Auditors from the U.S. Department of Justice (DOJ) reported this week that during a 44-month period ending in September 2005, the FBI lost 61 laptops containing either sensitive information or information the FBI was unable to confirm as sensitive.
The findings were part of a recently published report penned by the Office of the Inspector General (OIG) on lost and stolen weapons and laptops. During the three-and-a-half year period examined by OIG auditors, the FBI lost 160 laptops.
Of those, 10 contained sensitive or classified information that included case details, personal identifying information or classified information on FBI operations. One laptop, which was reported as stolen, contained software used to make FBI identification badges. Though three of these 10 machines were encrypted, the FBI could not confirm whether the rest had cryptographic solutions installed.
Most disconcerting to OIG auditors, however, were the 51 laptops that contained information that the FBI was unable to quantify or categorize.
“This is a significant deficiency. Some of these laptops may have contained classified or sensitive information, such as personally identifiable information or investigative case files,” the OIG report read. “Without knowing the contents of these lost and stolen laptop computers, it is impossible for the FBI to know the extent of the damage these losses might have had on its operations or on national security.”
Among these laptops, six were assigned to the bureau's Counterintelligence Division and one was assigned to the Counterterrorism Division.
“Yet, the FBI did not know the contents of these computers or whether they contained sensitive or classified information,” the OIG reported.
Most IT security professionals agree that laptop loss and theft is unavoidable in any organization.
“Computer loss is a fact of life,” said John Livingston, CEO of Absolute Software. “This is a really hard problem to solve, because you’re dealing with thousands of different notebook computers and knowing what’s on each individual computer is a challenge for any IT department. So what we suggest is having an encryption solution (and) having a tracking and recovery solution so that if you do get into trouble you can do something after the fact.”
In the case of the FBI, IT professionals within that organization manage more than 26,000 laptops at any given time. Most security professionals from government agencies and beyond would agree with Livingston about the difficulties faced in tracking information assets on these machines, said Tom Bennett of Oakley Networks.
“We just had a customer roundtable and we had eight of the top (federal) agency security heads in on this discussion, and this is one of the issues that came up several times,” Bennett said.
He explained that IT security practitioners in government and private organizations must find ways to better track the information contained within lost or stolen devices.
“I really think that the proof is in the pudding. I think companies have to find some sort of mechanism to do one of two things,” he said. “Either establish that no data manipulation has taken place since the laptop was lost — even if it was encrypted — or have some way of ensuring that certain types of activities indicative of somebody trying to break into the data would result in an automatic destruct.”
The findings published this week by OIG were based on a similar study conducted in 2002. In response to the publication of audit findings, the FBI was quick to point out improvements made since the initial survey of missing laptops.
“It is notable that the inspector general has concluded the FBI has made significant progress in decreasing the rate of loss for laptops,” FBI Assistant Director John Miller said on Monday. “The OIG determined that when compared with figures from 2002, there has been a 312-percent reduction in the loss or theft of laptop computers.”
The main thrust of OIG findings was that even though overall theft and loss has reduced, the FBI is still sorely lacking in timely reporting of missing laptops and their contents. In addition to failures in categorizing data in 30 percent of missing laptops, the FBI also fell short when it came to reporting laptop loss to the appropriate interagency organizations.
For example, the security team at DOJ Computer Emergency Response Team (DOJCERT) considers any unexpected, unplanned event that could have a negative impact on IT resources as an “incident,” making most — if not all — of the 160 incidents reportable. But the FBI only submitted one incident report to DOJCERT regarding missing laptops during the entire period audited by the OIG.
FBI officials acknowledged the weaknesses in its current processes and vowed to right the ship.
“While the Inspector General acknowledged that the loss of certain resources is inevitable in an organization the size of the FBI, we nevertheless stand committed to increasing institutional and personal accountability to further increase the progress we have made in minimizing the loss of firearms and information technology components,” Miller said. “We appreciate the work done by the OIG and agree with the majority of their recommendations. We have or will be implementing those recommendations.”
Click here to email West Coast Bureau Chief Ericka Chickowski.