When data walks

After VA's loss, agencies revisit the job of controlling data, people

'The reorganization and consolidation of the infrastructure ... will give them a better opportunity to put good controls in place.'

Henrik G. de Gyor

The recent theft of data on 26.5 million veterans sends agencies a chilling message: Lock down your own data security and privacy policies immediately or you might wind up with confidential data walking out your own door. The Veterans Affairs Department probably is not the only agency whose security and privacy policies have gaping holes, government and industry experts agree.

The Office of Management and Budget said as much in a memo to agencies shortly after VA announced the theft of electronic data late last month.

OMB urged agencies to scrutinize all administrative, technical and physical means to safeguard personally identifiable information, correct any gaps, and remind all employees of their responsibility to protect that information and the penalties for violating the rules.

Federal privacy and security policies are based in large part on the Privacy Act of 1974, the E-Government Act of 2002 and the Federal Information Security Management Act. Agency officials are to detail any corrective actions in their annual FISMA reports.

'Securing private and sensitive information requires constant vigilance. All agencies must continually work to ensure that they are FISMA compliant, and that means training employees to comply with tough security measures,' an OMB spokeswoman said.

Despite its quick reaction to the announcement of the data theft, OMB privacy guidance generally remains vague, said Ari Schwartz, associate director for the Center for Democracy and Technology.

The Government Accountability Office has written time and again that OMB should demonstrate stronger leadership in telling agencies what they need to do, he said.

Clear policies needed

'OMB needs to go back and review general privacy policy, make it more clear, and provide best practices,' Schwartz said.

The credibility of an agency's privacy and security depends in large part on employees adhering to policies and procedures. If agencies are decentralized, as VA is, compliance is a matter of supervisors and assistant secretaries vouching for their adherence, but no central office enforces them. Even though OMB required agencies to name a chief privacy officer in February 2005, most experts agree it hasn't made a big difference.

And VA's experience demonstrates that policies without teeth can't keep sensitive data safe.

VA secretary Jim Nicholson told lawmakers that employees have not followed some of his predecessors' directives, 'directives that some employees did not interpret as being mandatory or operative to them.' VA reps vowed to tighten data security policies immediately.

'I can promise you that we will do everything in our power to make clear what is appropriate and inappropriate use of data by our employees,' he told lawmakers at a recent House Veterans Affairs Committee hearing.

Fallout from the breach claimed its first personnel casualty last week, when deputy assistant secretary for policy Mike McLendon resigned effective June 2. VA also placed acting assistant secretary for policy and planning Dennis Duffy on administrative leave. He was replaced by Paul Hutter, assistant general counsel for management and operations.

VA also has begun procedures to dismiss the data analyst who caused the data breach by taking the files home; the data was stolen along with a notebook PC and disks when his home was burglarized in early May. The data contained the names, Social Security numbers, dates of birth, and, in many cases, the addresses and telephone numbers of veterans discharged since 1975, and of some spouses a VA spokesman said. Some deceased veterans' data also was included.

But in a May 5 memo, VA privacy officer Mark Whitney said that the data was stored in a specialized format used for manipulation and analysis, and likely would have been difficult for the thieves to access.

Members of Congress were unanimous during recent hearings in their concern that agencies across government fail to adequately safeguard personal data.

'It could just as easily have involved other departments and agencies. I believe the data breach is indicative of broader information security and privacy problems throughout the government,' said Sen. Daniel Akaka (D-Hawaii), ranking member of the Senate Veterans' Affairs Committee.

Other agencies also could be at risk, said Sen. Ken Salazar (D-Colo.), a member of the Senate Veterans Affairs Committee. What was impossible 20 years ago to do with the data of 26.5 million people is now very possible, he said.

'Part of what we are seeing here is that policy and oversight of information has not kept pace with technological capacity,' he said.

Sen. John Isakson (R-Ga.), a member of the Senate veterans' committee, urged a governmentwide rule that any breach of secure information should be immediately reported to the department secretary.

VA, ironically, may already have a plan, said Robert McFarland, former VA CIO who left April 28.

The theft occurred just as VA was taking the first steps to change the decentralized structure of its IT organization. VA has begun to centralize IT operations and budget authority under the department CIO, as Congress mandated last fall. IT development will remain with VA's health, benefits and burial administrations.

CIO controls hardware, OSes

All computing assets and operating system software are moving under the department CIO's office. One of the benefits is that VA will apply access controls, encryption techniques and digital safeguards across the department, McFarland said.

'They're on the right track with the reorganization and consolidation of the infrastructure, because that will give them a better opportunity to put good controls in place,' he said, expressing confidence that VA would make the needed changes. Robert Howard, who had been responsible for the office since McFarland resigned, has been named acting CIO.

It's been difficult to implement controls consistently in an environment where individual administrations owned their own data and infrastructure, he said. And it's very difficult to know when someone is not following policies'such as encrypting data when it leaves the premises'when there is no control of the assets and access.

'You can train and train and train. But you don't know how often those kinds of situations are violated by not having the ability to monitor, because the infrastructure is so widely spread,' McFarland said.

House Veterans' Affairs Committee chairman Steve Buyer (R-Ind.), author of the legislation to centralize VA's IT authority, said VA's decentralized structure directly contributed to the lax data security and length of time it took to notify the chain of command. VA has been unable to enforce privacy and security because no one person or office has final authority, he said.

Nicholson last week hired Richard Romley, former county attorney in Maricopa County, Ariz., to serve as his special adviser for information security. He will focus only on information security and report directly to Nicholson.

Buyer believes other agencies should also centralize their IT environment.

'There should be a presidential directive to empower CIOs to have authority over plans and budgets,' he said after a recent hearing.

Buyer, however, foresees problems with VA's federated plan of centralization because its stovepiped administrations will still own IT development.

'That's where the problems have been occurring. You have too many keys out there,' he said, adding IT development should also be under the department CIO.

Buyer plans to hold his next hearing related to the data theft before the VA inspector general reports on his administrative investigation, and he will call former VA CIOs John Gauss and McFarland to testify.

The theft occurred in early May after the VA data analyst took sensitive electronic data to his home in Montgomery County, Md. The analyst had taken data home over the last three years to work on data-intensive projects. He had authority to access the confidential data but not to take it from the department, Nicholson said.

'You have a [department] cybersecurity organization that theoretically can enforce, but they don't control the assets or [individual administration] security folks, so they don't have control,' McFarland said.

Other agencies are decentralized in their systems and controls, and there are many legacy systems in stovepiped environments similar to VA, McFarland said.

'Everyone's going to be forced to look at this,' he said.

Additionally, privacy policy in VA does not reside with security but within the policies and plans organization. Despite a policy that data should be encrypted if taken outside the network, there was no ability to enforce or provide checks and balances, said a government source who did not wish to be named.

'It was just another policy that people may have been aware of,' the source said.
Under IT centralization, privacy will come under the CIO's operational governance and be subject to enforcement by VA's Office of Cyber and Information Security, but it will take time, McFarland said.

'The problem is, no one knows where privacy fits. It's probably different in different agencies,' the government source said.

Across government, agencies need to get better control over their policies to safeguard personally identifiable information, CDT's Schwartz said. To start with, they have to know where all their information resides.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above