Testimony of Kenneth H. Senser, Acting Deputy Assistant
Director, Security Programs and Countermeasures, FBI
Before the Senate
Judiciary Committee
July 18, 2001
"Review of the FBI Security
Program and its Transformation"
Good morning, Chairman Leahy,
Senator Hatch and other members of the Committee. I am pleased
to appear this morning to discuss the very important matter
of the review of the FBI Security Program and its transformation
to a world-class operation capable of addressing the formidable
threats facing the Bureau, a process that began in late Fall
1999 and accelerated after the arrest of Robert Hanssen. The
recent arrests of Hanssen and James Hill should leave no doubt
that there are committed adversaries with the intent and capability
to harm the interests of the FBI and the United States. As
the premier domestic agency conducting criminal, counterintelligence,
and counterterrorism investigations, the FBI is an attractive
target for a wide variety of opponents who continuously strive
to impede investigative operations, obtain sensitive information,
and initiate and implement reprisal actions against Bureau
personnel or facilities. For this very reason, the details
I provide in this public briefing will be very general to
prevent outlining a roadmap for those persons intent on harming
our country's interests. Suffice it to say, that we have conducted
a detailed analysis and, as I will outline, identified and
began addressing 15 categories of security areas that need
to be bolstered, redesigned or, in some cases, established
for the first time. I am available to present, in a closed
session, a more substantive description of both those areas
of the FBI Security Program that require intense focus and
the detailed enhancement plan we have formulated to improve
the Bureau's security posture. Your staffs have received an
in-depth briefing of the problem areas identified and the
actions being taken.
Background
In late March 2001, Director
Freeh took a number of internal security enhancement actions
to include the appointment of a task force of Assistant Directors
(ADs) to ensure the complete identification and effective
implementation of a number of interim security enhancements
begun shortly after Hanssen's arrest. Director Freeh also
charged this task force, chaired by Bob Dies, AD Information
Resources Division, with identifying and implementing any
other interim changes that may be appropriate to enhance the
FBI's Security Program and are sufficiently urgent so as to
not await the outcome of either Judge Webster's review or
that of the Department of Justice Inspector General.
In mid-April 2001, the security
task force concluded that the FBI as a foundation for a robust
internal security program must have a single executive manager
responsible and accountable for the entire security "enterprise".
The existing security program function was fragmented throughout
a number of different divisions and there was nobody overseeing
the various security "puzzle pieces". The initial
recommendation of the task force to Deputy Director Tom Pickard
was that the existing security program be separated from the
National Security Division as a stand-alone entity, reporting
to the Deputy Director, and that an executive manager be identified
to specifically direct and be accountable for the security
program. The task force also recommended that a formal process
be established to consistently establish, implement, technically
support, enforce, and educate personnel regarding security
policy. Deputy Director Pickard and Director Freeh immediately
adopted these recommendations.
I was then selected to lead
the total transformation of the FBI's Security Program, as
well as, oversee its day-to-day operations. I am a Senior
Intelligence Service officer detailed to the FBI from the
Central Intelligence Agency (CIA). My 18-year career with
the CIA has been exclusively within the security field and
I have served assignments in the disciplines of personnel,
technical, physical, and protective security. The original
purpose of my detail assignment, initiated in October 1999,
was to serve as a deputy and advisor to the FBI Security Programs
Manager. The 15 months between the start of my detail assignment
and the arrest of Hanssen gave me the unique opportunity to
view the FBI's security apparatus using the lens of an "outsider".
As I will mention later, other outside experts have been detailed
to the FBI to assist in this critical endeavor.
My responsibilities include
identifying the necessary security processes ("puzzle
pieces") and ensuring that each one has an "owner".
The process owners will develop the security policy statements
and other supporting documentation which will require the
approval of at least two FBI executives, one of which will
always be mine, before final review and approval by the Deputy
Director or Director.
Basic Security
An effective security program
utilizes the principles of risk management. It is impractical
and cost prohibitive to attempt to remove all risk from operations.
Risk management is the process of selecting and implementing
countermeasures to achieve an acceptable level of risk at
a reasonable cost. Applying risk management within the security
discipline involves:
- The collection and evaluation
of accurate and detailed information pertaining to:
- The nature and value
of assets being protected.
- The degree of a specific
type of threat.
- The extent of the related
vulnerabilities.
- The identification and evaluation
of risks.
- A cost-benefit analysis of
countermeasures to mitigate specific selected risks.
When countermeasures are applied
to mitigate the risk, they are done so in a layered manner.
These layers, or "rings of security", are constructed
from the outermost perimeter to the asset itself. Countermeasures
must be integrated and considered in a systems approach. To
do otherwise potentially allows the adversary to identify
the vulnerabilities that were not properly addressed, thereby
negating the positive effect of the countermeasures that were
applied.
Pre-Hanssen Security Review
In early 2000, the Security
Program initiated a self-assessment of its Program. There
was a recognition that the Program was fragmented and dispersed
across several different divisions. It lacked an integrated
vision and security initiatives were often poorly coordinated,
inefficient, and not as effective as possible. Additionally,
seven areas within the Program requiring greater focus were
identified. The Security Program established a Program Plan
designed to address these deficiencies. Various management
and operational processes were initiated or modified to improve
the delivery of security services.
As a result of this review,
Deputy Director Pickard established the FBI Security Council
in May 2000 to facilitate the development and maintenance
of a unified, strategic security vision. The purpose of the
Council was to address Bureau-wide operational and policy
issues that impact the FBI Security Program. The Council discussed
a number of issues, to include; the status of FBI efforts
to certify and accredit its information systems; strategies
to improve information assurance; and options for consolidating
responsibilities in various areas, such as, communications
security and background investigations.
Post Arrest Actions
In the wake of the arrest of
Robert Hanssen on espionage charges, Director Freeh asked
Judge William H. Webster to conduct a thorough review of the
FBI's internal security functions and procedures and to recommend
improvements. As a former FBI Director, CIA Director, and
Director of Central Intelligence, Judge Webster is, of course,
uniquely qualified to undertake this review. Judge Webster
has assembled an impressive team of highly credentialed individuals
to assist him in conducting this review. Those members are:
Clifford L. Alexander, Jr., Griffin B. Bell, William S. Cohen,
Robert B. Fiske, Jr., Thomas S. Foley, and Carla A. Hills.
The FBI is committed to providing Judge Webster and his team
complete and timely access to FBI records, personnel, and
resources to complete this task. Judge Webster has also established
a team of investigative attorneys to assist in this review.
Those attorneys are currently conducting interviews and reviewing
documents in order to formulate recommendations to improve
FBI security policies and procedures. We welcome their recommendations
and are committed to implementing them as expeditiously as
possible. I maintain regular contact with representatives
of the review team to keep them informed of proposed security
enhancement initiatives.
The following interim security
enhancements have been initiated:
Enhanced Computer Audit Procedures. Some of the FBI's most sensitive information is
contained in electronic case files in the Automated Case System.
Access is determined both by one's assignment and restrictions
placed when the case is opened or data entered.
Director Freeh instructed our
personnel to implement regular reviews on our most sensitive
cases -- reviews that can highlight all individuals who have
looked at the case files -- so that the case agents and their
supervisors can be responsible for assuring these cases are
being accessed by only those with a need to know.
The FBI's Electronic Case File
(ECF) Document Access Report (DAR) shows accesses to all documents
in a particular case file for a specific period of time. The
DAR shows the user who conducted the captured activity, the
date and time, and the actions taken (e.g., list serials,
view text, print, or download).
Case Agents assigned to the
most sensitive investigations will review the DARs every 90
days and, with their supervisors, will be responsible for
resolving unexplained accesses. As part of the resolution
process, the Agent and his supervisor may decide that more
frequent monitoring of a specific case is warranted to determine
whether accesses were anomalous and accidental or repeated
and unauthorized.
This procedure should act as
a strong deterrent as well as identify unusual entries into
sensitive files. It will not stymie the flow of information
necessary for effective counterintelligence. If this monitoring
system had been in place, Hanssen would have known that every
time he accessed a case or program as a result of "surfing,"
his entry would have been identified to the case Agent and
questioned. And even though Hanssen did not conduct an unusual
number of searches against FBI records, the fact that he was
conducting these searches at all would have been immediately
apparent and raised suspicions.
Expanded Polygraph Program. Currently, the FBI conducts polygraphs of all
new employees prior to them beginning their service. In addition,
individuals with access to certain sensitive programs or cases
are polygraphed and, of course, the polygraph is used during
serious internal inquiries to resolve unexplained anomalies
and ambiguities.
As an interim measure, we identified
for periodic polygraph examination those individuals who,
by the nature of their assignment, have broad access to the
FBI's most sensitive information. This includes any level
of employee in any occupation who has access to our most sensitive
information, such as data base administrators. In addition,
we are conducting polygraph examinations of those employees
leaving for and returning from permanent foreign assignments.
These polygraph examinations are essentially complete. A more
significant proposal for expanding the polygraph program is
currently being reviewed by the AD security task force.
Judge Webster will closely examine
the entire polygraph issue to include random polygraphs and
inclusion of the polygraph as part of the five-year reinvestigation
every employee now undergoes.
As there are elsewhere in the
Intelligence Community, there will be unexplainable false
positives and, as we saw in the Ames case, false negatives.
On balance, however, we believe the potential for damage to
be done by traitors outweighs these concerns. Accordingly,
Director Freeh implemented this interim step with the full
expectation that Judge Webster will examine this issue in
its entirety and make further recommendations.
Enhanced Reinvestigation
Analysis. In order to practice sound risk management, the
FBI will devote additional resources to the reinvestigation
process of those employees assigned to positions with sensitive
access. Director Freeh mandated that an enhanced analysis
capability within the Security Program be established to conduct
security adjudications and to resolve any anomalies resulting
from the reinvestigations of persons with access to the most
sensitive FBI information. A separate unit was established
within the Security Program for this purpose. The unit will
also serve as the point for CI-security integration. It is
in the process of being staffed. A cadre of nine contractors
(retired FBI Special Agents) is already onboard and preparing
their analytical work to support this program.
Other Measures Implemented. In addition to the ongoing efforts discussed above,
Director Freeh directed implementation of the following changes
to facilitate the continued incorporation of security into
the FBI culture so that it is recognized as an integral part
of operations:
- The security officer(s) in
each Field Office will report directly to the Assistant
Director in Charge or Special Agent in Charge to ensure
that security issues are afforded the appropriate level
of Executive attention.
- Each Assistant Director in
Charge and Special Agent in Charge will establish a Security
Council, modeled on the FBI Security Council, to provide
a forum for addressing security issues affecting their components.
These Security Councils will include both support and Special
Agent personnel and will provide a broad representation
of the respective Field Offices and Headquarters components.
- The Training Division, in
conjunction with the Security Program, will provide a greater
focus on security, particularly with regard to operational
security, during FBI Special Agent and new employee training
programs.
- The Security Program conducted
a Bureau-wide training conference for Security Officers
in June at Quantico to ensure that Security Officers are
better prepared to exercise their important responsibilities.
The Security Officers were also given the opportunity to
meet with representatives of the Webster Commission to discuss
the security situation at the FBI.
Interagency Support. Professional security officers from the Central
Intelligence Agency (CIA) and the National Security Agency
(NSA) have been detailed to the Security Program to assist
in:
- developing the security education
and awareness program;
- reviewing the handling, storing
and processing of Sensitive Compartmented Information (SCI);
and,
- establishing a professional
career development and training proposal for the FBI Security
Officer. In addition, FBI field Security Officers are currently
TDY to headquarters to assist in this effort.
Security Education and Awareness:
- In coordination with the
Inspection Division, a "Back to Basics" training
day is scheduled throughout the FBI to address the critical
issues facing the FBI, to include security. A lesson plan
has been developed to ensure important security policy and
procedures are consistently and clearly understood by all
FBI employees.
- Security Education and Awareness
training materials are being sent to FBI field offices from
other intelligence community members to establish a resource
library that will enhance employee awareness of security
procedures. Creation of FBI specific security awareness
materials are underway.
SCI Security:
- The FBI is currently reviewing
its SCI handling procedures to ensure compliance with intelligence
community standards. This effort is being led by a CIA officer
that includes a written survey of all SCI activities in
the FBI.
- Understanding the need for
SCI access by senior FBI officials, two Sensitive Compartmented
Information Facilities (SCIFs) are being constructed and
accredited on the 7th floor of FBI headquarters. In addition,
six Secure Working Areas (SWAs) are being established to
ensure secure and ready access to SCI materials reviewed
by the Director, Deputy Director, and Assistant Directors.
Professional Development
and Training for the FBI Security Officers:
- An updated Security Officer's
Manual has been produced that includes a "cookbook"
to assist the security officer in implementing security
policies and procedures. This practitioners's guide will
address the immediate training needs for the FBI field Security
Officer.
- A study is underway to evaluate
the process for selection, retention, and development of
highly skilled candidates for the FBI Security Officer positions.
An examination of a career path for professional Security
Officer is being conducted.
The Future
Using the seven focus areas
identified during the pre-Hanssen review of the FBI Security
Program, I have overseen the development of a detailed, comprehensive,
and integrated set of security enhancement initiatives. Nothing
yet discovered subsequent to the arrests of Hanssen or Hill
change the need for the security enhancements already identified.
The enhancement initiatives have been assigned to 15 prioritized
categories. It will take time to transform the FBI Security
Program. While the initiatives are prioritized, it will not
be effective to cut the proposal into pieces. They are interdependent.
Additionally, I anticipate that other security deficiencies
will be discovered as our comprehensive review, and those
of Judge Webster and the Department of Justice Inspector General,
continues.
Summary
No security program can absolutely
prevent a "trusted insider" from making the decision
to compromise this organization and the country. However,
it is our goal to provide a significant level of deterrence;
potentially influencing those persons who are thinking logically.
We also intend to create a system that will result in the
ability to more swiftly detect those persons who do choose
to compromise sensitive information and to minimize the damage
resulting from the compromise. To be successful, we must and
are changing the security "culture" at the FBI.
It will also take this Committee's support.
Mr. Chairman, I appreciate the
opportunity to address the Committee and look forward to our
continued collaboration to reach our mutual goal of a secure
FBI. Only then can we achieve the success necessary to ensure
the continued security of this great nation.
|