The FBI has been given a dressing down by the US Government Accountability Office (GAO) over its network security.
In a report entitled "FBI Needs to Address Weaknesses in Critical Network", the GAO said that the FBI was not doing enough to guard its law enforcement data from insider threats.
The GAO had this to say about the spooks' security systems:
"Certain information security controls over the critical internal network reviewed were ineffective in protecting the confidentiality, integrity, and availability of information and information resources.
Specifically, FBI did not consistently (1) configure network devices and services to prevent unauthorized insider access and ensure system integrity; (2) identify and authenticate users to prevent unauthorized access; (3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; (4) apply strong encryption techniques to protect sensitive data on its networks; (5) log, audit, or monitor security-related events; (6) protect the physical security of its network; and (7) patch key servers and workstations in a timely manner. Taken collectively, these weaknesses place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau’s vulnerability to insider threats."
In a press release responding to the GAO criticisms, John Miller, FBI assistant director for public affairs, admitted that the dressing down was valid but said the FBI was already taking action on it:
"The majority of the issues and recommendations brought up in the GAO report have been previously identified by the FBI through our own audits and internal controls. The report omitted the fact that the FBI already has corrective action plans in place that proactively and aggressively address information security issues," said Miller.
Considering the number of attacks against governmental systems by hackers and by other governments, I wonder how much information has been compromised?