A Review of FBI Security Programs
A Review of FBI Security Programs
A Review of FBI Security Programs
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>FBI</strong> contemplates that security features in existing networks and systems will migrate to their<br />
upgraded successors. New hardware and s<strong>of</strong>tware implemented through Trilogy will come<br />
with limited built-in security features, and an effort, called Information Assurance, is<br />
underway to propose additional security features for the upgrade.<br />
<strong>FBI</strong> Trilogy personnel originally anticipated that the upgrade would take<br />
approximately three years to implement. Because <strong>of</strong> pressures to complete the upgrade more<br />
quickly, an aggressive schedule was devised to implement Trilogy in about two years, by<br />
June 2003. The project was proceeding according to this schedule when in October 2001,<br />
the Bureau’s Director ordered that the schedule be compressed. At present, two <strong>of</strong> Trilogy’s<br />
three components are scheduled to be completed by July 2002, and the third, by February<br />
2003.<br />
A program manager has told Commission staff that security concerns have gained<br />
prominence in the Trilogy upgrade in the wake <strong>of</strong> Hanssen’s espionage, although the<br />
principal focus <strong>of</strong> the program is still clearly operational. The focus on functional<br />
improvements – “getting the old car out <strong>of</strong> the ditch” – confirms that priority will be given<br />
to operational needs. In addition, given the accelerated Trilogy schedule, design and time<br />
constraints will not permit the <strong>FBI</strong> to focus on security enhancements. It is common in the<br />
computer industry for security measures to fall by the wayside when schedules are<br />
compressed. However, given the <strong>FBI</strong>’s current computer security posture, the present course<br />
is problematic; even the very rush to complete the upgrade project could enable a<br />
compromised insider to introduce holes in the system that could be exploited later.<br />
Already, the Trilogy staff has determined that key security enhancements will not be<br />
implemented through the project. Proposed Information Assurance (IA) security<br />
enhancements, which may or may not address many security needs, are not included within<br />
the plan and will have to be integrated into the Trilogy infrastructure later. Currently, these<br />
measures have not received funding, though it may be imminent, albeit at only fifty-five<br />
-50-