A critical Federal Bureau of Investigation network for sharing law enforcement and investigative information is at risk of being misused or having its services interrupted, according to an audit released this week.
The Government Accountability Office report (PDF) on an unnamed FBI “critical network” says that the FBI’s failure to fully implement information technology security requirements left weaknesses in the network which “place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau’s vulnerability to insider threats.”
The report specifically mentioned Robert Hanssen, an FBI agent who used his insider access to obtain and sell secrets to the Soviet Union, saying that the weaknesses in the network could allow another insider to commit similar espionage. Hanssen relied on technology weaknesses to obtain his information, which resulted in many FBI agents working overseas being executed. Hanssen is now serving a life sentence without possibility of parole.
But the FBI’s chief information officer, responding to the report, said that the network weaknesses did not constitute an unacceptable risk of disclosure or unauthorized use.
The audit found that “FBI did not consistently (1) configure network devices and services securely to prevent unauthorized insider access; (2) identify and authenticate users to prevent unauthorized access; (3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; (4) apply strong encryption techniques to protect sensitive data on its networks; (5) log, audit, or monitor security-related events; (6) protect the physical security of its network; and (7) patch key servers and workstations in a timely manner.”
In a separate classified report, GAO made specific recommendations on how to better secure the network.
“Today, when an FBI agent sits down at her desk and logs on to the computer, she is connected at the ‘secret’ level to a fast, secure system that allows her to send e-mails, photographs and documents to any other agent or analyst in the Bureau — across the country and around the world,” FBI director Robert S. Mueller III told Congress last year.
“For ‘top secret’ communications, we have deployed the Top Secret/Sensitive Compartmented Information Operational Network, or SCION. Nearly 4,000 personnel have been trained on the SCION and associated Intelligence Community systems. This system is the backbone for FBI personnel to coordinate, collaborate, disseminate and conduct research on analysis with the Intelligence Community.”
The FBI’s Investigative Data Warehouse, part of its Trilogy IT modernization project, allows virtually every FBI agent to access almost a billion counterterrorism and law enforcement records from what used to be several dozen discrete databases.