Testimony of Mark Tanner, Information Resources Manager (IRM), FBI
Before the Committee on Governmental Reform, Subcommittee on Government Management, Information, and Technology
United States House of Representatives
September 11, 2000
"Computer Security"
Good morning, Mr. Chairman and Members of the Subcommittee. Thank you for inviting me here to discuss the FBI's efforts in the area of computer security. The FBI shares your conviction that computer security is of vital concern. That concern is manifested in a variety of levels --- first, the concern within the FBI itself as to how the FBI collects and handles sensitive and personal information; the concern as a member of the U.S. intelligence community where there is a growing awareness and desire to achieve a collaborative sharing of intelligence information while at the same time securing highly sensitive and classified sources and techniques; the concern as a member of the law enforcement community often called upon to investigate, identify and apprehend those responsible for hacking into Government systems and critical infrastructures of this nation; and the concern as a Federal law enforcement agency called upon to investigate computer and computer-related crimes as diverse as a pedophile seeking to prey on a youngster, Internet fraud crimes which victimize all elements of our society including persons and businesses, and those who would seek to enrich themselves by illegally manipulating stock prices.
The FBI's internal computer policies and practices present a somewhat unusual picture as far as Federal agencies are concerned. The FBI is, as I have stated, an agency charged with the investigation of many computer-related crimes and it is charged with the conduct of all counterintelligence activities in the United States. In addition, the FBI operates several systems on which state and local law enforcement agencies have come to rely as a necessity. As such, the FBI must operate both classified and unclassified systems, and many of those unclassified systems have strong requirements for the protection of personal data about American citizens as well as a need to maintain instant availability. In addition, the nature of some of the unclassified systems presents special requirements in that the data represent information gathered through a variety of methods each requiring its own specialized method of handling and protecting the information. These methods include the use of Federal Grand Jury subpoenas and are thus subject to the requirements of Rule 6(e) of the Federal Rules of Criminal Procedure, material identifiable as Federal Taxpayer information and thus subject to specialized handling and disclosure requirements, as well as other specialized requirements. Of course the specific requirements of classified information material, obtained as a result of Title 50 (FISA) activities or by other intelligence community agencies, must also be respected.
To accomplish these tasks, the FBI operates 35 general support systems and 12 major applications. Twenty-four of the 35 general support systems are classified. Six of the 12 major applications are classified. Therefore, the FBI operates 30 national security systems. It should be noted that the vast majority of the FBI's classified systems are currently internal systems and thus do not have external connections to non-secure/unclassified systems.
The FBI's information systems security policy is codified in our Manual of Investigative Operations, Part II, Section 35. A copy of this policy has previously been made available to this subcommittee. The policy is a compilation of requirements from a number of sources which are outlined in Section 35-11 of this policy. In general, let me state that because of the variety of types of systems used by the FBI, our practice, where practical, involves using a hierarchical approach to any requirement from these sources based on the respective system's criticality and risk. This is to avoid any possible confusion about whether or not a system should follow this or that set of rules and regulations. To choose any other course of action would be folly.
The FBI's policy is coordinated by the Information Systems Security Unit (ISSU) which is part of our National Security Division (NSD). ISSU works closely with both of the Department of Justice entities which oversee the classified and unclassified computer systems. In addition, ISSU maintains a good working relationship with national entities responsible for computer security policy such as the NSTISSC and NIST and the Security Policy Board to ensure that the latest information is available.
There are many challenges which face the FBI in today's computerized world. One of the biggest challenges involves the rapidly changing environment and the rapidly changing world in which we all live. New technologies are moving to the marketplace at a frenetic pace; old technologies are undergoing metamorphosis. Each of these new products presents particular problems and requires a careful and thoughtful analysis to ensure that the FBI continues to maintain a policy which recognizes the business needs of the computerized world while still practicing meaningful security practices.
The FBI is currently practicing a risk management approach in the certification and accreditation of its computer systems. As I have previously stated, most FBI systems are internal and not connected to non-secure/unclassified systems. This isolation permits some sense of comfort in that systems not connected to the outside are far less vulnerable to compromise and attack. In this manner, our approach has been to identify those systems which pose the largest risk in terms of their data and the sensitivity of that data. Those systems are approached before systems which play a lesser role in either their data or their sensitivity. The FBI is currently engaged in a series of activities which will hopefully lead to the speedy completion of certification and accreditation activities of all systems. Resources have been loaned to the FBI from the Department of Justice and additional assistance is being sought from the U.S. intelligence community under their ICAP program.
Moreover, the ISSU has undertaken a series of steps to ensure that system owners and developers assume some of the initial and continuing responsibilities for a system. ISSU has developed and made available to all other FBI employees templates of system security plans and examples of risk assessments so that the efforts of the other entities will be more productively focused while at the same time lifting the operational and/or consulting efforts. In addition, ISSU has undertaken to develop a robust computer security education program for all users of systems.
Future directions of the FBI's information systems security program include a focusing of the security requirements as an initial and life cycle requirement of all systems by the system owners and developers. By ensuring that security is "built into" all systems and that the continuing costs are specifically identified as a separate line in proposals, the FBI will continue to meet the expectations of the American public and this Congress as to computer security. As the FBI increases its connections to external systems, additional demands will be placed on those responsible for security. These responsibilities include such methodologies as network operating/monitoring centers to include intrusion detection.
In conclusion, let me reiterate that the FBI appreciates the interest of this Subcommittee, indeed the interest of all parts of the Congress, in this area where we share your interests and concerns. Our efforts will continue to ensure that all computer systems, including those of the FBI, meet the expectations of the American public to appropriately protect that information which must be protected, while at the same time sharing that information which may be shared. The FBI respects the trust placed in it by the American public and this Congress and will do its utmost to continue that trust.

Thank you.