Hanssen's behavior raised no red flags at the bureau, and he was caught
only with help from a Russian defector.
Hanssen not only walked out of the FBI building with documents and computer
disks containing top-secret information, but he also cruised the FBI's
major investigative database. The Webster report and FBI leaders agree that
installing basic security in its computer system is crucial, and the bureau
plans to use devices that will trigger warnings if someone is regularly
inspecting files without authorization.
A preliminary damage assessment by the FBI of the impact of convicted spy
Robert P. Hanssen's treachery determined that the identities of more than
50 people who were providing confidential intelligence information to the
bureau or were being recruited to do so were disclosed to the Russians.
Although it has been reported that Hanssen's disclosures played a part in
the execution or jailing of at least three Russians who had spied for the
United States, this is the first indication that his activities put in
jeopardy a far larger number of other people working clandestinely for the
bureau, according to the report of a special commission headed by former
FBI and CIA director William H. Webster that was released Thursday.
The FBI has had to take dozens of its informants out of operation and halt
"a number of technical programs and projects," according to the report. The
Russian intelligence units in the Washington field office were "apparently
hard hit," the report said, and the New York field office had two sources
"put in jeopardy."
Even today, according to the Webster report, some FBI sources "apparently
fear that information Hanssen passed will lead to their discovery and their
handlers can do little to assuage these fears."
A senior FBI official said yesterday that disclosure to the Russians of the
identity of certain people providing secret information to the bureau
"could be a threat to their lives." But some of the informants may have
been American or foreign nationals who would not be in danger because they
were in positions in banks or private companies. Their access through their
work would have enabled them to provide confidential information on Russian
targets.
The Webster commission used Hanssen's damaging disclosures to sharply
criticize the FBI's sloppy security practices, starting with weaknesses in
its automated case support system (ACS), which was supposed to "store the
Bureau's institutional knowledge."
"Most, if not all members of the Bureau community have access to ACS," the
report found. Though the system could be used in a way that would restrict
access to highly sensitive files, such as those on informants, the
commission found that the system that went into effect in 1995 was so
difficult to operate that many of the files that should have been made
unreachable were not. As a result, it found, Hanssen was able to access
"500 case files that had not been appropriately restricted."
The weakness in the ACS system was known in some bureau field offices but
not accepted at FBI headquarters, according to the report. For example, the
commission found it was "common knowledge" that agents in the New York
field office refused to put intelligence information in ACS as required by
bureau regulation because "they developed significant concerns about
security." That came because an intern from the Massachusetts Institute of
Technology was able to break into restricted files in one afternoon of
testing the pilot system.
Another major weakness in protecting the identities of informants was that
they were given only a "secret" classification, and thus their files could
be kept on desks during working hours at headquarters and field offices
because those spaces were considered secured areas.
"The FBI's failure to give human intelligence more protection than it does
is somewhat at odds with its traditional desire to protect human sources,"
the commission noted.
When CIA spy Aldrich H. Ames was uncovered in 1994, it was learned that he
had disclosed the names of agency and FBI-recruited Soviet and Warsaw Pact
agents and that about 10 were executed. At that time members of Congress
were surprised to learn that the agency classification for the identities
was only secret, as opposed to the more restrictive top-secret.
One of the Webster panel's recommendations was that "the bureau should
carefully consider adopting the . . . system of compartmenting human source
information developed by the CIA." The irony is that an FBI
counterintelligence expert was sent to the CIA to upgrade its internal
security operations after the Ames case, while today a CIA
counterintelligence officer has been dispatched to the FBI to do the same
thing there.
In summing up its findings, the Webster commission in effect said the FBI
now joins the CIA, the State Department -- which lost a laptop computer
containing sensitive information and found a bug in one of its rooms -- and
the Energy Department, which had the Wen Ho Lee case, in being forced to
restructure its internal security system.
"Had the FBI learned from the disasters these agencies experienced, perhaps
Hanssen would have been caught sooner or would have been deterred from
violating his oath to the bureau and to the country," the commission said.
In a broader sense, however, the Webster panel suggested there should be
some central standards for security that are valid government-wide, and not
the agency-by-agency, department-by-department system now in effect.
"If there is no national policy," the panel said, "there is no standard
against which to hold each department accountable. If national policies are
fragmented, outdated or unbalanced, security becomes subordinated to other
department priorities and interagency disputes."
There are even concerns regarding the quantum encrypted information on the
fibre links in the DC area following the Hanssen revelations.
Hanssen did not even have to do anything forbidden to get at top-secret
information, Senser said.
`Lack of restriction'
"The kinds of things Hanssen did were not characterized as hacking," Senser
said. "He didn't have to break passwords to get into the information he got
in. He basically had what was `legitimate,' in quotes, access because of
the lack of restriction and control, and just did a lot of surfing."
While FBI officials are touting their new computer system, the report warns
that it has not been assembled with sufficient attention to making it secure.
"They are keeping their fingers crossed that this will also work out, but
there is a potential for a very expensive new computer system to have
serious weaknesses in it," said the person who has been briefed.