Why FBI Computer Force Ain't Fat

[InfoSec News <isn () c4i org>]

http://www.wired.com/news/politics/0,1283,54850,00.html

By Michelle Delio 
2:00 a.m. Sep. 3, 2002 PDT 

The carefully coiffed men wearing suspiciously shiny shoes are at 
every major computer security convention. 

They are there to remind hackers that law enforcement is always 
interested in their activities. They are also there to encourage 
security experts to become special agents. 

But after responding to the agency's appeals for computer security 
experts, aspiring G-men hackers sadly say that their names will never 
appear on the FBI's Most Wanted Job Applicants list. 

Although their technical abilities should allow them to qualify easily 
as agents, their ethics, age and/or physical fitness levels excluded 
them. 

Mike Sweeny, fueled by renewed patriotism after Sept. 11, wanted to 
offer his 20-plus years of experience in computer security to the FBI. 
But he was disheartened by job requirements that required him to have 
a college degree, be under 37 years old, morally irreproachable ... 
and physically fit. 

"They will not consider you unless you can carry your M16 through the 
physical fitness course without killing yourself in the process," 
Sweeny, maintainer of the PacketAttack website, said. "Most of the 
geeks I know view exercise as carrying the 80-ounce cola, pager and 
cell phone all at the same time." 

The FBI does have non-agent positions for people who are highly 
skilled in areas such as computer forensics (collecting evidence from 
computers). Those who don't qualify for agent positions can still 
serve as civilian employees, according to an FBI spokeswoman. 

But "in the FBI, if you're not an agent, you're on the bottom of the 
food chain," Richard Forno, an independent security consultant, said. 

The FBI admittedly needs help with its technical systems. The agency 
recently requested $76 million just to get their databases in order -- 
to convert some of the roughly 1 billion documents sitting in file 
cabinets into an electronic and easily searchable system. 

The agency has also requested an additional $730 million, over the 
$400 million originally budgeted, to implement "Project Trilogy" -- a 
general technology update intended to bring the FBI computer systems 
into the 21st century. 

The project was dubbed Trilogy because it's the third attempt to 
upgrade the FBI's technology into a system that would be truly useful. 

Computer security experts stress the FBI also needs to upgrade its 
hiring requirements if the agency really wants to attract experts. 
Besides the physical specimen specifications, many who are skilled 
enough to be able to protect a network from sophisticated attacks 
would probably not be ethically acceptable to the FBI. 

"In order to be a good computer security person, you must think like a 
black-hat hacker and be able to understand the tools and methods of 
the dark side," Sweeny said. "Right there, you are in a very gray 
area, in the feds' opinion." 

Job requirements for an agent also require an applicant to have a 
felony-free, just-say-no history. 

"One question on the application asked if you'd smoked pot more than 
15 times," Sweeny recalled. "Fifteen times? What's up with that? 
Fifteen is the magic number?" 

"If the feds want the hackers bad enough, then yes, they should peel 
away the red tape which now prevents them from working directly for 
the government," security consultant Rob Rosenberger said. "But hiring 
practices suck in the fed's computer security arena, just like they 
suck in every other fed arena." 

Rosenberger added that even if a person were an acceptable job 
applicant, it would not guarantee that the person would work with 
computers. 

"You won't get a position in computer security until you've worked at 
least five years on the beat, preferably in physical investigations," 
Rosenberger said. "They'll grudgingly let you past if you just do 
forensics, but they feel you really should chase bad guys with a gun 
before you chase bad guys with a computer." 




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.