The FBI has been a major landmark in the IT security landscape. Much like a landmark, it is immediately recognizable, utterly unignorable, and basically stationary.
For years, the FBI has been a controversial factor in discussions of information technology security. A full accounting of every major newsworthy involvement of the FBI in information technology issues ranging from crime and investigation to warfare and espionage would be far beyond the ability of a humble TechRepublic contributor to recount. A few selected highlights follow, though:
- How to Protect Your Computer -- This page is an example of the warm, fuzzy side of the FBI, the same kind of of inoffensive security advice it seems every headline-worthy government agency feels compelled to want to share with the world. It is also, like the rest of the various agencies' efforts in this realm, benignly useless. Everyone technologically savvy enough to figure out how to do something with the vague advice provided is savvy enough to need more advanced advice.
- FBI lists 20 most dangerous Internet security holes -- You may be familiar with the relatively well-known Top 20 lists from the System Administration, Networking, and Security Institute (SANS). You may not know that the FBI piggybacked on that a decade ago, give or take, and somehow managed to convince technology news media outlets that this was somehow the FBI's hard work on our behalf.
- Hacker claims he was working for FBI -- You have probably seen movies and television programs that make a lot out of the idea of "plausible deniability", where someone is sent on a dangerous mission fully knowing that, if he or she is captured, the agency that sent this intrepid agent into harm's way will disavow any knowledge of his or her existence. Unfortunately, it appears that Jesse Tuttle (supposedly also known as Hackah Jack) never got the memo. When he was arrested for illegally accessing the Hamilton County government network and storing child pornography on his own computer in 2003, he sang like a canary. The FBI, meanwhile, kept its collective trap shut.
- How Does The FBI's Spyware Get Around Security Software? -- In 2007, cases of the FBI's very own spyware were making the news. Of course, the idea of the FBI using malware, in stark contrast to the warm fuzzy image of Uncle FBI giving us security advice to protect ourselves, was not new. Earlier reports, however, did not generally make it so obvious that the FBI was remotely installing spyware on our computers using the same tactics as non-governmental malicious security crackers.
- GAO Slams FBI Network Security -- The Government Accountability Office had some choice words to say about the state of FBI network security in a 2007 report titled Information Security: FBI Needs to Address Weaknesses in Critical Network. The report essentially makes it clear that the FBI has not consistently met the standards of its own recommendations to the general public. I said before those recommendations were essentially useless, and apparently I was correct, because the very people making those recommendations have not, themselves, been doing a very good job of following them.
- Documents: FBI Spyware Has Been Snaring Extortionists, Hackers for Years -- If the 2007 reports of the FBI's CIPAV spyware were not enough, documents declassified in 2009 suggest the custom malware has been extensively used for several years. In fact, a 2002 memo point to FBI spyware in widespread use, wherein the Justice Department's Computer Crime and Intellectual Property Section said, "While the technique is of indisputable value in certain kinds of cases, we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit."
- Microsoft, FBI Reprogram Botnet to Remove Coreflood Permanently -- Fear not, for if CIPAV was not enough, the FBI also highjacked a malware botnet this year for the more noble purpose of using it to remove itself from victims' computers. Of course, it seems to fall neatly into the middle of the question, "Do the ends justify the means?"
- Report: 25 percent of U.S. hackers are FBI informants -- The idea that a quarter of all computer network criminals in the US are actually informing for the FBI seems a bit far-fetched. Of course, if it is true, it would explain Jesse Tuttle's claims in 2003. One in four seems like quite enough to catch the rest, however, so it is likely one of three things is true: the number is inflated (perhaps by simple misunderstanding), the FBI is just really that bad at its job, or catching malicious security crackers is far from the FBI's real goal here. An easily overlooked factor in all this, however, is the pair of requirements for something like this to even seem plausible. One is that the FBI must be exerting a lot of pressure to intimidate people into acting as an informant, and intimidation is not really a tactic I would like people supposedly protecting me to use to get its way without a case ever seeing the inside of a courtroom. The other is that, when the FBI catches malicious security crackers, it usually lets them go (as long as they agree to inform for the FBI).
- Greek police arrest suspected FBI hacker -- An eighteen-year old was arrested by Greek police in June 2011 on suspicion of having cracked security on FBI and Interpol networks. It looks like the FBI has really learned a lot from its poor rating on security from the GAO about four years before.
- Hackers Fight Rivals, FBI to Control Hijacked-Computer Networks -- It appears to be turning into a bit of a chaotic mess out there. Various security cracker groups, including a self-identified LulzSec faction and (of course) the FBI, have been fighting over control of botnet resources and otherwise duking it out across the Internet.
If its history shows anything clearly, it is that the FBI's record in IT security issues has been spotty and wildly inconstant, to say the least. It seems unlikely that a slow-moving bureaucracy like the FBI will ever quite stabilize its effectiveness in this area in the near future, considering the accelerating pace of technological change.
While we consider these facts and trends, it might be worth it to think about one more thing, specifically something Julian Assange said: "Facebook is the most appalling spy machine that has ever been invented.* The fact that the Director of the FBI just happened to be in the building where Zuckerberg and his staff were having a meeting, at work, might raise a few alarm bells.