[Senate Hearing 109-772]
[From the U.S. Government Publishing Office]
S. Hrg. 109-772
NOMINATION OF ROBERT T. HOWARD TO BE ASSISTANT SECRETARY FOR
INFORMATION AND TECHNOLOGY, DEPARTMENT OF
VETERANS AFFAIRS
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON VETERANS' AFFAIRS
UNITED STATES SENATE
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 26, 2006
__________
Printed for the use of the Committee on Veterans' Affairs
Available via the World Wide Web: http://www.access.gpo.gov/congress/senate
U.S. GOVERNMENT PRINTING OFFICE
32-202 PDF WASHINGTON : 2007
COMMITTEE ON VETERANS' AFFAIRS
Larry E. Craig, Idaho, Chairman
Arlen Specter, Pennsylvania
Kay Bailey Hutchison, Texas
Lindsey O. Graham, South Carolina
Richard M. Burr, North Carolina
John Ensign, Nevada
John Thune, South Dakota
Johnny Isakson, Georgia
Daniel K. Akaka, Hawaii, Ranking Member
John D. Rockefeller IV, West Virginia
James M. Jeffords, (I) Vermont
Patty Murray, Washington
Barack Obama, Illinois
Ken Salazar, Colorado
Lupe Wissel, Majority Staff Director
Bill Brew, Minority Staff Director
C O N T E N T S
----------
September 26, 2006
SENATORS
Craig, Hon. Larry E., Chairman, U.S. Senator from Idaho
Isakson, Hon. Johnny, U.S. Senator from Georgia
Murray, Hon. Patty, U.S. Senator from Washington
Salazar, Hon. Ken, U.S. Senator from Colorado
Prepared statement
WITNESSES
Howard, General Robert T., Nominee to be Assistant Secretary for
Information and Technology, Department of Veterans Affairs
Prepared statement
Questionnaire
NOMINATION OF ROBERT T. HOWARD TO BE ASSISTANT SECRETARY FOR
INFORMATION AND TECHNOLOGY, DEPARTMENT OF
VETERANS AFFAIRS
----------
TUESDAY, SEPTEMBER 26, 2006
U.S. Senate,
Committee on Veterans' Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 10 a.m., in room
SR-418, Russell Senate Office Building, Hon. Larry E. Craig,
Chairman of the Committee, presiding.
Present: Senators Craig, Isakson, Murray, and Salazar.
OPENING STATEMENT OF HON. LARRY E. CRAIG, CHAIRMAN, U.S.
SENATOR FROM IDAHO
Chairman Craig. Good morning, ladies and gentlemen, and
welcome to the Senate Committee on Veterans' Affairs.
The Committee meets this morning to consider the nomination
of Robert Howard to serve as Assistant Secretary for
Information and Technology at the Department of Veterans
Affairs.
Not long ago, I think if I had asked a group of veterans or
Senators what the most important positions at the Department
were, I would probably have heard Secretary, Under Secretary
for Health and Benefits, and maybe Assistant Secretary for
Financial Management. And while all of those positions are
still of utmost importance to the operation of VA, I think all
of us here today would concede that the job for which we are
now considering this nominee has taken an increased
significance.
I am not just speaking of the high-profile lapses of IT
security that may have made the news lately. They are
important, too, and I will touch upon them in a moment. But, I
am talking about the reality that VA would probably come to a
grinding halt without all of the IT services that make it run
every single day. Whether it is online application for health
care services and benefits, electronic transfers of payments to
our deserving beneficiaries, or the highly touted electronic
health records system that has brought VA national acclaim. VA
simply cannot live without IT every moment of every day. It is,
as they say in management terms, an essential support function.
Having said that, General Howard, if you are confirmed, you
will be expected to lead VA in certain areas, not just support
the agency's mission. Most importantly, you will be expected to
bring VA up to the gold standard of Federal IT security that
Secretary Nicholson has said he expects to achieve.
The events of the past few months were disturbing to all of
us. Employees carelessly putting sensitive information on
portable hard drives and taking it home, VA contractors failing
to adequately secure hardware containing VA's information, and
laptop computers in the hands of thousands of employees still
present us with daily challenges. All of this is happening
while VA is undergoing a massive management restructuring in
the IT department.
I want to make it clear that I am not suggesting that VA's
employees or contractors intentionally compromised VA data. But
as you and I have discussed, General Howard, I think VA and the
Federal Government as a whole need a wake-up call and a
cultural change with respect to information security.
We need to impress upon our employees and our contractors
that information is not just power; it is a priceless commodity
to many people. So we need to handle it, work with it, and
guard it like the valuable commodity that it is.
General Howard, today I hope to hear what your plan is to
identify the shortcomings in VA's IT programs, what needs to be
done to correct those deficiencies, and what is a responsible
timeframe for accomplishing those goals and bringing VA up to
that gold standard. I also hope to be reassured that
restructuring and IT security challenges will not tie the hands
of the 200,000 VA employees. I understand, as do many of my
colleagues, that we could have perfect security by ensuring no
one uses VA's data. But that, of course, would be unreasonable.
We also need to allow access to data while ensuring that we
know exactly where it is going, who is viewing it, and whether
it is being misused. That is an incredible challenge. But I
think you are up to the job.
General Howard comes before the Committee with an
impressive resume and a very distinguished record of Government
service. He holds a master's degree in civil engineering, and
is a highly decorated Vietnam veteran who rose to the level of
Major General in the United States Army before retiring from
active duty in 1996. He spent several years in the private
sector after retiring from the Army. During this time, he
worked with Eastern European countries to help them harness
technology in order to emerge from communist hold and join the
democratic capitalistic societies of the world.
General Howard, we welcome you to the Committee. After my
colleagues have given any opening comments, I will ask you to
rise and be sworn in, as is required under the rules of the
Committee, and, of course, to introduce any family member that
you have with you today.
With that, there we go. Order of entry, I will turn to my
colleague from Georgia, Senator Isakson.
Johnny?
STATEMENT OF HON. JOHNNY ISAKSON,
U.S. SENATOR FROM GEORGIA
Senator Isakson. Thank you, Mr. Chairman.
I had the privilege of meeting with General Howard last
week on Thursday, and had an in-depth discussion based on the
experiences I have had in the technology area in running a
department of our State government as well as in a private
sector business. And I have to tell you, I was very impressed
with his knowledge of software, the potential pitfalls in terms
of that, and also very much impressed with his understanding
that the reporting of failures in technology need to be with
the same speed that technology itself delivers information. And
that was very important to me because of the experience we had
at VA with the lost computer and the tardiness with which the
chain of command responded.
I just wanted to say at the outset before the testimony
that I was very impressed with the meeting. I am very impressed
with the General, and I think he will make an outstanding
contribution to the Veterans' Administration.
Chairman Craig. Johnny, thank you very much.
Now, let me turn to Senator Patty Murray of Washington.
Patty?
STATEMENT OF HON. PATTY MURRAY,
U.S. SENATOR FROM WASHINGTON
Senator Murray. Thank you, Mr. Chairman. I want to thank
you and Ranking Member Akaka, for holding today's hearing. I
know he is traveling back from Hawaii and wished he could have
been here.
General Howard, I want to thank you for coming before us
today. I look forward to hearing about your plan to help build
the IT system that our veterans need and deserve.
But before I discuss your nomination, I wanted to mention
to the Committee a recent article from the Associated Press
that really should concern every one of us on this Committee.
It suggests that the VA has no plan to deal with the influx of
veterans from Iraq and Afghanistan. It states that, ``More than
one-third of Iraq and Afghanistan veterans seeking medical
treatment from the Veterans Health Administration report
symptoms of stress or other mental disorders, a tenfold
increase in the last 18 months, according to a VA study.''
The article says that veterans are facing ``long waits for
doctor appointments, staffing shortages, and lack of equipment
and medical centers run by the Veterans Affairs Department.'' It
mentions in the article that a soldier from Virginia Beach,
Virginia, who was having a hard time sleeping after he returned
from Iraq was told he would have to wait 2 1/2 months for an
appointment at the VA facility.
Now, here is a servicemember in need, and all the VA could
say to him is, ``Get in line and wait 75 days.'' I find that
pretty disgraceful.
When you look at the numbers, you can really see a crisis
in the making because just over half a million veterans have
served in Iraq and Afghanistan and have separated from the
military. Of those, 185,000 are currently seeking care at our
VA medical centers; 150,000 of them are applying for benefits;
and more than 100,000 have sought help at our Vet Centers. If
the system is already straining, as the AP article told us,
then the bulk of the trouble is still yet to come.
We have nearly a million servicemembers who have served in
Iraq and Afghanistan but have yet to separate. They are coming
down the pipeline into a VA system that is already overwhelmed,
and we have to figure out how we are going to serve those
veterans.
The numbers are really staggering. The doctors at Walter
Reed have stated that 16 percent of all injured servicemembers
have eye injuries. Many of them have come with traumatic brain
injuries. And we have one-third that are seeking mental health
care. According to the VA's own report, nearly 60,000 Iraq and
Afghanistan vets have ill-defined conditions. And if you have
been on this Committee long enough, you will know that some of
those symptoms sound very familiar to what we later called the
Gulf War syndrome in the first Gulf War.
So, Mr. Chairman, I am very concerned. The numbers show
that a crisis is coming, and so far we have not seen a plan
from the VA on how we are going to deal with that. I hope that
this Committee can bring Secretary Nicholson before us, find
out what the plan is, and what help he needs from all of us to
meet those needs. And I hope that we can have that hearing when
we come back so that we can take steps that we need to meet our
veterans' needs.
General Howard, you and I had a chance to visit. I really
appreciate that. As you know, I have some concerns under the
new reorganization that the VA is not collaborating with the
Health Administration, the Benefits Administration, and
Memorial Affairs. And I am also concerned that we are not
bringing in the best IT staff to fill some of our current
openings. I am also concerned that the VA leadership in
Washington, DC, from what I am hearing, is disconnected from
field operations. I hope to hear how you can help us address
those situations.
I am sure you are aware of the article from GovEx.com,
dated August 1st, that raises many concerns about VA
operations. It outlines a world where everyone is pointing
fingers, and it says what the VA really needs is a world where
everyone is working together. I look forward to hearing from
you today on how you can help make that world work together and
not point fingers.
Thank you, Mr. Chairman.
Chairman Craig. Patty, thank you very much.
Now, let me turn to Senator Ken Salazar of Colorado.
Ken?
STATEMENT OF HON. KEN SALAZAR,
U.S. SENATOR FROM COLORADO
Senator Salazar. Mr. Chairman, I have a statement that I
will submit.
Chairman Craig. Fine.
Senator Salazar. I will just make two quick comments.
First of all, General Howard, congratulations and I look
forward to working with you as we deal with the information
technology issues which have been so much at the forefront of
what the VA has had to deal with in the last year.
And, second of all, Mr. Chairman, I agree with Senator
Murray that I think it would be a good thing for us, perhaps
after the election, to get together with Secretary Nicholson
and others from the VA so that we can look ahead to see what
kinds of challenges we are going to be dealing with, with the
influx of veterans coming home from both Iraq and Afghanistan.
Thank you, Mr. Chairman.
[The prepared statement of Senator Salazar follows:]
Prepared Statement of Hon. Ken Salazar, U.S. Senator from Colorado
Thank you, Chairman Craig and Senator Akaka, for holding today's
hearing. I also want to acknowledge Mr. Robert Howard, the President's
nominee to be Assistant Secretary for Information and Technology in the
Department of Veterans Affairs. Thank you, Mr. Howard, for coming
before this Committee today to discuss several critical issues that
directly impact veterans in Colorado and across the Nation.
We have heard a lot about the VA's handling of information and
technology this year both about the greater opportunities it presents
to us and the greater responsibility it demands from us. I look forward
to hearing directly from the President's nominee to be the Department's
Chief Information Officer about how the VA can better manage these
opportunities and responsibilities.
Specifically, we need to know what the Office of Information and
Technology can do to help safeguard our veterans' personal information.
In addition to hearing about the steps OIT has taken in response to
this spring's data theft, I would like to know what impact the recent
reorganization of the Office of Information and Technology will have on
the ability of the Department to provide information security.
I understand that this reorganization will involve consolidating
many of the Department's IT professionals under the OIT, increasing the
number of personnel operating under your office from 350 to nearly
6,000. This is a huge increase, and I am interested in hearing about
both the potential benefits and potential drawbacks of such a dramatic
overhaul.
Finally, I would like to discuss how the information and technology
resources that OIT has at its disposal can be used to better serve
veterans who are living in rural or geographically remote areas.
With the technological advances we have seen over the past ten to
twenty years, including the growth of the Internet, there is enormous
potential for government to use technology to improve the way we
provide services to our citizens. I believe we have only begun to
scratch the surface of that potential.
While I understand that VA's Office of Information and Technology
is only one piece of the puzzle, I would like to hear Mr. Howard's
ideas on how we can use technology to bridge the physical gap that
exists between veterans living in rural communities and the VA
facilities that are in some cases located hundreds of miles away. These
tools have already begun to change the way the Americans interact with
their government, and I am excited at the vast opportunities they
present for the future.
Again, I would like to thank Chairman Craig and Senator Akaka for
holding this hearing, and to thank Mr. Howard for sharing his views
with the Committee today. I look forward to discussing these and other
issues that are important to our Nation's veterans.
Chairman Craig. Well, thank you. I appreciate those
suggestions from both of you.
General Howard, Senator Akaka, our Ranking Member, is not
with us today. As Patty mentioned, he is returning from a
successful primary election in the State of Hawaii and will
join us later on in the day.
I want the Committee to know that I intend to convene the
Committee off the floor this afternoon to vote to report the
nominee to the full Senate. I do not think any of us, I would
hope, would want to hold back getting this man on board and at
work on an issue that all of us have opined about in our
comments this morning as it relates to building a strong IT
system within the VA. That is assuming that all goes well in
the balance of the hearing, of course, and I would hope we
could do that sometime today or, if we have a vote, around the
noon hour.
With that, General, if you will please rise. Do you swear
or affirm that the testimony you are about to give to this
Committee will be the truth, the whole truth, and nothing but
the truth, so help you God?
General Howard. I do.
Chairman Craig. Thank you. Please proceed, and as I
mentioned in my opening comment, if you have family with
you, please introduce them to the Committee.
General Howard. Sir, I have a statement. Do I have time to
read that?
Chairman Craig. You do have time to read that.
STATEMENT OF ROBERT T. HOWARD, NOMINEE TO BE ASSISTANT
SECRETARY FOR INFORMATION AND TECHNOLOGY,
DEPARTMENT OF VETERANS AFFAIRS
General Howard. Mr. Chairman and Members of the Committee,
good morning, and thank you for the opportunity to testify
today. It is indeed an honor to be nominated by President Bush
to be the Assistant Secretary for Information and Technology at
the Department of Veterans Affairs and to appear before you
today. I would like to thank the President for nominating me,
and Secretary Nicholson for expressing confidence in my
abilities by supporting this nomination.
My dedication to the United States military is marked by a
history of service and commitment. In 1963, I left Everett,
Massachusetts, and entered the U.S. Army to embark upon a
career spanning 33 years. During my time of service, I
developed a deep respect and appreciation for those who serve
in our Armed Forces--and their families. Personal sacrifice and
devotion to duty is routine among members of the military, so
they deserve our unwavering support both while wearing the
uniform and when they transition into the community of
veterans. I am privileged to work for them and support that
critically important mission stated many years ago by President
Lincoln: ``To care for him who shall have borne the battle and
for his widow and orphan.'' For me, time has come full circle--
from a long career in active military service to now assisting
our Nation's veterans through public service.
As you know, I have been the supervisor of the Office of
Information and Technology within the VA since early May 2006,
so I am very familiar with all the work that must be
accomplished to form a new, significantly expanded organization
and to also remedy the deficiencies that exist within the area
of data security. I am confident that my experience in the U.S.
Army and in the private sector with the Cubic Corporation, has
helped hone the skills required to lead the organization
effectively and contribute to the successful accomplishment of
a wide variety of important tasks.
The reorganization of IT within the VA is a major event
that will result in more standard processes and better
interoperability across the Department. I am totally committed
to its successful implementation and improving our performance,
not only in the area of operations and maintenance, but in
developmental programs as well.
The reorganization will assist us in many ways, including
the area of data security where the most difficult work
resides--work that is especially important to our veterans.
Secretary Nicholson has clearly stated that he wants the
Department of Veterans Affairs to become the gold standard for
all of Government in the area of information security.
Achievement of that goal involves many activities of the
Department, but it must involve the completion of all actions
associated with the Data Security-Assessment and Strengthening
of Controls Program.
This is VA's high-priority program designed to remedy the
many security deficiencies that have been uncovered.
Because of its importance, I have provided the Committee
staff copies of the action plan associated with this program.
This is a living document that will guide our work. Its
successful execution is, without question, my highest priority.
In VA we want to create an environment where veteran and VA
employee information is treated with respect and is protected
with a high degree of rigor.
I realize the position of Assistant Secretary for
Information and Technology will involve very difficult work. I
am fully prepared for this since I know I have the full support
of the VA leadership. I also know that you are committed to
helping us in any way you can.
If confirmed, I will strive to position VA's Office of
Information and Technology to be the leader among Federal IT
organizations in providing secure, high-quality, and
responsive service to supported organizations in meeting
business needs by leveraging state-of-the-art technologies and
building a high-performing workforce dedicated to the success
of those they serve.
I will continue to remain thoroughly familiar with the
issues facing the Department and give my very best effort to
work diligently and to faithfully advise the Secretary and the
Deputy Secretary and to keep you informed of progress on a
timely basis.
With me today are my wife, Ciretta, originally from Revere,
Massachusetts, and my youngest daughter, Laura Glaub, from
Woodbridge, Virginia. I am very grateful for their constant
love and support and to many other family members and friends
whose support has been steadfast for many years.
Also present today is Deputy Secretary Mansfield, whose
strong support is greatly appreciated.
Thank you again, Mr. Chairman and Members of the Committee,
for your consideration of my nomination. I would be happy to
answer any questions you may have.
[The prepared statement of General Howard follows:]
Prepared Statement of Robert T. Howard, Nominee to be Assistant
Secretary for Information and Technology, Department of Veterans
Affairs
Mr. Chairman, Senator Akaka, and Members of the Committee,
good morning, and thank you for the opportunity to testify
today. It is indeed an honor to be nominated by President Bush
to be the Assistant Secretary for Information and Technology at
the Department of Veterans Affairs and to appear before you
today. I would like to thank the President for nominating me,
and Secretary Nicholson for expressing confidence in my
abilities by supporting this nomination.
My dedication to the United States military is marked by a
history of service and commitment. In 1963, I left Everett,
Massachusetts, and entered the U.S. Army to embark upon a
career spanning 33 years. During my time of service, I
developed a deep respect and appreciation for those who serve
in our Armed Forces--and their families. Personal sacrifice and
devotion to duty is routine among members of the military, so
they deserve our unwavering support both while wearing the
uniform and when they transition into the community of
veterans. I am privileged to work for them and support that
critically important mission stated many years ago by President
Lincoln: ``To care for him who shall have borne the battle and
for his widow and orphan.'' For me, time has come full circle--
from a long career in active military service to now assisting
our Nation's veterans through public service.
I have been the supervisor of the Office of Information and
Technology within the VA since early May 2006, so I am very
familiar with all the work that must be accomplished to form a
new, significantly expanded organization and to also remedy the
deficiencies that exist within the area of data security. I am
confident that my experience in the U.S. Army and in the
private sector with the Cubic Corporation, has helped hone the
skills required to lead the organization effectively and
contribute to the successful accomplishment of a wide variety
of important tasks.
The reorganization of IT within the VA is a major event
that will result in more standard processes and better
interoperability across the Department. I am totally committed
to its successful implementation and improving our performance,
not only in the area of operations and maintenance, but in
developmental programs as well.
The reorganization will assist us in many ways, including
the area of data security where the most difficult work
resides--work that is especially important to our veterans.
Secretary Nicholson has clearly stated that he wants the
Department of Veterans Affairs to become the gold standard for
all of Government in the area of information security.
Achievement of that goal involves many activities of the
Department, but it must involve the completion of all actions
associated with the Data Security-Assessment and Strengthening
of Controls Program (DS-ASC).
This is VA's high-priority program designed to remedy the
many security deficiencies that have been uncovered.
Because of its importance, I have provided the Committee
staff copies of the action plan associated with this program--
this is a living document that will guide our work. Its
successful execution is, without question, my highest priority.
In VA we want to create an environment where veteran and VA
employee information is treated with respect and is protected
with a high degree of rigor.
I realize the position of Assistant Secretary for
Information and Technology will involve very difficult work. I
am fully prepared for this since I know I have the full support
of the VA leadership. I also know that you are committed to
helping us in any way you can.
If confirmed, I will strive to position VA's Office of
Information and Technology to be the leader among Federal IT
organizations in providing secure, high-quality, and responsive
service to supported organizations in meeting business needs by
leveraging state-of-the-art technologies and building a high-
performing workforce dedicated to the success of those they
serve.
I will continue to remain thoroughly familiar with the
issues facing the Department and give my very best effort to
work diligently and to faithfully advise the Secretary and
Deputy Secretary and to keep you informed of progress on a
timely basis.
With me today are my wife, Ciretta, originally from Revere,
Massachusetts, and my youngest daughter, Laura Glaub, from
Woodbridge, Virginia. I am very grateful for their constant
love and support and to many other family members and friends
whose support has been steadfast for many years.
Thank you again, Mr. Chairman and Members of the Committee,
for your consideration of my nomination. I would be happy to
answer any questions you may have.
Chairman Craig. General, thank you very much for that
testimony. Let us get to the questions because I think all of
us are, as we have expressed, very concerned about the task at
hand and before you.
You have made available this printout that I find is
fascinating. I wish I understood it.
[Laughter.]
Chairman Craig. Because I am not quite sure of the 322
tasks by number, where we are, and what it will mean when we
get there. But I suspect you do, and maybe you will be able to
tell us a bit about that.
Certainly, your leadership credentials are not at question
at this point at all. However, can you talk to us a bit about
your technical qualifications for the position, what
experiences do you have in the management of IT programs that
will help us ensure VA's Office of Information and Technology's
success, and what all of this means?
General Howard. Yes, sir. Sir, actually, as an engineer, of
course, I am very comfortable in the technical arena. But I
have had a number of assignments over the years which directly
relate to information technology and the production of
computer-based products. One in particular was as a brigadier
out at Fort Leavenworth, Kansas, where I led an organization
called TRADOC Analysis Command.
What we did there, we were responsible for the cost and
operational effectiveness analysis for the U.S. Army dealing
with modernization of weapons systems, and also assisting in
the training area as well.
What we did is we built computer models that were used to
evaluate future weapons systems based against existing
platforms. There were a number of types of these, and we not
only wrote the code, we developed the mathematical algorithms
in order to define the particular activity of the weapons
system. And I had quite a few folks working for me out there, a
large group, in fact, down at White Sands Missile Range, a
number of them computer coders, and the systems engineers.
So those 2 years out at Fort Leavenworth were very helpful
in that regard in terms of the production of computer-based
products.
We also built training simulations and, again, this was in
the late 1980s. In that time training simulations had really
begun to be used by the military and it is routine today. We
built a number of those simulations to include production of
the scenarios, the scripting of the particular documentation
that needed to be coded, and then go through the coding process
to produce the various training products that were then used by
field commanders to train their commanders and staffs.
Most recently, with the Cubic Corporation, my division was
involved in the production of educational and training
technologies, computer-based products that we used, interactive
products, Web-based products that were designed for both
training and education in a number of areas.
The other aspect of my division at Cubic, as you mentioned,
was helping countries in Eastern and Central Europe become more
Westernized and improve their systems in the military. A number
of them were heavily involved in introduction of information
technology systems. In particular, three countries--Czech
Republic, Slovak Republic, and Hungary--we directly assisted
them in bringing on more modern IT systems to support them in a
number of areas, from personnel to logistics, force design, and
a number of other areas as well. So that briefly is some
background relating to information technology and the
production of computer-based products.
Sir, with respect to the plan itself, I have my copy.
I do not have one under my pillow, but I probably should.
Sir, quite frankly, as you have seen this----
Chairman Craig. Let's cut to the chase. Some are arguing
out there in the field that the 322 so designated tasks here
are simply a rearranging of the deck chairs on the deck of the
Titanic.
General Howard. Sir, that is absolutely not the case.
Chairman Craig. OK.
General Howard. As you see, believe it or not, they are
actually 100 percent indicated by some of these.
This program began shortly after the breach in May. It was
directed by the Deputy Secretary, and we began putting together
a list of actions that needed to be taken, actions that needed
to be completed. And more than anything else, that is what this
is. At least we know what needs to be done.
We began to lay down timelines, as you can see. Some of
them, obviously, continue to be adjusted as we know more about
what we are dealing with. But with respect to the completion of
these, one of the most important facets of this was the first
phase, the assessment phase. We began very early on, as the
dates indicate, by assessment briefings from all the
administrations and the staff sections within the VA. These
briefings were chaired by the Deputy Secretary, and they had to
be given by the principal in charge. There were some minor
cases where deputies gave the presentation, but we insisted on
senior officials standing up and telling us what were the
conditions regarding information security within their
organization.
This was very revealing. We went through all of that, as
you can see on the front page, and what we are into now is
doing the same thing with all the administrations and staff
agencies, staff sections, with non-VA organizations.
For example, we have contractors working for us. What are
the conditions under which they operate? Do they work with
sensitive information? Is it properly protected?
We are in the process of having these briefings right now.
In fact, just yesterday, we had two more, and the day before,
we had VBA. There are just a couple left.
We left VHA for last because they have got a huge amount of
contracts, a very difficult situation, so we let them have as
much time as they could to prepare for that.
We are moving through the assessment phase, but we are also
moving into other areas as well. You will notice the second
phase of this program is the strengthening of controls portion,
and that is broken down into three sections:
Management activities, like, for example, updating our
directives, and we have got several of those complete and a
number already in draft form, and we will share those with you
as they get completed. That is in the management area.
In the technical area, we have a number of
activities going on, particularly in the area of encryption and
understanding additional actions that can be taken to better
control the communications and the passing of sensitive
information within the VA, but do that in a way that we do not
shut down the operation. Sir, you mentioned that yourself as a
key concern, and you are exactly right. That is a difficult
balance. We need to tighten up, but at the same time we have
got things we have got to accomplish. And we recognize that.
The laptop encryption is just about complete. In
fact, we have encrypted almost 15,000 laptops over the last
couple of weeks. There is a small number that we were not able
to encrypt, less than a hundred, and one of the reasons for
that, particular computers were not able to accept the Guardian
Edge software. We are working both with the manufacturer of the
computer--Micron and Guardian Edge--trying to solve that. But
in the meantime, those laptops are secure. They are not being
used. These are VA laptops.
As you know, we have non-VA laptops that are being used,
and our objective there ultimately is to replace those with
Government-furnished equipment. That is going to take a while.
It is a task on this plan for fiscal year 2007. The reason it
is in 2007 is we know that would cost us money, but we also
need to think through how we actually want to do that.
So that is the goal, but those individuals using personal
laptops already know that they are required to protect
sensitive information that passes through those laptops. That
is per a directive that we have already published, Directive
6504, which in fact, prescribes that.
There are a number of other activities further down the
list that we are already working on. A big area that we are
thinking through is additional technologies to bring into the
VA to further protect computers and the infrastructure,
techniques that are already out there. We have been talking to
a number of companies. We have not put out any RFPs yet. But
there are technologies available that you do not even know they
are there, that help us visualize what is happening with
respect to the passing of information.
But these are technologies that we must understand to be
sure we go forward and ask for any additional support. So that
is important.
There are also abilities to shut down USB ports. In fact,
that is already going on at various facilities throughout the
VA where you can control the use of USB devices simply by
shutting down the port. People are not able to plug in a thumb
drive and pull out the information.
Now, again, you have got to be careful with that because
people have to operate, and you cannot shut the hospital down
by just turning off all the access that physicians and other
staff members might need.
So, sir, that is kind of a summary of what this is all
about.
Chairman Craig. Thank you very much.
Let me turn to Senator Isakson. Johnny?
Senator Isakson. Thank you, Mr. Chairman.
The breach that came to our attention earlier this year was
the physical transfer of a hard drive or a laptop off the VA
premises to a home. That is not an electronic transfer. That is
a physical transfer. I assume the control has been put in place
to no longer allow that to take place within the VA. Is that
correct?
General Howard. Sir, that is not allowed unless you have
specific permission, for example, if we are transferring files
from one hospital to another and, in fact, that does happen.
You are actually physically moving media, whether they are CDs
or back-up tapes or whatever. But it must be approved, and it
must be done under certain circumstances. Those are now spelled
out in Directive 6504, which I mentioned. We have a lot of
directives we need to clean up and to publish. Directive 6504
was one of the first ones right after the breach that we put in
place as quick as we could. And, we may need to adjust it in
some ways, but, quite frankly, it is a very good directive, and
the folks in the field are paying attention to it.
Senator Isakson. If I remember correctly, it was 21 or 22
days from the time the laptop was lost and the time Secretary
Nicholson was advised of the breach. What has been put in place
in terms of the chain of command to ensure that lapses or
breaches like that quickly rise to the level they should in
terms of the administration?
General Howard. Sir, right now we have a much improved
reporting process. Quite frankly, at the time there really was
not a very good reporting process at all. It was haphazard.
There was no structure to it. Since that time, we have
established a very good process for reporting incidents. In
fact, our guidance to the field is when in doubt, report it. No
matter how small it is, no matter how insignificant, get it
reported and then we will deal with it.
We have also insisted that security incidents and privacy
incidents get reported to one place, and that is the Security
Operations Center, which produces daily reports.
These daily reports go all the way to the Secretary and the
Deputy Secretary and a number of other senior officials each
day. There are certain mandates in place, like, for example, we
must report incidents to the US-CERT within 1 hour, and we meet
that. We might miss it every now and then, but that is an
objective that we have.
So with this reporting mechanism, we believe we do have
visibility over activities that are taking place that should
not be. Quite frankly, as I have talked with a number of your
staff, there is always the concern about what do you do in
terms of follow-up and punishment and that sort of thing. We
have, in fact, taken action in some cases, but we have also got
to be very careful about that because we do not want to shut
down and make people too concerned about reporting things. That
is a balance issue.
We have to look at every case. But clearly, in cases where
it was not just a careless act but a deliberately negligent
act, that they knew they should not do, in that case we have
taken action.
Senator Isakson. One last question. The physical transfer
of information which we have been addressing is one way to lose
it. The electronic transfer is another way, and that can happen
in two ways--either from within the agency to the outside or a
hacker coming into the inside.
Just briefly, are you monitoring the internal operations to
catch any transfer out? And do we have a security system in
terms of the hacking incident?
General Howard. Sir, we do not have a system where you have
100 percent visibility over every single thing that goes on in
transfer of information from computers. That is a very
difficult environment to put in place. Do we have total control
over someone being able to go into a sensitive database, pull
information out, put it on a piece of media or a thumb drive or
whatever and walk out the door? That can happen. There are
directives in place, though, that prohibit that. As I mentioned
to you, in some cases we have begun to shut down USB ports and
things like that to better control. But, quite frankly, sir,
the best way to really achieve 100 percent compliance to ensure
the situation where that does not occur, is through making sure
every single employee understands and lives up to their
responsibilities. This is a people issue. It really is.
We can go nuts with technical solutions, but the bottom
line is the people involved. And some of them are pretty
clever. They will figure out a way to get at it unless we make
sure we continue to communicate to them. And they understand
how important it is, and my feeling right now throughout the VA
there is heightened awareness. There is no question about that.
We see it in some of the reports coming in and, in fact, the
actions that are being taken.
So 100 percent, probably impossible. But we do need to do
all we can to prevent that from happening.
Senator Isakson. Well, my time is up, but I think you are
saying what I was trying to--100 percent is impossible for
practical reasons. However, random monitoring is not, and it is
important that the people within the agency understand that
random monitoring is going on, just to protect the integrity of
the system. And I assume you are doing that.
General Howard. Sir, you are exactly right. In fact, we are
actually doing random cyber penetration as well. So those
activities do go on, but it is sporadic.
Senator Isakson. Thank you.
Chairman Craig. Thank you very much, Senator Isakson.
Senator Murray?
Senator Murray. Thank you.
General Howard, I understand that there was recently an
incident in the VA system that put eight of our VA medical
centers in the Northwest network at risk. Apparently, there was
some untested software that was added to the system, and as a
result, it broke many of the VA applications, including the
VA's health data repository.
From what I understand, that still has not been fixed.
Could you tell the Committee what happened, why it has not been
fixed, and what we are doing to ensure it will not happen
again?
General Howard. Ma'am, I am not familiar with that in great
detail. I believe I know the situation you are talking about,
though, where a patch was put in place on the network which
caused some problems with CPRS.
I believe that has been fixed, but I cannot be sure. I will
get back with you on that, if you do not mind.
Senator Murray. My understanding is that it has not been
fixed yet, so if you could get back to me and let me know why
and, more importantly, how can we make sure that does not
happen again.
General Howard. Right.
Senator Murray. I understand that the new model of
reorganization that you are talking about can create quite a
divide between the IT folks at headquarters and people who work
out in the field. How are you going to ensure that our veterans
who are counting on getting services get seamless,
uninterrupted service?
General Howard. Ma'am, first of all, there is a strong
communication effort going on right now with respect to making
sure the folks understand what is about to happen, and to
reassure those who need the IT support that the IT individuals
who supported them in the past are not going anywhere. They are
still there. They are dedicated to the support of the mission,
that is, whether it is health or benefits or actually the core
missions of the Department.
We have communicated that to the IT individuals who, at
least up to now, have been detailed to us and come October 1
the permanent transfer will take place.
Continuous communication, both through the IT community and
through the three administrations and staff sections is very,
very important. But the fact of the matter is it is going to
boil down to performance. We can talk and explain all we want,
but the physicians out there, they want support, they want
performance, and we understand that. And I am committed to make
sure that they get the support, the same response, and
hopefully, better response than they got before.
Senator Murray. Since you are going to have a more
centralized model, how are you going to ensure that some of the
field-level CIOs and directors are going to have input?
General Howard. We are already in communication--again,
they have been detailed to me already, so we have dialogue
going on. We have broken the country into four regions. We have
regional directors for each of those locations. They, in turn,
supervise CIOs, who were formerly VISN CIOs or RO CIOs. And
those individuals have further connectivity down into the
facilities. So there is an organization already in place that
will become permanent on October 1 to help organize that.
We have set things up so we have a reasonable span of
control. For example, there are four regions, and in each of
those regions we have a number of CIOs reporting to that
regional director.
Senator Murray. I hope as you implement it you keep that in
mind and make sure that those lines of communication are open.
General Howard. Extremely important. You are absolutely
right, and believe me, I understand that and am committed to
that.
Senator Murray. Are you bringing in the best of the best
when it comes to IT and IT management?
General Howard. We are in the hiring process right now. As
part of the IT realignment, I have been provided over 500 FTE
empty spaces that we are now in the process of filling. Finding
quality people, of course, is always difficult, but we have
several that are moving and are being hired. But we have a
great deal more to do in that area.
Senator Murray. One last question. I think this whole
unfortunate data loss system really showed us that the VA lacks
some strong policies and directives regarding information
technology acquisition and usage. How is this reorganization
that you are talking about going to solve problems like the
lack of strong IT architecture and cyber security concerns and
the ability to invest soundly in IT?
General Howard. Ma'am, no question that the IT
reorganization is going to help a lot. I control the network
now--at least come effective October 1. The network, the
activities are not permitted to plug into the network without
our authorization. There is no doubt--in fact, I have seen
already some of the impact that we are going to feel in the
months and years to come.
A good example is the laptop encryption. In the last
several weeks, we have encrypted almost 15,000 laptops. That
went smooth as can be. We had a great deal of cooperation from
facility IT people, the VISN CIOs, all of the folks that we
were just talking about. There were teams put together,
tremendous dialogue back and forth, e-mails flying all over the
place, a great deal of cooperation and organization that
permitted us to do that.
Now, I do not know for sure, but my guess is if we had not
had this organization in place, even from a detailed
standpoint, we would have had a much more difficult job. We have
much better control and are making sure encryption is put in
place where it is needed, patches are put in place; they cannot
resist because we control the network.
Senator Murray. Thank you, Mr. Chairman.
Chairman Craig. Thank you, Senator Murray.
General, most of the attention VA's IT program has received
lately has been centered around IT security and its
development. However, the issue of VA-DOD information sharing
and exchange still remains, to my understanding, an unsolved
problem.
Are we ever going to see the day when VA's records and
DOD's records can be freely exchanged from one system to
another in a secure manner? And from your perspective, why have
we not accomplished that goal yet?
General Howard. Sir, I believe that is possible. I am not
intimately familiar with the DOD system, ALDA. I am familiar
with HealtheVet, the system in the VA. Those two systems are
not interoperable, but there is a great deal of interaction
going on with DOD. We have the JEC Committee and a number of
other committees in place where there is a good deal of
dialogue regarding that particular issue.
Why hasn't it been done? We probably have not put enough
emphasis on it. We probably have not really focused on a
particular subset. In the case of HealtheVet, there are a
number of sub-applications that we can perhaps focus on and
really get a success story there, working with DOD. Hopefully,
we will be able to do that. To the degree I can influence that,
I will, and to demonstrate that we really can produce an
electronic health record that is interoperable, where data can
be exchanged. I believe it is possible, but not without a lot
of hard work.
I think you know that in the case of VA, our system is
based on an older code that we want to bring into a more
modernized environment and work with DOD as we move forward in
that respect.
The President's Executive Order is a pretty clear mandate
with respect to interoperability. So to speak, the burner has
been turned up on making things more interoperable.
Chairman Craig. I think if we really want to claim seamless
transition, part of the fabric in that seam, if you will, is
this ability to move records and not duplicate and have them
applicable. It simply makes an awful lot of sense to me, and I
am quite sure it does to the active member/veteran in their
transition.
I know the FBI recovered the stolen laptop and all of the
data we originally feared might be lost, and the FBI is
confident the information was not accessed or compromised.
Still, some veterans out there are worried that their
personal information will be used to steal their money, their
ID, and their privacy.
What do you say to those veterans who come to you with that
concern?
General Howard. Sir, in that particular case, I, too, have
a very high degree of confidence that the information was not
disturbed. I do not think they have to worry about that at all.
Chairman Craig. Well, there are other questions I could ask
you, but in general, I think you have covered the waterfront of
the issue in response to either me or my colleagues. So let me
ask you two remaining questions.
Do you have any conflicts of interest that you have not
fully disclosed to the Committee?
General Howard. None, sir.
Chairman Craig. Do you know of any other matters which, if
known to the Committee, might affect the Committee's
recommendations to the Senate with respect to your nomination?
General Howard. None, sir.
Chairman Craig. Do you agree to appear before the Committee
at such times and concerning such matters as the Committee
might request for as long as you serve in the position for
which you seek nomination?
General Howard. Yes, I do, sir.
Chairman Craig. Well, I thank you very much for your
openness and your frankness. It appears that you are living up
to your reputation of understanding not only what has been
accomplished, but what is to be accomplished over the next
while, because I, too, agree with the Secretary. We want to
make the IT of VA a gold standard for our Government to follow.
We are proud of the success with our electronic medical
records. They represent to the health care systems of this
country a leadership position, a role, and it is now recognized
that through those, quality health care has been dramatically
enhanced. We want to be able to turn to the veterans in very
short order and say that we have transformed the culture and
the systems of the VA, and to assure them that their
information that is held by VA is safe and secure, usable,
accessible, and all of the other values for its presence.
So we thank you very much again for your attendance this
morning, and as I said in my opening comments, we will attempt
over the course of the day to move expeditiously so that your
nomination can be considered by the whole Senate before we
recess.
Again, General Howard, thank you very much, and to your
wife and daughter, we are pleased that they were able to attend
your confirmation hearing.
General Howard. Thank you, Mr. Chairman.
Chairman Craig. Thank you. The Committee will stand
adjourned.
[Whereupon, at 10:55 a.m., the Committee was adjourned.]