A Review of FBI Security Programs

More documents

Recommendations

Info

is a good first step toward enhancing the role and visibility of the security program. The Bureau must, however, fully staff and implement the proposed program. 33 The Commission recommends that the FBI consolidate in the Office of Security all security functions now spread across Headquarters and the field. The FBI’s security program, in sharp contrast to other agencies’ security organization, is fragmented, with responsibilities residing in eight Headquarters divisions and fifty-six field offices. Many agencies within the Intelligence Community have consolidated their security programs to effectuate a Defense-in-Depth strategy, under which all aspects of security (for example, personnel and INFOSEC programs) are part of an integrated program. Best practices in the Intelligence Community separate information systems security from day-to-day computer operations. The Office of Security is the logical focal point for efforts to ensure the security of the Bureau’s information systems. It should be responsible for validating security measures to ensure the confidentiality, integrity, and availability of intelligence information and for all operations that protect information and information systems, including intrusion detection, vulnerability assessments, real-time auditing and monitoring, and incident response. 34 The Commission also recommends that the Office be responsible for security at Headquarters and Quantico, including responsibility for FBI police, access control, construction design security, technical surveillance countermeasures, and physical and Security Division also represents the Bureau on multi-agency committees on security. 33 Under the restructuring, the Security Division and the Counterintelligence Division, which is responsible for conducting counterespionage investigations, will report to different Executive Assistant Directors. It is critical that these Divisions work together on current and proactive internal espionage investigations. 34 DOJ’s Security and Emergency Planning Staff (SEPS) is responsible for developing security policy and overseeing its implementation in Department components, such as the FBI. Although we have not examined SEPS in detail, the program seems to suffer from many of the structural weaknesses that led us to recommend creation of an Office of Security in the Bureau, weaknesses such as inadequate resources and insufficient stature within the Department’s structure. We recommend that the Department address this issue. -93-
technical security countermeasures. The FBI should follow the lead of other agencies and consolidate within the Office of Security responsibility for initial background investigations for new employees, contractors, and linguists, as well as periodic re-investigations. The polygraph component of the clearance process should be placed within the Office of Security. Finally, the FBI must enhance within the Office integrated information tracking and analytical capabilities. Unlike other federal agencies, the Bureau is unable to conduct indepth analyses of personnel data to identify potential counterintelligence concerns or anomalies that could result in the compromise of sensitive information. The ability to perform this function depends on the creation and maintenance of databases to collect security information, as well as automated tools to extrapolate and interpret that data. The Analytical Integration Unit (AIU) established by the Security Countermeasures Branch in May 2001 is a positive first step toward developing this capability. The Unit was initially created to analyze potential derogatory information about personnel with access to the Bureau’s most sensitive information. Eventually, the AIU will be responsible for integrating security information with counterintelligence, resolving anomalies, analyzing problem cases and performing detailed financial analysis. Bureau management anticipates that the AIU will be responsible for reporting programs covering financial disclosures, foreign travel, foreign contacts, outside employment and roommates. We endorse the enhancement of this Unit. II. Responsibility For Security Policy Should Be Vested In The Office of Security And Managed By A Security Policy Board The FBI’s approach to security policy has been as fragmented as its security programs. Because no single component is responsible for policy, critical gaps in security programs have developed. Some of the more severe weaknesses result from unwritten security policies, often implemented without input from the Security Countermeasures Branch. The Office of Security should be responsible for ensuring that FBI components -94-
Page 1 and 2:
U.S. Department of Justice A Review
Page 3 and 4:
Commission for the Review of FBI Se
Page 5 and 6:
Contents Executive Summary ........
Page 7 and 8:
The Commission for the Review of FB
Page 9 and 10:
in FBI security programs that will
Page 11 and 12:
Unlike other Intelligence Community
Page 13 and 14:
INTRODUCTION I could have been a de
Page 15 and 16:
un by an officer in the Soviet mili
Page 17 and 18:
establishment, U.S. penetration of
Page 19 and 20:
operatives he had exposed as double
Page 21 and 22:
Hanssen was indicted on twenty-one
Page 23 and 24:
een transferred to FBI Headquarters
Page 25 and 26:
Gardens. The rebellious colonies di
Page 27 and 28:
Furthermore, in spite of Hanssen’
Page 29 and 30:
others.” In calling for the estab
Page 31 and 32:
have discovered in FBI security pro
Page 33 and 34:
The following is a compressed compi
Page 35 and 36:
I. Security Investigations And Adju
Page 37 and 38:
DOCUMENT SECURITY I. Classified Na
Page 39 and 40:
of Central Intelligence Directives
Page 41 and 42:
II. The Office of Security Should D
Page 43 and 44:
INFORMATION SYSTEMS SECURITY (INFOS
Page 45 and 46:
Robert Hanssen’s espionage demons
Page 47 and 48:
een filled, the persons assigned of
Page 49 and 50:
with the preliminary damage assessm
Page 51 and 52:
FBI was investigating him. 13 While
Page 53 and 54:
focus. 14 As a result of inadequate
Page 55 and 56:
in unrestricted administrative case
Page 57 and 58: On October 3, 2001, an Electronic C
Page 59 and 60: senior FBI officials responsible fo
Page 61 and 62: percent of the amount sought. 16 Th
Page 63 and 64: information security policies that
Page 65 and 66: PERSONNEL SECURITY I think that [my
Page 67 and 68: The Commission conducted a detailed
Page 69 and 70: The PSU is also responsible for adm
Page 71 and 72: Unit for new applicants, the Person
Page 73 and 74: various elements is spread througho
Page 75 and 76: addressed. These interviews are ess
Page 77 and 78: identified, these individuals can b
Page 79 and 80: overextended and potentially at ris
Page 81 and 82: The FBI’s polygraph program was i
Page 83 and 84: awareness programs relating to poly
Page 85 and 86: DOCUMENT SECURITY Security was lax
Page 87 and 88: Much of Robert Hanssen’s espionag
Page 89 and 90: Room. In the same year, the FBI Mai
Page 91 and 92: Given the ubiquity of ACS, Headquar
Page 93 and 94: (SCI). Before being given access to
Page 95 and 96: eceived in the wake of recent terro
Page 97 and 98: under minimum security controls. Th
Page 99 and 100: carriers receive timely security cl
Page 101 and 102: with the true scope of improper act
Page 103 and 104: SECURITY STRUCTURE . . . [I]f I had
Page 105 and 106: In general, we found serious weakne
Page 107: executive will ensure constant focu
Page 111 and 112: Eighty-five percent of those office
Page 113 and 114: months training in investigations,
Page 115 and 116: accounts cancelled. A six-hour secu
Page 117 and 118: Unfortunately, reporting to securit
Page 119 and 120: security violations should be subje
Page 121 and 122: and training. -106-
Page 123 and 124: Robert Hanssen’s treachery is hei
Page 125 and 126: Glossary of Acronyms Acronym ACS AD
Page 127 and 128: Acronym GSR HERU HIT HCS HQ HUMINT
Page 129 and 130: Acronym OPM OPR OPSEC ORCON OSI OST
Page 131 and 132: COMMISSION CHARTER
Page 133 and 134: time equivalent government personne
Page 135 and 136: WILLIAM H. WEBSTER, the Commission
show all

A Review of FBI Security Programs

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?