March 4, 2002, Meeting
CODIS ARCHITECTURE REDESIGN PLAN
MS. HART: We have with us today John Behun of the FBI. I got the name right. He's going to talk about the CODIS, past, present, and future, where I think there's a lot of exciting things going on here, and I'm looking forward to hearing from him.
John, whenever you're ready.
MR. BEHUN: Is this on? Can you hear me? Okay, good.
Well, thank you-all very much for inviting me to come speak to you today about CODIS. What I'd like to do is talk to you a little bit about where we've been, give you some brief updates on the current status of CODIS and some of our successes. And then talk to you about some redesign plans for the future.
CODIS, as I'm sure you know, stands for Combined DNA Index System. I'm going to talk to you about the overall program and then talk a little bit about the software for storaging and managing the profiles and a little bit of what it does now, what it may do in the future.
There are three levels of CODIS: LDIS, Local DNA Index System, SDIS for State DNA Index System. And then we have NDIS, the National DNA Index System. And NDIS is the National Database, DNA Database, of the country authorized by the DNA Identification Act of 1994.
In that database, we can search - we can upload and search and report on possible matches for casework, offenders, unidentified human remains, and the relatives of missing persons.
And here is just a pictorial depiction, I guess, of the indexes. We have recently added, or we will soon add, DNA-based on mitochondrial DNA analysis as well.
The relatives of Missing Person's Index, of course, that is DNA that is volunteered by relatives of missing persons to help us try to identify or locate them.
And the unidentified human remains is just that. It's from remains that have been uncovered from a crime scene, or a masquerade, or what have you, for which we have no identity.
Also, I should mention that there is e-mail capability with CODIS as well for communication and candidate matches.
This is a depiction of the United States and the federal and state laws. All fifty states have now enacted DNA database laws. And the federal law, of course, or Federal Convicted Offenders was enacted in, I think, 2000. So we consider this finally mission accomplished. We have the entire country covered at least by DNA database statutes.
This is just a little example here of the growth that we have experienced since CODIS began. Back in March of 1992, CODIS began with 13 pilot laboratories in 9 states, and you can see the locations of them.
As of March 2002, this month, we're up to 153 laboratories in 49 states. That includes two federal laboratories as well.
The states participated in NDIS back in October of 1998. When this was finally brought online, there were nine states. And you can see them there highlighted in green. And now you can see that, as of today, most of the map is green. There are 39 states plus the U.S. Army Crime Lab and the FBI Lab participating in NDIS, which covers approximately 88 percent of the population of the country.
There are a 151 CODIS labs, 120 NDIS labs. And this shows you the growth in laboratories, the LDIS sites and the SDIS sites back in from October of 1998 until December of 2002. And you can see we have been making some pretty good progress on the number of sites participating.
This is just a little bit of the profile growth in NDIS. Back in January of 2001, at the beginning of last year, it looks like we're just around 500,000 profiles. And now we are at about 940,000 or 945,000 profiles.
And my guess is sometime during March we will hit the 1 million profile benchmark. We hope to know as soon as that happens so that we can let all of you know, because it's all of your data. It's your successes that are feeding the database and making it grow. And, of course, the larger the database the more successful we'll be.
This is a map of all the investigations that we've aided, and we define it Investigation Aided as investigations that have either been linked together through CODIS, or for which the identity of a perpetrator has been divulged.
And this is where no previous links have been known to occur before. So there was no previous link through the CODIS hit. The investigation has been linked so that you know that it's a serial killer, serial rapists involved, or the identity of the perpetrator uncovered.
We have approximately 3,600 hits - I'm sorry, investigations aided, across 32 states and the two federal laboratories, the Army Crime Lab and the FBI Lab.
This is just a sample of CODIS on the FBI dot home page. If you go to www.FBI.gov, you will see various stories and highlights of the day or the week for the FBI. And then underneath updates, you will find, or public interest, you will find sections on the laboratory or CODIS and DNA.
If you go under that, you will actually get to where you see the laboratory division. And highlights for the laboratory division include the combined DNA Index System. And if you click on that, you get to the CODIS home page that's connected to the FBI website.
This is updated. We try to update it on a monthly basis with the new profiles that are added to the system, the number of hits we've had, the number of investigations aided, the success stories. You can check on the quality assurance standards, both of those for forensic DNA labs, and convicted offender laboratories are also posted on the web.
What you'll find under NDIS is a map of NDIS statistics. You'll find a map of the United States with all the participating laboratories. If you go to a state and you double-click and move the arrow onto the state and you double-click, you'll find, for example, Florida. You'll see the outline of the state and the name of the state and some statistical information.
Dave, I know this probably isn't current because things change daily. But this was a snapshot at sometime in the past of the statistics that you would have found for the State of Florida, the number of offender profiles, forensic profiles, the number of CODIS labs participating and investigation data, and the like.
That's another example. For example, if you were to click on Texas, you would be able to find a little drop-down table with all the statistical information for Texas as well.
Now, just a little bit about the technology. When we first started, CODIS depended, of course, on the RFLP data to feed and populate the database. The local crime laboratories were all operating independently on Windows-based personal computers, and we only had a few laboratories. We had fewer than twenty laboratories at that time participating.
And then the next step basically was the PCR DNA technology would begin. Few PCR profiles were uploaded to CODIS at that point. We also continued uploading RFLP technology for the profiles.
The crime laboratories began operating within the states on Windows NT-based PCs. Communications at that time were via secure modem. We did not have any links through the CJIS WAN at that point. And the laboratories, of course, you can see have grown to almost forty.
The next stage, of course, PCR DNA technology dominated the profiles that were entered into CODIS. The local crime labs were operating within the states, again, on Windows NT computers. And this began operations. That was in October of 1998, just to give you a time frame about what we're talking here for the other facts.
Communications began via the CJIS WAN in late 1998. I believe we had three or four sites operating on the WAN at that point. And CJIS WAN, I'll get into in a few slides in the future. But the CJISWAN is the Criminal Justice Information System Wide Area network, to secure telecommunications network what the FBI pays for and maintains that connects law enforcement agencies and criminal justice agencies and their laboratories around the country. And we take CODIS and other database applications to them via the CJIS WAN.
At this point, as well, in late 1998, you can see the number of CODIS laboratories that increased to just over 70.
By later in 1999-2000, the PCR DNA technology was well established. Most of the profiles in CODIS were PCR profiles. What we have found through our efforts working with the state and the local laboratories at that point is that the crime labs were struggling with constantly upgrading the costs to new windows, platforms. It was more expensive.
They were falling behind the technology curve, as were we in some cases. We were struggling to keep up with the technology as well. And every time, for example, Microsoft would make a change to their system, it may do something to CODIS that we would then have to spend a lot of time and money to correct.
And this operation began weekly, on a weekly basis. We now do uploads and services weekly. It used to be monthly and then biweekly. We're now up to doing them on a weekly basis.
Communications via the CJIS WAN were more well established and continued. As of this point, we probably had 50 percent of the laboratories connected on the LAN. As of today, I think we have about 88 or 90 percent of the laboratories actually participating over the CJIS WAN. And at this point, of course, the laboratories are at about 150 participating for CODIS.
Now, what we're looking at is the PCR DNA technology is well established. And we're now seeing it a way for automated data input from the machines into CODIS. The crime laboratories have requested, and the Attorney General has directed, that we provide immediate on-demand access for uploading and searching of the national database. And we've begun working on that.
The CODIS redesign plan was submitted to the Attorney General in October of 2001 following the Attorney General's directive to us to redesign CODIS in August of 2001. We had begun the redesign process prior to that, but the Attorney General's focus on DNA and on CODIS and his support have really given this a jump-start for us.
This is a map just showing you basically that the hub of the CJIS WAN is that the FBI CJIS's facility in Clarksburg, West Virginia. And it's a frame - it's a secure frame relay network going out to all the participating public DNA crime labs so that they can electronically and remotely upload and search the database.
Training can by provided remotely. Diagnostics and maintenance can be provided remotely, as well as many upgrades to the system. And this we found has not only reduced travel costs, but it's also reduced help desk support costs as well.
This is a depiction of the current NDIS architecture. Right not we have about 180 separate CODIS -I'm sorry NDIS locations. Each one requires maintenance. Each one requires upgrade when the main CODIS or NDIS operating platform or software is upgraded.
You can see the national level of NDIS going down to California with 22 locations. Texas, 16; Florida 9. And, of course, there are many other states that are not depicted.
What we're going to be moving to is something along these lines. I know that's pretty small. You probably can't see it. I apologize. But I can describe it to you in basics so that you can maybe just get an idea for what we're doing here.
The new version of CODIS is going to be called CODIS Version 6.0. That's going to be using a web-based browser technology using thin client architecture.
So we will have one location for the servers that only one location would require upgrading and maintenance. Through the thin-client architecture we would have the database servers for data connecting to the applications servers. The database servers would be the first tier. The application servers would then be the second tier. Then we would go through the firewall and the CJIS WAN through a thin-client architecture to all of the 117 state and local participating laboratories.
So that if you have an upgrade to CODIS in the future to the software, to the hardware, you only need to do that at one location. And then the updates can be sent remotely to the states.
For those states whose database laws allow us to do it, we can maintain the data for them at the national level. And according to their instructions, maintain the data and the database.
For those states who deem their database statutes do not allow us to do that yet, or at the time that this becomes operational, they will basically keep operating as they are now, sending us a copy of their data, and we will continue to provide them the support that they require until they can migrate to the new database architecture.
We anticipate that it would take approximately 16 months to 18 months to develop CODIS 6.0 and have it tested. It would be using STR technology only. As I said, it will rely on the Internet Browser Software.
We're working with the University of Tennessee on a new searching algorithm. It's quite powerful; quite promising. That will be part of CODIS Version 6.0 as well.
This is just a comparison here - or actually it's not a comparison. This will just show you what we've been able to do so far. On a database size, the early test on the database size of 100,000 profiles, the search time was 560 microseconds.
The new profiles search algorithm is a lot more powerful than that and it can actually search so far. We've tested a database of about 47 million profiles and it can search that database and report a candidate match in approximately 290 microseconds.
This is just a depiction of the rack-mounted network structure. The machine types, they're going to be in clusters, or we think they'll be in clusters. This just talks a little bit about the technical specifications for the clusters and the machines and the network speed using fast ethernet ports and the Cisco routers.
This is a picture of the console, the CODIS console, what the CODIS workstation might look like and the root nose that would connect it to the database.
This is just some information on a test that was done. The search time on a 24-parallel node - basically what that is, is 24 states. Each machine or node would represent one state database. So what this is, is a 24-state database running in parallel.
The total number of DNA profiles across the 24 nodes or 24 states was 47 million. The STR profiles that were searched in the database contained 16 loci. We did a search against that 47 million 16 loci each for one specific profile. And it returned a match in 290 microseconds. So about half the time as the earlier test with only 100,000 profiles.
Again, this is just a picture of what the full system might look like or hopefully it will look like with the CODIS nodes and the racks with the clusters of the database and the workstation.
And this will be run on parallel nodes, of course. As I said before, we'll have probably 60 individual nodes. Each state will have its own node or database, if you want to call it that. NDIS will have its own as well. It will be capable of accommodating all DNA profiles. We've tested, as I said, at 47 million. Hopefully we'll be able to expand it beyond that.
This will also meet one of the Attorney General's directives to expand and redesign CODIS to be all foreseeable future needs.
We can search the local and state profiles, as required by state and local laws, and the states can as well as required by their laws and their procedures. The states and the locals will have the capability of searching suspects and arrestees at the state level. However, until we have new legislation, we cannot maintain or search those profiles at the national level.
Until CODIS 6.0 becomes operational - this is just an update on what we're going to be doing to modify the current CODIS software as it exist now to hopefully bring some additional capabilities to the states that our requesting such to help them now so that they don't have to wait for another 18 months until we upgrade to the new architecture.
Data testing will begin in mid-May for CODIS 5.2 W. It will be the model for direct import STR data in GDIS, which stands for General DNA Index System, which is basically the CODIS software.
There will be an STR data entry screen for adding or editing data into GDIS. And I should add that many of these, if not all of these capabilities, have come about through the work of Dr. Barry Brown, the CODIS program manager, and as custodian with people such as Dave Coffman and Mark Nelson and others from across the state and local laboratories.
They have been a big help in providing us input into what they would like to see in the system. And hopefully we're responding to meet some of those needs and those requests.
Pop stat is a population statistics 5.2 W we'll run on the web server and be available on the web and over the WAN with CODIS. All modules from the web server will be also available on the CGIS WAN.
So as we do the upgrades in the modules, we plan to make them available on the WAN to the state and local participating laboratories.
We hope to begin beta testing in the fall of this year. The web-based module for interpretation of mixtures, which I know is a hot topic from SWGDAM working groups, and the CODIS conferences, will be added prior to adding CODIS-LSD.
Capability for mitochondrial DNA analyst will also be added and we hope to begin beta testing that in the fall and hopefully sooner but at least in the fall of this year.
Again, all of the nodules, as they're developed and tested and validated, will be added to the LAN and made available to the users.
And this is just a little bit I hear about some of the other program initiatives that we have for CODIS, many of which also have come about through the input of state and local laboratories.
The CODIS software continues to be upgraded and developed and deployed via the CJIS WAN. There is a CODIS configuration control board. The beta testing laboratories and the mixtures, LSD issues, will be addressed. And on the CODIS configuration control board there will be laboratories who are current users of the system and who participate in SWGDAM, and they will help us to develop this and beta test this.
There will be, we hope, proficiency testing tracker utility so that we can track the status of proficiency test - the results of proficiency test. As you know, the law requires proficiency testing every 183 days. And where, you know, we're sticklers for that. We want to make sure that that's done and that it's done on time and that it's done properly.
We're also looking for ways based upon, again, the input from the laboratories to reduce the paperwork that the time laboratories have to do for us and for their participation. So we're hoping to use electronic signatures and try as much as possible to eliminate the paperwork and have it done electronically via the CJIS WAN.
There will be a CODIS questionnaire. We used to in the past have a rather lengthy CODIS survey, and it was very important for us to develop future software capabilities and enhancements to the system. But, again, it was kind of lengthy. It was a lot of paperwork.
We're going to streamline that and make that questionnaire then available electronically, as well, so that the laboratories can download, answer it electronically and e-mail it back to us.
And CODIS training, we're going to hopefully do more training with CODIS. We've looked at doing regional training. There, of course, is training here in Washington - actually in Tysons Corner at the SAIC facility, but training can increasingly be provided remotely as well via the CJIS WAN.
The CODIS users conference. The next CODIS users conference, I think, will be either the end of October or the beginning of November. We don't have a specific date yet set for that I don't think.
Do we, Barry? Oh, we do.
He's shaking his head yes.
Do you know when it is?
MR. BROWN: November 4th.
MR. BEHUN: November 4th through the?
MR. BROWN: 8th.
MR. BEHUN: 8th.
November 4th through the 8th in Washington will be the next CODIS users conference. And we will make a presentation at that time as well on the status of CODIS, the status of our redesign plans and responsiveness to the AG's directive.
And there will also be meetings of the CODIS state administrators to get further input from them on what they would like to see, not only in CODIS as it exist now, but the new version, CODIS 6.0, as well.
And that's all I have.
And Barry Brown, as I said, the CODIS program manager, is here, and we'd be happy to answer, between the two of us, whatever questions you might have about CODIS as it exist now or maybe what we might be looking to do under the redesign.
Some of that is still unknown. We're still in the process of determining what we would like to do with the CODIS redesign. We may be competing it. And so some of the information we have can't really be, I guess, given out since we may do a competition for the redesign. But as much as we can answer, we would be happy to, if you have questions.
MS. HART: John, if I could just suggest perhaps you should come down here. It's a little easier for you to hear the questions down here -
MR. BEHUN: Okay.
MS. HART: - I think - it's pretty hard up there to hear. And if Barry wants to join you up there, that might be helpful.
Dave?
MR. COFFMAN: Do you know if the University of Tennessee is planning on publishing their new search algorithm they developed -
MR. BEHUN: On the CODIS?
MR. COFFMAN: Uh-huh.
MR. BEHUN: Okay. I'll let Barry answer that since he's the cotar, and he's been working with them on that.
MR. BROWN: They've already published some papers on the mechanisms, but, you know, the source code is proprietary to the University of Tennessee. It's an electro property.
MR. COFFMAN: Okay.
MR. BROWN: But, you know, they are publishing in a lot of the literature as far as the concepts and the cluster design.
MS. HART: Maureen?
MS. CASEY: I just had a question. If you could just explain the concept for the redesign on the FBI's maintenance of the data.
MR. BROWN: Do you want to say that again, Maureen?
MS. CASEY: In the redesign concept, I thought they spoke about how to the extent state statutes allowed it. The FBI was going to maintain the original data, and to the extent that state statutes didn't allow it, yet you were going to come up with an alternate plan to deal with those kind of states.
MR. BROWN: Well, the alternative plan is they would continue to house their data at their existing site. For example, in Florida, all the data is housed at the state site. And so until, you know, if there's a requirement for them to change their legislation for the data they housed off-site.
MS. CASEY: So the requirement for who to -
MR. BROWN: So if the state database law allows the data in the state database to be housed off-site outside of the, I guess, the designated state agency, then what we could do is have a server for that state, a database server for that state at the FBI next to the other states, next to the one for NDIS. And then we can, you know, maintain the hardware and the software for that server.
We can maintain it for them and relieve them of that duty and that cost. If not, then essentially they would just continue the way they are now by housing and maintaining the data and the server at their site and just sending us a copy of it when they upload to NDIS.
To get that right -
MS. CASEY: Is that at the option -
MR. BROWN: - essentially?
MS. CASEY: - of the states?
MR. BROWN: Say again.
MS. CASEY: Is that at the option of the states?
MR. BROWN: Yes, it would be at the option of the states. Again, we only have x-amount of resources to do upgrades. And in most of the upgrades will be for, you know, the main server system, the main server farm at the FBI.
MS. HART: Barry?
MR. SCHECK: I noticed that you had a statistic up there of 35,000 or so forensic samples. And I take it this includes - well, first, these are cases - so-called un-sub cases, meaning where there is a profile from a crime scene but no assailant. And that also includes casework where there has been an identification to an assailant?
MR. BROWN: Yes, to both.
MR. SCHECK: So what is - if you can break it down, how many unsubs do you think there are?
MR. BROWN: We don't have that information -
MR. SCHECK: No idea.
MR. BROWN: - for that information is housed at the individual laboratories. The profile that comes up to us is from an alleged perpetrator.
MR. SCHECK: And is anybody working on some kind of, you know, predictive models statistically on which kinds of inputs will increase the number of hits? I mean, 35,000 forensic samples seems to me minutiae. I mean, it just seems so small.
And in terms of the presentation that Tim made, if you're really going to tap the investigative power of this system, there has to be a concerted effort to raise that number considerably, I take it.
MR. BROWN: Right, right.
MR. BEHUN: Well, I think that's where NIJ comes in too. Through their grant programs, for example, the current solicitation that we're reviewing for no-suspect cases, that would feed into adding more forensic profiles to the system. The more profiles you have, of course, the more hits you'll get and the more successful you'll be.
Georgia showed us a statistic from, I think, a quarter ago or two quarters ago, where about, what Barry, 80 percent of their hits were either between property crime cases to other property crime cases, or property crimes to violent assaults, rapes, and homicides. It's just important to work the cases and to get them submitted.
MS. HART: Paul?
MR. FERRARA: John or Barry, with respect to the 1994 DNA Identification Act, currently there's a lot of limitations with respect to what help you-all - what CODIS can do.
One, does the bureau support changes, modifications, to that 1994 DNA Identification Act; particularly, with respect to who can be included at a national level?
The other, what I'll call bureaucratic problems, that that law brings with it, the 183 days versus ASCLD-LABS twice a year, do you see a simplification or a rewrite of that 1994 Act as maybe an initiative that the bureau will take?
And the other part of that is: Does the Office of the Inspector General always going to be looking over your shoulder regardless of what you do with that Act? And that seems - that's a real problem I think for us and I suspect for you-all.
MR. BROWN: Can I answer that. I'll answer the second one first. The OIGS audit staff has told us that they will periodically come back and take a look at our program at headquarters and the progress of CODIS and the CODIS program as a whole, not only in implementing their recommendations, but just to see how we're managing the program.
So I think for the foreseeable future, we'll probably always have at least one eye from the OIG looking at us and see, you know, what we're doing, and if we're doing it correctly.
For the first question, I'm going to actually turn that over to Joe DiZinno, because he can probably more appropriately speak for the Bureau than I can.
MR. DIZINNO: I would say, Paul, that if the states would come to us with concerns about the legislation, and that was a consensus of the states, the Bureau would certainly support moving that forward.
MR. BROWN: That's good to know. If I could add something. When we originally started to design the CODIS software, this goes back to, you know, the early nineties, the original limitations were married right to what we knew the federal law would be just offenders.
Yet we very quickly realized probably about '93 or '94 that that was not going to serve the needs of the users. And so that's why at the state and local level you do have the capacity for creating specimen categories and indexes to accommodate suspects and arrestees.
And so we built that into the software at the request of the state and local people, even though obviously, as you mentioned, were required to limit, and the searches of the national level.
So right now, as you know, the software is designed to do both.
MS. HART: Carl?
MR. SELAVKA: Has there been resolution of what constitutes appropriate review of convicted offender profiles from outsource laboratories?
MR. BROWN: Yeah, I would actually defer to Dave Coffman, who is on the DNA Advisory Board, and has given excellent advice on that.
MR. COFFMAN: Well, basically I just think that you do need to look at the data. I think there's a lot of different ways that people accomplish that. I think you need to look at the tracings, the actual electropherograms, to ensure that someone didn't erroneously mark a spike or a crystal if you're using a capillary system.
I think it's - we have found issues with vendor data coming back to us. It's rare. But the problem is I think sometimes in the community there's a feeling that because offender samples are very easy to analyze because they're a pure sample or a more pristine sample that somehow it's okay if they don't take care in reviewing the data.
I having a mis-type offender sample going through the system and people thinking that offenders in the system who will never match any crimes that he is committing because he's been mis-typed. So I think a quality review of the data should be accomplished by the owner of the profile which is always the laboratory whether you contract it out or not.
In our system, we don't implement our two individuals review when we send it out to a vendor, because it has been reviewed by two people at the vendor labor, but we do review it before we put it in. And it really hasn't been that oppressive. I mean, you just assign people. You don't have the same person do it or they'll go comatose on you within a month or two. But you just share the wealth and you can get quite a bit of data review with no problem.
MR. SELAVKA: Is that in writing somewhere that all labs do it the same way?
MR. COFFMAN: I don't believe there's anything in writing on how the labs do it, but I have shared our review protocol with many labs who have requested it and we would be happy to.
MR. BROWN: I think Carl at the - yes, when you look at that standard, as you know, talking to people from the DAB like Dave and also Paul Ferrara, there is the expectation there will be 100 percent of 1000 percent of the data.
MS. HART: Cecelia?
MS. CROUSE: Barry, I just wanted to let you know that I'm not so sure that a 35,000 number really represents the number of forensic cases that are in individual databases because there is a requirement that you have a minimum of ten of CODIS. And, I mean, we have three years of casework with only eight because that's the only multiplex we've used. And it's best that we turn to go back and to get those completed.
They're certainly up at the state level, but they're not up at the national level. By special request, we certainly can get these up, which we have.
So, Dave, you can speak to how many are in there by our own individual state versus the forensic samples.
MR. COFFMAN: In no-suspect cases? I'm sorry, I was actually not paying attention.
(Laughter.)
MS. CROUSE: So we laugh. He doesn't know either.
MR. COFFMAN: Well, no. Someone asked me a question. But you're talking about no-suspect cases? How many in -
MS. CROUSE: Barry mentioned about the 35,000 and I don't think that's necessarily representative of what the individual state database is. This is what can go up to national.
MR. COFFMAN: That's correct. Because obviously when the FBI is building a national system that there's more stringent requirements because their system is going to go much more rapidly than within the state.
So we have kind of had a floating threshold as we get bigger and we start getting more and more false matches. We used to allow as few as five loci to search with STI. Now, we're up to seven, because we started getting so many false erroneous matches.
NIJ, when we received funding for working offender samples, they attached a requirement of doing a certain number of no-suspect cases to that. We created a software program that we sent out to all the states that ask specific questions about the cases they've worked and are they no-suspect.
And I've been getting those monthly. And I would say that probably based on the last year and a half as keeping that data that I would say maybe in Florida make 20 percent or actually no-suspect cases that are being put in.
And I think we're better than a lot of states. Virginia, I think, is doing more no-suspect cases than we are. But a lot of states just don't have the staff to work the no-suspect cases, and that's a big issue, the warm bodies to get the job done.
But in the last year I will tell you it's starting to go up drastically, because for the first time we're having more and more burglary cases submitted to use. And used to that was the case that got screened out that they wouldn't look at.
MR. SCHECK: Can I follow-up with a question for all of you then? Let's say that we get a profile in some post-conviction case or you get one in an old case that's being reinvestigated and you don't have - you have maybe eight, you know, loci or something like that, because after all it's an old, created sample.
As Cecelia is pointing out, I mean, how could we accomplish a search that really is going to hit the state databases, as well as, you know, the NDIS database to make sure that we're at least trying to find all hits at eight loci for this sample? We have run into that problem all the time. How would you do that? Or do we have the capacity to do that?
MR. BROWN: The first thing I would premise it by saying that the current business operating procedures that we have were based upon what we speculated would be the way to operate a national program and we certainly gathered a lot of information.
Some of these issues we're planning on addressing in the redesign by redoing the architecture that we do search and actually do a search analysis by different methods than the one we do right now.
Under the plans that the STR Study Committee approved is you have to attempt all 13 for it to be eligible to be searched at national. However, in the case, like you said, where you can only get eight, we will execute a keyboard search at national of those eight loci against the existing offender and forensic samples at national.
MR. SCHECK: You've done that for us. But my question is: How am I going to reach the ones that are in national that Cecelia is pointing at and Dave's pointing at? How would we do that? We just have to request somebody to send them to each different state?
MR. BROWN: A lot of the states have begun because we have a faster searcher algorithm than we started with. And I know Dave can talk about how fast, you know, how the old searcher algorithm. We have a new one and then we have the University of Tennessee. The time frame of the one we're currently using right now which is called Searcher 66 reduce the time of searching at national from about 52 hours to one hour.
And so what we've actually been doing, and I know that Paul's lab did, is they uploaded all of their profiles to us. So if all of those profiles are up there, even though they're not being searched automatically, if we hit it with a keyboard search, it's going to find that. But, you know, they've - if you look at the stats from their laboratory when they've gone back and done the reanalysis for the offender samples, they're going to go up like 15,000 or 20,000 a month.
MS. HART: Are there any other questions? Oh, I'm sorry. Kim and David.
MR. FERRARA: I just want to respond to Barry. I think - I'm hoping I understood what you're asking. But basically what I do is I have all of our CODIS - all the CODIS managers that I have their e-mail. I have my own personal e-mail list.
And if we do have a case like that that does not meet the national standard, I will e-mail it directly to them. And if they're willing to search it, most of them are. They will search it.
So that might be something you might want to consider is just you can send an e-mail out to all the CODIS managers of each state for those cases that don't meet the federal standard.
MS. HART: Kim?
MS. HERD: There's been some press recently about an internet vulnerability. It's the S&N paper protocol. An internet vulnerability and a particular protocol that's utilized over networks. And I guess that made me think.
What type of security measures do you have in place? And do you require those at the state and local in their particular systems?
MR. BROWN: For the national system, the security is - well, first of all, for communications, although we will be using in the future with a new version of CODIS, an internet browser-based technology or typed technology, it will still be carried over the CGIS WAN, which only law enforcement agencies and laboratories, law enforcement laboratories, have access to.
So, you know, this will not be on the Internet. It would only be on the WAN. Our CGIS division is a division constantly doing penetration testing of the LAN. In the last penetration testing that they've done, they reported to me that they were not able through any other network or any other site on the network to get into CODIS, to get to the CODIS data, to see it, to manipulate it, to delete it, to do anything with it.
Now, exactly what all goes into that penetration testing, I don't know. I just know that they were unable to do that. Barry can probably talk to you a little bit better about what security we provide to the server itself or what, you know, the request of the states.
Within the limits but allowed to say publicly it's secure. The firewall is there and, you know, the testing that they do does intentionally look at the vulnerabilities that have been published.
MS. HART: If we could finish up with Paul, I want to try and stay on target so we can get you-all out on time. And after we're done with Paul, if we could take about ten minutes for people to get their lunch, and we can then move on to the next panel.
Paul?
MR. FERRARA: One quick question, Barry, or John.
If Under CODIS 6.0, if the main system goes down, does that mean the states won't be able to do any searching even within their own states if the CODIS 6.0 system is down for maintenance problems of any sort? I mean, are we all vulnerable if you guys go down?
MR. BROWN: Under the redesign, if will have a hot swap off-site location, it will be 24 by 7. So, you know, it'll be a redundant system at a different location.
MR. FERRARA: Thank you.
MR. BROWN: You bet.
MS. HART: Thank you very much. Join me in thanking Tom and Barry here. We appreciate it.
(Applause.)
MS. HART: Help yourself to lunch, and let's try and start with the next panel in about ten minutes.
(Recess.)
