Security News > 2001 > March > FBI to require lie detector tests on its systems administrators

FBI to require lie detector tests on its systems administrators
2001-03-23 04:49

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO58852,00.html By DAN VERTON March 22, 2001 The FBI last week quietly expanded its use of the polygraph to cover systems administrators and all other employees with access to sensitive computer networks and databases, marking the first time that IT specialists in the government have been singled out for the controversial lie detector test. FBI Director Louis Freeh issued a memorandum last week that put the new policy into effect immediately, said agency spokesman Bill Carter. "The director notified all employees that interim changes have been made to the FBI security program, including an expansion of the use of the polygraph to cover employees in sensitive areas," Carter said. To date, the FBI's polygraph policy has been used to conduct periodic tests of employees at random. The change in policy is a direct response to the Feb. 18 arrest of Robert Phillip Hanssen in one of the most damaging spy scandals in the bureau's history. Hanssen, a career FBI agent with access to highly classified counterintelligence databases, is accused of spying for Russia since 1985 and giving Russian intelligence agents details about U.S. intelligence sources and electronic surveillance operations (see story). However, the Hanssen case is unique in that the computer-savvy counterintelligence agent used his access to the FBI's Electronic Case File system, which contains classified information about ongoing FBI investigations, to check whether the bureau had been alerted to his activities. Although Hanssen and his Russian handlers relied heavily on traditional spying methods, such as "dead drops" for exchanging packages anonymously, the case is being touted by the FBI and IT security experts as a harsh lesson in the growing threat to corporate data by insiders. As a result, the new FBI policy also includes what Carter called technical "enhancements" to the bureau's ability to monitor and analyze the computer activity of employees in sensitive areas of the bureau and to detect "anomalies." Steven Aftergood, who runs the Project on Government Secrecy at the Federation of American Scientists in Washington, said he thinks this the first case where system administrators have been singled out to take the polygraph. It's also clear, he said, that the revised testing policy is a direct reaction to the FBI's failure to monitor Hanssen's online activities in real time before he could do damage. Still, it's unclear, pending the release of an ongoing independent review of the Hanssen case, whether the new polygraph policy will remain in effect. "It's a bit of a compromise," said Aftergood. "There is a cultural resistance to the polygraph that is different at the FBI than at the CIA. A polygraph is something that is given to new employees and suspected criminals, not to employees in good standing." Polygraphs are used regularly at the CIA as a hiring tool and as a method of uncovering spies within the agency. Employees are hooked up to a machine that records pulse, heart and breathing rates during a series of questions. Changes in those rates are then recorded and used to determine truthfulness. However, while polygraphs have been an important tool over the years in catching people who have betrayed national secrets, experts are split on their accuracy and acknowledge they can finger honest people as well as criminals and spies. Convicted CIA spy Aldrich Ames, for example, passed his polygraph examinations. "I think there will be problems and cases where employees are tripped up by the tests," said Aftergood. "But the bureau as a whole will adapt." Alan Paller, director of research at the SANS Institute, a security research organization in Bethesda, Md., characterized the increased focus on internal security and personnel monitoring as "the Carnivore effect," referring to the FBI's controversial system for e-mail monitoring (see story). "People have discovered that system administrators have unfettered access to all the most private information being passed through their systems," said Paller. "With it comes a sense that there ought to be some controls on what they see and what they do with it. [However,] I have not yet seen any consensus on what they are going to do about these new discoveries." John Pescatore, an analyst at Stamford, Conn.-based Gartner Group Inc., said although he can see the benefit of subjecting systems administrators to polygraphs, he doesn't see polygraph testing becoming widespread. "It is expensive and intrusive," said Pescatore, adding that the national security community on average only does them every five years because of cost. However, "the average time at a job of a system administrator is less than three years," he said. ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".


News URL

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO58852,00.html