Preston Gralla

Seeing Through Windows

FBI infrastructure: Less secure than your corporate network

The FBI doesn't use even the most basic network security techniques, such as protecting against insider threats, patching its servers, or using strong encryption techniques, according to a report from the federal Government Accounting Office (GAO). In fact, if the report is to be believed, the FBI's network appears to be less secure than your corporate network.

The GAO conducted a security assessment for one of the FBI's critical networks, and the results weren't pretty. The FBI, it found, didn't properly authenticate users, log and audit security-related events, protect the physical network, use strong encryption, or patch servers and workstations in a timely way.

The end result, the report notes, is that "Taken collectively, these weaknesses place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau’s vulnerability to insider threats."

Why is the FBI behind the eight ball here? The GAO report is scathing. It concludes the FBI has "an outdated risk assessment, incomplete security plan, incomplete specialized security training, insufficient testing, untimely remediation of weaknesses, and inadequate service continuity planning."

If the people in charge of the FBI's network worked in the private sector, they'd probably be thrown out on their ears.

Making things worse is that these problems have been known literally for years. Back in 2001, the FBI discovered that agent Robert Hanssen had exploited the FBI's information security weaknesses and sold information about the FBI’s most sensitive espionage investigations. Right after that, a commission studied the FBI's security program and "found significant deficiencies in bureau information security policies and practices," according to the GAO.

Not much, apparently, was done.

In 2005, the U.S. Secret Service and the CERT Coordination Center did another security study and found that "insiders pose a substantial threat by virtue of their knowledge of, and access to, employer systems and/or databases."

What was done? You guessed it. Not much.

Now we have yet one more report coming to the same conclusion. Given the general level of mediocrity of the people who have run federal agencies over the last several years, don't expect anything to be done in response to this most recent report. When it comes to Washington these days, one thing is clear: There's no such thing as accountability.
