Internal FBI Systems Remain at Risk

Computerworld - More than a year after the arrest of Robert Hanssen, the most damaging FBI mole in history, the bureau's security apparatus remains "at substantial risk," according to Kenneth Senser, the FBI's assistant director for security. Senser conveyed that assessment at a Senate Judiciary Committee hearing earlier this month.

Hanssen used his access to the FBI's Electronic Case File system, which contains classified information about ongoing FBI investigations, to check whether the FBI had been alerted to his espionage activities. Hanssen conducted those activities on behalf of Russia in exchange for $1.4 million in cash and diamonds.

Since Hanssen's arrest, the FBI has taken steps to enhance audit procedures for its internal computer systems, including reviewing all major case files to see who has had access to them and for what purpose, said Senser. Case agents involved in the most sensitive investigations are now responsible for resolving any unexplained file-access incidents.

"Initiation of this process is an excellent start but remains inadequate," Senser told the committee in written testimony. A new system, the Case Document Access Report (CDAR), will facilitate the case auditing process and provide the case agent and the agent's supervisor more oversight capabilities, said Senser. The CDAR is scheduled to be deployed soon.

The FBI has also moved forward on a program called Trilogy, which is designed to improve security within the bureau's overall IT backbone. As part of this architecture, the FBI plans to identify a baseline for conducting information assurance procedures and deploying tools to identify unusual activity and system vulnerabilities.

Senser's testimony came less than two weeks after an independent commission studying the Hanssen case issued its report on improving FBI security. The commission, headed by former FBI director William Webster, identified multiple shortcomings in the FBI's IT security infrastructure, including the following:

• The lack of a strategy to identify and protect critical information from insider threats.



• Classified information being stored on widely used systems.



• Failure to limit user access to sensitive databases.



• Inadequate physical security.



• Sporadic reviews of system audit logs.