[Infowarrior] - Interview with FBI CIO on FBI IT woes

Richard Forno rforno at infowarrior.org
Fri Jul 14 08:39:07 EDT 2006


FBI's CIO faces agency's tech challenges

By Anne Broache
http://news.com.com/FBIs+CIO+faces+agencys+tech+challenges/2008-1028_3-6094146.html

Story last modified Fri Jul 14 04:00:06 PDT 2006

When Zalmai Azmi took the job of the FBI's chief information officer three
years ago, he had a daunting task ahead of him: steering the agency's rocky
computer modernization project back on course.

The results so far have been mixed. Last year, the FBI was forced to abandon
its initial plans to create a so-called Virtual Case File system, with FBI
Director Robert Mueller admitting to Congress that more than $100 million
had been wasted. In addition, a series of damning reports have described
slipshod management and missing equipment.

Now, however, the FBI is trying again with a project named Sentinel that's
designed to succeed a paper-intensive system that relies on 1980s mainframe
technology. In March, the FBI awarded Lockheed Martin the contract for
Sentinel's development, which is estimated at $305 million over six years.

Azmi, an Afghan native, came to the FBI from the Executive Office of the
U.S. Attorneys, where he was responsible for developing and carrying out a
multi-year IT transformation plan.

CNET News.com spoke with Azmi about Sentinel's direction, the existing
cumbersome systems and recent reports that a contractor hacked the FBI's
computers.

Q: The FBI spent over $100 million on a system that ultimately had to be
abandoned. Earlier this year, government auditors faulted the bureau for
wasting millions of dollars on "questionable contractor costs" and misplaced
equipment from earlier stages of the upgrade process. How can you be sure
that taxpayer money won't go to waste again?

Azmi: The GAO audit was specific to the Trilogy program and not specifically
to the Virtual Case File. Sentinel is more akin to VCF than it was (to)
Trilogy because Trilogy was the deployment of our network, desktops,
laptops, scanners, printers, a lot of moving parts and a lot of computers.
Sentinel is different. It's not going to supply any desktops or laptops or
anything like that, it's more of an application we will make available to
our users through Web technology or through a Web browser.

Regardless of that, a lot has changed since the Virtual Case File program
was envisioned.

Now we have an enterprise architecture in place...We have the governance
process to do that project from cradle to grave. As we go through that
process, there are specific control gates and reviews and a proof of project
to move to the next step. We have an investment management board in
place...to make sure we're investing in technologies that the bureau needs,
technologies that are what our vision needs, and technologies that are
budgeted for and envisioned for in enhancing the FBI's future mission.

We do have a very strict certification and accreditation policy or program
in place for security, so every program has to go through what we call a C&A
process. We also have a Life Cycle Management directive in place, which
means that every program has to be developed according to a set of standards
within the bureau, and those standards are reviewed and monitored through
the governance process to make sure our contractors and our vendors are
following the policies, methodologies that we have put in place.

From the perspective of agents and analysts doing their day-to-day work, how
urgent is it that the FBI modernize its case-management system? If the
system itself dates back to the 1980s, why weren't upgrades started sooner?

Azmi: Information technology has to be revamped on a regular basis. Within
the government, the best practices, every three to four years we have to
replace our computers, and every five or maybe six years our servers. So
there's a refresh cycle for the technology because it's constantly changing.
With our current mission of national security and cybersecurity, it is
imperative for us to have the latest and greatest tools within the bureau.
And that's why there's a sense of urgency, we need to have those critical
tools at the disposal of our agents and analysts to do their job, and that
urgency will remain. We're looking at new technologies every single year to
enhance our mission.

The FBI's case-management system seems to be keyboard-based and
paper-intensive, slowing down the process of accessing records. What are
some of the complaints that FBI users have made about the way the case
management system works, and how would the new system address those
concerns?

Azmi: The existing automated case system that we have, which is called ACS,
is a mainframe application, what we call a green screen, because it's
command driven. You have to put commands in there, you have to do everything
manually. It is true we don't have any mouse interaction with that version
of automated case system. It is not taking advantage of modern technology.
For example it's probably going to take about 13 function keys or pressing
of the keys on the keyboard to load a document into the mainframe in
comparison to what you are probably aware or familiar with when you go into
your e-mail and see an attached document. It's a couple of clicks and the
document is on its way through to the receiver.

The new technology, the central program that we will be implementing is a
program based on Web technologies. It is a service-oriented architecture,
meaning each capability of the program will be provided as a service in
terms of information management, document management, search capabilities,
reporting capabilities, those will be all services that we will provide
through this application. But also the benefit of this approach is the same
services can be used by other applications throughout the enterprise. In a
nutshell, the new Sentinel is going to be akin to an AOL or a Yahoo Web page
where you go and information is available to you through your searches,
through your data entry, and you move forward to the daily work.

The other part of the challenge was the uploading of the documents. It was
also the process of electronically routing documentation. Currently, if we
are in one of our resident agencies and we do that paperwork, that paperwork
requires a signature of our supervisor. Basically we have to put that file
in an envelope, we have to mail it to our field office where our supervisor
is going to take a look at it, maybe sign it, maybe comment on it, or
whatever, so in my view that is a delay in time. With our new system, that
process will be seamless...because you work online, you just forward the
e-mail, that document, to your supervisor who is going to approve it and
move forward. So there's time saving in there, there's accountability for
the document at any given time. It's not going to get lost in the mail, and
there will be also a chain of custody. At any given time you will know who
has that document, the critical capabilities that we are missing currently.

What made the FBI decide on Lockheed Martin as the primary contractor this
March? Will there be other companies working on Sentinel as well?

Azmi: The contract was completed under the National Institutes of Health's
(procedure). There were a number of vendors that actually bid on this, and
Lockheed was the one that was selected based on their proposal and their
strategy for developing this program. Lockheed has a number of
(subcontractors) under it, about 10 primary subs are working with Lockheed
to support Lockheed in this endeavor. (Some of them are Accenture, Computer
Sciences Corp. and CACI.)

The Washington Post recently reported that a former contractor broke into
secret FBI systems without proper authorization. The contractor that broke
in, working from a field office in Virginia, apparently took advantage of an
antiquated security mechanism (/etc/passwd files in cleartext) that the
private sector abandoned a decade ago. Why was the FBI so behind? Do you
plan changes in security with Sentinel?

Azmi: It's two different issues--first of all, let me clarify that the
individual who had access to our networks was a privilege that was granted
to him because he was part of our system administrative staff when he was
deploying Trilogy, so he already had access to the system, took advantage of
those privileges, so that's how he was caught.

Sentinel is actually an application that has its own security mechanism,
which is different and actually does not even relate to the case in
Springfield at all, because we manage passwords and security in Sentinel
much different than what happened in Springfield. Springfield was (about)
access to the network, and Sentinel is access to an application, two
different things.

Statements were made that this guy cracked the passwords and that's how he
gained access to the network. That's not true. He had the privilege already
to the network, and he abused that privilege and that's how he was caught...

We knew of the vulnerability, and we also are protecting our password files,
but the fact that this guy had the administrative rights to our system,
that's what made it vulnerable, and that's why we call it insider threats.
It's very difficult to defend against that, it's almost like you shouldn't
give anybody administrative rights, but who's going to manage the system? So
there's a balance you always have to reach.


Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.