The Federal Bureau of Investigation (FBI) organizes InfraGard, a coalition of government and industry organized to protect the nation’s infrastructure.
Last month, LulzSec disclosed the list of the Atlanta InfraGard members, including their pass keys, encryption codes, and passwords.
On the list is the name of a Deputy Chief of Police, removed from office. A Federal Grand Jury indicted him for bribery. He subsequently pleaded guilty in Federal District Court.
The admitted corrupt official’s name remains on the InfraGard access list.
What makes this interesting is that some of the InfraGard members are forensic auditors, experts in rooting out these types of problems. It’s unclear what “auditing” failed when reviewing the InfraGard member access codes.
Also, this is interesting because the FBI – which runs InfraGard – issued one (among many) federal press release detailing the Deputy Police Chief’s legal troubles.
Core Question
Why did someone the Department of Justice prosecuted for public corruption -- and identified in federal press releases issued by the FBI and other federal agencies -- remain on an access list to a website managed by the FBI?
It’s unclear what automated notifications failed or did not occur once the Department of Justice issued multiple press releases related to the bribery, but the FBI did not remove his name from the access list.
In light of the intelligence-communications failures before 9-11, we would have expected that in the “post 9-11 era” there would be coherent communications between – and especially within – Federal agencies on matters of intelligence, national security, and public safety. Apparently our reasonable expectations have (to no one’s surprise) not been fulfilled.
However, what makes this striking is that there were multiple Federal-level connections – all detailed in federal-level press releases – but somehow the FBI leadership failed to connect the dots.
Had a private citizen made this error, you can be sure there would have been massive Federal attention, not to mention a chorus of excuses for federal agent mistreatment of a private citizen. At a minimum, a public discussion is warranted.
I would like to know what’s happened. The public could spend time reviewing the individual qualifications of the Atlanta InfraGard members, then question why that expertise did not design a plan and software detection system which would ensure a convicted Federal felon did not remain on the InfraGard access list.
We could also spend time reviewing the individual Federal-level press releases since 2010, and question – at each press release – who specifically within the Atlanta InfraGard knew – or should have known – the details of this press release, but failed to properly update the access list.
We might also review the details of the software coding problems within the access list, and question why someone with expertise in computer software did not – after 9-11 – create a plan that would connect the dots, remove people who should not have access to the list, and properly secure information.
However, this is not something the public should have to do. Rather, the Attorney General (AG) should be the one to provide this explanation, along with details of what failed, and why.
In preparation for the AG response, this diary reviews the technical and professional backgrounds of those publicly identified as Atlanta InfraGard members. It also raises some auditing and oversight questions related to their experience and this apparent communication problem within the Department of Justice.
Details
Let’s review some detailed questions related to this situation, and provide you with some background material to shed some light on the seriousness of what has happened. In the sign-in information to InfraGard below, note the connection with “Dekalb” County, Georgia:
June 2011 LulzSec Provided Atlanta Infragard Sign In
Email prefix: defrank
Email extension: co.dekalb.ga.us
Sign-in name: DFrank
InfraGard Assigned Individual: Donald E. Frank
Source: LulzSec.
Then-Deputy Chief Frank was removed from office in 2010, but remains on the LulzSec-disclosed access list in 2011. Someone connected with the Atlanta InfraGard office needs to explain why Frank’s name remains on the access list; why there was no purging of that list; and why the list contains a name which is connected with crimes adjudicated in Federal Court.
Open Media
“Donald E. Frank, former deputy police chief for DeKalb County, was arraigned today for allegedly accepting two bribes from a small business owner.”
“DeKalb Deputy Chief Donald E. Frank terminated after indictment 9:26 am, May 27th, 2010”
The InfraGard member list includes multiple names which are connected with the Digital Forensics industry. These are personnel whose business is to analyze digital evidence, and understand why there were problems.
It would seem reasonable for (1) a member of the public, (2) leadership at the SES level, and (3) Members of Congress to believe that someone connected with InfraGard would have the in-house ability to review this digital evidence, form a coherent explanation, and issue a public press release. In turn, it would be reasonable to believe that the press release would generate some action.
However, DOJ has shown it’s not able to do that. Despite multiple Federal-level press releases related to the Deputy Chief’s termination, indictment, and guilty plea – in Federal court – somehow the FBI cannot connect the dots.
Not only is there a glaring conflict of interest – that of using digital forensics experts connected with InfraGard to review InfraGard digital evidence – but the Department of Justice doesn’t seem to understand the importance of policy modernization connected with factual data in their press releases.
Consider each of the following press releases – connected with the Federal government – and consider what should have happened re Frank’s name on the InfraGard access list.
FBI Issued Press Release
FBI, 2011 Press Release: “DONALD E. FRANK, 47, of Monroe, Georgia, pleaded guilty today in federal district court to conspiring to take bribes while employed as a deputy police chief”
Someone within the FBI “should” have reviewed this press release, and considered who was on the access list. That apparently did not occur. Frank’s name remains on the access list.
Press Release on Justice.gov Website
Justice.gov: “Former Dekalb Police Lieutenant Indicted for Bribery” (March 7, 2011)
Someone connected with the Justice Department should have approved the drafting of that press release. It should have been approved by staff at the DOJ-level, presumably the Asst Deputy Attorney General (ADAG), and that information would have been forwarded through all the Department of Justice information centers. Something didn’t happen. Frank’s name remains on the access list.
Press Release via US Attorney’s Office
US Atty Office: “The U.S. Attorney for the Northern District of Georgia issued the following news release: DONALD E. FRANK, 46, of Monroe, Georgia, was arraigned late today”
The Executive Office of US Attorneys (EOUSA) is a different division than the FBI, which compounds the problem. Information hasn’t been stove piped within the FBI; but has cross-flowed from one office to another at the Senior Staff within the District.
The US Attorney’s involvement with the press release raises more questions: Even though the FBI and US Attorneys operate in different lanes, why isn’t information related to an InfraGard member properly forwarded through someone within DOJ to InfraGard? This “routing” problem seems eerily similar to the excuses we heard re 9-11. However, reckless US government conduct should not be a green light for more power and authority; but a tighter leash, e.g. FISA violations.
Federal Prison Connection
Atlantaunfiltered.com, April 2011: “Ex-Lt. Donald E. Frank faces up to five years in federal prison”
Once there was a possibility of a federal prison sentence, there would have been a discussion between the DOJ and the public media on background related to that possibility.
From the US Attorney-firing emails, we learned that all press questions are rapidly disseminated so that DOJ staff are – or should be – on the same sheet of music. Here, once the question of federal prison surfaced, there should have been a discussion within DOJ on the press questions related to that prison sentence.
Those questions should have triggered emails, documentation, and staff research time. Those records are reviewable by the public, and Congress, and DOJ OPR/IG.
The public needs information on the following:
- What internal discussions were there related to these federally-connected issues; who was involved; and where was the FBI leadership in Atlanta on these issues.
- Then, we need to examine how the staff in Atlanta disseminated this information, reviewed it, and who should have conducted a manual review of the reports related to then Deputy Chief Frank’s access to InfraGard.
The President and others can access Grand Jury testimony, and use that information for intelligence purposes. Indeed, a “useful” use of that “intelligence” is to remove that person’s name from the InfraGard access list.
Federal Grand Jury Connection
11alive.com: “A DeKalb County police officer who was once a Deputy Chief has been indicted by a federal grand jury for taking bribes”
Apparently, despite having the “authority” to use secret grand jury testimony, the President and AG failed to do just that. The information from the grand jury – related to the indictment – was not forwarded, as it should have been, to remove his name from the InfraGard access list.
This White House connection is important because an Atlanta InfraGard member was on a special committee connected with the White House, “The White House Global Information Infrastructure, 1995.”
Where is the DOJ OLC memo that says the President, who can use combat forces illegally in violation of FISA, is somehow “not accountable” for refusing to properly use Grand Jury information for intelligence purposes?
DOJ OLC would argue a President “can” use Grand Jury information; but argue that that requirement is not “shall”.
If that is the case, then there is no useful purpose for the FBI, EOUSA, or DOJ.gov to issue press releases. That information isn’t getting used by those who should access, use, and monitor reasonable applications of that information.
Going further, despite the public press releases on Frank’s guilty plea/termination/indictment/arraignment/demotion, we still don’t have information on what InfraGard members were internally discussing on the “private” network. The public information shows us something wasn’t getting discussed.
Benefits of Access to InfraGard
"Gain access to an FBI secure communication network complete with VPN encrypted website, webmail, listservs, message boards, and much more."
From: “The FBI Deputizes Business,” The Progressive, March 2008
We need to know what – while the press releases were issued – the InfraGard personnel were discussing.
What “plan” were they writing that would “better protect” the information systems?
What “forensic analysis” occurred to gather evidence of access codes which should have been removed?
What “conference meetings” did they attend to better protect information resources?
One of the purposes of facilitating communication is so that personnel can adequately administer resources, and do the public’s business.
The public needs to know what happens when, as now, the open media is ignored; and internal communication systems apparently fail to connect the dots.
We know the open media reporting through DOJ.gov, FBI, and EOUSA had no effect. We need to understand also what failed within the InfraGard communication system; and properly identify an appropriate leader who will transform InfraGard from where it is to where it needs to be.
Questions About Deputy Chief Frank’s Legal Challenges, Access to InfraGard
What was discussed on the VPN encrypted website, sent via webmail, or discussed on the listservs or message boards between February 2010 and June 2011 related to the InfraGard Access list?
Who was responsible for conducting a forensic audit on the InfraGard website?
What were their results?
Who was responsible for developing a security plan for the InfraGard information?
How was that plan reviewed, discussed, and applied in light of the disclosures about Deputy Chief Frank after February 2010?
Specific Questions to Individuals Connected With Atlanta InfraGard
Up to now, we’ve raised general issues. Let’s be specific with names of personnel LulzSec disclosed, and review their technical and professional backgrounds in light of the Deputy Chief’s guilty plea for bribery.
Be.njamin J. Halb.ert is identified on the access list as being – or once was connected with – Lo.ckheed Mart.in.
Some of the InfraGard members are linked with the following organizations and activities:
- IFCC: Internet Fraud Complaint Center
- Information Systems Security Association: 5th Annual IT Security Automation Conference and Expo.
- Security Content Automation Protocol (SCAP)
- Readings And Cases in the Management of Information Security
- MIS (MANAGEMENT INFORMATION SYSTEMS) TRAINING INSTI.TUTE’S INFOSEC WORLD 2010 (April 17-23; Orlando, Florida).
Ben, is it your position as a person associated or formerly associated with Loc,kheed Mar.tin that “nothing” above would have helped anyone connected with the Atlanta InfraGard to, among other things:
Goals For Future InfraGard Software Protection
- Identify potential security risks;
- Properly automate removals or notifications related to significant legal cases;
- Automatically secure the network through any protocol, code, or software language to remove the name of a convicted felon from the access list;
- Preserve updated, correct password lists for sensitive government information.
Let’s consider the information connected with another InfraGard Member:
Har.old W. Phip.ps, J.D. (Vice-President – Industry Relations, as a “former attorney with the FBI”)
Reportedly, Ha.rold P.hipp.s “has a balanced understanding of both computer technology and the legal system.”
Am I missing something, H.arol.d: Are you claiming to be a “former” FBI agent; but that experience wasn’t getting put into practice; or were you “too busy” with Habitat for Humanity to take the time to properly put your experience to good use?
According to the open media, Harold is connected with the Computer Forensics competition because he is reportedly a “digital forensic investigator.” Is there someone else – not connected with InfraGard – who might review why Deputy Chief Frank’s name is still on the access list?
Let’s consider another reported member of the Atlanta InfraGard: Ja.y Harm.on, connected with “Bord.er H.awk.” We read the following:
“J.ay is a solution oriented professional providing a unique blend of strategic sales, marketing and management consulting services”
. . .
“Our Security Teams are comprised of only the most senior Cyber Security professionals in the United States. . .”
Jay, is it your contention that the “most senior Cyber Security professionals in the United States” did not develop a system to review open media reporting by the FBI to ensure that the FBI’s classified access list properly excluded federal felons; or was that “someone else’s job”?
It doesn’t sound as though there was a “solution” packaged in a coherent “management service” to InfraGard. Or is there something you’d like to discuss?
Why not go one step further and review the public record of someone else connected with the Atlanta InfraGard: B.en Fein.stein of Secu.reWorks.
Sec.ure Wor.ks offers public speakers. Interestingly, it appears Ben may know something about the DEFCON Hacking Convention: Someone with the same name as his attended. He’s also reportedly connected with the RFC 4767, “Intrusion Detection Exchange Protocol.”
On those lonely days when Elena is alone, Ben might spend time understanding hackers, contemplating upgrades to RFC 4767. Was there never a time when you were away from Elena that you did not consider a method to apply RFC 4767 to the Atlanta InfraGard website; and develop a method to detect when a federal felon still had their name on the Atlanta InfraGard access list?
Ben was also recognized by Microsoft Security Response Center for finding and reporting security vulnerabilities. Isn’t it a “security vulnerability” to have the name of a convicted felon on the access list?
Consider someone with the credit reporting agencies on the InfraGard access list. Someone with the name of “Th.omas Ak.in” is connected with “Equi.fax”. Is this the same Aki.n who is a member of the international society of Forensic Computer Examiners?
I never quite understood what happened in the Gulf of Mexico: British Petroleum made a mess of things. Then I looked at the InfraGard access list, and things started to make sense.
If we were in the middle of a disaster, would we call someone who was connected with the disaster; or would we call someone who solved problems?
John Chess.er is connected with Mona.rch Res.iliency, a firm that proclaims itself as “focused on IT Disaster Recovery, Business Continuity Planning, and Business Resiliency.”
Then I read this:
Monarch Business Resiliency (MBR)'s roots go back to 2001, when it evolved from a group of Global Project Managers for British Petroleum
There’s an excellent reference. Weren’t these the same engineers that couldn’t figure out – before drilling – how to solve a disaster? You’d think they’d have a plan already created.
Scit. Woody’s [Leading Georgia Executives Nominated for the Information Security Executive of the Year in Georgia 2004], is indirectly linked with something called “Enterprise Risk Management” which is an internal audit and compliance tool:
Enterprise Risk Management (ERM) is a process-driven tool that enables senior USG management to visualize, assess and manage significant risks
What happened to the ERM tool: Why were there no “visualizations” of the impact of leaving the name of a convicted felon on the access list; and why wasn’t ERM successfully used to “manage” the risk of having a convicted felon on that access list after indictment by a grand jury?
Factoid: Did you know that Dr. Whitfield “Whit” Diffie and Martin Hellman are known for their 1975 invention of public key cryptography?
Those are those funny, long codes on the InfraGard access list.
Kristina Cole of Georgia Tech, I would like you to provide some meaningful leadership at the “Internet Governance Forum” (IGF) to address the following:
What role should the Federal Government play in governing the internet when it proves incapable of using open media information to properly update the list of authorized users?
Don Jac.kson of Secu.reWorks, you are reported to be a “trusted advisor” on security issues; and an “established subject matter expert” (SME) on cyber security and intelligence with government and law enforcement. These issues connected with the FBI press releases, InfraGard access lists, and the FBI leadership appear to fall within your area of expertise.
Could you share with the Department of Homeland Security your views on ways that internal government information can be better disseminated so the public can conduct better oversight of InfraGard?
Seymor Goo.dman, with Geo.rgia Tech, is associated with:
A. “International Coordination to Increase the Security of Critical Network Infrastructures”
B. The Congressional Hearing, Cyber Security R&D Hearing before the Subcommittee on Research and Science Education, Committee on Science and Technology, House of Reps, 111th Cong.
C. The White House Global Information Infrastructure, 1995
As with 9-11, the issue facing the Atlanta InfraGard was not that there was “no intelligence” about a problem; but how to put that lawfully gathered intelligence in the hands of decision makers. Here, even though the information is in the hands of government, it’s not (apparently) acted upon. It doesn’t make sense to keep gathering new information when the existing leadership cannot adequately manage existing information security plans.
Could you comment on the ability of the United States to effectively lead the world in protecting infrastructures, while there remains an internal communication problem thwarting effective implementation of these lessons learned? Should the public be more concerned with our own communication failures within the FBI; or with the Cyber Warfare expertise of the Chinese?
Shau.vik R.oy Chou.dhary crafted a report on migrating an airport management system, and should be encouraged to provide a similar report on transitioning the current InfraGard computer systems to something that properly incorporates needed adjustments to the member access lists.
He might be able to put into practice some of the lessons from the May 2011 Software Engineering conference (ICSE) in Hawaii. He should be able to conduct some software testing and verification using his connections with IEEE Entity Web Hosting (EWH).
If you’re interested in developing a tracking system to monitor who is doing what with this review, you could talk to this InfraGard member, Cha.d McDo.nald who is reported to be with Lu.ci.d Da.ta Corp.orations which provides “web based software” to “manage and track professional development programs and activities.” The software product appears to be at the educational level of those who appear to be managing the InfraGard access list.
These issues could have been audited, given this – and other -- auditing expertise in Atlanta’s InfraGard:
University System of Georgia (USG)
InfraGard Member: Erw.in L. Car.ro.w, IT Audit Director and Auditor, “conducting enterprise risk assessment and planning; performing . . . information system audit[s]. . . ”.
Why wasn’t the auditing expertise of this InfraGard member robustly applied to how the DOJ’s information systems would automatically review, monitor, update, and verify the InfraGard access lists?
Conclusion
The LulzSec posting of the Atlanta InfraGard Members provides a rich list of people to ask questions. Their backgrounds raise questions: What was done; what should have been done; and what conflicts might exist.
One name is a former Deputy Chief of Police, who pleaded guilty to bribery. The Federal Government issued several press releases related to his demotion, indictment, and potential federal prison sentence. However, it appears his name was not removed from the Atlanta InfraGard access list.
We need to know what information was or wasn’t reviewed; what information system security upgrades are needed; and what changes are required to the automated InfraGard access system.
It’s baffling to see these things happen, especially connected with a website whose IT experts know how to make software systems, protect information, and conduct forensic audits.
It appears keeping this information in the shadows has allowed something to fall through the cracks. Although the InfraGard members may have a good faith belief they are doing excellent work in secret, that secrecy appears to have not subjected them to needed oversight.
Something fell through the cracks. It shouldn’t have, but it did. The way forward is for the InfraGard personnel to address the apparent risk areas within their own areas; seek external assistance; and develop a plan for reform that can be subject to independent review.
This needs to change. InfraGard needs to forward a public plan; then that plan can be subject to rigorous public review. Going forward, the House and Senate Homeland Security and Judiciary Committees should work with the public to review the public records, and provide measurable leadership to the InfraGard.
Rather than repeating the mistakes of the past, the InfraGard personnel need to forward their plan to conduct better oversight, and demonstrate they can be trusted to properly manage a software system in secret. Once InfraGard personnel demonstrate this ability, we can trust them to do something more difficult on the international stage in support of Cyber Warfare Operations.
Recommendations
The AG should direct a review of the InfraGard member lists to ensure only the names of properly authorized personnel are on those lists.
1. AG should direct a review of InfraGard access lists, to identify which government and civilian personnel still have active access status, but who should be removed from the authorization lists.
2. Review results should be provided to DOJ OPR, DOJ IG, and the House-Senate Committees for Judiciary, Intelligence, and Homeland Security.
Future Research
There needs to be a better, more thorough discussion of the technical and professional backgrounds of those listed in the InfraGard member lists. This will help the public understand what was – or should have been – done internally in the Terrorist Surveillance Program (TSP) after 2001, re: FISA violations.
It appears many on the InfraGard lists knew or should have known about technical solutions to properly comply with the legal requirements and provide commanders with lawfully acquired intelligence. If the internal mechanisms and auditing systems do not work, they need to be adjusted or replaced with more responsive personnel and systems.
It remains an open question which specific duties personnel linked with InfraGard failed to perform. These conclusions have bearing on whether the public can trust American leadership to properly, lawfully organize information systems and personnel resources to conduct lawful combat operations consistent with Geneva and the FISA requirements.