Cyber Eye: The trick to security: Make it easy
The case of rogue agent Robert Hanssen shows that the FBI apparently forgot two basic rules of intelligence.
The first rule: Never trust a spy; they're sneaky. The second: Information security must be user-friendly or the users won't use it.
A commission headed by former CIA and FBI director William H. Webster spent a year examining bureau security measures after Hanssen's arrest in February 2001. The commission reported that Hanssen gathered most of his information from the Automated Case Support system, developed in 1995 to store all FBI case files, including intelligence cases.
Although file access can be restricted to those with a need to know, Hanssen had little trouble browsing thousands of files he had no legitimate reason to see.
'It does not appear that Hanssen possessed system administrator access or that he hacked into any files,' the commission concluded. He got in because ACS is so user-unfriendly and agents so poorly trained that they just didn't bother to restrict files.
'Many, particularly at headquarters, are unaware that the restriction capability even exists,' the commission said.
The New York field office refused to upload certain information because it worried about ACS security. Instead of uploading reports, one program manager at the FBI's engineering research facility merely filed notices that hard copies of reports were available, the commission found.
Things got worse after Sept. 11. Senior FBI managers removed access restrictions on many cases because the restrictions were hindering investigators.
Even if the bureau were to reinstate restrictions, the commission said, 'returning these cases to their previous security status has been likened to putting toothpaste back into a tube.'
The maddening part is that ACS access restrictions apparently work fine. But they're hard to use, and agents responsible for filing cases aren't trained about them.
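The failure the commission describes is a design choice, not a broken control: ACS made need-to-know an opt-in flag the filer had to remember to set, so a forgotten flag failed open. The following is an added illustration, not code from ACS or from the commission's report; the case numbers, agent names and the "restricted" flag are hypothetical. It contrasts that opt-in model with a default-deny model where only agents assigned to a case can read it, and it also shows the one record a system needs if lifting restrictions in bulk (as the bureau did after Sept. 11) is ever to be reversed.

```python
"""Opt-in restriction versus need-to-know by default.

Added illustration only; not FBI or ACS code. All case IDs, agent
names and policies here are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class CaseFile:
    case_id: str
    assigned: frozenset          # agents with a need to know for this case
    restricted: bool = False     # opt-in flag the filer must remember to set


def can_read_opt_in(agent: str, f: CaseFile) -> bool:
    """ACS-style policy: any authenticated agent can read a file unless the
    filer explicitly restricted it. A forgotten flag fails open."""
    return (not f.restricted) or agent in f.assigned


def can_read_need_to_know(agent: str, f: CaseFile) -> bool:
    """Default-deny policy: only agents assigned to the case can read it.
    There is no flag for the filer to forget."""
    return agent in f.assigned


def browse(agent: str, files, policy) -> list:
    """Return the case IDs the agent could open under the given policy."""
    return [f.case_id for f in files if policy(agent, f)]


def lift_restrictions(files) -> list:
    """Clear every opt-in flag, but return the IDs that were restricted so
    the step can be undone. Without that record the prior state is gone."""
    lifted = [f.case_id for f in files if f.restricted]
    for f in files:
        f.restricted = False
    return lifted


def reinstate(files, lifted) -> None:
    """Re-apply the flags recorded by lift_restrictions()."""
    ids = set(lifted)
    for f in files:
        if f.case_id in ids:
            f.restricted = True


# Constructed sample store: only the filer of CI-0003 remembered the flag.
CASES = [
    CaseFile("CI-0001", frozenset({"alice"})),
    CaseFile("CI-0002", frozenset({"bob"})),
    CaseFile("CI-0003", frozenset({"bob"}), restricted=True),
    CaseFile("CT-0004", frozenset({"alice", "bob"})),
]

if __name__ == "__main__":
    # "mallory" is assigned to nothing; under opt-in she still sees 3 of 4.
    for name, policy in (("opt-in", can_read_opt_in),
                         ("need-to-know", can_read_need_to_know)):
        print(f"{name:13s} mallory sees {browse('mallory', CASES, policy)}")
```

Under the opt-in policy an agent assigned to no case at all reads every file whose filer skipped the flag; under the default-deny policy the same agent reads nothing, and no training about a restriction feature is needed. The reinstatement helper only restores the flags; it does nothing about what was already read while they were down, which is the commission's toothpaste point.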
There almost always is a trade-off between security and performance or convenience. Users have to learn to live with that trade-off. But if it gets too hard to live with, they will find a way around it or do without it.
At that point, investing in security becomes a wasted effort, sometimes with tragic results.