
A Review of FBI Security Programs
Commission for the Review of FBI Security Programs
U.S. Department of Justice
March 2002

Commission for the Review of FBI Security Programs
United States Department of Justice
950 Pennsylvania Avenue, NW, Room 1521
Washington, DC 20530
(202) 616-1327 Main
(202) 616-3591 Facsimile

March 31, 2002

The Honorable John Ashcroft
Attorney General
United States Department of Justice
950 Pennsylvania Avenue, N.W.
Washington, D.C. 20530

Dear Mr. Attorney General:
In March 2001, you asked me to lead a Commission to study security programs within the Federal Bureau of Investigation. Your request came at the urging of FBI Director Louis Freeh, who had concluded that an outside review was critical in light of the then recently discovered espionage by a senior Bureau official.
In discharging my duties, I turned to six distinguished citizens as fellow Commissioners and to a staff of highly qualified professionals. I want to acknowledge the diligence with which my colleagues pursued the complex matters within our mandate. The Commission took its responsibilities seriously. It was meticulous in its investigation, vigorous in its discussions, candid in sharing views, and unanimous in its recommendations.
When I agreed to chair the Commission, you promised the full cooperation and support of the Department of Justice and the FBI. That promise has been fulfilled. I would like to thank the Department’s Security and Emergency Planning Staff for the expert help they gave us, and I especially commend the cooperation of Director Mueller and FBI personnel at every level, who have all been chastened by treachery from within.
I am pleased to submit the report of the Commission for the Review of FBI Security Programs.
Sincerely,
William H. Webster
Commission for the Review of FBI Security Programs
William H. Webster, Chairman
Commissioners
Clifford L. Alexander, Jr.
Griffin B. Bell
William S. Cohen
Robert B. Fiske, Jr.
Thomas S. Foley
Carla A. Hills

Commission Staff
Michael E. Shaheen Jr.
Director and Chief Counsel
Richard M. Rogers
Deputy Chief Counsel
George Ellard
Deputy Chief Counsel
Charles Alliman
Joshua G. Berman
Donald R. Bailey
Steven E. Baker
Thomas E. Boyle
Robert R. Chapman
David E. Conway
David H. Cogdell
Charles W. Dixon
Kevin A. Forder
Daniel W. Gillogly
Currie C. Gunn
William B. Hackenson
Zachary J. Harmon
Alan Hechtkopf
Terry J. Ihnat
Carl Jaworski
Wilbur J. Hildebrand, Jr.
Marcia Hurtado
Willard F. Kelchner
Michael D. Kushin
Dale Long
Daniel W. McElwee, Jr.
John W. Mildner
Marie A. O’Rourke
Gail A. Ospedale
Claudia Peacock
Iqbal N. Qazi
Kevin M. Reinhard
Stephen C. Stachmus
Cinthia Trask
Wayne A. Van Dine
Norman A. Van Dam
Contents
Glossary
Commission Charter
The Commission
List Of Appendices
The Commission for the Review of FBI Security Programs was established in response to possibly the worst intelligence disaster in U.S. history: the treason of Robert Hanssen, an FBI Supervisory Special Agent, who over twenty-two years gave the Soviet Union and Russia vast quantities of documents and computer diskettes filled with national security information of incalculable value.
As shocking as the depth of Hanssen’s betrayal is the ease with which he was able to steal material he has described as “tremendously useful” and “remarkably useful” to hostile foreign powers. Hanssen usually collected this material in the normal routine of an FBI manager privy to classified information that crossed his desk or came up in conversation with colleagues. Before going to some prearranged “drops” with Soviet and Russian agents, Hanssen would simply “grab[] the first thing [he] could lay [his] hands on.” In preparation for other acts of espionage, which he might have months to anticipate, Hanssen was more systematic. He was proficient in combing FBI automated record systems, and he printed or downloaded to disk reams of highly classified information. Hanssen also did not hesitate to walk into Bureau units in which he had worked some time before, log on to stand-alone data systems, and retrieve, for example, the identities of foreign agents whom US intelligence services had compromised, information vital to American interests and even more immediately vital to those whose identities Hanssen betrayed.
During our review of FBI security programs, we found significant deficiencies in Bureau policy and practice. Those deficiencies flow from a pervasive inattention to security, which has been at best a low priority. In the Bureau, security is often viewed as an impediment to operations, and security responsibilities are seen as an impediment to career advancement.
Until the terrorist attacks in September 2001, the FBI focused on detecting and prosecuting traditional crime, and FBI culture emphasized the priorities and morale of criminal components within the Bureau. This culture was based on cooperation and the free flow of information inside the Bureau, a work ethic wholly at odds with the compartmentation characteristic of intelligence investigations involving highly sensitive, classified information.
In a criminal investigation, rules restricting information are perceived as cumbersome, inefficient, and a bar to success. A law-enforcement culture grounded in shared information is radically different from an intelligence culture grounded in secrecy. The two will never fully co-exist in the Bureau unless security programs receive the commitment and respect the FBI gives criminal investigations. Even the latter, employing their own sensitive information and confidential sources, will benefit from improved security.
The focus on criminal investigations as the core function of the FBI and the perception of those investigations as the surest path to career advancement has had an important consequence: operational imperatives will normally and without reflection trump security needs. For instance, senior Bureau management recently removed certain security-based access restrictions from the FBI’s automated system of records, the principal computer system Hanssen exploited, because the restrictions had hindered the investigation of the terrorist attacks. This decision might make a great deal of sense operationally; however, it was made essentially without consulting the Bureau’s security apparatus. One result, surely unforeseen and unintended, was general access within the Bureau to information obtained through warrants under the Foreign Intelligence Surveillance Act. The use of that information in criminal investigations is tightly restricted by Constitutional considerations and Department of Justice guidelines. Highly classified FISA information, unidentified as to source and generally disseminated to FBI investigators, violates the basic security principle that such information should be circulated only among those who “need to know.”
Operational efficiency is important, especially when our country might be under terrorist siege, and tightening controls on classified information will come with a cost to efficiency and resources. With this in mind and recognizing that we cannot eliminate intelligence efforts directed against us, the Commission attempted to recommend changes in FBI security programs that will minimize the harm those who betray us can do and shorten the time between their defection and detection. Accordingly, the recommendations we make are intended to address significant flaws in the process through which the Bureau generates and implements security policy and protocols for classified information. We believe that, if these recommendations are followed, a workplace culture will be established that recognizes security lapses as significant, restricts access to particular items of classified information to those who need them to perform their jobs, and makes disloyal employees more quickly visible. If these goals are met, the FBI will strike a sound balance between security and operational efficiency.
To this end, we focused our investigation on four areas: the structure of the Bureau’s security programs and the policies and procedures designed to ensure the integrity of its personnel, information systems, and documents.
An important component of our work consisted of gathering information about security organization in other agencies so that we could incorporate into our recommendations “best-practices” within the Intelligence Community. Other agencies have substantially enhanced the responsibility and visibility of their security programs within the past few years, often as a consequence of intelligence penetrations. Although the FBI has begun to take steps to improve security, senior management has not fully embraced the changes necessary to bring Bureau security programs up to par with the rest of the Intelligence Community. In general, FBI security programs fall short of the Community norm.
To correct these deficiencies, the Bureau’s security function must be given stature, resources, and visibility, and Bureau senior management must commit to a security program as a core FBI function. Accordingly, our principal structural recommendation is that the FBI establish an independent Office of Security, led by a senior executive reporting to the Director, responsible for developing and implementing all Bureau security programs. The Office of Security must have the authority to take critical security issues to the Director and speak with the Director’s support.
The Commission also recommends that the FBI consolidate its security functions, which, in sharp contrast to other agencies, are fragmented, with security responsibilities spread across eight Headquarters divisions and fifty-six field offices. Consolidating security functions under a senior executive leading the new Office of Security will prompt management to focus on security, resolve conflicts between operational and security objectives, and foster Headquarters and field coordination.
The Bureau’s Office of Security must develop programs to address information system security. Presently, no unit within the FBI adequately addresses this function, a failure whose consequences can be seen in Hanssen’s perfidy. Bureau personnel routinely upload classified information into widely accessed databases, a form of electronic open storage that allows essentially unregulated downloading and printing. This practice once again violates the most basic security principle: only personnel with security clearances who need to know classified information to perform their duties should have access to that information. In spite of the practically unrestricted access many Bureau employees have to information affecting national security, the FBI lags far behind other Intelligence Community agencies in developing information security countermeasures. For instance, an information-system auditing program would surely have flagged Hanssen’s frequent use of FBI computer systems to determine whether he was the subject of a counterintelligence investigation.
We also recommend significant changes in the background investigations potential Bureau personnel undergo before receiving initial security clearances and in the periodic reinvestigations on-board personnel undergo for security concerns. We believe that all personnel should be subject to financial disclosure obligations and that those with access to certain particularly sensitive information and programs should take counterintelligence scope polygraph examinations during their reinvestigations.
Unlike other Intelligence Community agencies, the FBI does not foster the career development of security professionals. Security responsibilities are often foisted onto agents as collateral duties, which they eagerly relinquish to return to criminal investigations that promise career advancement. Career tracks should be developed for Security Officers to professionalize these positions and make them attractive.
Bureau security training programs for new agents and on-board personnel are also in great need of improvement. The new Office of Security must develop effective, mandatory security education and awareness programs for all personnel.
The Bureau does not have a viable program for reporting security incidents to Headquarters. Currently, several components play uncoordinated roles in detecting, investigating, and assessing security violations; no single entity has authority to coordinate, track, and oversee security violations and enforce compliance. The Bureau is unable to identify or profile components and personnel who engage in multiple security violations, even when they constitute a pattern. The new Office of Security must address these deficiencies.
The FBI’s approach to security policy has been as fragmented as the operation of its security programs. Because no single component is responsible for security policy, critical gaps in security programs have developed. Some of the weakest links in security have resulted from unwritten policies and from implementation of security policies without input from security program managers. The FBI should emulate other agencies by embedding security policy development into its management structure to ensure that security programs are recognized and respected and that security is not inappropriately sacrificed to operational objectives.
Our report is critical of the FBI and with justification. However, we recognize that the Bureau has taken many steps, in light of Robert Hanssen’s treason, to improve security. Furthermore, in consistently finding the Bureau’s security policy and practice deficient when compared with security at other entities within the Intelligence Community, we do not mean to single out the FBI for criticism. The security programs in most agencies to which we turned to develop a best-practices model have resulted from radical restructuring made necessary as one after another agency discovered that its core had been penetrated by disloyal employees working for foreign interests. Had the FBI learned from the disasters these agencies experienced, perhaps Hanssen would have been caught sooner or would have been deterred from violating his oath to the Bureau and his country. But it is equally true that, had those agencies learned from disturbing patterns of espionage across the Intelligence Community, other treacherous moles might have been caught or deterred. Consequently, in addition to the particular recommendations about Bureau policies we make in our Report, we also make a more global recommendation: a system should be established whereby security lapses in particular entities lead to improved security measures throughout the entire Intelligence Community.
In sum, we do not mean to gainsay the steps the Bureau has taken since Hanssen’s arrest to safeguard national security information. Many of those steps have been significant, as has the Bureau’s cooperation as we conducted our review. However, before the Bureau can remedy deficiencies in particular security programs, it must recognize structural deficiencies in the way it approaches security and institutional or cultural biases that make it difficult for the FBI to accept security as a core function.
I could have been a devastating spy, I think, but I didn’t want to be a devastating spy. I wanted to get a little money and to get out of it.
– Robert Hanssen
In March 2001, Attorney General John Ashcroft established a Commission for the Review of FBI Security Programs to analyze and recommend improvements to security programs within the Federal Bureau of Investigation. The review was occasioned by the discovery of espionage of perhaps unparalleled scope committed by Robert Hanssen, an FBI Supervisory Special Agent, who over a span of twenty-two years gave the Soviet Union and Russia vital information affecting United States security.1
1. The Commission assembled a staff of thirty-five persons, who over the course of a year conducted approximately four-hundred interviews, reviewed relevant material, and spoke with Hanssen on four occasions. The Commission met five times to take testimony, consult with staff, and prepare our report, the bulk of which can be found in classified appendices to the public report.
Hanssen began his Bureau career in January 1976 and served continuously as an FBI agent until his arrest in February 2001. For most of this time, Hanssen worked in the Bureau’s Intelligence Division, later known as the National Security Division, both at FBI Headquarters and in the New York City Office. In his capacity as an investigator and as a Bureau manager, Hanssen had access to the most sensitive classified information about the foreign intelligence and counterintelligence activities of the FBI and other agencies in the U.S. Intelligence Community.
In March 1979, Hanssen was detailed to the Soviet Counterintelligence Division within the Bureau’s New York City office to help establish an automated counterintelligence database. In the same year, he started to cooperate with Soviet intelligence after he had been assigned as a Special Agent to a Soviet Foreign Counterintelligence squad in New York. Hanssen claims that his motivation was economic: the pressure of supporting a growing family in New York City on an inadequate Bureau salary. His aim was to “get a little money” from espionage and then “get out of it.”
In 1979, Hanssen “walked” a document into the offices of a company in New York run by an officer in the Soviet military intelligence service. The document contained information about the Bureau’s penetration of a Soviet residential complex.
Hanssen made two other “drops” during this initial period of espionage, for which he received around $20,000. In a letter to the Soviets complaining that the first of three payments was insufficient, Hanssen revealed that he was an FBI agent. During one of these drops, he gave the Soviets a list of known and suspected Soviet intelligence officers that had come to him, in his words, “in the normal course of business,” which included supervising an automated data system and creating a monthly report summarizing his Division’s response to Soviet intelligence operations. Hanssen also identified a Soviet officer as “Top Hat,” a defector-in-place for the United States and the highest ranking military intelligence officer ever to spy for the West.2 Hanssen disclosed Top Hat’s identity because he feared that the Soviet officer might be a threat to him.
2. CIA counterintelligence officer Aldrich Ames disclosed Top Hat’s identity to the Soviets after Hanssen had done so. The Soviets executed Top Hat in 1986.
Hanssen communicated with the Soviets through encoded radio transmissions, using a “one-time pad,” a cipher he created himself and one that is practically unbreakable so long as each pad is random, at least as long as the message, and never reused.
When Hanssen was transferred to FBI Headquarters in Washington, D.C. in 1981, he cut off contact with the Soviets and told his wife, priest, and attorney about his espionage. Federal authorities were unaware of the first period of espionage before Hanssen began to cooperate with the government after his arrest.
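The following Python is an added illustration and is not part of the Commission’s report or of any material recovered from Hanssen. It shows why the one-time pad is unbreakable when used correctly, and how completely it fails when a pad is used twice: the XOR of two ciphertexts under the same pad equals the XOR of the two plaintexts, so anyone who knows or guesses one message recovers the other. The messages are constructed, and the pad source (the operating system’s random generator) is an assumption for the demonstration.

```python
import os


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data against the pad. The pad must cover the whole message;
    a pad that is stretched, repeated or recycled is no longer one-time."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message: a one-time pad may never be stretched")
    return bytes(d ^ k for d, k in zip(data, pad))


def new_pad(length: int) -> bytes:
    """A fresh pad from the OS CSPRNG (assumption for the example); used exactly once."""
    return os.urandom(length)


def encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return otp_xor(plaintext, pad)


def decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    # Decryption is the same XOR: (p XOR k) XOR k == p.
    return otp_xor(ciphertext, pad)


def two_time_pad_leak(c1: bytes, c2: bytes, known_plaintext1: bytes) -> bytes:
    """Attack on pad reuse: c1 XOR c2 == p1 XOR p2, so knowing p1 reveals p2
    for every position where both ciphertexts and the known text overlap."""
    n = min(len(c1), len(c2), len(known_plaintext1))
    p1_xor_p2 = otp_xor(c1[:n], c2[:n])
    return otp_xor(p1_xor_p2, known_plaintext1[:n])


if __name__ == "__main__":
    # Constructed messages; the pad is used once, as required.
    pad = new_pad(64)
    message = b"MEET AT THE FOOTBRIDGE 2100"
    assert decrypt(encrypt(message, pad), pad) == message

    # Constructed failure case: one pad, two messages.
    shared_pad = new_pad(64)
    p1 = b"DROP CONFIRMED FOR TUESDAY"
    p2 = b"NO PICKUP UNTIL FURTHER NOTE"
    c1, c2 = encrypt(p1, shared_pad), encrypt(p2, shared_pad)
    print("recovered second message:", two_time_pad_leak(c1, c2, p1))
```

The point for a handler on either side is operational rather than mathematical: the cipher’s guarantee holds only for the pad material, so pad generation, distribution and destruction are the whole of the security problem.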
In 1981, Hanssen was assigned to the Budget Unit in the Intelligence Division at Headquarters, where he prepared the Bureau’s Congressional Budget Justification Books, covering all FBI intelligence and counterintelligence operations. In 1983, Hanssen became a Supervisory Special Agent in the Soviet Analytical Unit in the Intelligence Division, and, in 1985, he transferred to a field supervisory position in the Soviet Counterintelligence Division in the New York City Office.
In April 1985, Aldrich Ames, a CIA intelligence officer responsible for monitoring the recruitment of Soviet officials, walked into the Soviet Embassy in Washington and disclosed the identities of several officials who had offered their services to the agency, thus beginning an espionage career that would span nine years. Hanssen and Ames’ treason would give Soviet intelligence services important dual sources for many critical pieces of intelligence, especially the identity of Soviet intelligence officers whom American intelligence services had co-opted.
Hanssen’s second period of espionage began in October 1985 and continued after he was transferred in August 1987 to the Soviet Analytical Unit within the Intelligence Division. In 1985, nine days after Hanssen had assumed his New York City position, he wrote to a senior KGB intelligence operator to inform him that he would soon receive “a box of documents [containing] certain of the most sensitive and highly compartmented projects of the U.S. Intelligence Community.” Hanssen asked for $100,000 in return for the documents (he would receive $50,000), and he warned that, “as a collection” the documents pointed to him. Hanssen had particular concerns about his safety:
I must warn of certain risks to my security of which you may not be aware. Your service has recently suffered some setbacks. I warn that Boris Yuzhin . . . , Mr. Sergey Motorin . . . and Mr. Valeriy Martynov . . . have been recruited by our “Special Services.”3
During the second span of espionage, Hanssen surrendered a “complete compendium of double-agent operations.” An internal FBI report issued in this period noted serious compromises and disruptions in the Bureau’s recruitment, recruitment-in-place, and double agent operations. The report raised the possibility that the KGB had “somehow acquired inside or advance knowledge of [Bureau] operations.”
3. Apparently, Aldrich Ames gave the Soviets the same information about the three Soviet defectors around the same time as Hanssen. Two of the defectors were executed; the other was sentenced to fifteen years hard labor.
Hanssen also disclosed the Director of Central Intelligence Congressional Budget Justifications for several fiscal years, the FBI’s technical penetration of a Soviet establishment, U.S. penetration of Soviet satellite transmissions, U.S. attempts to recruit Soviet intelligence officers, a limitation in NSA’s ability to read Soviet communications, detailed evaluations of FBI double-agent operations, and other extraordinarily sensitive intelligence operations. For instance, Hanssen revealed that U.S. State Department diplomat, Felix Bloch, was under investigation for espionage on behalf of the Soviet Union. Bloch’s Soviet handlers warned him about the investigation, and he was able to avoid prosecution.
Hanssen told his handlers in a November 1985 note that “[e]ventually, [he] would appreciate an escape plan” because “[n]othing lasts forever.” He later suggested that they communicate through a “microcomputer `bulletin board,’” a suggestion the Soviets apparently did not accept.
In 1987, Hanssen started to transmit information and receive payments by establishing near his home in northern Virginia several “dead drops” or pre-arranged, hidden locations for clandestine exchanges that made it unnecessary for him to meet Soviet intelligence officers.
In 1988, Hanssen gave the Soviets the first of many computer diskettes he would use to transmit information and documents. At a minimum, the information and documents were classified Secret and contained warnings like the following from the cover sheet to a comprehensive review of Soviet penetration of the U.S. Intelligence Community, a review that Hanssen compromised:
IN VIEW OF THE EXTREME SENSITIVITY OF THIS DOCUMENT, THE UTMOST CAUTION MUST BE EXERCISED IN ITS HANDLING. THE CONTENTS INCLUDE A COMPREHENSIVE REVIEW OF SENSITIVE SOURCE ALLEGATIONS AND INVESTIGATIONS OF PENETRATION OF THE FBI BY THE SOVIET INTELLIGENCE SERVICES, THE DISCLOSURE OF WHICH WOULD COMPROMISE HIGHLY SENSITIVE COUNTERINTELLIGENCE OPERATIONS AND METHODS. ACCESS SHOULD BE LIMITED TO A STRICT NEED-TO-KNOW BASIS.
In 1989, the KGB presented several awards to the intelligence officers involved in the Hanssen operation, including the coveted Order of the Red Banner, the Order of the Red Star, and the Medal for Excellent Service.
Hanssen left the Soviet Analytical Unit in May 1990 when he was promoted to the Bureau’s Inspection staff. Among other duties, Hanssen was charged with assisting in the review of FBI legal attaché offices in embassies across the globe. Hanssen’s Soviet handlers offered their congratulations on his promotion: “We wish You all the very best in Your life and career.” Having assured Hanssen that their communications mechanisms would remain in place, the Soviets advised him: “[D]o Your new job, make Your trips, take Your time.” Hanssen’s espionage continued after he joined the Inspection staff.
At the end of his tour on the Inspection staff in July 1991, Hanssen became a program manager in the Soviet Operations Section of the Intelligence Division at Headquarters, a unit designed to counter Soviet espionage in the United States.
In December 1991, he left extremely sensitive, classified documents at a drop site, along with a note telling his Soviet handlers that he had been promoted to a position of increased authority. Hanssen also provided information about classified technical and operational matters, and he proposed a new communications plan, by which he would communicate directly with the KGB using a computer loaded with advanced technology set up in a private office not subject to electronic surveillance. Shortly thereafter, President Gorbachev resigned, and the Soviet Union collapsed. Hanssen, who knew of a massive internal FBI mole hunt, decided to disengage from his espionage activity, he claims, because of feelings of guilt.
In January 1992, Hanssen became Chief of the National Security Threat List Unit in the Intelligence Division. That Unit was charged with helping to re-align U.S. counterintelligence activities in light of the dissolution of the Soviet Union.
In 1993, Hanssen attempted to reestablish contact by approaching a Russian military intelligence officer in a garage in an apartment complex near Washington, D.C. Hanssen says that he wanted to understand why Russian military intelligence continued to use operatives he had exposed as double agents. Hanssen brought to this meeting summaries of all open Russian military intelligence double-agent cases. He identified himself as “Ramon Garcia,” the pseudonym he had used during the first period of espionage. The Russian intelligence officer apparently knew nothing about Garcia and rebuffed Hanssen’s attempt to start a conversation. In a protest about the incident, the Russian government asserted that the person who had approached their officer identified himself as a disaffected FBI agent. The Bureau opened a case in response to the Russian protest, which Hanssen followed on the FBI’s investigative database, the Automated Case Support system.
With the exception of the unsuccessful attempt to contact the intelligence officer, Hanssen had no contact with Russian intelligence until October 1999 when he began his third period of espionage by sending the KGB an encrypted message on a computer disk. At first, there was no response to the message, but eventually a signal was given. Hanssen went to a drop site and received instructions and $50,000 in cash.
At the time, Hanssen was “running up credit card debt,” some of which he had rolled into a home mortgage during two refinancings; some of his six children were in college; and “financial pressures” were creating (in a phrase Hanssen adopted during a debriefing) an “atmosphere of desperation.” Hanssen has claimed that his mortgage payments had grown so high that he “was losing money every month and the debt was growing.” Consequently, he set a “financial goal” for himself: obtain $100,000 from the Russians to pay down his debt.
When the third period of espionage began, Hanssen was FBI liaison to the State Department’s Office of Foreign Missions, responsible for conveying highly classified information and documents between State and FBI Headquarters, among other duties. From his office at State, Hanssen continued to have complete access to the FBI’s Automated Case Support system, from which he obtained most of the information he passed to the Russians during this period.
In October 1999, after the first drop in the third period of espionage, for which Hanssen received $50,000, his Russian handlers proposed two more drops, one in November 2000, the other in April 2001. Hanssen tried to move the first drop up to June 2000, complaining that the Russians were “wast[ing]” him: Hanssen was trying to generate income. He attempted a drop in June, but retrieved the material after the Russians failed to pick it up.
In November 2000, Hanssen once again communicated concern to the KGB about his security and raised questions about the future:
. . . Recent changes in U.S. now attach the death penalty to my help to you as you know, so I do take some risk. On the other hand, I know far better than most what minefields are laid and the risks. Generally speaking you overestimate the FBI’s capacity to interdict you.
In January 2001, Hanssen, who was then under suspicion, was transferred from the State Department to FBI Headquarters so that he could be closely monitored. Shortly thereafter, Hanssen would later claim, he came to believe that a tracking transmitter had been placed in his car. Despite these concerns, he went to another drop, where he was apprehended and arrested on February 18, 2001. Hanssen brought to the final drop an encrypted letter on a disk:
Dear Friends:
I thank you for your assistance these many years. It seems, however, that my greatest utility has come to an end, and it is time to seclude myself from active service. . . . My hope is that, if you respond to this . . . message, you will have provided some sufficient means of re-contact . . . . If not, I will be in contact next year, same time same place. Perhaps the correlation of forces and circumstances will have improved.
Your friend,
Ramon Garcia
Hanssen was indicted on twenty-one counts of espionage, conspiracy to commit espionage, and attempted espionage. Fourteen counts provided for the death penalty as the maximum punishment upon conviction. The remaining counts called for life in prison as the maximum penalty. On July 3, Hanssen pled guilty to fifteen counts. He is awaiting sentencing.
In November 2000, three months before his arrest, Hanssen gave the Russians “the largest package [of documents he] ever produced,” between 500 and 1,000 sheets of photocopied material. He downloaded to disks from the FBI’s Automated Case Support system a great deal of the information he divulged in this final period:
Any clerk in the Bureau could come up with stuff on that system. It was pathetic. . . . It’s criminal what’s laid out. What I did is criminal, but it’s criminal negligence . . . what they’ve done on that system.
Documents – whether downloaded or printed – were reproduced in their entirety and with sufficient information on their face to identify them as Bureau documents. Hanssen, who was known for his technical computer proficiency, had himself developed several data “systems” for the Bureau, for example, a system for up-loading FBI internal memoranda and conducting key-word searches.4 Before leaving material at drops for his handlers, Hanssen would scan the Bureau’s systems to see whether the FBI had identified the locations as drop sites. He would also run his name in the systems to determine whether he was a subject of an investigation.
4. When Hanssen unsuccessfully approached a Russian intelligence officer in 1993, he brought along a description of certain double-agent cases that he created using the system he had established in an earlier assignment. At the time, Hanssen was assigned to the National Security Threat List Unit. He simply walked over to his old section and generated the information about the double agents.
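The Commission observes above that an information-system auditing program would have flagged Hanssen’s habit of querying the Bureau’s systems for his own name and for his drop-site locations, and of downloading material in bulk before a drop. The Python below is an added example, not FBI code and not part of the report, of the audit review such a program would perform. It parses a constructed audit log (the record format, the usernames, the personnel directory and the place name are all invented for the example) and applies three rules: a user whose search term contains part of his own name, a user who searches for the same term on several distinct days, and a user whose downloads or prints in one day exceed a threshold.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed audit records, not from the report. Record format is an assumption:
#   <timestamp> user=<id> action=<SEARCH|DOWNLOAD|PRINT> system=<name> term="..."|doc="..."
_BASE_LINES = [
    '2000-06-01T08:15:02 user=jdoe action=SEARCH system=ACS term="doe, john"',
    '2000-06-01T08:16:40 user=jdoe action=SEARCH system=ACS term="oak hollow footbridge"',
    '2000-06-14T17:02:11 user=jdoe action=SEARCH system=ACS term="oak hollow footbridge"',
    '2000-06-30T18:40:09 user=jdoe action=SEARCH system=ACS term="oak hollow footbridge"',
    '2000-07-03T10:01:55 user=jdoe action=SEARCH system=ACS term="john doe"',
    '2000-06-01T09:00:00 user=asmith action=SEARCH system=ACS term="doe, john"',
    '2000-06-01T09:05:13 user=asmith action=PRINT system=ACS doc="65A-HQ-1000001"',
    '2000-06-02T11:20:00 user=asmith action=SEARCH system=ACS term="oak hollow footbridge"',
]
# Constructed bulk retrieval: 25 downloads by one user within a single day.
_BULK_LINES = [
    f'2000-11-10T{8 + i // 6:02d}:{(i * 9) % 60:02d}:00 user=jdoe action=DOWNLOAD '
    f'system=ACS doc="65A-HQ-10{i:05d}"'
    for i in range(25)
]
SAMPLE_LOG = "\n".join(_BASE_LINES + _BULK_LINES)

# Constructed personnel directory: login -> full name (hypothetical data).
DIRECTORY: Dict[str, str] = {"jdoe": "John Doe", "asmith": "Ana Smith"}

_LINE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) '
    r'system=(?P<system>\S+) (?:term|doc)="(?P<target>[^"]*)"$'
)


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    action: str
    system: str
    target: str

    @property
    def day(self) -> str:
        return self.ts[:10]


def parse_log(text: str) -> List[Event]:
    """Parse well-formed records; malformed lines are skipped rather than trusted."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def _tokens(s: str) -> Set[str]:
    """Lower-case word tokens of three or more letters, so 'Doe, John' and 'john doe' agree."""
    return {t for t in re.split(r"[^a-z]+", s.lower()) if len(t) >= 3}


def flag_self_queries(events: List[Event], directory: Dict[str, str]) -> List[Event]:
    """SEARCH events whose term contains a token of the searching user's own name."""
    return [
        e for e in events
        if e.action == "SEARCH" and _tokens(directory.get(e.user, "")) & _tokens(e.target)
    ]


def flag_repeated_queries(events: List[Event], min_days: int = 3) -> List[Tuple[str, str, int]]:
    """(user, term, days) for terms one user searched on at least min_days distinct days,
    the pattern of someone repeatedly checking whether a location has come to notice."""
    days: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in events:
        if e.action == "SEARCH":
            days[(e.user, e.target.lower())].add(e.day)
    return sorted((u, t, len(d)) for (u, t), d in days.items() if len(d) >= min_days)


def flag_bulk_retrieval(events: List[Event], max_per_day: int = 20) -> List[Tuple[str, str, int]]:
    """(user, day, count) where DOWNLOAD/PRINT events in one day exceed max_per_day."""
    counts = Counter((e.user, e.day) for e in events if e.action in ("DOWNLOAD", "PRINT"))
    return sorted((u, d, n) for (u, d), n in counts.items() if n > max_per_day)


def review(text: str, directory: Dict[str, str]) -> dict:
    """Run all three rules over a log and return the findings by rule."""
    events = parse_log(text)
    return {
        "self_queries": flag_self_queries(events, directory),
        "repeated_queries": flag_repeated_queries(events),
        "bulk_retrieval": flag_bulk_retrieval(events),
    }


if __name__ == "__main__":
    for rule, hits in review(SAMPLE_LOG, DIRECTORY).items():
        print(f"{rule}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

None of these rules proves wrongdoing; a case agent may legitimately search a place name many times. Their value is the one the Commission identifies: the queries are recorded at all, someone other than the user reviews them, and a pattern across months becomes visible to a security office rather than staying buried in a system that, as Hanssen put it, any clerk could search.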
Hanssen installed unauthorized software on his office computers, an action counter to Bureau regulations. While he was serving as FBI liaison to the State Department, a password-breaking program was discovered on his hard drive. When questioned about this at the time, Hanssen explained that he had to re-configure his FBI computer system at State to install a color printer, but that he could not do so without the password of a systems administrator, who was not often available. Consequently, Hanssen said, he broke the administrator’s password and solved the problem. Hanssen was not disciplined for this conduct.
On at least one occasion, Hanssen hacked into the computer of a Bureau colleague. In 1992, he downloaded a classified document from the hard drive of the Chief of the Bureau’s Soviet Intelligence Section, purportedly to demonstrate security weaknesses in the computer system.5 Hanssen attempted unsuccessfully to interest his handlers in contemporary technology. Early on, he suggested to the Soviets that they communicate by e-mail and later he urged them to purchase a personal digital assistant so that he could “beam” messages and classified documents to them. On occasion, Hanssen’s handlers were unable to break through the encryption and other security mechanisms Hanssen installed on the disks he passed to them.
5. In 1997, FBI debriefers asked former agent Earl Pitts, who had pled guilty to spying for the Soviets, whether he knew of anyone else working for the Russians. Pitts explained that he did not know of other spies with certainty, but he had heard that Hanssen had hacked into an FBI computer. The Bureau did not follow up on this information because it was already known.
Hanssen also used non-technical methods to obtain the material he compromised. Sometimes he learned information at lunches with colleagues or “in passing,” and he routinely reproduced documents on FBI photocopiers and walked out of Bureau facilities with them. Hanssen also habitually walked into meetings uninvited when classified information was being discussed. After he left the National Security Division, he visited former colleagues, discussed classified matters with agents and analysts, and passed this information to his handlers. He also visited former State Department colleagues, after he had been transferred to FBI Headquarters. His last recorded visit came nine days before his arrest.
Hanssen had no difficulty collecting sensitive information. Before going to one dead drop, he simply “grabbed the first thing [he] could lay [his] hands on.” However, he “tried to stay with things that [his handlers] would find tremendously useful, immediately useful, . . . remarkably useful.” On one occasion, Hanssen took a volume from Headquarters containing Top Secret and Special Access Program information about an extraordinarily important program for use in response to a nuclear attack. Hanssen photographed the material in the back seat of his automobile and returned the volume to the Bureau.
Over the course of his espionage, Hanssen received two Rolex watches and about $600,000 in cash and diamonds from Soviet and Russian intelligence services. About $800,000 was purportedly deposited in a Moscow bank on Hanssen’s behalf. The FBI also recovered $50,000 from a drop site.
Hanssen led an apparently frugal life, using some of the money he received for espionage on home improvements and private schooling for his six children. He also spent a significant sum on an exotic dancer, whose life, Hanssen claims, he was trying to reform. Over twenty-two years and more than forty passes, Hanssen turned over to Soviet and Russian intelligence an estimated twenty-six diskettes and 6,000 pages of classified information. Although we have not been called upon to conduct a damage assessment of this betrayal, the affidavit filed in support of the criminal complaint against Hanssen does not exaggerate when it describes the information Hanssen betrayed as having “extraordinary importance and value.”
While Hanssen’s misdeeds are so shocking as to be in some fundamental sense inexplicable, his conduct is not as rare as citizens of a free and democratic society would hope. The Commission has received testimony that since the nineteen-thirties every U.S. agency involved with national security has been penetrated by foreign agents, with the exception of the Coast Guard. Eighty employees of the federal government and companies with which it contracted were convicted of espionage between 1982 and 1999.6 According to open-source material, 117 American citizens were prosecuted for espionage between 1945 and 1990 or clear evidence existed of their guilt; the reported cases of espionage doubled from the 1950s to the 1970s and then doubled again in the 1980s. Of course, this data does not include espionage that has not been detected or reported. Money appears to be the major motive in these cases; and most of these spies volunteered their services to foreign intelligence agencies.7
6. DOD PERSONNEL: Inadequate Personnel Security Investigations Pose National Security Risks, U.S. General Accounting Office (Oct. 1999)
The practice of tradecraft by our adversaries, including the use of defectors-in-place, should come as no surprise. Though the ancients did not have computer diskettes, they did have the means to transmit covert information vital to “national” security. Herodotus, for instance, tells us about a Greek living in Persia, who alerted Sparta to Xerxes’ invasion plans by smuggling information on a piece of wood covered with wax. The Bible is also replete with instances of espionage, including Yahweh’s instruction to Moses to send spies into the land of Canaan. The account of the harlot Rahab sheltering Israelite spies and betraying the city of Jericho might be the first documented instance of a “safe house.”
7. S. Wood & M. Wiskoff, AMERICANS WHO SPIED AGAINST THEIR COUNTRY SINCE WORLD WAR II, Defense Personnel Security Research Center (1992)
Thus, history teaches us to expect spies among us and to anticipate that some of those spies will be of us. Espionage has not been invented by our recent adversaries, and it is not a sign of our political or moral decline. In fact, we have been beset by spies from within even before we had a Constitution to unite us. For instance, Edward Bancroft, a New England physician who served as secretary to the commission the American colonies sent to France during the Revolutionary War, was a confidant of Benjamin Franklin, an indispensable agent of John Adams, and a British spy. Bancroft sent London weekly communications written in invisible ink and placed in a hole in a tree in the Tuileries Gardens. The rebellious colonies did not have to wait long for other disastrous betrayals, and, indeed, from our Country’s early history on, the name Benedict Arnold has signified a traitor from within.
Recognizing that we cannot eliminate espionage efforts against us, the Commission has attempted to recommend changes in FBI security programs that will minimize the harm that those who betray us can do to our national security and minimize the time between their defection and detection. To achieve these goals, we focused our attention on four areas: the structure of the Bureau’s security programs and the policies and procedures designed to ensure the integrity of its personnel, information systems, and documents.
We also examined security programs in federal entities other than the FBI: the CIA, NSA, the Department of State, and the Air Force’s Office of Special Investigations. We looked at these entities to develop a “best-practices” model we could use to assess the Bureau’s security programs, and we specifically focused on the Office of Special Investigations because, like the FBI, it has intelligence and law-enforcement functions that must be carefully delineated.
We will present our findings in the chapters to come and in much greater detail in classified appendices. In sum, we found serious deficiencies in most security programs we analyzed within the Bureau. When compared with best practices within the Intelligence Community, FBI security programs fall far short. It should be noted, however, that security programs in the CIA, NSA, the Department of State, and other elements within the U.S. Intelligence Community have undergone top-to-bottom reviews and re-structuring in the relatively recent past as a result of significant, though belatedly discovered compromises. Simply naming a few of these double agents is chilling:
- Aldrich Ames, a CIA counterintelligence officer, pled guilty to spying on behalf of the Soviet Union in what has been described as the costliest breach of security in CIA history. During nine years as a spy, Ames revealed more than one hundred covert operations and betrayed more than thirty operatives spying for Western intelligence services.
- Ronald Pelton, a former intelligence analyst at the National Security Agency, was found guilty of having given Soviet agents an incredibly detailed account of U.S. electronic espionage capabilities, which, in the words of the sentencing judge, cost our country “inestimable damage.”
- Jonathan Pollard, a military intelligence analyst, was arrested for passing to Israeli agents more than 800 classified documents and more than 1000 cables. The Secretary of Defense declared that he could not “conceive of a greater harm to national security” than Pollard’s betrayal.
- John Walker, a retired naval officer, operated a spy ring that included his son and brother. Using cryptomaterial Walker supplied, Soviet agents were able to receive and decode over one million communications, leading, in the assessment of the Secretary of Defense, to “dramatic Soviet gains in all areas of naval warfare.”
Thus, although our report is highly critical of fundamental practices and policies governing sensitive information within the Bureau, it would be a mistake to single out that entity for criticism. The FBI has not been alone in finding itself betrayed by trusted employees willing to imperil their country for money or some other venal or twisted political consideration. Furthermore, at least some of the critical deficiencies we found in Bureau policies have been replicated in other federal agencies. For instance, we observed critical deficiencies in the process by which the Bureau conducts background checks for security clearances, a finding sadly mirrored in a 1999 GAO study concluding that ninety-two percent of Department of Defense security investigations in the period studied were deficient.8
8. See note 6. More recently, the GAO criticized the Department of Energy’s access controls and “need-to-know” policies in the wake of allegations that China had surreptitiously obtained U.S. nuclear warhead designs. NUCLEAR SECURITY: DOE Needs To Improve Control Over Classified Information, U.S. General Accounting Office (Aug. 2001). We will present disturbingly similar criticisms of FBI policies. Several damage assessments conducted in the wake of recent foreign espionage penetrations also recommend changes in security programs that parallel changes we suggest in our report.
Furthermore, in spite of Hanssen’s purported proficiency with electronic storage systems, the methods he used to betray his country have been practiced by others with little technical knowledge. For instance, over seven years ago, the CIA Inspector General concluded that Aldrich Ames’ access to computer “terminals that had floppy disk capabilities represented a serious system vulnerability”:
No specific precautions were taken by Agency officials to minimize Ames’ computer access to information within the scope of his official duties. In fact, there is one instance where Ames was granted expanded computer access despite expressions of concern . . . by management . . . about his trustworthiness. Ames . . . was surprised when he signed on [the computer] and found that he had access to information about double agent cases. This allowed him to compromise a significant amount of sensitive data . . . to which he did not have an established need-to-know.9
National security would have been better served if deficiencies found in one agency had led other agencies to review their own practices. Unfortunately, security reform usually occurs in an agency only after it has been severely compromised. For instance, after allegations surfaced that China had obtained nuclear warhead designs from an employee of the Los Alamos National Laboratory, the Department of Energy’s programs for protecting classified information were thoroughly reviewed and found severely wanting. Again, these findings are sadly similar to the deficiencies we found in the FBI’s security programs. Had the Bureau taken advantage of the review of DOE procedures, had DOE taken advantage of reforms at the Central Intelligence Agency in light of Ames’ defection, had the CIA taken advantage of reforms at the Department of State after a security compromise there, the entire Intelligence Community would have benefitted.
9. Abstract Of Report Of Investigation, The Aldrich H. Ames Case: An Assessment of CIA’s Role In Identifying Ames As An Intelligence Penetration Of The Agency, Findings 59 & 61 (Oct. 21, 1994).
The Intelligence Community as a whole has failed to learn from history, a failure that is mirrored in the fragmented security policy governing members of that community. Each agency is responsible for implementing its own security system in compliance with government-wide mandates. The Bureau’s security policies, for instance, are an amalgam of its own traditional practices and a sometimes imperfect reflection of a slough of Executive Orders, National Security Directives, Presidential Decision Directives, Director of Central Intelligence Directives, Congressional enactments, and other mandates.
We are not the first to note the lack of a system to ensure that security policy is implemented properly in the Intelligence Community and that members of that community learn from their brethren’s mistakes. In 1994, a Joint Security Commission declared that:
. . . [F]undamental weaknesses in the security structure and culture . . . must be fixed. Security policy formulation is fragmented. Multiple groups with differing interests and authorities work independently of one another and with insufficient horizontal integration. Efforts are duplicated and coordination is arduous and slow. Each department or agency produces its own implementation rules that can introduce subtle changes or additions to the overall policy. There is no effective mechanism to ensure commonality.10
Consequently, in a report to the Secretary of Defense and the Director of Central Intelligence, the Joint Commission recommended that a security executive committee be established to “unify security policy development; serve as a mechanism for coordination, dispute resolution, evaluation, and oversight; and provide a focal point for Congressional and public inquiries regarding security policy. . . .” Almost a decade earlier, the Senate Select Committee on Intelligence asserted that “more needs to be done to ensure that agencies learn from each other’s experiences and that progress achieved in one area can have benefits for others.” In calling for the establishment of a comprehensive National Security Program, the Committee warned:
10. Redefining Security 2 (Feb. 1994).
If there is no national policy, . . . there is no standard against which to hold each department accountable. If national policies are fragmented, outdated or unbalanced, security becomes subordinated to other departmental priorities and interagency disputes. This has occurred far too often in recent years.11
And it has continued to occur in the sixteen years since the Select Committee issued its report. Consequently, in addition to the particular recommendations about Bureau policies that we make in our report, we offer a more global recommendation: a system should be established whereby security lapses in a particular entity lead to improved security measures throughout the entire Intelligence Community. Determining how this system should be structured is outside our mandate, but the need for it is obvious.
11. Meeting The Espionage Challenge: A Review of U.S. Counterintelligence And Security Programs, Report of the Select Committee on Intelligence, U.S. Senate 39 & 61 (Oct. 3, 1986).
Our report contains many recommendations for changes in the FBI’s policies and practices. We are pleased to see that the Bureau has already begun to examine its security programs and has independently implemented some of our recommendations. Critics often assert that the problems we have examined, as well as other well publicized missteps the Bureau has taken in recent years, are the product of a culture ingrained within the FBI that will make meaningful reform impossible. We found many instances of Bureau employees affording respect to deficient practices simply because they are Bureau practices and other instances when state-of-the-art practices in other agencies were rejected simply because they were not Bureau practices. However, the vast majority of FBI employees with whom we spoke have been shaken by Hanssen’s treason; they are acutely aware of the damage he has done to the country and to the reputation of the institution they love; and they seem to understand the necessity of reforming inadequate practices. The reaction of other agencies recently betrayed from within shows that organizations that instill esprit in their members can change when chastened to the core, and we have observed first-hand the degree to which Hanssen’s crimes have shaken the Bureau as a whole, particularly those employees who are part of the Intelligence Community.
There is another “cultural” dimension to the security deficiencies we observed in the Bureau. Until the terrorist attacks in September 2001, the FBI focused on detecting and prosecuting traditional crime. That focus created a culture that emphasized the priorities and morale of criminal components within the Bureau, which offered the surest paths for career advancement. This culture extolled cooperation and the free flow of information inside the Bureau, a work ethic wholly at odds with the compartmentation characteristic of intelligence investigations involving highly sensitive, classified information.
In a criminal investigation, rules restricting information are perceived as cumbersome, inefficient, and a bar to success. However, when a criminal investigation is compromised, usually only a discrete prosecution with a limited set of victims is at risk. In sharp contrast, when an intelligence program is compromised, as Hanssen’s case demonstrates, our country’s ability to defend itself against hostile forces can be put at risk.
A law-enforcement culture grounded in shared information is radically different from an intelligence culture grounded in secrecy. Whether the two can co-exist in one organization is a difficult question, but they will never do so in the FBI, unless the Bureau gives its intelligence programs the same resources and respect it gives criminal investigations, which, employing its own sensitive information and confidential sources, would also benefit from improved security.
Implementation of the changes necessary to secure vital information within the Bureau’s universe will require continuous dedication, not momentary attention, so that neither bureaucratic inertia nor tight focus on the latest national crisis the FBI faces will permanently divert resources from structural defects that must be cured. Consequently, we also recommend that, within six months, the Bureau submit to Congressional intelligence oversight committees, through the Attorney General, a plan addressing the weaknesses we have discovered in FBI security programs and our recommendations. We also urge that the Bureau submit to the committees annual reports for the next three years on its efforts to implement that plan. We note that the Central Intelligence Agency, in the wake of Ames’ defection, issued such reports, apparently to great effect.
The Commission wishes to thank the members of its staff, whose effort is reflected in this report. Our country will make a serious error if it does not capitalize on this effort. Neglect of the systems undergirding national security can lead to consequences so severe and so horrific that, in our view, the political structure is duty bound to respond.
The following is a compressed compilation of the recommendations in our Report. Because the recommendations addressing security weaknesses in the Bureau’s information systems are often arcane, we placed them in the technical appendices and have limited the INFOSEC portions of this summary to broad policy recommendations.
GENERAL
I. A System Should Be Established So That Significant Security Lapses In An Entity Within The Intelligence Community Lead To Improved Security Measures Across The Community
II. The Bureau Should Within Six Months Submit To Congressional Intelligence Oversight Committees, Through The Attorney General, A Plan Addressing Weaknesses In Its Security Programs, And It Should Submit Annual Reports On Its Efforts To Implement That Plan
INFORMATION SECURITY
I. Comprehensive, Consistent, And Centrally Coordinated INFOSEC Policies Should Be Adopted
The FBI does not have a well-defined, comprehensive INFOSEC policy or clearly written guidance explaining how current policy is to be implemented. Responsibility for curing this problem should be vested in a new Office of Security. Having established an INFOSEC policy, the Bureau must also create security guidelines and system specific plans.
II. INFOSEC Education And Training Must Be Implemented
The FBI lacks adequate INFOSEC education and training programs. Classified information stored on some of the Bureau’s most widely utilized systems is not sufficiently protected because users lack training on critical security features. Implementation of a general INFOSEC education and training program may take some time, but the Bureau must immediately train users on the security features of the Automated Case Support system because this system poses a tremendous risk to national security information.
III. Key INFOSEC Positions Must Be Filled And Supported
Many key INFOSEC positions have not been filled, and some have been filled by persons lacking essential experience and training. Persons assigned to these positions must be given the time, authority, and support necessary to perform their duties.
IV. The FBI Must Institutionalize A Formal, Tailored Process To Certify And Accredit Computer Systems
The FBI must define a certification and accreditation process that comports with governing directives and is tailored to meet Bureau needs. This process must consider the security implications of interfaces among connected systems and between systems and other components, such as workstations. Persons tasked to certify FBI systems should have the requisite expertise; they should not review their own work product or report to system builders and operators.
V. The FBI Should Develop A Comprehensive, Prioritized Plan To Address Security Shortcomings
The Bureau must define the security environment it wants to create to protect information by identifying relevant policies, specific threats, and secure usage assumptions. The Bureau must determine threats that existing security countermeasures do not counter and information protection policies that are not being enforced, and it must select programs, tools, and technologies to sustain its security environment.
PERSONNEL SECURITY
I. Security Investigations And Adjudications Should Be Consolidated In A New Office Of Security
The process by which the FBI currently conducts background investigations, adjudicates cases, and grants security clearances is fragmented, resulting in duplicative efforts, wasted resources, and unaddressed security issues.
II. The Personnel Security Process Should Be Automated
The Bureau’s system for processing and tracking investigations, reinvestigations, adjudications, and clearances is paper-driven and inadequate. The FBI should create a system to track personnel so that they are identified for reinvestigations and their clearances are up-to-date.
III. BICS Investigations Should Be Thorough
The Background Investigation Contract Service (BICS) should ensure that its Special Investigators (SIs) are skilled and conduct thorough investigations. BICS should avoid a checklist approach to investigations. SI reports should be detailed, highlighting and explaining potential security problems. The SI reporting process should be automated. Responsibility for Personal Security Interviews should be removed from field offices and given to BICS SIs.
IV. Adjudicator Training Should Be Improved
The Bureau should give adjudicators extensive training to ensure that they comply with Director of Central Intelligence Directives and internal mandates. Adjudicators should be trained to recognize incomplete background investigations, and they should request additional coverage when necessary.
V. Stricter Controls Should Be Placed On Interim Clearances
The interim clearance process for contract employees lacks adequate controls, resulting in interim clearances granted without full-scope investigations, a practice that can lead to high-risk personnel cleared with insufficient vetting. The Bureau should implement tighter controls on personnel granted interim clearance, limiting facility access and minimizing contact with FBI employees and assets.
VI. The FBI Should Adopt A Financial Disclosure Program And Develop A Technical Structure To Support Financial Monitoring
The FBI should comply with Executive Order 12968 by requiring employees and contractors to complete financial disclosure forms. The Bureau should also develop a personnel and technical infrastructure to support financial monitoring. Information from financial disclosure forms and an automated analysis should be available in employee reinvestigations and security investigations.
VII. The FBI Should Implement A Counterintelligence Polygraph Program And Create An Infrastructure To Support The Program
The FBI should adopt a counterintelligence polygraph examination, focused on espionage and restricted to reinvestigations of personnel with access to Sensitive Compartmented Information and special programs. The Bureau should develop a quality control program and educate personnel about the polygraph’s security function and the limited nature of the counterintelligence examination.
DOCUMENT SECURITY
I. Classified National Security Documents Should Be Handled And Stored In SCIFs And Secure Areas And Available Only To Those With A Need To Know
The Bureau should train its personnel to recognize that compartmentation and need-to-know principles apply even in Secure Areas and SCIFs.
II. The Security Access Control Badge System And The FBI Police Program Should Be Strengthened
Employees should be required to “badge into” SACS areas on hardware that requires a PIN number and records the passage of every badge, including all car-pool passengers. Gold badges and executive-escorted-visitor badges should be eliminated. FBI police should match the photograph on every SACS badge entering Headquarters with the bearer of the badge and conduct aperiodic checks of vehicles and persons leaving Headquarters to emphasize the gravity of document security. The police force should be brought to full strength and given an enhanced security role.
III. The Bureau Should Enhance Protections On The Handling, Copying, And Disposing Of Classified Material
The FBI should bring its written policy statements on these matters into compliance with Director of Central Intelligence Directives and Executive Orders. The revised policy should eliminate confusion about “working documents” and copies of classified documents obtained through electronic systems. Headquarters employees should receive detailed guidance about moving classified information around the building and should be prohibited from leaving classified material unattended, except in approved Secure Areas or Sensitive Compartmented Information Facilities (SCIFs). After-hours protocols for securing computers and classified material should be established. Bureau photocopiers, particularly in SCIFs and Secure Areas, should not be operable without PIN numbers. Photocopying classified material should be held to a minimum, and copies should be subject to the same controls as originals. A time limit for maintaining copies of classified documents should be established. Security risks in the destruction of Secret waste off-site should be eliminated.
IV. Written Guidance On Top Secret And Sensitive Compartmented Information Should Be Current, Clear, And In Compliance With Director Of Central Intelligence Directives And Executive Orders
FBI manuals and policy statements should incorporate changes made over time by Bureau Electronic Communications and should comply with Director of Central Intelligence Directives, especially in describing SCIF operations. Written policies should provide clear and specific guidance to Security Officers, who are sometimes unaware of policy because they do not know how to locate it.
V. The Operations Of The Special File Room Should Be Improved By Eliminating Unnecessary Classified Material And Enhancing Staffing, Training, And Equipment
The Bureau should destroy all documents within the Special File Room (SFR) eligible for destruction. Profiles should be adopted to control the amount of information intelligence agencies send the Bureau. SFR employees should receive improved, recurring formal training, in addition to on-the-job mentoring, and Headquarters personnel should be trained to take advantage of SFR document indexing services.
VI. SCIF Operations Must Be Improved By Promulgating Clear, Enforceable Rules And Providing Training For SCIF Tenants
The operation of Bureau SCIFs across the country is inconsistent and sometimes improper. SCIF operations should be controlled by clearly written guidelines, as Director of Central Intelligence Directives require, and training for SCIF personnel should be improved. SCIF accreditation, daily operations, and periodic reviews require much greater resources than are currently allotted.
VII. The FBI Should Consider Adopting The Human Intelligence Control System
The Bureau should consider adopting the Human Intelligence Control System, a system of compartmenting human source information developed by the CIA. If it does adopt this approach, it should publish clear, written policies effecting those controls, and it should train personnel who will use them.
VIII. The FISA Process Should Be Simplified, And Access To FISA Information In ACS Should Be Restricted
The process implementing the Foreign Intelligence Surveillance Act (FISA) should be streamlined to reduce the number of persons involved and the complexity of the process. The Bureau should implement a system of electronic links with the Department of Justice to enhance the security of the FISA process and allow simultaneous review. Responsibility for FISA packages should be centralized in an FBI FISA Unit. The training of field security officers who monitor FISA carrier security should be improved, and trust receipts should be used whenever possible. Personnel handling FISA on the Automated Case Support system should be trained in the use of access restrictions. The ability to print and download FISA information on ACS should be restricted.
IX. A Central Security Authority Must Coordinate And Oversee All Document And Physical Security Violations And Compliance Activity
A central security authority with the ability to profile and identify individuals and components engaging in patterns of security violations will make it easier for the Bureau to detect habitual violators. Currently, several components play uncoordinated roles in detecting, investigating, and assessing security violations; no single entity has authority to coordinate, track, and oversee security violations and enforce compliance. A central authority responsible for coordinating security issues among all FBI entities, with the authority to rescind security clearances, will create a powerful incentive for employees to comply with good security practices. A database should be developed so that patterns of security violations by individuals or components can be detected.
X. FBI Policy Manuals Should Require Security Coordination
To bolster this central security authority, manuals addressing physical security violations should be updated and reconciled. The manuals should require that suspected, possible, and actual losses and compromises of classified information be reported to appropriate components. The manuals should explain categories of security violations and levels of punishment and specify how the Bureau components that respond to possible security violations should coordinate their efforts.
SECURITY STRUCTURE
I. FBI Security Programs Should Be Integrated In An Office Of Security That Reports To The Director
The Bureau’s security programs are weak and fragmented. The Bureau should restructure an integrated security program within an independent Office of Security, reporting to the Director. All security functions should be consolidated within that Office, including security policy making. Security policies should be reviewed and implemented through a senior executive security policy board, chaired by the head of the Office, that includes DOJ’s Security Officer.
II. The Office of Security Should Develop A Professional Security Staff Through Enhanced Selection, Retention, And Training Programs
The FBI does not have a professional security staff or a career-enhancing training program for security specialists. In addition to developing and training a security staff, the Bureau should introduce professional career tracks for security professionals and for information technology security specialists.
III. The Office Of Security Should Implement Comprehensive Employee Security Education And Awareness Programs
The Office should maintain a full-time professional training staff to develop and implement security education and awareness programs for all employees. The staff should disseminate information on security responsibilities and create user-friendly computer sites for security information. Security should be an integral part of the curriculum at the FBI Academy. The Office of Security and the Information Resources Division should jointly develop training programs in information-system security. Mandatory executive management training programs should be conducted. Compliance with security policies and programs should be a component of annual performance appraisals of all managers and Security Officers.
IV. The Office Of Security Should Develop A Centralized Security Violation Reporting Program
The FBI’s review of security violations is fragmented and inadequate. The Bureau should develop a reporting program, which describes security violations and establishes clear procedures for investigating security violations. The program should be accompanied by recurring notice to employees and recurring security education. The program should require written documentation of security violations and mandatory reporting of all violations to the Office of Security, where they should be tracked on a secure centralized database. Automated analytical functions for collected data should be installed.
V. The Office Of Security Should Audit Security Programs.
The FBI does not adequately review its fragmented security programs. The Office of Security should periodically review and audit all security programs and systems. Office personnel should be detailed to the Inspection Division as needed to ensure meaningful audits of security programs.
INFORMATION SYSTEMS SECURITY (INFOSEC)
Well, if they had been [monitoring computer use], I probably wouldn’t have been making the kind of queries that I was making. ..... So, it would have affected the way I used the machine. It may have prevented the disclosure of things.
– Robert Hanssen
Robert Hanssen’s espionage demonstrated in a public and convincing way that the Bureau’s information systems security controls are inadequate. Information under the Bureau’s control is exceedingly important to national security and must be protected. The FBI must also exchange information with intelligence agencies, and intelligence sources, both current assets and prospective recruits, will play increasingly prominent roles in the Bureau’s mission. Consequently, the FBI must take immediate steps to restore confidence in its ability to protect its sources and the information they disclose.
Our analysis of FBI information system security (INFOSEC) policy and practice is three-fold. This unclassified section of the Report will illustrate some of the analytic themes and recurring weaknesses discovered in our review of Bureau information systems. Appendix A, classified, expands on those themes by explaining the methodology we employed and our more interesting findings and conclusions. The remaining INFOSEC appendices are for the technical reader and provide, we hope, an expert analysis that can help the Bureau translate policy and allocation choices into improved information systems security.12
Appendix B is the Technical Report, which describes our findings, the systems reviewed, the information sought, and technologies the FBI might employ to detect insider threats. Appendices C through I contain detailed findings for each system selected for in-depth review.
Our analysis is premised on a component of “best practices” in the Intelligence Community, the “Defense-in-Depth” concept, a set of principles that, instead of using all available resources to build, for example, a thirty-foot perimeter wall to protect a building, would erect a ten-foot fence, install locks on doors and windows, and purchase a safe for the most valuable assets. This layered approach mitigates the vulnerabilities in any one security feature by establishing a number of defensive layers that must be breached. By increasing the risk of detection, these layers of security act as a deterrent to espionage. Whether the compromised insider is deterred by the risk of detection or actually thwarted by a security layer, the Defense-in-Depth approach restricts a compromised insider’s unauthorized access to data.
In the course of our review, we identified a wide range of problems affecting the FBI’s computer systems and INFOSEC programs, which we will briefly summarize, saving a detailed discussion for the appendices.
As varied as the FBI’s computer security problems may be, they all flow from a pervasive inattention to security, which has been at best a low priority in recent years. At the Bureau, security is often viewed as an impediment to operations, and security roles and responsibilities are viewed as counterproductive to career advancement. Management often does not support INFOSEC programs, which receive insufficient resources. As FBI computer systems were modified over the years to adapt to evolving operational demands, program priorities and resource allocations clearly favored operational over security needs. FBI personnel tasked with computer security were expected to gauge the security implications of these changes and modify security programs to accommodate them with few resources and minimal guidance.
- The Bureau has failed to develop an effective strategy to identify and protect critical information. The FBI has not defined its security environment and therefore lacks the analytical framework necessary to address insider threats.
- Classified information has been moved into systems not properly accredited for its protection.
- Until recently, the Bureau had not begun to certify and accredit most of its computer systems, including many classified systems. The current approach to certification is inadequate.
- Inadequate physical protections place electronically stored information at risk of compromise.
- The FBI lacks adequate, documented INFOSEC policies.
- The Bureau’s approach to system design has been deficient. It has failed to ascertain the security requirements of the “owners” of information on its systems and identify the threats and vulnerabilities that must be countered.
- Classified information stored on some of the FBI’s most widely utilized systems is not adequately protected because computer users lack sufficient guidance about critical security features.
- The FBI has failed to limit user access to systems and databases that employees need to perform their jobs.
- Many key INFOSEC positions remain unfilled, and, when they have been filled, the persons assigned often lack the time, authority, and support necessary to perform their duties.
- Some FBI systems have insufficient resources to perform required audits. When audits are performed, audit logs are reviewed sporadically, if at all.
This is not to fault Bureau personnel charged with building, modifying, and securing information systems. They are following well worn paths at the FBI, and much of what has been accomplished with insufficient time and resources is commendable. FBI management faces the same resource allocation issues that all large organizations face, and allocations have often been driven by external pressures and crises. Items perceived as having low priority, such as computer security, receive little attention.
This portion of our Report will concentrate on the FBI’s Automated Case Support system, which Hanssen exploited almost exclusively in his last period of espionage, and on Trilogy, an ambitious, but limited plan to upgrade certain Bureau computer networks and information systems. This discussion is intended as an illustration of the broader findings we make in the appendices about the Bureau’s information systems. The discussion will also illustrate the vulnerability of extraordinarily sensitive information within the FBI, the Bureau’s failure to instill security consciousness in its personnel, and the tension between operational needs and security imperatives.
THE AUTOMATED CASE SUPPORT SYSTEM (ACS)
Deployed in 1995, ACS is one of several applications residing on the Bureau’s investigative mainframe and is intended to contain information ranging from unclassified to Secret. ACS is the FBI’s investigative system of records and is comprised of three subsystems: a case indexing system; a case management system; and a system to store and retrieve text documents. Information related to all FBI investigations and cases, including criminal and intelligence cases, is stored on ACS. The system allows FBI personnel to open and assign cases, set and assign leads, store text of documents (for example, investigative reports and memoranda of interview), and index, search, and retrieve these documents. ACS also contains a considerable store of administrative data, such as personnel and Office of Professional Responsibility files.
Several, nearly universal complaints about ACS relate to the general unfriendliness of the system and the perceived absence of security. Many FBI agents avoid ACS, often by delegating ACS functions to support staff. Many agents distrust ACS, and, in defiance of Bureau policy, refuse to upload into the system the most sensitive information in their possession.
Hanssen’s Use Of ACS
Bureau personnel have reviewed audit logs recording Hanssen’s activity on FBI computer systems and have identified thousands of files that he accessed and downloaded or displayed long enough to view or print. Almost all of these files resided on ACS. It remains unclear how many files Hanssen actually exploited by providing them or the information they contain to his contacts.
Hanssen was able to mine ACS data quite effectively. An FBI employee associated with the preliminary damage assessment noted that Hanssen compromised over fifty FBI human sources and potential recruits and many technical sources. As a result of Hanssen’s exploitation of ACS, several sources were executed or imprisoned. The Bureau also pulled other sources out of the field and terminated a number of technical programs and projects. FBI sources apparently fear that information Hanssen passed will lead to their discovery, and their handlers can do little to assuage these fears. The handlers are concerned that their credibility could never withstand another blow like the one Hanssen dealt. In addition to human and technical sources, Hanssen compromised critical information housed on ACS about U.S. intelligence capabilities. Through ACS, Hanssen also developed a particularly clever scheme to ensure that information he sent by mail to his Russian contacts was not intercepted.
Hanssen’s interest was often piqued by descriptions in ACS of documents to which user access had been restricted. FBI employees uploading restricted documents to ACS often complete an unrestricted descriptive data field called “Attributes.” Hanssen found the synopses in the Attribute fields for restricted documents “very revealing.”
Hanssen’s computer expertise also helped him exploit ACS. He mastered ACS search engines, finding ways to navigate around security restrictions. For instance, ACS administrators have created a list of “stop words,” terms that are not indexed in the ACS search engine. If a user attempts to conduct a search using a stop word, for example, “Secret,” the search engine will not find the term, even though it may appear in the text of many documents. To get around these restrictions, Hanssen drew on his extensive knowledge of National Security Division programs, practices, and personnel to frame queries. A Supervisory Special Agent explained that the entire Washington Field Office technical program was open to Hanssen because he was sophisticated enough to search particular files related to the program.
Hanssen employed only his ordinary ACS rights to access information. As a Headquarters Supervisory Special Agent, he had access to cases normally restricted to personnel in the field offices in which they originated. It does not appear that Hanssen possessed system administrator access or that he hacked into any files. Hanssen successfully searched for unrestricted confidential information in ACS administrative cases, information to which access was probably restricted when placed in substantive case files. The FBI has determined that, of the many documents Hanssen accessed on ACS, about 500 should have been more restricted than they were, a failure that could have stemmed from ignorance of the restriction capabilities or misunderstanding of how they work. However, while some ACS information was accessible to Hanssen because it had not been properly restricted, much of it was generally available.
As a result of this failure to restrict cases appropriately, Hanssen was able to access an ACS counterespionage case file on an investigation of a potential spy within the U.S. Intelligence Community. Based on information in the file, Hanssen pieced together the identity of the target of the investigation. He also deduced that the Bureau had closed the case when he learned through ACS that the FBI had removed surveillance devices from the target’s home. Observing that no new documents had been added to the ACS file, Hanssen confirmed that the investigation had been closed, alerting him that the Bureau might turn its attention elsewhere – and potentially to him.
Hanssen also attempted to use ACS to ascertain whether the Bureau was investigating him or his espionage. He searched for documents containing his name spelled several different ways, his home address, names of agents in FBI espionage squads, code names of espionage investigations, Russian/Soviet counterintelligence restricted cases, and terms such as “espionage.” He also searched for documents pertaining to “dead drops” and for administrative files to determine if resources had been allocated to surveil the locations he used as drops. Any one of these searches might have alerted an auditor that Hanssen had at the least unusual interests, some beyond his need to know; and many of these queries (or combinations thereof) should have alerted an auditor that Hanssen was curious whether the FBI was investigating him.13 While it does not appear that Hanssen learned of the investigation mounted against him, these searches did not alert the Bureau to his misconduct because computer audit logs generally go unreviewed.
13. Under Executive Order 12968, access of cleared individuals to classified information should be restricted to information needed “to perform or assist in a lawful and authorized governmental function.” This restriction is frequently referred to as the “need-to-know” principle.
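The paragraph above observes that Hanssen’s queries, individually or in combination, should have alerted an auditor, but that audit logs went unreviewed. The following is an added illustration, not code from the Commission’s Report or from any Bureau system, of the kind of review logic an auditor could run over search-audit records. The record layout, user profiles, watch terms and every name, address and query below are constructed for the example; ACS’s real audit schema is not reproduced.

```python
import re
from collections import defaultdict

# Constructed user profiles: the identifiers an employee might search for to
# learn whether the Bureau is looking at them (name spellings, home address).
# All values are invented placeholders.
USER_PROFILES = {
    "u1001": {"name_variants": ["rowan", "rowen", "roan"], "address": "1 example lane"},
    "u2002": {"name_variants": ["smith"], "address": "9 sample road"},
}

# Constructed watch terms: vocabulary tied to counterespionage work and to
# administrative files about surveillance resources.
WATCH_TERMS = {"espionage", "dead drop", "counterespionage", "surveillance", "code name"}

# Constructed audit records (user_id, query). Not real ACS audit output.
SAMPLE_AUDIT_LOG = [
    ("u2002", "bank robbery 2001 queens"),
    ("u2002", "smith subpoena"),                # a single name hit: low signal on its own
    ("u1001", "rowan"),
    ("u1001", "rowen robert"),
    ("u1001", "1 Example Lane"),
    ("u1001", "dead drop surveillance allocation"),
    ("u1001", "espionage squad roster"),
    ("u1001", "fraud investigation 1999"),      # ordinary query, not flagged
]


def normalize(text):
    """Lower-case and collapse whitespace so spelling variants compare cleanly."""
    return re.sub(r"\s+", " ", text.lower()).strip()


def classify_query(user_id, query, profiles, watch_terms):
    """Return the set of indicator categories a single query triggers."""
    q = normalize(query)
    hits = set()
    profile = profiles.get(user_id, {})
    if any(variant in q for variant in profile.get("name_variants", [])):
        hits.add("self_name")
    if profile.get("address") and normalize(profile["address"]) in q:
        hits.add("self_address")
    if any(term in q for term in watch_terms):
        hits.add("watch_term")
    return hits


def review_audit_log(records, profiles=USER_PROFILES, watch_terms=WATCH_TERMS):
    """Aggregate indicators per user and assign a review priority.

    One category alone is "low" (an innocent explanation is plausible); two or
    more distinct categories, or repeated searches for one's own identifiers,
    escalate to "high" because the combination is what the auditor should see.
    """
    per_user = defaultdict(lambda: {"categories": set(), "flagged": [], "self_hits": 0})
    for user_id, query in records:
        hits = classify_query(user_id, query, profiles, watch_terms)
        if not hits:
            continue
        entry = per_user[user_id]
        entry["categories"] |= hits
        entry["flagged"].append((query, sorted(hits)))
        if hits & {"self_name", "self_address"}:
            entry["self_hits"] += 1

    report = {}
    for user_id, entry in per_user.items():
        high = len(entry["categories"]) >= 2 or entry["self_hits"] >= 2
        report[user_id] = {
            "priority": "high" if high else "low",
            "categories": sorted(entry["categories"]),
            "flagged": entry["flagged"],
        }
    return report


if __name__ == "__main__":
    for user, finding in review_audit_log(SAMPLE_AUDIT_LOG).items():
        print(user, finding["priority"], finding["categories"])
```

The escalation rule is deliberately conservative: a single self-name search is reported but not prioritized, because it is the combination of self-searches with counterespionage vocabulary, the pattern the Report describes, that merits an auditor’s attention.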
Hanssen also conducted searches targeting public figures, including the Clinton First Family. On over twenty occasions, he ran searches containing the names “Hillary Rodham Clinton,” “Hillary,” “Chelsea,” or “Clinton.” He ran at least one search on Director Freeh. Had the FBI been aware of these searches, it seems likely that auditors would have found this activity peculiar and it would have received close scrutiny.
Access Restrictions On ACS Case Files
In the appendices, we review sophisticated INFOSEC countermeasures associated with ACS, such as identification and authentication, session controls, and audit capabilities. However, the most important security device from the perspective of the average user is the ability to restrict access to ACS case files.
Most, if not all members of the Bureau community have access to ACS, the FBI’s investigative system of records, into which all case-related documents are supposed to be uploaded. However, not everyone with ACS access has access to every file in the system. While all Bureau employees have Top Secret clearances, no employee needs to know about every investigation. The need-to-know principle is often overlooked at the FBI, but it remains prominent in highly sensitive investigations, such as those involving human sources and counterespionage efforts like the one that snared Hanssen. Many Bureau personnel working on such cases believe that there is no reason to share all classified information with every ACS user in the FBI’s global community. To address this reasonable concern, ACS was designed with a capability to restrict access to case files.
Access may be restricted when files are initially opened. There are two general types of access restrictions. A case may be restricted to a list of persons with roles in the case. This is referred to as a “P” restriction. A case may also be restricted to personnel in the field office where the case originated. This restriction to the office of origin is referred to as an “O” restriction.
ACS system defaults are set to designate a newly opened case as O, P, or unrestricted based on the case classification number. For instance, Office of Professional Responsibility cases are automatically opened as O cases and thus restricted to the office of origin. Asset cases, that is, cases involving human sources of intelligence, are automatically opened as P cases and thus restricted to persons with roles in the case. Until recently, Special Agents could request that a case unrestricted under its case classification be opened as an O or P case. The support person opening the case would override the default associated with that classification and restrict the case as instructed by the case agent.
If a case is O or P restricted (by default or designation), FBI employees lacking access rights who pull the case up in an ACS search will not be able to read certain information. With some case classifications, for instance, cases relating to foreign counterintelligence assets, the employee lacking access will not even know that a case exists. Instead, a “silent hit” will be generated to advise the case agent overseeing the case that an employee lacking access rights attempted to search for or view the case. When used properly, O and P restrictions appear to bar unauthorized access effectively. In fact, the Bureau has encountered difficulties when a P file is needed, but no employee with access to the case is available.
Unfortunately, the FBI has failed to train ACS users on case-file restrictions adequately. Headquarters has not implemented a comprehensive, centralized training program, and field offices have been left to piece ACS training together. As a result, users often fail to restrict investigative case files properly. As we have seen, Hanssen took advantage of this security failure to access approximately five hundred case files that had not been appropriately restricted.
Headquarters does offer some ACS training, although mostly for information management assistants. It is unclear how widely this offering is advertised or taken advantage of. Field personnel aware of the course offerings have noted that resource limitations make it difficult to take advantage of the training. Therefore, some field offices have independently taken initiatives to increase the ACS proficiency of their users. The Washington Field Office, for instance, offers its ACS users a few hours of training to complement what they learn on the job. The training has an operational, not an INFOSEC focus.14
14. Agents and support staff in the Indianapolis Field Office (IFO) are reputed to be among the most proficient ACS users in the Bureau, perhaps because the office trains all ACS users. While the focus of the training is operational, there is some INFOSEC guidance. However, personnel overseeing the training note that the program is not coordinated with Headquarters and may simply reflect IFO’s interpretations of FBI policy.
As a result of inadequate training, many users do not completely understand case file restrictions. Many, particularly at Headquarters, are unaware that the restriction capability even exists. An information management specialist at the FBI’s Engineering Research Facility estimated that fifty percent of the agents she supports, many of whom have transferred from Headquarters, were unaware of this capability until she informed them. Once informed, the agents instructed her to restrict by designation approximately half their cases. Even ACS trainers, the persons most knowledgeable about ACS, have disparate views about how the restrictions operate. There is clearly a great deal of confusion about this security capability, which has likely resulted in its misapplication or at least inconsistent application.
One consequence of this confusion is that the FBI population generally has little confidence in ACS as a secure system for storing classified information. The ineffective application of ACS file restrictions has resulted in a number of horror stories about exposure of confidential files on ACS and has fueled a general apprehension about the system’s INFOSEC weaknesses.
Even before the revelations concerning Hanssen’s combing ACS for marketable data, some FBI personnel routinely chose not to upload certain information into ACS. For instance, it is common knowledge within the Bureau that the New York Field Office (NYFO) generally refuses to upload certain types of national-security information. NYFO intelligence agents have confirmed that this is the case. In 1995, NYFO personnel were asked to assess ACS as a pilot system before it was deployed, and they developed significant concerns about security. An intern from the Massachusetts Institute of Technology was given ordinary user access and challenged to discover system vulnerabilities. In an afternoon, the intern accessed a number of restricted files.
NYFO intelligence agents have also long worried that, if they were to upload all case-related information, as required, not only would restricted files be at risk of compromise, but information contained in unrestricted files viewed in the aggregate might create complete pictures that should not be disseminated throughout the Bureau. These agents also believe that it is possible to ascertain user passwords by employing ACS system tools.
Skepticism about ACS security is not limited to NYFO. At the Engineering Research Facility, a program manager operating a Top Secret/SCI program noted that his unit does not upload into ACS even sanitized versions of the unit’s reports. Instead, the unit uploads only verification that a report exists and requires that prospective readers request the report in hard copy. Personnel in the Washington and Indianapolis field offices also expressed concerns about uploading classified information into ACS, particularly asset information, and often they do not upload that information.
Several ACS users described a common situation that could result in the inadvertent exposure of files intended to be restricted. Documents uploaded to ACS may be attached to multiple case files. Frequently, a document is sent to a substantive case file, which may be restricted, and to an administrative file, which often is not. Thus, the uploaded document is restricted when serialized in the substantive case file, but not when serialized in the unrestricted administrative file. For example, NYFO intelligence agents pointed out that classified information from the Washington Field Office’s annual asset reports can be found in unrestricted administrative case files. These reports provide considerable detail about foreign intelligence assets, including their identities and activities.
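The Report describes three properties of ACS case restrictions: a case’s O, P or unrestricted status comes from a default keyed to its classification unless the case agent designates otherwise; a restricted case still exposes its unrestricted “Attributes” synopsis to users who cannot read the file, while some classifications instead return only a silent hit to the case agent; and a document serialized to both a restricted substantive file and an unrestricted administrative file is readable through the latter. The following is an added model of that access logic, written for this discussion and not taken from ACS or any Bureau system. Classification codes, offices, users and documents are constructed placeholders. `search_naive` reproduces the two exposures described above; `search_hardened` shows the alternative in which a document inherits the most restrictive of its serializations and a user without access receives no hit at all.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed default table: classification code -> "O", "P" or None (open).
# The codes are placeholders, not the Bureau's real classification numbers.
DEFAULT_RESTRICTION = {"ASSET": "P", "OPR": "O", "ADMIN": None, "FRAUD": None}


@dataclass
class Case:
    case_id: str
    classification: str
    office: str                 # office of origin, used by "O" restrictions
    participants: frozenset     # users with a role in the case, used by "P"
    restriction: Optional[str]
    silent_hits: list = field(default_factory=list)   # (user_id, doc_id) attempts


def open_case(case_id, classification, office, participants=(), designated=None):
    """Apply the classification default unless the case agent designates O or P."""
    restriction = designated if designated is not None else DEFAULT_RESTRICTION.get(classification)
    return Case(case_id, classification, office, frozenset(participants), restriction)


@dataclass(frozen=True)
class User:
    user_id: str
    office: str


def can_read_case(user, case):
    if case.restriction is None:
        return True
    if case.restriction == "O":
        return user.office == case.office
    if case.restriction == "P":
        return user.user_id in case.participants
    raise ValueError(f"unknown restriction {case.restriction!r}")


@dataclass
class Document:
    doc_id: str
    text: str
    attributes: str      # free-text synopsis; unrestricted in the naive model
    serialized_to: tuple  # ids of every case file the document is attached to


def _matches(doc, term):
    return term.lower() in (doc.text + " " + doc.attributes).lower()


def search_naive(user, term, documents, cases):
    """Failure mode: readable through ANY attached file; synopsis shown otherwise."""
    hits = []
    for doc in documents:
        if not _matches(doc, term):
            continue
        attached = [cases[c] for c in doc.serialized_to]
        if any(can_read_case(user, c) for c in attached):
            hits.append((doc.doc_id, "full"))
        else:
            hits.append((doc.doc_id, "attributes_only"))
            for c in attached:
                c.silent_hits.append((user.user_id, doc.doc_id))
    return hits


def search_hardened(user, term, documents, cases):
    """Document inherits the most restrictive serialization; no hit without access."""
    hits = []
    for doc in documents:
        if not _matches(doc, term):
            continue
        attached = [cases[c] for c in doc.serialized_to]
        blocked = [c for c in attached if not can_read_case(user, c)]
        if blocked:
            for c in blocked:
                c.silent_hits.append((user.user_id, doc.doc_id))
        else:
            hits.append((doc.doc_id, "full"))
    return hits


def build_scenario():
    """Constructed cases and documents; rebuilt per run so silent-hit counts start at zero."""
    cases = {c.case_id: c for c in [
        open_case("WFO-ASSET-1", "ASSET", "WFO", participants={"agent_a"}),
        open_case("HQ-ADMIN-7", "ADMIN", "HQ"),
        open_case("NYFO-FRAUD-3", "FRAUD", "NYFO", participants={"agent_b"}, designated="P"),
    ]}
    documents = [
        # Serialized to the restricted asset file AND an open administrative file.
        Document("d1", "annual asset report: source PLACEHOLDER-1 met handler",
                 "annual asset report", ("WFO-ASSET-1", "HQ-ADMIN-7")),
        Document("d2", "source PLACEHOLDER-2 debriefing",
                 "debriefing of recruited source", ("WFO-ASSET-1",)),
        Document("d3", "wire fraud subject interview", "interview memo", ("NYFO-FRAUD-3",)),
    ]
    return cases, documents


def run_scenario(search):
    """Search as a Headquarters user with no role in any case; return hits and silent-hit counts."""
    cases, documents = build_scenario()
    viewer = User("viewer_hq", "HQ")
    hits = search(viewer, "source", documents, cases)
    return hits, {cid: len(c.silent_hits) for cid, c in cases.items()}
```

Run with `run_scenario(search_naive)` the viewer obtains the asset report in full through the administrative file and the synopsis of the debriefing; with `run_scenario(search_hardened)` the same query returns nothing and both attempts are recorded as silent hits on the asset case for the case agent to review.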
The FBI’s counterespionage efforts have been undermined by this lack of confidence. According to a Unit Chief, personnel charged with investigating espionage allegations generally do not upload case file information into ACS. The Chief also noted that they do not even solicit help with leads on ACS because on one occasion, when a lead was sent to a field office, new agents who covered the lead – unaware of the unit’s avoidance of ACS – uploaded information without restricting it. By complying with the FBI directive to upload, but apparently unaware of how ACS file restrictions operate, these agents compromised classified information. Other members of counterespionage units noted that databases have been created, separate from the FBI’s established systems, to collect, analyze, and protect data. These databases, which may exist throughout the FBI, operate outside the supervision of the Bureau’s security apparatus.
Hanssen’s espionage has increased suspicion of ACS among Bureau personnel. Many persons interviewed suggested that the little confidence they had in ACS as a secure system of records evaporated after Hanssen. NYFO personnel feel vindicated for resisting Bureau policy that information be uploaded into ACS, and personnel in the Washington and Indianapolis Field Offices are frustrated for having sometimes uploaded information. Russian intelligence units in the Washington Field Office were apparently hard hit by Hanssen’s misconduct. Many of their sources were compromised. By contrast, only two human assets operated out of NYFO were put in jeopardy. These sources were imperiled because information concerning them was extracted from NYFO hard copy documents sent to other field offices as leads and uploaded into ACS. It is not unusual for NYFO information to appear in ACS in this manner.
It is difficult to gauge whether confidence in ACS can be restored. Some persons interviewed have suggested that confidence is shattered beyond repair and that the FBI will need to deploy a new, or at least renamed, more user-friendly system. Many interviewees asserted that the Criminal Investigation Division and the National Security Division should be given separate investigative systems to support their missions and security needs. Whatever approach the FBI takes, it must solicit input from user communities, particularly those who have resisted uploading information into ACS, to determine what is needed to restore confidence. If the user communities are willing to work with ACS and its case restrictions, the FBI must commit to defining clearly which cases should be restricted and at what level. The Bureau must also educate its users regarding the policy and procedures for restricting cases, and this policy must be enforced. Users should expect to be questioned when they access files as to which they have no apparent need to know.
Shaken confidence in ACS and skepticism about the security of information housed in it undermine the mandate that all case-related information be uploaded into ACS. As the FBI’s investigative system of records, ACS is intended to store the Bureau’s institutional knowledge. If case files, or even entire cases, are purposely not uploaded, the FBI’s institutional knowledge is less complete and investigations may suffer because potentially helpful information is available only to the few who are aware of it.
In short, ACS’s integrity as a repository for the FBI’s investigative case files has been compromised. The hard and bitter fact also remains that Hanssen was able to exploit the Bureau’s investigative system of records with little difficulty and was able to compromise information of incalculable value to national security.
The Decision To Remove Restrictions On ACS
In the wake of the terrorist attacks in September 2001, FBI senior management significantly altered Bureau policy on ACS case file restrictions. This decision may have extraordinary importance for national security and the Bureau’s ability to construct cases that can be prosecuted. The manner in which the decision was made also confirms that, within the FBI, operational imperatives often trump security needs, which played no apparent role in the decisional calculus.
On October 3, 2001, an Electronic Communication (EC), approved by the Deputy Director and five other senior officials, was sent from the Director’s office to all FBI Divisions. This EC, titled “Restricting Cases in ACS,” reinforced long standing policy that all cases must be entered into ACS, and it fundamentally changed policy by mandating that no case be restricted by designation or deliberately not uploaded without approval of an Assistant Director.
To explain this policy change, the EC noted that case file restrictions had hampered PENTTBOM, the international investigation of the terrorist attacks. Apparently, agents assigned to pursue leads in PENTTBOM had been frustrated by restrictions limiting access to potentially relevant case files, and FBI senior management had determined that the agents’ frustration was well grounded.
This EC was soon followed by another, dated October 10, 2001, declaring that, on the evening of October 10, the FBI’s Information Resources Division would remove certain ACS case restrictions. Pursuant to the new policy, three case classifications that had been automatically restricted as P cases lost this default protection, leaving eight P case classifications. The list of O restricted case classifications was reduced to six. Sixteen previously defaulted O case classifications lost that protection, including domestic security, hostage taking, and international terrorist investigations. Existing and new cases falling within the remaining eight P and six O case classifications would remain restricted. However, all existing cases not falling within these classifications would lose their restrictions that evening, unless an Assistant Director decided otherwise. The new policy affects not only cases previously entitled to default restrictions, but also cases that agents had opened or would otherwise open with designated restrictions. Thus, ACS users were given less than a day to learn about the EC, review restrictions on their cases, and solicit approval from a Headquarters Assistant Director to maintain restrictions on particular cases.
The decision to loosen ACS restrictions was made essentially without the involvement of the Security Countermeasures Branch, the Bureau’s security apparatus.
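The October 2001 change, as described above, shrank the lists of classifications that default to P and O and removed restrictions from every other existing case, including cases restricted by designation, unless an Assistant Director approved otherwise. The following is an added example, not from the Report or any Bureau system, of the impact assessment a security office could run against a case inventory before such a change takes effect. The classification codes, case identifiers and approval list are constructed placeholders; the example generalizes the Report’s account to any before-and-after pair of default tables.

```python
# Constructed default tables: classification code -> "O", "P" or None (open).
# Codes are placeholders, not the Bureau's real classification numbers.
OLD_DEFAULTS = {"P-A": "P", "P-B": "P", "P-C": "P",
                "O-A": "O", "O-B": "O", "O-C": "O", "ADMIN": None}
NEW_DEFAULTS = {"P-A": "P", "P-B": "P", "O-A": "O", "ADMIN": None}   # P-C, O-B, O-C dropped

# Constructed case inventory: (case_id, classification, restriction designated at opening or None).
SAMPLE_CASES = [
    ("c1", "P-A", None),    # classification keeps its default: stays restricted
    ("c2", "P-C", None),    # default dropped, no approval: becomes open
    ("c3", "O-B", None),    # default dropped, but Assistant Director approved retention
    ("c4", "ADMIN", "P"),   # restricted only by designation: loses it under the new policy
    ("c5", "ADMIN", None),  # was open before and after
    ("c6", "O-C", "P"),     # designated P in a dropped classification: loses it
]
AD_APPROVED = {"c3"}        # constructed list of cases an Assistant Director kept restricted


def effective_restriction(classification, designated, defaults):
    """A designation overrides the classification default."""
    return designated if designated is not None else defaults.get(classification)


def assess_policy_change(cases, old_defaults, new_defaults, ad_approved):
    """Sort each case by what the new policy does to its restriction.

    Under the policy described above, only cases in classifications that still
    default to O or P keep their restriction automatically; everything else,
    designated or not, becomes open unless it is on the approved list.
    """
    report = {"kept_by_default": [], "kept_by_approval": [],
              "lost_default": [], "lost_designation": [], "unchanged_open": []}
    for case_id, classification, designated in cases:
        was_restricted = effective_restriction(classification, designated, old_defaults) is not None
        if not was_restricted:
            report["unchanged_open"].append(case_id)
        elif new_defaults.get(classification) is not None:
            report["kept_by_default"].append(case_id)
        elif case_id in ad_approved:
            report["kept_by_approval"].append(case_id)
        elif designated is not None:
            report["lost_designation"].append(case_id)
        else:
            report["lost_default"].append(case_id)
    return report


def newly_exposed(report):
    """Case ids that were restricted before the change and are open after it."""
    return sorted(report["lost_default"] + report["lost_designation"])


if __name__ == "__main__":
    result = assess_policy_change(SAMPLE_CASES, OLD_DEFAULTS, NEW_DEFAULTS, AD_APPROVED)
    print("newly exposed:", newly_exposed(result))
```

The `lost_designation` bucket is the one the Report singles out: agents who had deliberately restricted a case at opening had less than a day to obtain approval, and an inventory of this kind is what would have told them, and the security staff, which files were about to become generally available.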
The security consequences of this policy are difficult to assess. Obviously, many cases previously restricted by default or designation are now open to the full universe of ACS users. Substantial sensitive source material is now unrestricted. For example, while informant and asset files remain restricted, it is likely that at least some of the other case files to which source information is attached are now unrestricted.
While this new policy retained restrictions on tax and most grand jury information, other confidential information was not afforded continued protection. For instance, information collected pursuant to the Foreign Intelligence Surveillance Act (FISA) historically has been housed in restricted cases. There are complicated procedures – many driven by executive policy, but some predicated on case and constitutional law – governing the use of FISA information in criminal cases. Accordingly, problems may arise in making FISA information generally accessible throughout a system employed by agents conducting criminal investigations.15 And a point more central to our mandate is again true: highly classified information has been made available to a range of Bureau personnel far broader than those who need to know it.
15. On October 12, 2001, the FBI’s General Counsel ordered by Electronic Communication that FISA information newly uploaded onto ACS carry a warning about its source and declaring that the information cannot be used in criminal cases without approval from Headquarters and the Department of Justice.
Having implemented this decision, there is little the FBI can do to reverse it. For example, ACS does not have a separate case classification for investigations employing FISA information. Consequently, while a terrorism case (now unrestricted) might include FISA information, not all terrorism cases will. Therefore, it will be very difficult to identify all cases that include FISA information, particularly now that the information is generally available and may have been picked out for use in other (perhaps even criminal) cases. Even if the Bureau were to reinstate restrictions on certain existing cases, the case files have been generally available on ACS for some time; returning these cases to their previous security status has been likened to putting toothpaste back into a tube. Even if senior FBI officials responsible for this policy change considered all its implications before making it, they failed to solicit the input of key security personnel, whose views might have informed their decision. Although the change may be defensible, the manner in which it was made sends a clear signal that the FBI’s security organization is irrelevant during an operational crisis.
TRILOGY
The Bureau’s current effort to upgrade a number of its computer networks and systems reveals many of the inadequacies in its approach to information security.
For the past several years, the FBI has requested that Congress appropriate funding to upgrade its computer systems, and upgrade proposals have evolved in response to Congressional concerns. In November 2000, Congress allocated $379 million for Trilogy, the most recent proposal.
As the name implies, the Trilogy upgrade is composed of three parts. One component involves a substantial replacement of the Bureau’s telecommunications and network infrastructure. Another will implement a platform of products to make FBI computers more user friendly and to provide more centralized system management capabilities. The final component will upgrade some applications, such as the Automated Case Support system.
Trilogy is not a comprehensive upgrade. A number of networks and systems will not be affected. Only the largest networks and most widely utilized systems will be improved. A senior Information Officer likened the Bureau’s existing systems to “an old car broken down in a ditch.” The purpose of Trilogy is to get the old car out of the ditch, not to provide the FBI with state-of-the-art information systems.
Trilogy does present a considerable opportunity for security enhancement. For example, it contemplates a separation of the telecommunication backbones of the existing networks that could greatly improve their security. Intrusion detection technologies at the network level have also been considered to enhance the ability to monitor misconduct. The FBI contemplates that security features in existing networks and systems will migrate to their upgraded successors. New hardware and software implemented through Trilogy will come with limited built-in security features, and an effort, called Information Assurance, is underway to propose additional security features for the upgrade.
FBI Trilogy personnel originally anticipated that the upgrade would take approximately three years to implement. Because of pressures to complete the upgrade more quickly, an aggressive schedule was devised to implement Trilogy in about two years, by June 2003. The project was proceeding according to this schedule when in October 2001, the Bureau’s Director ordered that the schedule be compressed. At present, two of Trilogy’s three components are scheduled to be completed by July 2002, and the third, by February 2003.
A program manager has told Commission staff that security concerns have gained prominence in the Trilogy upgrade in the wake of Hanssen’s espionage, although the principal focus of the program is still clearly operational. The focus on functional improvements – “getting the old car out of the ditch” – confirms that priority will be given to operational needs. In addition, given the accelerated Trilogy schedule, design and time constraints will not permit the FBI to focus on security enhancements. It is common in the computer industry for security measures to fall by the wayside when schedules are compressed. However, given the FBI’s current computer security posture, the present course is problematic; even the very rush to complete the upgrade project could enable a compromised insider to introduce holes in the system that could be exploited later.
Already, the Trilogy staff has determined that key security enhancements will not be implemented through the project. Proposed Information Assurance (IA) security enhancements, which may or may not address many security needs, are not included within the plan and will have to be integrated into the Trilogy infrastructure later. Currently, these measures have not received funding, though it may be imminent, albeit at only fifty-five percent of the amount sought.16
16. The IA Program requested approximately $114 million and expects to receive roughly $64 million. Accordingly, a number of security tools originally sought will not be implemented.
The approach to implementing IA technologies merits discussion. The IA Program will select a number of security technologies and then canvass prospective products and vendors. After evaluating products and vendors, Program managers plan to discuss with Trilogy computer scientists whether selected products are compatible with the Trilogy infrastructure in place at that point. A more effective approach would be for the Program to identify threats to information on systems upgraded by Trilogy and then select appropriate countermeasures to address the threats. This analysis should have been performed in the original Trilogy design process.
If Trilogy, IA, and Security Countermeasures program managers do not coordinate effectively, the FBI faces a considerable threat of disjointed security countermeasures and wasted resources. The introduction of Trilogy alone will not improve the FBI’s security posture and will offer little to reduce the time between defection and detection of compromised employees. If the FBI decides to implement security countermeasures after Trilogy has been designed and deployed, it will face the difficult task of assessing whether the new security countermeasures comport with Trilogy system design and the security requirements of data owners. Moreover, subsequent security additions likely will require that the FBI re-certify and re-accredit computer systems, an expensive and time-consuming operation.17
17. As of September 2000, the FBI had certified and accredited eight computer systems. Bureau and DOJ security components were unaware that the FBI was operating more than these eight systems until a representative of the Information Resources Division testified before the Senate Select Committee on Intelligence in September 2000 that the FBI was operating at least fifty computer systems, of which approximately thirty processed classified information. The Bureau has since identified numerous additional systems, many of which contain classified information.
RECOMMENDATIONS
This section of the Commission’s Report will not contain specific recommendations that the FBI should implement. Recommendations for improving information security tend to be arcane, and we have reserved them for the technical appendices that accompany this report. Instead, we offer five broad INFOSEC recommendations, which flow, not simply from the shortcomings in ACS and Trilogy, but from the many specific recommendations and findings about the other systems and programs discussed in the appendices.
First, the Bureau must establish comprehensive, consistent, and centrally coordinated INFOSEC policies. To implement these policies, the FBI also must create guideline-level documentation and system-specific security plans.
Second, the Bureau must implement adequate INFOSEC education and training. Classified information stored on some of the FBI’s most widely utilized systems is not sufficiently protected because users lack guidance on critical system security features. While implementation of a comprehensive INFOSEC education and training program will take time, the Bureau must find a way to educate users immediately on ACS security features. As Hanssen’s betrayal has shown, ACS poses a tremendous risk to information affecting national security.
Third, the Bureau must fill key INFOSEC positions, and the persons assigned to these roles must be given the time, authority, and support necessary to perform their duties.
Fourth, the Bureau must define and institutionalize a formal process to certify and accredit all computer “systems,” as that term is defined in Director of Central Intelligence Directive 6/3.
Finally, the Bureau must perform the analysis necessary to develop a comprehensive, prioritized plan to address security shortcomings. The framework for this analysis is straightforward. The FBI must define the information security environment it wants to create by identifying information policies, specific threats, and secure usage assumptions. The Bureau must assess threats that existing security countermeasures do not counter and information security policies that are not being enforced. The FBI can then select programs, tools, and technologies to sustain its security environment.18
18. We discuss many of these tools in the appendices; for example, intrusion detection and monitoring programs are discussed in Appendix A and in the Technical Report (Appendix B).
Only the Bureau has sufficient information about its mission, threats, security objectives, and resources to perform this critical analysis and select security countermeasures suited to its needs. In this section of the Report and in the appendices, the Commission highlights numerous security shortcomings the FBI may need to address. Some of these problems are egregious, and corrective actions are straightforward and urgently needed.
The Bureau will have to make policy decisions about the nature of its mission and the amount of resources that will be devoted to security at each stage in the INFOSEC analysis that we recommend. Those decisions will open some avenues and close others. Certain programs, tools, and technologies will become wise investments; others, inappropriate or beyond fiscal reach. Again, the important point is not that any particular INFOSEC technology be adopted, but that the Bureau develop and follow an INFOSEC plan consonant with its mission and resources. We hope that our assessment will help the Bureau accomplish this task.
CONCLUSION
The FBI’s INFOSEC problems flow from a pervasive inattention to security. Given a culture that views security as an impediment to operations, it is unsurprising that FBI computer security programs receive insufficient resources and management support. This neglect is evident at all levels, from the absence of clear, documented INFOSEC policy to the failure to educate and train computer users in the security features of their systems.
Currently, the Bureau is redefining its mission to reflect a heightened need for intelligence. Until the FBI develops and commits to a protection strategy that reflects basic security principles, such as “Need to Know” and “Defense in Depth,” other intelligence agencies and sources may question its ability to protect critical information, which will in fact remain vulnerable to espionage. Hanssen’s crimes exposed the FBI’s internal weaknesses. It is essential that the Bureau take rapid but appropriate steps to restore confidence in the security of its information and to protect that information from compromise.
We hope that this analysis of the Bureau’s INFOSEC posture illuminates how security penetrations like Hanssen’s are possible and how disastrous they can be, especially when operational imperatives hold unquestioned sway over security needs. With this analysis as a backdrop, we will now review the Bureau’s personnel and document security programs and then turn to the Bureau’s security structure.
I think that [my security reinvestigations] were fine, adequate. I mean, not adequate enough to stop my espionage. . . .
– Robert Hanssen
PERSONNEL SECURITY
The Commission conducted a detailed review of the Bureau’s personnel security programs, focusing on the initial investigation of applicants for employment, the process by which access and security clearances are granted, and the reinvestigation program for onboard personnel. We also examined the Bureau’s financial disclosure and polygraph programs.
Detecting compromised employees and preventing penetration by hostile outsiders are the paramount goals of personnel security programs. A comprehensive personnel security system must allocate substantial resources to assess applicants and monitor employees and other personnel, focusing on those with access to critical information. Set forth below and in greater detail in the Personnel Security Appendix are a series of findings and recommendations, aimed at improving personnel security within the Bureau.
INVESTIGATION, ADJUDICATION, AND CLEARANCE PROGRAMS
The FBI uses a complex background investigation process to make determinations or “adjudications” of whether past and current conduct of employees and contractors suggests future unreliability. Under federal regulations, the Bureau employs this process in determining whether employees and contractors should have security clearances and access to FBI facilities. Failure to comply with these regulations and flaws in the investigation and adjudication process can lead to imprudently granted clearances and access and to devastating security weaknesses.
All employees are initially cleared at the Top Secret level, and every member of the workforce is supposed to undergo a reinvestigation and clearance determination every five years. Interim clearances are also granted for those who need immediate facilities access, including non-Bureau personnel, such as task-force members and contractors.
The FBI conducts a dual adjudication of its applicants. First, a determination is made as to the suitability of applicants for hiring. Individuals are evaluated on their character and integrity, as well as their professional skills. A separate determination is made on security questions. Suitability and security issues are reviewed in different entities, the Administrative Services Division for the former and the National Security Division for the latter.
Before October 1, 2001, the investigation, adjudication, and clearance process operated as described below. After October 1, the FBI began to implement a series of changes in its personnel security programs. We support these efforts, but believe that the Bureau must fully acknowledge structural weaknesses in the program it is attempting to revamp before it can be successfully modified.
Applicants
The Bureau Applicant Employment Unit (BAEU) in the Administrative Services Division administers the applicant program and makes suitability determinations. Special Agent and support personnel applicants submit applications to field offices and must complete skill tests, drug tests, and polygraph examinations before background investigations are initiated.
Field offices conduct Personal Security Interviews and “scope” applicant cases for investigative coverage, that is, they determine the extent of the investigation necessary. The scoping is forwarded to the Background Investigation Contract Service at Headquarters, which distributes the work among Special Investigators, who conduct an investigation described later in this section.
When field work, name traces, and record checks have been completed, a BAEU analyst determines the applicant’s suitability for employment. If an applicant is found suitable, the case is sent to the Personnel Security Unit (PSU) in the National Security Division for clearance adjudication.
On-Board Personnel
The PSU is also responsible for administering the reinvestigation program for FBI employees. A 1994 inspection found that the FBI reinvestigation process, which consisted of a file review, local record checks, and credit report review, was not in compliance with Intelligence Community standards. The reinvestigation process now includes full-field background investigations back to the time of the last investigation. Polygraph testing became a component of reinvestigations after Hanssen’s arrest.
Before Hanssen’s arrest, PSU handled reinvestigations and clearance adjudications for all employees. Since then, problematic reinvestigations, particularly cases involving employees who hold particularly sensitive positions or have access to Sensitive Compartmented Information, are diverted to the Analytical Integration Unit, created in response to Hanssen’s arrest to provide deeper analysis to cases posing heightened security issues.
Personnel Security Assistants scope the re-investigative work and send leads to field offices where record checks, Personal Security Interviews, and polygraph examinations are conducted. The Background Investigation Contract Service conducts the background investigation.
Completed investigative reports are sent for adjudication to Personnel Security Specialists, who do not have investigative experience and receive only on-the-job training. The specialists rely on adjudication guidelines that summarize relevant Executive Orders and Director of Central Intelligence Directives. The analysis underlying adjudications is often superficial.
Non-FBI Personnel
The Industrial Security Unit (ISU) within the National Security Division adjudicates security clearances for a wide range of non-FBI personnel, such as task-force members, contractors, chaplains, and private attorneys, who need access to facilities or classified information.
Because time is sometimes critical, field Security Officers complete certain checks and conduct Personal Security Interviews before Headquarters security processing begins. If initial checks are favorable, Headquarters ISU may grant interim security clearances.
Of particular note are contract linguists the FBI hires to meet operational demands. Linguists involved with counterintelligence matters receive a full-field background investigation and a polygraph examination before they receive access to FBI facilities or classified information. The majority of linguists are used solely in criminal matters and may be granted escorted access to facilities before receiving security clearances.
ISU also grants interim clearances, if initial checks are favorable, to contractors, such as janitors and vendors, who need access to FBI facilities but not to classified information. These individuals, known as “unclassified contractors,” are cleared at the Secret level because FBI facilities often permit open storage of classified material.
Executive Order 12968 mandates that background investigations be completed within 180 days after an interim clearance has been granted. Until recently, investigations for the majority of contractor interim clearances were overdue, and, thus, many contractors working in FBI facilities did not have final security clearances. An estimated fifty percent of the contractors end their FBI association before background investigations have been completed. Field offices are responsible for alerting Headquarters when non-FBI personnel are due for reinvestigation, but often they do not. ISU has no system to track non-FBI personnel due for reinvestigation. Because of an inadequate tracking system, many reinvestigations are missed completely.
The Background Investigation Contract Service (BICS)
BICS was established in 1991 to conduct background investigations and reinvestigations. It is a component of the FBI, which hires and manages around 1,700 Special Investigators (SIs), mostly retired FBI agents, throughout the country.
Once BICS receives work from a “customer” – the Bureau Applicant Employment Unit for new applicants, the Personnel Security Unit for employee five-year reinvestigations, and the Industrial Security Unit for non-FBI personnel – BICS scopes leads and assigns work to SIs, along with work orders setting out the investigation and the time it will take.19 SIs are instructed not to deviate from the work order. They must inform Case Managers of derogatory information they develop and seek approval for additional interviews in response to that information.
19. Staffing Assistants in the field office where the case originates also scope local record investigations, such as police and court checks. BICS Personnel Security Specialists review this coverage for thoroughness and contact the field, if coverage is insufficient.
Although most SIs are former criminal investigators, many have limited experience in background investigations. Since they are contractors, they receive no formal training, but are given an investigative procedures manual and a four-hour orientation.
In conducting investigations, SIs must use the FBI reporting format and a procedure known as CARLABFAD, an investigative approach introduced during J. Edgar Hoover’s tenure as Director, covering nine topics: the subject’s Character, Associates, Responsibility, Loyalty, Ability, Bias and prejudice, Financial responsibility, Alcohol use, and Drug use. SIs, who are former FBI agents, sometimes simply ask interviewees, who are current agents, whether subjects of investigations are CARLABFAD.
When SIs complete their investigations, they usually dictate reports to one of four typing centers around the country. BICS Case Managers review SI reports for completeness and may request that missed coverage be completed. They have no adjudicative responsibilities; they only see a small part of the investigative process, and they rarely deal directly with adjudicators, who can request expanded coverage.
For the most part, BICS background investigations and reinvestigations meet the standards set down in Executive Orders and Director of Central Intelligence Directives and in some respects surpass them. Problems exist, however. Hanssen’s 1996 reinvestigation highlights a number of deficiencies in BICS investigations and the Bureau’s adjudication process. One supervisor told an SI that Hanssen was in the “doghouse” with an Assistant Director about an issue related to a foreign intelligence service. The SI did not follow up on this comment or determine whether it referred to a counterintelligence issue. A co-worker described Hanssen as a “maverick,” who had his “own ideas on things” and did not always “toe the line” with management. The SI failed to probe these comments. Another reference described Hanssen as “intense” with a “mixed reputation,” and a supervisor stated that he was an “unusual” character. In neither case did the SI pursue these comments. Foreign travel and contacts were not addressed, although a reference commented that Hanssen was a friend of a Soviet defector. Hanssen’s Personal Security Interview conducted by an NSD Security Officer also lacked depth in its coverage of counterintelligence issues. The Personnel Security Interview did not refer to foreign contacts or financial matters.
Hanssen’s background reinvestigation also failed to develop details about his finances, an area that Hanssen himself identified to Commission staff as critical. Two references commented that Hanssen’s children attended college on academic scholarships, and another asserted that Hanssen’s wife came from a wealthy family who assisted the Hanssens. A fourth reference stated that Hanssen had money troubles. BICS did not ask that these disparate comments be explored, and PSU made no effort to determine Hanssen’s true financial condition.
RECOMMENDATIONS
I. Security Investigations and Adjudications Should Be Consolidated In A New Office Of Security
Security clearance decisions are governed by Executive Orders and Director of Central Intelligence Directives that are extensive and detailed. Background investigations must comply with these mandates and fully develop issues as to character and trustworthiness. The process by which the FBI currently conducts background investigations, adjudicates cases, and grants clearances is fragmented; responsibility for various elements is spread throughout Headquarters and the field, with no entity in control. For instance, scoping is currently performed by field security officers, Headquarters analysts, and BICS managers. This fragmentation results in duplicative efforts and wasted resources, missed leads, and unaddressed security issues.20
20. Scoping is also hampered by the large, confusing lead-setting manual the FBI uses to establish coverage. We recommend that the manual be simplified.
Security adjudications should occur in the new Office of Security detailed later in this Report.
II. The Personnel Security Process Should Be Automated
The system for processing investigations, reinvestigations, and adjudications is paper-driven and barely automated. For the most part, forms, investigative reports, summaries, and adjudicative material are distributed in hard copy. Lack of automation creates inefficiencies that can add weeks to the investigation process.
FBI investigation and adjudication processes should be automated. Personnel should be able to submit applications and investigation and reinvestigation material electronically. The BICS process should also be automated and integrated with the application, investigation, and reinvestigation programs, and a reliable system for tracking contractor clearance statuses should be developed.
III. BICS Investigations Should Be Thorough
Special Investigators (SIs) sometimes fail to investigate issues thoroughly, as is evident in Hanssen’s reinvestigation. This results in adjudicators having less than complete information or ignoring some issues altogether.
BICS must improve the quality of its SIs. Inexperience in background investigations and, in some cases, inability lead to incomplete and inadequate investigations that do not cover adjudicative guidelines or comply with regulations. SIs frequently employ a checklist approach, content to touch upon subject areas, rather than explore them comprehensively. Case Managers, supervisors, and quality control specialists must insist that BICS SIs go beyond the CARLABFAD approach and conduct thorough interviews. Contracts with SIs who do not perform well should not be renewed.
IV. The BICS Process Should Be Revamped
Fault does not lie entirely with the