GAO says FBI's critical networks vulnerable to misuse

Published 31 May 2007

The FBI has made important strides since 2002 in securing its networks; the GAO says that sensitive and critical information transmitted on these networks is still not secure

In the old days they said “Physicians, heal thyselves.” Nowadays they would say: “Intelligence and law enforcement organizations, implement IT security programs and critical network enhancements.” This, more or less, is what the Government Accountability Office (GAO) is telling the FBI. In a recent report, the watchdog organization charged the FBI with failing to fully implement its IT security program, with the result that critical networks for exchanging law enforcement information remain vulnerable to misuse or interruption.

FBI officials, responding to the GAO report, accepted many of the report’s recommendations but disputed the GAO’s characterization of the risk associated with failing to implement the IT security program. The FBI pointed to various measures it has implemented during the past five years to bolster its network and IT security, highlighting, for example, the establishment of a 24-hour security watch center.

FBI CIO Zalmai Azmi said that since the FBI activated the Information Assurance Section of its Security Division in April 2002, that organization has brought the bureau from the status of having only 8 percent of its IT systems accredited to having 100 percent of its systems accredited, as required by the Federal Information Security Management Act (FISMA).

The audit agency provided a separate classified report in addition to its public report, which is titled “Information Security: FBI Needs to Address Weaknesses in Critical Network.”

Washington Technology’s Wilson Dizard reports that the GAO found that the FBI failed consistently to:

* Configure network devices and services to prevent unauthorized insider access and ensure system integrity

* Identify and authenticate users to prevent unauthorized access

* Enforce the principle of least privilege to ensure that authorized access was necessary and appropriate

* Apply strong encryption techniques to protect sensitive data on its networks

* Log, audit, or monitor security-related events

* Protect the physical security of its network

* Patch key servers and workstations in a timely manner

“Taken collectively, these weaknesses place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau’s vulnerability to insider threats,” according to the GAO.