Auditors blame VA data breach on security flaws

Inspector general reports have noted information security vulnerabilities at the agency since 1997.

Long-standing weaknesses in the Veterans Affairs Department's information security systems were responsible for a massive data breach last month and its systems remain at risk, government auditors told a congressional panel Wednesday.

Since fiscal 1997, the VA's Inspector General Office has cited weak information security controls at the department. Both the IG and Government Accountability Office officials testified at the House Veterans' Affairs Committee hearing that the department has failed repeatedly to fully implement recommendations for improvement.

Michael Staley, VA assistant inspector general for auditing, told lawmakers that his office will be issuing a report in July regarding the scope of the early May incident. Previously, he said, individual IT centers within the department focused on resolving IG suggestions, but those recommendations were never implemented departmentwide.

"We continue to report these systemic issues," Staley said. "You need a comprehensive report to be sure that these recommendations are implemented at each [agency] site."

A 34-year VA employee had been taking agency data to his Aspen Hill, Md., home without authorization for three years until May 3, when his personal computer and an external hard drive were stolen. They contained personal information about 26.5 million people, including most of the nation's veterans and active-duty military service members.

VA officials took steps late last month to initiate the employee's firing, along with that of senior officials responsible for overseeing him.

GAO, the IG office and former administration officials have long recommended that the VA pursue a more centralized approach to managing technology -- a suggestion that has been a source of contention on Capitol Hill and within the department.

The department's "federated" IT management model, adopted last year, gives the chief information officer line-item budget control, but critics, including House Veterans' Affairs Committee Chairman Steve Buyer, R-Ind., argue that the department needs to move toward a centralized model.

Linda Koontz, GAO's director of information management issues, said in her testimony (GAO-06-866T) that the department's CIO needs veto authority over department procedures "that just don't make sense."

"I think it is up to the secretary to make sure that the CIO has the support to make the realignment happen," she said at Wednesday's hearing.

Buyer said Congress may need to strengthen the enforcement side of the law governing federal computer security -- the 2002 Federal Information Security Management Act -- because there are no consequences for noncompliance.

"This is not something that can be quickly fixed," Buyer said. "The VA's internal controls have been grossly inadequate for a number of years."

Last week, VA Secretary James Nicholson told reporters that the incident was a result of "one person, by being careless, violating our procedures."

Rep. Bob Filner, D-Calif., who has called for Nicholson's resignation, said the agency's response to the data breach has been "pathetic" and the incident has become "the Katrina of the Veterans Administration."