Security issues dominate confirmation of VA technology chief
- By Wilson P. Dizard III
- Sep 26, 2006
The Senate Veterans' Affairs Committee likely will vote later today to confirm Robert T. Howard as the Veterans Affairs Department's assistant secretary for information and technology and CIO, according to committee chairman Larry E. Craig (R-Idaho).
But committee members of both parties emphasized during a confirmation hearing this morning that their committee expects improvements in the scandal-prone department's headline-grabbing IT security lapses.
Craig cited IT security lapses
in recent months ranging from mislaid veterans' data, poor data security at the department's contractors and insecure notebook PCs.
'If you are confirmed, you will be expected to lead VA in certain areas, not just support the agency's mission,' Craig told Howard at the hearing. 'Most importantly, you will be expected to bring VA up to the 'gold standard' of federal IT security that secretary [R. James] Nicholson has said he expects to achieve.'
Howard has performed many CIO duties
since Nicholson appointed him supervisor of the Office of Information and Technology when the previous technology chief, Robert McFarland, left in April.
Formerly, Howard was a member of the U.S. Army for 33 years. He retired as a major general. Later, Howard went to work as a vice president and general manager at Cubic Corp. of San Diego.
In his testimony and during a question and answer session with the committee members, Howard presented the department's latest version of its IT security upgrade plan, now known as the Data Security-Assessment and Strengthening of Controls Program. 'This is VA's high-priority program designed to remedy the many security deficiencies that have been uncovered,' Howard told the panel.
Chairman Craig confronted Howard, saying, 'Let's cut to the chase. Some people are arguing that these 322 [IT security upgrade] tasks are simply rearranging the deck chairs on the Titanic.'
Howard responded, 'That is absolutely not the case.' He described how the department's leadership has been conducting a series of briefings presented by the directors of its various divisions at which the officials describe the status of IT security in their organizations.
'We have left the [Veteran's Health Administration] for last [in the briefing series] because they have a huge amount of contracts,' Howard said. The briefing series also will cover VA contractors, he said.
Howard emphasized various steps that the department has taken already to upgrade its IT security, including installing encryption software on some 15,000 notebooks. According to Howard, only a few hundred department notebooks have not yet been encrypted, as a result of software conflicts, and that problem is being worked out.
But congressional sources said Howard's count of the unsecured notebooks was misleading because it did not include privately owned computers that can access the VA network.
Howard said the department plans to replace those notebooks with government-furnished equipment in fiscal 2007.
The department also has upgraded its process for reporting data security breaches, Howard said. 'Our guidance to the field is when there is doubt, report it and we will deal with it,' he said. Information about security breaches goes up to the deputy secretary and VA secretary offices, as well as to the national Computer Emergency Response Team, Howard said.
Howard cited other IT security upgrades such as automated methods of scanning USB ports and preventing their use to transfer data. 'But you have to be careful about that, because you don't want to shut down a hospital.'
After summarizing the department's various technical projects to improve its IT security, Howard said, 'This is a people issue. We can go nuts with technology but this is a people issue,' he said, emphasizing steps to improve security awareness.
Howard conceded that the department is not progressing quickly to synchronize its systems with the Pentagon's. 'We have not put enough emphasis on that,' he said.
Howard defended the department's IT centralization plans under questioning by Sen. Patty Murray (D-Wash.), who asked if the plan would drive a wedge between the IT staff and other department officials. Howard responded that the department's staff, especially the physicians, had been assured that they would continue to receive IT support.
'The fact of the matter is that [the centralization plan's success] boils down to performance,' Howard said. 'The physicians want performance.'