The U.S. Department of Veterans Affairs' (VA's) offer of free credit monitoring to the 26.5 million military veterans affected by a recent data theft is not enough to fix the problem, the chairman of a U.S. congressional committee said Thursday.
The VA announced Wednesday it would offer a year of free credit monitoring to the potential victims of identity theft after a laptop and external hard drive containing a database with personal information on 26.5 million veterans and their spouses were stolen from a VA analyst's home in early May. But Representative Steve Buyer, chairman of the House Veterans Affairs Committee, said the VA offer was only one step the agency needs to take to protect the identities of U.S. veterans.
"Are we facing a false expectation [of security] among veterans?" Buyer said during a committee hearing Thursday. "I couldn't stand up and cheer because I still have great fears."
The VA continues to say it has no reason to believe the burglar targeted the data, and it is unlikely that the incident has led to ID theft thus far.
Three computer security experts agreed with Buyer, saying credit fraud was only one potential problem veterans could face. The stolen information -- containing names, Social Security numbers, dates of birth and some limited health information -- could wind up in the hands of criminals who give false identities to law enforcement officers. Veterans could lose security clearances or be put the U.S. Transportation Security Administration's no-fly list because of mistaken identities, said Eugene Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University.
Spafford and Bruce Brody, a former chief information security officer (CISO) at the VA, both said the VA has long resisted calls from Congress and government auditors to centralize its IT security functions. The VA's three major divisions continue to control their own IT functions, and the agency's CISO and chief information officer (CIO) lack the authority to enforce security policies, said Brody, now vice president for information security at Input Inc., a research and consulting firm.
The VA has ignored multiple warnings to centralize its IT management going back to the late 1990s, Brody said. Twice, the VA general counsel's office issued memos saying the VA CIO and CISO lack the authority to enforce data security policies. The general counsel's office argued that the U.S. Federal Information Security Management Act (FISMA), passed by Congress in 2002, allowed agency cybersecurity officers to "ensure" but not "enforce" security measures.
The VA CIO and CISO have "no authority" to enforce cybersecurity practices. "The VA has not served [veterans] well," Brody said.
Buyer and other committee members repeated earlier criticisms that the VA has continued to operate a decentralized IT structure, despite multiple recommendations to the contrary. "A reasonable person might ask what the VA is waiting for," Buyer said.
Updated with correction.