[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]



 
ONCE MORE INTO THE DATA BREACH: THE SECURITY OF PERSONAL INFORMATION 
                          AT FEDERAL AGENCIES

=======================================================================


                                HEARING

                               before the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                              JUNE 8, 2006

                               __________

                           Serial No. 109-159

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
                      http://www.house.gov/reform


                                 _____


                 U.S. GOVERNMENT PRINTING OFFICE

28-759 PDF              WASHINGTON : 2006
_________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2250  Mail: Stop SSOP, Washington, DC 20402-0001




                     COMMITTEE ON GOVERNMENT REFORM


                     TOM DAVIS, Virginia, Chairman
CHRISTOPHER SHAYS, Connecticut       HENRY A. WAXMAN, California
DAN BURTON, Indiana                  TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
GIL GUTKNECHT, Minnesota             CAROLYN B. MALONEY, New York
MARK E. SOUDER, Indiana              ELIJAH E. CUMMINGS, Maryland
STEVEN C. LaTOURETTE, Ohio           DENNIS J. KUCINICH, Ohio
TODD RUSSELL PLATTS, Pennsylvania    DANNY K. DAVIS, Illinois
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
JOHN J. DUNCAN, Jr., Tennessee       DIANE E. WATSON, California
CANDICE S. MILLER, Michigan          STEPHEN F. LYNCH, Massachusetts
MICHAEL R. TURNER, Ohio              CHRIS VAN HOLLEN, Maryland
DARRELL E. ISSA, California          LINDA T. SANCHEZ, California
JON C. PORTER, Nevada                C.A. DUTCH RUPPERSBERGER, Maryland
KENNY MARCHANT, Texas                BRIAN HIGGINS, New York
LYNN A. WESTMORELAND, Georgia        ELEANOR HOLMES NORTON, District of Columbia
PATRICK T. McHENRY, North Carolina
CHARLES W. DENT, Pennsylvania                    ------
VIRGINIA FOXX, North Carolina        BERNARD SANDERS, Vermont (Independent)
JEAN SCHMIDT, Ohio

                      David Marin, Staff Director
                Lawrence Halloran, Deputy Staff Director
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel



                            C O N T E N T S

                              ----------
Hearing held on June 8, 2006
Statement of:
    Johnson, Clay, III, Deputy Director for Management, Office of 
      Management and Budget; R. James Nicholson, Secretary, 
      Department of Veterans Affairs, accompanied by Tim McClain, 
      General Counsel, Department of Veterans Affairs, and Robert 
      Howard, Senior Adviser to the Deputy Secretary and 
      Supervisor, Office of Information and Technology, 
      Department of Veterans Affairs; David M. Walker, 
      Comptroller General, Government Accountability Office; 
      William E. Gray, Deputy Commissioner for Systems, Social 
      Security Administration; and Daniel Galik, Chief Mission 
      Assurance and Security Services, Internal Revenue Service, 
      Department of Treasury
        Galik, Daniel
        Gray, William E.
        Johnson, Clay, III
        Nicholson, R. James
        Walker, David M.
Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of
    Cummings, Hon. Elijah E., a Representative in Congress from 
      the State of Maryland, prepared statement of
    Davis, Chairman Tom, a Representative in Congress from the 
      State of Virginia, prepared statement of
    Dent, Hon. Charles W., a Representative in Congress from the 
      State of Pennsylvania, prepared statement of
    Galik, Daniel, Chief Mission Assurance and Security Services, 
      Internal Revenue Service, Department of Treasury, prepared 
      statement of
    Gray, William E., Deputy Commissioner for Systems, Social 
      Security Administration, prepared statement of
    Johnson, Clay, III, Deputy Director for Management, Office of 
      Management and Budget, prepared statement of
    Nicholson, R. James, Secretary, Department of Veterans 
      Affairs, prepared statement of
    Schmidt, Hon. Jean, a Representative in Congress from the 
      State of Ohio, prepared statement of
    Walker, David M., Comptroller General, Government 
      Accountability Office, prepared statement of
    Waxman, Hon. Henry A., a Representative in Congress from the 
      State of California, prepared statement of


ONCE MORE INTO THE DATA BREACH: THE SECURITY OF PERSONAL INFORMATION AT 
                            FEDERAL AGENCIES

                              ----------                              


                        THURSDAY, JUNE 8, 2006

                         House of Representatives,
                       Committee on Government Reform,
                                        Washington, DC.

    The committee met, pursuant to notice, at 10:41 a.m., in 
room 2154, Rayburn House Office Building, Hon. Tom Davis 
(chairman of the committee) presiding.
    Present: Representatives Tom Davis, Shays, Mica, Gutknecht, 
Souder, LaTourette, Platts, Marchant, Dent, Schmidt, Waxman, 
Sanders, Cummings, Kucinich, Clay, Van Hollen, and Norton.
    Staff present: David Marin, staff director; Ellen Brown, 
legislative director and senior policy counsel; Chas Phillips, 
policy counsel; Rob White, communications director; Andrea 
LeBlanc, deputy director of communications; Victoria Proctor, 
senior professional staff member; Teresa Austin, chief clerk; 
Sarah D'Orsie, deputy clerk; Kristin Amerling, minority general 
counsel; Adam Bordes and Anna Laitin, minority professional 
staff members; Earley Green, minority chief clerk; and Jean 
Gosa, minority assistant clerk.
    Chairman Tom Davis. The committee will come to order.
    Secure information is the lifeblood of effective government 
policy and management, yet Federal agencies continue to 
hemorrhage vital data. Recent losses of critical electronic 
records compel us to ask: What is being done to protect the 
sensitive digital identities of millions of Americans, and how 
can we limit the damage when personal data does go astray? In 
early May, a Veterans Affairs employee reported the theft of 
computer equipment from his home, equipment that stored more 
than 26 million records containing personal information. While 
he was authorized to access those records, he was not part of 
any formal telework program.
    VA leadership delayed acting on the report for almost 2 
weeks, while millions were at risk of serious harm from 
identity theft. And since admitting to the largest data loss by 
a Federal agency to date, the VA has been struggling to 
determine the exact extent of the breach. Just yesterday we 
learned the lost data includes information on over 2 million 
active duty and Reserve personnel as well as veterans. So the 
security of those currently serving in the military may have 
been compromised, and the bond of trust owed to those who 
served has been broken. And that is only the latest in a 
long string of personal information breaches in the public and 
private sectors, including financial institutions, data 
brokerage companies and academic institutions. Just recently, a 
laptop computer containing information on nearly 300 Internal 
Revenue Service employees and job applicants, including data 
such as fingerprints, names, Social Security numbers and dates 
of birth, was lost while in transit on an airline flight, 
according to reports. These breaches illustrate how far we have 
to go to reach the goal of strong uniform government-wide 
information security policies and procedures.
    On this committee, we have been focused on government-wide 
information management and security for a long time. The 
Privacy Act and E-Government Act of 2002 outline the parameters 
for the protection of personal information. These incidents 
highlight the importance of establishing and following security 
standards for safeguarding personal information. They also 
highlight the need for proactive security breach notification 
requirements for organizations, including Federal agencies that 
deal with sensitive personal information. I know other 
committees have been working on the requirements for the 
private sector. Federal agencies present unique requirements 
and challenges, and it is my hope that we can work to 
strengthen personal data protections through regulatory changes 
and any needed legislative fixes.
    The Federal Information Security Management Act of 2002 
[FISMA], requires Federal agencies to provide protections for 
agency data and information systems to ensure their integrity, 
confidentiality and availability. FISMA requires each agency to 
create a comprehensive risk-based approach to agency-wide 
information security management. It is intended in part to make 
security management an integral part of everyday operations. 
Some complain that FISMA is little more than a paperwork 
exercise, an analog answer to a digital problem. This latest 
incident disproves that complaint. FISMA requires agencies to 
notify agency inspectors general and law enforcement among 
others when a breach occurs, promptly. It appears VA didn't 
comply with that requirement. Each year, the committee releases 
scorecards based on information provided by chief information 
officers and inspectors general in their FISMA reports. This 
year, the scores for many departments remained unacceptably low 
or dropped precipitously. The Veterans Affairs Department 
earned an F for the second consecutive year and the fourth time in 
the last 5 years the department received a failing grade. The 
Federal Government overall received a whopping D-plus, although 
several agencies improved their information security or 
maintained a consistently high level of security from previous 
years, including the Social Security Administration.
    Today the committee wants to discuss how we can improve the 
security of personal information held or controlled by Federal 
agencies. In my view, these efforts should include 
strengthening FISMA and adding penalties, incentives, or 
proactive notification requirements. OMB will discuss 
government-wide efforts to improve data security. GAO will 
highlight areas in which the protection of consumer information 
can be enhanced. In this context, we will focus on security at 
the Veterans Affairs, Social Security Administration and the 
IRS. VA Secretary Nicholson will discuss the details of that 
department's potentially catastrophic data breach. Officials 
from the IRS and Social Security Administration will describe 
the experiences and efforts of those agencies which stand as 
guardians of the largest storehouses of taxpayer information. 
Government information systems hold personal information about 
millions of citizens, including health records, military 
service histories, tax returns and retirement accounts. E-
commerce, information sharing, online tax filing are 
commonplace. If the Federal Government is going to be a trusted 
traveler on the information super highway, critical data on 
millions of citizens should not be able to go missing after a 
trip around the Beltway in a back seat of some government 
worker's car. And that is kind of where we are.
    So we appreciate everybody being here.
    Secretary Nicholson, you are new to the VA, and I know this 
has come up, and you are trying to deal with it. We appreciate 
your being here today and sharing your thoughts.
    Mr. Waxman.
    [The prepared statement of Chairman Tom Davis follows:]
    Mr. Waxman. Thank you, Mr. Chairman.
    I'm pleased you are holding this hearing on Federal data 
security. Last month, the sensitive data on 26.5 million 
veterans and active duty members of the military were stolen 
from the Department of Veterans Affairs. Everybody has heard 
about this, but I think we need to examine it carefully and 
learn from this experience. The administration needs to provide 
the public with a thorough accounting regarding the VA 
incident, and it must detail how it will ensure that no future 
breaches will occur with respect to the tremendous volume of 
information the Veterans Administration and other Federal 
agencies maintain on Americans across the country.
    The recent VA data breach represents a violation of trust 
of remarkable magnitude. The administration's failure to 
protect against such an incident and its delayed response may 
have made millions of men and women who currently serve or have 
served in uniform vulnerable to identity theft and other 
potentially costly misuse of their information.
    Unfortunately, this breach does not come as a surprise. 
Consider for example GAO's July 2005 assessment of information 
security in the Federal Government. GAO stated: Pervasive 
weaknesses threaten the integrity, confidentiality, and 
availability of Federal information and information systems. 
These weaknesses exist primarily because agencies have not yet 
fully implemented strong information security management 
programs. These weaknesses put Federal operations and assets at 
risk of fraud, misuse and destruction. In addition, they place 
financial data at risk of unauthorized modification or 
destruction, sensitive information at risk of inappropriate 
disclosure and critical operations at risk of disruption. So we 
had a warning as of July 2005, and indeed in this year, March 
of this year, in its annual scorecard evaluation, this 
committee gave the Federal Government a government-wide grade 
of D-plus, and the VA received a grade of F.
    Well, remarkably and regrettably, the Bush administration 
has repeatedly shown questionable commitment to protecting the 
privacy of American citizens. For example, last December, we 
learned that the President had authorized warrantless 
eavesdropping on Americans' e-mails and phone calls despite 
Federal laws prohibiting this practice. Just this week, the 
Washington Post reported that, ``since the Federal medical 
privacy requirements went into effect in 2003, the 
administration has received nearly 20,000 complaints alleging 
violations but has not imposed a single civil fine and has 
prosecuted just two criminal cases.''
    Well, I hope the administration will view the VA data 
breach as impetus for placing higher priority on privacy issues 
relating to the sensitive data it collects and maintains on 
Americans. You would think that the General Accounting Office 
report in July 2005 which was so damning should have been a 
wake-up call. Now we have another wake-up call where the data 
has actually been surreptitiously available to others that 
could do harm to the veterans whose data may be used against 
them. Well, I hope we will give a higher priority on privacy 
issues because technology advances facilitate the sharing of 
information, and as we develop new ways to use data on 
individuals to further important goals such as terrorism 
prevention, we must be vigilant about protecting Americans' 
privacy rights. In the short term, the government must do 
everything possible to address expeditiously any harm 
resulting to the individuals whose data was stolen. The VA 
Secretary has taken several steps to provide information to 
veterans about the breach, but the administration should be 
doing more to support the affected veterans and active service 
members.
    I recently joined Representative Salazar and over 100 other 
colleagues in urging President Bush to request emergency 
funding for free credit monitoring and additional free credit 
reports for veterans and others whose information was 
compromised. For our part, Congress should consider measures, 
such as the Veterans Identity Protection Act of 2006 which 
Representative Salazar has introduced. This bill would require 
the Department of Veterans Affairs to certify that it has 
notified all affected individuals. It would also direct the VA 
to provide free credit monitoring services and reports to each 
affected individual. We must also determine exactly what went 
wrong at the VA, not only to know what happened but to prevent 
future breaches. To that end, there is an ongoing joint 
investigation by the inspector general, the Department of 
Justice and local law enforcement, and I hope that today's 
hearing will advance our understanding of this issue.
    Finally, the VA data breach should underscore the 
importance of ensuring implementation of sound information-
security practices government-wide. The reports from the Office 
of Management and Budget and the Government Accountability 
Office show that some agencies, some agencies are making 
progress on this front. The A-plus grade this committee gave 
the Social Security Administration this year underscores that 
large agencies with aging systems and vast amounts of sensitive 
data can comply with Federal information security requirements.
    I want to thank all the witnesses for taking time to appear 
before the committee today. I look forward to hearing from them 
about the issues raised by the VA data breach. I hope this will 
not just be another hearing, another wake-up call that is 
ignored and that we find ourselves with similar breaches of 
privacy as we unfortunately have seen with the veterans in this 
country.
    Chairman Tom Davis. Thank you.
    Members will have 7 days to submit opening statements for 
the record.
    [The prepared statement of Hon. Henry A. Waxman follows:]
    Chairman Tom Davis. We will move to our panel.
    We have the Honorable Clay Johnson III, the Deputy Director 
for Management, Office of Management and Budget; the Honorable 
R. James Nicholson, Secretary of the Department of Veterans 
Affairs, accompanied by Tim McClain, who is the General Counsel 
of the Department of Veterans Affairs, and Robert Howard, the 
senior adviser to the Deputy Secretary and Supervisor, Office 
of Information and Technology, Department of Veterans Affairs; 
the Honorable David Walker, the Comptroller General, Government 
Accountability Office; William E. Gray, the Deputy Commissioner 
for Systems, Social Security Administration; and Mr. Daniel 
Galik, Chief Mission Assurance and Security Services for the 
IRS, Department of Treasury.
    It is our policy to swear all witnesses in before they 
testify. So, including Mr. McClain and Mr. Howard, if you would 
rise and raise your right hands.
    [Witnesses sworn.]
    Chairman Tom Davis. We will start with you, Mr. Johnson, 
and we will move straight down. Thank you very much.

STATEMENTS OF CLAY JOHNSON III, DEPUTY DIRECTOR FOR MANAGEMENT, 
OFFICE OF MANAGEMENT AND BUDGET; R. JAMES NICHOLSON, SECRETARY, 
  DEPARTMENT OF VETERANS AFFAIRS, ACCOMPANIED BY TIM MCCLAIN, 
  GENERAL COUNSEL, DEPARTMENT OF VETERANS AFFAIRS, AND ROBERT 
HOWARD, SENIOR ADVISER TO THE DEPUTY SECRETARY AND SUPERVISOR, 
 OFFICE OF INFORMATION AND TECHNOLOGY, DEPARTMENT OF VETERANS 
   AFFAIRS; DAVID M. WALKER, COMPTROLLER GENERAL, GOVERNMENT 
ACCOUNTABILITY OFFICE; WILLIAM E. GRAY, DEPUTY COMMISSIONER FOR 
  SYSTEMS, SOCIAL SECURITY ADMINISTRATION; AND DANIEL GALIK, 
CHIEF MISSION ASSURANCE AND SECURITY SERVICES, INTERNAL REVENUE 
                SERVICE, DEPARTMENT OF TREASURY

                 STATEMENT OF CLAY JOHNSON III

    Mr. Johnson. Mr. Chairman and members of the committee, 
thank you. I'm here to speak about the adequacy or inadequacy 
of existing laws, regulations and policies regarding privacy, 
information security and data breach notification. I'm here 
because we have had an unprecedented security breach causing 
the loss of personal data concerning millions of people.
    Generally, at OMB, we believe we have sound laws, policies 
and standards related to this topic. But we can and must do a 
much, much better job of implementing them. We have policies 
and standards that call for encryption and passwords to protect 
data taken offsite via laptops, for instance. But we obviously 
need to do a better job of abiding by them. We must do a better 
job of holding ourselves accountable for implementing existing 
policies and holding each employee accountable for performing 
their assigned responsibilities.
    In the short term, as the Deputy Director for Management, I 
have instructed agencies to remind each employee of their 
specific responsibilities for safeguarding personally 
identifiable information and the relevant rules and penalties. 
I have instructed them to review and appropriately strengthen 
the means by which they hold their bureaus and people 
accountable for adhering to existing security guidelines, and I 
have instructed them to ensure that they are reporting all 
security incidences as required by law.
    Our inspectors general are already reviewing the adequacy 
of their data security oversight. As chair of the PCIE and the 
ECIE, the two inspector general associations, I will make sure 
that IG oversight is consistent with the high level of 
accountability called for in this matter.
    Longer term, the Federal Government is already implementing 
a 2004 Presidential Directive to develop and utilize 
information cards that will be used to control access to 
government computer systems and physical facilities. It will 
take several years to implement this new initiative.
    OMB, all executive branch agencies and employees, and the 
inspectors general community have a shared responsibility to 
minimize the risk of harm associated with our use of this type 
of data. I am committed to working with Congress to ensure our 
information security policies and procedures are what they need 
to be and, most importantly, that we are all held accountable 
for following them. Thank you.
    [The prepared statement of Mr. Johnson follows:]
    Chairman Tom Davis. Thank you very much.
    Secretary Nicholson, thanks for being with us.

                STATEMENT OF R. JAMES NICHOLSON

    Secretary Nicholson. Mr. Chairman, ranking member, members, 
I want to thank you for holding this hearing. I think it is 
very timely, and I thank you for the invitation to appear here 
before you to provide you with a report and an assessment of 
current events at the Department of Veterans Affairs.
    In that context, I will also present a brief overview of VA 
security policies along with the Department's views on the 
adequacy of current legislation, regulations and 
policies regarding privacy, information security and data 
breach notification. Facts surrounding the recent data breach 
at VA are well known to you through their coverage in the 
media. I will briefly recap them, though, before reviewing with 
you the actions that I have taken in response and what we have 
learned and are learning as a result and what we need to be 
doing as we go forward.
    A 34-year VA employee, a VA analyst, took home electronic 
data files from the VA. He was not authorized to do so, but he 
had been in the practice of doing it for 3 years. On May 3, 
that employee's home was broken into in what appears to local 
law enforcement to be a routine breaking and entering. His 
laptop computer and hard drive containing the VA data were 
stolen. These data contained identifying information on up to 
26.5 million veterans, some spouses and dependents. It is 
important to note that the data did not include any of the VA's 
electronic health records.
    On June 1, independent forensic experts that we retained 
confirmed that there was some data pertaining to active duty, 
Guard and Reserve troops. On June 5, we learned through ongoing 
analysis and through data matching and discussions with the 
Department of Defense that private information on over 2 
million active duty, Guard and Reserves may have also been 
included. As I stated in my testimony before the House and the 
Senate Committees on Veterans Affairs recently, I am totally 
outraged at the loss of this data and the fact that an employee 
would put so many people at risk by taking it home in violation 
of existing VA policies.
    I'm also gravely concerned about the timing of the 
Department's response once the burglary did become known. I 
accept responsibility for this. I am in charge of this 
Department. I have never been so disappointed and angry at 
people, but it is my responsibility also now to fix this. And 
just as the health care system, the VA has risen to be a 
paradigm of integrated health care in our country and it has 
done so in a relatively short period of time, I think that we 
can make the same of the VA and data security, and I'm 
committed to doing that because it's doable. It won't be easy, 
and it won't be overnight because we are going to have to 
change a culture.
    Full-scale investigations into this matter remain ongoing. 
Authorities believe it's unlikely the perpetrators targeted the 
items stolen because of any knowledge of the data contents. We 
remain hopeful that this was a common random theft and that no 
use will be made of this data. However, certainly we cannot 
count on that. And because we are committed to keeping our 
veterans and our service members informed, we have established 
call centers with call numbers to provide information which we 
have promulgated in many different ways, including a letter to 
each of the known affected people. We've dedicated a Web site 
that provides answers to any concerned veteran, service member 
or family member. These are updated as additional information 
becomes available to us regarding this theft and what it might 
entail.
    From the moment I was informed, the VA began taking all 
possible steps to protect and inform our veterans. On May 31st 
I named Maricopa County District Attorney Richard Romley, 
formerly district attorney, as my new special adviser for 
information security reporting directly to me. Mr. Romley 
shares my commitment to cutting through the bureaucracy to 
provide the results our Nation's veterans and service members 
deserve and expect. I have initiated several actions to 
strengthen our privacy and data security programs. On May 24th, 
we launched the Data Security Assessment and Strengthening 
Program, a high-priority focus plan to strengthen our data 
privacy and security procedures. On May 26th, I directed my top 
leadership to reinforce each VA manager of their duty to 
protect sensitive information. I've instructed all employees to 
complete privacy and cyber security training by June 30th. 
Further, I have convened a task force of VA senior leadership 
to review all aspects of information security, inventory all 
positions requiring access to sensitive VA data and ensure that 
personnel have the appropriate current security clearances. On 
June 6th, 2 days ago, I issued a VA information technology 
directive entitled, Safeguarding Confidential and Privacy Act-
Protected Data at Alternative Work Locations. I also issued a 
separate directive under the under secretary of benefits 
suspending the practice of permitting veterans' benefits 
employees to remove files for claims from their regular work 
stations in order to adjudicate claims from alternative work 
locations, including their homes.
    During the week of June 26th, VA facilities across the 
country and including Guam, Manila and the Puerto Rican islands 
at every hospital, clinic, regional office, national cemetery, 
field office and our central office will stand down for 
Security Awareness Week. Managers throughout the VA will review 
information security and reinforce privacy obligations and 
responsibilities with their staff. I've also ordered that every 
laptop in the VA undergo a security review to ensure that all 
security and virus software is current. The review will include 
removal of any unauthorized information or software. I have 
also ordered that no personal laptop or computer equipment will 
be allowed to access the VA's virtual private network or be 
used for any official business.
    You asked that I review the VA's data security policies and 
procedures. I believe these have been shared with you and your 
staff and they are discussed in my written testimony. They 
include: VA Directive 6502, issued on June 30, 2003 on our 
privacy program; Directive 5011 dated September 22, 2005, 
providing specific policies and procedures for the approval of 
alternative workplace arrangements and teleworking.
    One existing guideline, Security Guideline for Single-User 
Remote Access, will be published very soon as a VA directive. 
This document sets the standards for access, use and 
information security including physical security, incident 
reporting and responsibilities. I believe that the policies we 
have and the legislation under which they are promulgated is 
generally adequate. But it is, Mr. Chairman, too hard in my 
opinion to discipline people in the Civil Service. It is too 
hard to impose sanctions. I have multiple examples of that I 
can give you of people at each strata of leadership in the VA 
who, due to the cultural lapses, have violated the existing 
policies. I think something that this committee and the 
Congress should look at is HIPAA, the Health Information 
Portability Accounting Act, which has teeth in it for 
violations of health information breaches, and I think we 
should consider putting the same kind of teeth into an 
enforcement mechanism for the compromising and the careless and 
negligent handling of personal information, putting it under 
the same category of enforcement.
    Another that I think needs to be considered is that while 
we have a system in the government of doing background 
investigations for people to whom we will give access to 
classified information, we do not have a similar screen for 
those to whom we will give enormous amounts of data. And I will 
use--this is my wallet. This is a hard drive that holds 60 
gigabytes; 60 gigabytes will hold 12 times the information that 
was compromised in our data breach. This will hold the personal 
information of the population of the United States, and it fits 
very easily into my vest pocket.
    So obviously what we need to do is know more about the 
people who have access. This employee who took this home, as I 
said, worked for 34 years with the VA. He has not had a 
background check for 32 years. He did, by the way, this year 
sign the annual requirement for security awareness.
    So it is clear that we need to put some teeth behind the 
obvious needs that also exist at the VA for more training, 
education and enforcement and the ascertainment of the culture 
of the people that we are giving access. This has been a 
painful lesson for me at the VA.
    Ultimately our success in changing this is going to depend 
on changing the culture, and that depends on our ability to 
change the attitudes of our people. It is our obligation to do 
this, to ensure that they have the right training, that they 
are instilled with the sense of discipline and the commitment 
to be careful in their trusteeship of this data, and we have an 
obligation on, collectively, I believe, at the governmental 
level to ensure the character and the vulnerability of people 
that have access in important work for caring for our veterans 
and all of the other people in this government. This is a 
personal priority of mine. Indeed, I believe it needs a 
crusade. This is an emergency. It is an emergency at the VA, 
and it should be an emergency in our society.
    Last night I was approached by a university president who 
recognized me to tell me about a data breach that they'd just 
had--I can't divulge--but a very prestigious university and its 
recommendations. So this is unfortunately rampant and we need 
to have better tools in the way of approaching it. Significant 
change in the way the VA manages its infrastructure ironically 
was put into place by me last October. Part of the reason the 
VA I think has gotten so lax is that it is decentralized and 
it is spread all over this country, as you know. I made a major 
policy decision and we are centralizing information technology, 
and that is undergoing significant cultural resistance but we 
are going to do that and that was underway and that will also 
assist us in this broader goal and it will include both cyber 
and information security and privacy. We will stay focused on 
these problems until they're fixed and we will take direct and 
immediate action to address and alleviate people's concerns.
    With greater control comes greater accountability. Mr. 
Chairman, I remain cognizant that we are accountable not only 
to you, the Congress, but also to our Nation's veterans and our 
service members. And, Mr. Chairman, that concludes my 
statement. Thank you for this opportunity.
    [The prepared statement of Secretary Nicholson follows:]
    
    Chairman Tom Davis. Thank you, Mr. Secretary. And now we'll 
hear from General Walker.

                  STATEMENT OF DAVID M. WALKER

    Mr. Walker. Thank you, Mr. Chairman. I assume that the 
entire statement will be included in the record and therefore I 
will move to summarize.
    I appreciate the opportunity to be here today to discuss 
the key challenges that Federal agencies face in safeguarding 
certain personal and sensitive information that's in their 
custody and taking action when that information is compromised.
    As we've just heard, there have been circumstances in the 
past where such information has been compromised, and I think 
it is important to note that this is a matter of increasing 
concern both in the public and the private sector and breaches 
have occurred all too frequently in the private and the public 
sector. As we look forward, I think it is important to keep in 
mind that Federal agencies are subject to security and privacy 
laws that are aimed in part at preventing security breaches, 
including breaches that could result in identity theft.
    The major requirements of the protection of personal 
privacy by Federal agencies come from two laws: The Privacy Act 
of 1974 and the E-Government Act of 2002. The Federal 
Information Security Management Act of 2002, FISMA, also 
addresses the protection of personal information in the context 
of securing Federal agency information and information systems.
    Federal laws to date have not required agencies to report 
security breaches to the public, although breach notification 
has played an important role in the context of security 
breaches in the private sector. A number of actions can and 
should be taken in order to help safeguard against the 
possibility that personal information maintained by government 
agencies is inadvertently compromised.
    First, agencies should conduct privacy impact assessments 
and, second, agencies should ensure that they have a robust 
security program in place. In the course of taking a more 
strategic approach in adopting these two particular measures to 
protect privacy and enhance security over personal information, 
agencies should also consider several other specific actions, 
including limiting the collection of personal information, 
limiting data retention, limiting access to personal 
information and conducting appropriate training of persons who 
do have access, and considering using technological controls 
such as encryption when data needs to be stored on mobile 
devices, and other measures.
    Irrespective of the preventative measure that James put in 
place data breaches are possible and may occur. However, in the 
event that an incident does occur agencies must respond quickly 
in order to minimize potential harm that could be imposed by 
identity theft. Applicable law such as the Privacy Act 
currently do not require agencies to notify individuals of 
security breaches involving their personal information. 
However, doing so allows those affected the opportunity to take 
steps to protect themselves against the dangers of identity 
theft. Breach notification is also important in that it can 
help an organization address key privacy rights of individuals 
and in the government notifying somebody like OMB, helps to 
obtain a better understanding of the government-wide challenges 
associated with this area.
    Public disclosure of major data breaches is a key step to 
ensuring that organizations are held accountable for personal 
protection of information. At the same time, care needs to be 
taken to avoid requiring agencies to notify the public of 
trivial security incidents.
    In summary, agencies can and should take a number of 
actions to help guard against the possibility that data bases 
of personal, sensitive information aren't inadvertently 
compromised. Furthermore, when such compromises do occur, it is 
important that appropriate notification steps be taken.
    We at GAO are attempting to lead by example as well, and I 
must note, Mr. Chairman, that I met with my own CIO about these 
issues and am comfortable that we are taking appropriate steps, 
but I have also instructed them to take a couple of additional 
steps in light of some of the recent events that have occurred.
    I would also note that with the additional proliferation of 
teleworking and with the additional use of laptop computers in 
the government that this becomes an increasing challenge and 
one of significant concern and interest. As Congress considers 
legislation requiring agencies to notify individuals or the 
public about security breaches, we think it is important to 
ensure that there are specific criteria that are defined for 
the incidents that merit public notification. Congress may also 
want to consider a two-tier reporting requirement in which all 
Federal Government security breaches are reported to OMB and 
affected individuals regarding the nature of the violation and 
the risk imposed.
    Furthermore, Congress should consider requiring OMB to 
provide guidance to agencies on how to develop programs and 
remedies to affected individuals.
    And last, Mr. Chairman and members of the committee, I 
would say on listening to the two colleagues who presented 
before myself, you may want to think about whether or not there 
should be additional requirements for restricting access to 
sensitive information or conducting mandatory training and 
monitoring with regard to those who do have access for 
requiring reporting to OMB to the extent there is a significant 
breach within the Federal Government, and as the Secretary 
mentioned, make sure that there are tough sanctions for 
violators.
    We need to have incentives. We need to have transparency, 
and we need to have an accountability mechanism, and if we 
don't have all three of those the system won't work.
    Thank you very much.
    [The prepared statement of Mr. Walker follows:]
    
    Chairman Tom Davis. Thank you very much.
    Mr. Gray.

                  STATEMENT OF WILLIAM E. GRAY

    Mr. Gray. Chairman Davis, Representative Waxman and members 
of the committee, thank you for inviting me here this morning 
to discuss government data security at the Social Security 
Administration. As SSA Deputy Commissioner for Systems, I 
appreciate the opportunity to talk about the ongoing challenge 
of safeguarding the personal information that the public counts 
on us to protect.
    As you know, Mr. Chairman, the Social Security Board's 
first regulation published in 1937 dealt with confidentiality 
of SSA's records. Our policies predate and are consistent with 
the Privacy Act, and while the technologies we employ to ensure 
the safety and privacy of our records have changed dramatically 
over the 70-year history of our program, our commitment to the 
American people and maintaining the confidentiality of our 
records has remained constant.
    We nurture a security conscious culture throughout the 
agency from the executive level down. Every time an SSA 
employee logs on to his or her work station, and that includes 
the Commissioner of Social Security, a banner pops up warning 
that unauthorized attempts to access, upload or otherwise alter 
SSA's data are strictly prohibited and subject to disciplinary 
and/or criminal prosecution. In effect, every SSA employee sees 
that message every day he or she comes to work.
    We use state-of-the-art software that carefully restricts 
our employees' access to data. Using this software, we ensure 
the employees only have access to the information they need to 
perform their jobs. The software allows us to audit and monitor 
the actions of individual employees, and it provides us with 
the means to investigate allegations of misuse.
    Every year every SSA employee must read the Sanctions for 
Unauthorized Systems Access Violations, which we developed to 
secure the integrity and privacy of personal information 
contained in the computer systems. This memorandum advises SSA 
employees of the category of security violations and the 
minimum recommended sanctions. Annually, all employees are 
required to read and sign the acknowledgment statement 
indicating that they have read and understood the sanctions.
    Our Flexiplace agreements require adherence to our 
information management in the electronic security procedures 
for safeguarding data and data bases. While each Flexiplace 
agreement is different, they share different basic 
requirements. The agreements generally contain provisions that 
require participating employees to maintain lockable storage 
for securing files at the alternate duty site. They also 
require participating employees to protect government records 
from unauthorized access, theft and damage in addition to 
requiring protection from unauthorized disclosure in accordance 
with the Privacy Act and other Federal laws restricting 
disclosure of the information we maintain.
    A violation of the conditions set forth in the agreements 
results in disciplinary action. Penalties may range from 
reprimand to removal, depending on the seriousness of the 
violation.
    Despite our best efforts in establishing policy and 
procedures and enforcing these procedures, no system of 
safeguards is immune from human error. We use these rare 
occurrences to review and strengthen our security precautions.
    At SSA, our approach to data security is multi-faceted. It 
involves numerous policy and hardware and software safeguards. 
Even with all of the measures and safeguards we use, we cannot 
rest and be satisfied that we've plugged every hole. We 
continue to monitor, test, and evaluate what we are doing to 
prevent, detect and mitigate any potential threat. We strive to 
create and maintain a security conscious culture. We continue 
to try to stay abreast of all threats and vulnerabilities 
associated with emerging technologies, and our goal is to keep 
up with best practice approaches related to information 
security.
    We have recently reemphasized with all employees the 
critical importance of safeguarding personal information, and 
we've directed managers to reinforce this point with their 
employees. In light of recent events, we are also conducting 
the review of our response procedures and protocols.
    Mr. Chairman, Commissioner Barnhart and I recognize that 
data security is an ongoing challenge and critical component of 
our mission. We look forward to continuing to work with the 
committee to assure the American people that we are doing all 
that we can to maintain the security of the information 
entrusted to us.
    Thank you for the opportunity to speak before this 
committee, and I am happy to answer any questions.
    [The prepared statement of Mr. Gray follows:]
    
    Chairman Tom Davis. Thank you very much.
    Mr. Galik.

                   STATEMENT OF DANIEL GALIK

    Mr. Galik. Good morning, Mr. Chairman, Mr. Waxman and 
members of the committee. I am pleased to be with you this 
morning to discuss IRS's efforts relative to information 
technology security and the privacy of both employee and 
taxpayer information. Commissioner Everson regrets that he 
could not be here today as he is out of the country on travel 
that was scheduled several weeks ago.
    Taxpayer and employee privacy is of foremost concern to the 
IRS. We are charged with protecting the most critical 
information about virtually every American. Taxpayer data is 
subject to much higher statutory protection and safeguards. 
IRS's security policy guidance requires the mandatory use of 
encryption to protect all taxpayers and other sensitive, 
personally identifiable information that may be contained in 
IRS's computer systems. We continue to update our systems and 
our training so that employees who have access to sensitive 
information are aware of the steps they must take to prevent 
that information from being compromised.
    This job has never been tougher, specifically in an agency 
like the IRS. We have more than 82,000 full-time and 12,000 
part-time employees. We also have a large mobile work force 
that utilizes laptops and other portable storage devices, and 
they are authorized to have taxpayer and sensitive information 
with themselves at locations outside of IRS office space.
    By focusing on both privacy and security, we have made 
significant progress in upgrading our system to respond to the 
security challenges we face in this new age. Consider the 
following: We have achieved the green status on the President's 
management agenda fiscal year 2000 scorecard with over 90 
percent of our major systems having successfully completed 
security certification and accreditation. In early 2004, very 
few of the IRS's major information systems had not completed 
security accreditation.
    We make use of a defense and security approach with over 
100 firewalls and several intrusion detection devices on our 
computer systems. We operate our own computer security incident 
response center that monitors all network activity 24 hours per 
day. There is no evidence that any IRS systems, including the 
master files of all taxpayer data, have ever been successfully 
penetrated or compromised by external attacks. Cracking our 
system requires more than bypassing a single barrier. All IRS 
computers are equipped with multiple data protection tools that 
allow IRS users to encrypt all IRS taxpayer data and all other 
sensitive information that they may have on their computers, 
including their laptops.
    In light of the incident at the VA, the IRS is aggressively 
reviewing all policies, processes and training to ensure IRS 
users know how to use the encryption tools and are aware of the 
penalties of violation of policies. It is important to note 
that the laptops used by all IRS personnel working in the field 
are equipped with software applications that automatically 
encrypt all taxpayer and other personal and sensitive 
information.
    We have also been proactive not only in the area of 
security but also on our commitment to privacy. Almost 1 year 
ago we implemented OMB to designate senior officials to 
privacy. Despite all of this we know that we are still 
vulnerable to computer theft and loss, especially since our 
agents need to use laptops in the performance of their duties 
outside of IRS premises.
    For example, recently an IRS employee checked a laptop as 
checked baggage on a commercial air flight. The laptop did not 
make it to the proper destination. We determined that the 
laptop contained the names, Social Security numbers and dates 
of birth of 291 IRS job applicants and employees. We reported 
this security breach to our Inspector General and law 
enforcement, which are currently conducting an investigation. 
We have attempted to call each of the individuals as 
information was on the laptop, and we also sent a letter to 
inform them of the missing data and to guide them on how to 
watch for suspicious activity. We are also taking additional 
steps to ensure this does not happen again.
    In summary, Mr. Chairman, we at the IRS take privacy and 
security of both taxpayer and employee information as one of 
our highest priorities. We have taken numerous steps to make 
sure that our systems are not breached, but because so much of 
our work is done offsite we have a heavy reliance on laptops 
and other portable mass storage devices. While we remain 
vulnerable to one of those devices being lost or stolen, we are 
making every effort to ensure that any data on such a device is 
encrypted and of no use to anyone.
    The Treasury Department and IRS look forward to continuing 
to work with the committee to ensure we are doing everything 
possible to protect taxpayer information and privacy.
    I appreciate the opportunity to appear today. I'll be happy 
to answer any questions.
    [The prepared statement of Mr. Galik follows:]
    
    Chairman Tom Davis. I want to thank all of you very much.
    Twenty-six million veterans' records, a million active duty 
records, 300 tax records. And I am just troubled with the 
number and the scope of losses. We have a lot of laws 
protecting secure information. Personal information really 
seems to fall into a different category and maybe we have to 
give it, you know, rethink how we deal with this.
    To all of you, I guess I'd ask, what assurances can you 
give this committee and the American public that personal and 
sensitive data in Federal IT systems are secure to access, 
control staff are being trained in security practices and the 
breaches will be detected quickly and those responsible for 
sloppy data handling will be punished?
    Mr. Johnson. The question is what assurances can we give? 
We need to give them a greater level of assurance than they 
have now obviously. OMB needs to be held accountable for 
ensuring that all agencies have plans that they deem 
acceptable, that OMB and Congress deems acceptable and they 
implement this plan and they do what they say they are going to 
do, and there are various ways of doing that: Reporting 
mechanisms, details of reporting, frequency of reporting. There 
are a lot of mechanisms for doing that.
    I think we are doing more and more of that with the present 
agenda. A lot of our government-wide initiatives, security 
clearance reform. Where we are doing a better and better job of 
holding agencies accountable is for implementing some new way 
of doing business and we need to employ that here to 
everybody's satisfaction. We need to make sure we have a plan, 
agencies have a plan to do what's the right thing and that they 
then follow through and implement that plan as promised.
    Chairman Tom Davis. I mean, Secretary Nicholson, you came 
in with your plan of what you were trying to do proactively to 
prevent this in your agency. Let me ask for the employee who 
was involved, he's terminated at this point; is that correct?
    Secretary Nicholson. That's correct.
    Chairman Tom Davis. What was the lag time of when this was 
stolen and when he notified his superiors? Do you know?
    Secretary Nicholson. He notified his superiors the day that 
he discovered that it had been stolen.
    Chairman Tom Davis. OK. And did they--how long did it take 
to get to you?
    Secretary Nicholson. Thirteen days.
    Chairman Tom Davis. OK. Obviously you are dealing with that 
in your Department, aren't you?
    Secretary Nicholson. Yes, sir.
    Chairman Tom Davis. We don't know what is out there, but 
time is critical in a case like this. Have the police 
department, the local police department been involved in any 
leads on--have they put any pressure into this knowing what's 
at stake?
    Secretary Nicholson. Yes. It's a well-known fact this 
happened in Montgomery County, MD, and the local law 
enforcement people turned to it immediately.
    Chairman Tom Davis. There are a series of burglaries in 
that area.
    Secretary Nicholson. There were a series of burglaries with 
the same pattern, and they believe that these were young 
burglars whose goal was to get computers and computer 
peripheral equipment from other houses like they did this 
house. They took laptops and hard drives, overlooked other sort 
of valuable or semi-valuable things to get this computer 
equipment. They further think that their MO is to take these 
things, clean them up, actually to erase them and fence them 
into a market for college campuses and high schools where they 
pick this stuff up pretty cheap. We have no assurance of that.
    Chairman Tom Davis. All right.
    Secretary Nicholson. By the way, the FBI is intensely 
involved now, as our Inspector General. They have had a few 
leads. They've apprehended a few people who have committed 
these burglaries but they didn't have--we have the serial 
numbers of this equipment and we checked it against some of the 
equipment but it didn't match.
    Chairman Tom Davis. But the answer is the locals with 
Federal help now have intensified what would have been a 
routine investigation. I want to be assured that we are doing 
everything at all levels to try to close this out. That would 
be the win/win if we could close this out, find the 
perpetrators, find the missing disks and be able to bring this 
to closure.
    Secretary Nicholson. Indeed.
    Chairman Tom Davis. Data breach laws at the State level 
which require companies to inform individuals whom the 
organizations exposes a breach of their personal information 
have really improved our understanding of this problem. 
Congress is carrying a national breach standard, but currently 
there is no requirement to notify citizens in the case of a 
breach, the Federal agencies notify when a breach of personal 
information occurs on a Federal Government data base, and what, 
if any, guidelines exist to determine if a breach requires a 
notification? How do you determine what's trivial, and General 
Walker, do you have any thoughts on that and should we consider 
a Federal agency breach notification law?
    Mr. Walker. The answer is yes, I think you should consider 
a Federal agency breach notification law, one that would 
require notification of affected individuals as well as notify 
OMB to obtain an understanding of what might be going on on a 
government-wide basis. I think one has to be careful to make 
sure that you do have some criteria laid out to meaningfully 
differentiate between certain events that don't represent a 
real risk of identity theft. For example, there may have been 
something that was misplaced for a short period of time that's 
been recovered. Obviously, that's not something you want to 
have a broad based notification on. And we would be happy to 
work with this committee to come up with some potential 
criteria. But yes, it is something you need to consider.
    You may well also want to consider whether or not you want 
to require agencies to have certain things. For example, to 
restrict access to certain sensitive information, to have 
mandatory training and monitoring with regard to individuals 
who do have access to certain reporting requirements, which we 
just talked about; and you may also want to think about whether 
or not there need to be tougher sanctions here than might exist 
under current law.
    Chairman Tom Davis. Thank you.
    Mr. Gray. I wanted to say under Social Security if there's 
a data breach, we would always notify. It is part of our policy 
to notify the claimant and work with them.
    Chairman Tom Davis. Mr. Sanders.
    Mr. Sanders. Thank you very much for holding this important 
hearing. Before I get into the thrust of the issue today I did 
want to respond to something Secretary Nicholson said. We 
talked about the improvements in VA health care and I concur 
with you. But, Mr. Secretary, remember just last year your 
administration denied VA health care access to over 250,000 
priority 8 veterans, including those who had fought in World 
War II. You wanted to raise--double the cost of prescription 
drugs for our veterans. You also wanted to increase fees 
substantially, which would probably have thrown hundreds of 
thousands of other veterans of VA health care and the veterans 
organizations also understand that the Bush administration is 
significantly underfunding the VA and the needs of our 
veterans.
    Now in terms of this issue today, it is really difficult to 
imagine with all of the money we spend on security at the 
Federal level every year how what appears to have been a garden 
variety burglary in suburban Maryland could result in a breach 
of the personal information of over 26 million American 
veterans, including, it appears, over 2 million American 
military personnel.
    You know we have about 300 million people in our country. 
What we are looking at is a breach of privacy for approximately 
10 percent of the American population, and if you look at the 
adult population it is probably 15 or 20 percent, at one time, 
an unprecedented and extremely dangerous breach of privacy for 
tens of millions of Americans.
    According to a variety of experts quoted in yesterday's 
Washington Post, this breach could enable the holder of this 
information to, ``create a zip code for where each of the 
service members and their families live and if it fell into the 
wrong hands could potentially put them at jeopardy of being 
targeted.''
    These experts, including those at the Center for Strategic 
and International Studies, have expressed concern that this 
released information could, ``reach foreign governments and 
their intelligence services or other hostile forces, allowing 
them to target their service members and families.''
    One anonymous Defense official quoted in the Post called 
the extent of the battle, ``monumental.''
    This is serious business. I think we all understand that.
    Mr. Waxman and Mr. Davis have raised some very important 
issues. Mr. Secretary, my question for you is, it is obvious, I 
think there is no disagreement here, that we have to make sure 
that this never happens again. We have to do a much, much 
better job in protecting the privacy in the records of all of 
the American people, including those in the military and our 
veterans, but this is my question for you.
    After all is said and done, after hopefully we do all of 
these things, if--and we certainly hope this does not happen--
if there is a breach of privacy, if in fact identity theft does 
happen and if in fact you know how--what a terrible situation 
would be of theft. People spend years and years working to 
recover. I am on the Financial Services Committee. We've heard 
horrendous testimony from people for years and years who have 
tried to clear their names as other people have stolen their 
identities. It would seem to me that given what has happened 
and the responsibility for it at the VA, what are you going to 
do to protect 28 or 30 million Americans whose identity theft 
may be at risk if in fact that happens? Are you going to come 
to Congress and say we will ask for money to make sure that we 
will provide the financial resources necessary and the legal 
resources necessary to protect those tens and tens of millions 
of people whose identity was released?
    Secretary Nicholson. I think that's a very good, very 
important question. And we--so far what we have done, we've 
notified every person whose identity that we have and with the 
cooperation of the IRS because the addresses we do not have we 
matched them against Social Security without a violation of 
their privacy and we were able to--we sent a letter to every 
affected person, and in that letter we give them one notice 
that this has happened and the steps that they can take and the 
steps--and we've coordinated closely with the three major 
credit agencies that there are in the United States who make 
available to every citizen upon a call or an e-mail or a fax a 
free credit check and a credit alert. So that they can 
implement that immediately. If they have any questions about 
how to do that or need assistance----
    Mr. Sanders. And that's fine. I am aware of that. But 
here's the question. If--and we hope it does not happen, but if 
it does happen, you know, the identity theft is a horrible 
thing. We have heard testimony year after year from people who 
have tried to clear their names and convince creditors that 
they have not racked up these bills. It's a terrible 
experience. If that happens, are you going to come before 
Congress and say we have to take responsibility for the 
financial expenses incurred by veterans for the legal expenses? 
Are you going to come before Congress and ask for that help, or 
are you going to let the men and women in our military have to 
cope with this by themselves?
    Secretary Nicholson. I can tell you, Congressman Sanders, 
our No. 1 priority really in everything that we do at the VA is 
the veteran, what's best for our veteran, and we now have 
active service members that we would include in that priority. 
So what unfolds will be guided by that principle.
    We also, I would mention to you, have, and this was not in 
place before this came to the light of day, a new Presidential 
task force on identity theft and very ironically had a meeting 
set for this task force and I serve on it. The first meeting 
was accelerated and met the first day that we disclosed this 
information. And that task force will also consider this 
question because it's a very important question.
    I had a meeting yesterday afternoon with the veterans 
service organizations, leadership, 15 or 20 of them. We had the 
same discussion.
    Mr. Sanders. I think they have initiated a lawsuit against 
you; isn't that correct?
    Secretary Nicholson. One group of them has initiated, 
others have issued statements saying that's not the answer to 
this.
    Mr. Sanders. My hope, Mr. Secretary, is that in fact you 
will do everything that you can, that in case there is identity 
theft taking place that you do everything you can to protect 
financially and legally our veterans, that you will come before 
Congress if you need the money to do that.
    Chairman Tom Davis. Thank you very much. Mr. Gutknecht.
    Mr. Gutknecht. Thank you, Mr. Chairman. I guess I am 
becoming a little more or less confused about this from this 
testimony, because what I've been reading in the papers is 
there was a very serious security breach and that millions of 
names were out there floating in space. What I am hearing 
today, Mr. Nicholson, is that's not exactly the case, at least 
we don't know that yet. Let me review what we've learned today 
to make sure I am on the same page.
    An employee against the policy of the VA took their laptop 
computer home. That laptop computer was stolen. We don't know 
what happened to the data that probably was on that laptop, but 
so far none of that data has appeared in cyberspace as far as 
we know; is that correct?
    Secretary Nicholson. That's correct, Congressman. I just 
would add that they took a laptop, some computer disks and 
downloaded it into a hard drive and the hard drive was stolen 
also.
    Mr. Gutknecht. I am going to be clear on this. Who 
downloaded it or who downloaded it to the hard drive?
    Secretary Nicholson. The employee, the subject employee.
    Mr. Gutknecht. But the people who stole it, we don't know 
what they did with that data?
    Secretary Nicholson. That's correct.
    Mr. Gutknecht. So I think we have to be careful not to get 
too far ahead of ourselves in terms of real damage. So far 
there is no evidence that any of these people have actually 
sustained any real damage; is that correct?
    Secretary Nicholson. That is correct.
    Mr. Gutknecht. And in testimony you said that you are going 
to implement even tougher policies. The employee who was 
involved has been fired. What else has happened in terms of the 
agency not only to sort of cure this problem but to hopefully 
prevent this kind of a problem in the future--not only in your 
department; this could happen in any department, couldn't it?
    Secretary Nicholson. Yes, it could. His--the Acting 
Assistant Secretary in that department has been let go. The 
principal Deputy Assistant Secretary has been let go. We are 
rebuilding that department and the Office of Policy and Plans. 
They have a very bright, recently acquired Navy admiral that 
the President has now announced that we've recruited. We have 
tremendous opportunity in the private sector and he has a great 
background. He's teamed up to come in if confirmed to take over 
to rebuild that department.
    We are reviewing all of our existing rules, regulations and 
laws, and that is another reason I welcome the opportunity to 
come here not because it is pleasant to you in light of what's 
happened, it is my responsibility, but we need to put some more 
teeth into the enforcement of this because the attitude is far 
too laissez faire. And I would add that in the discussion that 
just ensued where we talked about having some teeth in HIPAA 
and not having teeth in FISMA, in HIPAA there is also a 
requirement to disclose to people if their identity has been 
accidentally or intentionally compromised, where there is not 
in FISMA. Let's put it in there. Just another step, and then we 
need to start enforcing some of this so we set some examples.
    Mr. Gutknecht. Let me--I can't resist the opportunity, Mr. 
Gray, I want to come back to a question that keeps coming up 
relative to Social Security, and that is we are having some 
rather heated debates in Washington about illegal immigration. 
And I have heard employers say that one of the real problems we 
have is a lot of people are using false Social Security 
numbers. How does the Social Security Administration deal with 
that because I have heard there may be three different 
employees using the same Social Security numbers. How does that 
not come back to the----
    Mr. Gray. One of the tools that we fielded last year was 
the Social Security number verification system that allows an 
employee who they hire to enter the information into a Web 
based application and verify that person's Social Security 
number really doesn't belong to them to give them a tool in 
making sure that Social Security number and those wages are 
reported correctly. In addition to that, as employers report 
wages throughout the year we do checks to try to make sure that 
we associate the wages appropriately with the person's Social 
Security number.
    Mr. Gutknecht. Are you saying right now we don't have 
multiple employees using the same Social Security number?
    Mr. Gray. No, I am not saying that.
    Mr. Gutknecht. How would you find that out?
    Mr. Gray. When the wage earner--when the employer reports 
come in we can have multiple employers showing multiple wages 
on the same Social Security number. We try to investigate that.
    Mr. Shays [presiding]. I'm going to interrupt. Mr. Waxman 
needs his time before the vote time.
    Mr. Waxman. Thank you, Mr. Chairman. As I understand it, we 
have had on the books since 1974 laws to protect privacy and 
another law in 2002. The General Accountability Office has been 
giving grades to agencies about how well they're doing in 
meeting requirements.
    Isn't that correct?
    Mr. Walker. I think this committee is the one that gives 
the grades. We do, however, look at computer security as part 
of our audit of the financial statements, and that is a 
material weakness area for many agencies.
    Mr. Waxman. In fact, this committee gave the Veterans 
Administration an F in terms of security for this kind of data.
    Secretary Nicholson, you blame this on obviously employees 
being fired, on the culture, on people just not doing what 
they're supposed to be doing, but that doesn't sound to me like 
we are really getting to the heart of it. It is sort of passing 
the buck. Now it sounds like you are also going to seize this 
opportunity to clamp down, and I appreciate that. But I just 
want you to know how bureaucratic it all sounds. We have Mr. 
Johnson from the Office of Management and Budget. You are the 
Secretary. You are Secretary for only a short period of time 
and you blame the fact that an employee had been there for a 
long time. I don't know what relevance that has except we need 
to find out who has access within the VA to the type of 
information that was stolen. Do you know how many people have 
access to this type of information?
    Secretary Nicholson. Congressman Waxman, I don't think I 
could give you right now the exact number, but I will tell you 
that quite a few people do. We have a system of authorized 
telecommuting and teleworking that is a product of 
encouragement of the Federal Government.
    Mr. Waxman. How many VA employees have the capacity to 
download this information unencrypted onto personal computers?
    Secretary Nicholson. Well, the--of the subject information 
it would--I couldn't give you the exact number right now but 
that number would not be real high because this was a--out of 
what is called a BURALS file, which is an acronym for this 
system. He was working on a project at his home and using the 
entire data base. Not many would have that.
    Mr. Waxman. You explained that individual. Do you know how 
many employees have such unencrypted information on personal 
hard drives outside of the VA offices now?
    Secretary Nicholson. Yes. I think that 35, roughly 35,000 
employees of the VA have some level of accessing data and 
working it on laptops or computers at home, much of it through 
the VPM, the Virtual Personal Network.
    Mr. Waxman. That's a large number of people that have this 
information out. You have said that what we need to do is--I 
hope you'll take charge of those 35,000 people or so that 
had----
    Secretary Nicholson. As I said in my testimony, we are 
doing a survey right now to see who all has access, why they 
have access, and what access they have, inventorying the entire 
system.
    Mr. Waxman. The story seems to have changed. First we were 
told only veterans and some spouses were affected and then 
about 50,000, but no more active duty personnel were affected. 
And then on Tuesday we learned that 80 percent of the active 
duty military may have been impacted. Was any medical 
information on any of these veterans, on active duty members 
compromised?
    Secretary Nicholson. No, sir.
    Mr. Waxman. How about disability ratings?
    Secretary Nicholson. Some of them had a disability 
classification index in part of their line. But on the medical 
question there were no--no medical records were compromised in 
this at all. There were about 300 people that we have 
ascertained through the forensic work that we are doing that 
have an annotation, a medical annotation next to their name. 
And I'll give you an example because I looked at all of these. 
One of them said asthmatic. Another herniated disc. It is fewer 
than 300 but nearly 300 have that degree of annotation next to 
their name.
    Mr. Waxman. I see my time has expired. Thank you, Mr. 
Secretary. Mr. Chairman.
    Mr. Shays. Thank you very much.
    I'd first like to ask GAO is this something that should 
have shown up in our radar screen? We can throw bricks at the 
administration and we can throw bricks at the Department. But 
is this something where GAO could have alerted us better? Or 
you did alert us or combination of both? What's an honest 
assessment of why all of a sudden we seem to be outraged and 
shocked by what's happened?
    Mr. Walker. I think both the GAO and Inspector General have 
both in this case been charged with the responsibility for 
auditing personal statements of respected agencies as well as 
U.S. Government overall. There are serious security challenges. 
So many agencies----
    Mr. Shays. Same security channel. Say we are finding 
terrorists, it's more helpful when we are fighting Islamic 
terrorists we know are not from Iceland.
    Mr. Walker. I think the key, Mr. Chairman, we have a lot 
more controls over classified information and taxpayer 
information and, as Secretary Nicholson mentioned, there are 
now sort of the controls under HIPAA for health information. 
There is a gap here, and the gap is with regard to certain 
sensitive information that could end up improperly being 
disclosed, and I think one of the things we need to look at is 
not--clearly agencies should be taking steps on their own but 
Congress may want to consider requiring certain steps.
    Mr. Shays. That's helpful information, but sometimes 
Congress will get blamed. Sometimes Congress will get blamed 
because we didn't do something. We look at the testimony and 
the department head says we have all of the money we needed to 
get the job done. You need to refer to someone.
    Mr. Walker. If I can. Thank you. I've been advised we have 
not issued a report directly on this. However, in the conduct 
of our audits we have noticed weaknesses in this area before so 
it was one of a number of material controls.
    Mr. Shays. But weaknesses specifically with people taking 
information out?
    Mr. Walker. Weaknesses with the potential for information 
to be compromised, not that it actually was compromised.
    Mr. Shays. What strikes me, you know, I heard the Secretary 
say he was outranked. He should be outranked because it is 
beyond stupid to take out sensitive documents. But I have a 
sense that is a common practice. So obviously we've all been a 
little asleep. The department heads have been asleep. The White 
House has been asleep. Congress has been asleep and now we are 
trying to deal with it, and all I wanted to know is there's 
been no specific outlining that we have this kind of problem. 
And you are coming forward and obviously saying we need to deal 
with this issue? You are also saying we have had security. We 
need to maintain security. Mr. Johnson, tell me, when you heard 
that this happened at the Department of Veterans Affairs? Anger 
would probably be one way to describe it, but were you 
surprised or did you start to say, my gosh, you know, is this 
just the tip of the iceberg?
    Mr. Johnson. No. I was surprised. I am told that there are 
dozens of security breaches involving a laptop, for instance, 
nothing, though--a year. None of these involve 26, 27 million 
names. So this is the hundred-year storm of security breaches. 
So the magnitude of it is the alarming thing. There are 
breaches. There will be breaches. And in spite, no matter 
however we spend and how tightly we resecure this, the more we 
secure it, the more responsible, the fewer the number of 
breaches, whenever we have one we need to respond accordingly, 
figure out what caused the problem and deal with it. But it was 
the number of names that was truly alarming to everyone.
    Mr. Shays. If it's anticipated that this was a common 
theft, they weren't really looking for this bit of information 
and that's one of the opinions out there. Is it a strongly held 
opinion on the part of folks that are investigating this?
    Secretary Nicholson. Yes, sir. I would say, Mr. Chairman, 
that it is quite commonly held among the law enforcement 
investigating communities.
    Mr. Shays. Is it something where we can simply offer a 
significant reward to contact a certain person with no--that 
they return this with no prosecution? I mean, because what's at 
stake is so significant. Do we have the capability to say, you 
know, you stole the computer but, by the way, you have 
something that will cost us billions of dollars to deal with 
and provide some incentive for them to return it with no 
prosecution if they do? Do we have the capability to do that?
    Secretary Nicholson. We do not have the capability. That 
was discussed at our hearings in the GAO committee. But I will 
say that a $50,000 reward has been posted by the Montgomery 
County, MD law enforcement community.
    Mr. Walker. As I mentioned earlier, and you may or may not 
have been here.
    Mr. Shays. I was trying to be in a vote.
    Mr. Walker. I understand. I was briefed by my own CIO with 
regard to our own procedures and there are two things that I 
think people can think about in this area right now 
irrespective of whether or not Congress takes any action.
    Specifically to encrypt all sensitive information of the 
type that we are talking about. That doesn't mean encrypt all 
information, but encrypt this type of sensitive information. 
And all--or prevent the ability to download and/or copy certain 
types of sensitive information. Those are things that can and 
should be done now. Because the fact is we are moving to use 
technology more. More and more government employees have 
laptops because they are mobile, because the government is 
promoting Flexiplace and things of that nature. So we need to 
take these steps to minimize the risk.
    Mr. Shays. My Government Reform subcommittee oversees 
Defense and State Department hearings about classified material 
and we had DOD testing that 50 percent should be reclassified, 
50 percent more than we should classify, we had the outside 
group saying we classified 90 percent more than we should. Then 
we had a hearing on all of these sensitive but not classified, 
which anyone could classify, and then we have a breach like 
this which clearly should never have gotten out of someone's 
office. So it blows you away and some of the secret stuff that 
I look at would make you laugh because there is nothing secret 
about it and something like this is huge and it just--when you 
went to look at it in your own operation, did you get a candid 
response from anyone who said, hey, boss, we sometimes take out 
stuff, too, or do you have confidence within your own 
department that this couldn't happen?
    Mr. Walker. I have confidence. We have extensive procedures 
in checks and balances. For example, when we have this type of 
sensitive information, we typically end up having a separate 
hard drive that we lock up. We have computers at GAO. The 
people can only use computers at GAO for this type of 
situation. You could theoretically have somebody who willfully 
and intentionally, however, wants to abuse the system, and 
that's why we've never had that, I might note. But that's why I 
am saying what else can we do to even try to deal with that 
situation. Even if you have all of these other checks and 
balances, that's why I come back to encrypt this type of 
information and/or possibly as a supplement prevent the copying 
and/or downloading of this type of information.
    Mr. Shays. Let me conclude with this and then go to Mr. 
Mica.
    Is the biggest concern that people will be careless or that 
they will actually be devious and go beyond careless? What is 
the big concern? Maybe you could comment as well.
    Secretary Nicholson. I think the bigger concern, Mr. 
Chairman, is carelessness. That's the instant case. This person 
wasn't being deviant. They were working on a project that he 
had been doing that for 3 years, taking the data home and 
working.
    Mr. Shays. How long do you think it's going to take you to 
resolve this problem, not get the information back but make 
sure it doesn't happen again?
    Secretary Nicholson. I think that it won't happen overnight 
but it is very doable and we are under way. It is something 
that absolutely has to be done, but I don't know that you were 
here, but we are going to need some tools for enforcement and 
you were touching on it a minute ago when we require----
    Mr. Shays. I don't want to repeat the record. Yes, Mr. 
Johnson, and I apologize.
    Mr. Johnson. I'd like to point out that--follow up on what 
Mr. David Walker was talking about. It is currently the 
standard that all data, sensitive data on laptops be encrypted. 
That is the standard. It's just not enforced. We don't hold 
agencies, ourselves accountable for that being the case.
    Mr. Shays. Thank you.
    Mr. Mica.
    Mr. Mica. Thank you, Mr. Chairman, and I am not here really 
to beat up on these witnesses. In fact, I know three of them 
fairly well. You have three probably of the most dedicated, 
capable, public servants. Watched Clay Johnson and his 
experience over the years and Secretary Nicholson, incredible 
representative of the United States, and his tenure, and now 
incredible advocate for our veterans. Then I have known Mr. 
Walker since--I don't want to say since he was in diapers but 
for a long time. Although you look pretty old these days, Dave.
    But the problem is not these capable administrators or the 
other witnesses you have. The problem is advances in 
technology, and I would venture to say since you know on this 
disk you have millions and millions of pieces of information 
and pretty soon we'll have it probably in something the size of 
the thumbnail, and I would venture to say that not a day goes 
by that someone from your agencies or congressional staffers 
don't take laptops home or someplace else and we are at risk.
    What we had here was a theft, a criminal act. But we do 
have to keep the laws and the rules up with technology, and 
that's what we are always having trouble with in Congress. 
Laptops didn't even exist. Cell phones, I was in the cell phone 
business and I was a pioneer in 1987, something like that. 
That's not that long ago. So keeping up with it.
    So I have a couple of questions. I left it after a bit, but 
did we do our job? I see that even the President did in August 
2004 a directive that actually directed OMB to take the lead 
here. I did read that--we have two responsibilities. One is 
protecting data and what to protect and then, well, what to 
protect and unprotecting it. And how we protect is so 
important.
    OK. Clay, you were responsible. You're still the lead 
agency in this, in setting the----
    Mr. Johnson. In some HSPD1 identification cards.
    Mr. Mica [continuing]. Security of information for the 
agencies. Did you--have you sent out a--so you have sort of 
taken a lead in this? And then I read that while 20 percent of 
the government systems are certified and accredited, this is 
agency security planning. That means 20 percent are not. Do you 
monitor this? Is that your responsibility?
    Mr. Johnson. Yes.
    Mr. Mica. Who isn't the 20 percent? It says 80 percent of 
the government systems.
    Mr. Johnson. I can get you that information.
    Mr. Mica. I think that's important to find out where the 
gaps are.
    Do you have enough legislative authority to do what you 
need to do to make certain there is compliance? Because I know 
these agencies--we have dozens of agencies and they are all 
going their own way. Do you have enough legal authority from 
the Congress to set standards?
    And then the other thing, too--the important thing here, 
too, is reporting back an incident. And I read you directed 
your staff to have Homeland Security chief information officer 
counsel to identify the appropriate detail and schedule for 
distributing a periodic government-wide incident report. That 
is getting information back on incident.
    Mr. Johnson. Yes, sir.
    Mr. Mica. You pick them, and do you have enough authority 
and do they have enough authority to get compliance? And then 
the concern of the chairman was the timeline of information and 
reporting. Would you answer that elongated question?
    Mr. Johnson. As to the second question, the reason why we 
refer to DHS, they are the cybersecurity office. They are the 
lead on cybersecurity. So that's why this reporting is to them. 
And it's my understanding it is not clear as it needs to be how 
we record different kinds of breaches, and we need to be sure 
that it's real clear----
    Mr. Mica. Do you have a systemwide standard right now? OK, 
a breach has occurred. What's the reporting? Is that----
    Mr. Johnson. We have that now, but the reporting is 
inconsistent and I'm not sure that they're all--it's equally 
clear to all agencies. So we need to make sure that it is.
    Mr. Mica. Do you have the authority to require that? Not 
require; you are just requesting. It is a ``may'' rather than a 
``shall.''
    Mr. Johnson. I don't know. I think of them as being the 
same. But maybe somebody else would think of them differently, 
but----
    Mr. Mica. Again it is nice to beat up--we pass the laws and 
then sometimes we allow you to pass the rules. But we have to 
make certain that somebody has the authority and responsibility 
for this, both the----
    Mr. Johnson. I think one of the things we can do is, in 
general, I think we have the laws and the regulations we need. 
We don't need to assume that, though. We should go and make 
sure that maybe there's--we have 95 percent of what we need but 
we need extra teeth in it, as the Secretary talked about, over 
here and over here. So we need to review that. I bet we'll find 
a couple of additional things we need to do. But the big 
opportunity and the big challenge here is to enforce and be 
held accountable, all of us, for abiding by the laws and 
regulations and processes and procedures and standards that are 
already on the books.
    Mr. Mica. Thank you.
    Chairman Tom Davis. Thank you.
    Mr. Souder.
    Mr. Souder. Thank you.
    What's happened here is basically every conservative's 
nightmare about consolidation of information in the Federal 
Government; what would happen. And I was pleased to see in your 
testimony, and then, Secretary Nicholson, you responded to it 
because you said that in addition to informing all concerned--I 
was a little concerned. Mr. Johnson just said that he didn't 
think there were necessarily new laws, and you've been saying 
we need new laws because, for example, in your statement you 
say this may violate Federal law and could result in 
administrative, civil, or criminal penalties. This is something 
Congress should act on immediately because when we talk about 
disincentives to take things home and to not follow the rules, 
you can sit through seminars but if there's no consequence--so 
I was glad to see you make that point.
    I have one technical followup question to Mr. Gutknecht. 
You said that there is some reason to believe this is a 
computer fencing firm basically. Was the disc inside the 
computer or did they also collect discs that are lying around 
the site?
    Secretary Nicholson. I'm having a little trouble hearing 
you. Was your question----
    Mr. Souder. Regarding the theft, the statement said there's 
speculation that this may be a group of people who basically 
fence computers, steal the computers. But you made the 
statement that the drive--was that in the computer, or did they 
take it in particular, or did they take the other information 
and there may be a secondary market going on?
    Secretary Nicholson. There was a laptop and a hard drive. 
They weren't at that time connected. They took both of those 
and did not take the discs.
    Mr. Souder. So only the discs that were inside the 
equipment are what they have?
    Secretary Nicholson. We don't know--we don't know what was 
loaded in his laptop.
    Mr. Souder. We don't know that the information has been 
stolen----
    Secretary Nicholson. He told us that he had downloaded 
these discs into the hard drive. We obviously don't have the 
hard drive either. That's what was stolen. But we do have the 
discs. And he brought those to us and that's what's been 
undergoing this forensic analysis is the holdings that are, you 
know, developed.
    Mr. Souder. Thank you. Because what that means is that 
somebody has to actively download to do that, and there has to 
be another step in the process here.
    Mr. Johnson, Congressman Sanders raised the question to 
Secretary Nicholson, but those of us who have been here a long 
time know that this is really--a lot have known--the question. 
If indeed we start to identify that in fact this information is 
being used, it is outrageous that many low-income veterans and 
veterans would have to pay for the credit reports. Would OMB 
back up the Veterans Administration in coming to Congress and 
saying look, we need some money because the veterans shouldn't 
have to fund this because it's a government error, not their 
error?
    Mr. Johnson. We agree totally with Secretary Nicholson that 
our highest priority is to find the best way to serve the 
veterans and the active military personnel who are at risk of 
being harmed here, and that means figuring out the best way to 
do that and then doing it.
    Mr. Souder. You agree it's not their financial 
responsibility to try to figure this out; that the government 
made the error, they didn't?
    Mr. Johnson. I would agree with that. But, again, that's 
not just financial response--our responsibility or not. It's 
all the ways we can serve them.
    Mr. Souder. It's broader than that.
    Mr. Johnson. Yes, sir.
    Mr. Souder. But if you don't have--if you're already trying 
to figure out how to cover your health care, you're already 
trying to figure out how to cover your housing, you don't have 
much income, asking to do multiple credit reports to track--
like it's their responsibility that they lost it when it was 
the government's--is a big deal right now.
    Mr. Johnson. Right.
    Mr. Souder. And I wanted to ask Mr. Walker--and this may 
also come back to you, Mr. Johnson--that most identity theft in 
the United States right now isn't related to trying to steal 
the person's full identity, or even for financial purposes. 
It's related to the fact that we have Social Security numbers 
being stolen for illegal--by illegal immigrants who need a job, 
many of them in my district. In 1 month they took down three 
green card manufacturers who were producing with stolen Social 
Security numbers.
    Not only related to this latest with the Veterans 
Administration, but in the other agencies where there's theft, 
do you know, or are there recommended policies, or how do we 
interrelate this theft with ICE, with CBT, with the Coyotes and 
other groups that are networking in large groups of people, 
fencing operations for stolen Social Security numbers? Do we 
have a systemic way of addressing where--if this shows up? 
Because this isn't just going to show up with somebody in a 
bank account somewhere. Maybe it would indirectly, later on in 
a Social Security number; if one of the veteran's Social 
Security numbers are stolen, something is going to come in 
under FICA relatively, you know, down the road here. But it 
seems like one of the first points of contact should be that an 
alert should go out to ICE, and so we're watching whatever kind 
of networks we have where these Social Security numbers might 
pop up.
    Mr. Walker. I'll have to reflect on that, Congressman. I 
will say this: that one of the major problems that we have is 
when Social Security numbers are intentionally or inadvertently 
disclosed, and that provides a basis under which individuals 
who engage in certain other activities that can result in 
identity theft. And I think one of the things we're willing to 
do is to make sure that when you have SSNs, that type of 
information either, A, isn't used for an identifier; or, B, if 
it is, that it's encrypted in some way so that people can't 
attain access to that. Presumably the VA is taking steps to try 
to ascertain whether or not some of this information might be 
compromised, you know, through sampling techniques, through the 
type of communications that you're talking about with selected 
Federal authorities. I think that's important because--that 
they be proactive in that regard. And if it turns out that it 
looks like there are some that have been, and hopefully they 
will never be, but if it turns out, then it comes back to your 
question: What are you going to do for everybody with regard to 
credit reports and credit monitoring? But we may not get to 
that point.
    Mr. Souder. But my question was, really, wouldn't the first 
logical place that you would be trying to track whether this 
has been stolen, looking--since it's the No. 1 reason Social 
Security numbers would be stolen--would be to work with ICE, 
CBP, and looking at illegal immigration, which then the 
secondary tail would be through FICA reports.
    One of my friends--Congressman Gutknecht referred to it--
had four other people on her Social Security account. And when 
she went to apply for a credit card, it was very difficult for 
her with the Social Security Administration to try to prove who 
she was. And if we have all these veterans going through this, 
one of the first places we should look at are who's likely to 
be using these numbers; not just bank accounts, but who's 
likely to be stealing them?
    And I wonder, is that recognized in the government that 
this is the first place we ought to be looking, financial 
services right behind it, Social Security right behind it, but 
this is likely to be the first place it's going to show up in a 
fencing operation for Social Security numbers?
    Mr. Walker. I think you make a very good point. I mean, one 
of the hot debates right now is the immigration debate. To the 
extent that people can get a valid Social Security number, it's 
a way that they might be able to obtain, you know, employment 
and other types of opportunities. So it's a good point that I 
think needs to be followed up on.
    Mr. Souder. Thank you.
    Chairman Tom Davis. Mr. LaTourette.
    Mr. LaTourette. Thank you very much, Mr. Chairman, for 
having this hearing. And to all of the witnesses, thank you for 
coming.
    Just, first, a commercial: A number of committees are 
working in the Congress on data security and H.R. 3997, which 
is the financial services product, would in fact cover this 
situation and would, in fact, provide all of these veterans 
with 6 months of free file monitoring. So I would ask you, Mr. 
Johnson, if you would share that with Mr. Portman. It's the 
only bill that does that.
    But Secretary Nicholson, I appreciate your being here, but 
I need to share a story with you because one of the fights 
we've had on that bill is I've always argued that a data 
security breach is different than identity theft. One doesn't 
always lead to the other. And when you lose a laptop, you don't 
necessarily have to notify everybody about what's going on.
    But I have a constituent. His name is Steven Michael. He's 
33 years old. He lives in Ashtabula, OH. He served for 3 years 
in the Army during the Gulf war, and he receives an $873 
disability check each month from the Veterans Administration 
because he has a heart condition. On June 1st, exactly 1 week 
ago, he withdrew money from his account at a local ATM and 
noticed that his balance didn't reflect the deposit of his 
monthly VA check, which is made through direct deposit. He 
immediately called the VA's 800 number and checked on the 
status of the payment. The automated system said that the 
records couldn't be accessed at this time; so he waited and 
actually spoke to a real live person. He provided his personal 
information to verify his identity and explained that his VA 
disability check wasn't in his account. He was stunned to learn 
that it, in fact, had been put in a new account, his new 
account. He inquired, what new account? The woman from the VA 
said that it was a new account he had on file. He told her he 
had not set up a new account and gave her the last four digits 
of his existing account. Of course, it didn't come close to 
matching his new account. She assured him that the problem 
would be corrected. He asked if he should visit the VA office 
in Cleveland. She asked if he was close, and he said he could 
get in his car. And he then drove 45 minutes to Cleveland. He 
went to the original VA office and provided them with a copy of 
his account. He was told that the numbers were from his old 
account. He stressed that it was his current and only account 
and that his accurate information was entered. He was told that 
it could take 7 days to process.
    He then asked the folks at the VA if this could be related 
to theft of the laptop containing the information that's the 
subject of this hearing. He was given a toll-free number, 800-
333-4636. Mr. Michael is rightly concerned about this, and he 
wonders how his direct deposit form could be changed or why it 
happened on the heels of the reports of the stolen laptop. He 
believes whoever did this must have had his name, address, and 
Social Security number. He doesn't believe this is a simple 
computer glitch because his monthly disability check has been 
deposited in the same account for years. He is even more 
disturbed that his bank informed him that it was possible 
someone phoned in the new direct deposit information to a bogus 
bank account, his new account, in the State of Michigan.
    If you could, Secretary Nicholson, can you give me a sense 
of whether this is possibly related to the stolen laptop or if 
my constituent is another unfortunate victim of identity theft?
    Secretary Nicholson. Or both.
    Mr. LaTourette. Or both.
    Secretary Nicholson. First I would tell you, Congressman, 
that is the first incidence I've heard of that affecting a 
veteran since this has come to light. I would like to get, you 
know, that information and we will follow that up on an 
individual basis. So that is the only one.
    Now, it is a fact that every year in this country, 1 to 3 
percent of the people suffer from identity theft. Last year, 9 
million Americans did, causing them an average of 28 hours of 
time to straighten it out at an average cost of $5,600, almost 
all of which was borne by the affected creditors, not the 
consumers.
    We have been talking to a company that specializes in 
trying to find the derivative source of identity theft, the 
company happens to be called ID Analytics, because we have that 
same concern; because 1 to 3 percent of our veteran population 
are going to be victims of this anyway due to the statistical 
distribution, and we want to know what's sourcing this. So we 
will follow up with that one and we have not yet entered into an 
arrangement with this company to monitor this population, but 
we are seriously looking at it.
    Mr. LaTourette. I very much appreciate your answer. And to 
be very, very fair, I will tell you that currently the 
constituent is in our district office filling out some forms 
necessary for the regional office to help. And my caseworkers 
say that they've never seen the VA move so fast--I will tell 
you that--in response to this report.
    And as someone who wrote the identity theft legislation 
here when we reauthorized the Fair Credit Reporting Act, I'm 
well aware of the difficulties and the horrible stories that 
come out of stealing someone's identity.
    But I wanted to bring this to your attention for a couple 
of reasons. One, so you know that you may have one now out of 
these 28 million people. Two, to please ask that you, through 
your offices here, make sure that the folks in Cleveland stay 
on top of this, because obviously this veteran is concerned 
that the two are related. And if they're not related, then I 
think it's good news for the VA. If it is related, I think 
you've got a problem.
    I thank you, Mr. Chairman.
    Chairman Tom Davis. Thank you very much. I just have a 
couple more questions and then if anyone else has one.
    Mr. Nicholson, let me just ask the Secretary, Federal 
telework programs allow employees and contractors to work 
remotely. They're good programs. They're seen as a key 
ingredient of continuity of operations, emergency planning, 
especially for extended periods of disruption, whether it's a 
terrorist attack, avian flu. Was this individual participating 
in an authorized telework program?
    Secretary Nicholson. No, sir. He was not.
    Chairman Tom Davis. Are there steps that should be taken as 
a matter of course to ensure that benefits of telework are not 
eroded by the security risk? It gives us a chance to rethink 
that and continue to make it--I believe we want telework to 
grow, but this is a reminder sometimes that there are 
limitations.
    Secretary Nicholson. Yes, I think it does. I think it 
raises to a silhouette that we need to examine this program to 
see that, you know, the abuses are not taking place, we are not 
making it too easy for these abuses. And that is where the 
people thing kicks in as well as the requirements that data be 
encrypted and that we monitor it more closely with enforcement 
for violators.
    Chairman Tom Davis. Mr. Johnson, does OMB have the 
authority and the resources it needs to set and enforce 
government-wide information security programs, or do you need 
additional authority here, do you think?
    Mr. Johnson. In general, I think we have sufficient 
authority, but we ought to review it. We ought to look through 
it.
    Chairman Tom Davis. I think we are willing to give you, in 
light of this, so you seize on every opportunity--if you would 
look at that and come back and make sure we give you the tools 
you need to do it.
    Mr. Johnson. Right.
    Chairman Tom Davis. I know your dedication to this, but I 
want to make sure you've got all the tools.
    And also what's the position regarding the merits of data 
breach legislation requiring agencies to notify affected 
individuals of compromises in their privacy or their personal 
information? If legislation is enacted, what methods should be 
used to determine whether and how to notify individuals with 
security breaches? And will all of you work with us on 
legislation? Obviously, it's a big deal with Social Security 
and IRS.
    General Walker.
    Mr. Walker. We'll be happy to work with you, Mr. Chairman. 
Let me also mention in addition to telework, which you just 
talked about, which could cause increasing risk, even if a 
person is not on telework, they may travel and take their 
laptop with them. In addition to that, they may take work home 
at night or on the weekend, which would not be part of the 
telework. So we need to look at this issue as a separate and 
distinct challenge that has to be addressed irrespective of 
whether they're on telework.
    Chairman Tom Davis. That's a good point. Mr. Johnson, will 
you work with us on this, too?
    Mr. Johnson. I look forward to it.
    Chairman Tom Davis. This is a good wakeup call.
    I guess my last question would be to all of you. In your 
opinions, individually and collectively, do our departments 
provide the CIO and its organizational components with 
sufficient resources to establish and maintain an effective 
agencywide security program? We hold the CIOs' feet to the fire 
every year with our scorecards on FISMA. We hold them 
responsible for agency security. Do they actually have the 
authority to get the job done or do you think this is agency to 
agency?
    General Walker, let me ask you first. You kind of have a 
government-wide perspective.
    Mr. Walker. I think there are variances by agency. I mean, 
one of the keys is that under the legislation, the CIO is 
supposed to be reporting directly to the agency head. Is that 
happening in form or is that happening in substance? Obviously, 
there are different levels of resource allocations, not only 
financial resources but human resources. Do they have enough 
people with the right kind of skills and knowledge to be able 
to get the job done?
    The example I gave earlier when this issue came up, I 
pulled the CIO in my office and talked to him directly about 
what are we doing and everything else we need to do. I don't 
know if that happens----
    Chairman Tom Davis. Let me just get each agency to just 
respond briefly. I mean, how is the relationship with the CIO? 
Do they have the authority they need in your agency?
    Mr. Gray. From the Social Security Administration I think 
they do have the authority--that our CIO does have the 
authority he needs to do the job effectively. I think we also 
have the resources we need within the agency to do that.
    Mr. Galik. Yes, Mr. Chairman, I agree. I think the CIO does 
have that authority and our organization has a direct link to 
the Commissioner of the IRS to pursue anything that needs to be 
pursued.
    Chairman Tom Davis. Mr. Secretary.
    Secretary Nicholson. I would say, Mr. Chairman, the answer 
to VA is no; that the CIO has not enough authority to go with 
his responsibility. But that is in transformation as of last 
October. And we're centralizing the IT function, creating a new 
career field where it has been decentralized out into these 
hundreds of hospitals and the other facilities. We're pulling 
that back in. So that is really progressing and we'll cure 
that.
    Chairman Tom Davis. You've only been there a short time but 
I appreciate the headway you're making there.
    And, Clay, let me just ask you, I mean government-wide you 
see the variance too. You have Karen Evans, I think, in your 
shop that helps oversee this. I know what we need to do and how 
you foster that relationship between the CIO and the agency 
heads; but wouldn't you agree with me that is very critical in 
all of these areas?
    Mr. Johnson. It's critical. I don't think we have a 
resource problem, which is another question you asked. We spend 
$65 billion a year on IT; $4.5 billion of that is on security. 
So we're spending a lot of money on this. The question is are 
we backing it up with the kind of determination that the 
Secretary has demonstrated here to really make that stick, is 
the key.
    Chairman Tom Davis. Let me thank all of you for your time 
here, answering a lot of questions. There's a lot of anxiety 
over this, and we'll continue to monitor it. But you've been 
forthcoming today with your answers and we appreciate it.
    The hearing's adjourned.
    [Whereupon, at 12:33 p.m., the committee was adjourned.]
    [The prepared statements of Hon. Charles W. Dent, Hon. Jean 
Schmidt, Hon. Elijah E. Cummings, and Hon. Wm. Lacy Clay 
follow:]
[GRAPHICS 28759.060 through 28759.065, 28759.068, and 28759.069 OMITTED (TIFF images of the prepared statements)]