New VA CIO comes under microscope amid allegations of cronyism, mismanagement

2013_11_warren Stephen “Steph” Warren, CIO, Dept. of Veterans Affairs.

Stephen Warren, the new chief information officer at the Department of Veterans Affairs, is coming under increasing scrutiny as Congress seeks answers to hundreds of questions about the agency’s IT security protections.

A spokesperson for VA confirmed to FedScoop that since Oct. 23, the agency has received nearly 400 questions from the House Committee on Veterans’ Affairs Subcommittee on Oversight and Investigations, which has launched a sustained inquiry into VA IT security protections in the aftermath of a series of hacker intrusions in 2010 by at least nine nation state-supported hacker groups.


“We take this matter seriously and intend to work with the committee,” the spokesperson said in a statement. “Given the volume of requests, it will take time to provide accurate and thorough information.”

But FedScoop’s investigation into the contentious relationship between VA and the Republican-controlled House shows there are as many questions about VA’s IT management and leadership as there are about the technical vulnerabilities that may continue to put at risk the personal information of millions of veterans and their families.

And the common thread shared by all these questions is Stephen “Steph” Warren.

Who is Steph Warren?

In interviews with a half dozen former senior VA officials, all of whom spoke on condition of anonymity because they currently provide consulting services to the federal government, two competing portraits of Warren emerge.


Supporters of Warren describe a highly intelligent, skilled federal manager who has become the unfortunate focus of a political witch hunt. His detractors, however, paint a picture of a senior IT leader who rules by fiat, can be condescending to staff and disdainful of congressional authority, and has maintained an unusually close and questionable relationship with the VA’s Office of the Inspector General.

So who is Steph Warren and is he being treated fairly? VA did not respond to FedScoop’s request to interview Warren for this story.

Sources, who spoke to FedScoop on condition of anonymity, said the congressional investigation into VA’s IT security posture has nearly crippled the 8,000-strong IT organization at the agency. And while senior officials on Capitol Hill said the list of “yes or no” questions should be easy to answer, one former official characterized the current situation as a “lockdown.”

“The organization is frozen by the need to protect Warren,” said a former senior IT official who’s had direct interactions with Warren. “I’m astounded by his lack of respect for members of Congress,” the source added, referring to Warren’s inability or unwillingness to answer congressional questions about information security at VA during a hearing in June.

It was at that hearing some say Warren came dangerously close to perjury when he attempted to answer questions about an earlier statement by VA Secretary Eric Shinseki that “VA security posture was never at risk” during the time period when multiple state-sponsored hacker groups are known to have penetrated the VA network. Warren, who helped write the statement for Shinseki, took responsibility for what he characterized as vague language.


“I was not clear in my language,” Warren told the committee. “And I take ownership of that.”

A question of style

A former assistant secretary at VA characterized Warren as a “very smart, very effective federal leader who definitely has the big picture.” But where Warren can often get in trouble is usually a question of personal style, the official said.

“He has stylistic concerns,” the official said, summing up Warren’s shortcomings to an overly intellectual approach to the issues and to interpersonal relationships. “Some people interpret his responses as condescending,” the official said. “He doesn’t always have patience for others.”

But some credit Warren, along with Roger Baker, former CIO at VA and Warren’s former boss, with dismantling what they described as nothing short of a criminal enterprise.


“There were literally pyramid schemes in place,” said the former assistant secretary, referring to past relationships between former senior IT officials and the contractors who supported the agency. “Roger and Steph broke up that whole corrupt practice and forced IT contractors to deliver on time and on budget. The IT enterprise went kicking and screaming, and I’m sure there are still those that are disgruntled. For better or worse, Steph bears the brunt.”

But another senior official who has since left the agency for the private sector characterized the leadership environment throughout OIT and OIG as management by “intimidation and cronyism” and accused Warren of creating a culture of fear to get his way.

“Steph tends to use the IG instead of management” to overcome serious challenges, the official said.

And that can be problematic, said the former assistant secretary. “The VA inspector general has the most broad law enforcement authority in the government. They can come and arrest me or you,” the official said.

But another official claims Warren has forged a close working relationship with the VA’s IG office by pushing IT contracts through for IG that were not subject to onerous security assessments or evaluations for enterprise architecture compliance.


“The OIG … thought they were independent. Steph cut the deal so they have been protecting each other,” the official said.

Surprisingly, Warren was the subject of a March 2010 IG investigation into improper travel reimbursements, but seems to have avoided punishment.

The investigation, obtained by FedScoop, shows Warren improperly charged the federal government for more than $2,000 in travel expenses for a personal vacation he took in 2008 with his wife and other family members to the U.K. aboard the Queen Mary II.

Emails obtained by the IG showed although Warren had scheduled business meetings in the U.K. during the trip, his wife had informed a friend the couple would be staying at the Plaza on the River in London “courtesy of the USGovt.”

Warren did not seek reimbursement for his tickets aboard the Queen Mary II, but he did request and receive reimbursement for $1,260 covering five nights of lodging in London and Scotland, for which he could only produce receipts totaling $785.84. He also requested and received $857.25 per diem.


The IG report concluded Warren “misused travel funds when he improperly sought reimbursement for lodging and per diem while on personal travel” and recommended to VA it force Warren to pay back the money. The report, however, did not require the agency to inform the IG of what corrective actions were taken.

The spokesperson for VA did not address FedScoop’s questions about what, if any, corrective actions were taken in the matter.

The former assistant secretary who knows Warren was “shocked” by news of the investigation and said they knew nothing of it until now. “He’s the last person I would expect to have done something like that. It just doesn’t make sense.”

The incident seems to be part of a long history of management problems that exist throughout VA. Congress is currently investigating two agency events held last year near Disney World in Orlando to the tune of more than $6 million, including $154,000 in travel reimbursements for contractors and more than $37,000 in travel for VA employees who arrived in Orlando early or stayed longer than necessary.

A former senior official attributed many of the problems to the size of the VA bureaucracy and poor leadership at the levels below Shinseki. It is “very difficult to institute and enforce agencywide policies,” the source said.


Peter Levin is one of the few Warren defenders who was willing to go on the record for this story. Levin, former chief technology officer at VA, said there’s “not a shred of truth” to any of the allegations of mismanagement by Warren. “Any implication that Warren is not in charge or anything other than an effective manager is nonsense,” Levin said.

Levin also took issue with those who have claimed there are serious IT security problems at VA. “The VA system is extremely secure. It is not perfectly secure, but I would have answered [Congress’] questions exactly the same way,” he said, referring to Warren’s June testimony before the House.

Levin said he is “infuriated” by what he characterized as a typical Washington political witch hunt.

“Steph works around the clock. He gets a lot done,” said the former assistant secretary. “He may have dug in his heels. After all, he knows there are snipers on the roof.”

Latest Podcasts