Finding 2:  Improvements to Information Sharing

Following the September 11, 2001, terrorist attacks on the United States, the FBI Director established as the FBI’s highest priority the prevention of future attacks.  The Director realized that the FBI’s antiquated IT systems, weaknesses in intelligence analysis and dissemination, and the existing CTD organizational structure itself were adversely affecting the FBI’s ability to share intelligence and other information both internally and externally.  In response to these recognized weaknesses, the FBI has taken, or is in the process of taking, various steps to more effectively share information within the FBI, with the intelligence community, and with state and local law enforcement authorities.  Although many of the FBI’s efforts to improve information and intelligence sharing are ongoing, we found that progress is being made along several fronts: 1) modernizing the FBI’s IT systems, including a TS/SCI LAN, 2) establishing a professional intelligence capability, 3) reorganizing the CTD and establishing or expanding interagency task forces and other offices in part to allow for better information sharing both internally and externally, and 4) developing Concepts of Operations for improving the FBI’s intelligence program, including information sharing.

Information Technology

        As discussed in Finding 1, the FBI’s archaic information systems have been the main impediment to the FBI’s intelligence-sharing efforts.  The majority of the FBI officials interviewed during our audit agreed that the FBI’s limited and obsolete information systems, lack of compatibility with systems used by the rest of the intelligence community, and the lack of secure systems certified at the TS and SCI levels crippled intelligence sharing within the FBI and to and from the intelligence community.  All the officials with whom we spoke expected that the IT improvements underway will greatly improve the FBI’s ability to share intelligence and other information.  To manage the all-important IT modernization effort, the Director hired seasoned IT professionals from outside the FBI.

        Trilogy is the overarching IT project designed to modernize the FBI’s systems.  Trilogy is intended to upgrade the FBI’s:  1) hardware and software – referred to as the Information Presentation Component, 2) communication networks – referred to as the Transportation Network Component, and 3) five most important investigations applications – referred to as the User Applications Component.  In March 2003, the FBI Director announced that the Trilogy wide area network deployment had been completed.  According to the FBI, the Trilogy network replaces the FBI’s outdated local area and wide area networks.  The Trilogy network will enable new applications, such as the VCF, to replace the FBI’s obsolete ACS case management system and lays the foundation for electronic information sharing with other agencies.  The VCF is part of the user applications component of Trilogy.  As described by the FBI, the VCF is the FBI’s first real change in workflow and processes away from the legacy of paper and the processes of the 1950s.  The FBI expects the VCF, scheduled to come on line in December 2003, to change the way agents and analysts perform their duties and to provide a model for further consolidation of systems and data.  In addition to Trilogy and the VCF, the FBI is working on the development of the Secure Counterterrorism Prototype Environment (SCOPE).  FBI officials told us that SCOPE will provide the FBI with data warehousing and data mining capability.

        Subsequent to the September 11 attacks, the FBI focused on the need to share information both internally and externally.  Recognizing its requirement for a secure system that is certified for processing TS/SCI level material, the FBI began a TS/SCI LAN project in February 2002.  The TS/SCI LAN is not part of Trilogy, but the same wide area network supports both systems.  According to the project manager, the FBI analysts found that given the paper-intensive aspect of the FBI’s intelligence operation and the lack of a secure means of disseminating intelligence electronically, there was no assurance that everyone who needed to see intelligence information actually received it.  The analysts also found that it was difficult to track information.  The TS/SCI information-sharing problem was reported to the FBI Chief Information Officer at that time, a report was presented to the Director, the project was approved, and a budget was authorized.

        The project manager told us that the TS/SCI LAN is a pilot project.  She explained that the TS/SCI LAN is an external system that interfaces with the secure Joint Worldwide Intelligence Communications System (JWICS) and other classified systems used by the intelligence community.  Everyone using the system can connect with the intelligence community and send classified material back and forth through CT-Link and other secure systems with e-mail capabilities.  Access to other classified systems can be approved as needed.

        The implementation of the TS/SCI LAN pilot was to be accomplished through the deployment of [CLASSIFIED INFORMATION REDACTED] terminals in three phases, to be completed in June 2003.  The project manager said the FBI met its June 2003 goal for completing the project.  After the LAN is successfully tested, the FBI plans to expand the pilot to the New York and Washington field offices.  The field office expansion will be a separate project with a separate architecture.  To conserve time and money, the project managers decided to use an existing DOD system that was already accredited and certified for TS/SCI.

        Phase I, for [CLASSIFIED INFORMATION REDACTED] users, mainly intelligence analysts in the CTD, included engineering, design, development, hardware and software procurement, installation, testing, preliminary accreditation, and certification testing.  Phase I was completed in December 2002.  The TS/SCI LAN received interim authority to operate based on:  documenting a security plan, identifying an information systems security officer, documenting the audit policy, and work on security risks as identified by the FBI’s security staff.  The system was certified and accredited at a protection level 2.²⁴  The level 2 certification and accreditation was approved, although the system was tested at a protection level 3 and the FBI is planning to eventually operate at level 3.

        During Phase II of the pilot project, another [CLASSIFIED INFORMATION REDACTED] users were added in the CTD and in the Counterintelligence Division, the user requirements were reviewed, a Configuration Management Plan was developed, and the System Security Plan was completed.  An FBI official told us that the Security Plan is, and will continue to be, a “living document” that will change with enhancements and requests made for system adjustments.  In March 2003, Phase II was completed, and the FBI installed 21 more workstations than initially planned.  At the time of our audit in March 2003, a total of [CLASSIFIED INFORMATION REDACTED] workstations were up and running, and the pilot project was in its third and final phase.  During this phase, the implementation strategy calls for the installation of about [CLASSIFIED INFORMATION REDACTED] more workstations mainly in the CTD and in the Counterintelligence Division, for a total of at least [CLASSIFIED INFORMATION REDACTED] workstations.

        The TS/SCI LAN pilot project is a critical step toward improving the FBI’s information-sharing capability.  At the time of our audit, the pilot project appeared to be meeting its time and performance goals over the approximately 18-month project period.  However, we did not independently assess the cost, schedule, and performance of the pilot project or determine user satisfaction.  Expanding the TS/SCI LAN to the FBI’s field offices will be an ambitious and costly endeavor that should be closely monitored by FBI management.

Intelligence Analysis and Dissemination

        The FBI has undertaken several initiatives to develop and professionalize its intelligence operation and to improve information sharing within the intelligence community.  These methods include personnel exchanges with other federal agencies, particularly the CIA, developing a cadre of professional intelligence analysts and Reports Officers, and establishing an Office of Intelligence independent of the CTD.²⁵

        The exchange of personnel with the CIA is one of the primary means by which the two agencies have attempted to improve their cooperation.  According to an FBI Assistant Director, the exchange of personnel has brought to the FBI a highly qualified group of counterterrorism and intelligence experts to share their expertise.  As of March 2003, the following CIA employees were detailed to the FBI:  4 managers, 25 analysts, and 30 full-time and 6 part-time officers to JTTFs throughout the country.  In commenting on a draft of this report in September 2003, FBI officials stated that nearly all of the CIA personnel detailed to FBI headquarters have returned to the CIA.

        The CIA is also represented on the National JTTF (NJTTF) in FBI headquarters, allowing for the direct exchange of information among the participating agencies.  Before and after the 2001 terrorist attacks, CIA mangers have served as Deputy Section Chiefs in the FBI, and FBI managers have served as Deputy Directors of the CIA’s CTC.  In May 2004, both the CIA’s CTC and the FBI’s CTD are expected to co-locate to further facilitate information sharing between the two agencies.  Since May 1, 2003, CIA and FBI representatives have also served together in the Terrorist Threat Integration Center (TTIC).  The CIA representatives at FBI headquarters and at the JTTFs have access to classified CIA computer systems and intelligence.  However, as mentioned previously, at the time of our audit the FBI’s systems did not allow for the dissemination of TS or SCI information, nor was there any interface between FBI systems and the CIA’s classified systems.  Therefore, information is exchanged between FBI and CIA representatives through conversation, exchange of written intelligence products, and information taken from computer systems, cables, and other documents.  Also, the two agencies share information twice daily through secure video teleconferences, which will be discussed in Finding 3 of this report.

        The FBI is in the process of hiring analysts and Reports Officers for headquarters and field offices and has developed or revised position descriptions and established formal career paths to attract qualified personnel.  However, the entire intelligence community is competing for qualified applicants.  The FBI’s plans for analysts have been evolving since completion of our audit work.  According to the Counterterrorism Division Administrative and Resource Unit, as of March 2003 the FBI planned to have five types of positions involved in the FBI’s intelligence work: 1) Intelligence Specialists, 2) Operations Specialists, 3) Reports Officers, 4) Technical Information Specialists, and 5) Case Management Assistants.  At that time, the goal of the CTD was to hire a total of [CLASSIFIED INFORMATION REDACTED] support personnel, including [CLASSIFIED INFORMATION REDACTED] Intelligence Assistants, [CLASSIFIED INFORMATION REDACTED] Intelligence Operations Specialists, and [CLASSIFIED INFORMATION REDACTED] Intelligence Research Specialists, among others.  Existing Intelligence Research Specialists, who were in grades GS-9 through GS-14, would be called Intelligence Specialists with promotion potential increased up to GS–15.  Personnel hired for this position would be required to have college degrees.  The former Intelligence Operations Specialist position was to be divided into two new positions:  Operations Specialist and Reports Officer.  These positions were to span grades GS–9 through GS-14.  GS-9/11/12 Technical Information Specialists would be data miners who extract information from databases.  The former Investigations Assistants would be called Case Management Assistants at the GS–6/7/8 level and would perform less complex searches and data extraction based on leads from the field offices.  The position descriptions had been written for the GS-14 and GS-15 positions, and position descriptions for the other grades were in the process of being written at the time of our audit work.  A table detailing the status of the hiring process as of March 2003 can be found in Appendix 3.

        The FBI’s September 2003 Concept of Operations on “Human Talent for Intelligence Production” – developed since the Office of Intelligence assumed responsibility for the hiring, training, and promotion of analysts and Reports Officers – modified the CTD’s approach to the hiring and career path of the analysts.  The plan for analysts encompasses three positions and does not address the formerly-planned Technical Information Specialist and Case Management Assistant positions.  The three positions discussed in the current plan are:  Operations Specialists, Reports Officers, and Intelligence Analysts.  In commenting on a draft of this report, FBI officials stated that the utilization of other supporting positions was being evaluated.  Also, the officials clarified that the Intelligence Analyst and Reports Officer positions have full performance levels to GS-14, with competitive promotion to GS-15 possible in headquarters.  The plan suggests the same grade structure for the Operations Specialist position, which currently has a full performance level of GS-14 at headquarters and GS-13 in the field offices.  According to the plan, analysts who do not currently have a college degree will be encouraged to complete a 4-year degree program.

        According to the Chief of the CT Administration and Resources Unit, hiring qualified people for the new Reports Officer positions has been very difficult, despite 60 applicants for each vacancy, because the only analogous position exists in the CIA.  In order to hire the best possible personnel, the FBI’s plan is to start from the bottom up and hire people at the lower grade levels and train them as Reports Officers.  The FBI is also exploring the use of the Presidential Management Intern program to fill the positions.  In February 2003, the Chief estimated that it will take from 12 to 18 months to fully staff the Terrorism Reports and Requirements Section.  In addition, the Chief stated that although the FBI has a deployment plan to locate Reports Officers in the field offices as well as headquarters, a position description for the field Reports Officer position had not yet been developed.  The deployment plan calls for locating four to five Reports Officers in the larger field offices, such as New York and Washington, and one to two in the other field offices.

        While the FBI has identified the types of analyst positions required to enhance its intelligence analysis and reporting capabilities, established career paths, and was in the process of writing position descriptions, the actual hiring of the analysts has been problematic and slow. The reasons for the lack of timely hiring center on identifying qualified applicants and doing the required background investigations necessary for the appropriate security clearances.²⁶

        As of March 2003, the FBI was in the process of developing a training program for the newly hired Reports Officers and analysts.  The FBI was considering the CIA’s model of selecting the analyst, providing formal training, and then placing the person on the job.  Training was to include a 2-week course at the FBI’s College of Analytical Studies and at least a 30-day assignment at FBI headquarters.²⁷  At the time of our audit, the FBI Training Division was working on a curriculum for analysts at the College of Analytical Studies, which will offer introductory, intermediate, and advanced courses.  Some courses were already available – for example, a 1-day Arabic course intended to familiarize analysts with Islamic culture.  The planned training includes bringing subject matter experts from the CIA to offer training.

        In a further step to improve the FBI’s intelligence capabilities and overall management, in April 2003 the Director named an National Security Agency (NSA) executive as the Executive Assistant Director for Intelligence, and an FBI Special Agent in Charge was promoted to Assistant Director of the new Office of Intelligence (OI), which is now a separate office from the CTD.

        During his March 4, 2003, testimony before the Senate Committee on the Judiciary, the Director reported that the Executive Assistant Director for Intelligence was first and foremost responsible for ensuring that the FBI had the optimum strategies, structure, and policies in place to support the FBI’s counterterrorism mission.  The Director stated that the OI will cover all types of intelligence activities including counterterrorism, counterintelligence, criminal, and cyber and will be responsible for ensuring that the FBI is sharing information with its federal, state, and local partners.  Further, OI was to be responsible for:  1) establishing and managing the careers and career development of analysts and Reports Officers throughout the FBI, 2) managing the FBI’s intelligence requirements process, and 3) establishing and managing newly designated intelligence units composed of agents and Reports Officers located in each of the FBI field offices.  The Assistant Director for Intelligenceanticipated that the OI would task field office intelligence units to develop collection strategies to meet the FBI’s intelligence requirements.  In addition, the Assistant Director for Intelligence told us that the OI will have a Confidential Sources component to centralize under a standard policy the development and use of all human sources involving both criminal and terrorist activities.

        Analysts and Reports Officers are physically located in the CTD (and certain other operating divisions and offices) and are under the operational control of the division.  The OI will exercise administrative control over the analysts and Reports Officers and will manage their careers, including hiring, training, promotion, and placement.  FBI officials said they did not anticipate any organizational friction over the split between operational and administrative control of the analysts and the Reports Officers.

Reorganization of the Counterterrorism Division

        In part to improve counterterrorism operations and intelligence analysis and in part to enhance the exchange of information, in June 2002 the FBI began reorganizing the CTD and expanding the number of sections from two to nine.  (See the CTD organizational chart of page 7 of this report.)  The nine sections are located among two operational branches and one analysis branch under separate Deputy Assistant Directors.  While the reorganization of the CTD itself represents a desire to improve information sharing, a number of sections and units began individual initiatives to enhance information-sharing processes.  Because the reorganization illustrates one of the Director’s key efforts to improve the flow of information both within the FBI and externally, a detailed description of each section and its initiatives for sharing intelligence information follows.

        The Counterterrorism Operations Branch

        The Deputy Assistant Director for the Counterterrorism Operations Branch manages the following five sections:  1) the Terrorist Financing Operations Section (TFOS), 2) Domestic Terrorism Operations Section (DTOS), 3) International Terrorism Operations Section I (ITOS I), 4) International Terrorism Operations Section II (ITOS II), and 5) Terrorism Reports and Requirement Section (TRRS).

        The TFOS is an operating section that supports the other CTD operational sections by providing information on terrorist financing.  This section was formed in response to the need for a more comprehensive, centralized approach to investigating terrorist financial matters.  The TFOS mission is to identify, investigate, prosecute, disrupt, and incrementally dismantle all terrorist-related financial and fund-raising activities.  The section is composed of four units:  Radical Fundamentalist Financial Investigative Unit, Domestic WMD and Global Financial Investigations Unit, Global Extremist Financial Investigations Unit, and Financial Intelligence Analysis Unit.

        At the time of our audit, the TFOS was in the process of identifying public, private, and government sources of information on terrorist financing.  TFOS documents stated that in its efforts to improve the sharing of information within and outside the FBI, the TFOS was working on: 1) conducting a national and international outreach initiative to share information on terrorist financing methods with the financial and law enforcement communities, 2) developing capabilities to predict trends and patterns associated with terrorist activities, and 3) contacting the financial services industry in order to facilitate the exchange of knowledge and data concerning potential terrorist financial activities.  In addition, according to TFOS managers, the section has established extensive liaison with key federal agencies and with state and local law enforcement agencies.  The TFOS shares financing data and analyses with the intelligence community.  To improve its working relationship with the JTTFs, the TFOS was in the process of identifying and training Terrorist Financing Coordinators to be located within each JTTF.²⁸  The coordinator is to ensure the consistent flow of terrorist financing information to and from the JTTFs.  Further, the Financial Intelligence Analysis Unit of TFOS was acquiring project management software for managing tasks and assigning accountability.  The Unit Chief stated that the software would help him manage and improve the sharing of information related to terrorist financing and would be compatible with the FBI’s new Trilogy system.

        The DTOS is one of the two sections remaining from the previous CTD structure.  Under the new CTD organization, the DTOS is composed of the following four units: 

• Domestic Terrorism Operations – is responsible for investigating all domestic terrorist cases (not foreign-based or foreign supported terrorists), from right wing anti-government and white supremacist groups to left wing animal rights and environmental extremists and others such as the Macheteros revolutionaries in Puerto Rico.

• WMD/Unconventional Threats Operations Unit – assesses terrorist threats involving WMD and performs related investigations.

• WMD/Unconventional Threat Countermeasures Unit – is responsible for providing training and policy guidance to other FBI offices and to state and local first responders.

• Special Events Unit – works with the U.S. SecretService and the Federal Emergency Management Agency in coordinating security for special events. 

        The FBI applies a broad definition of terrorism in the types of matters covered by the DTOS.  In addition to domestic terrorists who might seek to create mass casualties to further their anti-government views, the DTOS also monitors and investigates any criminal activities associated with animal rights, environmental, and anti-abortion extremists, as well as by certain social protestors.  According to the Section Chief, the activities of these types of social extremist groups have become more violent over the years.  The Section Chief cited as an example the Animal Liberation Front’s attacks against animal testing laboratories to protest animal testing.

        To the extent that the FBI seeks to maximize its counterterrorism resources to deal with radical Islamic fundamentalist terrorism, WMD, and domestic groups or individuals that may seek mass casualties, we believe that FBI management should consider the benefit of transferring responsibility for criminal activity by social activists to the FBI’s Criminal Investigative Division.  Although the activities of such groups fall under the FBI’s definition of domestic terrorism, a more focused definition may allow the FBI to more effectively target its counterterrorism resources.  In commenting on a draft of this report, FBI officials disagreed that any part of the DTOS investigative activities, including property crime, should be considered for transfer to the Criminal Investigative Division.  The officials stated that the activities of radical groups and individuals fall within the definition of domestic terrorism in Title 18, U.S.C. 2331(5).  The officials further commented that domestic radicals have caused economic harm, and such groups use methods similar to international terrorists such as in the areas of operational and communication security, fund raising, and money transfers.

        To reduce manager’s span of control, in the summer of 2002 the former ITOS was split into two separate operating sections.  ITOS I was assigned al-Qaeda and other Sunni-type terrorist groups.  The section is composed of the following three units:  Regional/Extraterritorial, Continental United States (CONUS) I, and CONUS II.  The ITOS I Section Chief told us that his section shares information with state and local law enforcement authorities primarily through the JTTFs.  The fact that all JTTF members hold security clearances allows for the exchange of classified intelligence information.  The JTTFs in turn provide information to FBI headquarters; FBI counterterrorism squads provide information on leads or investigations in the form of Urgent Reports and/or the more formal and slower EC.  Information from the intelligence community arrives in the section [CLASSIFIED INFORMATION REDACTED].  However, according to the Section Chief, [CLASSIFIED INFORMATION REDACTED] from the intelligence community were not necessarily distributed to those FBI employees who needed the information.  Pending IT improvements that may resolve the problem, at the time of our audit ITOS I was setting up a system so that when communications arrive at the FBI [CLASSIFIED INFORMATION REDACTED] would ensure that the information was forwarded to the proper FBI section.

The ITOS II is responsible for operations dealing with terrorism groups and State sponsors of terrorism other than Al-Qaeda and other Sunni fundamentalists.  ITOS II has the following three units.

• Global Operations Unit – [CLASSIFIED INFORMATION REDACTED].

• Iran/Hizballah Unit – [CLASSIFIED INFORMATION REDACTED].

• Middle East Operations Unit – [CLASSIFIED INFORMATION REDACTED].

        The ITOS II has a CIA manager serving as Deputy Section Chief, and an FBI manager is detailed to the CIA’s CTC as a Deputy Director.  According to the Section Chief, this interagency exchange facilitates coordination with the intelligence community at large.  Not only does information sharing take place face to face, but [CLASSIFIED INFORMATION REDACTED].  As with the CIA, a DOD representative is also located at the ITOS II, and an FBI employee is assigned to DOD.  At the time of our audit, the FBI reported [CLASSIFIED INFORMATION REDACTED].

        The ITOS II Section Chief told us that there are no restrictions on the sharing of information with other agencies in the intelligence community.  He added that all parties recognize that some information is unique to an agency and its mission and that sources and methods may be deleted from the information.

        Because the FBI does not have a system that allows for electronic review of all FBI documents, the ITOS II was experimenting with a quasi-electronic review using the existing internal e-mail system.  Under this “work-around” system, a supervisor receives an e-mail with the document in question as an attachment.  If the supervisor wants to make a change, he/she will be able to confirm that he/she has reviewed the document through an e-mail.  Legal documents, highly classified information, and Foreign Intelligence Surveillance Act (FISA) related documents continue to be reviewed only as hard copies.

        The TRRS is a new section designed to provide the FBI with an intelligence collection, analysis, and reporting capability.  Although not fully staffed at the time of our audit, the section was led by an experienced CIA manager.  When fully staffed, it will be composed of the following five units:  Reports Policy and Asset Vetting Unit; Radical Fundamentalist Extremist Collection, Evaluation, Dissemination Unit; Global Middle East Extremist Collection, Evaluation, Dissemination Unit; WMD Unconventional Threat Collection, Evaluation, Dissemination Unit; and Domestic Collection, Evaluation, Dissemination Unit.

        The TRRS is working with the CTD headquarters sections, field offices, Legal Attaches abroad, the intelligence community, and other customers to identify and address intelligence requirements and gaps.  At the time of our review, the TRRS had produced and disseminated within the FBI and to intelligence agencies numerous products, including about 350 Intelligence Information Reports (IIRs).  The IIRs will be further described and discussed in Finding 3 of this report.

        The TRRS Section Chief is working on several initiatives to fully develop the TRRS and its analysts and Reports Officers.  For example, she was developing a training plan for the Reports Officers, had written a position description, was developing a proposal for a formal career path, and planned to develop a policy manual to make the section a professional intelligence reporting organization similar to the CIA’s reporting operation.

        The Operational Support Branch

        The Deputy Assistant Director of the Operational Support Branch manages the CTD’s administrative and resource functions, FBI detailees to other agencies, and the Foreign Terrorist Tracking Task Force, which is discussed later in this section of the report.  The branch also manages the Counterterrorism Operational Response Section and the National Threat Center Section. 

One main element of the Counterterrorism Operational Response Section is the NJTTF.²⁹  About 30 federal agencies are represented in the NJTTF.  Participants include the intelligence agencies, DOD, Internal Revenue Service, DHS, and the Washington Metropolitan Police Department.  According to the FBI, NJTTF members have security clearances and receive all intelligence and other information that their FBI counterparts receive.  As part of its efforts to improve information sharing with state and local law enforcement, the FBI plans to establish a fellowship program to bring officers from different states into the NJTTF so they can see first hand what information is and is not available.  The NJTTF also conducts special projects to share the results with state and local law enforcement agencies, such as determining:  1) the characteristics of “lone wolf” offenders, and 2) what can be done to identify terrorist sleeper cells.  The NJTTF is also responsible for the “Gateway” or St. Louis pilot project, an effort to create a data warehouse of FBI, state, and local investigative case information for access by the FBI and participating state and local law enforcement agencies.  Further details on the “Gateway” project are in Appendix 4.

        After the September 11 terrorist attacks, the FBI established an Executive Watch in the SIOC to allow FBI executives to receive updates and information about terrorist events around the clock.  Since then, a central threat unit evolved, and the National Threat Center Section (NTCS) was established in late 2002 and then reconfigured early in 2003 to include the:  1) Threat Monitoring Unit, 2) Terrorist Watch and Warning Unit, and 3) Counterterrorism Watch Unit (CT Watch).  Although the NTCS has neither an investigative nor an analytical role, the section performs limited initial analysis to determine the validity of a threat and which operational unit needs to be notified for investigation or other operational response.  The NTCS also provides input to the Director’s Briefing, including the Threat Matrix.  The Director’s Briefing and the Threat Matrix are discussed in Finding 3 of this report.

        According to the Chief of the Threat Monitoring Unit, the unit was initially known as the Threat Analysis Operations Group and, because all of the September 11 attacks involved hijacked aircraft, the group tracked only aviation threats.  Eventually the group begancollecting data on all threats.  Under the CTD reorganization, the Threat Analysis Operations Group became the Threat Monitoring Unit with expanded responsibilities for threat monitoring and information sharing.  The Threat Monitoring Unit is neither an operational unit nor an analytical unit, since the unit does not initiate leads or have a role in prosecutions.  An FBI official described it as a “conduit.”  The mission of the Threat Monitoring Unit is to ensure that operational units within the FBI and agencies with counterterrorism responsibilities outside of the FBI receive information on terrorist threats.  According to the Unit Chief, once information on a threat is passed to the appropriate operational unit, the Threat Monitoring Unit continues to communicate with the operational unit until the threat reaches one of four outcomes:  1) mitigation, 2) determination the threat is not credible, 3) the threat is investigated to the point where there are no more actionable leads, or 4) the threatened event actually occurs.

        The Unit Chief told us that the Threat Monitoring Unit created a database of all credible threats it had received since September 11, 2001.  The database includes a description of each threat and its resolution.  As of March 2003, the unit had chronicled about 2,500 threats in this database.  The system has key word search capability and [CLASSIFIED INFORMATION REDACTED].  Currently, the database is only available within the FBI.  However, the Threat Monitoring Unit is planning to disseminate the data [CLASSIFIED INFORMATION REDACTED].

        The Terrorist Watch and Warning Unit, established in March 2002, is responsible for providing state and local law enforcement agencies with warnings about terrorist threats and for maintaining the FBI’s Terrorist Watch List in the National Crime Information Center (NCIC) system.  The unit also has input to the color-coded threat warning system managed by the DHS.  To accomplish its mission of sharing FBI information with state and local law enforcement agencies nationwide, the unit disseminates weekly unclassified Intelligence Bulletins, Quarterly Threat Assessments, and periodic National Law Enforcement Telecommunications System (NLETS) messages to state and local law enforcement agencies on a “law enforcement sensitive” basis.  The information disseminated in these products includes background on terrorist groups, their activities, and their methods of operating.  These products will be further described and discussed in Finding 3 of this report.

        The Terrorist Watch and Warning Unit’s Terrorist Watch List responsibilities entail placing names of terrorist suspects from the FBI’s Violent Gang and Terrorist Offender File into the NCIC for access by law enforcement officers who, through traffic stops or arrests, may encounter a terrorist suspect.  In addition to the name of the possible terrorist, the NCIC entry includes guidance of what action the law enforcement officer should take:  detain the person, arrest the person, or call the local JTTF.  As of March 2003, there were approximately 5,000 names listed in the Terrorist Offender section of the Violent Gang and Terrorist Offender File.  Of those 5,000, about 2,500 are international terrorism suspects, about 1,300 are detainees, and about 1,200 are domestic terrorism suspects.  The list is continuously updated.

        The CT Watch Unit receives and screens incoming threat information.  The staffing of CT Watch includes a watch commander, two watch officers, two Intelligence Operations Specialists, two investigation research specialists, one representative from the Threat Monitoring Unit, one representative from the Terrorist Watch and Warning Unit, and two supervisory special agents.  The watch commander, watch officer, and Intelligence Operations Specialist positions are staffed 24 hours a day, 7 days a week.  All other positions are staffed 16 hours a day, 7 days a week.

        According to the Chief of the CT Administrative and Resource Unit, the NTCS assumed responsibility for both the SIOC staff and facility in March 2003.  The Chief of the NTCS had pointed out that although the SIOC was not initially intended to be a counterterrorism operations center, roughly 95 percent of the events that have required the use of the SIOC facility have been related to terrorism.

In addition to each unit’s initiatives, the Chief of the NTCS told us that he is in the process of writing a concept of operations that will outline a system for the flow of information within the section.  He said he also is developing a protocol to scrub information on intelligence sources and methods from the threats database to allow the information to be placed [CLASSIFIED INFORMATION REDACTED] for dissemination outside of the FBI.

        The Counterterrorism Analysis Branch

        The third branch in the current CTD organization is the Counterterrorism Analysis Branch.  The Deputy Assistant Director for Counterterrorism Analysis manages the Counterterrorism Analysis Section and the Communication Exploitation Section.  The branch also includes a Strategic Assessment and Analysis Unit, Production and Publications Unit, and Presidential Support Group (subsequently transferred to the Office of Intelligence).

        As with the TRRS, at the time of our audit the Counterterrorism Analysis Section was in the process of being formed to help bring to the FBI a more comprehensive and professional intelligence analysis capability.  The section was managed by an experienced CIA official on detail to the FBI and had 25 CIA analysts on one-year details to support the CTD’s operational sections, chiefly ITOS I, ITOS II, and DTOS.  To permanently staff the section, the FBI was in the process of recruiting analysts and providing them with a career path.  When fully staffed, the section is expected to have the following five units:  Domestic Sunni Extremist Unit, Shia/Middle East Analysis Unit, Foreign Links/Global Targets Analysis Unit, Domestic Terrorism Analysis Unit, and WMD and Emerging Weapons Analysis Unit.

        The Communication Exploitation Section was established [CLASSIFIED INFORMATION REDACTED].  The section has four units:  [CLASSIFIED INFORMATION REDACTED].

        According to the Section Chief, [CLASSIFIED INFORMATION REDACTED].  The Section Chief told us that any information gleaned is immediately shared among three organizations:  the CIA for Outside Continental U.S. (OCONUS) leads on terrorists, the FBI for CONUS leads, and the DOD for force protection.

        [CLASSIFIED INFORMATION REDACTED].  The Section Chief told us that the FBI partners with [CLASSIFIED INFORMATION REDACTED].

        [CLASSIFIED INFORMATION REDACTED].  The Section Chief told us that [CLASSIFIED INFORMATION REDACTED].  He added that any threat-related information is then disseminated, [CLASSIFIED INFORMATION REDACTED], to FBI units responsible for issuing warnings and taking operational action.  [CLASSIFIED INFORMATION REDACTED].

        At the time of our audit, [CLASSIFIED INFORMATION REDACTED] was in the process of building the necessary infrastructure to better manage and disseminate intelligence.  The unit was responsible for setting up [CLASSIFIED INFORMATION REDACTED].  The Section Chief told us that an upcoming [CLASSIFIED INFORMATION REDACTED].  The system will allow an FBI headquarters supervisor to track the progress of a field office in the following areas:  [CLASSIFIED INFORMATION REDACTED]?  This initiative, which affects eight FBI divisions, had been approved at the Executive Assistant Director level and at the time of our audit was awaiting the approval of the Deputy Director.

Task Forces

        As indicated previously in this report, the FBI has established several types of task forces to aid its ability to perform its high-priority mission of preventing terrorist attacks and to facilitate the sharing of information with participating federal, state, and local agencies.  In addition to the NJTTF discussed earlier in this section of the report are the local and the regional JTTFs and the Foreign Terrorist Tracking Task Force.

        The Joint Terrorism Task Forces

        To enhance its responsiveness to the terrorist threat and to provide for direct sharing of intelligence and other information, the FBI has increased the number of JTTFs from 36 in 2001 to 84 in 2003.  In addition to FBI personnel, JTTFs include state and local law enforcement officers and representatives of various federal agencies.  The JTTFs are supervised by FBI Supervisory Special Agents and are locally managed by the Special Agent in Charge or Assistant Directors in Charge of the respective field office.  The first formal JTTF was established in New York City in 1980.

        The task forces vary in size from office to office and are structured in relation to the terrorism threat dealt with by each office.  Examples of federal law agencies participating in the JTTFs on a part-time or a full-time basis include the former Immigration and Naturalization Service (INS); former Customs Service; U.S. Secret Service; Naval Criminal Investigative Service; Bureau of Alcohol, Tobacco, and Firearms; U.S. Marshals Service; and U.S. Department of State’s Diplomatic Security Service among others.³⁰  The JTTFs generally have about 40 to 50 people assigned to them; however, some, such as New York, have as many as 500 people.  At the time of our audit approximately 1,245 FBI agents, 650 state and local law enforcement officers, and over 400 federal agency representatives served full-time in JTTFs.  Additional members participate in the JTTFs on a part-time basis.  All JTTFs (and FBI field offices) are responsible for investigations involving international terrorism, domestic terrorism, WMD, and national infrastructure protection.

        According to several FBI officials, JTTFs routinely share intelligence and other information within the task force, the members of which all have TS security clearances.  State and local law enforcement agencies may pass along information to their home agencies on a cleared and need-to-know basis.  However, as discussed in Finding 1, many higher-level state and local law enforcement officials have not applied for security clearances and do not have lawful access to the information available to the JTTF participants.  The information-sharing method varies from one JTTF to another, but is largely informal and based on direct discussion or the exchange of hard copy documents.  Again, the FBI’s IT problems prevent the electronic dissemination of classified information.

        The FBI is working on standardizing the mechanism for sharing information with state and local law enforcement agencies through the JTTFs.  Any threat information developed by the JTTFs is to be communicated directly to the CT Watch Unit in FBI headquarters.  Some local JTTFs have their own information-sharing initiatives.  For example, the Dallas and Houston JTTFs have begun a project to notify state and local law enforcement agencies of terrorism threats through pagers with text messaging capability.

        Foreign Terrorist Tracking Task Force

        On August 6, 2002, the Attorney General directed that the Foreign Terrorist Tracking Task Force be formally consolidated with the FBI’s CTD.  The Foreign Terrorist Tracking Task Force operates under a Section Chief within the CTD’s Operations Support Branch, who also has the title of task force Director.  Homeland Security Presidential Directive 2 states that the mission of the task force is to:  1) deny entry into the United States of aliens associated with, suspected of being engaged in, or supporting terrorist activity; and 2) locate, detain, prosecute, or deport such aliens already present in the United States.  The Foreign Terrorist Tracking Task Force has three units:  1) the Tracking and Detection Unit, 2) the Flight Training Security Unit, and 3) the Alien Security Advisory Unit.

        Within the Foreign Terrorist Tracking Task Force, the Tracking and Detection Unit has the core function of preventing and detecting the entry of terrorists into the United States.  The Tracking and Detection Unit’s primary analytical process is to compare a list of known terrorists and supporters with data sets of public and private providers.  The Flight Training Security Unit is responsible for implementing Section 113 of the Aviation and Transportation Security Act.³¹  The Alien Security Advisory Unit largely supports the former INS in implementing the National Security Entry Exit Registration System, the Congressionally mandated system that requires registration of certain males from certain countries between certain ages.  The main work of the task force is to compare aggregated data sets in an attempt to identify and locate known terrorists or their supporters.  To accomplish this the task force uses the Department of State’s Tipoff system, the Terrorist Offender portion of the NCIC, and I-94 data collected by the from non-immigrant aliens.³²

The Office of Law Enforcement Coordination

        In April 2002, the Director appointed a former Chief of Police as the Director of the FBI’s Office of Law Enforcement Coordination (OLEC). The OLEC was established to improve coordination and liaison between the FBI and the federal, state, and local law enforcement communities.  The goals of the OLEC were to:  1) build partnerships with the law enforcement community, 2) enhance the FBI’s customer service to the law enforcement community, 3) ensure the administrative effectiveness of the OLEC team, and 4) measure and evaluate performance.  The OLEC’s strategic plan included among its objectives:  1) provide general counterterrorism guidance to state and local law enforcement, 2) help clarify the roles of various law enforcement community members in the fight against terrorism, 3) promote information sharing in the law enforcement community through Law Enforcement Online and other technologies, and 4) help state and local law enforcementoperationalize their response to the Homeland Security Advisory System.

        According to OLEC documents, the OLEC provides advice and guidance to FBI executives regarding the utilization of state and local law enforcement expertise and resources in criminal, cyber, and counterterrorism investigations, and recommends policies and programs to enhance the FBI’s relationships with its state and local partners.  The OLEC coordinates the Director’s Law Enforcement Advisory Group and certain aspects of the FBI’s intelligence and technology efforts with state and local law enforcement.  Additionally, the OLEC serves as the FBI’s primary point of contact for national law enforcement organizations such as the International Association of Chiefs of Police, the National Sheriffs Association, and the Fraternal Order of Police.  The OLEC is also responsible for liaison with the Department of Justice’s Office of Justice Programs and Office of Community Oriented Policing Services.

The Terrorist Threat Integration Center

        In January 2003, during his State of the Union Address, the President announced an initiative to better protect the nation by continuing to close the “seam” between the analysis of foreign and domestic intelligence on terrorism.  The President asked the Director of Central Intelligence (DCI) and the Director of the FBI to work with the Attorney General and the Secretaries of Homeland Security and Defense to develop the unified TTIC.  The purpose of the center is to merge and analyze terrorist-related information collected domestically and abroad in order to form the most comprehensive possible threat picture.  Although the center is not to engage in information collection, it can establish requirements for the participating agencies.  Specifically, the center is to:

• optimize the use of terrorist threat related information, expertise, and capabilities to conduct threat analysis and inform collection strategies;

• create a structure that ensures information sharing across agency lines;

• define the criteria and standards for terrorist threat reporting;

• be responsible and accountable for providing terrorist threat assessments to national leadership;

• play a lead role in overseeing a national counterterrorism tasking and requirements system and for maintaining shared databases; and

• maintain an up-to-date database of known and suspected terrorists that will be accessible to federal and non-federal officials and entities, as appropriate.

        The TTIC was officially established on May 1, 2003, and is led by a former Deputy Executive Director of the CIA.  He was appointed by the DCI in consultation with the FBI Director, the Attorney General, and the Secretaries of Homeland Security and Defense, and he reports to the DCI.  The center began operating with 50 personnel from the Department of State, DOD, DOJ/FBI, DHS, and other intelligence community agencies.  The TTIC was expected to have a staff of 150 by October 2003.  The TTIC now produces the Threat Matrix and, with FBI input, the Presidential Terrorism Threat Report.

        According to the FBI Director, the TTIC will be crucially important to the success of the FBI mission.  He said that he views the center as an important resource that will provide the FBI and other federal intelligence and law enforcement entities with integrated analysis of information from all sources, which can be quickly shared with state and local law enforcement.

        On May 1, 2004, the TTIC is expected to co-locate with elements of the FBI’s CTD and the CIA’s CTC.  The joint facility will accommodate [CLASSIFIED INFORMATION REDACTED] TTIC personnel and [CLASSIFIED INFORMATION REDACTED] employees from the CTC and CTD.  In testimony before the Senate Committee of the Judiciary on March 4, 2003, the FBI Director stated that this co-location will:

• speed the creation of compatible information infrastructure with enhanced capabilities, expanded and more accessible databases, and greater [data] network sharing on counterterrorism issues;

• enhance interaction, information sharing, and synergy among U.S. officials involved in the war against terrorism;

• potentially allow for the FBI and the CIA to manage more effectively their counterterrorism resources by reducing overhead and redundant capabilities; and

• further enhance the ability of comprehensive, all source analysis to guide their collection strategies.

He further stated that the co-location will afford greater opportunity to the FBI and the intelligence community to enhance the coordination of operations against terrorist targets inside and outside the United States.

Concepts of Operations

        In May 2003, Director Mueller appointed an Executive Assistant Director for Intelligence.  One of her first initiatives was an effort to reevaluate how the FBI structures and conducts its intelligence operations.  This 10-week initiative produced Concepts of Operations that provide a framework for improving each of nine core intelligence functions defined by the FBI.  The FBI’s Office of Intelligence, in cooperation with the FBI’s headquarters’ divisions, created the plans.  As of September 2003, four Concepts of Operations had been approved and issued to the field offices, and five of the plans were in draft.  Five of the nine plans discuss information sharing and intelligence dissemination, including one draft plan specifically dealing with information sharing.  The nine Concepts of Operations are entitled:

• Community Support (draft as of August 2003)
• FBI Intelligence Assessment Process (final in August 2003)
• FBI Intelligence Requirements and Collection Management Process (final in August 2003)
• FBI Field Office Intelligence Operations (final in August 2003)
• Forecasting Intelligence Program Operational Requirements (draft as of August 2003)
• Human Talent for Intelligence Production (final in September 2003)
• Integrated Information Sharing (draft as of July 2003)
• Intelligence Production and Use (draft as of July 2003)
• Intelligence Program Budget Formulation Process (draft as of August 2003).

        The FBI’s Concepts of Operations are a significant first step toward revamping and institutionalizing the FBI’s intelligence processes by establishing a vision for the various components of the intelligence program and related information-sharing processes.  The plans vary in their degree of specificity, but all establish a basic framework.  Additional work is required  to develop the procedures required to implement the plans.  Also, the plans are not yet incorporated into formal FBI policy.  Other aspects to be considered include an assessment of any budgetary implications to carrying out the plans and the timeframes for accomplishing the overall end state of the intelligence program reinvention process.  We noted that some of the plans include language that could be adopted into formal FBI policy manuals.  For example, the draft Integrated Information Sharing Plan lists the following eight guiding principles that the FBI expects to apply to its information sharing strategy.

• All FBI data is to be shared within the FBI, with very few exceptions.

• The ownership of FBI information is corporate; no individual division or employee “owns” FBI information.

• The FBI will have a single, integrated information space, in which the default will be to share with agencies with due consideration for the protection of sources and methods, and the security and prosecutive objectives of investigations.

• The FBI will not filter information internally but instead will create an overarching FBI-wide policy that balances the need for cross-correlation with the risks of misuse.

• The view of what the FBI collects and what the FBI creates will look very similar.

• All data collected must also be recorded, searchable, retrievable, and easily cross-correlated.

• FBI employees will have the ability to conduct federated queries across multiple systems to identify relationships.

• Technology will be in service of people instead of people in service of technology.  The FBI must have interconnectivity with Intelligence Community systems.  Additionally, the FBI must leverage existing technologies instead of rebuilding them.

The information sharing plan recognizes the need for the development of an associated policy, as follows:

The OI will be the primary author of high-level information sharing policy for the FBI.  Intelligence capability is the ability to transform raw data into actionable information.  For this reason, the OI has a policy level interest in the accessibility of raw data as well as finished intelligence products.  It is the intention of the OI to produce and update this policy with the input and participation of all relevant headquarters and field divisions.  These include not only the operational divisions but much of the “support” infrastructure as well.

Conclusions

        In recognition of its longstanding weaknesses and to accomplish its highest priority of preventing future terrorist attacks, the FBI has begun a number of initiatives that, in time, should improve its ability to share intelligence and other sensitive information both within the FBI and externally.  To solve its problem with processing and sharing information classified above the Secret level, the FBI is implementing a TS/SCI LAN pilot program in addition to the Trilogy project and its VCF and SCOPE components.  Because of the importance and difficulty of these FBI IT projects, we believe they require continued close monitoring by FBI management, including the expansion of the TS/SCI LAN to the FBI’s field offices.

        In addition, the FBI is working to improve its relationship with other members of the intelligence and law enforcement communities.  To accomplish this, the FBI exchanged personnel with the CIA, DOD, and other federal agencies and is working closely with other agencies in the NJTTF, the JTTFs, and the TTIC.  Still, differences in organizational cultures and operating methods may continue to impede the free flow of information, at least in the short term.  The FBI Director’s emphasis on information sharing and interagency cooperation should, over time, help break down the barriers between the FBI and other agencies that in the past have prevented a more seamless counterterrorism effort.  To improve its relationship with state and local law enforcement, the FBI established the Office of Law Enforcement Coordination and has developed law enforcement sensitive products, which are discussed in Finding 3.  These attempts to reach out to state and local law enforcement officials have been helpful but have not remedied concerns of some officials that the FBI too often withholds information.  The FBI’s plan to have state and local law enforcement representatives rotate into the NJTTF may help state and local law enforcement officials better understand the limited nature of intelligence on terrorist groups and activities.

        A major effort is underway to hire and train Reports Officers, Intelligence Analysts, and Operations Specialists.  To attract and retain the highest qualified individuals, the FBI has rewritten position descriptions, established career paths, and at the time of our audit was in the process of developing a training plan.  However, progress has been slow in hiring qualified analysts.  The OIG plans to conduct a separate audit of the hiring and training of FBI analysts beginning in September 2003.

        In less than a year, the FBI has expanded the CTD from two to nine sections.  New sections were created for terrorism financial review, terrorism reporting, counterterrorism analysis, and communications analysis.  The FBI’s greater organizational emphasis on counterterrorism is an appropriate step toward the goal of transforming the FBI into an agency that can prevent terrorism as well as investigate terrorist acts after the fact.  The FBI’s new organizational structure should also facilitate information sharing through units established for that purpose.  FBI management should monitor the operating relationship between the CTD and the newly-created Office of Intelligence to ensure coordinated action and adequate support of the CTD’s mission on the one hand and proper training and utilization of analysts on the other hand.  Also, the CTD’s Domestic Terrorism Operations Section should focus on threats involving weapons of mass destruction and preventing domestic terrorist attacks aimed at creating mass casualties or damaging critical infrastructure.  We believe that the FBI should consider assigning other investigations involving, for example, social protests and property crimes committed by environmental, animal rights, and other radical groups and individuals to the FBI’s Criminal Investigative Division.

        The recent development of FBI-wide Concepts of Operations to improve the overall intelligence function in the FBI is a good and necessary beginning toward establishing guidance and laying the foundation for formal policy and procedures on information sharing.  The plans provide broad guiding principles for information sharing and collectively can serve as a springboard for reinventing the FBI’s intelligence program.

Recommendations

        We recommend that the Director of the FBI:

3. Consider transferring responsibility for investigating crimes committed by environmental, animal rights, and other domestic radical groups or individuals from the Counterterrorism Division to the Criminal Investigative Division, except where a domestic group or individual uses or seeks to use explosives or weapons of mass destruction to cause mass casualties.

4. For each Concept of Operations, develop an implementation plan that includes a budget along with a time schedule detailing each step and identifying the responsible FBI official.

24. The National Security Agency (NSA) has established a 4-level protection rating, with level 1 being the least secure.
25. In September 2003 the FBI announced that it would manage a multi-agency Terrorist Screening Center that consolidates the various agency watch lists. The Center was established on December 1, 2003, but was not yet fully functional.
26. In this audit we did not evaluate the adequacy of the number of analysts to be hired, the qualifications of analysts already hired, or the deployment and utilization of the analysts. The OIG plans to begin a separate audit of the hiring and training of the FBI's intelligence analysts in September 2003.
27. The FBI established the College of Analytical Studies in October 2001 in Quantico, Virginia.
28. The JTTFs will be discussed in more detail later in this section of the report.
29. The other elements of the Counterterrorism Operational Response Section are the Fly-Away Rapid Deployment Teams and the Military Liaison and Detainee Unit.
30. A number of these agencies, including the INS, Customs Service, and Secret Service are now part of the Department of Homeland Security.
31. Section 113 directed the Attorney General to conduct background investigations and assess the risk of aliens who want to train as pilots - and receive FAA certification - of planes weighing over 12,500 pounds.
32. The I-94, or Arrival-Departure Record, shows the date a person arrived in the United States and the "admitted until" date. An I-94 that has been approved by an immigration agent serves as proof that the person arrived in the country legally and did not overstay.