Former VA exec discusses agency's security

14.07.2006
Bruce Brody served as the associate deputy assistant secretary for cyber and information security at the Department of Veterans Affairs (VA) between 2001 and 2004. It was a role, he said this week, that had very little real authority or enforcement clout because of the highly decentralized nature of the agency and a fierce cultural resistance to central authority.

Brody testified recently before Congress on the topic following the VA's massive security breach in May. In an interview with Computerworld, Brody -- currently a lead security analyst at Reston, Va.-based consultancy Input -- talked about the report by the inspector general (IG) on the agency's security breach. Excerpts from that interview follow:

What do you think of the IG's report? This is what I expected from a number of standpoints. It is stuff that had to be said, and I compliment the IG for pointing fingers at some of the right issues. But it is a little underwhelming. This is very typical of the VA IG. If you go back to 2003 to the MS Blaster malicious attack, and if you read the IG's report, it points fingers at all the symptoms instead of all the underlying causes. When you point at symptoms like fragmented security policies -- there's a reason why security policies are fragmented, and those need to be highlighted so they can be eliminated.

[This report] points fingers at all the symptoms instead of all the underlying causes. The IG did not write about the root cause of the problem and did not say what they are doing to fix the problem.

Why are security policies so fragmented? What are the underlying causes? The reason is the [VA's] general counsel wrote two memos in August of 2003 and April 2004 that fragmented security at the VA into little stovepipes and fiefdoms. In August 2003, I asked the general counsel for his opinion on who had responsibility under the Federal Information Security Management Act (FISMA) for information security. The opinion came back that information security and all other functions were to remain with their respective organizations. So that made it fragmented.

In April 2004, the question I asked was whether the CIO had authority to enforce security under FISMA, and the general counsel said the CIO had no authority at all and Congress was absolutely livid. The [opinions] were very protective of the existing culture and, obviously, that is the core problem. That is the part the IG missed for the second time in as many crises.

What exactly happened with the Blaster report? The IG concluded that the central office, when it issued directions to patch all the systems in the enterprise, did not convince everybody that they were serious. Think of how ludicrous that is. That office had no authority. You can read the general counsel's memo on the subject. Not only that: When you issue memos to patch your system and nobody does it, doesn't that tell you that you have cultural problems there? I had authority to fix about 1,000 workstations that at the time were under me. The department had about 250,000 systems. I know that Blaster savaged the VA network, but the people managing those networks got off without even a slap on their wrists.

What impact do you think the latest report will have? The No. 1 root cause is the culture of decentralized authority and a fierce resistance to centralized authority. I didn't see that really highlighted. What this report is going to do is stimulate administrative changes that will result in a few people at headquarters being forced into retirement. That does not change the culture.

The latest report specifically points to lapses on the part of the information security office. Shouldn't they take at least some of the responsibility? The fact of the matter is that office has no authority and the IG knows it. What they are looking for are convenient people to hang this on. The information security office had nothing to do with this.

So in your opinion what are the changes that really need to be made? I said in my testimony that it will take five things. The most important of those is you take away all executive bonuses in that department -- effective yesterday -- on a guilty-until-proven-innocent basis. You only allow those bonuses to be issued to senior executives when the environment that the executive has purview over receives a clean bill of health from a competent security authority. That would be No. 1. Do it today. No. 2, they need an under secretary-level CIO so that the CIO is co-equal with the cultural custodians that are the other under secretaries. That person needs a full and formal seat at the executive table in all the decision-making matters. There are a variety of other things. I would certainly establish a massive effort where I send teams out to check if security policies are being properly implemented. Decades and decades of neglect and a fierce resistance to centralized authority are the root causes for this.