Panel to examine VA computer security practices

Hearing will address such issues as whether the veterans’ data stolen in early May from a department employee’s home should have been encrypted.

The committee that gave the Veterans Administration an "F" for its computer security practices plans a hearing June 8 to ask for an update on the department's reforms.

House Government Reform Committee Staff Director Dave Marin said the focus of the hearing will be whether tighter laws are needed to prevent another incident like the security breach in which personal data on 26.5 million veterans was stolen from a department employee's home.

"It's one thing to have regulations on paper and another to police them," Marin said.

Since another hearing last week in the House Judiciary Committee, Congress has updated a data protection bill, H.R. 4127, to include federal agencies, not just private companies. The provision would require written notification of security breaches, but would not subject the feds to the same regulations companies could face.

This week, Veterans Affairs Secretary Jim Nicholson announced Deputy Assistant Secretary Michael McLendon would step down. The data analyst whose laptop and disks were stolen in a home burglary has been dismissed. His acting department head, Dennis Duffy, has been placed on administrative leave.

On Wednesday, Nicholson named attorney Richard Romley as his new special adviser for information security.

Nicholson said he was angry that employees did not tell him of the May 3 burglary until May 16. The public, and veterans, found out about the security problem May 22. Pending legislation would carry fines for companies for every day the public is not notified.

The veterans' department said data containing Social Security numbers was not encrypted.

The hearing will ask whether it should be.

"The cost and speed of encryption need to be considered, but we need to err on the side of protection," Marin said.

"The technology exists today to secure this information," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. He said encryption is much more user friendly than it was three years ago.

Chris Parkerson, a data security manager at RSA Security, said encrypting the personal data on the 26.5 million veterans in such a case would have taken "a matter of seconds."

He said encryption becomes more complicated and slower when the system itself is complicated, as in a financial transaction. Parkerson said companies often try to encrypt too much, such as an entire hard drive, rather than just the personal data. He said that could cause encryption to slow down a process ten times.

But he said solving the problem in the veterans' department security breach is easy -- and cheap.

"There are tons of products on the market that can do that that are very inexpensive. We're talking a few hundred bucks to lock down a few laptops," Parkerson said.

That may be good news, as Nicholson has told Congress the cost of fixing the data theft could be "way north of $100 million."

CSIA said the hope is that this latest security breach will motivate Congress to clean up loopholes in existing federal law on requirements to secure information and notify people of breaches.

"We need clarity on Capitol Hill sooner rather than later," Kurtz said.