Sensitive information on millions of U.S. military personnel and veterans remains at grave risk because of weak security controls that have not yet been fixed, government investigators said Wednesday.
In testimony to Congress, the Government Accountability Office and Veterans Affairs inspector general detailed ignored warnings, weak management and lax rules in their review of VA information security following the theft of 26.5 million military personnel's private data last month.
They found that the Veterans Affairs Department routinely failed to control and monitor employee access to private information, did not restrict users to "need-to-know" data and often waited too long to terminate accounts when an employee quit or was fired.
The investigators also said the VA lacked a clear chain of command in enforcing security, noting the agency will need dramatically stronger leadership under VA Secretary Jim Nicholson to force reform after five years of repeated warnings about security.
Up to now, VA officials have not been held accountable for lax security and "there need to be consequences," the GAO said, without specifying whom.
"Much work remains to be done," Linda Koontz, a director on information management at GAO, told the House Veterans Affairs Committee. "Only through strong leadership, sustained management commitment and effort, disciplined processes, and consistent oversight can VA address its persistent, long-standing control weaknesses."
She explained that the VA culture is highly resistant to change, and that the primary official in charge of security, the chief information officer, lacks power to enforce security rules. "It is up to the secretary to make sure the CIO has the support," Koontz said.
Lawmakers from both parties expressed dismay.
"This was a disaster waiting to happen," said Rep. Bob Filner, D-Calif., the acting top Democrat on the House panel. "Between all the lines, there was a failure of management. At the very top. The secretary hasn't taken control of the problem and he should be held accountable."
Added Rep. Michael Bilirakis, R-Fla.: "In seeing where the buck stops, really it stops with the head of the VA."
Responding to the charges, VA spokesman Matt Burns said Nicholson has worked to centralize control over information security since becoming VA secretary in February 2005.
"The secretary is working diligently to ensure that VA employees are adequately trained in IT security, and that the department continues to aggressively implement stronger policies and procedures to prevent such an unfortunate incident from happening again," Burns said.
Congress is trying to determine whether the VA took proper steps to guard against the unauthorized disclosure of personal information in what has become one of the nation's largest security breaches. The May 3 theft at a VA data analyst's home involved names, birth dates and Social Security numbers.
The agency has acknowledged that the longtime midlevel employee — who has since been fired — improperly took the information home on an unsecured personal laptop for three years, apparently without his supervisor's knowledge.
Since then, Nicholson has pledged several security initiatives, including additional training and a ban on employees using personal laptops to access the VA network. He also has hired a former Arizona prosecutor, Richard Romley, as a special adviser for information security, a new three-month post that will make additional recommendations.
But in their testimony Wednesday, government investigators said the problem was long-standing and much more widespread.
They pointed to repeated occasions in the last year in which VA employees passed along veterans' medical information via unencrypted e-mail or were allowed to freely log into the VA secure network in their off-duty hours or even after they've been terminated.
In other instances, files were not adequately segregated or password-protected, making it easy for hackers to access the sensitive information.
When the VA was told of problems over the years, often it would make spotty improvements but fail to address reform agency-wide. The agency also has yet to put in place a security response program to monitor suspicious logon activity, said Michael Staley, an assistant VA inspector general.
"These conditions place sensitive information, including financial data and sensitive veteran medical and benefit information, at risk, possibly without detection of inadvertent or deliberate misuse, fraudulent use, improper disclosure or destruction," Staley said.
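The testimony above faults two concrete gaps: accounts that stay active after an employee leaves, and no program to monitor suspicious logon activity such as off-hours or post-termination logins. The following is an added illustration, not code or data from the VA, the GAO or the inspector general, of what a minimal review of that kind looks like: it reads constructed authentication log lines, cross-checks them against a constructed HR roster, and flags logons from terminated accounts, logons outside an assumed business-hours window, and accounts that should have been disabled but were not. The roster format, the log format and the 07:00 to 18:59 window are all assumptions made for the example.

```python
"""Flag suspicious logons and overdue account disables.

Added example for illustration; the roster, log lines, and business-hours
policy below are constructed, not taken from any real system.
"""
from datetime import datetime

# Constructed HR roster: username -> termination date (None means active).
TERMINATED = {
    "jdoe": datetime(2006, 4, 15),   # left on 2006-04-15
    "asmith": None,
    "bjones": None,
}

# Constructed set of accounts still enabled in the directory.
ENABLED = {"jdoe", "asmith", "bjones"}

# Constructed authentication log, one event per line: "<ISO timestamp> <user> <action>".
SAMPLE_LOG = """\
2006-05-01T09:15:00 asmith LOGIN_OK
2006-05-01T23:40:00 bjones LOGIN_OK
2006-05-02T10:05:00 jdoe LOGIN_OK
2006-05-03T08:30:00 asmith LOGIN_OK
2006-05-04T02:10:00 jdoe LOGIN_FAIL
"""

# Assumed policy window for normal interactive use: 07:00 through 18:59.
BUSINESS_HOURS = range(7, 19)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action = line.split()
        events.append({"time": datetime.fromisoformat(ts),
                       "user": user, "action": action})
    return events


def find_suspicious(events, roster, business_hours=BUSINESS_HOURS):
    """Return (timestamp, user, action, reasons) for every event that is
    from an unknown account, a terminated account, or outside business hours.
    Failed logons are flagged too; a terminated user trying to log in is
    worth knowing about even when the attempt does not succeed."""
    findings = []
    for e in events:
        reasons = []
        if e["user"] not in roster:
            reasons.append("unknown-account")
        else:
            term = roster[e["user"]]
            if term is not None and e["time"] >= term:
                reasons.append("terminated-account")
        if e["time"].hour not in business_hours:
            reasons.append("off-hours")
        if reasons:
            findings.append((e["time"].isoformat(), e["user"],
                             e["action"], reasons))
    return findings


def stale_accounts(roster, enabled, as_of):
    """Accounts whose owner has been terminated as of `as_of` but which are
    still enabled, i.e. the disable step was missed or is overdue."""
    return sorted(user for user, term in roster.items()
                  if term is not None and term <= as_of and user in enabled)


if __name__ == "__main__":
    for finding in find_suspicious(parse_log(SAMPLE_LOG), TERMINATED):
        print("SUSPICIOUS", *finding)
    print("STALE", stale_accounts(TERMINATED, ENABLED, datetime(2006, 5, 1)))
```

On the constructed input this flags three events: the 23:40 logon by bjones (off-hours), the successful logon by jdoe two weeks after termination, and jdoe's failed attempt at 02:10 (both terminated-account and off-hours), and it reports jdoe as an account that should already have been disabled. In a real deployment the roster would come from the HR or identity-management system and the log from the authentication servers, but the joins are the same.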