VA info security chief says he had impossible task

The chief information security officer for the Veterans Affairs Department, who resigned Thursday and was subsequently placed on paid administrative leave for his final two weeks of employment, said Friday that he had been prevented from fixing the department's information security weaknesses.

CISO Pedro Cadenas, in an interview with Government Executive, said that the department's recently crafted IT policy changes placed the responsibility for fixing years of neglect directly on his shoulders.

"I just can't do this anymore," Cadenas said. "My conscience and professionalism will not let me stay …. If these agencies want to hire security people they need to let them do their job."

Cadenas said that in three years and seven months working to change the department's IT security policies and procedures, he was never given authority to implement any improvements.

He said last month's data theft incident only exacerbated his frustration with being cut out of the decision-making process. He added that during his tenure at the department, he met VA Secretary James Nicholson only once, at a social event. After Cadenas introduced himself, Nicholson reportedly said that he heard that Cadenas' job was important.

"The department has no interest in doing the right thing," Cadenas said. "I was trained to do things the right way, not the good old boy way. I am having personal difficulty looking veterans in the eye and telling them that things will be OK."

He said he decided to resign Wednesday night and has no future job opportunities lined up.

A June 28 directive from Nicholson gives additional powers to the VA's chief information officer, in addition to the authority granted in the department's IT reorganization. It delegates "complete responsibility and complete authority," including that for establishing system access standards, ordering departmentwide compliance and reporting any failures to comply.

Cadenas, who worked directly for the CIO, said much of that responsibility would have been in turn delegated to him.

Nicholson said Thursday that the department is "really making some changes to the system" of information security and the handling of information in response to last month's catastrophic data breach.

"It's not going to surprise me if there are other people that choose to resign because their lifestyle or habits of work are going to change," Nicholson said. "There are some people that will decide to accommodate that, and there are some that will decide not to."

Cadenas' resignation is effective July 13 but, he said, acting VA Chief Information Officer Bob Howard called him Friday morning and informed him that he was being placed on administrative leave for his remaining time because "they thought it was within the best interest of the department."

House Veterans' Affairs Committee Chairman Steve Buyer, R-Ind., said he "can't blame [Cadenas] for resigning."

"If it is the people who are supposed to be perfecting these changes and they are fighting against the culture and they are the ones who are leaving, maybe the wrong people are leaving," Buyer said.

Cadenas' hasty departure comes amid questions regarding VA's attempt to fire the employee responsible for the data breach last month that exposed sensitive personal information on 26.5 million veterans. The laptop computer and external hard drive stolen from the employee's home in early May have since been recovered, and it does not appear the data was accessed.

Lawmakers on Thursday largely approved of the VA's efforts to resolve long-standing information security weaknesses, but questioned the wisdom and legal authority of the department to dismiss the 34-year GS-14 data analyst.

They expressed concern that the employee is being unfairly blamed for the incident by VA political appointees and said the attempt to dismiss him for "gross negligence" and the unauthorized removal of agency equipment will create a chilling effect on other employees' willingness to come forward with information on future data breaches.

A VA chronology of the incident shows that the employee informed his supervisors within one hour of discovering that the computer and external hard drive containing the data had been stolen. It took VA officials 13 days to notify Nicholson.

Internal agency documents reveal that the employee had approval from agency officials as early as 2002 to use the software designed to work with the large data files from home and access the Social Security numbers. He also had permission to take the laptop computer and hard drive out of the agency's headquarters.

Nicholson said Thursday that the employee, who has retained an attorney, will receive the "fair hearing that he's entitled to."

Nicholson said he wanted to avoid putting "a chilling effect on others that may make a mistake," inhibiting them from coming forward.

Amid the news Thursday that the stolen equipment had been recovered came the revelation that two additional security breaches at the VA had occurred. Nicholson told lawmakers that two veterans' identifications were misused after data on 66 veterans was stolen from an auditor's car in Minneapolis in 2005. The auditor locked a laptop and paper files in a trunk, and the car was stolen.

Then on May 5, a tape containing information on 16,500 legal cases went missing from an Indianapolis regional counsel's office. Nicholson assured lawmakers that the veterans involved in the cases have been notified and will be eligible for credit monitoring and insurance.

Buyer asked VA officials if anyone else knew of other data breaches that had not been brought to the attention of Congress. Deputy Secretary Gordon Mansfield said yes, and CIO Howard brought a list to the witness table.

Buyer asked how many incidents, and when it became clear Mansfield could not calculate that, he asked how many pages of potential incidents VA is investigating. Mansfield flipped through 10 pages, counting out loud.

Heather Greenfield of National Journal's Technology Daily contributed to this report.
