The Center for Education and Research in Information Assurance and Security (CERIAS)


Spafford recommends security infrastructure essentials to US congressional committee

Tue, June 27, 2006 (CERIAS Media Citings)

On June 22, CERIAS Executive Director Eugene Spafford testified before a congressional committee. The following piece, written by Sarah Lai Stirland, ran in Tech Daily.

    A former Veterans Affairs Department official on Thursday blasted the department for not centralizing its information security decision-making and enforcement responsibilities.

    "In a memo signed by general counsel in 2004, it was ordered that the chief information officer cannot assure information security rules and compliance," said Bruce Brody, VA's former associate deputy assistant secretary for cyber and information security. "The only thing he could do was to complain to the secretary."

    Brody, now a vice president with information security firm Input, was one of four panelists called to testify about the legal ramifications of the department's recent data breaches. The personal information of multiple millions of veterans and active-duty military is vulnerable as a result of careless handling by the department.

    The first well-known incident this year occurred when a report surfaced that a VA analyst had a work laptop stolen from his home. The computer contained data on 26.5 million veterans.

    "These memos actively capture and convey the spirit of the department," Brody added, characterizing it as bureaucratic and resistant to change.

    The result was a fragmentation of authority to enforce compliance with federal computer security laws, he said. "The mismatch of CIO and [chief information security officer] authority is harmful and needs to be fixed to prevent further problems."

    Like other departments, the VA must comply with privacy law as well as the Federal Information Security Management Act. The second law requires agencies to report to Congress and the White House quarterly and annually to certify that they have vetted and inventoried their systems. They also must train their staffs in information security awareness.

    A high-profile Purdue University computer science professor who is an expert on information security backed Brody.

    "There is no centralized point of authority to ensure that rules, procedures and good practices are instituted and observed," Eugene Spafford said. "There is no centralized position that has all three components necessary to effectively manage information security: resources, accountability and authority."

    He said the authority to make changes to information security policies and to fire staff for bad behavior should be consolidated in one officer.

    "I just want to let you know, I got your message. I embrace it, and we as a committee are going to look at your recommendations," House Veterans' Affairs Committee Chairman Steve Buyer, R-Ind., told Brody.

    Buyer also said he was not satisfied with the department's announcement Wednesday that it will provide free credit monitoring for those affected by the data breach. Buyer and witnesses noted that potential identity thieves could create criminal records in addition to bad credit records for the affected individuals.

    Buyer also criticized the House Judiciary Committee for passing a bill, H.R. 5520, on Thursday. The bill would create a special office to deal with veterans' claims resulting from identity theft. He implicitly criticized the committee for moving the legislation without consulting his panel.

    "It's inconsiderate," he said.

—Sarah Lai Stirland, Tech Daily

The event was also covered in Computer World.