A Review of FBI Security Programs
A Review of FBI Security Programs
A Review of FBI Security Programs
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
some <strong>FBI</strong> personnel routinely chose not to upload certain information into ACS. For<br />
instance, it is common knowledge within the Bureau that the New York Field Office (NYFO)<br />
generally refuses to upload certain types <strong>of</strong> national-security information. NYFO<br />
intelligence agents have confirmed that this is the case. In 1995, NYFO personnel were<br />
asked to assess ACS as a pilot system before it was deployed, and they developed significant<br />
concerns about security. An intern from the Massachusetts Institute <strong>of</strong> Technology was<br />
given ordinary user access and challenged to discover system vulnerabilities. In an<br />
afternoon, the intern accessed a number <strong>of</strong> restricted files.<br />
NYFO intelligence agents have also long worried that, if they were to upload all caserelated<br />
information, as required, not only would restricted files be at risk <strong>of</strong> compromise, but<br />
information contained in unrestricted files viewed in the aggregate might create complete<br />
pictures that should not be disseminated throughout the Bureau. These agents also believe<br />
that it is possible to ascertain user passwords by employing ACS system tools.<br />
Skepticism about ACS security is not limited to NYFO. At the Engineering Research<br />
Facility, a program manager operating a Top Secret/SCI program noted that his unit does not<br />
upload into ACS even sanitized versions <strong>of</strong> the unit’s reports. Instead, the unit uploads only<br />
verification that a report exists and requires that prospective readers request the report in<br />
hard copy. Personnel in the Washington and Indianapolis field <strong>of</strong>fices also expressed<br />
concerns about uploading classified information into ACS, particularly asset information, and<br />
<strong>of</strong>ten they do not upload that information.<br />
Several ACS users described a common situation that could result in the inadvertent<br />
exposure <strong>of</strong> files intended to be restricted. Documents uploaded to ACS may be attached to<br />
multiple case files. Frequently, a document is sent to a substantive case file, which may be<br />
restricted, and to an administrative file, which <strong>of</strong>ten is not. Thus, the uploaded document is<br />
restricted when serialized in the substantive case file, but not when serialized in the<br />
unrestricted administrative file. For example, NYFO intelligence agents pointed out that<br />
classified information from the Washington Field Office’s annual asset reports can be found<br />
-44-