
Consumer Affairs

GAO: "Critical" Weaknesses In FBI Security Network



While the Federal Bureau of Investigation (FBI) has been busy extending its surveillance over Americans through the use of "national security letters" and stepped-up surveillance techniques, its own computer networks are increasingly vulnerable to attacks and critical misfires from both inside and out, a study finds.

A new report issued today by the Government Accountability Office (GAO) found that one of the computer networks the FBI uses to share information within its own ranks and among other law enforcement agencies had numerous weaknesses and problems that could seriously impair the FBI's ability to gather data in the event of a disruption.

"Certain information security controls over the critical internal network reviewed were ineffective in protecting the confidentiality, integrity, and availability of information and information resources," the GAO reported.

"These weaknesses existed, in part, because FBI had not fully implemented key information security program activities for the critical network reviewed...Without a fully implemented program, certain security controls will likely remain inadequate or inconsistently applied," the report stated.

The GAO had been commissioned by former House Judiciary chairman James Sensenbrenner to analyze the FBI's information security efforts as part of the agency's ongoing modernization and upgrading of its computer systems, dubbed "Trilogy."

The GAO report specifically referenced the case of former agent Robert Hanssen, who exploited his insider access at the agency to gain information on the FBI's high-level investigations, and sold the data to the Soviets for many years until he was caught in 2001.

Among the GAO's findings:

• The FBI did not adequately ensure that only authorized personnel had access to the network, increasing the likelihood that data could fall into the wrong hands.
• FBI information security officers allowed professionals higher levels of access to the network than they needed to do their jobs.
• The FBI failed to encrypt or protect sensitive information at many junctures.
• The agency did not have a "continuity of operations" plan in place in case the network suffered a failure or disruption.

In a response to the report (http://www.gao.gov/new.items/d07368.pdf?source=ra), FBI chief information officer Zalmai Azmi concurred with many of the recommendations the GAO made, but took exception to their characterization of the agency's security weaknesses.

"The FBI does not agree that it has placed sensitive information at an unacceptable risk of unauthorized disclosure, modification, or insider threat exploitation," Azmi wrote. "Since...the implementation of the Trilogy modernization effort, the FBI has made significant strides in reducing these risks."

Azmi had the dubious honor of presiding over the failure of the upgrade of the FBI's antiquated and burdensome "Virtual Case File" system. The upgrade, handled by defense contracting giant SAIC, cost taxpayers $170 million and produced a system that was deemed incomplete and unusable by internal audits.

The FBI continues to gamely press on with introducing high-tech elements to its crimefighting mandate, however. The agency is currently pushing ahead with plans to upgrade its biometric identification system and increase interoperability with similar programs in use at Homeland Security.
