A Q&A with the FBI's data czar
Q: What was missing?
A: . . . The backend data, the rules, the security implementation. I mean the facade was good, you know, you could see the program that was navigating from one screen to the other and people were being assigned tasks, but not with the actual data in the background.
Q: The system worked as long as there was no data in it?
A: The system worked as long as there were no checks for security or actual data.
Q: If you don't have data, what point is the system?
A: But they were going to the data conversation, so that's why I said, I couldn't make a judgment call at that point.
Q: What happened if they put data in it? It crashed?
A: . . . We had a subset of data, very little data. I don't know how many records. But for that small amount of records it worked just fine. There was the other concern; what happens if we put 30,000 users on it? And all of the data out of ACS [Automated Case Support], would the system be able to handle it?
Q: Did it crash under its own weight because of the security requirements?
A: I don't think security requirements was the one that crashed the system. They took a different model from what we specified.
Q: What do you mean?
A: We asked for a "role-based" security development. . . . That means we get work based on your roles, not on you as an individual. For example if all supervisors would be doing X, Y, Z. So for supervisors we will build a security model. So, as long as you're a supervisor, the system would know how to handle your access. What SAIC implemented was based on the individual, like "Who is Mike?" and that is how the security has been implemented.
Q: And so what?
A: Very difficult to maintain because I have to know all 30,000 people in the bureau what they are doing, what their roles are.
Q: Why didn't they do what you wanted?
A: Difficult to implement, very difficult to implement.
Q: So, basically, what you wanted from them was very difficult for them to do. What they created for you was impossible for you to maintain, right?
A: Yeah. It's cumbersome.
Q: So, there's just no way to make your needs compatible with their abilities on the security problem?
A: The other part of it is the program itself is a proprietary software that was developed by SAIC. I mean they didn't make use of the commercial-off-the-shelf products that were out there. They coded everything, [730,000 lines of code] and that means that I have to know everything; before I can maintain that software, we should know everything about the software that SAIC does, and that is almost impossible.
Q: In a simple way, can you explain what VCF would have done for FBI agents?
A: It would give them automated workflow. That means that I don't do paper work anymore. I do my 302 [investigative case reports], I send it to my boss, he looks at it, he . . . would use one of these public key infrastructure keys, and electronic signature, once it was signed it would upload into the system which would be a record management system and a document management system so we motion control for our documents, we will have a record . . . so that's the capability it will give you. Record management, at any given time you will know where the document is, who has it, who's working on it. Accountability for the agents, for the supervisors, for the record manager, all of those people would know who has the data, where it's going.