[ISN] Why FBI Computer Force Ain't Fat

From: InfoSec News (isnat_private)
Date: Tue Sep 03 2002 - 23:54:11 PDT


    http://www.wired.com/news/politics/0,1283,54850,00.html
    
    By Michelle Delio 
    2:00 a.m. Sep. 3, 2002 PDT 
    
    The carefully coiffed men wearing suspiciously shiny shoes are at 
    every major computer security convention. 
    
    They are there to remind hackers that law enforcement is always 
    interested in their activities. They are also there to encourage 
    security experts to become special agents. 
    
    But after responding to the agency's appeals for computer security 
    experts, aspiring G-men hackers sadly say that their names will never 
    appear on the FBI's Most Wanted Job Applicants list. 
    
    Although their technical abilities should allow them to qualify easily 
    as agents, their ethics, age and/or physical fitness levels excluded 
    them. 
    
    Mike Sweeny, fueled by renewed patriotism after Sept. 11, wanted to 
    offer his 20-plus years of experience in computer security to the FBI. 
    But he was disheartened by job requirements that called for him to have 
    a college degree, be under 37 years old, morally irreproachable ... 
    and physically fit. 
    
    "They will not consider you unless you can carry your M16 through the 
    physical fitness course without killing yourself in the process," 
    Sweeny, maintainer of the PacketAttack website, said. "Most of the 
    geeks I know view exercise as carrying the 80-ounce cola, pager and 
    cell phone all at the same time." 
    
    The FBI does have non-agent positions for people who are highly 
    skilled in areas such as computer forensics (collecting evidence from 
    computers). Those who don't qualify for agent positions can still 
    serve as civilian employees, according to an FBI spokeswoman. 
    
    But "in the FBI, if you're not an agent, you're on the bottom of the 
    food chain," Richard Forno, an independent security consultant, said. 
    
    The FBI admittedly needs help with its technical systems. The agency 
    recently requested $76 million just to get its databases in order -- 
    to convert some of the roughly 1 billion documents sitting in file 
    cabinets into an electronic and easily searchable system. 
    
    The agency has also requested an additional $730 million, over the 
    $400 million originally budgeted, to implement "Project Trilogy" -- a 
    general technology update intended to bring the FBI computer systems 
    into the 21st century. 
    
    The project was dubbed Trilogy because it's the third attempt to 
    upgrade the FBI's technology into a system that would be truly useful. 
    
    Computer security experts stress the FBI also needs to upgrade its 
    hiring requirements if the agency really wants to attract experts. 
    Besides the physical specimen specifications, many who are skilled 
    enough to be able to protect a network from sophisticated attacks 
    would probably not be ethically acceptable to the FBI. 
    
    "In order to be a good computer security person, you must think like a 
    black-hat hacker and be able to understand the tools and methods of 
    the dark side," Sweeny said. "Right there, you are in a very gray 
    area, in the feds' opinion." 
    
    Job requirements for an agent also require an applicant to have a 
    felony-free, just-say-no history. 
    
    "One question on the application asked if you'd smoked pot more than 
    15 times," Sweeny recalled. "Fifteen times? What's up with that? 
    Fifteen is the magic number?" 
    
    "If the feds want the hackers bad enough, then yes, they should peel 
    away the red tape which now prevents them from working directly for 
    the government," security consultant Rob Rosenberger said. "But hiring 
    practices suck in the fed's computer security arena, just like they 
    suck in every other fed arena." 
    
    Rosenberger added that even if a person were an acceptable job 
    applicant, it would not guarantee that the person would work with 
    computers. 
    
    "You won't get a position in computer security until you've worked at 
    least five years on the beat, preferably in physical investigations," 
    Rosenberger said. "They'll grudgingly let you past if you just do 
    forensics, but they feel you really should chase bad guys with a gun 
    before you chase bad guys with a computer." 
    
    
    
    