FBI takes on systems security demons
- By Wilson P. Dizard III
- Sep 25, 2003
If the FBI is to meet the challenge of becoming a counterintelligence hub for homeland defense'a mission spawned by the Bush administration's war on terrorism and a string of reputation-shattering spy cases'the bureau must revamp its systems to assure data is accessible but not easily misused.
Bureau officials believe they are on the right path with the FBI Technology Infusion Program.
According to a security strategy the bureau released to GCN, the FBI plans to apply tightened security rules under a defense-in-depth approach, 'where there does not exist any single safeguard or point-of-failure between the user and the information.'
The bureau also intends to centralize communications and the configuring, monitoring and management of software and hardware in use across the FBI.Not so fast
But bureau critics voiced skepticism of the plan.
The challenge of operating in a world where the FBI shares intelligence with many other agencies is huge, said James Carafano, a senior research fellow at the Heritage Foundation of Washington.
'We are basically using the same counterintelligence tools we have always used, which were designed to look internally,' the former federal prosecutor said. 'There really is no national counterintelligence strategy that is designed to look holistically at everyone we share information with and the ways the system can be infiltrated and abused.'
In its security strategy, the FBI said it will use contractors to support an Enterprise Security Operations Center that will continuously monitor the bureau's IT infrastructure. The center will provide vulnerability scanning and intrusion detection, as well as threat tracking, the bureau said.
The center will work in parallel with the bureau's Enterprise Operations Center, which monitors 'the health and welfare as well as maintenance of the FBI IT infrastructure. The ESOC, by contrast, will provide the key security functions needed to assure the confidentiality, integrity and availability of the FBI IT infrastructure,' the bureau said.
To help it meet the goals in its plan, the FBI recently awarded Lockheed Martin Corp. a five-year, $140 million contract to overhaul security on the bureau's systems and networks. Under the contract, the company's IT division will build a new enterprisewide security architecture.Who's got clearance?
But a source close to the bureau's IT staff questioned whether the FBI supervisors would have the expertise to manage the contract staff. 'The question is, will the FBI be able to enforce the requirement that every Lockheed Martin employee be cleared at the top-secret level? The department lacks the human resources to check the work of its contractors,' the source said.
FBI spokesman Paul Bresson said that although security clearances 'sometimes do represent a challenge,' the bureau is 'adequately addressing' the contractor management issue.
In its description of security upgrade plans, the FBI said it would establish accountability for systems use by authenticating all users who access the bureau's information assets. The security plan lays out a role-based access control policy where classified data is available to users on a need-to-know basis.
But the source said the FBI's automated case file system lacks these security features. The loopholes allowed former FBI agent Robert J. Hanssen to breach FBI systems and manipulate files during his spy career [GCN, Aug. 25, Page 12]. And, the problems still persist, the source said.
Other agencies, such as the Social Security Administration and State Department, have implemented methods to monitor employees' use of their systems. State has been able to detect unusual access patterns in its Consular Lookout and Support System since the mid-1990s.
Similarly, SSA monitors its employees' access to Social Security files and has nabbed employees accessing files to capture and sell Social Security numbers.
Track record is an issue for the bureau, Carafano said. 'The FBI has yet to demonstrate that it can manage a sophisticated IT modernization program,' he said. 'Right now, it is clear there is a long way to go.'
The FBI must deal with personnel and cultural issues as well as technology issues as it seeks to improve its systems security, and Carafano predicted it would take years to upgrade the bureau's security skills and technology adequately.
'If you look at the FBI's enterprise architecture, that appears to make sense. But the devil is in lots and lots and lots of details,' he said. 'These are less leadership than management issues, and the FBI's track record in that is not good.'