Q&A: Robert T. Howard


VA IT Transformer
Improving and Protecting VA Information Systems



Robert T. Howard
Assistant Secretary for Information and Technology
Department of Veterans Affairs

Robert (Bob) Howard was nominated by President George W. Bush to serve as assistant secretary for information and technology in the Department of Veterans Affairs on September 26, 2006, and was confirmed by the Senate on September 30, 2006.

As assistant secretary for information and technology, Howard serves as the department’s chief information officer, advising the secretary of Veterans Affairs on all matters pertaining to acquisition and management of IT systems. He is responsible for overseeing the operation of VA’s computer systems and telecommunication networks that support medical, benefit and cemetery activities as well as staff support functions of the department.

Prior to his nomination, he retired as a major general from the U.S. Army in 1996 and spent the next nine years in the private sector with the Cubic Corporation. With Cubic, he served as a vice president and general manager of the Analysis and Learning Technologies Division directing a variety of programs in support of U.S. and foreign governments. A major aspect of this work focused on assisting a number of former communist states in Central/Eastern Europe and the Caucasus with defense reform, restructuring and modernization.

A native of Everett, Mass., his 33-year career in the Army began in 1963. While on active duty, Howard served in a variety of command and staff assignments in the continental United States, Europe and Asia, with two tours of duty in Vietnam. His assignments included command of both an engineer battalion and brigade in the 82nd Airborne Division and XVIII Airborne Corps, respectively, as well as staff positions focusing on systems analysis, modeling and simulation, strategic planning and financial management. In his last active duty assignment, Howard served as the deputy assistant secretary of the U.S. Army for budget.

His academic experience includes service as an assistant professor of mathematics at the U.S. Military Academy and as a professorial lecturer for the American University.

Howard’s civil engineering education includes a graduate degree from Texas A&M University and an undergraduate degree from Northeastern University in Boston. He also holds a master’s degree in Military Art and Science from the Army Command and General Staff College and is a 1984 graduate of the National War College.

Q: When you came onboard, VA transformation had really just started. How would you judge the progress so far?

A: The Office of Information and Technology has made significant progress over the last calendar year. The VA transformation, as you called it, can be summed up in four words: VA IT Management System. The decision to realign the VA IT Management System was made to correct long-standing deficiencies in the decentralized IT system. A big step in that direction was the assignment of more than 6,000 IT employees, who now report directly to me. We also have an IT appropriation and our new organizational structure and governance process have been approved by the secretary. We are in the process of implementing all of that.

Bottom line is—we are on track.

Q: You mentioned the structure is in place, can you frame how the structure differs now from where it was?

A: Well, before, we had an organization that was difficult to work with. It was hard to figure out what people were really in charge of. So what we have done is create a clearer organization. Visualize five pillars, if you will… The first pillar on the left is oversight, the next manages the plan, the next manages the resources, followed by managing what is built; the last on the right is to control and improve operations.

The plan is to have a deputy assistant secretary, or DAS, in charge of each one of those areas. The first pillar is entitled Information Protection & Risk Management followed, in order from left to right, by Enterprise Strategy; Policy, Plans & Programs; IT Resource Management; Enterprise Development; and Enterprise Operations & Infrastructure.

Within this organization, it is very clear what the responsibilities are. For example, the first DAS I mentioned [oversight—deputy assistant secretary for information protection and risk management] is responsible for cyber security, privacy, incident response, risk management, business continuity and so on. The enterprise strategy offices are the forward thinkers—they are looking to the future. The resource people deal with the day-to-day budget execution, asset management and human resource management concerns.

Enterprise development is focused on developing and bringing on new applications, like modernizing our electronic record system.

The last office is operating the networks in the field, security in the field, and is where the bulk of the people are within this organization—out in the field.

Another important part of that organization is oversight and compliance capability—separate from the IG [inspector general]—that conducts both announced and unannounced assessments, in the area of security and privacy.

This is the new organization and we are currently implementing it. It will be very different. When you look at the federal government, there is no other organization like it in the area of information and technology.

Q: You mentioned you had people in place. Do you consider this phase to be complete?

A: Not really. For example, while the secretary has approved the DAS positions, we still have to go to Congress to get legislative authority to formally create those positions. We are doing that right now.

We are still selecting people for key jobs and expect this will take a while. The plan is to finalize all this by the summer of 2008.

Q: As far as the funding level that you have been given, is it adequate to do the job you have been asked to do, or are there shortcomings that will have to be addressed?

A: We received the appropriation in 2006 and this will be the first year that we’re really dealing with it for a full year under the new organization. So, there are a lot of unknowns. For example, what are the actual requirements? Now that we are a consolidated, coordinated group, what are the efficiencies that we can glean as a result of this? Do we need the amount we have? Do we need more? Do we need less?

We are working through all of that right now, so I’m reluctant to go to Capitol Hill and tell them I need another $200 million when I may not.

I believe we’re OK for FY07. In the 2008 timeframe, we think we’re a little tight, but we might be OK. The thing that we do worry about is the ability to ramp up modernization of some of our applications. This is one constraint we face.

Another issue, quite honestly, is that our record has not been very good with Capitol Hill. So until we prove ourselves to them, they may not be receptive to additional funding. So far, in the area of development, we have not yet done this. We dragged out VetsNet for a long time and, in the past, have not shown the progress we had hoped, but this has improved.

We have efforts underway to bring programs up more quickly to prove that we can operate effectively.

Q: As far as accomplishments since you took over about a year ago, what stands out for you?

A: I think that our biggest accomplishments have been in the area of information protection. That being said, we still have much more to accomplish.

We have a lot of initiatives on the way from encryption to better ways to train people, better protection of our networks, better monitoring capabilities. We are testing a lot of software products that will help foster improvements in this area.

We’ve made some headway in convincing people throughout the VA that information protection is very important—not just within OI&T, but throughout the organization. In fact, the secretary has been very, very helpful in this regard. We’ve put a full court press in this area for the obvious reasons.

But despite our efforts, the incidents continue. Information protection is everyone’s job, 24 hours a day, 7 days a week.

We’ve also made a good deal of progress in setting up our plan for field operations. Cooperation at the facilities—the CIOs, the information security officers (ISOs) and the privacy officers have been strengthened. I refer to them as the facility triumvirate, if you will. At the facility level, these three people are key to making things happen in the IT areas.

While there are many other accomplishments, these are perhaps the highlights. Those we’ve made have been primarily in the area of information protection. The compliance capability we have established has been very, very effective. It’s probably going to be the initiative that proves to be the most valuable for increasing the awareness of the protection of information throughout the VA.

It’s a very aggressive schedule that we’re on and as I mentioned, both announced and unannounced inspections are taking place, so that will be very helpful.

Q: Conversely, as a follow-on, what are some vulnerabilities you see?

A: The biggest vulnerability is any situation where access to large amounts of information is required. One example would be research activity and analysis, such as actuarial work that has to be done for budget formulation. These activities tend to use and require massive amounts of information.

The research business within the VA has been very successful. We brought on cures, medications and medical procedures that have been revolutionary. The VA is, in fact, the leader in a lot of the research that takes place in the medical arena. So we don’t want to impact that, but at the same time, we know that the research activities did not operate the way they should with respect to the protection of sensitive information in the past.

We have a lot of activity going on trying to improve our procedures. But what I’m pointing out is—any area that deals with large amounts of information is a vulnerability.

Contractors are another area of concern. We know that contractors who support the VA need to be assessed in terms of what they’re doing, what they’re doing it with, and where they’re working, particularly if they’re dealing with sensitive information. We’ve just begun to examine those activities and put procedures in place so we can keep a watchful eye over all of that.

Non-IT devices—medical devices—are another vulnerable area. The reason I mention this is that you can have a medical device that has the potential to store large amounts of information. They can have large memory capability.

In the medical arena, you can’t just encrypt everything in sight. If you do, you might have to run it back through the FDA [Food and Drug Administration], which can be a lengthy process. This represents a vulnerability. For example, we recently had a pulmonary machine stolen—not for the medical capabilities, but for the computer. That computer happened to have three years’ worth of patient data on it—and there was no reason for that. The information did not have to be kept on that device. All that was needed were basic procedures to clear off the information. This is a good example of a vulnerable area where you need everyone to be responsible, not just IT personnel.

While we’re on this subject, the biggest vulnerability is people being careless. We will only fix our problems when we get everyone operating responsibly. This is why we have such a full court press on educating people and getting everyone to perform their jobs responsibly.

Q: You mentioned the announced and unannounced assessments, are these relatively new aspects of security?

A: Yes. These are only a couple of months old. We’ve put a very good person in charge of that—a retired Army colonel who used to be the security person for the military district of Washington. In fact, he ran the security operation for President Ford’s funeral.

We are working now to fill out his teams as they are conducting assessments.

Q: Comments have recently been made about the number of cyber attacks on the DoD and government computer sites. When you are looking at protection systems are you working in conjunction with industry or are your requirements so different that you have to have systems development specifically for you?

A: We leverage as much technology as we can.

As for the cyber attacks, we monitor those. We have a facility that monitors those attacks and you would not believe how extensive they are.

This underscores the importance of protecting the firewall and the Internet gateways. It’s a big problem. We conduct penetration tests ourselves. A special team performs those assessments after I personally approve each one. This is our effort to continue to protect ourselves from all of those that are attacking us.

The loss of information through the theft of a computer is one thing—for the most part they’re after the computer itself. On the other hand, a cyber attack is a deliberate attempt to steal information and is extremely serious. The attacks seem to target mainly the medical information like our research efforts.

Our protection effort has our top priority.

Q: How do you go about making sure that people only have access to the level of information they need to access—no more and no less? With such a large and spread out system this must be difficult.

A: This is a very difficult issue. In fact, a key subset of that is administrative rights.

We are about to make some decisions regarding who has administrative rights. Basically, if you are not a person in the information technology business, you will no longer have administrative rights—we may make some exceptions, but they will be very few.

Now there are some issues associated with these decisions that we are trying to work through. This is an example of an area that is being tightened up—all related to access. If you are an administrative person, you have a lot of access—that’s why we are attacking this first.

Q: Is it possible to track the individual pieces of hardware that represent storage devices and therefore a vulnerability?

A: That’s hard to do. To track a stolen piece of equipment you’re really talking about a LoJack-like solution. That’s very expensive and, quite honestly, is probably not worth it.

What we would much prefer is to move into an environment where you don’t have sensitive information on individual computers. This is a more likely solution when you begin to operate out of data centers for example. Basically, you would not permit the downloading of information on a desktop or laptop or anything. There are controls you can put in place for this.

This is where we want to head ultimately. It will take a while for us to get there.

We’re already beginning to move towards operations out of data centers. Banks and eBay work like this. They don’t have information on their laptops or desktops. They operate remotely out of data centers. Once we get there, you won’t need to track the computer due to information security issues, only from an asset management point of view.

Right now, if someone steals a VA computer that has been encrypted, it’s less of a concern. It is unfortunate that we’ve lost a piece of equipment that might be worth $1,500, but at least we don’t have concerns about veterans’ personal information being compromised. This condition exists with VA computers right now.

By the way, we are looking to improve our asset management as well. For example, we have the capability to disable a Blackberry remotely if it’s lost. This is the way we want to operate.

Q: In the VA facilities—both health care and administrative locations—are there bandwidth problems that you have with all of the equipment items co-mingling in close confines?

A: First of all, we know full well that the future is in the wireless arena. We need to begin doing better at adopting wireless methods of operations.

The problem we have though is an infrastructure problem. Even wireless takes infrastructure. You can’t operate wireless in a building unless the building is properly configured and this is the problem. If someone were to ask me how much money it would take to completely outfit all of the facilities within the VA so you could operate remotely—I don’t have the answer. A study has not yet been done and the study itself would be very expensive. To have a contractor go through each facility and get a good handle on what it would take to get the wireless infrastructure would take time and money. That being said, we know we have to do it. The situation is worrisome because the price tag will be rather stiff.

Bar code technology, for example, operates in a wireless environment. The doctors are pushing for this capability. As we bring forward this great technology, we also need to bring the infrastructure ahead of it.

Q: Turning from technology for a minute. Do you have to compete with the private sector for the skilled people you need to maintain and advance IT within the VA?

A: It is very tough, particularly in the [Washington] D.C. area. We have difficulty attracting really good, talented people because of the obvious salary base. The other thing is that government organizations get a lot of scrutiny, much more so than private sector. These jobs can be very difficult.

Keeping good people onboard is difficult. The money being one issue and the other, for those higher in the organization, is functioning within the beltway. With everything that goes on, it’s difficult. It requires a pretty thick skin.

We do have a bonus arrangement in place to try and address some of the money issues, but that’s about it.

Q: Is there anything else you would like to add?
 
A: Yes, I would like to say that, in spite of everything I’ve told you, it’s remarkable how dedicated the folks are here at the VA. We just had a big conference in Jacksonville, Fla., on information security—INFOSEC 2007. We had almost 1,000 attendees. Security and privacy officers from throughout the VA were there. The secretary came down, as did a key doctor from the research side to talk about the changes taking place in the research arena on the protection of information.

The bottom line is that you could really sense the energy in that room.

They are all very dedicated to trying to improve the IT situation. You just can’t say enough about them. Their efforts mean that we will be successful. There is nothing that will happen without good people. You can encrypt everything in sight, but if your people are not engaged, it isn’t going to happen. ♦
