29 May 2007

FBI Network Insecurity

The Government Accountability Office (GAO) released a report on an audit it conducted of security on one of the FBI's networks earlier this year. It found a number of problems, which is not surprising. The Bureau has made a significant effort to improve network security in the last few years, just as it has worked hard to improve its computer operations in general. To the Bureau's credit, the CIO. Zalmai Azmi, concurs with much of what GAO wrote. His disagreement with the report can be regarded as a matter of interpretation: "The FBI does not agree that it has placed sensitive information at an unacceptable risk...." The key word is "unacceptable," which is one of those words that looks different in the eye of each beholder.

The reaction of the FBI Public Affairs Office is another matter. The press release gives the impression that the GAO ignored vigorous efforts by the FBI to fix the problems. Indeed, the first paragraph gives the impression that the FBI was on top of the problems even before GAO looked at them. It was not. The awareness of security is growing at the Bureau, but the bureaucracy--renowned even in the Federal government for moving like sludge--makes it difficult to make bureau-wide improvements. Security policies are incomplete or poorly enforced. As the report states, patch management is ineffective. Again, as the report states, some of the prerequisites for effective security are not in place. A prime example is the absence of either an up-to-date risk assessment or a complete inventory of what is on the network. In short, the FBI knows neither what it needs to protect nor what it needs to protect itself from. Moreover, the monitoring capability, cited by the CIO as one of the improvements made in the last few years, is being dismantled. That is hardly the sign of an agency taking proactive steps to improve network security.

The progress the Bureau has made in recent years to secure its networks has been significant. Some strong measures have been taken; awareness of the need for security has spread, most significantly, among people working on the networks. What the GAO report points out is that much remains to be done. The risk may or may not be unacceptable. It is higher than it should be, particularly for an agency like the FBI.

No comments: