The Department of Justice (DOJ) Office of the Inspector General (OIG) recently released the results of a 59-month audit (PDF) on the Bureau of Alcohol, Tobacco and Firearms (ATF) and its penchant for losing weapons and laptops; the report's findings are damning.

Big losses, little documentation



The stated purpose of the audit was to assess "(1) the adequacy of the ATF's actions taken in response to weapons, laptop computers, ammunition, and explosives identified as lost, stolen, or missing; and (2) the effectiveness of ATF's internal controls over weapons, laptop computers, ammunition, and explosives."

The OIG's audit was unusually long and broad in scope thanks to previous issues at the ATF. A 2002 investigation (back when the bureau was part of the Department of the Treasury) found significant problems with how the ATF protected and accounted for laptops, firearms, and ammunition. The ATF agreed with all of the recommendations of that earlier audit and implemented new policies that it claimed would cut the losses. Put simply, these new policies have not worked.

The new audit states: "Over the 59-month period we tested, 76 weapons and 418 laptop computers were lost, stolen, or missing from ATF. ATF's rate of weapons loss per month has nearly tripled since Treasury's 2002 audit, and the rate of loss per month for laptop computers was 50 times higher than what the 2002 audit revealed. According to ATF officials, the much higher rate of laptop computer losses resulted primarily from adjustments ATF made to its inventory records to correct inaccurate data accumulated over several years." (emphasis mine).

The ATF lost an average of 7.08 laptops per month over 59 months, but it's very important to understand how that number is derived. Based on the rules of the OIG's audit process, a laptop that has not been properly logged as decommissioned is considered "lost," even if it wasn't stolen or misplaced. In the ATF's case, a lack of proper documentation did significant harm.

"274 ATF laptops were identified as missing during periodic inventories. These losses represent approximately 66 percent of all lost, stolen, or missing ATF computers... The primary reason was that managers believed the computers were returned to the supplier, exchanged for newer models, or donated to schools after becoming obsolete. However, managers could not demonstrate that this had occurred, because they could not produce the required documentation for such returns, exchanges, or donations."

The bureau was also unable to produce information on whether or not the laptops in question were wiped clean prior to being returned or donated.

Encryption: discovered in 2007



Tracking and management failures abound throughout the ATF, and these impacted the OIG's audit in multiple ways. The ATF only began encrypting its laptops' hard drives in March 2007, meaning any systems that were actually lost or stolen before this date may have contained confidential data that was accessible to anyone who cared to view it. The organization "did not regularly attempt to determine whether the lost, stolen, or missing laptop computers contained sensitive or classified information," and did not report these losses in the appropriate manner.

The report classifies ATF's control over weapons and laptops as "not adequate," for a number of reasons, many of which we've already discussed. The OIG did find that the ATF adequately tracked and monitored its inventory of explosive devices, but that's small comfort considering the low marks for laptops, firearms, and ammunition.

If it was a store, the "Bureau of Alcohol, Tobacco, and Firearms" might be one of the greatest businesses on earth, but that does not excuse the lackadaisical attitude of the organization towards the data and weapons in its care. We're all glad that the bureau has proper controls over its inventory of C4, but the fact that the ATF can't produce adequate documentation on what happened to its hardware, or even identify which hardware contained classified data, is inexcusable.