Info security a low priority for FBI, report finds
- By William Jackson
- May 30, 2002
The report says of convicted spy Robert Hanssen: 'It does not appear that Hanssen possessed system administrator access or that he hacked into any files.'
A study of Robert Hanssen's exploits at the FBI faults the bureau for a 'pervasive inattention to security' and a culture that views information security as an impediment.
The renegade agent's espionage 'demonstrated in a public and convincing way that the bureau's information systems security controls are inadequate,' concluded the new report from an independent commission headed by former FBI and CIA director William H. Webster.
But the commission also found that even eight months after Hanssen's arrest, following the Sept. 11 terrorist attacks, senior FBI officials often lifted access restrictions to the bureau's Automated Case Support system, a primary source of Hanssen's stolen information. The controls apparently slowed investigation of the World Trade Center and Pentagon bombings.
'The decision to loosen ACS restrictions was made essentially without the involvement of the Security Countermeasures Branch,' said the report, A Review of FBI Security Programs.
Attorney general John Ashcroft ordered the study in March of last year, following Hanssen's arrest on charges of selling information to Russia.
Commenting on ACS and the bureau's Trilogy program to upgrade information and telecommunications systems, the commission concluded that Trilogy is underfunded and that 'key security enhancements will not be implemented through the project' but added on later.
The FBI did not respond to specific findings of the report. In a statement, FBI director Robert S. Mueller called it 'instructive on the importance and urgency with which the FBI must treat its security.
'I agree we have much more to do, but I am confident we are on track to accomplish what this report envisions.'
The bureau created ACS, deployed in 1995, to serve as a central repository for unclassified and secret case information. It incorporated systems for case indexing and management and document retrieval. Files can be restricted several ways.
'When used properly, restrictions appear to bar unauthorized access effectively,' the report said.
But ACS was so difficult to use and users so untrained that some information posted to case files with restricted access was routinely cross-posted to administrative files without restrictions.
No hacking
That was how Hanssen, using only his ordinary ACS rights, accessed thousands of files in which he had no legitimate interest.
'It does not appear that Hanssen possessed system administrator access or that he hacked into any files,' the report said.
Hanssen also used ACS to look for indications that he was under investigation. His searches could have alerted an auditor, but computer logs rarely were reviewed.
Prior to Hanssen's arrest, many FBI agents hesitated to use ACS because of its security flaws, the commission said, and faith in it might now be fatally undermined.
The Trilogy update is unlikely to soothe those concerns. The report quoted a senior FBI information officer as comparing the bureau's systems to 'an old car broken down in a ditch.'
No state-of-the-art IT
The report concluded that 'the purpose of Trilogy is to get the old car out of the ditch, not to provide the FBI with state-of-the-art information systems.'
The unclassified version of the commission's report can be found on the Web at www.usdoj.gov/05publications/websterreport.pdf
Besides Webster, the commission included former Army secretary Clifford L. Alexander; former attorney general Griffin B. Bell; former Defense secretary William S. Cohen; Robert B. Fiske Jr., former independent counsel for the Whitewater investigation; former House speaker and ambassador to Japan Thomas S. Foley; and former Housing and Urban Development secretary Carla A. Hills.
William Jackson is a freelance writer and the author of the CyberEye blog.