The Webster Commission Report: A Review of FBI Security Programs

The Webster Commission Report:

A Review of FBI Security Programs

Executive Summary

The Commission for the Review of FBI Security Programs was established in response to possibly the worst intelligence disaster in U.S. history: the treason of Robert Hanssen, an FBI Supervisory Special Agent, who over twenty-two years gave the Soviet Union and Russia vast quantities of documents and computer diskettes filled with national security information of incalculable value.

As shocking as the depth of Hanssen's betrayal is the ease with which he was able to steal material he has described as "tremendously useful" and "remarkably useful" to hostile foreign powers. Hanssen usually collected this material in the normal routine of an FBI manager privy to classified information that crossed his desk or came up in conversation with colleagues. Before going to some prearranged "drops" with Soviet and Russian agents, Hanssen would simply "grab[] the first thing [he] could lay [his] hands on." In preparation for other acts of espionage, which he might have months to anticipate, Hanssen was more systematic. He was proficient in combing FBI automated record systems, and he printed or downloaded to disk reams of highly classified information. Hanssen also did not hesitate to walk into Bureau units in which he had worked some time before, log on to stand-alone data systems, and retrieve, for example, the identities of foreign agents whom US intelligence services had compromised, information vital to American interests and even more immediately vital to those whose identities Hanssen betrayed.

During our review of FBI security programs, we found significant deficiencies in Bureau policy and practice. Those deficiencies flow from a pervasive inattention to security, which has been at best a low priority. In the Bureau, security is often viewed as an impediment to operations, and security responsibilities are seen as an impediment to career advancement.

Until the terrorist attacks in September 2001, the FBI focused on detecting and prosecuting traditional crime, and FBI culture emphasized the priorities and morale of criminal components within the Bureau. This culture was based on cooperation and the free low of information inside the Bureau, a work ethic wholly at odds with the compartmentation characteristic of intelligence investigations involving highly sensitive, classified information.

In a criminal investigation, rules restricting information are perceived as cumbersome, inefficient, and a bar to success. A law-enforcement culture grounded in shared information is radically different from an intelligence culture grounded in secrecy. The two will never fully co-exist in the Bureau unless security programs receive the commitment and respect the FBI gives criminal investigations. Even the latter, employing their own sensitive information and confidential sources, will benefit from improved security.

The focus on criminal investigations as the core function of the FBI and the perception of those investigations as the surest path to career advancement has had an important consequence: operational imperatives will normally and without reflection trump security needs. For instance, senior Bureau management recently removed certain security based access restrictions from the FBI's automated system of records, the principal computer system Hanssen exploited, because the restrictions had hindered the investigation of the terrorist attacks. This decision might make a great deal of sense operationally; however, it was made essentially without consulting the Bureau's security apparatus. One result, surely unforeseen and unintended, was general access within the Bureau to information obtained through warrants under the Foreign Intelligence Surveillance Act. The use of that information in criminal investigations is tightly restricted by Constitutional considerations and Department of Justice guidelines. Highly classified FISA information, unidentified as to source and generally disseminated to FBI investigators, violates the basic security principle that such information should be circulated only among those who "need to know."

Operational efficiency is important, especially when our country might be under terrorist siege, and tightening controls on classified information will come with a cost to efficiency and resources. With this in mind and recognizing that we cannot eliminate intelligence efforts directed against us, the Commission attempted to recommend changes in FBI security programs that will minimize the harm those who betray us can do and shorten the time between their defection and detection. Accordingly, the recommendations we make are intended to address significant flaws in the process through which the Bureau generates and implements security policy and protocols for classified information. We believe that, if these recommendations are followed, a workplace culture will be established that recognizes security lapses as significant, restricts access to particular items of classified information to those who need them to perform their jobs, and makes disloyal employees more quickly visible. If these goals are met, the FBI will strike a sound balance between security and operational efficiency.

To this end, we focused our investigation on four areas: the structure of the Bureau's security programs and the policies and procedures designed to ensure the integrity of its personnel, information systems, and documents.

An important component of our work consisted of gathering information about security organization in other agencies so that we could incorporate into our recommendations "best-practices" within the Intelligence Community. Other agencies have substantially enhanced the responsibility and visibility of their security programs within the past few years, often as a consequence of intelligence penetrations. Although the FBI has begun to take steps to improve security, senior management has not fully embraced the changes necessary to bring Bureau security programs up to par with the rest of the Intelligence Community. In general, FBI security programs fall short of the Community norm.

To correct these deficiencies, the Bureau's security function must be given stature, resources, and visibility, and Bureau senior management must commit to a security program as a core FBI function. Accordingly, our principal structural recommendation is that the FBI establish an independent Office of Security, led by a senior executive reporting to the Director, responsible for developing and implementing all Bureau security programs. The Office of Security must have the authority to take critical security issues to the Director and speak with the Director's support.

The Commission also recommends that the FBI consolidate its security functions, which, in sharp contrast to other agencies, are fragmented, with security responsibilities spread across eight Headquarters divisions and fifty-six field offices. Consolidating security functions under a senior executive leading the new Office of Security will prompt management to focus on security, resolve conflicts between operational and security objectives, and foster Headquarters and field coordination.

The Bureau's Office of Security must develop programs to address information system security. Presently, no unit within the FBI adequately addresses this function, a failure whose consequences can be seen in Hanssen's perfidy. Bureau personnel routinely upload classified information into widely accessed databases, a form of electronic open storage that allows essentially unregulated downloading and printing. This practice once again violates the most basic security principal: only personnel with security clearances who need to know classified information to perform their duties should have access to that information. In spite of the practically unrestricted access many Bureau employees have to information affecting national security, the FBI lags far behind other Intelligence Community agencies in developing information security countermeasures. For instance, an informationsystem auditing program would surely have flagged Hanssen's frequent use of FBI computer systems to determine whether he was the subject of a counterintelligence investigation.

We also recommend significant changes in the background investigations potential Bureau personnel undergo before receiving initial security clearances and in the periodic reinvestigations on-board personnel undergo for security concerns. We believe that all personnel should be subject to financial disclosure obligations and that those with access to certain particularly sensitive information and programs should take counterintelligence scope polygraph examinations during their reinvestigations. Unlike other Intelligence Community agencies, the FBI does not foster the career development of security professionals. Security responsibilities are often foisted onto agents as collateral duties, which they eagerly relinquish to return to criminal investigations that promise career advancement. Career tracks should be developed for Security Officers to professionalize these positions and make them attractive.

Bureau security training programs for new agents and on-board personnel are also in great need of improvement. The new Office of Security must develop effective, mandatory security education and awareness programs for all personnel.

The Bureau does not have a viable program for reporting security incidents to Headquarters. Currently, several components play uncoordinated roles in detecting, investigating, and assessing security violations; no single entity has authority to coordinate, track, and oversee security violations and enforce compliance. The Bureau is unable to identify or profile components and personnel who engage in multiple security violations, even when they constitute a pattern. The new Office of Security must address these deficiencies.

The FBI's approach to security policy has been as fragmented as the operation of its security programs. Because no single component is responsible for security policy, critical gaps in security programs have developed. Some of the weakest links in security have resulted from unwritten policies and from implementation of security policies without input from security program managers. The FBI should emulate other agencies by embedding security policy development into its management structure to ensure that security programs are recognized and respected and that security is not inappropriately sacrificed to operational objectives.

Our report is critical of the FBI and with justification. However, we recognize that the Bureau has taken many steps, in light of Robert Hanssen's treason, to improve security. Furthermore, in consistently finding the Bureau's security policy and practice deficient when compared with security at other entities within the Intelligence Community, we do not mean to single out the FBI for criticism. The security programs in most agencies to which we turned to develop a best-practices model have resulted from radical restructuring made necessary as one after another agency discovered that its core had been penetrated by disloyal employees working for foreign interests. Had the FBI learned from the disasters these agencies experienced, perhaps Hanssen would have been caught sooner or would have been deterred from violating his oath to the Bureau and his country. But it is equally true that, had those agencies learned from disturbing patterns of espionage across the Intelligence Community, other treacherous moles might have been caught or deterred. Consequently, in addition to the particular recommendations about Bureau policies we make in our Report, we also make a more global recommendation: a system should be established whereby security lapses in particular entities lead to improved security measures throughout the entire Intelligence Community.

In sum, we do not mean to gainsay the steps the Bureau has taken since Hanssen's arrest to safeguard national security information. Many of those steps have been significant, as has the Bureau's cooperation as we conducted our review. However, before the Bureau can remedy deficiencies in particular security programs, it must recognize structural deficiencies in the way it approaches security and institutional or cultural biases that make it difficult for the FBI to accept security as a core function.