FBI Wants More Access To Everything, Can’t Be Bothered To Protect The Stuff It Already Has
from the bringing-down-a-nation-by-visiting-a-recycling-center dept
The FBI has been pulled right up to the national security table for years. Its switch from regular law enforcement agency to major player in the counter-terrorism field has seen it avail itself of vast collections of data obtained by the NSA. While its own contributions to combating terrorism have been questionable at best, only recently was its access to NSA data seriously challenged.
But nothing came of that and things go on as they have for the past two decades. As if that wasn’t enough, the FBI’s directors constantly complain about encryption getting in the way of slurping up communications and scraping seized phones of all their data.
Well, all of the stuff the FBI currently collects, obtains, or has access to has to be stored somewhere. And it wants to add to these haystacks. But when the haystacks need to be rotated out due to device failure or hardware updates, the FBI apparently believes no precautions should be taken to make sure classified and sensitive data doesn’t end up in the hands of others.
That’s what DOJ Inspector General Michael Horowitz has highlighted in his recent memo to the agency, which points out its extremely careless handling of discarded computer hardware.
We found the FBI does not always account for its loose electronic storage media, including hard drives that were extracted from computers and servers, thumb drives, and floppy disks. For example, the FBI instructs field offices to remove hard drives slated for destruction from Top Secret computers to be couriered separately to save on shipping costs. However, extracted internal hard drives are not tracked, and the FBI does not have the ability to confirm that these hard drives that contained SBU and/or NSI information were properly destroyed. The lack of accountability of these media increases the risk of loss or theft without possibility of detection.
Not great! There are small companies that handle device and data destruction more responsibly than this and their overriding concern is maintaining market share, rather than, say, securing a nation.
The FBI also handles classified data almost as carelessly as a former president. While servers and drives might be marked to indicate the presence of classified or top secret data, data extracted for disposal is placed on other devices that do not bear these markings, making it that much easier for top secret data to be treated as carelessly as trash from the office break room.
On top of that, the FBI tends to take its time destroying hardware, which results in warehouses full of components that are potentially full of extremely sensitive information. This long-term storage is overseen by… nobody.
Non-accountable assets slated for destruction were stored on pallets without sufficient internal physical security for an extended period of time. For example, a pallet containing extracted internal hard drives marked non-accountable had been stored for 21 months and had wrapping that was torn and left open. This facility is shared with other FBI operations, such as logistics, mail, and information technology equipment fulfilment, and had almost 400 persons with access as of May 2024, including 28 task force officers and 63 contractors from at least 17 companies. Both the FBI supervisor and contractor confirmed that they would not be aware if someone was to take hard drives from the pallets because these assets are not accounted for or tracked.
I’m tempted to believe “non-accountable assets” is a reference to FBI employees. But even if it’s meant to designate devices that most likely do not contain classified or top secret information, there’s no way the FBI itself can say for sure because of the previous two problems the IG discovered: top secret/classified info isn’t always accounted for and some devices containing sensitive info get placed on the “please destroy” pile without proper external labeling.
Ignoring every requirement along the way to destruction results in stuff like this, which doesn’t exactly instill confidence in the FBI’s ability to stay on task, be detail-oriented, or show many of the other basic levels of competency one would hope to find in the nation’s largest law enforcement agency.

Walmart takes more care securing its Black Friday pallets than the FBI does with its pallets full of sensitive info. Keep that in mind the next time the FBI’s complaining it simply doesn’t have enough access to data or top secret information. It doesn’t secure what it already has. It definitely shouldn’t be entrusted with anything more until it can handle this very basic part of internal security.


Comments on “FBI Wants More Access To Everything, Can’t Be Bothered To Protect The Stuff It Already Has”
Actually give them more access to things so that sensitive government info can continue getting leaked. We get access to whatever the FBI hasn’t officially fessed up to yet and journo sites like Techdirt get more to write about. Win win.
'Collect it all! ... Throw it in a bin afterwards.'
For example, the FBI instructs field offices to remove hard drives slated for destruction from Top Secret computers to be couriered separately to save on shipping costs.
HDs from Top Secret computers are removed and shipped separately (theoretically anyway) to save on shipping costs. I’d say I struggle to think of a more glaring example of how much they do not take security seriously, except the rest of the article provides plenty of other just as, if not more, damning examples.
Re:
For anyone keeping track at home, the FBI has an annual budget of 11 billion and (IIRC) they’ve asked to get that bumped up to 14 billion this year.
11 billion and they’re shipping hard drives separately so they don’t have to pay 5 dollar shipping costs.
Re: Re:
I get your point about the 14 billion, but your take on the shipping costs is not even remotely correct. Couriering TS material is WILDLY expensive. There must be two people at all times with eyes on the container, which means if anyone wants to pee without an audience you need three people. The container has requirements. The staff must be trained, qualified, cleared, and approved. Etc. etc.
So rather than do this for every complete computer, you can extract, store, and send a bunch of drives at once. It’s a huge cost savings. Physical TS media is a nightmare.
Re: Re: Re:
Could save all that money, just give the TS data to Donald and he will leak it for you.
Just going to leave this here:
https://www.schneier.com/essays/archives/2016/03/data_is_a_toxic_asse.html
And there’s why, right there. The continued existence of those small companies depends upon their practices. The continued existence of the FBI depends on fear (“What would happen if we disbanded them?”). Security is a distant 9th.
Sorry, I’m unfamiliar with the techniques whereby duplicating data facilitates destruction of it. Perhaps I am reading that wrong?
Re:
Ask your SAIC, I guess.
You talk about securing Top Secret and/or Sensitive-to-the-government data.
The FBI will be disposing of both IT equipment (retired disks used by employees) and images taken from people under investigation. That’s risk of PII and/or business secret information exposed to whoever buys that equipment off of eBay. (Even if the FBI would physically destroy all that media, since it’s not accounted for do you imagine that some of it doesn’t go walkies?)
People go to jail for this shit. Private companies get black listed. There is NO excuse.
Re: And not a single lesson was learned
Going back a few years the only reason the NSA knew that a bunch of stuff had been copied and the source of the leak was because Snowden told them, as their system keeping track of who had access to what was that bad.
Fast forward to today and with security like this does anyone think that foreign governments don’t have near or actual real-time access to all sorts of files the FBI (and any other agency with similar ‘security’ practices) would really rather keep to themselves?
“There are small companies that handle device and data destruction more responsibly than this and their overriding concern is maintaining market share”
That’s because when a private company screws up and harms numerous people, they face potential civil, criminal, and market penalties.
When the government screws up, there are no consequences, apart from possibly being given increased funding to “help prevent another incident”.
Re:
Also it adds an extra layer of accountability shielding for the FBI when someone does invariably screw up.
Remember kids, the LL in LLC stands for Limited Liability!
It’s fine(d)! I’m a corporation!
IF they were following the rules for Top Secret data, hard drives would be fully encrypted, and thus the data would be safe, without the original computer’s TPM, and/or appropriate recovery keys, or nation-state level computing assets.
That does not help for external media, and that IF is doing a lot of work, and the rules say you should still take care, and ensure destruction.
Re:
“would be fully encrypted, and thus the data would be safe”
No. Nothing is safe.
Hammers?
Maybe just equip the field offices with one of these:
https://www.homedepot.com/p/Husky-21-oz-Wood-Milled-Face-with-17-7-in-Hickory-Framing-Hammer-SUO-007/321370762
They would really save on storage and shipping costs!
Re:
That might cut into their time of framing up randos and avoiding doing anything about CSAM.
“The FBI also handles classified data almost as carelessly as a former president” Just want to point out that Trump was President when those documents were moved to Mar-a-Lago where they were locked in a room and there’s also Secret Service there. Biden however has been stealing classified documents dating back to his Senator days and had them in 3 or 4 locations that Hunter had access to as well. Maybe that information is why places like China were giving him, Joe, and his uncle millions of dollars. I bet once Joe’s out of the White House, that money dries up.
Re:
Vice President, actually, not Senator, and the evidence did not establish Biden’s guilt beyond a reasonable doubt. Whereas Trump was clearly guilty, having deliberately stolen stacks of boxes of documents compared to the six classified items that Biden accidentally stole. How do you like that whataboutism?
Vice President, not Senator, and the evidence did not establish Biden’s guilt beyond a reasonable doubt. Whereas Trump was clearly guilty, having deliberately stolen stacks of boxes of documents compared to the few boxes that Biden accidentally stole. How do you like that whataboutism?
Non-accountable assets
“I’m tempted to believe “non-accountable assets” is a reference to FBI employees.”
Employees slated for destruction were stored on pallets? Sure glad I don’t work for the FBI.