The Federal Bureau of Investigation's internal network security practices are a mess, according to a report by the General Accountability Office.
In a report released on Thursday, the GAO said "certain information security controls over the critical internal network reviewed were ineffective in protecting the confidentiality, integrity, and availability of information and information resources."
Given the FBI's history of information technology problems I suppose this isn't too surprising. However, you'd think the FBI would at least get security right. The GAO outlines a laundry list of failures.
Among them, the FBI failed:
- To configure network devices and services to prevent unauthorized insider access;
- To identify and authenticate users to prevent unauthorized access;
- To enforce the principle of least privilege to ensure authorized access was necessary;
- To use strong encryption techniques;
- To log, audit and monitor security events;
- To protect the physical security of its network;
- And to patch key servers in a timely manner.
Add these failures up and the FBI is highly vulnerable to insider threats, said the GAO. Overall, the FBI had developed an information security program aimed at preventing external attacks, but that program did not extend to the internal network the GAO inspected. The FBI's CIO and deputy CIO agreed with the GAO's technical recommendations, but argued that the weaknesses did not put sensitive data at risk.
The GAO said:
Shortcomings exist with certain program elements for the network, including an outdated risk assessment, incomplete security plan, incomplete specialized security training, insufficient testing, untimely remediation of weaknesses, and inadequate service continuity planning. Without a fully implemented program, certain security controls will likely remain inadequate or inconsistently applied.
The GAO said preventing insider threats is critical and cited former agent Robert Hanssen, who exploited the FBI's systems to track espionage investigations, as an example of what can go wrong.
The GAO recommended that the FBI director take the following remedial steps:
- Develop an inventory of the current network environment;
- Update the network's risk assessment;
- Develop technical standards for access control;
- Update the network security plan;
- Ensure all users have security awareness training;
- Correct identified weaknesses;
- And develop a continuity plan that addresses the network.