http://www.informationweek.com/news/showArticle.jhtml;?articleID=197005446

By Sharon Gaudin
InformationWeek
Feb 12, 2007

Three to four laptops are lost or stolen from the FBI every month, according to a report issued this month from the Justice Department's Inspector General.

While 116 FBI laptops were reported lost and 44 were reported stolen in the last 44 months, the agency is doing better than it was five years ago, the DOJ's audit said of one of the nation's top investigative agencies. Another audit, conducted in 2002, showed that in a 28-month period 300 FBI laptops had been lost and 17 had been stolen.

At least seven of the computers were issued to FBI divisions that handle some of the most sensitive information related to national security. Six were assigned to the Counter-Intelligence Division and one was assigned to the Counterterrorism Division. Yet, the FBI did not know what these computers contained, including whether or not they held sensitive or classified information.

"This is a significant deficiency," the report states. "Some of these laptops may have contained classified or sensitive information, such as personally identifiable information or investigative case files. Without knowing the contents of these lost and stolen laptop computers, it is impossible for the FBI to know the extent of the damage these losses might have had on its operations or on national security."

The missing laptops include one that was reported stolen from a Boston field office that contained software for creating identification badges. Reports say it was encrypted. Another laptop was reported stolen from the FBI's own security division. While it, too, was encrypted, it contained a system security plan for an electronic access control system. However, it's not known if a laptop stolen from the FBI Academy at the U.S. Marine Corps Base Quantico in Virginia was encrypted. That machine contained the names, addresses, and telephone numbers for FBI personnel.

Ken van Wyk, principal consultant with KRvW Associates and formerly with the Defense Information Systems Agency, says it's important to separate the lost computers from the information on them.

"It's disconcerting, but as someone who travels with electronic gear all the time, I can tell you we're targeted," he adds. "But a lot of agencies, and I've got to believe that includes the FBI, are using whole-disk encryption. The chances of a thief being able to break it are very slim. The risk, at that point, is extremely low."

Van Wyk adds that while the FBI obviously should tighten up its security, he thinks the agency's computer loss rate would match up to that of most large companies. "It's inevitable," he says.

According to the audit report, the FBI investigated six of the 10 laptop losses that were known to contain sensitive or classified information. Of those six, one resulted in a three-day suspension, two investigations were pending when the report was filed, and three resulted in no action taken against the employee. The FBI did not investigate the remaining four losses, including the loss of the laptop computers that contained personal identifying information of FBI personnel and software for creating identification badges.

FBI Assistant Director John Miller said in a written statement that it is notable that the agency reduced the rate of lost computers.

"The OIG [Office of Inspector General] determined that when compared with figures from 2002, there has been a 349% reduction in the average number of weapons lost or stolen in a given month and a 312% reduction in the loss or theft of laptop computers," said Miller, noting that he disagrees with some of the audit's findings. "Nonetheless, we acknowledge more needs to be done to ensure the proper handling of the loss and theft of weapons and laptops, and the information maintained on them.
"While the Inspector General acknowledged that the loss of certain resources is inevitable in an organization the size of the FBI, we nevertheless stand committed to increasing institutional and personal accountability to further increase the progress we have made in minimizing the loss of firearms and information technology components," added Miller. The Inspector General's report also audited the number of weapons that have been lost or stolen from the FBI. In the first audit, 354 weapons had been lost or stolen, and in this second audit, the number dropped to 160. Forty-eight functional weapons were lost, 94 functional weapons were stolen, and 18 training weapons were lost. In 2001, the U.S. Attorney General requested that the Office of the Inspector General conduct audits over the control of weapons and laptops within the FBI, the U.S. Drug Enforcement Administration, the Federal Bureau of Prisons, and the U.S. Marshals Service. The report on the FBI disclosed "significant losses" of weapons and computers so a follow-up audit was requested. The FBI had the greatest number of losses, as well as the most significant deficiencies in controls, of all the DOJ components reviewed in the 2002 audits, according to the report. This article was modified on February 12 to include a comment from a consultancy group. ______________________________________ Subscribe to the InfoSec News RSS Feed http://www.infosecnews.org/isn.rss