FBI relies on outdated security guides, sources say

One of the FBI's most pressing reasons for seeking a case management system to replace the antiquated Automated Case Support system: Robert Hanssen, the former agent now serving a life sentence for treason.

Hanssen exploited the system's poor security to track his pursuers. His sophisticated use of ACS helped him evade capture when he sold secrets to Moscow.

But the Virtual Case File project the bureau planned as ACS' replacement also suffered from severe security weaknesses, according to IT experts close to the program.

During its development of VCF, the FBI relied primarily on two manuals that together govern bureau security procedures. The Manual of Investigative Operations and Guidelines (MIOG) sets rules for investigations, and the Manual of Administrative Operations and Procedures defines methods of running the FBI's internal affairs.

The FBI issued its first edition of the investigative manual in January 1978 and has updated it frequently since then, most recently in November.

But the bureau has not brought IT security up to current standards in either of the two manuals, sources said.

'The FBI was working off an old manual,' said one IT professional who used the investigative manual. Parts of the manual's security sections dated back to 1995, the source said, and those sections were still in use five years later.

'The MIOG was their only approved document for policy,' the IT professional said. 'They have an excellent security staff that is trying to get the bureau updated, but they are so far behind.'

Because FBI officials relied on the two manuals to evaluate and approve changes and upgrades that would have improved VCF's security, the system's security features did not include recently developed technologies.

For instance, Hanssen was able to smuggle some of the most sensitive secrets he stole out of FBI headquarters on electronic media that exploited the extra, unused space in files and on disks. Routine manipulation of the files and disks would not have shown that they contained any data, much less secret data, according to subsequent analyses.

'MIOG was written for their mainframes,' the IT analyst said of the FBI's security guidelines. 'The risks and vulnerabilities have changed, but they have an old-school mentality.'

The FBI's Security Division is developing an updated security manual that will address more current vulnerabilities, an FBI official said.

Additionally, the bureau's desire to avoid leaks has hobbled its ability to adopt new technology. For example, the FBI recently began using a proprietary hardware search engine from Google Inc. of Mountain View, Calif. Other agencies in the intelligence community adopted the technology more than a year ago.

But FBI officials held up the certification and accreditation of the Google search engine hardware because they were concerned that it would be too effective in ferreting out information that had been improperly entered into the bureau's systems, a bureau IT official said.

'To me, that's a red herring,' another official said.
