"IV. Summary of the FBI's Security Programs During Hanssen's Career
The Hanssen case highlighted significant, longstanding deficiencies in the FBI's internal security program, many of which were brought to the attention of FBI management over the years but were not corrected. Historically, the FBI has not been in compliance with Executive Orders, Justice Department regulations, and Intelligence Community standards regarding internal security. Although we found that the FBI has taken many important steps to improve its internal security program since Hanssen's arrest - including the implementation of a counterintelligence-focused polygraph examination program, the development of a financial disclosure program, and the creation of a Security Division - some of the most serious weaknesses still have not been fully remedied. These weaknesses expose the FBI to the risk of future serious compromises by another mole.
Before Hanssen's arrest, the FBI's security program was based on trust. Rather than taking the sort of proactive steps adopted by other Intelligence Community components - such as requiring regular counterintelligence polygraph examinations, financial disclosures, and meaningful background reinvestigations, and utilizing audit functions regarding computer usage - the FBI trusted that its employees would remain loyal throughout their careers. The Hanssen case shows the danger of that approach.
In our review, we observed serious deficiencies in nearly every aspect of the FBI's internal security program, from personnel security, to computer security, document security, and security training and compliance. These deficiencies led to the absence of effective deterrence to espionage at the FBI and undermined the FBI's ability to detect an FBI mole. Moreover, the absence of deterrence played a significant role in Hanssen's decision to commit espionage. As he explained during debriefings: "[I]f I had thought that the risk of detection was very great, I would never have done it." Hanssen also exploited many of these weaknesses - particularly in document and computer security - to pass sensitive information to the KGB.
With respect to personnel security, Hanssen was never subject to a wide variety of basic security techniques and procedures that could have deterred or perhaps uncovered his espionage. For example, Hanssen was never asked to submit to a polygraph examination during his 25-year FBI career, despite his extraordinarily broad access to extremely sensitive human and technical intelligence information from across the Intelligence Community. After [CIA Agent Aldrich] Ames's 1994 arrest [for selling US secrets to the Russians undetected for 9 years], FBI National Security Division managers argued for an a periodic, random polygraph program, but the FBI's most senior management rejected that request, largely because of concerns regarding false positives. Hanssen's arrest in 2001 finally prodded the FBI to make a polygraph examination part of the standard five-year background reinvestigation. According to the FBI, by June 2003 it had also expanded its polygraph program by implementing a periodic, random polygraph examinations.
Hanssen likewise was never asked to complete a detailed financial disclosure form during his FBI career. During our interviews, Hanssen identified meaningful financial disclosure as the security technique that would have provided the greatest deterrence to his espionage. As it was, Hanssen felt comfortable depositing thousands of dollars of the KGB's cash in a passbook savings account - listed in his own name - at a bank located a block away from FBI Headquarters. He also safely invented stories about family wealth and successful investments to explain his spending.
The FBI reported in July 2003 [two years after Hanssen's arrest] that a financial disclosure program "will be implemented within the next month."
Given that financial gain is often an important motive for committing espionage, developing a credible financial disclosure program is a critical element in improving the FBI's personnel security with respect to both deterrence and detection.
Hanssen received his first - and only - background reinvestigation in 1996, 20 years after he had joined the FBI.
The FBI has conceded that a number of "red flags" emerged during Hanssen's reinvestigation that were not resolved. The FBI's perfunctory background reinvestigation of Hanssen was not atypical, however. The system in place for background reinvestigations discouraged thoroughness. The principal investigators were not given access to the necessary source materials, such as the employee's personnel file, security file, and credit reports, and they primarily interviewed references supplied by the employee. They did not interview the employee. Moreover, the principal investigators merely collected information; they were not required to provide analysis or to make investigative recommendations. As a result, information developed through background reinvestigations received little analysis.
In committing espionage, Hanssen exploited serious weaknesses in the FBI's document and information security. His access to classified national security information - for both hard copies and computer files - was subject to little control or monitoring throughout his FBI career. As a result, he walked out of the FBI with copies and originals of some of the U.S. government's most sensitive classified material - including numbered Top Secret documents - with little fear of being stopped or detected. The FBI's inability to account for its most sensitive documents and failure to limit this information to those with a "need to know" has been noted both by the OIG and by the FBI's internal reviews in the past, but remains uncorrected. [More proof if needed that the FBI is unable to police itself.] This deficiency is significant with respect to both deterrence and detection, because the FBI's inability to account for its most sensitive documents makes an access-based investigation for an FBI mole extremely difficult to pursue. The starting point for any such investigation is a list of those employees who had access to a compromised operation; at the FBI, that determination is often impossible to make.
During his last period of espionage, Hanssen used the FBI's ACS [Automated Case Support] computer system to track the FBI's most sensitive espionage investigations - including the investigation that was looking for him. Hanssen also routinely searched the system for references to his own name and home address, and to the signal and drop sites that he used, to assure himself that he was not under investigation. Hanssen conducted thousands of searches for highly sensitive information that he had no conceivable "need to know," without fear that a computer audit would reveal his misconduct. As with his record of cash deposits, it would have been difficult for Hanssen to invent an innocent explanation for his repeated searches regarding his name, address, and signal and drop sites. Even more significantly, an audit of Hanssen's ACS activity would have identified him as someone worthy of investigation.
The serious security flaws in the FBI's ACS system - which have been discussed in prior OIG reviews and internal FBI inspection reports - have been apparent since the system's inception in 1995, but have not been remedied. Access restrictions are subject to ready override by Headquarters personnel who, like Hanssen, have no "need to know" about the sensitive operations the access restrictions are designed to protect. The system is likewise prone to human error, with documents concerning highly sensitive operations - such as the Hanssen investigation - being made available to any curious user because of improper uploading or inadequate restriction codes. The ACS system's audit function, mandated by Justice Department regulations and a principal tool against unauthorized usage as well as espionage, was rarely utilized before Hanssen's arrest.
Today, more than two years after Hanssen's arrest, the ACS system remains insecure and vulnerable to misuse. [As of Feb. 2005, ACS hadn't been replaced]. The current audit program relies on case agent review rather than third-party auditing. Moreover, the program has only retroactive effect; case agents do not receive real-time notice when someone seeks unauthorized access to their cases. The "need to know" principle is not adequately applied in the computer context within the Counterintelligence Division; all Headquarters Counterintelligence Division agents have access to all cases in the Division whether or not their section or unit is connected to the case. Finally, the system's susceptibility to human error has not been remedied. In response to the OIG's findings regarding the ACS system, the FBI reported in July 2003 that "attempting technical changes to improve ACS security would not be a smart business decision" in light of plans to implement a new automated case system known as the Virtual Case File (VCF). The FBI stated that the first delivery of VCF is scheduled for December 2003. [As of 2/3/2005, VCF still was not operational]. In developing and implementing VCF, it is vital for the FBI to rectify the types of security flaws that have been evident in the ACS system for many years."...
[Ed. note: As of 2/3/2005, FBI's new VCF system was still not in use: "The Virtual Case File-- a case management application for improving efficiency and records management -- is not yet available to our personnel. Mr. Chairman, no one is more frustrated and disappointed than I at the delays we have encountered in deploying VCF." FBI Director Robert Mueller]
(continuing): "The FBI's lax approach to personnel and information security also was apparent in its handling of security violations. Hanssen's career was replete with security breaches, none of which were documented in his personnel or security file
or (with one exception) reported to the FBI's Office of Professional Responsibility, the Security Programs Manager, the NSD's Security Countermeasures Section, the Justice Department Security Officer, or any other central location for review and consideration of appropriate disciplinary action. While these security breaches did not necessarily show that Hanssen was engaged in, or was predisposed to engage in, espionage, they demonstrated that he was unfit to have access to sensitive information. Our review revealed unwillingness within the FBI to report security violations and take them seriously, even when highly sensitive information was involved. The Hanssen case also highlighted the absence of a centralized reporting program for security violations at the FBI, as well as the absence of a unit at FBI Headquarters responsible for collecting derogatory information concerning FBI employees, particularly in the counterintelligence context. In July 2003, the FBI reported that a security incident program had been instituted that will be managed by a new Security Compliance Unit. According to the FBI, the Security Division and the Counterintelligence Division will meet on a monthly basis to discuss counterintelligence-related issues.
Many of the security issues that emerged from our review of the Hanssen case stem from deficiencies in training. For example, FBI personnel specialists responsible for employee background reinvestigations did not have the necessary analytical training to assess issues that commonly arise during background investigations. FBI employees using the ACS system did not have sufficient knowledge and training to use the security controls that were built into the system to regulate access to sensitive cases. FBI employees were not knowledgeable regarding the requirements for handling classified materials, particularly at the Sensitive Compartmented Information (SCI) level. And employees and supervisors were not properly trained in how to report and document security violations. We believe that the FBI will not see significant improvement in its internal security until its employees are better trained on security issues.
In sum, the absence of adequate security controls at the FBI made espionage too easy for Hanssen to commit. Because of inadequate document security, he felt comfortable removing thousands of pages of classified documents from FBI offices. Because of lax controls over even the most sensitive information and violations of the "need to know" principle, he knew that he could compromise [murder] the FBI's most important Soviet/Russian assets [also known as human beings] and operations with little risk that the loss of these cases would be traced to him. Because of inadequate computer security, he felt free to conduct thousands of searches on the ACS system for references to himself and for information concerning the FBI's most sensitive counterintelligence cases.
Because of the absence of financial disclosure, he felt comfortable depositing thousands of dollars in espionage proceeds into his bank accounts. Because of the absence of polygraph examinations for onboard employees, he never had to confront the issue of what would happen when he failed polygraph questions aimed at determining whether he was or had ever been an agent of a foreign power. And because of a flawed and inadequate background reinvestigation program, he never had to fear that the FBI would uncover spending and other behavior inconsistent with his position at the FBI.
The defects in the FBI's security program were the product of decades of neglect. Historically, FBI management did not allot sufficient resources to security and rejected internal recommendations - for example, in the polygraph area - to make necessary improvements to the program. As a consequence, following Hanssen's arrest, the FBI faced enormous challenges in the areas of personnel, computer, and document security. While the FBI has made progress in many of these areas, in others - particularly computer security - problems have not been fully remedied and significant work still needs to be done. The FBI's Security Division must receive appropriate resources and support to ensure that the security program is significantly improved.
V. The Failure to Deter and Detect Hanssen's Espionage
The FBI's failure to deter and detect Hanssen's espionage over a more than 20-year period cannot be attributed to any individual FBI employee or small group of FBI supervisors....At the same time, we found overarching problems in the FBI's internal security efforts. Most of the deficiencies discussed in our report are of longstanding vintage and reflect the cumulative decisions of many FBI employees, including the Directors and senior managers who failed to remedy serious flaws in the FBI's personnel, document, and information security programs; the Directors and senior managers who failed to devote sufficient resources and attention to the penetration issue in the 1980s and early 1990s, and failed to resolve how important FBI human sources and operations had been compromised [a euphemism for being murdered]; the unwillingness of line personnel working on the espionage investigation of the CIA suspect to reconsider initial conclusions and judgments in the face of investigative failures, and senior managers' failure to insist that they be revisited; the failure of senior managers to ensure that accurate information was supplied to the Justice Department concerning the investigation of the CIA suspect; the supervisors and colleagues who ignored Hanssen's pattern of security violations and his obvious lack of suitability for handling sensitive information; and the managers who provided such lax supervision of Hanssen that he was able to spend much of his time on non-work related matters, or worse, committing espionage. These were widespread failings.
We believe that what is needed at the FBI is a wholesale change in mindset and approach to internal security. The FBI must recognize and take steps to account for the fact that FBI employees have committed espionage in the past and will likely do so in the future. A unit at the FBI must be responsible for asking every day whether there is evidence that the FBI has been penetrated, and the FBI's internal security program must shift from a program relying on trust to a program based on deterrence and detection."...