Another Government Computer Security Breech – FBI

Except this time, it looks like there was incompetence in the FBI that prompted the security breech.

A government consultant, using computer programs easily found on the Internet, managed to crack the FBI’s classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.

The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused.

Just so there is no misunderstanding (though I’m sure there will be lots of bad articles and conjectures on this), this was not an Internet hack into the system, but rather a government contractor encouraged to hack the system by a local FBI office. This system is an intranet, physically separated by encryption from the Internet, similar to the military SIPRNET. But all the physical separation is useless if there is someone on the inside.

Colon, 28, an employee of BAE Systems who was assigned to the FBI field office in Springfield, Ill., said in court filings that he used the passwords and other information to bypass bureaucratic obstacles and better help the FBI install its new computer system. And he said agents in the Springfield office approved his actions.

The incident is only the latest in a long string of foul-ups, delays and embarrassments that have plagued the FBI as it tries to update its computer systems to better share tips and information. Its computer technology is frequently identified as one of the key obstacles to the bureau’s attempt to sharpen its focus on intelligence and terrorism.

It is difficult separating need-to-know from the increasing availability of information for those with access to classified material.

An FBI spokesman declined to discuss the specifics of the Colon case. But the spokesman, Paul E. Bresson, said the FBI has recently implemented a “comprehensive and proactive security program” that includes layered access controls and threat and vulnerability assessments. Beginning last year, all FBI employees and contractors have had to undergo annual information security awareness training.

Colon pleaded guilty in March to four counts of intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States. He could face up to 18 months in prison, according to the government’s sentencing guidelines. He has lost his job with BAE Systems, and his top-secret clearance has also been revoked.

I put this into the category of “the stupid shall be punished,” or maybe the unlucky.

The bottom line here is that the FBI’s supposedly secure law enforcement classified intranet was easily hacked by support personnel with the assistance of local FBI officials. And what is happening to them, as they were equally as culpable? A letter of reprimand? This was an inside job. But I wonder whether some drug cartel with huge amounts of cash hasn’t managed to do something similar. They have managed to buy off Police Departments in the Southwest, if Rep. Tom Tancredo (R-CO) is to be believed.

Bottom of the barrel: When I bounced this against a computer security friend of mine who works government systems, he responded “So a guy named Colon found the FBI’s backdoor?”

UPDATE (James Joyner): Dan Drezner observes, “The administration seems to be obsessed with protecting data from journalists. I’d much prefer it if they were obsessed with protecting their data from hackers.” While this is a bit unfair–this sort of thing is rather below the span of control of the president and his cabinet–the overall sentiment is right. We’ve had enough incidences of these breaches now that improved measures are needed, pronto.

FILED UNDER: Science & Technology, Terrorism, Uncategorized
Richard Gardner
About Richard Gardner
Richard Gardner is a “retired” Navy Submarine Officer with military policy, arms control, and budgeting experience. He contributed over 100 pieces to OTB between January 2004 and August 2008, covering special events. He has a BS in Engineering from the University of California, Irvine.

Comments

  1. Matt says:

    At least the guy’s a contractor.

    I heard a VA official being interviewed the other day and he said the person who took the laptop home with all of the veterans’ data couldn’t be fired at this point because of civil service rules.

  2. DC Loser says:

    The insider threat is always the greatest threat to sensitive computer systems.

  3. S.M. Stirling has an interesting alternate history time line series of books that bears on this. It assumes southern diehards go to South Africa after the ‘late unpleasantness’, start up an empire and by the time of WWII are a major force that leaves them and the US in a permanent cold war. In the series, he postulates the development of computer technology where the ability to prevent hacking was considered the prime requirement for computers. All programs the computer would use were installed in the factory on a ROM (that is read only memory, so no chance to ever change or upgrade). Obviously that slows computer development. But the hacking would then be shifted to trying to get “back doors” into the factory ROM. Once you had one, the security procedures that prevented hacking would also mean that every machine had to be scrapped since there was no way to put in a workaround or update the ROM.

    Testing out systems and finding vulnerabilities like this are what you are supposed to do before going operational. It shouldn’t be done on the instigation by a lone local agent, but that probably speaks more about bureaucratic inability to explore potential problems at the central office than anything else.

  4. kent says:

    That’s “breach.”

    Unless there is a loaded meaning I’m missing. 😉