mr. Moran. What then is the value of the 26 and a half
million names, the information, then, on the street? Twenty six
and a half million is too much data for somebody who would be
in the market for identity theft?
Mr. Cook. Well, it is a lot. If you were one person, it
would take you--we have done the math on it--it would take you
about 12 lifetimes to use that one file. So it is a lot of data
for one person to use. If they were to take it and disseminate
it out on the Internet and try and sell it in packages, you
know, we have heard anywhere from $25 to $75 from consumer
advocate groups who have said this is what they hear. So there
is a lot of dollars that they could get by selling that data,
but again, if I had taken the data and I knew that it was the
VA file, I would run away from it because I think there is
going to be such intense scrutiny on that file, that people are
going to be trying to find someone misusing that data.
Mr. Moran. What is the occurrence that causes us to know at
some point in time that the security has been breached, and the
information is being used? What would you expect to be the
first sign that there is a real problem?
Mr. Cook. Well, it will be the anomalous behavior patterns
that you would see in the file. For instance, there are 70, 60,
50 people in the room today. If all of our data was breached,
six months from now if we all started using the same cell phone
number, that would be anomalous. If half of us started living
in the same apartment complex, that would be anomalous. And
that is how we can detect the misuse. It is the events that
happen after the breach to a specific identity, and the way
that we can pull those things together. And that I think would
be your first indication that somebody is actually misusing
that file.
Mr. Moran. And this would be announced? This would become
known because some veteran would indicate something bad is
happening in his or her life?
Mr. Cook. That is what credit monitoring would require, is
that a consumer really kind of placed their own report, and
then provide that data to a central source, and that is not
being done. And there would be so much noise in that, because
again, we have a percentage of identity theft that is going to
happen to us. It wouldn't be the consumer saying it, it would
be our ability to look at the breached file, and then look
within our ID network and see applications that were filed in
those veterans' names, and then determine which of those
applications were probably filed by the veteran, and which of
those applications might have been filed by a fraud ring who
has access to that file.
Mr. Moran. Thank you.
Mr. Brody, I think you have been asked this question, and
maybe Dr. Spafford as well, but for my understanding, is there
something unique about the VA that really--I mean, this
happened with VA information, so the focus is on the VA. We
talk about the culture, the atmosphere, the attitude. Something
unique about this place or just any other government agency is
the same risk as the VA----
Mr. Brody. My observation would be that we need to be
careful about not focusing entirely on this incident, because
again, this was discovered almost by accident. How many more of
these kinds of incidents are out there and not just at the VA
where we know there are no controls in place to prevent it? We
know there are no controls in place at other government
departments and agencies, where, you know, larger amounts of
information may be on some employee's owned computer, or on
some contractor's owned computer. And so maybe the attention we
are drawing to this incident could be creating an opportunity
for, you know, some other bad actor out there, and that would
be an unfortunate turn of events.
Mr. Moran. But the personnel of the VA aren't any blinder,
or culturally resigned to the status quo than any other place?
Mr. Brody. Not necessarily, no.
Mr. Moran. Okay, thank you very much. Thank you, Mr.
Chairman.
The Chairman. Dr. Spafford, did you have something you
wanted to say to Mr. Moran?
Dr. Spafford. I was simply going to say that there are some
better and some worse. A lot depends upon their individual view
of the data, versus their mission. So some organizations, as
Mr. Brody said, in working with national defense, will be more
aware of that value. And in other places where they view that
their mission--and unfortunately, this is part of the problem,
why this happened. The person who lost the data viewed that his
mission was to get his reports done, or get his work done,
rather than protecting and serving the veterans that the agency
was supposed to be involved with. And where that disconnect
occurs, you have more of these problems.
Mr. Moran. I would think that Mr. Buyer's leadership on
this issue and the hearings that we are having, and the focus
of the national attention on this issue, would cause other
departments and agencies to have a desire to change their ways.
Maybe that is just Kansas commonsense, but I hope it works that
way in Washington, that this is the catalyst that causes us all
to think that, ``My gosh, what we are doing isn't quite
adequate.''
Dr. Spafford. Well, as I noted, and as Mr. Brody noted,
this is not the first such incident, and these kinds of things
have been going on for years. And whoever is currently in the
spotlight takes a fair amount of heat, and vows never to do it
again, and then someone else gets caught.
Mr. Moran. Thank you, Mr. Chairman.
The Chairman. Mea culpa, mea culpa, mea culpa.
Ms. Herseth.
Ms. Herseth. Thank you, Mr. Chairman. And I appreciate the
questions that I know Mr. Michaud had a chance to pose to Mr.
Brody, and Mr. Moran's line of questioning. I hope this
presents an opportunity, as I explored in an earlier hearing,
to evaluate whether or not we have the same weaknesses within
these CIO organizations across other Federal agencies, which you
had an opportunity to serve in two different agencies. And that
while the VA is currently the one taking the heat, that whether
it is USDA, EPA, DOE, others, start taking steps, and CIOs
start sharing information across agencies, and that we make the
decisions in the Congress about the resources at the front, and
are they going to be necessary to prevent these types of
situations that cost us far more at the back end.
So let me just ask one question, because I know there is
probably an interest in moving to the next panel, as well. Mr.
Brody, we have had some discussions here about the age of the
various files within the VA. Is it technically difficult to
encrypt or convert VA's older databases?
Mr. Brody. It is more difficult to encrypt the databases
that are on older hardware platforms, and older software
operating systems that are no longer supported by any
manufacturer. There are workarounds, and there are some
complexities, but it is not impossible. And by and large, the
technology part of this problem is not the hard part of this
problem. Technology is available to solve most of the
deficiencies identified by the IG and the GAO, in the VA.
Ms. Herseth. So if the technology isn't the problem, it is
the resources and the obstructionism that we have to overcome,
that is the problem?
Mr. Brody. More or less, yes.
Ms. Herseth. Okay. I yield back, Mr. Chairman. Thank you.
The Chairman. Thank you. I know Mr. Udall has had to step
out for just a moment, so let me--we have votes that are going
to occur at 12:15 to 12:30. So what I would say to Mr. McClain,
I apologize but it is life on the Hill.
All right, so Mr. Brody, I am going to go back to this, and
we are going to get into this in the next panel with the
General Counsel, about why they made certain decisions in their
memoranda. But if I try to follow the logic, that FISMA is
not--let me restate this. According to the most recent FISMA
report, VA has no agency-wide security policy, is what the
recent report says. If you were to design security policies,
what would be the key components to be included in that policy?
Mr. Brody. It would include the confidentiality, integrity,
the availability, and the accountability, for the necessary
controls on all the VA's systems, including the protection of
data.
The Chairman. Dr. Spafford, would you agree with that?
Dr. Spafford. Those would certainly be the core elements of
the policy.
The Chairman. What kind of training would be necessary to
implement such a policy? And what kind of time are we talking
about?
Mr. Brody. It would depend because there will be certain
roles that would have to be trained. Managers across the agency
would need a certain kind of training. Practitioners
responsible for actually maintaining security devices would
need a certain different kind of training. And by and large, a
lot of that training is in place in the VA. We had put in
place, following the incident in which some computer systems
containing veterans' data were purchased by the television
station in Indiana, we had put in place a program of
practitioner professionalization, and we took 600 people
through that program and certified them. But that is 600 in a
population of over 200,000, that all need a significant degree
of training.
The Chairman. And would we have any problems with the VA
personnel policies or labor practices?
Mr. Brody. Those cropped up from time to time. Yes.
The Chairman. Such as?
Mr. Brody. Well, I mean--the details escape me at the
moment, but you know, a fact of the matter is, whenever we
tried to put in place any kind of policy that affected the day-
to-day life of the individual, the resistance from HR
organization was fairly stiff.
The Chairman. Interesting. Mr. Udall? You are recognized.
Mr. Udall. Thank you, Mr. Chairman. Mr. Brody, you talked a
little bit about security and issues of security, and I wanted
to ask you about--under the Federal Information Security
Management Act, are you comfortable with the distinctions
between a national security database, and a non-national
security database? And how would you define these? And with
respect to the specific information that was lost there, which
category does it fall into? And are there any things that we
should do in order to better protect ourselves, in terms of
these definitions?
Mr. Brody. I would say I understand the definitions, and
whether or not I am comfortable with them, I spent 10 years in
the intelligence community, so I understand that when you take
what would appear outwardly to be non-sensitive information and
begin aggregating it so that it starts to become more
sensitive, you cross a fine line into what could be classified
as national security information. According to the definitions
that are incorporated in FISMA, that does not apply in this
case. But I would argue that the aggregation of information in
VA's systems can be of significant value to those who would
wish to do this country harm.
Mr. Udall. And is there anything we can do to further
protect in that area, other than what you have already outlined
here today?
Mr. Brody. Well, I mean I actually raised this issue in
2001 when I arrived at the department. And I was told that that
is the responsibility of the office of security and law
enforcement, and ``Thank you very much for your input.'' So
again, we are dealing with the fragmented security authorities
across the department.
Mr. Udall. Several statements by the VA indicate that the
employee who took home the data did so without authorization.
If he was already authorized access to the data, what policy or
regulation would have required further authorization? And do
you recall if the IG or the GAO, or any other entity, ever
commented on this as a weakness?
Mr. Brody. I am not aware of any policy that would have
prevented this. Nor am I aware of any comments by any other
party.
Mr. Udall. A changed management system developed after
Secretary Principi attempted in 2002 to centralize the CIO
function. This new system was characterized by significant non-
line reporting. How well did this system work, and did that
hybrid system approximate the Federated Management system
recently adopted by the VA?
Mr. Brody. Yeah, I would have to characterize the results
of that as not in keeping with the spirit of this Committee's
concerns, as addressed in 2002. Once we get to that of a line
sort of authority thing, and then in the wake of the MS Blaster
incident, we did an analysis internal to my office, and I am
sorry that I don't have it present, but I am sure that we can
probably draw it out of someone's files, where we determined
specifically who had responsibility for configuration control
and configuration management in the department. And it turned
out that as a result of the efforts by Secretary Principi to
put that memo in place in 2002, there were no less than 13
separate places by which configuration control would be managed
in the department.
Mr. Udall. To Dr. Spafford or Mr. Cook, do you have any
comments on anything you have heard, or I have raised here?
Dr. Spafford. No.
Mr. Cook. No.
Mr. Udall. Okay, thank you. Thank you, Mr. Chairman. I
yield back.
The Chairman. Mr. Brody, in your testimony you testified to
something that we as a Committee had considered, and that was
whether to elevate the CIO to the level of an under Secretary.
And we thought about that as a Committee when we put together
our legislation, and I guess looking back on it, maybe we
should have. Really, our inward discussions were dealing with
if you have a culture of resistance that I called the
``centurions of the status quo,'' and it is much easier for the
three under secretaries to run over the CIO, especially if they
can then--they all are competing to win the support of the
deputy Secretary, or the Secretary. So I just want to let you
know, I got your message. I embrace it, and we as a Committee
are going to look back on your recommendations.
Let me turn to Mr. Cook. With regard to data, when an
individual feels--you know, they went to the ball game, just
had their purse stolen, their pockets were picked, now it is
like, ``Oh, my gosh. I had 12 credit cards in there. It is now
gone. What do I do? Who do I call?'' My question to you is,
what is the norm before an individual will begin to feel the
bad effect?
Mr. Cook. There has been some analysis on that, and FTC I
think has done some of the best analysis, and another
organization called Identity Theft Resource Center. I think the
average--and I'm not sure of this, but I think the average is
about six months before they actually see it. Because what
happens is you might get an inquiry in your credit reports that
you may not be aware of, because you don't have credit
monitoring. And then, that account, if it is a wireless account
or a credit card account, is open, and then that fraudster
might use that account. Some people will take the account, buy
fenceable goods, and go bad right away. Others will use that
account over time, as many as 18 months, so that they can do
something that the industry calls ``bust-out,'' where they can
actually drive the account much higher than what the credit
limit is.
And so generally, consumers will find out they are a victim
of identity theft because they will get a call either from
their credit card issuing bank, or the wireless company, or
from a collection company. So it is generally about six months,
7, 8 months out.
Now, if there is a fraudster who steals an identity and
uses that identity over and over and over, and that consumer
happens to have consumer monitoring--this is a very small
percentage of people--then they may be aware of that within as
quickly as three weeks, if you will.
The Chairman. All right. Our challenge here is to build a
system, and at the same time take care of the veterans, and
produce that product in Congress, as we work with the
administration. I want to thank you for taking your time to put
together your testimony, and for being here. I appreciate that.
Mr. Brody, thank you. We asked you to do a job, and put a
patch over one eye and we tied your good arm to your back, and
you did your very best. And I know it was hard, and it was
difficult. And we don't view you as a scapegoat, because the
more we do our forensics, the better the understanding we have
about the culture, and the problems, and the resistance to
change Mr. Filner had discussed.
And we are going to embrace your recommendations, along
with Dr. Spafford. Once again, let me thank you for helping
your country. Your testimony is insightful and valuable to us,
as we formulate this legislation.
Any other questions?
[No response.]
This panel is now excused. If we could turn to the second
panel. And even though we got a warning that votes will occur.
Dr. Spafford, do you have to take off? Do you have to run? Dr.
Spafford, do you have to catch a flight?
Dr. Spafford. Later on this evening.
The Chairman. Okay, could you sit and listen to this panel?
Are you going to have to take off?
Dr. Spafford. No, I can----
The Chairman. That is wonderful, thank you. What I had
planned to do, Dr. Spafford, is I would like you to listen to
this panel, and then I am going to circle back with you--we
could have a discussion. If we can't get it today, are you
around Monday, at Purdue University?
Dr. Spafford. No, sir, I will be at a conference----
The Chairman. At a beautiful resort? Don't answer that.
Dr. Spafford. Allegedly.
The Chairman. Allegedly, great. Means you're in Toledo?
Sorry, nothing against Toledo. All right. Hey, hey, hey.
Sitting on our second panel is the General Counsel for the
Department of Veterans Affairs, Mr. Tim McClain. Mr. McClain
was confirmed by the Senate as the General Counsel for the
Department of Veterans Affairs in April 2001. As General
Counsel, he serves as the chief legal adviser to the Secretary
of Veterans' Affairs and the department's other senior leaders,
and manages the Office of General Counsel, which is comprised
of nearly 400 attorneys assigned throughout the United States.
Mr. McClain also served as the VA Chief Management Officer
from January 2005, through November 2005, responsible for the
department's budget, financial policy and operations,
acquisitions, material management, real property asset
management, environmental policy, and business oversight.
Thank you very much for being here. If you would also
introduce Mr. Thompson, who accompanies you and you will then
be recognized.
Mr. McClain. Mr. Chairman, thank you very much. Mr.
Chairman, Ranking Member, and members of the Committee,
accompanying me this morning is Jack Thompson, who is the
Deputy General Counsel at the VA, and he has over 30 years of
service with the VA as an attorney. Also, I would like to, if I
could, ask that my full statement be made a part of the record.
The Chairman. All right. We do. If you will arise and give
me your right hand.
[Witness sworn.]
The Chairman. Thank you, please be seated. Mr. McClain, you
are recognized.
TESTIMONY OF THE HONORABLE TIM S. MCCLAIN, GENERAL COUNSEL,
U.S. DEPARTMENT OF VETERANS AFFAIRS, ACCOMPANIED BY JACK
THOMPSON, DEPUTY GENERAL COUNSEL
Mr. McClain. Thank you, sir. And thank you for the
opportunity to discuss the legal implications of the May 3,
2006, theft from a VA employee's home, of personal identifying
information concerning veteran servicemembers.
This incident brings into sharp focus the Federal laws that
address a similar issue; i.e., safeguarding personal
information. Both the Privacy Act and the Federal Information
Security Management Act, or FISMA, provide a framework for
establishing agency safeguards to ensure the security and
confidentiality of records. These statutes generally outline
agency responsibilities, and require the agency head and senior
officials to ensure compliance with the law. Since we were made
aware of this terrible situation, the employees of the VA have
worked tirelessly to ensure two things: one, that the normal
services to veterans, including healthcare, benefits, burial,
and memorial services, have continued uninterrupted. And two,
that we address this situation in such a manner that it will
minimize any adverse impact on a veteran. This is VA's problem,
and we intend to address it as one.
Secretary Nicholson has launched VA on a course that will
result in VA being the gold standard for information security
in Federal Government. That is no easy task. VA is so large,
and with so many very vital programs, that it will take a
concerted effort on every employee's part to make it happen.
Just as VA transformed its health-care system from one of
questionable quality in the early 1990s, to today, the
recognized leader in healthcare delivery and electronic
healthcare records, we are committed to leading the Federal
Government in information security.
Along that line, in an October 19, 2005, memorandum,
Secretary Nicholson ordered the reorganization of VA's IT
operations. In February 2006, the Secretary strongly advised
senior agency officials at a senior management retreat that
today's IT reorganization was his top priority. In that regard,
on April 30th of this year, over 4000 employees were detailed
to the Office of Information Technology, as part of this
implementation plan. As of the end of the current fiscal year,
those employees will permanently be transferred to the Office
of Information Technology. This has placed all IT operations
and maintenance personnel under the supervisory control of the
CIO.
Another major development was announced yesterday by the
Secretary: that VA is committed to providing one year of free
credit monitoring to individuals whose sensitive personal
information, their names and Social Security numbers, may have
been stolen as a result of this incident. Providing free credit
monitoring will help safeguard those who may be affected, and
will provide them with the peace of mind they deserve. This
week, VA will solicit bids from qualified companies to provide
a comprehensive credit monitoring solution. VA will ask these
companies to provide expedited proposals, and be prepared to
implement them rapidly, once they are under contract. Once VA
hires a credit monitoring company, the department will send a
detailed letter to individuals whose sensitive personal
information may have been included in the stolen data. This
letter will explain credit monitoring, and how those eligible
can enroll or opt in for the services. The department expects
to have credit monitoring services in place and the letters
mailed by mid August. VA will also be soliciting bids to hire a
company that provides a data breach analysis, which will look
for possible misuse of the stolen VA data. The analysis will
help measure the risk of the data loss, identify suspicious
misuse of identity information, and expedite full assistance to
affected individuals.
These efforts will augment the other aggressive steps VA
has already implemented in response to the unfortunate
incident. As previously announced, the Secretary has already
directed a series of personnel changes in the affected office
within the department. The Secretary has also hired a former
Maricopa County prosecutor, Richard Romley, as a special
adviser for information security. He ordered the expedited
completion of cyber security awareness training and privacy
awareness training for all of VA employees, and also ordered an
inventory of all positions requiring access to sensitive VA
data. He also asked that every laptop undergo a security
review. And the VA's facilities across the country, every
hospital, CBOC, community outpatient clinic, regional office,
national cemetery field office, and VA central office here in
Washington, observe a security awareness week, beginning next
Monday.
Thank you, Mr. Chairman, for the opportunity to testify,
and I will be glad to answer any questions from the Committee.
[The statement of Mr. McClain and accompanying documents
appears on p. 92.]
The Chairman. All right. First, I have--have you been
present during the discussions on formulating this policy to
provide the free credit monitoring? Were you present at these
discussions?
Mr. McClain. Yes, sir.
The Chairman. Okay. What does free credit monitoring mean?
Mr. McClain. Well, it will be defined by the bids that are
received in response to the RFP that has gone out. Credit
monitoring is a package of services that are offered by, for
the most part, the three major credit bureaus, and possibly
others. And they have different levels of this service that you
can actually purchase from them. The RFP will be requesting a
very robust package to cover the veterans, and it will be
determined by actually what the bids are in response to the
solicitation.
The Chairman. You got my attention in your testimony when
you talked about a comprehensive approach. My sensing for my
colleagues is that is where our greatest interest is. And so
let me go back to my earlier comments, when I heard about the,
oh, credit monitoring. It has to be about more than just that.
And that is also our testimony from the first panel. So now, we
say, okay, we are going to invite the credit monitoring, you
say we are going to do bids to do a comprehensive approach, and
then we are also going to do a second--you have got two
proposals that are going to be going out; is that correct?
Mr. McClain. Yes, sir.
The Chairman. All right, tell me a little bit more about
your first proposal for a comprehensive approach. Is that sort
of what the gentleman was talking about from analytics, or also
Intelius does, out there in the private-sector?
Mr. McClain. Sir, the comprehensive approach would be the
entire--would be everything. In other words, both solicitations
that go out, which would include a robust credit monitoring
package, and it would include a company to come in and do the
data breach analysis.
The Chairman. Okay. But on a comprehensive approach, are we
also saying that you are considering purchase of an insurance-based
product?
Mr. McClain. Yes, sir, because that normally comes with
your normal commercial credit monitoring package. If you were
to go to any of the big three credit bureaus that would be
included in the package.
The Chairman. Mr. McClain, that is a big deal. I think it
is a big deal. Because Congress out here just yesterday, the
Judiciary Committee immediately goes out there and does the
claims adjudication process. And when I brought that up, I
talked to the Secretary about that. And he is like, ``Whoa,
Steve, I know what you are trying to do. Let us see what is
available in the commercial market.''
Even if we were to do that, do we want to keep it in-house?
Would we keep it under you? Would you create a separate agency
to do that? You don't want it to be organic, limited in scope,
limited in time, a lot of things to think and consider about.
But you can notice how heightened members are about the issue,
that the Judiciary Committee would run out. So I would welcome
the VA to explain this a little bit further as you are
formulating this. I think that the VA is saying that we are
interested in providing that financial assurance--an insurance-based
product while we do this, will make veterans feel a
little bit better. Would you agree?
Mr. McClain. Yes, sir. And we'll be glad to. I'm certainly
not the expert in the credit monitoring packages or the
insurance, but we'll be glad to provide the Committee with a
more detailed reasoning as to exactly what that entails.
The Chairman. All right. Here is what is happening, is that
not only are you learning, VA, more about this; so are we. And
that we want to work with you on how you develop your
comprehensive approach, as opposed to us, you know; either that
or we dictate something and we don't want to have to do that. I
mean, we can set parameters, but you are also going to be
coming here and asking us to pay for it. Okay?
With that, I yield to Mr. Filner.
Mr. Filner. Mr. McClain, I think you ought to be ashamed of
the testimony you just gave us. You sat through an hour and a
half of testimony, detailing some very grave problems in the
culture of the VA. We also heard some very technical and very
specific suggestions on what we might do, including the
weaknesses of just credit monitoring. And you read the same
thing that you walked in with, as if you didn't hear anything,
nothing is wrong, the Secretary is taking action, you are
taking action, everything is fine. You have the lowest guy on
administrative leave, and it is not clear that he violated any
policy, anyway, and his superior resigned. We just heard of
extensive management failures of VA. You don't address that. It
didn't happen. You are testifying about a completely different
world from the one we heard.
You have the biggest breach of security of identities in
the history of this country, and you haven't come to grips with
this issue. Your testimony shows the very reason why we have a
problem. You don't recognize anything, you don't admit
anything, you don't acknowledge anything, you don't want to
change anything. This is disgraceful.
Given the testimony from Dr. Spafford, and Mr. Brody, and
Mr. Cook, why shouldn't you and everybody above you in the
chain be held responsible for the data loss? It was your memos
that said there couldn't be any centralization. It was your
memos that contradicted the authority of FISMA. It was your
memos that said the Secretary is not going to centralize. Why
should you not be fired for this incredible breach?
Mr. McClain. Mr. Filner, first of all, I think that VA has
taken this very seriously. I mean, this is----
Mr. Filner. The first step is to acknowledge a problem.
Read your statement again and show me where you acknowledge
that there were some errors in the management of your agency.
Show me where. I just read your whole testimony. Not one word
to show that you understand the severity of the problem. They
say the first step in understanding addiction is, you have to
get rid of denial. You are still in denial.
Mr. McClain. Denial that there is a problem----
Mr. Filner. That there is something--in the culture of the
VA management system that caused this.
Mr. McClain. I believe that the Secretary has testified on
more than one occasion in front of this Committee and others,
saying that there was a problem, and it has made him mad as
hell.
Mr. Filner. I can see everybody is mad as hell sitting
here.
When did you hear about the data breach after May third?
When did you hear about it?
Mr. McClain. May 16th.
Mr. Filner. You don't think that is a problem in your
system? That it took you two weeks to hear something?
Mr. McClain. I believe it is.
Mr. Filner. So what are you doing about it?
Mr. McClain. We are----
Mr. Filner. You are asking for an RFP, yet you are not
doing one thing about the management, as far as I can tell.
Mr. McClain. Oh, I think that----
Mr. Filner. Tell me, what are you doing?
Mr. McClain. We are doing a complete review of information
security in every single office in the VA. From the lessons
learned from that, and this is being chaired by the deputy
Secretary. From the lessons learned, we are going to move
forward with implementing changes, so that there is a uniform
information security policy throughout the----
Mr. Filner. What were the lessons you have learned?
Mr. McClain. Sir?
Mr. Filner. You said we are going to implement the lessons
learned. What lessons have you learned?
Mr. McClain. That we need to pay more attention to
information security, that we have people out there that do not
realize that what they have is a veteran's personal data in
their hands, or on their laptop, and they are----
Mr. Filner. Don't talk about other people. What have you
learned? I want to know what you have learned. Do you question
what you did in those memos in 2003 and 2004 when you gave
basically the legal rationale for not doing anything? Would you
retract those, or would you redo them? Tell me what you have
learned.
Mr. McClain. Mr. Filner, I would not retract those. I
think----
Mr. Filner. Okay, you are the problem. You are the problem.
Until you admit that, it is not going to change.
The Chairman. I am going to need to recess the Committee.
We have six and a half minutes left. We have three votes. So
after these three votes, we will return. Thank you. The
Committee stands in recess.
[The referenced memos are attached to Mr. McClain's
prepared statement and appear on p. 96.]
[Recess.]
The Chairman. The VA Committee will come back to order, and
I yield to the gentleman, Mr. Filner, so he may resume his line
of questioning. Mr. Filner, you are now recognized.
Mr. Filner. Thank you, Mr. Chairman. Thank you for waiting
for us, Mr. McClain.
The summary of what I was saying before is that we have a
whole series of analysts who agreed on several things, and all
my colleagues seemed to agree, also. The issue of authority and
resources for the chief information officer or chief
information security officer. And you made no comment on that.
Your memos on this issue, where you debate the meaning of the
word ``ensure,'' reminds me of the president who was trying to
debate the meaning of ``is.'' You are looking for any reason
not to get the CISO the authority he needs, and I ask you if
you would retract those, and you said, ``No.''
Do you believe that we have to pass additional legislation
to give the CISO authority in your department, although you say
here the Secretary could do it on his own? Have you made any
steps in changing that authority in the VA? Everybody agreed
that is the main thing.
Mr. McClain. Mr. Filner, regarding the opinions, I do
believe the opinions state the state of the law at the time
that those opinions were written. In other words, the issues
would come in, or questions would come in, and indeed, the case
of the April 7th, 2004, opinion, we had three different offices
ask us to opine on the particular issue of FISMA.
[The April 7, 2004, memo referred to is attached to Mr.
McClain's prepared statement and appears on p. 104.]
Mr. Filner. Do you think that the CISO ought to have the
authority that the three panels all agreed on for good cyber
security?
Mr. McClain. Well, I don't----
Mr. Filner. You personally, what do you think? Why don't
you ask us for legislation that would give the CISO authority?
You are hiding behind all these words and these opinions. Do
you think you are the General Counsel--do you think the CISO
ought to have the authority to enforce the decisions that he
makes?
Mr. McClain. I think that if the CIO had additional
authority it would probably make his particular job easier. Is
that a good idea? That is really a policy discussion, and not a
legal----
Mr. Filner. Other agencies have interpreted the same law as
giving their CISOs that authority, right?
Mr. McClain. I am not aware of that, sir.
Mr. Filner. Have you asked other agencies? Did you consult
other General Counsels, to see what they said?
Mr. McClain. No, we didn't.
Mr. Filner. It seems to me that would be a good thing to
do. It looks to me that you all decided he shouldn't have
authority, then you found a way to quibble with the word
``ensure.'' When Secretary Principi tried to change, he got
resistance from everybody. So that is what I meant when I said
you are the problem. You are the problem. You don't even
believe the CISO should have authority, the way you said it,
``it is a policy issue.'' I am asking you what you think. We
just had the biggest breach in the history of the government,
and you are still quibbling about what the word ``ensure''
means. Should the CISO have the authority to enforce cyber
security rules?
Mr. McClain. Yes, in some form he should.
Mr. Filner. Well, thank you. Now, would you recommend to us
please, by tomorrow, what you would need when you opined that
he could actually have that authority? You are the Counsel.
Give us some advice on that. Give us the language.
Mr. McClain. I would be glad to discuss it with your staff,
Congressman Filner----
Mr. Filner. Call me. Don't talk to my staff. You're saying
it would be a good thing, so make a recommendation that would
make it happen, since you don't think it can happen under the
existing legislation.
Mr. McClain. Well, I didn't say it couldn't happen under
the existing legislation. In fact, both of the opinions refer
to the fact that there can be a delegation of authority.
Mr. Filner. So why hasn't there been?
Mr. McClain. There has been, to a certain degree, in the
reorganization that is already underway.
Mr. Filner. Has there been any change since May 3rd?
Mr. McClain. No, I don't believe----
Mr. Filner. Of this year, since this security breach?
Mr. McClain. I don't believe so.
Mr. Filner. So you are not doing anything. You are not
focusing on the major problems.
Mr. Chairman, as I said, this is very frustrating. You have
been working on this for several years. I have to admit that I
didn't pay any attention to you. I should have. And I don't
think that Congress did. We have now the opportunity to do what
you want to do, and I think we are all going to be behind you.
This is not an issue coming from the lone action of one
employee. That is what you from the VA keep stressing, because
you think he is going to be terminated. We heard that
enforcement guidance for cyber security is at best confusing.
Some say it doesn't exist. We know that Mr. Brody and others
tried to get that authority; it didn't happen.
It all comes back to the policies and the management who
makes those policies. Nobody seems to be accepting that
responsibility, Mr. McClain. Not the Secretary, not the Deputy,
not you. I just can't understand what type of leaders would
fail to do their jobs and then try to put the blame on
everybody else. When we didn't secure an Iraqi ammo dump, the
DOD blamed the troops. When FEMA failed to execute a disaster
plan, they blamed the weather. Now, after years of failing to
implement a clear, meaningful policy, you blame an employee for
breaking some unidentified policy.
Mr. Chairman, I hope that you continue what you have
started, and you have backing from all of us, and the American
people. We should not tolerate these policies, or the field of
leadership that allows them to continue. Thank you, sir.
The Chairman. Thank you. I have a further line of
questioning, Mr. Michaud, but let me make this statement, and I
will yield to the gentleman. If you have additional questions,
do you?
Mr. Michaud. Yes, I have.
The Chairman. Okay. Prior to the break, I had mentioned
what the colleagues with the Judiciary Committee had done with
regards to setting up a separate agency to deal with claims
adjudication as an administrative remedy for pathway to the
tort claims, Federal Tort Claims Act. And I have asked the
majority leader to hold that at the moment.
It really is just a great example of the heightened
awareness, Mr. McClain, that members of Congress have to,
quote, ``do something,'' but that can also get you in trouble.
And so I am very sincere in sharing with you, number one, what
I had done with the majority leader; number two, my
conversation that I just had about 10 minutes ago with Chairman
Walsh. I know that the Secretary will be before this Committee
on Tuesday. I plan on attending. And I will see the Secretary
again on Thursday.
But over this time period or the next 10 days, we want to
work with you. And I took from your testimony an inference, and
it is okay, and the inference is that, ``we are outside of our
lane,'' and with, ``how do we deal with this? We have never had
to deal with this before.''
So when you say to the Committee that, ``We are going to do
an RFP, and we are interested in seeing what they are going to
bring us,'' usually that is kind of backwards. We correlate
these kinds of things, and let the private sector know what we
want. And it is okay, I am not going to be critical of you,
because we are interviewing just like you are interviewing,
trying to figure out how to best deal with this, because of its
scope? And also, how do we pay for it?
I am not a contract lawyer. I have got to yield to you----
Mr. McClain. I'm not either, sir.
The Chairman. All right. And so that is why I am not going
after you on that. I am just concerned----
Mr. McClain. Well, Mr. Chairman----
The Chairman. I just want to let you know, I am concerned
about what the Judiciary Committee did. So what I am saying to
you, and please convey to the Secretary what the Judiciary
Committee just did, I am going to hold that as much as I can,
okay, with my relationship with the majority leader, to hold
that. Let us craft a product that not only can we begin to
monitor, but we can also place the veteran in the assurance
that they are not going to have an out-of-pocket loss. We are
going to have potentially a disruption of their life. This is
going to be uncomfortable. But if we are able to create a
product, and there are some out there that can give them up to
$25,000 insurance, with regard to the loss, and we make that
part of a package, I think it is exactly where the Secretary
was in his conversation with me. Not by number, we did not
discuss numbers.
But please, I yield to the gentleman.
Mr. McClain. Thank you, sir. I was just saying that I know
that they're working very hard on the statement of work, which
will be up with the RFP, and I am sure it will define exactly
what we're looking for from the three companies, or even more.
The Chairman. Well, whoever the ``they'' is, will the
``they'' communicate with our staff, and just as important,
communicate with the appropriators?
Mr. McClain. Yes.
The Chairman. Last thing you want to have happen is put
together something that you think is best, but has not been
communicated with the appropriators, and you just turn to them
and say, ``Pay for it.''
Mr. McClain. No, I understand.
The Chairman. You know, my gosh, you are going to end up
just with what they did with Denver, and they zeroed out
something because there wasn't the best of communications.
Mr. Michaud.
Mr. Michaud. Thank you very much, Mr. Chairman.
Mr. McClain, the VA directive 6504 dated June 7th of this
year stated that, I quote, ``the VA employees are permitted to
transport, transmit, access, and use VA data outside VA
facilities only when such activity has been specifically
approved by the employers' supervisor, and when appropriate
security measures are taken to ensure VA information and
services are not compromised,'' end of quote.
How does this policy differ from what was done prior to May
3rd of this year?
Mr. McClain. Congressman Michaud, I'm going to have to not
get into that area because of the three pending class-action
lawsuits that the actual policies and procedures that were in
place at the time are at issue in each one of those lawsuits,
and on advice of our attorney, Department of Justice, I can't
comment on that.
Mr. Michaud. Do you believe that the data involved in the
May 3rd incident constituted a national security data breach,
or in non-national security?
Mr. McClain. I have not looked into that or rendered any
particular opinion on that issue.
Mr. Michaud. Ever been asked to render an opinion?
Mr. McClain. I have not.
Mr. Michaud. So no one at VA is looking at this issue?
Mr. McClain. Well, I know that it has come up in the
hearings, and someone is looking at it. But my office has not
been asked to render an opinion on it.
Mr. Michaud. Okay, and you have no idea who is looking at
it in the VA? Because it has come up in previous hearings.
Mr. McClain. I believe the--well, the office of information
technology is looking into it right now.
Mr. Michaud. Okay. Your memorandum of April 7th of 2004,
states that FISMA does not require the Secretary to provide the
CIO with the enforcement powers to the extent that he chooses
to do so. However, he may delegate more authority to the CIO
and it is provided for by FISMA. A couple of questions, what
specific authority has the Secretary delegated prior to May 3rd
of 2006?
And has the Secretary delegated any additional authority
since that date? And if so, to which officers?
Mr. McClain. I don't believe that there was any delegation
beyond the actual mandates of FISMA, and the Clinger Cohen Act,
and also the Paperwork Reduction Act; kind of the three acts
that really control what the CIO does.
And there has been a lot of discussion on what is required
at this point, and that is exactly what I was talking about
before, is we're currently doing a complete inventory of all
information security practices in every office in the VA. And
based upon that inventory, that list of best practices and
recommendations, I'm sure that there will be further action
taken.
Mr. Michaud. So you agree that the Secretary can delegate
to the CIO the authority that he needs to make sure that these
information security issues are upheld?
Mr. McClain. I believe that--yes, I believe that there is
sufficient authority that resides--authority that resides with
the Secretary that could be delegated down. Now, the one thing,
the one caveat that I want to put on it is that there was some
discussion, in particular, Mr. Brody made his statement that he
was frustrated that there was push-back from HR, I guess,
when--relating to actual sanctions or penalties against
government employees. And of course, that is a problem. When I
say ``a problem,'' from an enforcement point of view. Every
employee is protected by a lot of Title 5 rules and regulations
in the government, and the question would be, could the CIO
impose a penalty or sanction, or discipline, on say, a VHA
employee that doesn't belong to the CIO? A VHA employee in the
State of Washington, for example?
And that would raise tremendous questions under Title 5,
Title 38. And those issues would require legislation along some
lines in order to accomplish the complete ability to impose
sanctions.
Mr. Michaud. Even if the Secretary gives him the authority?
Mr. McClain. The Secretary may not have that authority
because of the laws that are in place. That's why I made it a
caveat.
Mr. Michaud. Does the Secretary know that he has the
authority to delegate a lot more than what has been delegated?
Has anyone told the Secretary he has that authority?
Mr. McClain. Yes.
Mr. Michaud. So he is aware of it?
Mr. McClain. Yes, he is.
Mr. Michaud. Okay. And has he made any overtures to you
that he is looking in that direction, to give all the authority
that he can to the CIO?
Mr. McClain. There have been quite a few discussions, as
you can imagine, recently on the issue, and I'm not going to
speak for the Secretary, but I believe that there may be action
forthcoming.
Mr. Michaud. Okay, thank you.
Thank you, Mr. Chairman. I yield back.
The Chairman. Thank you. Ms. Herseth.
Ms. Herseth. Thank you, Mr. Chairman. I was a little
confused by some of the responses. And I know I was a little
late getting back in here, but let me just walk through that
line of questioning of Mr. Michaud's once again.
Your interpretation is that the Secretary has the authority
to delegate certain responsibilities to the CIO?
Mr. McClain. Yes.
Ms. Herseth. And that would include enforcement
authorities?
Mr. McClain. Yes, certain enforcement authorities.
Ms. Herseth. Certain enforcement authorities?
The Chairman. Like what? Sorry.
Ms. Herseth. Well--appreciate that. I think that----
Mr. McClain. That's the next question.
Ms. Herseth. Let us say, which ones would not be?
Mr. McClain. When I had just responded in the actual taking
disciplinary action against an employee that is not within his
department. In other words--let me, if I can, analogize this a
little bit. The--under Title 5 of--in Federal civil service,
the appropriate person to propose discipline is the employee's
supervisor. And so that system is used every day, still in
place, and indeed that could be used today, in order to impose
discipline on an employee that does not follow published rules
and regulations.
Ms. Herseth. So, separate from disciplinary actions, the
Secretary would have the authority to delegate any other
enforcement necessary to ensure compliance by the agency with
information security requirements?
Mr. McClain. I believe so. I mean, there's quite a few
things that the CIO could do. I mean, under FISMA and--the CIO
has the authority in order to set all of the standards that are
for access, for classification, for personnel, those sorts of
things, in order to get onto the CIO equipment, the computer
equipment, and how to use it, and what to do with it. He can--
if you're talking about enforcement--he can prevent someone
from getting on, prevent someone from bringing a piece of
equipment on----
Ms. Herseth. Prevent someone from obstruction? Of
implementing the requirements?
Mr. McClain. Yes. Yes.
Ms. Herseth. Are you aware, you know, your memos have been
the focus of a lot of the questions, and even some of the
discussion in prior hearings? Are you aware of any similar
conclusions that you drew regarding the CIO's enforcement
purview of any other General Counsel in any other Federal
agencies, reviewing the same type of questions that would come
up about enforcement authorities of the CIO?
Mr. McClain. No, actually that question was asked, and the
answer is no, I'm not aware of any others.
Ms. Herseth. Let me just ask a couple of questions with
regard to implementation of the March 2004 Principi memorandum.
Your written testimony states that it might be helpful to
briefly state what the department has done to implement
Secretary Principi's 2004 memorandum. You then state that on
April 30th, 2006, approximately 4000 FTEs were temporarily
detailed to the office of information and technology. Was that
step taken to effectuate the March 2004 memorandum, which calls
on then-CIO Robert McFarland, to devise a department-wide cyber
security program under FISMA? Or was that a step taken to meet
other department requirements or responsibilities, such as the
creation of a separate information technology account, in last
year's VA appropriations bill?
Mr. McClain. I think it was a step in direct line with the
Secretary's October 2005 decision to order an IT reorganization
in the department.
Ms. Herseth. And do you believe that the items you list in
your testimony as addressing the March 2004 memorandum are
sufficient actions to have taken in response to that
memorandum, in the more than two years since it was released?
Mr. McClain. I think that it is certainly a large step in
the right direction. Are there other things that need to be
done? Yes, and certainly the department acknowledges that there
is more to be done in order to effectuate not only this
memorandum, but the IT reorganization.
Ms. Herseth. Do you have any thoughts on any of the
recommendations Mr. Brody made in his written testimony that
was submitted, most of which I think he also restated in his
oral testimony today?
Mr. McClain. No, I have no comment.
Ms. Herseth. Would you, if you had more time to consider
them?
Mr. McClain. Perhaps.
Ms. Herseth. I would then request from the Chairman that
perhaps you could submit just any thoughts on those
recommendations that he submitted to the Committee, from your
experience in the last number of years here as General Counsel,
on those recommendations.
Mr. McClain. All right, certainly.
Ms. Herseth. Thank you. I yield back.
[The March 16, 2004, memo referred to is attached to Mr.
McClain's prepared statement and appears on p. 103.]
Mr. Filner. Point of order: do we have Counsel here? What
is the definition of ``contempt of Congress?'' Those last two
answers were in contempt of Congress, Mr. Counsel. They may not
meet strict legal criteria, but--we sat here for two hours,
asked questions of experts. They made recommendations but Mr.
McClain has ``no comment,'' perhaps he will have something to
say later. That is just irresponsible; that is contempt of
Congress.
The Chairman. All right. Mr. McClain, I have a series of
questions, and it is going to follow the same lines of some
issues Mr. Filner brought up, and in particular, Mr. Michaud
and Ms. Herseth. I think I just got it for the first time.
Ms. Herseth. Yeah, I couldn't----
The Chairman. I saw you look up. My lisp, I work through
it.
Mr. Filner. Now try Snyder----
The Chairman. One at a time.
You are Senate-confirmed; correct?
Mr. McClain. Yes, I am.
The Chairman. And your title is an Assistant Secretary;
right?
Mr. McClain. No, my title is General Counsel.
The Chairman. General Counsel, but your equivalent rank is
Assistant Secretary?
Mr. McClain. That's correct.
The Chairman. Are you a senior government official?
Mr. McClain. Depending on your----
The Chairman. Are you a senior government official?
Mr. McClain. I believe I would--the position would be
considered a senior government official. Yes, sir.
The Chairman. Assistant Secretary. How about what is the
next level down? Are they assistant, or are they deputies?
Deputy Assistant Secretaries? Are they Senate confirmed?
Mr. McClain. No.
The Chairman. So would you say that if you are Senate
confirmed, that you would be a senior government official?
Mr. McClain. Probably. Yes, sir.
The Chairman. Trying to figure this out. How do you see
your role as General Counsel? Are you the VA's chief legal
officer?
Mr. McClain. Yes.
The Chairman. Okay, and how do you see your role?
Mr. McClain. My role is the final legal word in the
department on legal issues that are brought to our attention,
in interpreting laws, and interpreting regulations. I am the
counsel to the department, and for the most part I provide
counsel to the Secretary, the deputy, and the senior
leadership.
The Chairman. Deputy Secretary--so when you say ``to the
department,'' access to you is going to come from the
Secretary, the deputy, and the three under secretaries?
Mr. McClain. When you say ``access to me?''
The Chairman. Yeah, they pick up the phone and you answer?
Mr. McClain. Yes, sir, they will.
The Chairman. Okay. At what point does that--I am trying to
understand. I don't know the culture, so I am just trying to
understand. At what point do you not pick up the phone? In
other words, at what level is that at? I don't know.
Mr. McClain. Well, it----
The Chairman. Everything has a hierarchy. I just don't
know.
Mr. McClain. Oh, for me in particular, I have an open door
policy, so I pretty much answer almost everyone's telephone
calls, or----
The Chairman. Yeah, but you got 400 lawyers out there.
Mr. McClain. Yes, we do.
The Chairman. You know, you are responsible for them all.
Mr. McClain. That's right. We have about 270 in the field,
and the others here in Washington.
The Chairman. How long have you been the General Counsel?
Mr. McClain. Since April of 2001.
The Chairman. Who is your client?
Mr. McClain. The department.
The Chairman. Who is the department?
Mr. McClain. Everyone in VA.
The Chairman. I am trying to figure out the meetings which
General Counsel is required to attend. They are what? What
meetings are you required to attend?
Mr. McClain. Pretty much any meeting that is scheduled or
called for by the Secretary, Deputy Secretary. Any boards or
other type of advisory Committees that I'm on, and can be
invited to other meetings in the department that are scheduled
by the under secretaries or an assistant secretary.
The Chairman. Are there lawyers from your team that also
would work for the under secretaries? Are there any----
Mr. McClain. Not directly.
The Chairman. Not directly, okay. So, the way you just said
that, you like having line authority over your lawyers?
Mr. McClain. Yes.
The Chairman. Really? I bet the CIO does, too.
Mr. McClain. Probably does. Not over my lawyers, but over
his employees, yes, sir.
The Chairman. Who in your legal department has
responsibility for cyber security?
Mr. McClain. We have a--I believe it's a GS 15, who is
responsible for our cyber security, primarily. But ultimately,
I would be responsible for cyber security.
The Chairman. Giving your reaction to my question--so do
you personally and professionally have concerns that the CIO
could have enforcement authority over one of your employees?
Mr. McClain. No, I don't. See, when you say--as it turns
out, the initial reorganization that I think was ordered back
in 2002, when Admiral Gauss was the CIO, turned out that there
were a few, a small number of employees that were actually
transferred to the office of information technology. And my
information technology employees were transferred at that time.
So we're actually functioning under this program, where they
are doing work for us, but they actually belong to the CIO.
The Chairman. So how does it work that if you have a
vulnerability in your legal department, and the CIO, who has
only the authority over compliance, he can only ensure
compliance, has no authority to enforce anything, he would then
have to alert you that there is a vulnerability, and that you
then have the authority to cure; is that how it is supposed to
work?
Mr. McClain. Yes.
The Chairman. Okay. So when the FISMA report says that
there are these 16 vulnerabilities, and the VA receives an
``F,'' fails, that then means that three under secretaries
received a grade of ``F,'' would it not?
Mr. McClain. I imagine so, yes. The whole department
received a grade of ``F.''
The Chairman. Uh-huh. So, given the lines of authority as
to who is actually responsible for enforcement, it is hard for
me to imagine, as the first panel described, that when you
grant responsibility without authority, you are setting a
position for somebody to be a scapegoat. I don't see how the
CIO could be a scapegoat if they had no authority to enforce.
Therefore, there is no scapegoat. There are individuals who are
responsible, and the individuals who are responsible also have
the authority.
That is what is hard for me in all of this. And it is hard
for me when I read your opinions. That is why I called it the
heterodox, because it is so incongruent with what we do in our
society. Because we have a leadership hierarchy in our society,
that someone is responsible, has the authority, and therefore
can be held accountable. When I take something out of that, it
becomes incongruent, and it defies logic. And it makes it hard
for us, then, to operate a system; actually, even to perfect
change.
So I have some more series of questions for you. Let me go
back to when I mentioned the ``F.''
As the VA's chief legal officer you are also, are you not,
responsible to ensure that the VA is compliant with existing
law? FISMA?
Mr. McClain. I'm responsible for interpreting those laws,
and how they apply to our business in the VA. Yes, sir.
The Chairman. Okay, all right. So, when the FISMA report
shows 16 vulnerabilities, and that the department has now
received a failing grade, I would say that they are not in
compliance with an existing statute. When it comes to you as
the lawyer, do you worry about that or not worry about that?
Mr. McClain. Well, I'm obviously concerned about it, and
the question is, is it because there was inaction on the part
of certain people? In other words, you would want to look at
are we indeed violating a law, or not fully implementing a law?
The Chairman. All right, if the VA receives a failing grade
for their audit, how can that be following the law?
Mr. McClain. Well, if it's not--if the law itself is not
implemented within the department, you have a situation where
the law is there and it's not being followed.
The Chairman. Right. Well, that is what I had back in 1999,
when I could not get the VA to create a CIO. You are right, we
passed the laws, and we are trying to get the executive branch
to implement, to execute.
Does this issue of CIO authority affect the General
Counsel's office in terms of control over General Counsel's IT
assets?
Mr. McClain. No.
The Chairman. Okay. So your concerns are more on the
personal side, then? Would that be correct?
Mr. McClain. You mean for office of General Counsel----
The Chairman. The office of General Counsel, yes.
Mr. McClain. My only concern is that I have a good IT
network that I can rely on and utilize, and that my people in
the field can rely on and utilize. And so, as I said, my
employees that I had were transferred over to the CIO. And so
we are currently operating pretty well right now under that
criterion.
The Chairman. All right. These memos that the members are
discussing, I, in my mind, I have this visual of you conducting
a brief with three under secretaries, the deputy, and the
Secretary. I don't know, did that ever happen? Or you just send
them memos, and people just go about their business?
Mr. McClain. These particular memos--a memo of this nature
would come into the office either as an e-mail request or a
written request for a General Counsel opinion on how this
particular law applies to this set of facts, whatever it might
be. That's pretty much how these opinions were initiated. And
the opinion would be worked by staff attorneys, and it would
then come up the administrative chain to my office. And the
opinion would then be reviewed and signed, and sent back to
whoever the addressee is on the memo. In other words, the
requesting office. I believe one of them was the CIO, or the
assistant Secretary for Information Technology, and the
Assistant Secretary for Policy and Planning.
The Chairman. When you have a dispute between a matter of
interpretation of law or regulation between two under
secretaries, who is your client?
Mr. McClain. It is the department. I simply will----
The Chairman. I don't know what that means. The two under
secretaries are part of the department. The two under
secretaries disagree on something. How about when the CIO
disagrees with the three under secretaries? Who is the
department?
Mr. McClain. Well, they all are. And I don't take sides on
it. The question would come to me--we have a dispute, ``I think
the law should be applied this way, someone else thinks the law
should be applied that way, please give us your opinion.'' And
that's what we would do. It may be in the middle somewhere, it
may not be exactly either person's position.
The Chairman. All right, use the word ``role.'' What is the
role and responsibility of the Secretary of the VA for
information security under FISMA?
Mr. McClain. He is ultimately responsible for ensuring that
there is a system in place that ensures the security and
accountability of personal information.
The Chairman. Okay. And was the Secretary aware of this
statutory role and responsibility?
Mr. McClain. I'm sorry, I'm not sure. I would have to ask
the Secretary.
The Chairman. At any time, were you asked to brief the
Secretary with regard to his role and responsibility in this
area?
Mr. McClain. No, sir.
The Chairman. Okay. All right, let me power through this.
Hang in here with me, all right?
The General Counsel memo of August 1 of 2003 on information
security to the CIO holds that, quote, ``FISMA requires the CIO
to develop and implement an agency-wide security program to
achieve the purposes of FISMA,'' end quote. Now that sounds
pretty good. But then on the February 19th of 2004 memo, what
that meant to your office was explained further. The memo
suggests that enforcement language in draft directive 6500 be
removed that would allow the CIO to hold individuals
accountable to the CIO for noncompliance, and that would
establish mandatory penalties. In addition, the memo
recommended that language empowering the CIO to mandate
budgetary commitments of administrations be removed because,
quote, ``we are not aware of statutory authority.''
[The August 1, 2003, and February 19, 2004, memos referred
to are attached to Mr. McClain's prepared statement and appear
on pages 96 and 100 respectively.]
The Chairman. Basically, this leaves the CIO with
responsibility, but no real authority to make anything happen.
That is what we have been discussing here today. So directive
6500 could have been written, could it not, to have empowered
the CIO since you then state that the Secretary could have
delegated that authority? Because what you have is first you
go, ``there is no statutory authority,'' and the Secretary has
the authority. Where was the next step of legal counsel back to
the Secretary that says, ``Mr. Secretary, you can delegate if
you want?'' But no affirmative action was ever taken.
Mr. McClain. Well, I understand, Mr. Chairman, where you're
going. I think the issue that I would ask is, given our
opinion, and given the February 19th, 2004, memorandum, that
there is no statutory authority for certain issues--and most of
the issues were clustered under security clearance and
suitability policies, security matters beyond that of the
information and information security, and also personnel
matters; human relations and labor-management issues, and the
memo. And I'm talking in that memo, subparagraphs--paragraph
2A-1, and then 2A, 2B, C, and D, essentially, in that
particular memo.
And what we're saying is entirely consistent with all of
the opinions read together, is that the current state of law
does not give the CIO these particular powers or authorities.
That's what the opinions are, at the point in time on the date
that they were issued, what is the state of the law as applied
to the set of facts that we were asked to analyze.
The Chairman. Is it a curious thing that this March 16th,
2004, memo has no subject line? The Secretary's memo, March
16th, 2004, has no subject line. Isn't that a curious thing? Or
I'm just being----
Mr. McClain. I note that it does not.
The Chairman. You are saying, ``Steve, your attention to
detail is too great?''
Mr. McClain. Well, no, I----
The Chairman. It is not a curious thing, I shouldn't make
anything of it?
Mr. McClain. I----
The Chairman. Okay, doesn't mean anything?
Mr. McClain. No, sir.
The Chairman. All right. Let me go to what you had just
stated. I got FISMA right here, okay. And you are right, two
lawyers can read something that can totally--we can disagree,
we can agree to disagree. But I read this thing differently
than how you read it. And I am looking at section 3544,
``Federal Agency Responsibilities.'' Now, you just made an
interpretation that says the CIO doesn't have this
responsibility, it is not granted to him by FISMA. But when I
read this, section 3544-A, ``The head of each agency shall''--
okay, do you have it right there in front of you?
Mr. McClain. Yes, sir, I do.
The Chairman. Okay. See where it says, ``A, shall be
responsible for,'' this is list A, B, and C, okay? Number two,
it says ``shall ensure that senior agency officials provide
information security for information and information systems
that support the operation assets under their control,
including,'' and goes down a whole list. Who are ``senior
agency officials?''
Mr. McClain. Pretty much what we had talked about
previously. Under Secretary, Assistant Secretaries can be
senior agency officials, and it may even go further down, and
that's in relation to FISMA, and information security. Yeah.
The Chairman. When I read FISMA, if I wanted to, I can read
this to interpret that only a senior agency official would be
an under Secretary, and exclude the CIO. Your testimony to me
is that the General Counsel and the CIO is the equivalent of a
senior agency official. Now, if I go back and I say, ``Okay, I
accept your testimony here today that you are a senior agency
official, the CIO is a senior agency official, the under
Secretary is a senior agency official, and now I read this lot,
I don't understand how I can get the interpretation from your
memo, doing that.'' Now, if I want to parse what I read and say
that a senior agency official does not apply to what, you and
the CIO, then I could come up with that memo, as it has been
drafted.
Mr. McClain. I think the spirit of the opinion obviously is
interpreting FISMA. But I think that what's important to
realize, and what I get out of this, applying these sorts of
requirements to senior agency officials, is that there is a
department-wide requirement, and is specially imposed on senior
agency officials, to ensure that this system of protection for
personal information is in place and operative. It is not
giving it or requiring it of a single person, or a single head
in the department. It is literally spreading it out and saying,
``You're a senior agency official, you have this
responsibility.''
The Chairman. The section of FISMA that makes the Secretary
responsible for implementation of this statute, 3544, states
that the head of each agency shall--and again, I am going to
say it--``ensure that senior agency officials provide
information security for information, information systems that
support the operations and assets under their control.'' Under
the Secretary's March 16 memo, assuming that it had been
implemented sooner than last October, wouldn't the CIO also fit
under these provisions of FISMA? That is what I just asked,
because he would be a senior agency official under the
authority of 4000 agency employees.
The reason I ask this question, Mr. McClain, is that I have
this sense that these memos essentially were efforts to box the
CIO.
Mr. McClain. No, sir.
The Chairman. Well, that is what has happened by that legal
interpretation. You disagree with that?
Mr. McClain. Yes, sir, I disagree with that. I don't
disagree that the CIO perhaps wanted additional authority that
was just simply not there in statute, but the opinion is the
legal opinion as to what the law provides.
The Chairman. All right. Why did it take until October 19th
of 2005, over a year and a half, for the VA to take just the
first step in acting on Secretary Principi's memo? A glacial
pace?
Mr. McClain. Sir, I don't have an answer for that.
Ms. Herseth. Mr. Chairman.
The Chairman. Did Mr. McFarland--yes, ma'am?
Ms. Herseth. Well, before you went too far down this, may I
just follow up on a----
The Chairman. Yes.
Ms. Herseth. You just stated that the CIO perhaps wanted
more authority than your interpretation of the statute allowed;
right?
Mr. McClain. Yes.
Ms. Herseth. But not too long ago in response to some of
the other questions--does your interpretation of the statute,
however--I mean, where does the enforcement authority, or the
authority that the CIO was seeking resides in the Secretary?
Because getting back to this whole issue of what authorities
the Secretary could have delegated, I am still trying to figure
out, and I think the Chairman was raising this at the beginning
of his second line of questioning, when he began again; tell me
the distinction between your interpretation of the statute, and
the authorities granted to the CIO, versus authorities that the
Secretary has that could be delegated. Is there a distinction?
Mr. McClain. Yes.
Ms. Herseth. Okay. So I am going to let you explain the
distinction, and then re-ask the question that I believe the
Chairman did, which is, at what point could you have, or did
you communicate with the Secretary about the possibility of
delegating some of the authority that the CIO was seeking that
the Secretary may have had to delegate, separate from an
interpretation of the statute that didn't give, in your
opinion, the authorities the CIO was seeking?
Mr. McClain. Let me give you one example of some additional
authorities that reside in the Secretary that could have been
delegated. At the Secretary's discretion, no requirement.
First of all, FISMA requires the CIO to have certain
responsibilities and duties and such. The Secretary could
delegate further, and if--I would go back to the August, 2003
opinion, which was essentially an opinion on who has authority
over the national, versus non-national type of files, and also
physical security versus actual paper, that sort of thing. And
the opinion was that as the law currently stood, that authority
over the national type of data, if there was any in VA, and
physical security, resided in the office of law enforcement,
within the department.
Had the Secretary desired to make a change, he could have
delegated that authority to the CIO. So there was already
something in place.
Ms. Herseth. I yield back.
The Chairman. You know I was really concerned when Bob
McFarland left. And you are also quite aware of being on the
inside of that, you have had three under secretaries that were
pretty strong in their opinions. You are also equally strong in
an opinion. The Secretary had delegated to the deputy Secretary
to work this one, work this issue. And Mr. McFarland was pretty
stressed, because he felt that he was not getting a concurrence
with his policies.
So let me ask about the directive 6500. Is directive 6500,
is it still in a development or a concurrence process?
Mr. McClain. I believe--and I believe that 6500 is in our
EDMS system, Electronic Data Management System--Document
Management System. Still, within the office of information
technology, for internal concurrence within that office.
The Chairman. Under your federated approach--I know you
don't like the word ``box.'' All right, let me rephrase this.
Under your federated model, are your present interpretations
that the CIO does not have these lines of authority to enforce,
is that what is going to happen in your federated model? You
are going to take that present opinion that you have held for
the last several years, and apply it to the federated model?
Mr. McClain. Well, I think several things have changed. One
is that this particular issue that we were wrestling with
talked about ISOs, and in particular the March 2004 memo from
Secretary Principi, I believe was a reaction, as Mr. Brody
said, to the Blaster worm situation, where the CIO didn't have
control, any sort of supervisory control over ISOs out in the
field, and there were over 400 of them.
As of April 30th of this year, with the detailing of
personnel into the office of information technology, that
situation no longer exists. The CIO has direct supervisory
authority over the ISOs, plus the other IT backbone or
maintenance type people, even in the field.
The Chairman. But if I am an under Secretary at the VA, and
the CIO is giving me directives on compliance where I am
noncompliant in a particular area, and I ignore him, what is
the CIO's recourse, legally?
Mr. McClain. Legally, I'm not sure he has one.
Administratively, he should bring this directly to the deputy.
The Chairman. Yeah, so he has got no authority. How about
if I make the CIO, the Committee here decides to follow our
instincts of a couple years ago and make the CIO the
equivalency of an under Secretary? Does it matter?
Mr. McClain. In other words, would it change our
interpretation of FISMA?
The Chairman. No, we are going to change FISMA. We are not
going to let this stuff happen anymore. We are going to come up
with our recommendations to change so they are not subject to
interpretation. But if we go in and we make the CIO an under
Secretary equivalent, and give him lines of authority and the
ability to enforce--actually, let us go to the ability to
enforce. Would you say that that under Secretary, the CIO then
would not have the ability to enforce anything within the
jurisdictions of the other three under secretaries?
Mr. McClain. No, if you passed--if Congress passed a law
along the lines that you just outlined, then the law would
provide the authority.
The Chairman. But unless we do that, your position is it is
not there; it rests with the Secretary. The Secretary can grant
that authority, could he not? He can grant, he can also remove.
Secretary can remove certain authorities from the other three
under secretaries, could he not?
Mr. McClain. Yes, he could.
The Chairman. Ah-hah. Was that ever recommended to the
Secretary, or the deputy? That you can remove certain
authorities, you can grant authority to the CIO, but--never?
Mr. McClain. I'm not aware, sir.
The Chairman. Well, I could see in disciplinary actions a
challenge between granting authority or powers to someone who
is not of an equal, you know, if they are under the under
Secretary. That is what we are going to have to do.
Mr. Filner.
Mr. Filner. Just a quick question, if I can. Does the VA
have a policy of executive bonuses? Bonuses to the senior
staff?
Mr. McClain. Not to political appointees, but to Senior
executive service.
Mr. Filner. Okay, so you don't get a bonus?
Mr. McClain. No.
Mr. Filner. So none of the political appointees do?
Mr. McClain. That's right.
Mr. Filner. And what is the first level that may get one?
Mr. McClain. Career, who are SES.
Mr. Filner. Were those bonuses given last year?
Mr. McClain. I imagine they were. But I have no personal
knowledge of it.
Mr. Filner. And when FISMA audits gave the department an
``F,'' did you take that in any way personally, or share in
that responsibility?
Mr. McClain. As to the department getting an ``F?'' I think
the entire department has to share in that.
Mr. Filner. Yes, but personally? Nothing happened to any
person as a result? Nobody got pay cuts, or reprimands, or
censure, or anything?
Mr. McClain. Sir, I don't know. I would not normally be
involved in that.
Mr. Filner. But you didn't?
Mr. McClain. I did not.
Mr. Filner. I mean, there is simply no accountability here.
The Chairman. I made a note here, Mr. Filner. When we come
back here and discuss how to put together this legislation, Mr.
Michaud, that we even should consider writing in our bill, we
can seek compliance and say that there shall be no bonuses
until the department is compliant with FISMA. If you got an
``F,'' and we are giving bonuses, we shouldn't be giving that.
Maybe we can put it on a sliding scale, get them to a ``B,''
you know? You know, I haven't been beyond giving my kids money
for a good grade.
All right. I want to thank you for--to my colleagues for
being here, and let me just say in conclusion, Mr. McClain, I
know you are here today also to defend your legal department
and the individuals who wrote these legal opinions. I am
stressed by them. I am stressed by them because I think that
they were a contributing factor, and we ended up with a legal
opinion that I am going to say for the umpteenth time, that is
a heterodox opinion, and it was a contributing factor in the
face of 16 unmitigated deficiencies, and something has to
change.
And we want to work with you. Please let the Secretary
know, with regard to the issue that I brought up earlier on,
when we were asking for that proposal, that it also included
insurance. Please let him know that we are going to work
cooperatively here, in a bipartisan fashion, to make sure that
we hold the Judiciary product until we can let them know that
we are going to work in a positive manner, okay.
Mr. Michaud.
Mr. Michaud. Thank you, Mr. Chairman.
Just one last question, Mr. McClain. Being legal counsel to
the department, and through my experience in the Maine
Legislature, where the attorney general offices are legal
counsel to State departments, you can take different stances in
different areas. Have you, at any time, while we have been
dealing with this whole issue of the CIO, given verbal legal
advice to the agency that this is the way you saw the law, but
you were directed, or asked by a senior official, ``I want to
do this, can you justify this, as well?'' Have you ever taken----
Mr. McClain. No.
Mr. Michaud. No? Okay, thank you. Thank you, Mr. Chairman.
The Chairman. Thank you very much. All members will have
five legislative business days to submit any statement that
they may like. At this point, the hearing is now concluded.
Thank you.
[Whereupon, at 2:10 p.m., the Committee was adjourned.]
[GRAPHICS T8452.001 through T8452.076: TIFF images omitted from
this text edition.]