FBI Bureaucracy Hobbles Tech Adoption

By Deborah Gage  |  Posted 2002-09-11

In the same month the twin towers fell, supervisors at the FBI's Computer Analysis Response Team ordered 83 copies of a software program that reveals the contents of images and files deleted from hard drives on personal computers, as well as visits to Web sites and the destinations of e-mail messages sent from those machines.

The software, known as Encase, had been used by several government agencies to process evidence seized during investigations of terrorist activity after Sept. 11. Earlier this year, Encase helped find the murderers of Wall Street Journal reporter Daniel Pearl. His captors had sent e-mails to government and news organizations on a computer later seized by the Pakistani police.

Encase is easy to use. Examiners attach a small cable, known as a dongle, to the parallel or USB port on a target computer or enter through the computer's Network Interface Card. The connection allows investigators to preview the contents of a hard drive and to create a virtual image. The drive's original data is undisturbed.

Encase is a leader in its field, according to Charles Kolodgy, research manager for International Data Corp.'s Internet Security Program. Plus, it meets court-accepted standards for technical evidence, a critical factor in prosecuting or defending a case.

But the software was not used by the analytical response unit, which investigates such computer-related crimes as child pornography. It got a cold shoulder from the FBI, which appears to prefer to build similar software itself.

Despite a six-month backlog in collecting computer-based evidence for court cases, the FBI held up the distribution of those 83 licenses, according to a letter written in February by Marc Zwillinger, a Kirkland & Ellis attorney who represents Guidance Software, Encase's manufacturer.

By February, the chief of the team's unit, Mark Pollitt, was trying to block Encase, according to Zwillinger's letter, which was circulated to several government agencies and viewed by Baseline. Pollitt's goal, according to the lawyer's missive, was to preclude the software from being published in the FBI's Standard Operating Procedures, which lay out which products—whether software, hardware, or guns—the FBI has tested and validated for internal use.

Meanwhile, the FBI continues to try to develop its own alternative to Encase, called the Automated Computer Examination System (ACES). Whether it is available is unknown.

Putting already-available (and already-ordered) commercial software through the wringer is one small example of the many issues the Bureau faces as it struggles to bring its information systems out of what Robert Chiaradio, a former FBI Executive Assistant Director, describes as "a 1950s-style office culture." Chiaradio retired in June to manage KPMG Consulting's Homeland Security practice.

Two highly critical reports released in March allege the FBI's information systems are in complete disarray.

DOJ Inspector General Glenn Fine, who investigated the FBI's misplacement of more than 1,000 documents related to the Oklahoma City bombing, described how multiple databases were used for tracking documents, with information kept on multiple forms that were handled in multiple ways. Procedures for numbering documents varied from field office to field office. A paper system for tracking documents competed with the FBI's Automated Case Support (ACS), which manages case files online.

And the Webster Commission—established by Attorney General John Ashcroft in March 2001 to study the FBI's security programs, after former agent Robert Hanssen was arrested for espionage—described how in November 2000 Hanssen took advantage of the deficiencies in ACS, which Hanssen called "criminal negligence," to steal between 500 and 1,000 documents that he passed to the Russians. Hanssen read unrestricted descriptions of restricted documents and figured out how to write queries that circumvented "stop words," or words that the FBI search engine was instructed not to find.

Although Hanssen was technically adept, he also found documents that the commission said should have been restricted, despite the fact that many agents did not understand how to do so. In September 2000, the commission said, the FBI discovered it was operating at least 50 computer systems, 30 of which contained classified information, and the bureau subsequently discovered several more. Hanssen compromised over 50 human sources, many of whom were imprisoned or executed.

The Encase Case

Citing the six-month backlog in evidence gathering, former FBI Director Louis Freeh in February 2000 requested $2.8 million to continue developing ACES, the alternative to Encase. The FBI believes that using outside source-code risks compromise by foreign agents who could insert back doors in the code that transmit classified information.

But in a separate letter sent in April 2002, to Attorney General Ashcroft, Rep. Adam Schiff, the California Democrat representing Guidance's district, claimed that ACES had not kept pace with modern technology and that the FBI had canceled it. Schiff served in the Los Angeles U.S. Attorney's office and in 1990 prosecuted Richard Miller, the first FBI agent to be indicted for spying for the Soviet Union.

Schiff claimed that the FBI's pursuit of ACES "while superior, cost-effective software was commercially available" might be partially responsible for the backlog.

At the same time, FBI agents in the field were using Encase without permission, according to sources close to the bureau, shifting funds to find the money to buy software licenses and training from Guidance Software.

Greg Motta, an attorney in the FBI's Office of General Counsel, declines to discuss the specifics of Zwillinger's letter, although he says there is a "timeliness issue" with Zwillinger's accusations. Motta says the FBI is not prohibiting agents from using Encase, even though the software is not internally tested and approved.

"Our protocol indicates that when one of the internally validated tools is not operating properly, examiners are allowed to use nonvalidated tools so long as they verify the results," Motta says. "The FBI has a collaborative process for testing and evaluating products that transcends any one individual and that we are constantly re-evaluating."

Motta also disputes Schiff's contention that ACES has been discontinued. "ACES is like Microsoft Windows—there are a bunch of applications thrown in. The degree to which the FBI needs to document examinations is sometimes far in excess of what the local police department [i.e. Encase users] would want."

Zwillinger counters that he is "encouraged" that the bureau is softening on its devotion to developing the same or similar technology in-house. "They say now they are completely open-minded, and are evaluating the use of Encase in the future. Given the challenges posed by increasing cyberthreats and immense quantities of computer evidence, the FBI seems to be refocusing on the nature of its mission."

Chiaradio, however, says that until a couple of years ago, agents routinely developed their own code or shifted funds to conceal purchases of unsanctioned hardware and software.

"Agents, out of frustration at not getting the right automation support, improvised and overcame," he says. "That's why the FBI has 42 investigative stovepipe applications." ACS, for example, is one of five main FBI investigative application systems—only in April did agents get minimal searching capabilities across four of them.

One former agent who asked not to be named says that "caring public servants" in the FBI are hamstrung by federal budget cycles, government procurement rules that require agencies to plan purchases years in advance, and the impossibility of developing software fast enough to keep up with private industry.

"A headquarters guy like Pollitt would be in a position of having to say what's best for the FBI as an institution," the agent says. "But in today's investigations, it's hard to wait for something perfect if anything is offered in the meantime. 'Perfect' becomes the enemy of 'good.' "

FBI Director Robert Mueller, like his predecessor Louis Freeh, is bringing in what Chiaradio calls "a straighter army"—people like Wilson Lowery, who replaces Chiaradio and who carried out former IBM CEO Lou Gerstner's blueprint for transforming IBM from a company with 150 separate financial systems into one with common processes; Darwin John, CIO, who spent 12 years managing IT systems for the Mormon Church and who replaces Bob Dies, hired by Freeh to join the bureau in July of 2000 from IBM; and Sherry Higgins, Trilogy Systems Advisor, who has served as both the CIO and CTO of Lucent.

In August, Higgins testified before a Senate Judiciary subcommittee on the progress of Trilogy, the FBI's latest plan to upgrade its information systems, for which Congress in November 2000 allocated $379 million. Funding has since been increased.

In its current form, Trilogy will provide PCs, printers and scanners for every FBI office, upgrade some FBI networks, improve security, and migrate data from the FBI's five investigative applications into a single Virtual Case File. This will allow agents to use a standard Web browser to submit and track documents (including multimedia files), search the FBI's entire data warehouse with one query, and possibly mine data from other agencies as well.

Astonished senators who watched Higgins use function keys to navigate through 12 green screens to get to a document in ACS demanded to know why Trilogy can't be completed before June 2004. But Higgins has slowed portions of Trilogy by about 15 months since she joined the FBI in March. The Webster Commission said the FBI was trying to move Trilogy so fast, it could not possibly integrate good security into the system.

Guidance President John Patzakis, meanwhile, declines to comment on the FBI, saying Guidance hopes to work with all federal agencies to ensure that the best possible forensic tools are available, whether from inside the government—or outside.

Additional reporting by John McCormick and Elizabeth Bennett