Weak data-security at the FBI network

30/05/2007 Written by Martin Arnsteiner

A new report con­cern­ing the state of secu­rity at the FBI net­work was cre­ated in April and released yes­ter­day. US inde­pen­dent audit office (Gov­ern­ment Account­abil­ity Office –GAO) accuses heavy lacks in the con­fig­u­ra­tion of the inter­nal police net­work FBI.

The FBI has closed com­puter net­works, in which infor­ma­tion about all aspects of the police work is exchanged. The GAO found out with its exam­i­na­tion that the inter­nal data secu­rity pro­grams are incom­plete and insuf­fi­cient. The audit office stated that the net­work and the devices are not con­fig­ured cor­rectly to pre­vent unau­tho­rized data access. In some places the FBI missed to restrict access checks and to grad­u­ate the access autho­riza­tions to safety level of the users. Because of this, user data could have been accessed although they were not allowed to do so.

Fur­ther on, the fed­eral police failed in using strong encryp­tion tech­niques in order to pro­tect their data. Also soft­ware patches for servers and work­sta­tions have been imple­mented too slowly by the FBI Admins, whereby well-​known safety gaps had remained longer open in the sys­tems than necessary.

A very sub­stan­tial point of crit­i­cism in the report deals with “weak­nesses”, which became unfor­tu­nately vir­u­lent in times of free offi­cial data gath­er­ing: inter­nal log­ging and observ­ing of the own accesses to sen­si­tive data. The report con­cludes: “If you sum­ma­rize all the found weak­nesses there is an increased risk, that data could be given to unau­tho­rized per­son­nel or data being manipulated.”

The audit office rec­om­mends the FBI to con­vert their own IT-​security poli­cies with the nec­es­sary consequence.