Former VA exec discusses agency's security

14.07.2006
Bruce Brody served as the associate deputy assistant secretary for cyber and information security at the Department of Veterans Affairs (VA) between 2001 and 2004. It was a role, he said this week, that had very little real authority or enforcement clout because of the highly decentralized nature of the agency and a fierce cultural resistance to central authority.

Brody testified recently before Congress on the topic following the VA's massive security breach in May. In an interview with Computerworld, Brody -- currently a lead security analyst at Reston, Va.-based consultancy Input -- talked about the report by the inspector general (IG) on the agency's security breach. Excerpts from that interview follow:

What do you think of the IG's report?

This is what I expected from a number of standpoints. It is stuff that had to be said, and I compliment the IG for pointing fingers at some of the right issues. But it is a little underwhelming. This is very typical of the VA IG. If you go back to 2003 to the MS Blaster malicious attack, and if you read the IG's report, it points fingers at all the symptoms instead of all the underlying causes. When you point at symptoms like fragmented security policies -- there's a reason why security policies are fragmented, and those need to be highlighted so they can be eliminated.

[This report] points fingers at all the symptoms instead of all the underlying causes. The IG did not write about the root cause of the problem and did not say what they are doing to fix the problem.

Why are security policies so fragmented? What are the underlying causes?

The reason is the [VA's] general counsel wrote two memos in August of 2003 and April 2004 that fragmented security at the VA into little stovepipes and fiefdoms. In August 2003, I asked the general counsel for his opinion on who had responsibility under the Federal Information Security Management Act (FISMA) for information security. The opinion came back that information security and all other functions were to remain with their respective organizations. So that made it fragmented.

In April 2004, the question I asked was whether the CIO had authority to enforce security under FISMA, and the general counsel said the CIO had no authority at all and Congress was absolutely livid. The [opinions] were very protective of the existing culture and, obviously, that is the core problem. That is the part the IG missed for the second time in as many crises.