Despite changes and improvements made since the terrorist attacks in the U.S. on Sept. 11, 2001, core parts of the U.S. Federal Bureau of Investigation (FBI)’s IT infrastructure remain vulnerable, making it harder for field agents to help protect the nation from future threats.
That’s one of the main findings of an FBI information technology audit issued Tuesday by the Office of the Inspector General (OIG) in the U.S. Department of Justice, which has been studying the FBI’s progress in updating its IT capabilities.
The 178-page report said that 11 “major internal control weaknesses” were found in a 1990 audit and were “still applicable 12 years later,” including mainframe investigative systems that are “labour intensive, complex, untimely and non-user friendly.”
Although progress has been made in improving the security of investigative and administrative mainframe systems at FBI headquarters and at another data centre, additional security gaps remain, according to the latest audit. “These repeated deficiencies indicate that, in the past, FBI management had not paid sufficient attention to improving its IT program,” the audit said.
The OIG report recommends that the FBI take three steps to make additional improvements, including the development of specific procedures to follow up on past OIG audit recommendations and ensure that they are implemented to increase security and improve the resources available to FBI field agents. The OIG also called on the FBI to ensure that its new Automated Response and Compliance System database, which is used to track IT improvements and provide real-time status information to FBI executive managers, is kept up to date and can track needed improvements.
FBI managers must also be held accountable for taking corrective actions in the future to make sure the work is completed, the report said.
The OIG audit cited concerns about the agency’s IT security policies, procedures and standards; system and network backup and restoration controls; password and log-on management; system auditing management; and system patching.
The report labelled those security vulnerabilities as “high-to-moderate risk” flaws in the security of the FBI’s administrative and investigative mainframe computer systems.
Paul Martin, a deputy in the OIG’s office, said audits of the FBI and other federal agencies are conducted on a regular basis to provide oversight and perspective on progress being made within government departments. “We do believe strongly that the FBI needs to move into the 21st century, or even the 20th century, in order to equip (its) agents with the tools they need to do their jobs better,” he said. “They’re making strides, but they have further to go.”
Paul Bresson, an FBI spokesman, said the agency “agrees with many of the recommendations in the report.”
“Many of them, we’re already working on,” he said. “There are still deficiencies, but we have made significant progress over the years in upgrading our IT.”
The FBI has been working on an IT modernization project called Trilogy for several years. That effort involves upgrading the FBI’s hardware and software, networks and user applications. The ongoing project now has a price tag of about US$596 million, up from an expected cost of US$380 million. A key part of the project is the creation of a Web-based “Virtual Case File” case management system that will replace five existing investigative applications.