Centralization Reborn
As a result of recent data breaches, proponents of centralization have gained ground in the long-running battle for control of information technology at the Veterans Affairs Department.
In the long-running battle for control of information technology at the Veterans Affairs Department, proponents of centralization have gained ground as a result of the May 3 theft of a laptop containing personal information on tens of millions of veterans and military personnel.
But centralization won't take hold easily in a department that since the early 1990s has managed technology principally at levels below headquarters. For example, the Veterans Benefits Administration, one of three that constitute the department, wrested control over data processing facilities. "VBA was having trouble delivering benefits, and the reason was the central organization was not paying attention to them," says a former VBA official.
Today it's centralization advocates who hold the advantage and can claim a martyr in Pedro Cadenas, the VA chief information security officer who resigned June 29. He left saying he never had the authority he needed. "If [VA] wants to hire security people, they need to let them do their job," he said.
VA spokesman Matt Burns says Cadenas "was trying to deflect attention from his own shortcomings." But Cadenas gained a bit more sympathy from House Veterans Affairs Committee Chairman Steve Buyer, R-Ind., who said at a June 29 hearing, "You know what-I can't blame the guy for resigning." Buyer has been a persistent VA centralization proponent.
Cadenas was not among Secretary James Nicholson's inside circle. According to Cadenas, he and Nicholson met only once, at a social event, where Nicholson's reaction was to say he had heard that Cadenas' job was important. Cadenas was not included in planning meetings the VA held to prepare for Buyer's hearing, even though the result was a June 28 memo giving added cybersecurity powers to the VA chief information officer, to whom Cadenas reported. Among powers granted to the CIO was the authority to cut off network access for employees at the three administrations.
The June 28 memo extends unprecedented powers to the agency's CIO, but the effort faces a fight in a culture resistant to centralization, say many agency observers. "The VA had to react in some fashion in order to look like they were aggressively mitigating and addressing the issue," says a House staffer who would speak only on background.
In October 2005, Nicholson signed a memo moving the IT function to a compromise "federated" model whereby the CIO will own the entire department's IT operations and maintenance functions but not application development, which remains at the administrations. Critics of the shift say the emphasis on reorganization is excessive. Supporters argue that an ingrained culture of circumventing rules makes a hard realignment necessary.
Although the CIO was empowered by the 2005 directive to oversee budgets for application projects, that was not enough for former CIO Robert McFarland, who left in late April amid bitter internal fighting. Resistance to increasing the CIO's authority-even to the federated model-extends to the highest executive levels, McFarland says. "I really rubbed the culture wrong," he adds. "There were times when it was so contentious that it was impossible to work effectively." Critics complain of an abrasive management style and say McFarland tried to effect change mostly by working with Rep. Buyer rather than VA officials. Buyer sponsored legislation giving the CIO power over all IT functions. Although his bill passed the House unanimously in November 2005, it has stalled in the Senate Veterans Affairs Committee. Sen. Larry Craig, R-Idaho, chairman of the panel, wants VA to sort out for itself its governing model, says committee spokesman Jeff Schrade. Referring to centralization and decentralization, Schrade says, "These kinds of tugs of war go back and forth in agencies and Congress."
Whether or not a more powerful CIO would have prevented the laptop theft-which took an unexpected turn June 29 when federal officials announced its recovery-is debatable. "It may have. But then again, it may not have," says the House staffer, who supports centralization. The employee whose laptop was stolen had written permission to install data analysis software for use at home, and gained authorization to access Social Security numbers, although he apparently did not follow a departmental requirement to encrypt sensitive information. "The hard work is the people in the organization," says a VA official.
The federated model's prospects are complicated by internal politics, the official says. For example, during the data theft crisis, political appointees mostly shut out civil servants, and now they are steering four positions created by the federated model at the Veterans Health Administration. The jobs appear to be wired for four people who were appointed mostly as acting deputy executive directors within the federated organization in April. They are based in Fresno, Calif.; Brooklyn, N.Y.; Vancouver, Wash.; and Long Beach, Calif. Job descriptions for permanent executive directors and the deputy CIO correlate to those locations. "Yeah, funny that," says one who requested anonymity. A former official calls the move a mistake because of the appearance of impropriety.
The four officials in question are knowledgeable and experienced, McFarland says. "I didn't write the job descriptions. Somebody in the HR department is going to have to comment on that," he says.
Dispersing key executive positions of the new federated CIO shop across the country is necessary, says McFarland. The department's IT infrastructure is scattered nationwide; even as VA consolidates its organization, it need not consolidate people, he says. "Managing a nationwide infrastructure does not require any one particular place. . . .That's part of the VA's problem," McFarland adds. "They're trying to put in too many things focused on Washington management."