FBI's CIO faces agency's tech challenges

FBI's Zalmai Azmi discusses the agency's existing cumbersome systems and its seemingly antiquated security.

Anne Broache Staff Writer, CNET News.com
Anne Broache covers Capitol Hill goings-on and technology policy from Washington, D.C.

When Zalmai Azmi took the job of the FBI's chief information officer three years ago, he had a daunting task ahead of him: steering the agency's rocky computer modernization project back on course.

The results so far have been mixed. Last year, the FBI was forced to abandon its initial plans to create a so-called Virtual Case File system, with FBI Director Robert Mueller admitting to Congress that more than $100 million had been wasted. In addition, a series of damning reports have described slipshod management and missing equipment.

Now, however, the FBI is trying again with a project named Sentinel that's designed to succeed a paper-intensive system that relies on 1980s mainframe technology. In March, the FBI awarded Lockheed Martin the contract for Sentinel's development, which is estimated at $305 million over six years.

Azmi, an Afghan native, came to the FBI from the Executive Office of the U.S. Attorneys, where he was responsible for developing and carrying out a multiyear IT transformation plan.

CNET News.com spoke with Azmi about Sentinel's direction, the existing cumbersome systems and recent reports that a contractor hacked the FBI's computers.

Q: The FBI spent over $100 million on a system that ultimately had to be abandoned. Earlier this year, government auditors faulted the bureau for wasting millions of dollars on "questionable contractor costs" and misplaced equipment from earlier stages of the upgrade process. How can you be sure that taxpayer money won't go to waste again?
Azmi: The GAO audit was specific to the Trilogy program and not specifically to the Virtual Case File. Sentinel is more akin to VCF than it was (to) Trilogy because Trilogy was the deployment of our network, desktops, laptops, scanners, printers, a lot of moving parts and a lot of computers. Sentinel is different. It's not going to supply any desktops or laptops or anything like that, it's more of an application we will make available to our users through Web technology or through a Web browser.

Regardless of that, a lot has changed since the Virtual Case File program was envisioned.

Now we have an enterprise architecture in place...We have the governance process to do that project from cradle to grave. As we go through that process, there are specific control gates and reviews and a proof of project to move to the next step. We have an investment management board in place...to make sure we're investing in technologies that the bureau needs, technologies that are what our vision needs, and technologies that are budgeted for and envisioned for in enhancing the FBI's future mission.

We do have a very strict certification and accreditation policy or program in place for security, so every program has to go through what we call a C&A process. We also have a Life Cycle Management directive in place, which means that every program has to be developed according to a set of standards within the bureau, and those standards are reviewed and monitored through the governance process to make sure our contractors and our vendors are following the policies, methodologies that we have put in place.

From the perspective of agents and analysts doing their day-to-day work, how urgent is it that the FBI modernize its case-management system? If the system itself dates back to the 1980s, why weren't upgrades started sooner?
Azmi: Information technology has to be revamped on a regular basis. Within the government, the best practices, every three to four years we have to replace our computers, and every five or maybe six years our servers. So there's a refresh cycle for the technology because it's constantly changing. With our current mission of national security and cybersecurity, it is imperative for us to have the latest and greatest tools within the bureau. And that's why there's a sense of urgency; we need to have those critical tools at the disposal of our agents and analysts to do their job, and that urgency will remain. We're looking at new technologies every single year to enhance our mission.

The FBI's case-management system seems to be keyboard-based and paper-intensive, slowing down the process of accessing records. What are some of the complaints that FBI users have made about the way the case management system works, and how would the new system address those concerns?
Azmi: The existing automated case system that we have, which is called ACS, is a mainframe application, what we call a green screen, because it's command driven. You have to put commands in there, you have to do everything manually. It is true we don't have any mouse interaction with that version of automated case system. It is not taking advantage of modern technology. For example it's probably going to take about 13 function keys or pressing of the keys on the keyboard to load a document into the mainframe in comparison to what you are probably aware or familiar with when you go into your e-mail and see an attached document. It's a couple of clicks and the document is on its way through to the receiver.

The new technology, the central program that we will be implementing is a program based on Web technologies. It is a service-oriented architecture, meaning each capability of the program will be provided as a service in terms of information management, document management, search capabilities, reporting capabilities; those will be all services that we will provide through this application. But also the benefit of this approach is the same services can be used by other applications throughout the enterprise. In a nutshell, the new Sentinel is going to be akin to an AOL or a Yahoo Web page where you go and information is available to you through your searches, through your data entry, and you move forward to the daily work.

The other part of the challenge was the uploading of the documents. It was also the process of electronically routing documentation. Currently, if we are in one of our resident agencies and we do that paperwork, that paperwork requires a signature of our supervisor. Basically we have to put that file in an envelope, we have to mail it to our field office where our supervisor is going to take a look at it, maybe sign it, maybe comment on it, or whatever, so in my view that is a delay in time. With our new system, that process will be seamless...because you work online, you just forward the e-mail, that document, to your supervisor, who is going to approve it and move forward. So there's time saving in there. There's accountability for the document at any given time. It's not going to get lost in the mail, and there will be also a chain of custody. At any given time, you will know who has that document, the critical capabilities that we are missing currently.

What made the FBI decide on Lockheed Martin as the primary contractor in March? Will there be other companies working on Sentinel as well?
Azmi: The contract was completed under the National Institutes of Health's (procedure). There were a number of vendors that actually bid on this, and Lockheed was the one that was selected based on their proposal and their strategy for developing this program. Lockheed has a number of (subcontractors) under it. About 10 primary subs are working with Lockheed to support Lockheed in this endeavor. (Some of them are Accenture, Computer Sciences Corp., and CACI.)

The Washington Post recently reported that a former contractor broke into secret FBI systems without proper authorization. The contractor that broke in, working from a field office in Virginia, apparently took advantage of an antiquated security mechanism (/etc/passwd files in cleartext) that the private sector abandoned a decade ago. Why was the FBI so behind? Do you plan changes in security with Sentinel?
Azmi: It's two different issues--first of all, let me clarify that the individual who had access to our networks was a privilege that was granted to him because he was part of our system administrative staff when he was deploying Trilogy. So he already had access to the system, took advantage of those privileges, so that's how he was caught.

Sentinel is actually an application that has its own security mechanism, which is different and actually does not even relate to the case in Springfield at all, because we manage passwords and security in Sentinel much different than what happened in Springfield. Springfield was (about) access to the network, and Sentinel is access to an application, two different things.

Statements were made that this guy cracked the passwords and that's how he gained access to the network. That's not true. He had the privilege already to the network, and he abused that privilege and that's how he was caught...

We knew of the vulnerability, and we also are protecting our password files, but the fact that this guy had the administrative rights to our system, that's what made it vulnerable, and that's why we call it insider threats. It's very difficult to defend against that. It's almost like you shouldn't give anybody administrative rights, but who's going to manage the system? So there's a balance you always have to reach.