Federal cyber rules halt LAPD's move to Google Apps

Some public safety agencies may encounter similar prohibitions if they try shifting email and document sharing to the cloud.

FBI security rules are holding up the Los Angeles Police Department's move to Google Web-based email and office applications, according to contractors. The federal policies, which relate to confidentiality of criminal history data, could prevent certain agencies from ever moving operations to the cloud, or third-party data centers that provide software over the Internet, experts say.

FBI Criminal Justice Information Services security policies require that state and local agencies maintain "management control," or final authority, over the security of criminal justice information, according to bureau officials. In 2009, the City of Los Angeles struck a $7.25 million deal with prime contractor CSC to transition local government systems, including the police department's email, to online software offered by Google.

"The FBI CJIS security requirements must be complied with by CSC and Google before we can migrate to Gmail," Los Angeles Police Chief Information Officer Maggie Goodrich said. "CSC and Google have indicated that they are unable to comply with all of the requirements in the current CJIS policy." Aside from law enforcement employees, all other city personnel -- more than 17,000 employees -- are using Google Apps.

The apparent conflict between federal criminal justice requirements and the nature of cloud computing could deny many agencies the benefits of a cost-saving technology, some law enforcement information-sharing specialists said. Increasingly, state and local governments are outsourcing administrative systems to Web services providers, including Google and Microsoft, to cut costs and collaborate more easily. The federal government is following closely behind with plans to recoup $5 billion by closing more than 2,000 energy-sucking, expensive data centers and shifting IT operations to the cloud.

"I am sure that the FBI requirements could never be met by Google," said Paul Wormeli, executive director emeritus of the Integrated Justice Information Systems Institute. "If this position is sustained, and it probably will be, the implication is that mission-critical law enforcement information will never be stored in the public cloud. The use of cloud computing for this purpose will only work in private clouds and only there if the owner of the private cloud will abide by FBI standards. This is a huge issue."

State and local agencies, however, should not be emailing criminal justice information in the first place, he said.

"There are inquiry systems that any law enforcement agency can go to" at the state level, Wormeli said. "If you're copying that response and sticking it in the email, I don't know why you'd do that . . . There are prohibitions against sending it out in unconstrained emails."

The City of Los Angeles added the security requirements at issue after all parties had signed an agreement, CSC and Google officials said.

Google also said the exchange of criminal justice information via email is not a practice the company often runs into.

"In our experience, certain criminal justice information should never be shared over email -- and indeed agencies have policies against it -- so a request to meet requirements regarding the treatment of such data in email is highly unusual," a Google spokesman said. "Many of the requirements in question were crafted throughout the years with systems other than cloud computing in mind. Even so, we have undertaken substantial engineering work and presented a plan to the city to address their revised requirements at no additional cost."

CSC officials said in a statement, "CSC and Google worked closely with the city to evaluate and eventually implement the additional data security requirements, which are related to criminal justice services information, and we're still working together on one final security requirement."

Justice officials said their current security requirements, which were updated earlier this year, had been vetted and approved during a two-year period by representatives from the government community who use criminal justice information.

"A historical tenet of the CJIS security policy is the assurance that the management control, i.e. oversight and decision-making authority, of all security aspects related to the sharing of criminal justice information remains with the criminal justice agency," FBI spokesman Stephen G. Fischer Jr. said. "The policy strives to ensure consistent application of security requirements across the nation providing the assurance to law enforcement officials that data originating from a given agency in one state is afforded the appropriate protections by a different agency in another state."

A 2009 proposed contract stated that LAPD transmits sensitive criminal history information in email, but added that Google would be able to accommodate the city's security needs.

"The Los Angeles Police Department and city attorney receive and transmit information through email that the city is required to keep confidential," the document states. "One notable example of these confidential documents is criminal records and history data that are stored in the California Law Enforcement Telecommunications System."

The 2009 proposal goes on to say that the city's IT agency had determined that Google's enhanced ciphering methods would ensure protection. "Highly confidential data, and specifically the CLETS data mentioned above, will not be readable except through the use of encryption keys that will limit access to this data to authorized city users," the document states.