Prepared Testimony ofGood morning, Chairman Leahy, Senator Hatch and other members of the Committee. I am pleased to appear this morning to discuss the very important matter of the review of the FBI Security Program and its transformation to a world-class operation capable of addressing the formidable threats facing the Bureau, a process that began in late Fall 1999 and accelerated after the arrest of Robert Hanssen. The recent arrests of Hanssen and James Hill should leave no doubt that there are committed adversaries with the intent and capability to harm the interests of the FBI and the United States. As the premier domestic agency conducting criminal, counterintelligence, and counterterrorism investigations, the FBI is an attractive target for a wide variety of opponents who continuously strive to impede investigative operations, obtain sensitive information, and initiate and implement reprisal actions against Bureau personnel or facilities For this very reason, the details I provide in this public briefing will be very general to prevent outlining a roadmap for those persons intent on harming our country's interests. Suffice it to say, that we have conducted a detailed analysis and, as I will outline, identified and began addressing 15 categories of security areas that need to be bolstered, redesigned or, in some cases, established for the first time. I am available to present, in a closed session, a more substantive description of both those areas of the FBI Security Program that require intense focus and the detailed enhancement plan we have formulated to improve the Bureau's security posture. Your staffs have received an in-depth briefing of the problem areas identified and the actions being taken.
Kenneth H. Senser
Acting Deputy Assistant Director
Security Programs and Countermeasures
Federal Bureau of Investigation
Before the Senate Committee on the Judiciary
Reforming FBI Management: The Views from Inside and Out"
July 18, 2001
In late March 2001, Director Freeh took a number of internal security enhancement actions to include the appointment of a task force of Assistant Directors (ADs) to ensure the complete identification and effective implementation of a number of interim security enhancements begun shortly after Hanssen's arrest. Director Freeh also charged this task force, chaired by Bob Dies, AD Information Resources Division, with identifying and implementing any other interim changes that may be appropriate to enhance the FBI's Security Program and are sufficiently urgent so as to not await the outcome of either Judge Webster's review or that of the Department of Justice Inspector General.
In mid-April 2001, the security task force concluded that the FBI as a foundation for a robust internal security program must have a single executive manager responsible and accountable for the entire security "enterprise" The existing security program function was fragmented throughout a number of different divisions and there was nobody overseeing the various security "puzzle pieces". The initial recommendation of the task force to Deputy Director Tom Pickard was that the existing security program be separated from the National Security Division as a stand-alone entity, reporting to the Deputy Director, and that an executive manager be identified to specifically direct and be accountable for the security program The task force also recommended that a Formal process be established to consistently establish, implement, technically support, enforce, and educate personnel regarding security policy. Deputy Director Pickard and Director Freeh immediately adopted these recommendations.
I was then selected to lead the total transformation of the FBI's Security Program, as well as, oversee its day-to-day operations. I am a Senior Intelligence Service officer detailed to the FBI from the Central Intelligence Agency (CIA). My ) 8-year career with the CIA has been exclusively within the security field and I have served assignments in the disciplines of personnel, technical, physical, and protective security The original purpose of my detail assignment, initiated in October 1999, was to serve as a deputy and advisor to the FBI Security Programs Manager. The 15 months between the start of my detail assignment and the arrest of Hanssen gave me the unique opportunity to view the FBI's security apparatus using the lens of an "outsider". As I will mention later, other outside experts have been detailed to the FBI to assist in this critical endeavor.
My responsibilities include identifying the necessary security processes ("puzzle pieces") and ensuring that each one has an "owner". The process owners will develop the security policy statements and other supporting documentation which will require the approval of at least two FBI executives, one of which will always be mine, before final review and approval by the Deputy Director or Director.
An effective security program utilizes the principles of risk management. It is impractical and cost prohibitive to attempt to remove all risk from operations. Risk management is the process of selecting and implementing countermeasures to achieve an acceptable level of risk at a reasonable cost. Applying risk management within the security discipline involves the collection and evaluation of accurate and detailed information pertaining to:
- The nature and value of assets being protected.When countermeasures are applied to mitigate the risk, they are done so in a layered manner. These layers, or "rings of security", are constructed from the outermost perimeter to the asset itself. Countermeasures must be integrated and considered in a systems approach. To do otherwise potentially allows the adversary to identify the vulnerabilities that were not properly addressed, thereby negating the positive effect of the countermeasures that were applied.
- The degree of a specific type of threat.
- The extent of the related vulnerabilities.
- The identification and evaluation of risks.
- A cost-benefit analysis of countermeasures to mitigate specific selected risks.
Pre-Hanssen Security Review
In early 2000, the Security Program initiated a self-assessment of its Program. There was a recognition that the Program was fragmented and dispersed across several different divisions. It lacked an integrated vision and security initiatives were often poorly coordinated, inefficient, and not as effective as possible. Additionally, seven areas within the Program requiring greater focus were identified. The Security Program established a Program Plan designed to address these deficiencies. Various management and operational processes were initiated or modified to improve the delivery of security services.
As a result of this review, Deputy Director Pickard established the FBI Security Council in May 2000 to facilitate the development and maintenance of a unified, strategic security vision. The purpose of the Council was to address Bureau-wide operational and policy issues that impact the FBI Security Program. The Council discussed a number of issues, to include; the status of FBI efforts to certify and accredit its information systems; strategies to improve information assurance; and options for consolidating responsibilities in various areas, such as, communications security and background investigations.
Post Arrest Actions
In the wake of the arrest of Robert Hanssen on espionage charges, Director Freeh asked Judge William H. Webster to conduct a thorough review of the FBI's internal security functions and procedures and to recommend improvements. As a former FBI Director, CIA Director, and Director of Central Intelligence, Judge Webster is, of course, uniquely qualified to undertake this review. Judge Webster has assembled an impressive team of highly credentialed individuals to assist him in conducting this review Those members are: Clifford L. Alexander, Jr., Griffin B. Bell, William S. Cohen, Robert B. Fiske, Jr., Thomas S. Foley, and Carla A. Hills. The FBI is committed to providing Judge Webster and his team complete and timely access to FBI records, personnel, and resources to complete this task.Judge Webster has also established a team of investigative attorneys to assist in this review. Those attorneys are currently conducting interviews and reviewing documents in order to formulate recommendations to improve FBI security policies and procedures. We welcome their recommendations and are committed to implementing them as expeditiously as possible. I maintain regular contact with representatives of the review team to keep them informed of proposed security enhancement initiatives.
The following interim security enhancements have been initiated:
Enhanced Computer Audit Procedures. Some of the FBI's most sensitive information is contained in electronic case files in the Automated Case System. Access is determined both by one's assignment and restrictions placed when the case is opened or data entered.
Director Freeh instructed our personnel to implement regular reviews on our most sensitive cases -reviews that can highlight all individuals who have looked at the case files -- so that the case agents and their supervisors can be responsible for assuring these cases are being accessed by only those with a need to know.
The FBI's Electronic Case File (ECF) Document Access Report (DAR) shows accesses to all documents in a particular case file for a specific period of time. The DAR shows the user who conducted the captured activity, the date and time, and the actions taken (e.g., list serials, view text, print, or download). Case Agents assigned to the most sensitive investigations will review the DARs every 90 days and, with their supervisors, will be responsible for resolving unexplained accesses. As part of the resolution process, the Agent and his supervisor may decide that more frequent monitoring of a specific case is warranted to determine whether accesses were anomalous and accidental or repeated and unauthorized.
This procedure should act as a strong deterrent as well as identify unusual entries into sensitive files. It will not stymie the flow of information necessary for effective counterintelligence. If this monitoring system had been in place, Hanssen would have known that every time he accessed a case or program as a result of "surfing," his entry would have been identified to the case Agent and questioned. And even though Hanssen did not conduct an unusual number of searches against FBI records, the fact that he was conducting these searches at all would have been immediately apparent and raised suspicions.
Expanded Polygraph Program. Currently, the FBI conducts polygraphs of all new employees prior to them beginning their service. In addition, individuals with access to certain sensitive programs or cases are polygraphed and, of course, the polygraph is used during serious internal inquiries to resolve unexplained anomalies and ambiguities.
As an interim measure, we identified for periodic polygraph examination those individuals who, by the nature of their assignment, have broad access to the FBI's most sensitive information. This includes any level of employee in any occupation who has access to our most sensitive information, such as data base administrators. In addition, we are conducting polygraph examinations of those employees leaving for and returning from permanent foreign assignments. These polygraph examinations are essentially complete. A more significant proposal for expanding the polygraph program is currently being reviewed by the AD security task force.
Judge Webster will closely examine the entire polygraph issue to include random polygraphs and inclusion of the polygraph as part of the five-year reinvestigation every employee now undergoes.
As there are elsewhere in the Intelligence Community, there will be unexplainable false positives and, as we saw in the Ames case, false negatives. On balance, however, we believe the potential for damage to be done by traitors outweighs these concerns. Accordingly, Director Freeh implemented this interim step with the full expectation that Judge Webster will examine this issue in its entirety and make further recommendations.
Enhanced Reinvestigation Analysis. In order to practice sound risk management, the FBI will devote additional resources to the reinvestigation process of those employees assigned to positions with sensitive access. Director Freeh mandated that an enhanced analysis capability within the Security Program be established to conduct security adjudications and to resolve any anomalies resulting from the reinvestigations of persons with access to the most sensitive FBI information A separate unit was established within the Security Program for this purpose 'The unit will also serve as the point for CI security integration. It is in the process of being staffed. A cadre of nine contractors (retired FBI Special Agents) is already onboard and preparing their analytical work to support this program.
Other Measures Implemented. In addition to the ongoing efforts discussed above, Director Freeh directed implementation of the following changes to facilitate the continued incorporation of security into the FBI culture so that it is recognized as an integral part of operations:
- The security officer(s) in each Field Office will report directly to the Assistant Director in Charge or Special Agent in Charge to ensure that security issues are afforded the appropriate level of Executive attention.Interagency Support. Professional security officers from the Central Intelligence Agency (CIA) and the National Security Agency (NSA) have been detailed to the Security Program to assist in:
- Each Assistant Director in Charge and Special Agent in Charge will establish a Security Council, modeled ion the FBI Security Council, to provide a forum for addressing security issues affecting their components. These Security Councils will include both support and Special Agent personnel and will provide a broad representation of the respective Field Offices and Headquarters components.
- The Training Division, in conjunction with the Security Program, will provide a greater focus on security, particularly with regard to operational security, during FBI Special Agent and new employee training programs.
- The Security Program conducted a Bureau-wide training conference for Security Officers in June at Quantico to ensure that Security Officers are better prepared to exercise their important responsibilities. The Security Officers were also given the opportunity to meet with representatives of the Webster Commission to discuss the security situation at the FBI.
Security Education and Awareness:
(1) developing the security education and awareness program;
(2) reviewing the handling, storing and processing of Sensitive Compartmented Information (SCI); and,
(3) establishing a professional career development and training proposal for the FBI Security Officer. In addition, FBI field Security Officers are currently TDY to headquarters to assist in this effort.
- In coordination with the Inspection Division, a "Back to Basics" training day is scheduled throughout the FBI to address the critical issues facing the FBI, to include security. A lesson plan has been developed to ensure important security policy and procedures are consistently and clearly understood by all FBI employees.SCI Security:
- Security Education and Awareness training materials are being sent to FBI field offices from other intelligence community members to establish a resource library that will enhance employee awareness of security procedures. Creation of FBI specific security awareness materials are underway.
- The FBI is currently reviewing its SCI handling procedures to ensure compliance with intelligence community standards. This effort is being led by a CIA officer that includes a written survey of all SCI activities in the FBI.Professional Development and Training for the FBI Security Officers:
- Understanding the need for SCI access by senior FBI officials, two Sensitive Compartmented Information Facilities (SCIFs) are being constructed and accredited on the 7th floor of FBI headquarters. In addition, six Secure Working Areas (SWAs) are being established to ensure secure and ready access to SCI materials reviewed by the Director, Deputy Director, and Assistant Directors.
- An updated Security Officer's Manual has been produced that includes a "cookbook" to assist the security officer in implementing security policies and procedures. This practitioners's guide will address the immediate training needs for the FBI field Security Officer.The Future
- A study is underway to evaluate the process for selection, retention, and development of highly skilled candidates for the FBI Security Officer positions. An examination of a career path for professional Security Officer is being conducted.
Using the seven focus areas identified during the pre-Hanssen review of the FBI Security Program, I have overseen the development of a detailed, comprehensive, and integrated set of security enhancement initiatives. Nothing yet discovered subsequent to the arrests of Hanssen or Hill change the need for the security enhancements already identified. The enhancement initiatives have been assigned to 15 prioritized categories. It will take time to transform the FBI Security Program. While the initiatives are prioritized, it will not be effective to cut the proposal into pieces. They are interdependent. Additionally, I anticipate that other security deficiencies will be discovered as our comprehensive review, and those of Judge Webster and the Department of Justice Inspector General, continues.
No security program can absolutely prevent a "trusted insider" from making the decision to compromise this organization and the country. However, it is our goal to provide a significant level of deterrence; potentially influencing those persons who are thinking logically. We also intend to create a system that will result in the ability to more swiftly detect those persons who do choose to compromise sensitive information and to minimize the damage resulting from the compromise. To be successful, we must and are changing the security "culture" at the FBI. It will also take this Committee's support.
Mr. Chairman, I appreciate the opportunity to address the Committee and look forward to our continued collaboration to reach our mutual goal of a secure FBI. Only then can we achieve the success necessary to ensure the continued security of this great nation.