VA info security chief says he had impossible task

The chief information security officer for the Veterans Affairs Department, who resigned Thursday and was subsequently placed on paid administrative leave for his final two weeks of employment, said Friday that he had been prevented from fixing the department's information security weaknesses.

CISO Pedro Cadenas, in an interview with Government Executive, said that the department's recently crafted IT policy changes placed the responsibility for fixing years of neglect directly on his shoulders.

"I just can't do this anymore," Cadenas said. "My conscience and professionalism will not let me stay …. If these agencies want to hire security people they need to let them do their job."

Cadenas said that in three years and seven months working to change the department's IT security policies and procedures, he was never given authority to implement any improvements.

He said last month's data theft incident only exacerbated his frustration with being cut out of the decision-making process. He added that during his tenure at the department, he met VA Secretary James Nicholson only once, at a social event. After Cadenas introduced himself, Nicholson reportedly said that he heard that Cadenas' job was important.

"The department has no interest in doing the right thing," Cadenas said. "I was trained to do things the right way, not the good old boy way. I am having personal difficulty looking veterans in the eye and telling them that things will be OK."

He said he decided to resign Wednesday night and has no future job opportunities lined up.

A June 28 directive from Nicholson gives additional powers to the VA's chief information officer, in addition to the authority granted in the department's IT reorganization. It delegates "complete responsibility and complete authority," including that for establishing system access standards, ordering departmentwide compliance and reporting any failures to comply.

Cadenas, who worked directly for the CIO, said much of that responsibility would have been in turn delegated to him.

Nicholson said Thursday that the department is "really making some changes to the system" of information security and the handling of information in response to last month's catastrophic data breach.

"It's not going to surprise me if there are other people that choose to resign because their lifestyle or habits of work are going to change," Nicholson said. "There are some people that will decide to accommodate that, and there are some that will decide not to."

Cadenas' resignation is effective July 13 but, he said, acting VA Chief Information Officer Bob Howard called him Friday morning and informed him that he was being placed on administrative leave for his remaining time because "they thought it was within the best interest of the department."

House Veterans' Affairs Committee Chairman Steve Buyer, R-Ind., said he "can't blame [Cadenas] for resigning."

"If it is the people who are supposed to be perfecting these changes and they are fighting against the culture and they are the ones who are leaving, maybe the wrong people are leaving," Buyer said.

Cadenas' hasty departure comes amid questions regarding VA's attempt to fire the employee responsible for the data breach last month that exposed sensitive personal information on 26.5 million veterans. The laptop computer and external hard drive stolen from the employee's home in early May have since been recovered, and it does not appear the data was accessed.

Lawmakers on Thursday largely approved of the VA's efforts to resolve long-standing information security weaknesses, but questioned the wisdom and legal authority of the department to dismiss the 34-year GS-14 data analyst.

They expressed concern that the employee is being unfairly blamed for the incident by VA political appointees and said the attempt to dismiss him for "gross negligence" and the unauthorized removal of agency equipment will create a chilling effect on other employees' willingness to come forward with information on future data breaches.

A VA chronology of the incident shows that the employee informed his supervisors within one hour of discovering that the computer and external hard drive containing the data had been stolen. It took VA officials 13 days to notify Nicholson.

Internal agency documents reveal that the employee had approval from agency officials as early as 2002 to use the software designed to work with the large data files from home and access the Social Security numbers. He also had permission to take the laptop computer and hard drive out of the agency's headquarters.

Nicholson said Thursday that the employee, who has retained an attorney, will receive the "fair hearing that he's entitled to."

Nicholson said he wanted to avoid putting "a chilling effect on others that may make a mistake" inhibiting them from coming forward.

Amid the news Thursday that the stolen equipment had been recovered came the revelation that two additional security breaches at the VA had occurred. Nicholson told lawmakers that two veterans' identifications were misused after data on 66 veterans was stolen from an auditor's car in Minneapolis in 2005. The auditor locked a laptop and paper files in a trunk, and the car was stolen.

Then on May 5, a tape containing information on 16,500 legal cases went missing from an Indianapolis regional counsel's office. Nicholson assured lawmakers that the veterans involved in the cases have been notified and will be eligible for credit monitoring and insurance.

Buyer asked VA officials if anyone else knew of other data breaches that had not been brought to the attention of Congress. Deputy Secretary Gordon Mansfield said yes, and CIO Howard brought a list to the witness table.

Buyer asked how many incidents, and when it became clear Mansfield could not calculate that, he asked how many pages of potential incidents VA is investigating. Mansfield flipped through 10 pages, counting outloud. Heather Greenfield of National Journal's Technology Daily contributed to this report.