[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]
COMPUTER SECURITY REPORT CARD
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
INFORMATION, AND TECHNOLOGY
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 11, 2000
__________
Serial No. 106-260
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
U.S. GOVERNMENT PRINTING OFFICE
74-495 WASHINGTON : 2001
_______________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing
Office
Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman

Majority members:
BENJAMIN A. GILMAN, New York
CONSTANCE A. MORELLA, Maryland
CHRISTOPHER SHAYS, Connecticut
ILEANA ROS-LEHTINEN, Florida
JOHN M. McHUGH, New York
STEPHEN HORN, California
JOHN L. MICA, Florida
THOMAS M. DAVIS, Virginia
DAVID M. McINTOSH, Indiana
MARK E. SOUDER, Indiana
JOE SCARBOROUGH, Florida
STEVEN C. LaTOURETTE, Ohio
MARSHALL ``MARK'' SANFORD, South Carolina
BOB BARR, Georgia
DAN MILLER, Florida
ASA HUTCHINSON, Arkansas
LEE TERRY, Nebraska
JUDY BIGGERT, Illinois
GREG WALDEN, Oregon
DOUG OSE, California
PAUL RYAN, Wisconsin
HELEN CHENOWETH-HAGE, Idaho
DAVID VITTER, Louisiana

Minority members:
HENRY A. WAXMAN, California
TOM LANTOS, California
ROBERT E. WISE, Jr., West Virginia
MAJOR R. OWENS, New York
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
PATSY T. MINK, Hawaii
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, Washington, DC
CHAKA FATTAH, Pennsylvania
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
ROD R. BLAGOJEVICH, Illinois
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
JIM TURNER, Texas
THOMAS H. ALLEN, Maine
HAROLD E. FORD, Jr., Tennessee
JANICE D. SCHAKOWSKY, Illinois
------
BERNARD SANDERS, Vermont (Independent)
Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
James C. Wilson, Chief Counsel
Robert A. Briggs, Clerk
Phil Schiliro, Minority Staff Director
------
Subcommittee on Government Management, Information, and Technology
STEPHEN HORN, California, Chairman

Majority members:
JUDY BIGGERT, Illinois
THOMAS M. DAVIS, Virginia
GREG WALDEN, Oregon
DOUG OSE, California
PAUL RYAN, Wisconsin

Minority members:
JIM TURNER, Texas
PAUL E. KANJORSKI, Pennsylvania
MAJOR R. OWENS, New York
PATSY T. MINK, Hawaii
CAROLYN B. MALONEY, New York

Ex Officio:
DAN BURTON, Indiana
HENRY A. WAXMAN, California
J. Russell George, Staff Director and Chief Counsel
Ben Ritt, Professional Staff Member
Bryan Sisk, Clerk
Trey Henderson, Minority Counsel
C O N T E N T S
----------
Hearing held on September 11, 2000
Statement of:
Dyer, John R., Chief Information Officer, Social Security Administration
Gilligan, John, Chief Information Officer, Department of Energy, cochair, security, privacy and critical infrastructure committee, Chief Information Officers Council
Hobbs, Ira L., Deputy Chief Information Officer, Department of Agriculture
Hugler, Edward, Deputy Assistant Secretary for Administration and Management, Department of Labor
Singleton, Solveig, director of information studies for the CATO Institute
Spotila, John T., Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget
Tanner, Mark A., Information Resources Manager, Federal Bureau of Investigation, Department of Justice
White, Daryl W., Chief Information Officer, Department of the Interior
Willemssen, Joel, Director, Accounting and Information Management Division, U.S. General Accounting Office, accompanied by Robert Dayce, Director for Computer Security Issues, General Accounting Office
Letters, statements, etc., submitted for the record by:
Dyer, John R., Chief Information Officer, Social Security Administration, prepared statement of
Gilligan, John, Chief Information Officer, Department of Energy, cochair, security, privacy and critical infrastructure committee, Chief Information Officers Council, prepared statement of
Hobbs, Ira L., Deputy Chief Information Officer, Department of Agriculture, prepared statement of
Horn, Hon. Stephen, a Representative in Congress from the State of California:
Letter dated July 27, 2000
Prepared statement of
Hugler, Edward, Deputy Assistant Secretary for Administration and Management, Department of Labor, prepared statement of
Singleton, Solveig, director of information studies for the CATO Institute, prepared statement of
Spotila, John T., Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget, prepared statement of
Tanner, Mark A., Information Resources Manager, Federal Bureau of Investigation, Department of Justice, prepared statement of
Turner, Hon. Jim, a Representative in Congress from the State of Texas, prepared statement of
White, Daryl W., Chief Information Officer, Department of the Interior, prepared statement of
Willemssen, Joel, Director, Accounting and Information Management Division, U.S. General Accounting Office, prepared statement of
COMPUTER SECURITY REPORT CARD
----------
MONDAY, SEPTEMBER 11, 2000
House of Representatives,
Subcommittee on Government Management, Information,
and Technology,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in
room 2154, Rayburn House Office Building, Hon. Stephen Horn
(chairman of the subcommittee) presiding.
Present: Representatives Horn and Turner.
Staff present: J. Russell George, staff director and chief
counsel; Randy Kaplan, counsel; Ben Ritt, professional staff
member; Bonnie Heald, director of communications; Bryan Sisk,
clerk; Elizabeth Seong, staff assistant; George Fraser, intern;
Michelle Ash and Trey Henderson, minority counsels; and Jean
Gosa, minority assistant clerk.
Mr. Horn. The quorum being present, this hearing of the
Subcommittee on Government Management, Information, and
Technology will come to order.
We're here today to discuss one of the Federal Government's
most important and ongoing challenges, the security of
government computers. Computers and the Internet are
revolutionizing the way we do business, conduct research and
communicate with friends and associates. The benefits are
enormous as vast amounts of information flow instantly from
business to business and individual to individual, but
widespread access to computers and the Internet also carries
the significant risk that personal, financial or business
information can fall into the hands of computer hackers or
others with more malicious intent.
Similarly, as the Federal Government becomes increasingly
dependent on computers and the Internet, the computer systems
and the sensitivity of information they contain come under an
increasing number of attacks. Unlike the year 2000 or Y2K
computer challenge, this threat has no deadline. Rather it is a
day-to-day challenge created by an increasingly sophisticated
technology. In order to guarantee the integrity of the Federal
programs and to protect the personal privacy of all Americans,
government leaders must focus their attention on the security
of their vital computer systems.
Today the subcommittee is releasing its first report card
on the status of the computer security at executive branch
departments and agencies. These grades are based on self-
reported evaluation of agency information, in addition to the
results of audits conducted by the General Accounting Office
and the various agency inspectors general. This is the first
time such governmentwide information has ever been compiled.
As you can see, only two agencies have made progress toward
protecting their computers against invasion. Although auditors
found some significant weaknesses at the Social Security
Administration and National Science Foundation, both agencies
received Bs, the highest grade awarded. But the rest of the
picture is very dismal. Overall the government earned an
average grade of D minus. More than one-quarter of the 24 major
Federal agencies received a failing F; the Department of Labor,
charged with maintaining vital employment statistics, an F; the
Department of the Interior, which manages the Nation's public
lands, an F; the Department of Health and Human Services that
holds personal information on every citizen who receives
Medicare, another F; Agriculture and Justice, the Small
Business Administration, the Office of Personnel Management,
the personnel office for the entire executive branch of the
Federal Government, all Fs.
Six other vital agencies nearly failed. The Department of
Defense, whose computers carry some of the Nation's most
sensitive secrets, earned only a D plus for its computer
security program; Veterans Affairs and Treasury, along with the
Environmental Protection Agency, General Services
Administration and National Aeronautics and Space
Administration, more Ds.
Four other government agencies received grades of
incomplete. These vital agencies oversee key elements of the
Nation's infrastructure and emergency services. They are the
Departments of Energy and Transportation, the Nuclear
Regulatory Commission and the Federal Emergency Management
Agency [FEMA]. These agencies could not receive a grade because
there have been insufficient auditor resources and scrutiny to
validate the agencies' self-evaluations.
Obviously there is a great deal of work ahead. Regardless
of grade, each agency must recognize that the daily challenges
to their computer systems will continue to grow in number and
sophistication. They must take the necessary steps to mitigate
those threats. There is no room for complacency, for the stakes
are simply too high.
We have with us today witnesses representing six of the
agencies that were graded. They will discuss their agency's
progress and plans to develop acceptable computer security
procedures.
Mr. John Gilligan from the Department of Energy will also
testify on behalf of the Chief Information Officers Council. In
addition, we have the Honorable John Spotila from the Office of
Management and Budget, which is charged with overseeing the
agencies' computer security efforts; and Mr. Joel Willemssen
from the General Accounting Office, which works for the
legislative branch, headed by the Comptroller General of the
United States. And I want to thank Comptroller General Walker
and the staff for their excellent help in regard to the grades
and everything else. I take the responsibility for the grades,
but they sat for hours with us on making sure that we've been
fair.
We have the ability, the government has the ability, to
protect the integrity of the vital computer systems. As I look
back, this is sort of where we were on Y2K in April 1996. There
are a lot of Fs, a lot of Ds, but the executive branch came
through on midnight January 1 where it counted, and I am
confident that the executive branch will do the same thing this
time.
We welcome all of our witnesses, and we look forward to
their testimony.
I now yield to the ranking member for an opening statement,
the gentleman from Texas Mr. Turner.
[The prepared statement of Hon. Stephen Horn follows:]
[GRAPHIC] [TIFF OMITTED] T4495.001 through T4495.020
Mr. Turner. Thank you, Mr. Chairman.
As we all understand, our Federal agencies rely on
computers and electronic data to perform functions that are
essential to our national welfare and directly affect the lives
of millions of Americans.
This technology greatly benefits Federal operations through
the speed and accessibility it provides, but it also creates
vulnerability to attack. Individuals, organizations and
virtually anyone today with a computer and a modem has the
potential to interrupt and to eavesdrop on government
operations around the world. Many experts are predicting that
future wars will be in the form of cyberattacks and fought out
over a computer grid rather than a battlefield.
I want to commend the chairman for his interest and his
work on this important issue. Computer security is without a
doubt one of the most critical and difficult technical
challenges facing our government. As with Y2K, this subcommittee
has an important oversight role in holding our Federal agencies
accountable for implementing computer security efforts, and
while I commend the chairman's efforts to reduce the task to a
simple report card grade, I also realize that improving
computer security is a very complicated, timely and costly
process.
Additionally, I do understand that the subjective format of
our grading system could in some cases unfairly portray the
significant efforts an agency has made to take corrective
actions. I realize that some agency computer systems are
critical to national security, while others may not be. I also
realize that this Congress has an obligation to provide
adequate funding to agencies so that they might meet the
requirement that we have imposed on them.
While I want to commend the agencies that are moving
forward, it is clear that the Federal Government has a long way
to go before an effective, comprehensive Federal computer
security system is in place. It is my hope that as a result of
these hearings, we will be closer to achieving our mutual goal.
We want to make sure that the Federal managers have the tools
and the funds in place to be accountable for the protection of
agency infrastructures.
Again, I thank the chairman for calling this hearing. I
appreciate the good work that the committee and the staff have
done, and I look forward to hearing from each of our witnesses.
Thank you, Mr. Chairman.
[The prepared statement of Hon. Jim Turner follows:]
[GRAPHIC] [TIFF OMITTED] T4495.021 through T4495.022
Mr. Horn. Well, we thank you, and I agree with you. We need
to be talking to the authorizers and the appropriators to make
sure that what is needed will be there. So I imagine the next
round we should have some improvement.
We will now start with the witnesses, and along the agenda
the Honorable John Spotila is the Administrator, Office of
Information and Regulatory Affairs, Office of Management and
Budget, part of the President's Executive Office of the
President, and he is speaking on behalf of OMB today.
So, Mr. Spotila.
STATEMENT OF JOHN T. SPOTILA, ADMINISTRATOR, OFFICE OF
INFORMATION AND REGULATORY AFFAIRS, OFFICE OF MANAGEMENT AND
BUDGET
Mr. Spotila. Good morning, Mr. Chairman and members of the
committee. Thank you for inviting me here to discuss OMB's
efforts in the vital area of computer security.
OMB policies build on a statutory framework requiring that
Federal agencies adopt a set of risk-based management controls
for all Federal computer systems. The agencies must
periodically review their security controls to ensure continued
effectiveness.
In an effort to identify strengths and weaknesses in agency
security programs, OMB sought updated information from the
agencies in June 1999 on their risk management processes. We
are now focusing on the security posture of 43 high-impact
government programs where good security is particularly
important. These programs include Medicare, Medicaid, the air
traffic control system, Social Security and Student Aid. In
late May of this year, we asked the agencies to send us
specific information regarding the management, operational and
technical controls in place for each application or general
support system sustaining these programs.
Our preliminary findings are illuminating. We have made
significant progress, but can still do better. Agencies are
working to integrate security into their capital planning and
investment control processes. We have made this a high
priority. Many agencies have completed a security review of
their systems and have updated their security plans within the
last 2 years. Many agencies develop and share their security
plans with their partner organizations and other agencies. This
promotes a comprehensive understanding of the interconnections
prevalent in a shared risk environment.
Due to their extensive Y2K work, most agencies have tested
their continuity of operations plans within the last 2 years.
Most agencies have provided users and system administrators
with IT security training within the last year. Most agencies
update their virus detection and elimination software on an
ongoing basis and have successfully implemented processes to
confirm the testing and installation of software patches in a
timely manner.
Nearly all agencies have documented incident handling
procedures and have a formal incident response capability in
place. More agencies need to install firewalls at external
entry points to exclude unauthorized users and within their
networks to ensure that authorized users do not exceed
authorization.
Agencies can better protect the confidentiality of
sensitive material through increased use of encryption for
password files and personal information. Agencies should
improve their intrusion detection capabilities and procedures.
This should include increased involvement of agency privacy
officers and legal counsel in reviewing the monitoring
activities.
More agencies should ensure that agency managers
specifically authorize the processing of each new or updated
system before actual operations begin. More agencies should
have independent review of their security plans.
We are working with the agencies on all of these areas. The
President, his chief of staff and the Director of OMB have all
taken a personal interest in enhancing security for our
interconnected systems. This has gone a long way to establish
senior management support at the agencies.
In February, OMB issued important guidance to the agencies
on incorporating security and privacy requirements in each of
their fiscal year 2002 information technology budget
submissions.
A well-known computer security expert, Robert Courtney,
once said, ``Good security is the ultimate non-event.'' In that
phrase, he summarized the difficulty of measuring effective
security. We face a significant challenge. We must devise a
method to assess security for the whole of government, its
thousands of vastly diverse systems and millions of desktop
computers. No other organization faces demands in this area
that are as broad as those the government confronts.
Since last fall, OMB has worked with the CIO Council, NIST,
GAO and the agencies to develop security performance measures
against which agencies can assess their security programs. As
you know, CIO Council and NIST representatives have met with
your staff to discuss this effort. We have made great progress
in a relatively short period of time, but, not surprisingly,
there is more to be done. Even the private sector is struggling
with this challenge.
Mr. Chairman, clearly you are focused on the need to assess
agency security programs. While we appreciate your serious
interest in security and your belief that grades will help the
agencies improve their performance, we do have some concerns
with this approach. We look forward to working closely with you
to develop better ways of measuring progress in this area. We
learned much from our collegial efforts with the committee, GAO
and the agencies in developing good Y2K measurements. Ideally,
we should work together to develop a similar workable set of
measurements for assessing agency security programs.
Measuring agency security effectiveness is at least as
complex as the Y2K measurement effort. We must assess programs
and implementation at three different levels: the relatively
uniform agency management or executive level; the expansive mix
of individual programs where agency business operations take
place; and at each of the thousands of government information
systems that support actual agency program operations.
Cursory measurements can be misleading. A well-documented
security program without the periodic evaluation of control
effectiveness can give a false sense of security. A weak
central organization can obscure highly effective component,
program or system-level security. We must take a comprehensive
approach to evaluating security if we are to generate
meaningful results.
Our assessment approach begins with the premise that all
agency programs and systems must include a continuing cycle of
risk management, appropriate methods to evaluate and measure
performance, and the ability to anticipate or quickly react to
changes in the risk environment.
We are putting great emphasis on agency self-assessment.
This fall all agencies will use a NIST-prepared questionnaire
that focuses on overall agency programs as well as on specific
management, operational and technical controls applied to each
system or group of systems. Assessing the effectiveness of the
program and the individual controls, not simply their
existence, is vital to achieving and maintaining adequate
security.
The NIST questionnaire will help agencies identify whether
the program and controls are properly documented, implemented
and continuously tested and reviewed. We can then determine a
security level for an individual system, an agency or
component, or, in aggregated form, an entire agency.
Self-assessments improve security. They are less costly and
can be performed more frequently than compliance inspections
and audits. They can be performed by system users, thereby
helping to promote buy-in and greater compliance. They promote
openness and cooperation among all participants. They can also
give us good information on a timely basis.
In seeking to measure security effectiveness, we should not
equate it to our Y2K experience. While Y2K was a complex
management challenge, it was a relatively straightforward
technical one, and we could measure progress toward a known
event. Security challenges, on the other hand, are
unpredictable, ongoing, ever-changing and multidimensional.
Security threats often arise from malicious parties who probe
for vulnerabilities and risks. These threats can strike at the
confidentiality of our information, the integrity of our
systems and data, and our ability to ensure that information in
systems will be ready for use when needed. These threats are
ever-changing and our approach to security must be equally
dynamic.
While a general progress report at an agency level can be
valuable when used in the proper context, it is but a snapshot
taken at a point in time. It may or may not even be a clear
picture. Because a security program comprises physical,
personnel, technical and other controls, accurately assessing a
program is an extremely complex undertaking. In our view, the
differences between the two call for different responses. Just
as we must resist the simplicity of a one-size-fits-all
security program for the wide variety of agency systems, we
must also avoid a one-size-fits-all approach to measuring
successes and shortfalls.
If we are to improve the government's approach to
information security, we need to work together. We very much
appreciate the committee's interest in this important area and
look forward to continuing our close cooperation with you. We
value our partnership with you and hope that this hearing will
mark a further strengthening of our joint efforts on behalf of
the American people. Thank you.
Mr. Horn. We thank you. And in courtesy to the executive
branch, we let you go beyond the 5-minute rule.
Mr. Spotila. Thank you.
[The prepared statement of Mr. Spotila follows:]
[GRAPHIC] [TIFF OMITTED] T4495.023 through T4495.036
Mr. Horn. I will say for all the other witnesses after Mr.
Willemssen, who speaks for the General Accounting Office of the
legislative branch, that we would like you to summarize, and we
will bring the gavel down every 5 minutes now or we're not
going to be out of here, and we want to be out of here by
roughly 11:45. I know a number of you have commitments.
What I would like to put in the record at this point for
the hearing record--and tell me if there's anything else that
ought to go into it, or some of these are classified, just to
redact them, as the saying goes--Presidential Directive 63;
OMB-A130, the Budget Director Mr. Lew's guidance to agencies;
the appendix 3 and associated NIST--what was once the Bureau of
Standards and Security--guidance. And I would like these simply
as appendices to your testimony, and if there's a problem, work
it out with staff.
Mr. Spotila. That's fine.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T4495.037 through T4495.085
Mr. Horn. So we will now move to have the oath since I
didn't begin it that way. If you will all stand.
[Witnesses sworn.]
Mr. Horn. The clerk will note all the witnesses affirmed.
And we now go to the agent of the Comptroller General of
the United States, which is Joel Willemssen, Director,
Accounting and Information Management Division, U.S. General
Accounting Office.
Mr. Willemssen.
STATEMENT OF JOEL WILLEMSSEN, DIRECTOR, ACCOUNTING AND
INFORMATION MANAGEMENT DIVISION, U.S. GENERAL ACCOUNTING
OFFICE, ACCOMPANIED BY ROBERT DAYCE, DIRECTOR FOR COMPUTER
SECURITY ISSUES, GENERAL ACCOUNTING OFFICE
Mr. Willemssen. Thank you, Mr. Chairman, Ranking Member
Turner. Thank you for inviting us to testify today.
Accompanying me is Robert Dayce, GAO's Director for Computer
Security Issues, and as requested I'll briefly summarize our
statement.
Overall GAO and inspector general reviews done over the
past year continue to show that Federal agencies have serious
and widespread computer security weaknesses. Our analysis of
recently issued GAO and inspector general reports revealed
significant weaknesses at each of the 24 major Federal
agencies. As displayed on the board, these weaknesses were
reported in all six major areas of general computer security
controls.
For example, in the area of security program management,
weaknesses were identified at 21 agencies. Security program
management is fundamental to the appropriate selection and
effectiveness of the other categories of controls shown on the
board. This area covers a range of activities related to
understanding risks, selecting and implementing controls
appropriate with risk levels, and ensuring the controls, once
implemented, continue to operate effectively.
Another critical area where weaknesses have been found at
each of the 24 agencies is access controls. Weak controls over
access to sensitive data and systems make it possible for a
person to inappropriately modify, destroy or disclose data or
computer programs. For the other highlighted areas of security
controls, we've also found significant weaknesses at most of
the agencies in which audit work has been done.
I think it's noteworthy to point out that since our last
analysis of issued reports in 1998, the scope of audit work
performed has expanded to more fully cover all six major
control areas at each agency. Not surprisingly, this has led to
the identification of additional areas of weakness. However,
this does not necessarily mean that security is getting worse,
although it is clear that serious pervasive weaknesses persist.
These serious weaknesses present substantial risk to Federal
operations, assets and confidentiality.
Because virtually all Federal operations are supported by
automated systems and electronic data, the risks are very high,
and the breadth of the potential impact is very wide. The risks
cover areas as diverse as taxpayer records, law enforcement,
national defense, and a wide range of benefit programs.
While a number of factors have contributed to weak Federal
information security, I want to emphasize that we believe the
key underlying problem is ineffective security program
management. With that in mind, we have issued two executive
guides that discuss practices that leading organizations have
employed to strengthen the effectiveness of their security
programs.
In conclusion, the expanded body of audit evidence that has
become available shows that important operations at every major
Federal agency continue to be at risk as a result of weak
controls. Reducing these risks will require agencies to
implement fundamental improvements in managing computer
security.
Thank you, Mr. Chairman, and I would be pleased to address
any questions that you may have.
Mr. Horn. Well, thank you very much. We will have the
questions after all the witnesses have made their presentation.
[The prepared statement of Mr. Willemssen follows:]
[GRAPHIC] [TIFF OMITTED] T4495.086 through T4495.104
Mr. Horn. The next witness is John Gilligan, the Chief
Information Officer for the Department of Energy, the cochair
for Security, Privacy and Critical Infrastructure Committee of
the Chief Information Officers Council. I will give you another
minute besides the 5 because you're speaking for the Chief
Information Officers Council. Mr. Gilligan, you've prepared a
very thorough statement, but we can't obviously get over 25
pages into the record at this point, but it is in the record,
but not having been spoken.
So if Mr. Gilligan will proceed.
STATEMENT OF JOHN GILLIGAN, CHIEF INFORMATION OFFICER,
DEPARTMENT OF ENERGY, COCHAIR, SECURITY, PRIVACY AND CRITICAL
INFRASTRUCTURE COMMITTEE, CHIEF INFORMATION OFFICERS COUNCIL
Mr. Gilligan. Thank you, Chairman Horn and Ranking Member
Turner. I want to thank you for the opportunity to appear
before this subcommittee to address the very important issue of
improving security of our Federal information systems. My
remarks today will focus on my perspectives as cochair of the
CIO Council's Security, Privacy and Critical Infrastructure
Committee.
Federal CIOs share the concerns that have been expressed by
Members of Congress, senior members in the administration, and
the public, that we need to improve the security of our
government information systems. Federal CIOs take their
responsibility to oversee agency efforts in cybersecurity very
seriously. We share the frustration of members of this
committee that progress in securing government systems has not
been more rapid. Let me assure you that Federal CIOs are not
asleep at the wheel. Rather, they are laboring hard to get a
handle on one of the Nation's most complex technological and
management problems.
Perhaps it is useful to put the difficulty of cybersecurity
into perspective. I recall an exchange I had with a military
four-star general a few years ago. We were discussing his
frustration with the slow progress on an information technology
project. This very successful commander with hundreds of
thousands of troops under his command was clearly exasperated.
He commented to me after we had discussed the project status,
``John, after all, this is not rocket science.'' As I later
examined his comment, it became clear that he was right. The
problem could not correctly be compared to rocket science where
we have literally hundreds of years of experience, including a
well-defined set of engineering principles.
Due to the rapid pace of evolution of information
technology, we are typically faced with applying information
technology solutions that have been in existence for months or,
at best, a few years. I submit that the situation is acute for
cybersecurity. It is not rocket science. No, many aspects of
cybersecurity are indeed much more difficult than rocket
science.
When I addressed this committee in March of this year, I
stated that the single biggest challenge that I saw for CIOs in
cybersecurity was making line management aware that
cybersecurity is not just a complex technological issue. At the
core cybersecurity is also a complex risk management issue.
Another challenge that I see facing CIOs is helping line
management answer the question, ``what is adequate security?''
Security experts tell us that no system is impenetrable if
network access is provided. However, the collective
inexperience of government and industry in applying security to
a range of functions including public Web sites, financial data
bases, procurement-sensitive data, citizen benefits and
corporate-sensitive or government-sensitive research, makes
this a hard problem.
The primary focus of the CIO Council efforts in this area
has been to help Federal organizations address the question of
what is adequate security. The CIO Council has sponsored a Web-
based repository for sharing best practices. This repository
can be found at http://bsp.cio.gov.
We have developed sample security policies for use by
agencies in intrusion reporting and procuring security
projects. We have worked to improve governmentwide processes
for reporting security incidents and distributing warnings in a
rapid fashion. An ongoing effort is to develop a set of
benchmark security practices for electronic services.
The Council has also sponsored a number of training and
education forums addressing privacy and critical infrastructure
protection.
The CIO Council is also leading efforts to establish a
governmentwide encryption infrastructure using public key
technology called a public key infrastructure [PKI].
An additional CIO Council effort that is particularly
relevant to today's hearing is the development of an
Information Technology Security Assessment Framework. This
effort was initiated about 10 months ago to provide a tool to
help guide security efforts within Federal agencies. This
framework has been developed largely with the leadership of the
National Institute of Standards and Technology and built upon
existing policy and guidance from the Office of Management and
Budget, the General Accounting Office, and the National
Institutes of Standards and Technology.
The framework provides a road map for Federal organizations
to guide them in focusing and prioritizing their efforts to
improve security. For each of five levels in the framework, a
set of activities is defined that should be undertaken to
assure a sound and effective security program. The framework
reinforces the importance of a solid foundation for an
organization security program and is based on sound policy,
clearly defined management responsibility, and organizationwide
coverage.
The CIO Council has completed a final draft of version one
of the Information Technology Security Assessment Framework and
hopes to publish this version in October. Following the example
of similar efforts by Carnegie Mellon University to develop
security frameworks for software and other disciplines, we plan
to continue to refine the framework over the upcoming months.
With advice and input from GAO, we have started working on
enhancements to the framework that would permit organizations
to better assess the effectiveness of the security programs
that have been documented and implemented.
The final area that I would like to address is the need for
stronger funding support from Congress for a small set of
cross-government security initiatives that serve as the
foundation for governmentwide improvements in cybersecurity.
The cochairs of the Security, Privacy and Critical Committee of
the CIO Council recently sent a letter to all Members of
Congress that highlighted our concern in this area. The letter
points out that while there is almost $2 billion identified in
the administration's fiscal year 2001 budget request for
cybersecurity-related items, only a very small portion of this
request totaling less than $50 million is requested for these
essential governmentwide foundation programs. The efforts of
this group include the Federal Computer Incident Response
Capability [FEDCIRC], which is managed by GSA and provides
alerts and warnings of virus attacks to all Federal agencies.
It has become clear to the CIO Council that these necessary
foundation efforts to improve cybersecurity governmentwide are
being hampered by a patchwork of funding and oversight
structures in both the executive and legislative branches. We
cannot hope to achieve robust governmentwide security without
these programs. We urge the respective congressional committees
who have jurisdiction over these efforts not to view them as
politically driven projects, but as essential elements of a
governmentwide foundation for cybersecurity. Moreover, we
believe that a $50 million investment for these efforts is a
very small investment in view of the great leverage that these
efforts will provide.
I would like to enter into the record a copy of the letter
entitled ``Essential Programs for Ensuring Security of the
Federal Cyber Infrastructure.''
Mr. Horn. Without objection, it will be in the record at
this point in your testimony.
Mr. Gilligan. It is clear to Federal CIOs that the lack of
a single integrated budget for cybersecurity items--these
foundation cybersecurity items--keeps these efforts from
getting the proper attention that they deserve and makes
progress and governmentwide efforts more difficult.
In similar fashion, the efforts of the CIO Council Security
Committee and other CIO Council committees continue to be
hampered by lack of effective methods to fund these cross-
government initiatives that we undertake. The synergistic
benefit and opportunity for savings across the government are
enormous. However, due to the use of pass-the-hat funding
approaches for the CIO Council, for example, funding for the
best security practices efforts that was mentioned earlier had
to be limited to $200,000 and was received 9 months into the
fiscal year. We will not be able to continue to operate and
expand this site or undertake other projects with operational
demands without an adequate level of funding.
I would suggest that this committee, working with the
administration, should examine ways to provide better methods
to fund and manage cross-government initiatives in the
information technology area. As a taxpayer, I am dismayed by
the difficulty of funding these efforts which have the ability
to yield tremendous efficiencies. It is an area where our
executive and legislative branches are truly failing, unable to
leverage the potential of information technology.
In my written testimony, I've included descriptions of
efforts within the Department of Energy to improve the security
of our many security systems.
In summary, let me again express my appreciation for the
opportunity to share my views on the important subject and
encourage the committee to continue to support the CIO Council-
sponsored efforts, especially the Information Technology
Security Assessment Framework.
While our joint challenge to improve cybersecurity may be
more difficult than building rockets, chief information
officers are committed to rapidly improving the protection
afforded to information systems managed by the Federal
Government.
This concludes my remarks. Thank you.
[The prepared statement of Mr. Gilligan follows:]
[GRAPHIC] [TIFF OMITTED] T4495.105 through T4495.126
Mr. Horn. Well, thank you very much. And I would hope that
when there is some budget negotiations going on toward the end,
that the President's list will include this, and we hope that
the Speaker will include it.
The next witness is John R. Dyer, the Chief Information
Officer for the Social Security Administration.
Mr. Dyer.
STATEMENT OF JOHN R. DYER, CHIEF INFORMATION OFFICER, SOCIAL
SECURITY ADMINISTRATION
Mr. Dyer. Good morning, Mr. Chair, Mr. Turner. Thank you
very much for inviting us to testify.
We, too, as this committee, consider security to be an
actual vital concern, particularly in this day as we move more
into the systems world.
At the onset let me emphasize that the Social Security
Administration has always taken the responsibility to protect
the privacy of personal information in agency files very
seriously. The Social Security Board's first regulation
published in 1937 dealt with the confidentiality of SSA
records. For 65 years SSA has honored its commitment to the
American people to maintain the confidentiality of the records
in our possession. We understand in order to address privacy
concerns, we need a strong computer security program in place.
Today I would like to discuss where we are with computer
security, what improvements we're making.
SSA approaches computer security on an entitywide basis. By
doing so we address all aspects of the SSA enterprise. Overall
the Chief Information Officer, who reports directly to the
Commissioner and Deputy Commissioner, is responsible for
information system security. In my role as CIO, I assure that
our security initiatives are enterprisewide in scope. At the
Deputy Commissioner level, Social Security's Chief Financial
Officer assures that all new systems have the required
financial controls to maintain sound stewardship over the
moneys entrusted to our care. We have also placed our system
security policy function with this Deputy Commissioner.
In order to meet the challenges of data security in today's
highly technological environment, this agency has adopted an
enterprisewide approach to system security, financial
information, data integrity and prevention of fraud, waste and
abuse. We have full-time staff devoted to system security
stationed throughout the agency, in all regions and in the
central office. We have established centers for security and
integrity in each Social Security region. They provide day-to-
day oversight control over our computer software. In addition,
we have a Deputy Commissioner-level Office of Systems which
supports the operating system, develops new software and the
related controls, and, in general, assures that Social Security
is taking advantage of the latest in effective systems
technology.
SSA has been certifying its sensitive systems since the
original OMB requirement was published in 1991. Our process
requires Deputy Commissioners responsible for those systems to
accredit them. SSA's planning and certification activity is now
in full compliance with NIST 800-18 guidance.
SSA sensitive systems include all programmatic systems
needed to support programs administered by the agency as well
as critical personnel functions. They also include the network
and the system used to monitor Social Security's data center
operations.
As an independent agency we have our own inspector general
who can focus his efforts on the agency needs and concerns. The
IG is also very active working with other Federal, State and
local law enforcement agencies to assure all avenues for
investigation and prosecution are being pursued, especially for
systems security-related issues.
In summary, we have in place the right authorities, the
right personnel, the right software controls to prevent
penetration of our systems and to address systems security
issues as they surface.
As I mentioned, SSA has maintained an information security
program for many years. Key components, such as deploying new
security technology, integrating security into the business
process, and performing self-assessment of our security
infrastructure, to name a few, describe the goals and
objectives that will touch every SSA employee.
Of particular importance this year are the activities
related to the Presidential Decision Directive PDD-63 on
cyberterrorism and infrastructure protection and continuity of
operations. We have recently completed an evaluation of all
critical SSA assets. I am pleased to note that SSA was one of
the first agencies to do so.
Originally, SSA was not a tier I agency, but given the
importance of our ongoing monthly payments, we were elevated to
this level by the Critical Infrastructure Assurance Office. As
part of this effort we have completed an inventory of all
critical assets and implemented an incident response process
for computer incidents. We have also revised our physical
security plans to assure our facilities are properly secured.
An independent auditor, Pricewaterhouse Coopers, has
evaluated our security program over the last 4 years working
with the IG. They have given us many recommendations to
strengthen our security program, and we have implemented 77
percent of their recommendations. We are addressing the
remainder at this time. Most of the ones that will take us to
finish up over the next fiscal year are facility-related, and
that's what takes a little bit of time.
In addition, we have ongoing site reviews, corrective
actions, and we also have another independent contractor,
Deloitte and Touche, reviewing our systems and overall
management.
In the contingency area this year, we actually tested all
of our sites at one time, which was an area of recommendation
that Pricewaterhouse Coopers had recommended for us. And so we
believe that when we get the next report from PwC, it will
indicate that we have made substantial progress.
In terms of the new increasing technology, and as we're
moving toward Internet, we are putting in place all the latest
security features from firewalls to filters to head off
specific attacks.
So I would like to say in conclusion, Mr. Chairman, the
Social Security Administration has a longstanding tradition of
assuring the public that their personal records are secure.
Both the Commissioner and the Deputy Commissioner give system
security their highest priority. We all recognize this is not a
one-time task to be accomplished, but rather it's an ongoing
mission that we can never lose sight of. We know we cannot rest
on past practice. We must be vigilant every way we can to
assure that these records remain secure and that the public
confidence in Social Security is maintained.
I want to thank the committee for the opportunity to
testify at this hearing, and I will be glad to answer any
questions you might have.
Mr. Horn. Thank you very much, Mr. Dyer.
[The prepared statement of Mr. Dyer follows:]
[GRAPHIC] [TIFF OMITTED] T4495.153 through T4495.162
Mr. Horn. As usual, Social Security is at the top of the
heap even though it's a B. So we're used to you getting As
under the Y2K situation, and we look forward to you keeping
ahead of the pack, shall we say. Thank you very much for
coming. Thanks to your colleagues that led to a B grade.
We now go to Daryl W. White, the Chief Information Officer
of the Department of the Interior, who has presented us with
quite a full platter of documentation. We appreciate that. It's
all in the record, and now you have 5 minutes to summarize it.
STATEMENT OF DARYL W. WHITE, CHIEF INFORMATION OFFICER,
DEPARTMENT OF THE INTERIOR
Mr. White. Good morning, Mr. Chairman and Mr. Turner. Thank
you for the opportunity to appear before you today to discuss
the status of computer security at the Department of the
Interior. The Department of the Interior appreciates being
afforded the opportunity to complete the recent computer
security questionnaire. We are pleased to report that we are
making substantive progress to improve our computer security
posture.
The Department of the Interior recognizes that computer
security is of agencywide importance and is actively working to
implement a well-structured program to protect our information
assets. It is anticipated that the vast majority of issues
identified in the questionnaire will be adequately addressed
through implementations of our program.
Let me summarize the steps that Interior has taken over the
past 14 months to improve our computer security posture. During
1999, Interior performed extensive work in Y2K readiness for
mission-critical systems and major data centers. As a result of
Y2K preparation, policies and guidance for contingency planning
and physical security were issued and several implemented.
In September 1999, we acquired limited funding for
contractor services to perform automated vulnerability scanning
of our most critical systems. Based on the results of the
scanning, remediation was performed where needed.
January 2000, Interior accomplished priority filling of the
Department Information Technology Security Manager position
with a well-qualified and experienced individual. We were
fortunate to have obtained Steve Schmidt from the State
Department's Bureau of Diplomatic Security. Mr. Schmidt has
brought a wealth of experience and practical knowledge to
Interior. It is through his leadership and direction that we
have seen a revitalizing of the Department IT Security Working
Group.
Also in January 2000, $175,000 was allocated for computer
security program development. Funding was obtained through an
internal competitive process whereby senior Department managers
clearly chose computer security as a high priority issue in
competition with other equally important issues. This funding
was obligated to obtain contractor computer security services
in program development and limited as-needed vulnerability
scanning.
February 2000, Interior was successful in including in the
fiscal year 2001 President's budget request $175,000 for
electronic data security. The House and Senate omitted this
funding from their versions of the fiscal year 2001
appropriations bill. Interior continues to clarify the urgent
need for the funding to the Appropriations Committee.
In May 2000, the Departmental Information Technology
Security Manager issued the Interior Information Technology
Security Plan, fully specifying the National Institute of
Standards and Technology [NIST], published generally accepted
principles and practices for securing Federal computer systems.
This plan provides the basis for ensuring a computer security
program that meets or exceeds the minimum Federal requirements
as required by public laws, Federal regulations and executive
branch directions.
July 2000, the Department issued agencywide budget guidance
that further supported Office of Management and Budget
instructions on incorporating computer security funding in all
information technology projects. This guidance advised that
computer security spending should average 5 percent of the
total budget for information technology spending and placed a
high priority on increasing resources for security.
August 2000, a contract was awarded by the General Services
Administration under the SafeGuard program to Science
Applications International Corp. to provide computer security
program development services to the Department. This is
significant to our approach to computer security, and I wish to
elaborate further.
One of the primary means to improve IT security across the
Department of the Interior is to establish proven structured
and self-documenting methodologies for working through the
security life-cycle process. I am pleased to report that
realizing this goal has begun through the award of the
mentioned contract. The associated statement of work divides
the task into two phases. The first phase tasks will provide
Interior with the technical and administrative assistance to
put in place proven structured methodologies for information
technology security development. The second phase will produce
minimum requirements for risk mitigation in the form of
policies for agencywide information technology security issues.
From here we will develop technology and product-specific
implementation guides. Dependent upon the availability of
resources, we will then implement operating capabilities.
In August 2000, an additional $240,000 was obtained for
computer security program development. This funding will be
used to accomplish the development and implementation of
selected security practices.
In closing, it must be noted that our ability to completely
implement an adequate computer security program is strongly
dependent upon the availability of necessary resources.
This concludes my statement. I will be happy to respond to
any questions that you or any members of the committee may
have.
Mr. Horn. Well, we thank you very much, Mr. White.
[The prepared statement of Mr. White follows:]
[GRAPHIC] [TIFF OMITTED] T4495.163 through T4495.184
Mr. Horn. Our next presentation is from Edward Hugler, the
Deputy Assistant Secretary for Administration and Management,
Department of Labor.
STATEMENT OF EDWARD HUGLER, DEPUTY ASSISTANT SECRETARY FOR
ADMINISTRATION AND MANAGEMENT, DEPARTMENT OF LABOR
Mr. Hugler. Thank you, Mr. Chairman and Ranking Member
Turner. I will be brief, as you requested.
We share your view that computer security is a high
priority, a priority that the Department of Labor takes very
seriously at the highest levels. Quite frankly, I am
disappointed at the grade we received today, and in some small
measure dismayed by it.
Following a successful transition of the century date
change, we have directed significant attention to enhancing our
security program and strengthening our security perimeter to
defend against its attack. While this surely is an ongoing and
very complex task, I am pleased to report that we have made
solid progress to date and are continuing to improve our
ability to defend against cyber attacks.
As we began the fiscal year, we had a number of security-
related issues identified by our Office of the Inspector
General in their audit of our financial statement. The issues
encompassed work to be done in six areas of Department-wide
security program planning and management structure. The good
news is, because computer security is a high priority, we had
already identified areas that needed attention and had plans
under way for corrective action. This proactive posture was
acknowledged by the OIG in their audit findings.
At this stage we have resolved all of the audit report
issues at the departmental level and are working toward closing
out the remaining issues with specific agency systems.
In addition to dealing with immediate day-to-day issues,
such as continued attempts to gain unauthorized access to our
systems and responding to malicious codes such as the I Love
You virus, we have invested substantial effort in planning
ahead. Led by the Department's Chief Information Officer, our
strategy in this undertaking has been twofold: First, align our
information technology investments with legislative mandates
and other direction; and second, bring a departmental focus to
our information technology investments where a unified approach
and economies of scale are advantageous.
Information technology approaches that are common across
the Department, such as the implementation of a common
architecture and needed improvements in the infrastructure,
lend themselves to a common cross-cutting strategy. The use of
a common strategy then enables us to effectively leverage the
use of individuals' expertise and other scarce resources for
the good of all at the Department of Labor.
Utilizing this approach for fiscal year 2001, the
Department identified three cross-cutting areas for investment,
one of which is computer security. The computer security cross-
cut represents approximately 18 percent of the Department's
information technology cross-cutting investment portfolio for
fiscal year 2001. It includes plans to ensure that the
information security policies, procedures and practices of the
Department are adequate, as well as reflect the first step
toward implementing a multiyear plan for protecting our
critical infrastructure. Notably this will be a separate budget
activity, and the funds will be administered by the
Department's Chief Information Officer to ensure an organized,
disciplined approach to implementing a stronger security
program.
Mr. Chairman, our plans for next year should not, however,
overshadow what we've accomplished this year, 2000. I would
like to submit a brief highlight of those accomplishments for
the record, if I may.
Mr. Horn. Without objection, it will be in the record at
this point.
Mr. Hugler. Thank you, Mr. Chairman.
Mr. Chairman, we concur with the need to assess the overall
state of the Federal Government's computer security
environment, and we welcome the opportunity to work with you
and the subcommittee to devise an instrument that will provide
the flexibility necessary to accurately assess agencies'
progress. We also recognize that work remains to be done at the
Department of Labor to further improve our computer security.
I share with you your confidence that we will come through
as we did with the year 2000 challenge. I am confident as well
that we have sound plans for making these improvements and the
skill on hand to do so. However, the key to our success, as has
been mentioned by other witnesses at the table this morning,
will be making the necessary funding available.
Thank you, Mr. Chairman. I appreciate the opportunity to be
here, and I will be happy to take your questions.
Mr. Horn. Well, thank you very much.
[The prepared statement of Mr. Hugler follows:]
[GRAPHIC] [TIFF OMITTED] T4495.185 through T4495.187
Mr. Horn. And our next presenter is Ira L. Hobbs, the
Deputy Chief Information Officer for the Department of
Agriculture.
Mr. Hobbs.
STATEMENT OF IRA L. HOBBS, DEPUTY CHIEF INFORMATION OFFICER,
DEPARTMENT OF AGRICULTURE
Mr. Hobbs. Thank you, Mr. Chairman. Good morning, Mr.
Chairman and Ranking Member Turner.
I am pleased to appear before the committee this morning to
update you on the status of the computer security program of
the U.S. Department of Agriculture. With your permission, I
will make a few brief comments and submit my written testimony
for the record.
USDA's programs touch the lives of every American every
day. We manage a diverse portfolio of over 200 Federal programs
throughout the Nation and the world at a cost of about $60
billion annually.
The information we manage, which includes Federal payroll
data, market-sensitive data, geographical data, information on
food stamps and food safety, proprietary research data, is
among USDA's greatest assets.
The Department is committed to protecting its information
assets as well as the privacy of its customers and its
employees. Audit reports conducted by both USDA's own Office of
the Inspector General and the General Accounting Office have
identified significant weaknesses in our overall computer
security program, which we are working hard to correct. As an
example, the Department is acquiring and installing necessary
equipment to upgrade security at our highest priority Internet
access points, and we are strengthening our intrusion detection
capabilities. We are working diligently to correct all of the
deficiencies that have been identified by the reports and hope
to be able to give you a much more expanded impact in terms of the
changes that we have made.
Reports such as those cited above, as well as internal
security reviews mandated by the Secretary of Agriculture in
July 1999, made it clear that the Department requires an
overall coordinated and corporate approach to cybersecurity if
it is to succeed.
The USDA agencies include some security funding in their
respective budgets. Departmental funding is critical to
ensuring the creation of a standard security infrastructure,
and departmental leadership is required to ensure that we have
a comprehensive set of policies and guidelines.
The Secretary's security review also resulted in a
multiyear action plan to strengthen USDA's information
security, which addresses program organization, staffing needs,
policy and program operations, and security and
telecommunications technical infrastructure. When fully enacted,
our plan will align USDA security practices with those of
leading organizations.
Our recent focus primarily has been upon building the
competency and skill of our security staff. We were extremely
fortunate, working with the Secretary, to establish the first
Associate Chief Information Officer for Cybersecurity at the
Department of Agriculture and to be able to select a senior level
executive, Mr. William Hadesty, formerly with the Internal
Revenue Service, as our first CIO for Cybersecurity. With the
recent addition of Mr. Hadesty, we have already started to
implement the priority actions in our action plan.
The Congress provided a $500,000 budget increase for the
Office of the Chief Information Officer for security in fiscal
year 2000. With these funds and existing resources, we are
assembling a well-qualified staff of security experts to lead
the Department's efforts.
Since joining with us in February 2000, the Associate CIO
for Cybersecurity has carefully analyzed and made adjustments
to our ongoing program. In addition, our most critical
information resources, including the National Information
Technology Center in Kansas City and the National Finance
Center in New Orleans, have been or are now undergoing critical
review. We recognize, though, that we still have a long way to
go.
The Office of the Chief Information Officer's fiscal year
2001 budget request included an increase in funding for
cybersecurity of approximately $6.5 million. If enacted as
requested, our security budget will provide the resources to
complete the development of a USDA risk management program,
continue to expand our cybersecurity office, increase our
capacity to conduct onsite reviews, and provide training and
hands-on assistance to augment the skills of our agencies'
security staff. Additionally our project plans call for a major
effort in 2001 to further define requirements for a security
architecture and begin its redesign and implementation.
In fiscal year 2002, we will continue to develop and
implement our USDA-wide computer security program. The
information survivability program and the sensitive systems
certification program we plan to establish will complete USDA's
computer security umbrella.
Mr. Chairman, we believe that fulfillment of our
cybersecurity action plan will position the Department to
comply with Federal computer security guidelines and best
management practices. The reality is, though, that until our
computer security program is fully funded, we will remain much
too vulnerable.
I appreciate the opportunity to speak to the committee. I
look forward to being able to answer any questions you may
have.
Mr. Horn. Thank you very much, Mr. Hobbs.
[The prepared statement of Mr. Hobbs follows:]
[GRAPHIC] [TIFF OMITTED] T4495.188
[GRAPHIC] [TIFF OMITTED] T4495.189
[GRAPHIC] [TIFF OMITTED] T4495.190
[GRAPHIC] [TIFF OMITTED] T4495.191
[GRAPHIC] [TIFF OMITTED] T4495.192
[GRAPHIC] [TIFF OMITTED] T4495.193
[GRAPHIC] [TIFF OMITTED] T4495.194
Mr. Horn. Our next presenter is Mark A. Tanner, Information
Resources Manager, Federal Bureau of Investigation, Department
of Justice.
Mr. Tanner.
STATEMENT OF MARK A. TANNER, INFORMATION RESOURCES MANAGER,
FEDERAL BUREAU OF INVESTIGATION, DEPARTMENT OF JUSTICE
Mr. Tanner. Good morning, Mr. Chairman, Mr. Turner and
other members of the audience. I thank you for inviting us here
to discuss computer security at the FBI. The FBI shares your
conviction that computer security is a vital concern. That
concern is manifested at a variety of levels: First, the
concern within the FBI as to how the FBI collects and handles
sensitive personal information; the concern as a member of the
U.S. intelligence community where there is a growing awareness
and desire to achieve a collaborative sharing of intelligence
information while at the same time securing highly sensitive
and classified sources and techniques; the concern as a member
of the law enforcement community often called upon to
investigate, identify and apprehend those responsible for
hacking into government systems and critical infrastructures of
this Nation; and the concern as a Federal law enforcement
agency called upon to investigate computer and computer-related
crimes as diverse as a pedophile seeking to prey on a
youngster, Internet fraud crimes which victimize all elements
of our society, including persons and businesses, and those who
would seek to enrich themselves by manipulating stock prices.
The FBI's internal computer policies and practices present
a somewhat unusual picture as far as Federal agencies are
concerned. The FBI is, as I have stated, an agency charged with
investigating many computer-related crimes and it is charged
with the conduct of all counterintelligence activities in the
United States.
In addition, the FBI operates several systems on which
State and local law enforcement agencies have come to rely as a
necessity. As such, the FBI must operate both classified and
unclassified systems, and many of those unclassified systems
have strong requirements for the protection of personal data
about American citizens as well as a need to maintain instant
availability.
In addition, the nature of some of these systems presents
special requirements in that the data represents information
gathered through a variety of methods, each requiring its own
specialized method of handling and protecting the information.
These methods include Federal grand jury subpoenas, which are
subject to the requirements of rule 6(e) of the Federal Rules of
Criminal Procedure; material identified as Federal taxpayer
information, and thus subject to specialized handling and
disclosure requirements; as well as many other specialized
requirements. Of course, the specific requirements of
classified information, such as that obtained as a result of
title 50, the Foreign Intelligence Surveillance Act, activities
or from other intelligence community agencies, must also be
respected.
To accomplish these tasks, the FBI operates 35 general
support systems and 12 major applications; 24 of the 35 general
support systems are classified and 6 of the 12 major
applications are classified. In other words, the FBI operates
30 national security systems. It should be noted that the vast
majority of the FBI's classified systems are currently internal
systems and thus do not have external connections to nonsecure
or unclassified systems.
The FBI's information systems security policy is codified
in our Manual of Investigative Operations, section 35. A copy
of this policy has previously been provided to this
subcommittee. The policy is a compilation of requirements which
are outlined in section 35-11 of this policy. In general, let
me state that because of the variety of types of systems used
by the FBI, our practice, where practical, involves using a
hierarchical approach to any requirement from these sources
based on the selective system's criticality and risks. This is
to avoid any possible confusion as to whether or not a system
should follow this or that set of rules and regulations. To
choose any other course of action would be folly.
The FBI's policy is coordinated with the Information
Systems Security Unit which is a part of our National Security
Division. The security unit works closely with the Department
of Justice entities which oversee classified and unclassified
computer systems. In addition, they maintain a good working
relationship with the national entities responsible for
computer security policy, such as the NSTISSC and NIST and the
Security Policy Board to ensure that the latest information is
available.
There are many challenges which face the FBI in today's
computerized world. One of the biggest challenges involves the
rapidly changing environment and the rapidly changing world in
which we all live. New technologies are moving into the
marketplace at a frenetic pace; old technologies are undergoing
metamorphosis. Each of these new products presents particular
problems and requires a careful and thoughtful analysis to ensure
that the FBI continues to maintain a policy which recognizes the
business needs of the computerized world while still providing
meaningful security practice.
The FBI is practicing a risk management approach in its
certification and accreditation of all computer system
security. As I previously noted, most systems are internal and
not connected to nonsecure unclassified systems. This isolation
provides some sense of comfort in that these systems are not
connected to the outside and are far less vulnerable to compromise
and attack. In this manner, our approach has been to identify
both systems which pose the largest risk in terms of their data
and the sensitivity of the data. These systems are approached
before systems which play a lesser role in either their data or
sensitivity. The FBI is currently engaged in a series of
activities which will hopefully lead to the speedy completion
of the certifications and accreditations. Resources have been on
loan from the Department of Justice as well as from other
intelligence community agencies under the ICAP program.
The FBI has undertaken an effort to make system owners
cognizant of system security requirements in their initial and
life-cycle development of plans for systems, in that way
ensuring that systems security is built into all systems and
that the continuing costs are specifically identified as a
separate line in each proposal.
In conclusion, let me just reiterate that the FBI
appreciates the interest of this subcommittee, indeed the
interests of all parts of Congress in this area where we share
your interests and concern. Our efforts will continue to ensure
that all systems, including those of the FBI, meet the
expectations of the American public to appropriately protect
that information which must be protected. The FBI respects the
trust placed in it by the American public and the Congress and
will do the utmost to maintain that trust.
Thank you.
[The prepared statement of Mr. Tanner follows:]
[GRAPHIC] [TIFF OMITTED] T4495.195
[GRAPHIC] [TIFF OMITTED] T4495.196
[GRAPHIC] [TIFF OMITTED] T4495.197
[GRAPHIC] [TIFF OMITTED] T4495.198
[GRAPHIC] [TIFF OMITTED] T4495.199
Mr. Horn. Well, thank you Mr. Tanner. We appreciate very
much what the FBI has done in tracking down a lot of these
hackers, and some I believe are in Federal prison now. So we
thank you for that effort, and I think you were very on top of
the situation in the Philippines when that occurred.
Our last presenter before questions is Solveig Singleton,
Director of Information Studies for the CATO Institute. Am I
correct to say the CATO Institute would be called a
libertarian-based institute?
Ms. Singleton. Yes.
Mr. Horn. OK. Ms. Singleton, it's all yours for 5 minutes.
STATEMENT OF SOLVEIG SINGLETON, DIRECTOR OF INFORMATION STUDIES
FOR THE CATO INSTITUTE
Ms. Singleton. Thank you, Mr. Chairman. My testimony today
is going to offer examples of some of the types of data bases
maintained by Federal agencies and offer a big-picture
perspective on the significance of any security problems within
those data bases.
With the power to command, powers of arrest, police, courts
and armies, the government has powers that the private sector
lacks. You can hang up on an annoying telemarketer but it's
hard to hang up on the IRS. Recognizing that in the
Constitution we have the fourth amendment which limits the
means by which government may collect information and we also
had the idea originally of a government of relatively limited
powers, and inherently a government of more limited power has
less need for hundreds and hundreds of data bases than a
government of broader powers.
Now, for better or for worse, we have drifted away from
this concept of limited government, and there's a natural
consequence. The amount of detailed information about private
citizens in Federal files has grown by leaps and bounds.
To underscore the importance of keeping this information
secure, I will offer an overview of the types of information
that are held by Federal agencies.
Essentially, Federal agencies collect an enormous array of
information. The Federal Government will inexorably record,
obviously, your name, your address, your income, but also your
race, details of how you spend your money, your employer,
updated quarterly, whether you've asked for information from
government agencies, student records, whether your banker
thinks you've engaged in any suspicious activities like making
an unusually large withdrawal or deposit, and finally, of
course, a surprising number of agencies hold different types of
medical records and not simply Health and Human Services.
I am going to run down some of the departments that we
looked at very quickly and offer a very small number of
examples of the type of information that they hold. Let me
start with the Commerce Department.
One file maintained by this Department keeps individual and
household statistical surveys which include individual's names,
age, birth date, place of birth, sex, race, home business phone
and address, family size and composition, patterns of product
use, drug sensitivity data, medical, dental, and physical
history and other information as they consider necessary.
The Department of Education has the national student loan
data system and, among other items, a registry of deaf-blind
children nationwide.
The Department of Energy maintains, among some very
sensitive counterintelligence data bases, records of human
radiation experiments.
The Federal Bureau of Investigation, obviously, is home to
the FBI central records system, alien address reports, witness
security files and information on debt collection and parole
records.
The Department of Health and Human Services has massive
quantities of medical record information, filling hundreds of
data bases. Some of these data bases include the personal
Medicaid data system and the national claims history billing
and collection master records system.
Next comes the Department of Housing and Urban Development.
Now, this agency is perhaps best known among privacy advocates
over the last few years for urging that residents of Federal
housing agree to warrantless searches of their apartments in
their lease agreements. This agency holds data such as single
family research files, income certification evaluation data,
and tenant eligibility verification files.
The Department of Labor has a lot of data bases including a
data base with information on applicant race and national
origin, records from the workers' compensation system and
records from the national longitudinal survey of youth, which
is a long-term study of certain individuals as they grew up over
the past few decades.
Obviously the Social Security Administration collects
information on lifetime earnings, as well as information
related to insurance and health care and census data. What may
be less well known is the extent to which they share and match
information with Health and Human Services, the IRS, and other
agencies. So, for example, one data base at the Social Security
Administration matches Internal Revenue Service and Social
Security Administration data with census survey data and
records of Cuban and Indo-Chinese refugees.
The Department of Treasury, last but not least, holds a
financing data base which contains millions of reports of
banking activities of privately named U.S. citizens. They have
also got the national data base of new hires, which holds
records of the income and employment of every working American,
updated quarterly.
Now, to sum up, I don't want to suggest that all this data
is part of some kind of sinister plot and we should all go
around wearing tinfoil hats on our head, nor do I want to
denigrate the well-intentioned efforts that have been made to
make many of these data bases more secure, but what I would
like to point out is that the growth of these data bases makes
security and the need for internal controls against
unauthorized use by government employees a systemic problem
rather than an occasional problem, and the growth of these data
bases threatens to shift the balance of power between
individuals and the Federal Government. So this really is a
systemic issue and it will become more and more acute
as we move away from a vision of limited government and want
the government to be involved more and more in our day-to-day
lives.
Thank you.
[The prepared statement of Ms. Singleton follows:]
[GRAPHIC] [TIFF OMITTED] T4495.200
[GRAPHIC] [TIFF OMITTED] T4495.201
[GRAPHIC] [TIFF OMITTED] T4495.202
[GRAPHIC] [TIFF OMITTED] T4495.203
[GRAPHIC] [TIFF OMITTED] T4495.204
[GRAPHIC] [TIFF OMITTED] T4495.205
[GRAPHIC] [TIFF OMITTED] T4495.206
[GRAPHIC] [TIFF OMITTED] T4495.207
[GRAPHIC] [TIFF OMITTED] T4495.208
[GRAPHIC] [TIFF OMITTED] T4495.209
Mr. Horn. We thank you and now begin the questioning. What
we'll do is alternate the questioning, 5 minutes for myself and
5 minutes for the ranking member and back and forth until we
get the questions out of our system.
I'm going to start with the Department of Agriculture. As I
recall in your statement, Agriculture repelled 250 hacker
attacks. Were any of these successful attacks, Mr. Hobbs, and
if so what kind of damage was done?
Mr. Hobbs. In some instances, Mr. Chairman, the attacks
were successful. They resulted in things like changes to Web
pages. We report all of our intrusions. For some of them, like
changes to Web pages, we were able to identify where people had
been able to access systems, but in no instance were there any
major or significant damages done. In most instances we've
taken the necessary steps to shut down what we consider to be
backdoor ways that people were getting into the systems, and
are trying to be more vigilant in our monitoring and tracking
of those activities and those kinds of concerns.
Mr. Horn. On the Agriculture, you completed the security
questionnaire and it states the Department doesn't really feel
that the system accreditation is important. A lot of other
agencies feel the system accreditation, where possible, is
important. Why isn't accreditation that important to the
Department of Agriculture?
Mr. Hobbs. I don't think that we said that it was not
important. I believe that what we are doing is we have a
prioritized program that we are working toward completion of,
with systems accreditation being a part of that. So I don't
think we said it was unimportant. I think what we said is we
have a prioritized direction in terms of which we're
trying to proceed, and that we're moving with deliberate speed
in that sense of looking at all aspects and all phases of our
security program.
Mr. Horn. Well let me ask Mr. Willemssen, on behalf of the
General Accounting Office, as I understand, system
accreditation is a formal management process to test and accept
the adequacy of the system's security before putting it into
operations. So how important is it to an agency's computer
security programs that they're accredited; and could you
explain that process and why most of the Departments are doing
that where they can?
Mr. Willemssen. We believe system accreditation is
especially critical, and it represents management's judgment
that they have gone in, made an assessment of the risk of a
particular system and the associated data; that given the risk
associated with the system and data, appropriate controls have
been put in place to fend off any attacks that may occur, and
that management is therefore making a declaration that the
appropriate controls are there to deflect or at least be aware
of any such attacks that may happen. We think it's especially
important. Most agencies agree. We do see at times differences
in nomenclature. Some agencies may actually be doing something
similar to accreditation but may call it something else.
Mr. Horn. Moving to the Department of Labor, Mr. Hugler, as
I looked at the information, the computer security
questionnaire indicated weaknesses in all six general control
areas and the weaknesses were confirmed by the Inspector
General's audit results. So I'm curious, what does the
Department consider to be its most critical weaknesses?
Mr. Hugler. Well, Mr. Chairman, I think you're correct to
state what the Inspector General found last year and they did
find weaknesses in all six areas. I think what's important to
recognize is that we have now addressed all of those issues,
and in fact the Inspector General's audit findings, as I
recall, acknowledged that if we did two important things, one
is put out the rules for the Department's computer security and
put out the rules for the Department, in terms of systems
development and life-cycle criterion rules, if we did those two
things, that we would have addressed all six of the categories
with which they found issues.
We have done that and, more importantly I think, we have
gone ahead aggressively with implementing those rules. And the
example, I would cite to you, is our experience with the I-
love-you virus. We have incident response procedures now in
place at the Department. We had some 33,000 attacks from that
virus. A small number of computers, 243 as I recall, were
infected. I think the most--the best measure of our response,
however, was the fact that we notified our employees of that
virus and what to do with it 3 hours in advance of the official
Federal notification.
So I would commend your attention to that as an example of
the kind of things we've been able to do over the last year. So
really the OIG's findings from last year are just that, a year
old, and we have improved dramatically since then.
Mr. Horn. And so you would say the corrective action for
these has been completed?
Mr. Hugler. Yes, sir. At the Department level we have done
that and I am very comfortable with that.
Mr. Horn. I now yield 5 minutes to the gentleman from
Texas, Mr. Turner.
Mr. Turner. Thank you, Mr. Chairman. As I listen to each of
you who come from your respective agencies, it causes me to
come back to a comment Mr. Gilligan made about the importance
of cross-government initiatives. As many of you know, I have
been an advocate of having a Federal CIO, a chief CIO for the
Nation, someone who had the expertise, the competence, the
leadership role, as well as the budgetary support necessary to
be sure that we can have stronger cross-government initiatives
in the area of information technology and certainly in the area
of computer security.
And I think I'd like to ask you, Mr. Gilligan, to expand
upon your assessment of the need for these cross-government
initiatives, and I would be interested in your insight on it,
because not having nearly the expertise in the area that you do
nor the experience in the area, I still am left, after hearing
all this testimony, with the conviction that the area of
information technology certainly provides the potential for the
expenditure of vast sums of Federal dollars in a very
inefficient way. And I would be interested in your comments on
the idea of more emphasis on cross-governmental initiatives and
what kind of leadership might be necessary to ensure that
happens.
Mr. Gilligan. Mr. Turner, I'd be happy to comment. What I
have found in my activities in the CIO Council is that the
potential that you allude to for enormous efficiencies as a
result of cross-government IT efforts is there, but that
potential is difficult to realize because our fundamental
government structures in the executive branch and in the
legislative branch tend to be stovepipe-oriented on particular
agencies and particular missions, and in fact, what I have
found is the most difficult efforts to get support for are
cross-government initiatives. And relatively small sums of
money that would have enormous benefits often fall through the
cracks because there is no clear forum for advocacy. And
individual committees, whether they be in the executive or the
legislative branch, tend to be very narrowly focused on that
portfolio to which they're assigned responsibility.
In my testimony, I noted our best security practices
effort. This is an effort that is enormously compelling. The
objective is to pull together best security practices from
across the Federal Government, provide a Web repository where
they can be accessed easily, and to share this wealth of
experience that we have across the government.
We have found that getting small sums, hundreds of
thousands of dollars for this initiative, is very difficult,
and it's not that the effort is not supported. It is supported.
And when I talk to members in the administration and Members of
Congress, it is supported. But the question is, ``who should
pay for it and where should that funding come from?''
The Federal incident response capability, FedCIRC, which is
our government's central point for disseminating information on
viruses and patch updates, is funded through a set of
committees. It is sponsored by Department of Defense, the FBI
and GSA. We have found in the recent remarks that the support
has not been strong, and again I don't think it's because the
merits of this effort are not supported in general. It's that
there is no central focus that helps bring this together and to
help identify that these individual, relatively small dollar
items in individual budgets, are in fact of far greater
importance than their small dollars would indicate.
And so I think as you suggest, this is an area where we
desperately need to focus attention. I think not only in the
security area will it help us improve security, but we can far
better leverage the enormous resources that we do have in
attacking a whole range of information technology issues.
Mr. Turner. Thank you.
Mr. Spotila, I know you have worked in this area, and one
of your duties at OMB is to try to be sure that we move toward
the kind of things Mr. Gilligan is talking about. I know there
is a Presidential directive that established two tiers of
agencies. It strikes me, and you might want to explain that a
little bit, but it strikes me that it is certainly appropriate
to acknowledge that the importance of computer security may
vary from agency to agency, and that when we try to focus our
resources, perhaps we should choose certain agencies over
another. If we did that, we would expect to see different
grades from the agencies because we would have made a choice
regarding where to place the initial dollars to improve
security. But describe for us a little bit that Presidential
directive that established those first, those two tiers.
Mr. Spotila. Yes, Mr. Turner. First of all, let me just
mention that OMB has been very supportive, as I've testified to
the committee before, of these cross-cutting initiatives. We
share Mr. Gilligan's belief that these are very important, that
they would make a great deal of difference, and that they do
need support.
The President, in May 1998, put out a Presidential Decision
Directive aimed at critical infrastructure protection. It was
at that time that he designated Mr. Richard Clark as his
adviser on counterterrorism. He's worked with the committee and
has been very active. The Critical Infrastructure Assurance
Office was then established.
What we have tried to do in the administration is to
prioritize in this area. I mentioned in my testimony that OMB's
focus has been on the same 43 high-impact programs that we
focused on during the Y2K effort. We have more than 26,000
systems in the government. If we're going to enhance our
ability to serve the American people by promoting effective
information security, we need to prioritize. We need to start
with the areas that have the greatest impact, whether they be
agency by agency, or, more accurately, within agencies, program
by program, system by system.
The Critical Infrastructure Assurance Office has tried to
zero in on those areas, those agencies, and those aspects
within agencies that have the greatest importance and perhaps
would be at risk the most. We've tried to work at OMB at
focusing on the programs that we think have the greatest impact
on the American people; as I'd mentioned, Medicare, Medicaid
and the like. We think that we have to begin with the most
important things. That's where we're going to have the most
significant improvement and have the most significant benefit,
which is not to say that we ignore all the other areas. We put
out general guidance. We're working with the agencies. We're
relying on the agencies to try to improve their efforts in this
regard across the board.
But in terms of White House attention, we're obviously
starting with the things that matter the most.
Mr. Turner. Thank you.
Mr. Horn. Let me add to that the following. This is the
last month of a fiscal year. This is the time Cabinet officers,
deputy secretaries, assistant secretaries, all of them sit
around and say, what can we do with the surplus we have in our
budget? And having been in administration, I know exactly what
they do, and this is the time, if they're serious about this,
to reprogram some of that money into what everybody's saying,
oh, we've got to have new money. That isn't the way we started
with Y2K. We started when I urged a lot of the people to start
reprogramming.
When Dr. Raines came in as budget director, he said, You're
absolutely right, and that's what I'm going to tell them. And
he did, and that's how we got the job done. We also made sure
Congress provided the money. But if they're serious in these
various executive branch agencies, this is the time to get a
few million here and there.
And then besides that, let's just talk about a few simple
steps such as policies requiring regular changing of passwords,
safeguarding equipment, turning off computers. That doesn't
cost a thing. That just costs doing it, if any. And I guess I
would ask, because Energy has certainly been in the papers for
the last 2 years on this, but I'd ask, is there in OMB the
concern about policies to just get those basic areas done?
Mr. Spotila. Let me respond in a couple of respects.
First of all, I agree with you, Mr. Chairman, that some
agencies are going to have discretionary funds available this
September. We would certainly hope that they would apply them
to this area. I know that the various CIOs at this table and
others around government are going to do all they can to try to
impress that upon their agency heads. So I think that we do
need to be serious; just as all of us need to be serious, the
executive and the legislative branch, because this is a really
important area.
We have a lot of policy out there, even things that you
mentioned about passwords, changing passwords and the like. The
key is getting people to implement and follow the policy that
may be out there. One of the things I emphasized in my
testimony today and in my written testimony is that, in order
to have effective security, it is essential that nonsecurity
people buy in, that they participate, that they understand the
significance and that they buy into it. Because we can have all
the policies in the world and we can have all the centralized
supervision in the world, but if that person at the desk
doesn't follow it, it doesn't do any good.
You know, we tell the story about having very complex
passwords that people write on little yellow sticky notes and
paste to their computer screen. You can't have effective
security without cooperation at all levels, and it's a message
that we're trying to impart throughout the government. I think
it will be an ongoing challenge to continue to do that.
Mr. Horn. I thank you very much.
Let me ask Mr. Dyer, who's got the B grade, the Social
Security system, there is--apparently you're farther along than
most other agencies now. Do you have best practices that
others might implement, and what are they?
Mr. Dyer. Mr. Chair, I think it's just like when we
approached Y2K. Early on we saw it coming, and we
institutionalized the process, the resources to deal with it.
And we've done the same thing with security. It's part of our
life cycle with our programs. Anytime we think about bringing
up a new system, we look at the security aspects. Any
modification to any system, we check the security all the way
through and how it could roll over into other security systems.
I pick up on what GAO said and what John Spotila said. The
biggest challenge we're finding is managing it. You can have
good procedures, policies, rules in place, but you constantly
have to be working with your managers, your employees that they
follow them, and that's where we've been putting a tremendous
amount of our effort.
We've had conferences across the country. We've set up
centers so that we're able to make sure that we have people in
place that are doing the dogging and checking it. We change
passwords every month now. We found that it just didn't happen
the way it should. So we have instituted it. We're going
through. We found out that they change the passwords to
something they could remember. We now have software to check to
see if it's dates of birth or names of family members or
whatnot so you can start to screen those things out.
So, to me, it's a constant management challenge. You can do
the systems, but you've got to be there, right there on top of it
all the time.
Mr. Horn. In my 26 seconds remaining, Mr. Willemssen,
anything you want to add to that as to what might be done that
isn't being done?
Mr. Willemssen. One thing that I would add, Mr. Chairman--
and it's somewhat extending off of Mr. Spotila's comment--and
that is, it's one thing for agencies to have the policies and
procedures, which I think in many cases they do. It's quite
another to see whether the accompanying practices have actually
been put in place.
That's been particularly the case when we and Inspectors
General go out and we test whether these policies and
procedures are actually being implemented. They often have not
been. And that really is a key distinction, I think, often
between what the agencies believe is going on and what may
actually be happening, although I think clearly many
of the agencies are on the road for improvement in that
direction, also.
Mr. Horn. I now yield 5 minutes to the gentleman from
Texas, Mr. Turner.
Mr. Turner. Thank you, Mr. Chairman.
The designation of the Presidential directive--is it tier
1, tier 2, phase 1, phase 2, whatever it's called--I'm curious
as to what kind of impact that has and how is that designation
significant; and I'd like, Mr. Hugler, if you would, to comment
on that because I know Department of Labor is a tier 2
designation.
Mr. Hugler. Yes, sir. Thank you, Mr. Turner.
It is an important distinction, because it is important to
recognize that some agencies handle more sensitive information
and have more sensitive systems than others do. We certainly
believe that our mission is important to American workers, but,
frankly, we do not have critical information that directly
implicates national security. So, as such, if we are going to
prioritize funding and implementation priorities, I think it is
appropriate for the Department of Labor to be a phase 2 agency
or tier 2 agency.
I think it's also important to note, though, that we take
those responsibilities as a tier 2 agency as important and that
we meet them and we are on target to meet all the milestones
for which we are accountable.
Mr. Turner. Mr. Spotila, when you think about funding for
these various agencies to be sure they move forward in the area
of computer security, do you make budgetary recommendations
based on this phase 1, phase 2 designation?
Mr. Spotila. What we do in the first instance is to
actually have the agencies themselves come to OMB with their
own determinations as to what they'd like to accomplish and
what they feel they need in the information security area. They
do so within their overall budget submissions when they go
through the OMB review process.
With the guidance that OMB put out earlier this year,
focusing on the next budget year, we've made it very clear that
information security needs to be part of that agency initial
analysis. It needs to be integrated within the entire area of
information technology planning for budget purposes because we
don't believe that doing it as an add-on is effective at all.
Within the budget review process, obviously if an agency is
a higher priority, if the need is greater, that will be
recognized in the process. Very often, the budget issues turn
more on whether or not the proposal has been well thought out,
whether it is likely to be a good use of money and a good
expenditure of money and one that is likely to contribute not
only to increased security but the agency's performance of its
mission. Those are the kinds of factors that OMB takes into
account, just as later on the Congress will take that into
account.
And your comment earlier about the risk, that money could
be wasted in this area, is also something that we take very
seriously. You can't just fund a proposal because it sounds
good or because the agency is an important agency or the area
is an important area. You have to make certain that the
proposal will work, that it will contribute something that will
add value and will involve money well spent. And so this
analysis is actually a very comprehensive and thorough one.
We think in the next budget cycle we're going to get better
submissions from the agencies. We've been working with the
agencies directly one on one to get them to understand the
change. We're expecting that in the IT area we are going to
receive budget submissions that are better thought out and that
will have better justifications.
Mr. Turner. Mr. Gilligan made a strong case for greater
emphasis on cross-agency initiatives. What has OMB done to
promote greater cross-agency efforts?
Mr. Spotila. We've actually been doing a variety of things.
We've worked closely with the CIO council, which I've chaired
since last year until their DDM was confirmed. We've worked
closely with John and his committee in that regard trying to
identify areas. We've worked closely with Dick Clark and the
Critical Infrastructure Assurance Office and the national
security community and with others throughout OMB and the
agencies trying to identify areas where crosscutting
initiatives would help.
John mentioned public infrastructure which would enable us
to authenticate signatures. We think that's an important area.
We know we need better intrusion detection capability. We think
we need expert review teams that can get out onsite in the
various agencies and help them not only assess security but try
to improve their efforts in security. We think we need more
efforts in the R&D area. We need scholarships for people to
start learning this area so that the Federal Government can get
the kind of personnel it needs with the kind of experience and
educational background it needs to work in this area over the
long term.
So we have tried to identify areas of need, working closely
with all these other parties, and then within the budget
process we've actually given it a huge amount of support to try
to help develop proposals that make sense, that will have
credibility with the Congress, that will work once implemented.
I think that the reality is we do start with a stovepipe
approach. We all need to think outside of the box. We need to
make certain that, as we do crosscutting initiatives, that they
work so that we can build up credibility and support for further
efforts in the future. That's something we take very seriously,
and I think that will be an ever-growing need in the future.
Mr. Turner. How many dollars have you expended on cross-
agency initiatives and how many of them have been accomplished?
Mr. Spotila. Well, I think the reality is that in the past,
as John has said, when there have been efforts like
crosscutting initiatives, for example, support of the CIO
Council and its efforts, we've done that by what John indicates
is passing the hat. Under the Clinger-Cohen Act, we have some
ability to do that, to have agencies contribute toward support
of crosscutting measures.
The President's budget, as I outlined in my testimony, not
only includes an increase for computer security in general, but
it highlights crosscutting initiatives that we think are very
important. John mentioned that for $50 million an awful lot can
be accomplished. I think the President's request is actually
greater than that in this area because we're also focusing on
research and development and on cyberscholarships and the like.
Still, we're looking at a relatively small amount of money.
$150 million would make a huge impact in this area. The key is
to get it appropriated.
And so when we talk about past crosscutting initiatives
it's hard to track because we haven't had the kind of
appropriations in large numbers that we're talking about here.
We have used relatively small amounts of money to support the
CIO Council and some other developmental areas along these
lines. The GITS Board, for example, worked on the PKI--public
key infrastructure--issue for some time. The Board has now
been rolled into the CIO Council. We've identified a need to do
much more of this going forward. I think the key now will be to
see what happens in the appropriations process this fall.
Mr. Turner. You've requested how many dollars for cross-
agency initiatives?
Mr. Spotila. We have a list in my testimony that I can just
mention, highlight real quickly.
Mr. Turner. Where would that be found?
Mr. Spotila. In my written testimony?
Mr. Turner. I mean in the budget itself. Is it
appropriations in OMB? Is that where the money would reside
currently?
Mr. Spotila. No. Actually, although these are crosscutting
initiatives in the budget, they appear in the departmental
submissions. So, for example, the Department of Commerce is
seeking $5 million for NIST to establish an expert security
review team that can then go to agencies, to a number of
different agencies outside of Commerce. That's an example. When
we talk about crosscutting initiatives, because of the nature
of the appropriations process, it needs to appear in an
individual agency's budget. Part of the difficulty is--not to
single out Commerce--if that particular appropriations
committee or subcommittee doesn't think it a priority, that an
expert security review team at Commerce will be helping 25
other agencies, they might give it less support. That's where
the difficulty comes in the budget process.
So all of these so-called crosscutting initiatives still
appear in individual agency budget submissions.
Mr. Turner. I think that's one of the things that I have
concern about, that perhaps we need some central location, some
leadership for this that would flow through our Federal CIOs to
be sure that these things happen. Because I think what you're
left with, even after you secure the appropriations agency by
agency, you're still in the pass-the-hat mode, which I think is
one of the problems that we perhaps face in the area that we
are discussing.
Thank you, Mr. Chairman. I know my time's expired.
Mr. Horn. Thank you.
Let me follow up on that again. There's obviously a concern
when you have these cross--the boundaries, if you will,
initiatives. Now, can--on reprogramming, you know, $5 million,
that's chicken feed to any agency. They have got the--they can
reprogram that.
So you don't really need to worry too much. But you're
right. If they're trying to help four or five other agencies,
the appropriations and authorizers here might say, hey, not on
my beat, put them somewhere else. So--but, hopefully, that's
why OMB is there, to sort of help straighten it out.
I am not going to embarrass any of the CIOs here, the chief
information officers, but have the secretaries and heads of the
agencies within the executive branch been responsive to the
efforts to strengthen computer security? And I just--perhaps
Mr. Gilligan on behalf of the CIO Council, Chief Information
Council, do you get a feeling in those meetings that some of
them just--these are not, obviously, here. They're other
places. But do you get a feeling that they're not getting good
backing from the top executives in the agency?
Mr. Gilligan. It's my clear sense that the senior
executives across the agencies are getting the message. It's a
complex issue, and I think the difficulty, as I addressed in my
testimony, is understanding both that cybersecurity is
important, and understanding what to do about it are two
different things, and I think that's, in many cases, where
agencies are stuck. It is not an issue that can be delegated
down. It has to be undertaken and aggressive leadership has to
be provided by senior management, as we found with Y2K.
So I reiterate, I think the actions of the senior levels of
the administration, and of this committee and others are going
to be important in helping to get that message across. While
there are complex technical issues that equate to rocket
science, there is a foundation that must be built that is just
good sound management practice that requires aggressive
involvement at the senior levels.
Mr. Horn. Let me move to another question, that when we had
this discussion a few minutes ago on the libertarian
suggestions, what message do the grades that we have given you
send to the American people regarding the security of the
citizens' personal information? Should we have a special
category in that as to how that's dealt with in an agency and
on those files that such as the census and others are the
obvious one over in Commerce? Should we have a category as to
how high in the agenda and hierarchy of things to be done that
you first protect the information of the American citizen from
getting out for people making use of those data and, therefore,
perhaps as we've seen what's happened in credit card operations
is some of these idiots take exactly the whole name and number
and all the rest of it, and the result is that those poor souls
can never get a loan again because somebody's running around
the country with their credit card. Well, isn't that also true
in some of the agencies here? What do you think, Mr. Spotila?
Mr. Spotila. Well, let me start by saying that we take very
seriously the importance of preserving the confidentiality of
information that the government holds. As we've been discussing
throughout this morning, we recognize that, although a lot of
progress has been made, we are not done. We cannot afford to be
complacent because the challenge in this area is a dynamic one.
The threat changes; new technology, new threats can appear. And
so, on a day-by-day basis, we need to continue to do the best
we can and to improve our efforts.
Without getting into the grades themselves, we all agree
here that there is room for improvement. I'm perhaps more
sanguine in the sense that I think that the information that
we're talking about here is not at great risk. I think the
agencies are very careful about protecting that information, as
John Dyer indicated at Social Security. They take it very
seriously and realize the importance of it. This is not to say
that we're complacent. A new threat could emerge tomorrow that
hasn't been anticipated, and a part of what you need in the
security area is the ability to detect intrusions and to react
to them and to correct problems when they surface.
So I would say to the American people that we take security
very seriously and that we all need to work together on behalf
of the American people in this area.
Mr. Horn. Mr. Willemssen, you've looked at a lot of
agencies over the years. What is your answer to that question
and how worried should the American people be about this
situation?
Mr. Willemssen. Well, I think--point one, Mr. Chairman, I
think it's imperative to point out that absolute protection is
not possible, and so we've got to look at this from a risk
perspective. And in doing those risk assessments, the higher
the sensitivity of systems and data, then the more rigid and
tight the controls need to be and agencies need to make that
up-front judgment on how much risk for particular systems and
data they're willing to accept and, given that acceptance of
risk, then put in the appropriate controls.
And I think in many cases we still have agencies who
haven't done the in-depth risk assessments of systems and data
in order to come to those judgments because not all systems and
data are created equal. There has to be some judgments up front
on what we absolutely have to protect as best as possible,
again recognizing that there is no absolute as it pertains to
protection but that we can narrow the margin significantly.
Mr. Horn. Ms. Singleton, would you like to get your licks
in, shall we say?
Ms. Singleton. I'd like to offer one additional comment
along those lines, which is to say that part of the problem
that I think the American people might perceive with this
system as a whole is that in the private sector if you leak a
document--say you work in a law firm and you leak a document
about a client. The law firm stands a good chance of losing its
client and you stand a good chance of losing your job. But
there's a greater perception I think on the part of the
American people--and partly it's correct that, in a Federal
Government agency, if there's a leak or a mistake or an error,
that there will be relatively lesser consequences for the
agency as a whole and for the employee of that agency than
there would be in the private sector.
For example, if somebody in the agency does lose your file
or give it to the wrong person, you still have to deal with
that agency. You can't go to say another Department of
Agriculture or another Department of Labor and find a, you
know, better security practice there. So I think that also goes
to the issue of some of the expense involved, is that it would
be very helpful for the perception of the American people to
have an understanding that if these policies are violated,
there will be real consequences for the agency and for the
employees involved.
Mr. Horn. Well, we thank you on that.
I'm going to have a few closing words, and I want to thank
the staff and tell you what we're doing tomorrow here.
It's clear that a great deal of attention must be focused
on this vital issue. There's a lot of computer security policy
out there, but it isn't necessarily being followed by some
agencies and others. And when we look at all of the State
governments you've got another matter there in terms of
privacy. What does it take, legislation? You can be assured if
it does we will continue to monitor the government's progress
in this area.
This report card sets a baseline for the future oversight.
It also is a wake-up call for Federal departments and agencies
to begin taking the necessary steps to ensure that the
sensitive information contained in the computers will be
protected.
Tomorrow at 10 a.m. the subcommittee will hold a related
hearing to examine two proposals that would establish the
position of a Federal chief information officer. The gentleman
from Texas has proposed that. Among other responsibilities,
this governmentwide position would be responsible for the
government's computer security efforts, and that's one
approach, and that's in essence what we asked the President to
do in the summer of 1997, was get somebody to put them in
charge.
Now, they didn't move for about a year, but when they did
move that was exactly what was needed to get the coordination,
somebody to be assistant to the President as Mr. Constant was
when he was brought back into government, and he did a very
fine job of pulling all the pieces together. Because I would
ask, has the President brought this up at a Cabinet meeting?
And, Mr. Spotila, I don't know if you know the answer to
that, but in the Eisenhower administration, that thing would
have been up there 10 years before. That's what Social Security
was under the Y2K. They were on their own. There was no
administration. They went through three of them in that period
that didn't really face up to it until the bells were really
ringing.
So that's one of our concerns. But I think the next round
we'll have a better feel for how accurately and diligently the
agencies are doing it.
I want to thank each of these witnesses today, and I want
to thank the staff on both the minority and majority: J.
Russell George, staff director, chief counsel of the
subcommittee; Randy Kaplan, counsel; on my left, your right,
Ben Ritt, professional staff member on loan from the GAO and
the one that has had a lot of effort on putting this particular
hearing together; Bonnie Heald, director of communications;
Bryan Sisk, clerk; Elizabeth Seong, staff assistant; Earl
Pierce, also a professional staff member; and George Fraser,
intern.
On Mr. Turner's side, Trey Henderson, minority counsel; and
Jean Gosa, minority clerk.
Court reporters, Colleen Lynch and Melinda Walker.
May I say that we're now going to end this, and I know the
media have wanted to have some questions, and those of you that
would like to stay, please, gentlemen, and Ms. Singleton,
you're welcome to stay. You're the experts in a lot of these,
and I'm sure they'd like to ask you a few questions, but we
won't do it in a formal hearing, and we--I don't know how the
oath spreads over to a press conference, but we're in recess
here. So--till tomorrow anyhow.
[Whereupon, at 11:50 a.m., the subcommittee was adjourned.]