A report issued by the U.S. Government Accountability Office (GAO) at the end of last month strongly criticizes the efforts by the Federal Bureau of Investigation (FBI) to protect "the confidentiality, integrity, and availability of law enforcement and investigative information" on its new Trilogy data network.
The GAO listed seven specific flaws in the FBI's handling of data and maintenance of its new network, and concluded that, "Taken collectively, these weaknesses place sensitive information transmitted on the network at increased risk of unauthorized disclosure or modification, and could result in a disruption of service."
John Miller, the FBI's Assistant Director for Public Affairs, said that, "The majority of issues and recommendations brought up in the GAO report have been previously identified by the FBI through our own audits and internal controls. The report omitted the fact that the FBI already has corrective action plans in place that proactively and aggressively address information security issues."
Dean Hall, the FBI's Deputy CIO, and Charles Fred Newberry, Jr., Section Chief for the Information Assurance Division, responded to the report and agreed with many of the GAO's technical recommendations. "However," they said, "the FBI takes exception with the GAO's conclusion that the collective result of the information security weaknesses identified by the GAO present an increased risk to FBI information. The FBI does not agree that it has placed sensitive information at an unacceptable risk for unauthorized disclosure, modification, or insider threat exploitation."
'Sad Lessons of the Past'
The GAO investigation was commissioned by U.S. Representative James Sensenbrenner (R-Ohio) when he was serving as chair of the House Judiciary Committee during the last Congress. In a press release, Rep. Sensenbrenner noted that similar problems were identified in 2001, and called on FBI Director Robert S. Mueller, III, to hold someone accountable for the network flaws.
"This report illustrates that the FBI underestimates the insider risk," said Sensenbrenner.
"This baffles me," he said, "given the incredible damage former FBI agent Robert Hanssen inflicted on the FBI's worldwide intelligence network, primarily because he knew exactly how to extract information from the system. Now the FBI has installed two-thirds of the Trilogy system at a cost approaching half a billion dollars, and, once again, it is ignoring the sad lessons of the past."
Not Just the FBI
Largely overlooked in the media coverage of the GAO report is the grim fact that the government oversight agency has been warning of similar problems for a full decade. "We have designated information security as a government-wide, high-risk area since 1997," the GAO report said, "a designation that remains today."
In December 2002, partially in response to those warnings, Congress passed the Federal Information Security Management Act (FISMA), which requires every federal agency to improve its information security. The FBI response to FISMA was the Information Technology Upgrade Project, which later became known as Trilogy.
The GAO report raises serious questions about whether the half-billion spent on Trilogy has been effectively allocated.