On the 62nd anniversary of D-Day, June 6, 1944, when the United States Armed Forces, as part of the Allied Forces including Britain and Canada, landed on the beaches of Normandy, France and helped free France and much of Europe from the strongholds of Nazi Germany, there is no better time to remember the sacrifices of all U.S. military members and their families. Such sacrifice should serve as a reminder that it is the absolute obligation of the U.S. government and its people not only to honor their memories, but to assure them the security of their most vital information, whether they are still serving in the armed forces or are retired military.
However, all U.S. veterans discharged after 1975 learned just prior to Memorial Day 2006 that their most crucial personal information from the Department of Veterans Affairs had been stolen and still remains in the public domain. The revelation, announced by Secretary of Veterans Affairs R. James Nicholson on May 22, 2006, was that names, dates of birth and Social Security numbers, including phone numbers and addresses, had been stolen on as many as 26.5 million service members and some of their spouses. Even that announcement did not include the total amount of information, or the number of other service members whose information was taken, that has since been discovered.
It all started on May 3, 2006, when a 30-year career senior-level information technology specialist in the Office of Policy of Veterans Affairs (VA) violated security procedure. He took home a laptop computer, which belonged to the VA. He had been working on an annual study about veterans’ demographics. It was also revealed that, unbeknownst to his supervisors, he had been doing so for three years, including downloading unencrypted information from his home.
The laptop contained a hard drive with the information, and he also took home computer disks and a flash memory stick. The employee reported the purported break-in of his Aspen Hill, MD home to the local Montgomery County police, and reported the theft to Michael H. McLendon, VA Deputy Assistant Secretary for Policy, shortly after it occurred. Law enforcement considers the theft to be a random burglary, but in its ramifications the theft represents the largest personal identification breach that includes Social Security numbers in U.S. history, in either the public or private sector.
Also, the timeline of notifications within the chain of command at the VA has only added to criticism of the questionable and lax fundamental security at the VA, documented for at least five years. On May 5, 2006, Dennis M. Duffy, Acting Assistant Secretary for Policy Planning and Preparedness, was told of the theft. On May 9, 2006, Duffy informed VA Chief of Staff Thomas Bowman and suggested that senior management notify veterans that security on their information had been compromised. But Bowman waited until May 10, 2006 to inform Deputy Secretary Gordon Mansfield, the VA’s No. 2 official. Neither Duffy nor Mansfield advised Secretary Nicholson until May 16, 2006.
VA Inspector General, George Opfer, testified on May 25, 2006 before the House of Representatives Committee on Veterans’ Affairs, the Senate Veterans’ Affairs Committee as well as the Senate Committee on Homeland Security and Governmental Affairs, stating that “while attending a routine meeting at the VA’s Central Office, heard another Information Security Officer that a VA employee’s home had been burglarized and that VA electronic records may have been stolen.” Obviously IG Opfer was spared the information as well.
IG Opfer put in motion a criminal investigation on May 12, 2006 within the VA and the employee was interviewed on May 15, 2006. The local police had been investigating the theft since May 3, 2006 but the Federal Bureau of Investigation (FBI) was not apprised until May 17, 2006, the day after Nicholson was advised. Nicholson then briefed U.S. Attorney General, Alberto Gonzales, the Chairman of the Federal Trade Commission, Deborah Platt Majoras, along with co-chairs of the President’s Identity Theft Task Force. And lastly, the U.S. Congress was advised on May 22, 2006 when the public announcement was made.
Now the details of this timeline may seem like more information than one need know; however, they are indicative of the dysfunction of information oversight and security controls, including the chain of command, which exists within the culture of the VA and its 235,000 employees. Since the initial speculation of missing information, it has been learned that additional identifications of numerous other veterans as well as active-duty personnel are also missing. The data includes personnel discharged prior to 1975 who put in claims to the VA for any number of services, disabled veterans discharged prior to 1975 who receive healthcare through the VA, over 6,700 records of World War II veterans who participated in chemical testing programs for mustard gas and biological weaponry, along with diagnostic codes pertaining to an unidentified number of disabled veterans.
The active-duty personnel information considered missing as of June 6, 2006 now includes more than 1 million National Guard and Army Reserve members, which includes at least 55,000 serving at least their second active-duty tours in Iraq and at least 30,000 active-duty Navy personnel who completed their first enlistment terms prior to 1991. But now it is confirmed that as many as 1.1 million active-duty troops from all of the armed forces are at risk of identity theft.
Since the theft findings, the data analyst has been fired with full benefits and severance pay, Deputy Assistant Secretary McLendon has resigned from his post, and Acting Assistant Secretary Duffy, acting head of the Division for Policy Planning and Preparedness, has been put on administrative leave. Secretary Nicholson, serving as Secretary of the VA since 2005, has also hired Rick Romley as his new advisor for information security, who will assist Nicholson with reforming the VA’s policies and procedures on information security for a minimum period of three months. Romley is a former Maricopa County, AZ attorney, Vietnam veteran and high-profile former Republican National Party Chairman in the state of Arizona.
The long history of security flaws within the VA does not come as news to many within the Government Accountability Office (GAO), or within the VA’s Office of the Inspector General. And for that reason, it is even more difficult for lawmakers to fathom. “The chronology that you gave us is absolutely baffling. It’s just inconceivable that there were such long delays,” stated Senator Susan Collins (R-Maine), Chairwoman of the Senate Homeland Security and Governmental Affairs Committee, during IG Opfer’s May 25th testimony before the committee.
Senator Collins’ remarks are all the more remarkable given other occasions over the past year when she and her committee have used such phraseology about other bureaucratic missteps: during the testimony of the former Director of the Federal Emergency Management Agency (FEMA), Michael Brown, on Hurricane Katrina recovery efforts, and during hearings regarding the Committee on Foreign Investment in the U.S. (CFIUS) and its approval of the government of Dubai’s purchase of several U.S. ports’ operations without considering its full ramifications or advising members of Congress.
The VA was among eight agencies given a failing grade for computer security practices in 2005 by the GAO. But since 2001 the VA Inspector General’s Office has advised the VA that its information access controls are materially weak, creating substantial risk and serious vulnerabilities which remain uncorrected.
Such vulnerabilities are far simpler to correct than one might think, as the failure to encrypt files sent electronically or placed on disks and the allowance of access to information by unauthorized personnel are among the VA’s security violations. And although federal privacy security policies are based upon the Privacy Act of 1974 and the 2002 Federal Information Security Management Act, with further legislation pending, it remains up to employees to adhere to policies and procedures, no matter how many more are put in place.
Due to the interconnectivity of massive federal agencies, diligence in protecting data and computer systems becomes even more necessary. In fact, had the employee who took the laptop not reported the theft, there would have been no way for the VA to have known of the breach of information. Yet, given that each agency has its own policies in place concerning data protection, the differences in practice are wide ranging. The Senate is looking to centralize such data protections not only within an agency but federally, as well as to require notifications to those whose information has been breached. Such notification is presently required only by a handful of states, and only with respect to the financial industry or data credit brokers.
It is, however, important to note other cases of security breaches within the VA over the past few years. In April 2006 military computers containing personnel records were found being sold at a bazaar outside a U.S. military base in Afghanistan. In September 2005, thieves stole personnel information on deployed soldiers from Fort Carson, CO. Records on more than 560,000 troops, veterans and dependents were stolen in December of 2002 from computers at a healthcare provider located in Arizona. All such data was in unencrypted databases. In addition, military personnel’s physical papers and IDs have been stolen from military personnel outside of as well as within the VA.
The costs of setting up systems to notify military personnel, helping military personnel access credit reports, and providing the help they may need in becoming whole again, should identity theft occur and result in damaged credit and loss of identity, are initially estimated at between $25 million and $100 million. And unfortunately, the funding will be coming out of the Veterans Affairs budget, when over the next five years the 2007 pending legislation will call for over $8 billion less in allocations, needed to build hospitals and new clinics now. With nearly 20,000 wounded already from the War in Iraq, it is inconceivable to be cutting budgets at this time at the VA.
The severity of the VA breach is much clearer when compared with a stolen credit card number. Usually the victim need only cancel the credit card account. But with a birth date combined with a Social Security number, the thief not only has access to one’s assets but can also continue to borrow funds, take out a mortgage and establish additional credit card accounts. Additionally, legal status can be assumed by those not legally in the U.S. through the theft of one’s Social Security number.
Secretary Nicholson has since directed all VA employees to complete the annual VA Cyber
Sadly, these measures were meant to have been followed all along. And now, at this late date, they are of little consolation for our present and fallen heroes.
Copyright ©2006 Diane M. Grassi