Issue No. 02 - March/April (2005 vol. 3)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2005.41
FBI's Virtual Case File Living in Limbo
When the US Federal Bureau of Investigation (FBI) gave the green light to an information technology (IT) overhaul more than four years ago, it was bound to trigger security and privacy concerns.
Yet, after recently coming under intense scrutiny from the US National Research Council, not to mention Congress, and having to shelve most, if not all, of its technological initiatives, nary a whimper is coming from the FBI about the current status of the project that came in with such a bang.
Why is so little known about the project's next steps? And should the uncertainty surrounding the FBI's plans with respect to its IT overhaul raise any security and privacy concerns?
The US National Academy of Sciences' in-depth study of the project, A Review of the FBI's Trilogy Information Technology Modernization Program (http://books.nap.edu/catalog/10991.html), outlines the factors that contributed to the failure of the Trilogy program and its accompanying application software, Virtual Case File (VCF).
Although the report details many reasons for the initiative's failure—from too much outsourcing to vendors who didn't understand the FBI's IT needs to US law enforcement agencies' radical shift to counterterrorism in the post-9/11 period—several questions remain.
Speaking on condition of anonymity, a source with in-depth knowledge of the report's findings shed light on some of these questions.
The source believes security measures will be a key consideration in whatever the FBI decides to do to revamp its IT infrastructure; external attacks aren't as worrisome as possible exposure to internal vulnerabilities.
"Hacking into a top secret network is tough, but it doesn't mean that it can't happen," our source says. "What is more likely is an internal problem."
In fact, the report recommends that the FBI "immediately develop plans that address recovery of data and functionality in the event that essential technology services come under denial-of-service attacks"—for example, viruses and pervasively replicated software bugs.
According to the source, "Everybody knows the FBI is running Windows; it's a matter of public record. What happens when someone violates procedure and brings in an infected floppy?
"What they showed us was not reassuring, but maybe they do have a plan. We just don't know. It is entirely possible that security could be compromised in that instance."
Furthermore, any new program will have to strike a tenuous balance between allowing for crucial information sharing and keeping classified information top secret.
"We just don't know how they will achieve this," our source says. "But the report's recommendation of having two separate systems (one with shared access and one requiring special security clearance) seems to be the most logical way to go."
As for what the future holds for the FBI's IT infrastructure, there appears to be more conjecture than certainty, but one thing seems definite: there will be a next phase.
"Something's going to happen somewhere along the line," the source says. "The FBI can't use ACS [Automated Case Support] forever."
According to the report, the FBI has progressed significantly in some areas of IT modernization, particularly in updating computing hardware and baseline software, as well as deploying its networking infrastructure.
The FBI has also started adopting some recommendations from the report. For example, whatever updated IT system the FBI decides to use, it will almost certainly deploy it in phases, with a backup plan firmly intact, rather than in a flash-cutover implementation.
Regarding flash cutover, "it usually looks cheaper, but it never is," the source says. "My guess is [that the FBI] will maintain ACS, at least partially, until full implementation of a new system is completed."