April 1, 2003–September 30, 2003
Office of the Inspector General
THE FEDERAL BUREAU OF INVESTIGATION
THE FBI'S PERFORMANCE IN DETERRING, DETECTING, AND INVESTIGATING THE ESPIONAGE ACTIVITIES OF ROBERT PHILIP HANSSEN
Over the course of more than 20 years, former FBI supervisory special agent Robert Philip Hanssen compromised some of this nation's most important counterintelligence and military secrets, including the identities of dozens of human sources, at least three of whom were executed. Hanssen's espionage began in November 1979 - three years after he joined the FBI - and continued intermittently until his arrest in February 2001, just two months before his mandatory retirement date.
Shortly after his arrest, the Senate Select Committee on Intelligence and the Attorney General asked the OIG to review the FBI's performance in connection with the Hanssen case. In response, the OIG analyzed more than 368,000 pages of material and conducted more than 200 interviews and in August 2003 completed a 674-page report describing the results of the review. This report is classified at the Top Secret/Codeword level because it contains extremely sensitive classified information regarding sources involved in the case and FBI counterintelligence activities. The OIG also produced a 383-page version of the report classified at the Secret level and a 31-page unclassified executive summary to provide a public summary of the main findings.
Our review of the Hanssen case revealed that there was little deterrence to espionage at the FBI during Hanssen's 25-year career. The FBI did not employ basic personnel security techniques - such as counterintelligence polygraph examinations and financial disclosure reviews - and the one background reinvestigation Hanssen underwent during his career was not thorough. In addition, Hanssen was not closely supervised for most of his FBI career. He committed flagrant security breaches and indiscretions, many of which came to the attention of coworkers and supervisors. Only one of Hanssen's security violations was documented, and he was never disciplined for any of his misconduct.
The FBI's information security program likewise offered little deterrence to Hanssen's espionage. Because of inadequate document security, Hanssen felt comfortable removing hundreds of pages of classified documents from FBI offices, including numbered original Top Secret documents. And because of inadequate computer security, Hanssen felt free to conduct thousands of searches on the FBI's computer system for references to his own name, address, and drop and signal sites to see if he was under suspicion and to search for information concerning the FBI's most sensitive counterintelligence cases. The computer system's audit function, mandated by Department regulation and a principal tool against unauthorized use as well as espionage, was rarely used before Hanssen's arrest.
In addition to its management responsibility to detect espionage among its employees, the FBI is the lead agency for detecting and investigating espionage committed in the United States. Our review of the Hanssen case found that the FBI's efforts against penetration in the late 1970s and 1980s suffered from a lack of cooperation between the FBI and the Central Intelligence Agency (CIA) and from inattention and indifference regarding serious intelligence losses. Although the FBI pursued several penetration investigations between 1993 and 2000, Hanssen received no investigative scrutiny until late 2000. Until the FBI identified Hanssen, it never opened even a preliminary inquiry on any FBI employee in connection with the search for a mole, even though a mole - ultimately identified as Hanssen - was believed to have compromised a large number of FBI assets and operations.
In sum, the OIG found that Hanssen escaped detection not because he was extraordinarily clever and crafty, but because of long-standing systemic problems in the FBI's counterintelligence program and a deeply flawed internal security program. Over the years, the FBI demonstrated an institutional reluctance to consider itself as a possible source for a penetration in the absence of information identifying a specific FBI target. The FBI's reluctance to recognize the possibility that an FBI employee might commit espionage also was reflected in the FBI's failure to implement an effective internal security program, particularly after the 1994 arrest of CIA officer Aldrich Ames for espionage. Ineffective oversight by FBI management and poor coordination with the Department contributed to the FBI's failure to pursue appropriate avenues of investigation.
The OIG's report made 21 recommendations to help the FBI improve its internal security and enhance its ability to deter and detect espionage in its midst. For example, the OIG recommended that the FBI create a new unit at FBI headquarters dedicated to determining whether the FBI has been penetrated. The OIG also recommended that the FBI create a senior operational position in the Counterespionage Section at FBI headquarters to be filled, on a rotating basis, by senior executives from the CIA and other components of the intelligence community. In addition, the OIG made recommendations for enhancing coordination with the Department and for improving personnel, document, and computer security.
IMPLEMENTATION OF INFORMATION TECHNOLOGY RECOMMENDATIONS
As computer technology has advanced, federal agencies have become increasingly dependent on information systems to carry out operations and to process, maintain, and report essential information. The FBI's computerized information systems affect many of its mission-critical activities, such as financial management, security of sensitive and classified data, and investigative work.
Recognizing the importance and vulnerability of data processed, maintained, and reported by the FBI, the OIG has conducted various audits and reviews of the FBI's management of IT. Since 1990, reports issued by the OIG have found numerous deficiencies with the FBI's IT program, including outdated infrastructures, fragmented management, ineffective systems, and inadequate training.
The audit we issued in September 2003 assessed the FBI's implementation of IT recommendations in previous OIG reports. While the FBI had implemented many of the recommendations (93 out of 148), significant further actions are necessary to ensure that the IT program effectively supports the FBI's mission. For example, recent audits and reviews conducted by the OIG have found repeated deficiencies with the FBI's IT control environment and compliance with information security requirements.
These repeated deficiencies indicate that, in the past, FBI management had not paid sufficient attention to improving the agency's IT program. Until recently, the FBI lacked an effective system of management controls to ensure that the OIG's recommendations are implemented in a timely and consistent manner. However, current leadership has stated that the FBI is committed to enhancing controls to ensure recommendations were implemented in a consistent and timely manner. The FBI has recently established a system to facilitate the tracking and implementation of recommendations. Additionally, the FBI expects significant improvements from its IT modernization efforts, which it believes will correct many of the deficiencies identified by the OIG. Our report offered three recommendations, with which the FBI agreed, to improve the FBI's tracking, resolution, and implementation of IT recommendations.
CASEWORK AND HUMAN RESOURCE ALLOCATION
In its 1998 strategic plan, the FBI identified foreign intelligence, terrorist, and criminal activities that directly threaten the national security of the United States as its top priority. This OIG audit of the FBI's casework and human resource allocation, issued in September 2003, analyzed trends in the resources used to investigate the various categories of crimes under the FBI's jurisdiction and the types and numbers of cases investigated. We found that prior to the September 11, 2001, terrorist attacks, the FBI devoted significantly more special agent resources to traditional law enforcement activities - such as investigating white collar crime, organized crime, drugs, and violent crime - than it did to terrorism-related programs. The audit also revealed:
The FBI responded to the September 11 attacks with a level of effort unprecedented in its history. In a comparatively short time, the investigation into the attacks became the FBI's largest major case in the past seven years. Additionally, since September 11, the FBI has continued to devote more of its time to terrorism-related work than to any other single area.
The OIG provided seven recommendations to help the FBI create an environment in which its operational priorities, in terms of human resources and investigations, consistently coincide with the priorities that it has identified in its strategic plan. Specifically, the OIG recommended that the FBI (1) regularly review resource allocation reports for the FBI as a whole, as well as for the individual investigative programs, and explore additional means of analyzing the FBI's resource use among the various programs; (2) research and implement methods for addressing the overutilization and high allocation of agent resources in the Violent Crime and Major Offenders program; and (3) review its current planning factors and processes to more closely approximate the agent resources the FBI actually needs. The FBI generally agreed with our recommendations.
During this reporting period, the OIG received 435 complaints involving the FBI. The most common allegations made against FBI employees included job performance failure, waste and misuse of government property, and improper release of information. The OIG investigated many of the most serious allegations and referred others to the FBI Office of Professional Responsibility (OPR).
At the close of the reporting period, the OIG had 61 open cases of alleged misconduct against FBI employees. The criminal investigations cover a wide range of offenses, including the improper release of law enforcement information and theft of government property. The administrative investigations include serious allegations of misconduct, including allegations against high-level employees. The following are some of the cases investigated during this reporting period.
THE FBI'S HANDLING OF INTELLIGENCE INFORMATION PRIOR TO THE SEPTEMBER 11 ATTACKS
At the FBI director's request, the OIG is reviewing issues related to the FBI's handling of intelligence information prior to the September 11, 2001, terrorist attacks. The investigation is focusing on how the FBI handled an electronic communication written by its Phoenix Division in July 2001 regarding extremists attending civil aviation schools in Arizona, the FBI's handling of the Zacarias Moussaoui investigation, and other issues concerning the FBI's handling of information or intelligence before September 11 that might relate to the terrorist attacks.
The OIG is reviewing the failure of a former technician in the FBI Laboratory DNA Analysis Unit to complete steps designed to detect contamination in the analysis process. In addition, with the assistance of nationally known DNA scientists, the OIG is conducting a broader assessment of the DNA Analysis Unit's protocols and procedures to determine if other vulnerabilities exist in its operations.
THE LEGAL ATTACHÉ PROGRAM
The Legal Attaché program was created to establish greater cooperation with international police partners in support of the FBI's mission. The FBI has legal attaché offices in 46 countries. The OIG is auditing the effectiveness of the legal attaché offices in establishing liaisons with foreign law enforcement agencies, the criteria and process used by the FBI to determine the location of offices and the oversight and management of existing offices, and the types of activities attachés perform and whether they overlap with other federal enforcement agencies' activities.
EFFORTS TO IMPROVE THE SHARING OF INTELLIGENCE AND OTHER INFORMATION
The OIG is conducting an audit of the FBI's progress in addressing deficiencies in its intelligence-sharing capabilities identified by the FBI, Congress and the OIG. The primary objectives of the audit are to determine the extent to which the FBI has identified impediments to the sharing of counterterrorism intelligence and other information, has improved its ability to share intelligence and other information both internally and with the intelligence community and with state and local law enforcement agencies, and is providing useful threat and intelligence information to intelligence and law enforcement agencies.
LANGUAGE TRANSLATION SERVICES
The OIG is conducting an audit of the FBI's language translation services program. The audit's objectives are to determine the extent and causes of any FBI translation backlog; assess the FBI's efforts to hire additional translators; and evaluate whether FBI procedures ensure appropriate prioritization of work, accurate and timely translations of pertinent information, and proper security of sensitive information.