[ISN] The FBI's Upgrade That Wasn't

From: InfoSec News (alerts@private)
Date: Sun Aug 20 2006 - 23:45:12 PDT


http://www.washingtonpost.com/wp-dyn/content/article/2006/08/17/AR2006081701485.html

By Dan Eggen and Griff Witte
Washington Post Staff Writers
August 18, 2006; A01

As far as Zalmai Azmi was concerned, the FBI's technological
revolution was only weeks away.

It was late 2003, and a contractor, Science Applications International
Corp. (SAIC), had spent months writing 730,000 lines of computer code
for the Virtual Case File (VCF), a networked system for tracking
criminal cases that was designed to replace the bureau's antiquated
paper files and, finally, shove J. Edgar Hoover's FBI into the 21st
century.

It appeared to work beautifully. Until Azmi, now the FBI's technology
chief, asked about the error rate.

Software problem reports, or SPRs, numbered in the hundreds, Azmi
recalled in an interview. The problems were multiplying as engineers
continued to run tests. Scores of basic functions had yet to be
analyzed.

"A month before delivery, you don't have SPRs," Azmi said. "You're
making things pretty. . . . You're changing colors."

Within a few days, Azmi said, he warned FBI Director Robert S. Mueller
III that the $170 million system was in serious trouble. A year later,
it was dead. The nation's premier law enforcement and counterterrorism
agency, burdened with one of the government's most archaic computer
systems, would have to start from scratch.

The collapse of the attempt to remake the FBI's filing system stemmed
from failures of almost every kind, including poor conception and
muddled execution of the steps needed to make the system work,
according to outside reviews and interviews with people involved in
the project.

But the problems were not the FBI's alone. Because of an open-ended
contract with few safeguards, SAIC reaped more than $100 million as
the project became bigger and more complicated, even though its
software never worked properly. The company continued to meet the
bureau's requests, accepting payments despite clear signs that the
FBI's approach to the project was badly flawed, according to people
who were involved in the project or later reviewed it for the
government.

Lawmakers and experts have faulted the FBI for its part in the failed
project. But less attention has been paid to the role that the
contractor played in contributing to the problems. A previously
unreleased audit -- completed in 2005 and obtained by The Washington
Post -- found that the system delivered by SAIC was so incomplete and
unusable that it left the FBI with little choice but to scuttle the
effort altogether.

David Kay, a former SAIC senior vice president who did not work on the
program but closely watched its development, said the company knew the
FBI's plans were going awry but did not insist on changes because the
bureau continued to pay the bills as the work piled up.

"SAIC was at fault because of the usual contractor reluctance to tell
the customer, 'You're screwed up. You don't know what you're doing.  
This project is going to fail because you're not managing your side of
the equation,' " said Kay, who later became the chief U.S. weapons
inspector in Iraq. "There was no one to tell the government that they
were asking the impossible. And they weren't going to get the
impossible."

Mueller, whose inability to successfully implement VCF marks one of
the low points of his nearly five-year tenure as FBI director, has
accepted some of the blame. "I did not do the things I should have
done to make sure that was a success," he told reporters last month.

SAIC, which declined three requests for comment, told Congress last
year that it tried to warn the FBI that its "trial and error" approach
to the project would not work but said that it perhaps was not
forceful enough with the bureau.

Whoever is at fault, five years after the Sept. 11, 2001, terrorist
attacks and more than $600 million later, agents still rely largely on
the paper reports and file cabinets used since federal agents began
chasing gangsters in the 1920s.


1980s Technology

Even before the Sept. 11 attacks, the FBI had developed a plan,
Trilogy, to address its chronic technology problems. The program was
made up of three main components: a new computer network, thousands of
new personal computer stations and, at its heart, the software system
that would come to be known as VCF.

The FBI wanted its agents to work in a largely paperless environment,
able to search files, pull up photos and scan for information at their
own PCs. The old system was based on fusty mainframe technology, with
a text-only "green screen" that had to be searched by keywords and
could not store or display graphics, photos or scanned copies of
reports.

What's more, most employees had no PCs. They relied instead on shared
computers for access to the Internet and e-mail. A type of memo called
an electronic communication had to be printed out on paper and signed
by a supervisor before it was sent. Uploading a single document took
12 steps.

The setup was so cumbersome that many agents stopped using it,
preferring to rely on paper and secretaries. Technologically, the FBI
was trapped in the 1980s, if not earlier.

"Getting information into or out of the system is a challenge," said
Greg Gandolfo, who spent most of his 18-year FBI career investigating
financial crimes and public corruption cases in Chicago, Little Rock
and Los Angeles. "It's not like 'Here it is, click' and it's in there.  
It takes a whole series of steps and screens to go through."

Gandolfo, who now heads a unit at FBI headquarters that fields
computer complaints, said the biggest drawback is the amount of time
it takes to handle paperwork and input data. "From the case agent's
point of view, you want to be freed up to do the casework, to do the
investigations, to do the intelligence," he said.

At the start, the software project had relatively modest goals -- and
much lower costs. When SAIC beat out four competitors to win the
contract in June 2001, the company said it would be earning $14
million in the first year of a three-year deal to update the FBI's
case-management system.

For SAIC, the contract was relatively minor. The firm, owned by 40,000
employee shareholders, is one of the nation's largest government
contractors. The 2001 attacks were a boon to its fortunes, helping to
boost its annual revenue, now more than $7 billion.

At the FBI, the impact of the attacks was equally significant but
certainly less auspicious. As revelations emerged that the bureau had
missed clues that could have revealed the plot, its image suffered.  
Its long-outdated information technology systems drew particular
scrutiny.

"Prior to 9/11, the FBI did not have an adequate ability to know what
it knew," a report by the staff of the Sept. 11 commission concluded.  
"The FBI's primary information management system, designed using 1980s
technology already obsolete when installed in 1995, limited the
Bureau's ability to share its information internally and externally."

The problems continued to hamper the bureau after the attacks as well:  
To transmit photographs of the 19 Sept. 11 hijackers and other
suspects to field offices, headquarters had to fax copies or send
compact discs by mail, because the system would not allow them to
e-mail a photo securely.

In the months after the terrorist attacks, overhauling the
case-management system became one of the bureau's top priorities.  
Deadlines were moved up, requirements grew, and costs ballooned.

Along the way, the FBI made a fateful choice: It wanted SAIC to build
the new software system from scratch rather than modifying
commercially available, off-the-shelf software. Later, the company
would say the FBI made that decision independently; FBI officials
countered that SAIC pushed them into it.

More than two years after Sept. 11, when a team of researchers from
the National Research Council showed up to review the status of
Trilogy, FBI officials assured them that the bureau had made great
strides. That was true in part: By early 2004, two of the three main
pillars of the program -- thousands of new PCs and an integrated
hardware network -- were well on the way to being delivered and
installed.

But, as the researchers soon learned, the heart of the makeover, VCF,
remained badly off track. In its final report, in May 2004, the NRC
team warned that the program was "currently not on a path to success."

The review team from the NRC, which is affiliated with the National
Academy of Sciences, was made up of more than a dozen scientists and
engineers from top universities and leading technology companies, all
of them independent of the FBI and its contractors.

The report observed that the rollout of the new case-management
software had been poorly planned nearly from the beginning. Months
after the program was supposed to be complete, it remained riddled
with shortcomings:

* Agents would not be able to take copies of their cases into the
  field for reference.

* The program lacked common features, such as bookmarking or
  histories, that would help agents navigate through millions of
  files.

* The system could not properly sort data.

* Most important, the FBI planned to launch the new software all at
  once, with minimal testing beforehand. Doing so, the NRC team
  concluded, could cause "mission-disruptive failures" if the software
  did not work, because the FBI had no backup plan.

"That was a little bit horrifying," said Matt Blaze, a professor of
computer science at the University of Pennsylvania and a member of the
review team. "A bunch of us were planning on committing a crime spree
the day they switched over. If the new system didn't work, it would
have just put the FBI out of business."

The NRC team found plenty of blame to go around, starting with the FBI
itself.

Like many government agencies, the bureau had been drained of much of
its top talent as skilled managers left for the higher salaries and
reduced bureaucracy of the private sector. By 2001, when the VCF
program was born, the FBI had few people in house with the expertise
to develop the kind of sophisticated information technology systems
that it would need. As a result, the agency had been turning
increasingly to private contractors for help, a process that only
hastened the flow of talent out the door at FBI headquarters.

"In essence, the FBI has left the task of defining and identifying its
essential operational processes and its IT concept of operations to
outsiders," the NRC researchers concluded. "The FBI lacks experienced
IT program managers and contract managers, which has made it unable to
deal aggressively or effectively with its contractors."

Daniel Guttman, a fellow at Johns Hopkins University who specializes
in government contracting law, said: "This case just shows the
government doesn't have a clue. Yet the legal fiction is that the
government knows what it's doing and is capable of taking charge. The
contractors are taking advantage of that legal fiction."

In the end, the FBI's failure to police the contractors would lead to
disastrous results.

After the disappointing preview of VCF in late 2003 by Azmi, who was
then an adviser to Mueller tasked with reviewing the system, the FBI
scrambled to rescue the project. The Aerospace Corp., a federally
funded research-and-development firm in El Segundo, Calif., was hired
for $2 million in June 2004 to review the program and come up with a
"corrective action plan."

The conclusion: SAIC had so badly bungled the project that it should
be abandoned.

In a 318-page report, completed in January 2005 and obtained by The
Post under the Freedom of Information Act, Aerospace said the SAIC
software was incomplete, inadequate and so poorly designed that it
would be essentially unusable under real-world conditions. Even in
rudimentary tests, the system did not comply with basic requirements,
the report said. It did not include network-management or archiving
systems -- a failing that would put crucial law enforcement and
national security data at risk, according to the report.

"From the documents that define the system at the highest level, down
through the software design and into the source code itself, Aerospace
discovered evidence of incompleteness, lack of follow-through, failure
to optimize and missing documentation," the report said.

Others joined Aerospace in highlighting SAIC's role in the failure.  
The NRC report complains that the contractor dealt with Trilogy as a
"business as usual" program, without regard to its importance to
national security.

Matthew Patton, a programmer who worked on the contract for SAIC, said
the company seemed to make no attempts to control costs. It kept 200
programmers on staff doing "make work," he said, when a couple of
dozen would have been enough. The company's attitude was that "it's
other people's money, so they'll burn it every which way they want
to," he said.

Patton, a specialist in IT security, became nervous at one point that
the project did not have sufficient safeguards. But he said his bosses
had little interest. "Would the product actually work? Would it help
agents do their jobs? I don't think anyone on the SAIC side cared
about that," said Patton, who was removed from the project after three
months when he posted his concerns online.

Azmi said that "in terms of having a lot of money, we were just coming
out of 9/11, and at that time there was a lot of pressure on the FBI
to develop capabilities for storing information and actually, for lack
of better words, connecting the dots. If SAIC took advantage of that,
I would say shame on them."

Mueller has also criticized SAIC, telling Congress that the software
it produced "was not what it should be in order to make it the
effective tool for the FBI, and it requires us now to go a different
route."

One FBI manager estimated that the scope of the Trilogy project as a
whole expanded by 80 percent since it began, according to a February
2005 report by Justice Department Inspector General Glenn A. Fine.

SAIC has consistently said that it was trying to meet the FBI's needs
but that its efforts were undermined by the bureau's chronic
indecision. Executive Vice President Arnold Punaro submitted testimony
to Congress in February 2005 that cited 19 government personnel
changes in three years that kept the program's direction in flux.

FBI officials, he said, took a "trial and error, 'we will know it when
we see it' approach to development." Punaro said the company warned
bureau officials that such a method would not work, but he
acknowledged that SAIC did not do enough to get the FBI's attention.

"We clearly failed to get the cumulative effect of these changes
across to the FBI consumer," he said.

Punaro also faulted Aerospace, saying that its study was based on an
earlier version of VCF software and that the firm "did not bring a
sufficient understanding of the uniqueness, complexity and scope of
the FBI undertaking to evaluate our product."


Starting Over, Again

By 2004, even as the news grew worse behind the scenes, FBI officials
struggled to put an optimistic spin on their software upgrade.

In March, testifying before a House subcommittee, Mueller said that
the FBI had experienced "a delay with the contractor" but that the
problem had been "righted." He said he expected that "the last piece
of Virtual Case File would be in by this summer."

Two months later, Azmi -- who had been named the bureau's chief
information officer -- pushed back the estimate further, predicting
that SAIC would deliver the product in December.

But the problems continued to mount. The FBI and SAIC feuded over
change orders, system requirements and other issues, according to an
investigative report later prepared for the House Appropriations
Committee. The FBI also went ahead with a $17 million testing program
for the system, one of many missed opportunities to cut its losses,
according to the House report.

Azmi defends the attempt to save VCF and calls the decision to abandon
it in early 2005 "probably the toughest" of his career.

The decision to kill VCF meant that the FBI's 30,000-plus employees,
including more than 12,000 special agents, had to continue to rely on
an "obsolete" information system that put them at "a severe
disadvantage in performing their duties," according to the report by
Fine, of the Justice Department.

"The urgent need within the FBI to create, organize, share and analyze
investigative leads and case files on an ongoing basis remains unmet,"  
Fine's office concluded.

Maureen Baginski, the FBI's former executive assistant director of
intelligence, said the lack of a modern case-management system could
hurt the bureau when time is of the essence. Agents and analysts need
the new system, she said, to quickly make connections across cases --
especially when they are tackling complex challenges such as
unraveling a terrorist plot.

Last year, FBI officials announced a replacement for VCF, named
Sentinel, that is projected to cost $425 million and will not be fully
operational until 2009. A temporary overlay version of the software,
however, is planned for launch next year.

The project's main contractor, Lockheed Martin Corp., will be paid
$305 million and will be required to meet benchmarks as the project
proceeds. FBI officials say Sentinel has survived three review
sessions and is on budget and on schedule.

SAIC is not involved. FBI officials say they are awaiting an audit by
a federal contracting agency before deciding whether to attempt to
recoup costs from the company.

In a follow-up to its reviews, Fine's office warned in March that the
FBI is at risk of repeating its mistakes with Sentinel because of
management turnover and weak financial controls. But Azmi and other
FBI officials say Sentinel is designed to be everything VCF was not,
with specific requirements, regular milestones and aggressive
oversight.

Randolph Hite, who is reviewing the program for the Government
Accountability Office, said: "When you do a program like this, you
need to apply a level of rigor and discipline that's very high. That
wasn't inherent in VCF. My sense is that it is inherent in Sentinel."

But no one really knows how much longer the bureau can afford to wait.

"We had information that could have stopped 9/11," said Sen. Patrick
J. Leahy (Vt.), the ranking Democrat on the Senate Judiciary
Committee. "It was sitting there and was not acted upon. . . . I
haven't seen them correct the problems. . . . We might be in the 22nd
century before we get the 21st-century technology."

2006 The Washington Post Company


_________________________________
HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/



This archive was generated by hypermail 2.1.3 : Sun Aug 20 2006 - 23:51:22 PDT