Today the U.S. Department of Justice (DOJ) released the “The Federal Bureau of Investigation’s Control Over Weapons and Laptop Computers Follow-Up Audit” report.
As you can tell by my post title, this should be a very embarrassing report for the FBI.
An alarmingly large number of laptops containing sensitive information seem to be routinely lost or misplaced. Some key excerpts from the report:
“The OIG’s 2002 report on the FBI disclosed significant losses of weapons and laptop computers and examined the adequacy of the FBI’s response to these losses. The report concluded that the FBI’s procedures to prevent the loss of such equipment were not adequate. Specifically, we found that the FBI:
• identified 212 functional weapons, 142 inoperable training weapons, and 317 laptop computers as lost, missing, or stolen for our 28-month review period.
• did not always report the missing items to the DOJ or enter lost and stolen weapons and laptop computers into the National Crime Information Center (NCIC) database.2
• did not have policies in place that required reporting lost or stolen laptop computers to its Office of Professional Responsibility (OPR), nor was the FBI investigating the loss of this equipment in a timely manner.
• had not established deadlines for reporting losses, was not conducting physical inventories as required, and was not reconciling its property records to its financial records.
• did not ensure that exit procedures were regularly followed for separating employees to ensure that they returned all issued property, including FBI-issued weapons.
• could not provide documentation to establish whether excessed laptop computers were properly disposed of as required.
To help address these deficiencies, we made 10 recommendations, including that the FBI establish firm deadlines for reporting lost or stolen weapons and laptop computers. The FBI agreed with each of our recommendations and outlined a plan for taking corrective action.”
Note these were audit findings from 2002…5 years ago.
Let’s see how things look now…
“Our audit found that the FBI has not taken sufficient corrective action on several recommendations outlined in our 2002 audit report to address the issue of missing and stolen equipment. Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information. Such information may include case information, personal identifying information, or classified information on FBI operations.
Prior to our follow-up audit the FBI did not maintain records indicating which of its laptop computers actually contained sensitive or classified information. Moreover, during this follow-up review, the FBI could not identify for us the contents of many of the lost and stolen laptops, including whether they contained sensitive or classified information.”
Maintaining an inventory of not only computers, but also of where personally identifiable information (PII) is stored, including on mobile computers, should be a basic part of an effective information security and privacy program, and most certainly part of an agency such as the FBI’s program.
“The FBI revised its policy to require that employees report lost or stolen weapons and laptop computers to their division office within 5 days after discovery of the loss.”
Why isn’t immediate reporting of lost or stolen weapons and computers required? Why can a loss wait 5 days before it is reported to management?
“Division offices, in turn, are required to submit a Form FD-500 to the FBI’s Finance Division and the Asset Management Unit within 10 days of the loss.”
And 10 more days can pass before the loss is reported to the central agency? Why? This sounds like the practices I saw within organizations around 10 years ago, when lost laptops were viewed only as a physical security and insurance issue…the data stored on them was never given a second thought. Why are the FBI’s procedures like those from a previous decade?
“Of the 160 missing laptop computers, the FBI was able to provide Forms FD-500 for 152 laptops. Eight laptops were missing the required form. Of the 152 that were reported using a Form FD-500, we found:
• 24 laptop losses were reported using an outdated Form FD-500. The old form did not capture critical information such as the date of loss, NCIC entry, and whether OPR was notified.
• 107 laptop losses were reported on the new Form FD-500. However, 82 of the 107 new Forms FD-500 were incomplete because the individual preparing the form did not enter critical information such as the date of loss, NCIC entry, and whether OPR was notified.
• 38 laptop losses were reported late—more than the required 10 days—thus possibly delaying timely investigation into the circumstances of the loss.”
It appears there is little to no training or other type of awareness for proper procedures within the division offices. Or, perhaps there are no documented procedures?
“Our review of the 152 Forms FD-500 for lost and stolen laptops revealed that 101 were identified as not containing sensitive or classified information, 43 were not marked as either containing or not containing sensitive or classified information, and 8 were marked as containing sensitive or classified information.”
Hmm…I wonder what the definition of “sensitive or classified information” is within the FBI? Is personally identifiable information (PII) somewhere outside that definition? Isn’t it hard to believe 101 laptops would have no PII? The report then added 2 more to the total that contained sensitive or classified information based upon some follow-up review.
The report included a table showing the date of loss, type of loss, nature of loss, office reporting the loss, whether or not the data was encrypted, and the contents. Three of the laptops reportedly had their data encrypted; the remaining 7 were “unknown,” which most probably means they were not encrypted; most people using the laptops, or at least the tech folks supporting them, should know whether the laptops used encryption. It was not known what was on 6 of the laptops. The laptop users didn’t even know? Of the 10 with PII, 6 were stolen and 4 were lost.
“According to the OPR and Inspection Division records, the FBI investigated 6 of the 10 laptop losses that were known to contain sensitive or classified information. Of the six laptop losses that were investigated, one resulted in a 3-day suspension, two investigations were pending as of February 2006, and three resulted in no action taken against the employee. The FBI did not investigate the remaining four losses, including the loss of laptop computers that contained personal identifying information of FBI personnel and software for creating identification badges.”
Isn’t the FBI supposed to be one of the nation’s leading investigatory government agencies? But they did not investigate 4 laptops they knew contained sensitive or classified information? Isn’t the FBI involved in investigating many of the reported laptop privacy breaches we read so much about in the news? Are they really doing anything in these investigations if they are not even doing their own investigations?
“As noted above, the Forms FD-500 for 43 of the 51 laptop computers did not indicate, as required, whether the laptops contained sensitive or classified information. The employees who completed the forms did not check the box to indicate whether sensitive or classified information was on the laptop, nor did the Accountable Property Officer or the Asset Management Unit complete that section of the form when it was submitted. Moreover, the forms that were completed did not contain an adequate description of the information contained on the laptops.”
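The findings quoted above (forms missing the date of loss, NCIC entry and OPR notification; reports filed after the 10-day deadline; the sensitive-information box left blank; encryption status “unknown”) are exactly the completeness rules an asset-loss register should enforce automatically, which is the inventory control argued for earlier in this post. The following Python is an added example written for this post; it is not code from the report, the FBI, or the DOJ OIG. The record layout, field names and the four sample records are constructed for illustration; the only value taken from the page is the 10-day reporting deadline quoted from the audit.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Deadline quoted in the audit excerpt above: division offices must submit
# the FD-500 within 10 days of the loss.
REPORT_DEADLINE_DAYS = 10

# Fields the audit said outdated or incomplete forms failed to capture.
# (Attribute names are this example's own, not the form's field labels.)
REQUIRED_FLAGS = ("ncic_entry", "opr_notified", "contains_sensitive")


@dataclass
class LossRecord:
    """One lost/stolen-laptop record. None means the field was left blank."""
    asset_tag: str
    date_lost: Optional[date]
    date_reported: Optional[date]
    ncic_entry: Optional[bool] = None
    opr_notified: Optional[bool] = None
    contains_sensitive: Optional[bool] = None   # None = box not checked
    encrypted: Optional[bool] = None            # None = "unknown"
    description: str = ""


def audit_record(rec: LossRecord) -> list[str]:
    """Return the completeness and timeliness findings for one record."""
    findings: list[str] = []
    if rec.date_lost is None:
        findings.append("date of loss missing")
    for name in REQUIRED_FLAGS:
        if getattr(rec, name) is None:
            findings.append(f"{name} not recorded")
    if rec.encrypted is None:
        findings.append("encryption status unknown")
    if rec.date_lost is not None and rec.date_reported is not None:
        delay = (rec.date_reported - rec.date_lost).days
        if delay > REPORT_DEADLINE_DAYS:
            findings.append(f"reported late ({delay} days after loss)")
    # A laptop flagged as holding sensitive data but with no description of
    # that data, or without confirmed encryption, is the case the audit could
    # not resolve after the fact.
    if rec.contains_sensitive and not rec.description.strip():
        findings.append("sensitive contents not described")
    if rec.contains_sensitive and rec.encrypted is not True:
        findings.append("sensitive data not confirmed encrypted")
    return findings


def summarize(records: list[LossRecord]) -> dict[str, int]:
    """Roll the per-record findings up into counts like those the audit reported."""
    summary = {"total": len(records), "incomplete": 0, "late": 0,
               "sensitive_unmarked": 0, "sensitive": 0, "unencrypted_or_unknown": 0}
    for rec in records:
        findings = audit_record(rec)
        if any(f.endswith("not recorded") or f.startswith("date of loss") for f in findings):
            summary["incomplete"] += 1
        if any(f.startswith("reported late") for f in findings):
            summary["late"] += 1
        if rec.contains_sensitive is None:
            summary["sensitive_unmarked"] += 1
        elif rec.contains_sensitive:
            summary["sensitive"] += 1
            if rec.encrypted is not True:
                summary["unencrypted_or_unknown"] += 1
    return summary


# Constructed sample records for this example; none of these are from the report.
SAMPLE_RECORDS = [
    LossRecord("LT-0001", date(2006, 1, 3), date(2006, 1, 6), True, True, False, True, "field notes only"),
    LossRecord("LT-0002", date(2006, 2, 1), date(2006, 2, 20), None, None, None, None, ""),
    LossRecord("LT-0003", None, date(2006, 3, 2), True, False, True, None, "personnel PII, badge software"),
    LossRecord("LT-0004", date(2006, 4, 10), date(2006, 4, 12), True, True, True, True, "case file extracts"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.asset_tag, audit_record(rec) or ["complete"])
    print(summarize(SAMPLE_RECORDS))
```

Running the block prints one line of findings per sample record and the rolled-up counts. The design point is that every field the audit found blank is modelled as `None` rather than as a default of `False`, so a form that was never filled in cannot be mistaken for a form that recorded “no”; that distinction is exactly what the 43 unmarked forms lost.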
The report is 121 pages long, but the above should give you a good idea of the type of information within. The bulk of the report is the audit details for each of the lost or stolen weapons and laptops.
As I read through the report I went from concern to worry about how FBI investigations are conducted. Doesn’t this worry you? If the agency with access to some of the largest databases of PII in existence cannot even fill out laptop loss forms correctly, doesn’t that lack of accountability raise questions about whether that information is used appropriately? Are they using the PII databases only in appropriate ways and for valid investigations?
I support the U.S. government and the goals for the government agencies, including the FBI. I support the efforts and goals of Infragard. But these documented long-term problems with just this one issue of inadequate laptop security and accountability could be just the tip of the iceberg for many other potentially greater security problems with the entire information security program. The privacy of millions of people could be at risk considering their stockpile of PII, and great negative impacts could result. I hope not, but I would certainly like to see a privacy impact assessment performed on the FBI data handling practices. If their other security practices are adequate, it should be something they would be willing to do.
Tags: awareness and training, FBI, government, identity theft, Information Security, IT compliance, laptop theft, lost laptop, policies and procedures, privacy, privacy breach