A Review of FBI Security Programs

More documents

Recommendations

Info

FBI contemplates that security features in existing networks and systems will migrate to their upgraded successors. New hardware and software implemented through Trilogy will come with limited built-in security features, and an effort, called Information Assurance, is underway to propose additional security features for the upgrade. FBI Trilogy personnel originally anticipated that the upgrade would take approximately three years to implement. Because of pressures to complete the upgrade more quickly, an aggressive schedule was devised to implement Trilogy in about two years, by June 2003. The project was proceeding according to this schedule when in October 2001, the Bureau’s Director ordered that the schedule be compressed. At present, two of Trilogy’s three components are scheduled to be completed by July 2002, and the third, by February 2003. A program manager has told Commission staff that security concerns have gained prominence in the Trilogy upgrade in the wake of Hanssen’s espionage, although the principal focus of the program is still clearly operational. The focus on functional improvements – “getting the old car out of the ditch” – confirms that priority will be given to operational needs. In addition, given the accelerated Trilogy schedule, design and time constraints will not permit the FBI to focus on security enhancements. It is common in the computer industry for security measures to fall by the wayside when schedules are compressed. However, given the FBI’s current computer security posture, the present course is problematic; even the very rush to complete the upgrade project could enable a compromised insider to introduce holes in the system that could be exploited later. Already, the Trilogy staff has determined that key security enhancements will not be implemented through the project. Proposed Information Assurance (IA) security enhancements, which may or may not address many security needs, are not included within the plan and will have to be integrated into the Trilogy infrastructure later. Currently, these measures have not received funding, though it may be imminent, albeit at only fifty-five -50-
percent of the amount sought. 16 The approach to implementing IA technologies merits discussion. The IA Program will select a number of security technologies and then canvass prospective products and vendors. After evaluating products and vendors, Program managers plan to discuss with Trilogy computer scientists whether selected products are compatible with the Trilogy infrastructure in place at that point. A more effective approach would be for the Program to identify threats to information on systems upgraded by Trilogy and then select appropriate countermeasures to address the threats. This analysis should have been performed in the original Trilogy design process. If Trilogy, IA, and Security Countermeasures program managers do not coordinate effectively, the FBI faces a considerable threat of disjointed security countermeasures and wasted resources. The introduction of Trilogy alone will not improve the FBI’s security posture and will offer little to reduce the time between defection and detection of compromised employees. If the FBI decides to implement security countermeasures after Trilogy has been designed and deployed, it will face the difficult task of assessing whether the new security countermeasures comport with Trilogy system design and the security requirements of data owners. Moreover, subsequent security additions likely will require that the FBI re-certify and re-accredit computer systems, an expensive and time consuming operation. 17 16 The IA Program requested approximately $114 million and expects to receive roughly $64 million. Accordingly, a number of security tools originally sought will not be implemented. 17 As of September 2000, the FBI had certified and accredited eight computer systems. Bureau and DOJ security components were unaware that the FBI was operating more than these eight systems until a representative of the Information Resources Division testified before the Senate Select Committee on Intelligence in September 2000 that the FBI was operating at least fifty computer systems, of which approximately thirty processed classified information. The Bureau has since identified numerous additional systems, many of which contain classified information. -51-
Page 1 and 2:
U.S. Department of Justice A Review
Page 3 and 4:
Commission for the Review of FBI Se
Page 5 and 6:
Contents Executive Summary ........
Page 7 and 8:
The Commission for the Review of FB
Page 9 and 10: in FBI security programs that will
Page 11 and 12: Unlike other Intelligence Community
Page 13 and 14: INTRODUCTION I could have been a de
Page 15 and 16: un by an officer in the Soviet mili
Page 17 and 18: establishment, U.S. penetration of
Page 19 and 20: operatives he had exposed as double
Page 21 and 22: Hanssen was indicted on twenty-one
Page 23 and 24: een transferred to FBI Headquarters
Page 25 and 26: Gardens. The rebellious colonies di
Page 27 and 28: Furthermore, in spite of Hanssen’
Page 29 and 30: others.” In calling for the estab
Page 31 and 32: have discovered in FBI security pro
Page 33 and 34: The following is a compressed compi
Page 35 and 36: I. Security Investigations And Adju
Page 37 and 38: DOCUMENT SECURITY I. Classified Na
Page 39 and 40: of Central Intelligence Directives
Page 41 and 42: II. The Office of Security Should D
Page 43 and 44: INFORMATION SYSTEMS SECURITY (INFOS
Page 45 and 46: Robert Hanssen’s espionage demons
Page 47 and 48: een filled, the persons assigned of
Page 49 and 50: with the preliminary damage assessm
Page 51 and 52: FBI was investigating him. 13 While
Page 53 and 54: focus. 14 As a result of inadequate
Page 55 and 56: in unrestricted administrative case
Page 57 and 58: On October 3, 2001, an Electronic C
Page 59: senior FBI officials responsible fo
Page 63 and 64: information security policies that
Page 65 and 66: PERSONNEL SECURITY I think that [my
Page 67 and 68: The Commission conducted a detailed
Page 69 and 70: The PSU is also responsible for adm
Page 71 and 72: Unit for new applicants, the Person
Page 73 and 74: various elements is spread througho
Page 75 and 76: addressed. These interviews are ess
Page 77 and 78: identified, these individuals can b
Page 79 and 80: overextended and potentially at ris
Page 81 and 82: The FBI’s polygraph program was i
Page 83 and 84: awareness programs relating to poly
Page 85 and 86: DOCUMENT SECURITY Security was lax
Page 87 and 88: Much of Robert Hanssen’s espionag
Page 89 and 90: Room. In the same year, the FBI Mai
Page 91 and 92: Given the ubiquity of ACS, Headquar
Page 93 and 94: (SCI). Before being given access to
Page 95 and 96: eceived in the wake of recent terro
Page 97 and 98: under minimum security controls. Th
Page 99 and 100: carriers receive timely security cl
Page 101 and 102: with the true scope of improper act
Page 103 and 104: SECURITY STRUCTURE . . . [I]f I had
Page 105 and 106: In general, we found serious weakne
Page 107 and 108: executive will ensure constant focu
Page 109 and 110: technical security countermeasures.
Page 111 and 112:
Eighty-five percent of those office
Page 113 and 114:
months training in investigations,
Page 115 and 116:
accounts cancelled. A six-hour secu
Page 117 and 118:
Unfortunately, reporting to securit
Page 119 and 120:
security violations should be subje
Page 121 and 122:
and training. -106-
Page 123 and 124:
Robert Hanssen’s treachery is hei
Page 125 and 126:
Glossary of Acronyms Acronym ACS AD
Page 127 and 128:
Acronym GSR HERU HIT HCS HQ HUMINT
Page 129 and 130:
Acronym OPM OPR OPSEC ORCON OSI OST
Page 131 and 132:
COMMISSION CHARTER
Page 133 and 134:
time equivalent government personne
Page 135 and 136:
WILLIAM H. WEBSTER, the Commission
show all

A Review of FBI Security Programs

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?