House panel passes Veterans Affairs cybersecurity bill

Legislation approved by a U.S. House of Representatives committee Thursday would elevate the positions of chief information officer (CIO) and chief information security officer (CISO) at the U.S. Department of Veterans Affairs (VA) in an attempt to avoid data breaches like the early May theft of a laptop and hard drive from a VA analyst's home.

Even though law enforcement authorities recovered the hardware in late June, about eight weeks after the theft, the data loss brought to a head long-time cybersecurity problems at the VA, members of the House Veterans Affairs Committee said during a series of hearings since late May.

Computer forensic analysis suggested the personal records of 26.5 million military veterans and their spouses on the laptop and hard drive were not accessed by thieves, the VA said. But a decentralized IT structure, coupled with a lack of CIO and CISO authority, leaves the VA vulnerable, several witnesses, including former VA CISOs, have said.

"Obviously, we cannot fully change the organization through mandates, but we can affect its culture," said Representative Bob Filner, a California Democrat. "This [bill] is a milestone in what has been a very arduous journey."

The Veterans Identity and Credit Security Act, the product of several committee members, would create a new position of under secretary of information services at the VA, with that person serving as the CIO. Reporting directly to the CIO would be the CISO. Right now, the VA CIO position is an assistant secretary, three steps below the agency's head, and the promotion would move the CIO to a direct report of the deputy secretary, who then would report directly to VA Secretary R. James Nicholson.

The bill, which passed the committee on a voice vote, would require the VA to report data breaches in a timely way to Congress, instead of the 13 days it took for the VA to report the hardware theft. The bill would require the VA to find independent agencies or companies to conduct risk analysis of any data breaches.

The bill would allow victims of VA data breaches to ask for help in the form of services such as credit protection, and it would require the VA to look into using new personal identification numbers instead if Social Security numbers to identify veterans.

Also, the bill would establish a scholarship program for computer science and information security students in doctoral programs. The program, worth US$200,000 annually and available to up to five students each year, would pay for tuition, with students required to give two years of service to the VA for every year of tuition paid.

Only one of the scholarship recipients each year could be current employees of the VA. "This is so we can get some new blood in the VA's IT department," said Representative Steve Buyer, an Indiana Republican and chairman of the committee.

The bill would have to be approved by the full House and the U.S. Senate before becoming law.