[ISN] Report: FBI Loses 3 To 4 Laptops Every Month

From: InfoSec News (alerts@private)
Date: Mon Feb 12 2007 - 23:20:45 PST


http://www.informationweek.com/news/showArticle.jhtml;?articleID=197005446

By Sharon Gaudin
InformationWeek
Feb 12, 2007 

Three to four laptops are lost or stolen from the FBI every month, 
according to a report issued this month from the Justice Department's 
Inspector General.

While 116 FBI laptops were reported lost and 44 were reported stolen in 
the last 44 months, the agency is doing better than it was five years 
ago, the DOJ's audit said of one of the nation's top investigative 
agencies. Another audit, conducted in 2002, showed that in a 28-month 
period 300 FBI laptops had been lost and 17 had been stolen.

At least seven of the computers were issued to FBI divisions that handle 
some of the most sensitive information related to national security. Six 
were assigned to the Counter-Intelligence Division and one was assigned 
to the Counterterrorism Division. Yet, the FBI did not know what these 
computers contained, including whether or not they held sensitive or 
classified information.

"This is a significant deficiency," the report states. "Some of these 
laptops may have contained classified or sensitive information, such as 
personally identifiable information or investigative case files. Without 
knowing the contents of these lost and stolen laptop computers, it is 
impossible for the FBI to know the extent of the damage these losses 
might have had on its operations or on national security."

The missing laptops include one that was reported stolen from a Boston 
field office that contained software for creating identification badges. 
Reports say it was encrypted. Another laptop was reported stolen from 
the FBI's own security division. While it, too, was encrypted, it 
contained a system security plan for an electronic access control 
system. However, it's not known if a laptop stolen from the FBI Academy 
at the U.S. Marine Corps Base Quantico in Virginia was encrypted. That 
machine contained the names, addresses, and telephone numbers for FBI 
personnel.

Ken van Wyk, principal consultant with KRvW Associates and formerly with 
the Defense Information Systems Agency, says it's important to separate 
the lost computers from the information on them. "It's disconcerting, 
but as someone who travels with electronic gear all the time, I can tell 
you we're targeted," he adds. "But a lot of agencies, and I've got to 
believe that includes the FBI, are using whole-disk encryption. The 
chances of a thief being able to break it are very slim. The risk, at 
that point, is extremely low."

Van Wyk adds that while the FBI obviously should tighten up its 
security, he thinks the agency's computer loss rate would match up to 
that of most large companies. "It's inevitable," he says.

According to the audit report, the FBI investigated six of the 10 laptop 
losses that were known to contain sensitive or classified information. 
Of those six, one resulted in a three-day suspension, two investigations 
were pending when the report was filed, and three resulted in no action 
taken against the employee. The FBI did not investigate the remaining 
four losses, including the loss of the laptop computers that contained 
personal identifying information of FBI personnel and software for 
creating identification badges.

FBI Assistant Director John Miller said in a written statement that it 
is notable that the agency reduced the rate of lost computers.

"The OIG [Office of Inspector General] determined that when compared 
with figures from 2002, there has been a 349% reduction in the average 
number of weapons lost or stolen in a given month and a 312% reduction 
in the loss or theft of laptop computers," said Miller, noting that he 
disagrees with some of the audit's findings. "Nonetheless, we 
acknowledge more needs to be done to ensure the proper handling of the 
loss and theft of weapons and laptops, and the information maintained on 
them.

"While the Inspector General acknowledged that the loss of certain 
resources is inevitable in an organization the size of the FBI, we 
nevertheless stand committed to increasing institutional and personal 
accountability to further increase the progress we have made in 
minimizing the loss of firearms and information technology components," 
added Miller.

The Inspector General's report also audited the number of weapons that 
have been lost or stolen from the FBI. In the first audit, 354 weapons 
had been lost or stolen, and in this second audit, the number dropped to 
160. Forty-eight functional weapons were lost, 94 functional weapons 
were stolen, and 18 training weapons were lost.

In 2001, the U.S. Attorney General requested that the Office of the 
Inspector General conduct audits over the control of weapons and laptops 
within the FBI, the U.S. Drug Enforcement Administration, the Federal 
Bureau of Prisons, and the U.S. Marshals Service. The report on the FBI 
disclosed "significant losses" of weapons and computers so a follow-up 
audit was requested.

The FBI had the greatest number of losses, as well as the most 
significant deficiencies in controls, of all the DOJ components reviewed 
in the 2002 audits, according to the report.

This article was modified on February 12 to include a comment from a 
consultancy group.

