FBI to require lie detector tests on systems administrators
http://computerworld.com/cwi/story/0,1199,NAV47_STO58852_NLTpm,00.html
By DAN VERTON
(March 22, 2001) The FBI last week quietly expanded its use of the
polygraph to cover systems administrators and all other employees with
access to sensitive computer networks and databases, marking the first
time that IT specialists in the government have been singled out for the
controversial lie detector test.
FBI Director Louis Freeh issued a memorandum last week that put the new
policy into effect immediately, said agency spokesman Bill Carter. "The
director notified all employees that interim changes have been made to the
FBI security program, including an expansion of the use of the polygraph
to cover employees in sensitive areas," Carter said. To date, the FBI's
polygraph policy has been used to conduct periodic tests of employees at
random.
The change in policy is a direct response to the Feb. 18 arrest of Robert
Phillip Hanssen in one of the most damaging spy scandals in the bureau's
history. Hanssen, a career FBI agent with access to highly classified
counterintelligence databases, is accused of spying for Russia since 1985
and giving Russian intelligence agents details about U.S. intelligence
sources and electronic surveillance operations (see story).
However, the Hanssen case is unique in that the computer-savvy
counterintelligence agent used his access to the FBI's Electronic Case
File system, which contains classified information about ongoing FBI
investigations, to check whether the bureau had been alerted to his
activities. Although Hanssen and his Russian handlers relied heavily on
traditional spying methods, such as "dead drops" for exchanging packages
anonymously, the case is being touted by the FBI and IT security experts
as a harsh lesson in the growing threat to corporate data by insiders.
As a result, the new FBI policy also includes what Carter called technical
"enhancements" to the bureau's ability to monitor and analyze the computer
activity of employees in sensitive areas of the bureau and to detect
"anomalies."
Steven Aftergood, who runs the Project on Government Secrecy at the
Federation of American Scientists in Washington, said he thinks this the
first case where system administrators have been singled out to take the
polygraph. It's also clear, he said, that the revised testing policy is a
direct reaction to the FBI's failure to monitor Hanssen's online
activities in real time before he could do damage.
Still, it's unclear, pending the release of an ongoing independent review
of the Hanssen case, whether the new polygraph policy will remain in
effect.
"It's a bit of a compromise," said Aftergood. "There is a cultural
resistance to the polygraph that is different at the FBI than at the CIA.
A polygraph is something that is given to new employees and suspected
criminals, not to employees in good standing."
Polygraphs are used regularly at the CIA as a hiring tool and as a method
of uncovering spies within the agency. Employees are hooked up to a
machine that records pulse, heart and breathing rates during a series of
questions. Changes in those rates are then recorded and used to determine
truthfulness.
However, while polygraphs have been an important tool over the years in
catching people who have betrayed national secrets, experts are split on
their accuracy and acknowledge they can finger honest people as well as
criminals and spies. Convicted CIA spy Aldrich Ames, for example, passed
his polygraph examinations.
"I think there will be problems and cases where employees are tripped up
by the tests," said Aftergood. "But the bureau as a whole will adapt."
Alan Paller, director of research at the SANS Institute, a security
research organization in Bethesda, Md., characterized the increased focus
on internal security and personnel monitoring as "the Carnivore effect,"
referring to the FBI's controversial system for e-mail monitoring (see
story).
"People have discovered that system administrators have unfettered access
to all the most private information being passed through their systems,"
said Paller. "With it comes a sense that there ought to be some controls
on what they see and what they do with it. [However,] I have not yet seen
any consensus on what they are going to do about these new discoveries."
John Pescatore, an analyst at Stamford, Conn.-based Gartner Group Inc.,
said although he can see the benefit of subjecting systems administrators
to polygraphs, he doesn't see polygraph testing becoming widespread.
"It is expensive and intrusive," said Pescatore, adding that the national
security community on average only does them every five years because of
cost. However, "the average time at a job of a system administrator is
less than three years," he said.
_____________________________
Stay hungry,
--J. R.
Useless hypotheses:
consciousness, phlogiston, philosophy, vitalism, mind, free will
This archive was generated by hypermail 2b30 : Mon May 28 2001 - 09:59:42 MDT