The new technology, the central program that we will be implementing, is a program based on Web technologies. It is a service-oriented architecture, meaning that each capability of the program will be provided as a service in terms of information management, document management, search capabilities and reporting capabilities; those will be all services we will provide through this application.
The benefit of this approach is that the same services can be used by other applications throughout the enterprise. In a nutshell, the new Sentinel is going to be akin to an AOL or a Yahoo Web page where you go and information is available to you through your searches, through your data entry, and you move forward to the daily work.
The other part of the challenge was the uploading of the documents. It was also the process of electronically routing documentation. Currently, if we are in one of our resident agencies and we do that paperwork, it requires a signature from our supervisor. We have to put that file in an envelope, mail it to our field office where our supervisor is going to take a look at it, maybe sign it, maybe comment on it, or whatever, so in my view that is a delay in time. With our new system, that process will be seamless... because you work online, you just forward the email, that document, to your supervisor, and they are going to approve it and move forward. So there's time saving in there. There's accountability for the document at any given time. It's not going to get lost in the mail, and there will be also a chain of custody. At any given time, you will know who has that document, the critical capabilities that we are missing currently.
What made the FBI decide on Lockheed Martin as the primary contractor in March? Will there be other companies working on Sentinel as well?
The contract was completed under the National Institutes of Health's [procedure]. There were a number of vendors that bid on this, and Lockheed was selected based on their proposal and their strategy for developing this program. Lockheed has a number of [subcontractors] under it. About 10 primary subs are working with Lockheed to support it in this endeavour. [Some of them are Accenture, Computer Sciences Corp, and CACI.]
The Washington Post recently reported that a former contractor broke into secret FBI systems without proper authorisation. The contractor that broke in, working from a field office in Virginia, apparently took advantage of an antiquated security mechanism (/etc/passwd files in cleartext) that the private sector abandoned a decade ago. Why was the FBI so behind? Do you plan changes in security with Sentinel?
It's two different issues — first of all, let me clarify that the access that individual had to our networks was a privilege granted to him because he was part of our system administrative staff when he was deploying Trilogy. So he already had access to the system, took advantage of those privileges, and that's how he was caught.
Sentinel is an application that has its own security mechanism, which is different and does not even relate to the case in Springfield, because we manage passwords and security in Sentinel differently to what happened in Springfield. Springfield was [about] access to the network, and Sentinel is access to an application — two different things.
Statements were made that this guy cracked the passwords and that's how he gained access to the network. That's not true. He already had the privilege to the network, and he abused that privilege which is how he was caught.
We knew of the vulnerability and we are also protecting our password files, but the fact that this guy had the administrative rights to our system is what made it vulnerable; that's why we call it insider threats. It's very difficult to defend against that. It's almost like you shouldn't give anybody administrative rights, but who's going to manage the system? So there's a balance you always have to reach.
