FBI IT Security Vulnerable To Insider Attack, GAO Finds

A GAO study of the FBI's IT security shows that the bureau has weaknesses that leave it wide open to insider abuses.
The FBI's internal security network is "ineffective" and leaves the agency vulnerable to an insider attack, according to a Government Accountability Office report issued Thursday.

The GAO, a federal agency that acts as the investigative arm of Congress, reported that security controls over the FBI's critical internal network were not up to the task of protecting the agency's information and information resources. Gregory Wilshusen, director of the GAO's Information Security Issues, concluded in a letter to Rep. James Sensenbrenner Jr. that the investigative agency has not implemented key safeguards.

The FBI, according to a statement from the GAO, agreed with many of the recommendations but disagreed with the "characterization of risk to its information" and noted that it has made significant strides in reducing risks. The GAO, however, stated that increased risks remain.

The GAO undertook the study at the request of the House Judiciary Committee.

"FBI information system security weaknesses have been exploited by insiders in the past," wrote Wilshusen. "The U.S. Secret Service, along with the CERT Coordination Center, studied insider threats, and stated in a May 2005 report that 'insiders pose a substantial threat by virtue of their knowledge of, and access to, employer systems and/or databases.' The espionage of Robert Hanssen, a former FBI agent, illustrated how an insider can take advantage of inadequacies in the bureau's information system security controls."

In a more recent case, Leandro Aragoncillo -- a career Marine who had served under two vice presidents in the White House and was an FBI analyst -- pleaded guilty to stealing information from the FBI's own database while on the job. His arrest marked the end of what prosecutors called a "criminal conspiracy against the United States that spanned the globe."

According to the GAO report, the FBI does not consistently configure network devices and services to prevent unauthorized insider access; identify and authenticate users to prevent unauthorized access; enforce the principle of least privilege to ensure that authorized access is necessary and appropriate; and apply strong encryption techniques to protect sensitive data. The report also shows that the agency failed to log, audit, or monitor security-related events; protect the physical security of its network; and patch key servers and workstations in a timely manner.

"Taken collectively, these weaknesses place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau's vulnerability to insider threats," wrote Wilshusen.

The FBI's security weaknesses existed, in part, because the agency has not fully implemented key information security program activities for the critical network reviewed, according to the GAO report.

"Shortcomings exist with certain program elements for the network, including an outdated risk assessment, incomplete security plan, incomplete specialized security training, insufficient testing, untimely remediation of weaknesses, and inadequate service continuity planning," the report stated. "Without a fully implemented program, certain security controls will likely remain inadequate or inconsistently applied."

The report went on to recommend eight steps the FBI should take to rectify its security problems, including developing a comprehensive inventory of the current network operating environment, updating the network security plan, ensuring that all network users receive security awareness training and that all users with significant security responsibilities receive specialized training, and correcting identified weaknesses in a timely manner.

"Until FBI ensures that the information security program associated with the network is fully implemented, there is limited assurance that its sensitive data will be adequately protected against unauthorized disclosure or modification or that network services will not be interrupted," the report concludes. "These weaknesses leave the bureau vulnerable to insider threats."
