Full Committee Hearing

Information Security – Part III

Date: September 23, 1998
Time: 10:00am
Location: Senate Dirksen Building, SD-342
Agenda:

On September 23, 1998, the Full Committee examined whether private information held by the Federal government – information relating to one’s identification, finances and health – is susceptible to unauthorized access and manipulation by computer “hackers.” The hearing discussed all Federal agencies, and GAO released its report, Information Security: Serious Weaknesses Place Critical Federal Operations and Assets at Risk, at the hearing, but the main focus was on the Department of Veterans Affairs and the Social Security Administration.

The Committee first heard testimony from James Huse, Acting Social Security Administration (SSA) IG, and Edward Ryan, Special Agent in Charge, New York field office, SSA IG. Experts say most computer crime is committed by employees authorized to use the system. Huse and Ryan discussed criminal cases where SSA employees, including field office benefit authorizers and claims handlers, stole or illegally manipulated data on SSA computers. They focused on a series of prosecutions known as “Operation Pinch,” where 14 corrupt SSA employees were recently convicted for their part in a widespread credit card fraud ring centered in New York. IG agents were able to determine that the SSA employees sold identity information on 20,000 people whose credit cards were fraudulently activated by a West African crime ring, resulting in bank losses of at least $70 million.

The Committee then heard from GAO witnesses Gene Dodaro, Bob Dacey, and Keith Rhodes regarding overall computer security in Federal government agencies, and specifically about GAO’s assessment of computer security and the results of penetration testing performed at SSA and VA. During the penetration testing at VA, GAO was able to gain the level of access that would have allowed them to alter, disclose or delete sensitive information, such as financial data and personal information on veterans’ medical records and benefit payments. The most disturbing fact is that GAO’s penetration went undetected because the VA does not have a monitoring system. The penetration testing of the SSA exposed vulnerabilities in the SSA’s computer system to both external and internal intrusions. These types of weaknesses place private information at risk: Social Security numbers, earnings, disabilities, and benefits.

The Committee also heard from Administration witnesses, Harold Gracey, Acting Assistant Secretary for Information & Technology, Department of Veterans Affairs; and John Dyer, Principal Deputy Commissioner, Social Security Administration. Both Mr. Gracey and Mr. Dyer admitted their agencies have weaknesses and each stated that their agency will do everything to address GAO’s recommendations.