FBI to require lie detector tests on its systems administrators

[InfoSec News <isn () C4I ORG>]

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO58852,00.html

By DAN VERTON
March 22, 2001

The FBI last week quietly expanded its use of the polygraph to cover
systems administrators and all other employees with access to
sensitive computer networks and databases, marking the first time that
IT specialists in the government have been singled out for the
controversial lie detector test.

FBI Director Louis Freeh issued a memorandum last week that put the
new policy into effect immediately, said agency spokesman Bill Carter.
"The director notified all employees that interim changes have been
made to the FBI security program, including an expansion of the use of
the polygraph to cover employees in sensitive areas," Carter said. To
date, the FBI's polygraph policy has been used to conduct periodic
tests of employees at random.

The change in policy is a direct response to the Feb. 18 arrest of
Robert Phillip Hanssen in one of the most damaging spy scandals in the
bureau's history. Hanssen, a career FBI agent with access to highly
classified counterintelligence databases, is accused of spying for
Russia since 1985 and giving Russian intelligence agents details about
U.S. intelligence sources and electronic surveillance operations (see
story).

However, the Hanssen case is unique in that the computer-savvy
counterintelligence agent used his access to the FBI's Electronic Case
File system, which contains classified information about ongoing FBI
investigations, to check whether the bureau had been alerted to his
activities. Although Hanssen and his Russian handlers relied heavily
on traditional spying methods, such as "dead drops" for exchanging
packages anonymously, the case is being touted by the FBI and IT
security experts as a harsh lesson in the growing threat to corporate
data by insiders.

As a result, the new FBI policy also includes what Carter called
technical "enhancements" to the bureau's ability to monitor and
analyze the computer activity of employees in sensitive areas of the
bureau and to detect "anomalies."

Steven Aftergood, who runs the Project on Government Secrecy at the
Federation of American Scientists in Washington, said he thinks this
the first case where system administrators have been singled out to
take the polygraph. It's also clear, he said, that the revised testing
policy is a direct reaction to the FBI's failure to monitor Hanssen's
online activities in real time before he could do damage.

Still, it's unclear, pending the release of an ongoing independent
review of the Hanssen case, whether the new polygraph policy will
remain in effect.

"It's a bit of a compromise," said Aftergood. "There is a cultural
resistance to the polygraph that is different at the FBI than at the
CIA. A polygraph is something that is given to new employees and
suspected criminals, not to employees in good standing."

Polygraphs are used regularly at the CIA as a hiring tool and as a
method of uncovering spies within the agency. Employees are hooked up
to a machine that records pulse, heart and breathing rates during a
series of questions. Changes in those rates are then recorded and used
to determine truthfulness.

However, while polygraphs have been an important tool over the years
in catching people who have betrayed national secrets, experts are
split on their accuracy and acknowledge they can finger honest people
as well as criminals and spies. Convicted CIA spy Aldrich Ames, for
example, passed his polygraph examinations.

"I think there will be problems and cases where employees are tripped
up by the tests," said Aftergood. "But the bureau as a whole will
adapt."

Alan Paller, director of research at the SANS Institute, a security
research organization in Bethesda, Md., characterized the increased
focus on internal security and personnel monitoring as "the Carnivore
effect," referring to the FBI's controversial system for e-mail
monitoring (see story).

"People have discovered that system administrators have unfettered
access to all the most private information being passed through their
systems," said Paller. "With it comes a sense that there ought to be
some controls on what they see and what they do with it. [However,] I
have not yet seen any consensus on what they are going to do about
these new discoveries."

John Pescatore, an analyst at Stamford, Conn.-based Gartner Group
Inc., said although he can see the benefit of subjecting systems
administrators to polygraphs, he doesn't see polygraph testing
becoming widespread.

"It is expensive and intrusive," said Pescatore, adding that the
national security community on average only does them every five years
because of cost. However, "the average time at a job of a system
administrator is less than three years," he said.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".