[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]
HOW SECURE IS SENSITIVE COMMERCE DEPARTMENT DATA AND OPERATIONS? A
REVIEW OF THE DEPARTMENT'S COMPUTER SECURITY POLICIES AND PRACTICES
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
OVERSIGHT AND INVESTIGATIONS
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
__________
AUGUST 3, 2001
__________
Serial No. 107-56
__________
Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/
house
_______
U.S. GOVERNMENT PRINTING OFFICE
74-853 WASHINGTON : 2001
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
COMMITTEE ON ENERGY AND COMMERCE
W.J. ``BILLY'' TAUZIN, Louisiana, Chairman
MICHAEL BILIRAKIS, Florida JOHN D. DINGELL, Michigan
JOE BARTON, Texas HENRY A. WAXMAN, California
FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma BART GORDON, Tennessee
RICHARD BURR, North Carolina PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia BART STUPAK, Michigan
BARBARA CUBIN, Wyoming ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois TOM SAWYER, Ohio
HEATHER WILSON, New Mexico ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona GENE GREEN, Texas
CHARLES ``CHIP'' PICKERING, KAREN McCARTHY, Missouri
Mississippi TED STRICKLAND, Ohio
VITO FOSSELLA, New York DIANA DeGETTE, Colorado
ROY BLUNT, Missouri THOMAS M. BARRETT, Wisconsin
TOM DAVIS, Virginia BILL LUTHER, Minnesota
ED BRYANT, Tennessee LOIS CAPPS, California
ROBERT L. EHRLICH, Jr., Maryland MICHAEL F. DOYLE, Pennsylvania
STEVE BUYER, Indiana CHRISTOPHER JOHN, Louisiana
GEORGE RADANOVICH, California JANE HARMAN, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
David V. Marventano, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Oversight and Investigations
JAMES C. GREENWOOD, Pennsylvania, Chairman
MICHAEL BILIRAKIS, Florida PETER DEUTSCH, Florida
CLIFF STEARNS, Florida BART STUPAK, Michigan
PAUL E. GILLMOR, Ohio TED STRICKLAND, Ohio
STEVE LARGENT, Oklahoma DIANA DeGETTE, Colorado
RICHARD BURR, North Carolina CHRISTOPHER JOHN, Louisiana
ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois
Vice Chairman JOHN D. DINGELL, Michigan,
CHARLES F. BASS, New Hampshire (Ex Officio)
W.J. ``BILLY'' TAUZIN, Louisiana
(Ex Officio)
(ii)
C O N T E N T S
__________
Page
Testimony of:
Bodman, Hon. Samuel W., Deputy Secretary, accompanied by
Thomas Pyke, Acting Chief Information Officer, U.S.
Department of Commerce..................................... 40
Dacey, Robert F., Director, Information Security Issues, U.S.
General Accounting Office.................................. 20
Frazier, Hon. Johnnie E., Inspector General, U.S. Department
of Commerce................................................ 10
(iii)
HOW SECURE IS SENSITIVE COMMERCE DEPARTMENT DATA AND OPERATIONS? A
REVIEW OF THE DEPARTMENT'S COMPUTER SECURITY POLICIES AND PRACTICES
----------
FRIDAY, AUGUST 3, 2001
House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Oversight and Investigations,
Washington, DC.
The subcommittee met, pursuant to notice, at 9:30 a.m., in
room 2123, Rayburn House Office Building, Hon. James C.
Greenwood (chairman) presiding.
Members present: Representatives Greenwood, Burr, and
Tauzin (ex officio).
Staff present: Tom Dilenge, majority counsel; Mark
Paoletta, majority counsel; Will Carty, legislative clerk; and
Peter Kielty, legislative clerk.
Mr. Greenwood. Good morning. The subcommittee will come to
order.
I apologize for starting a little late. It was a late night
last night, and we are hoping some of the other members arrive,
but we do not want to dishonor anyone's time. So we will start
now.
We are here today to continue the committee's review of
computer security, or lack thereof, as the case may be, at
Federal agencies under our jurisdiction. Since 1998, this
committee has reviewed computer security policies and practices
at the Environmental Protection Agency, the Department of
Energy, the Health Care Financing Administration, and today we
will be focusing our attention on the Department of Commerce.
Without exception, we have found significant security
problems at each of these agencies, all of which either took or
are taking prompt action to correct the deficiencies identified
as a result of our oversight.
Unfortunately, it appears that information security rarely
becomes a priority within an agency until the white hot lights
of public and congressional attention focus on that agency's
specific flaws.
Today we will hear from information security experts at the
General Accounting Office, who at this committee's request
conducted an in depth evaluation of the department's management
and implementation of computer security at seven of its
operating divisions, including the Bureau of Export
Administration, the International Trade Administration, the
Economics and Statistics Administration, and the Office of the
Secretary.
GAO's team of ethical hackers identified and exploited
vulnerabilities in the computer systems of these divisions to
gain virtually unlimited access to them internally from within
the department's network and externally from the Internet.
Not only could these systems be accessed without
authorization, but the information contained in them could be
read, modified, or deleted at will, even with respect to the
most sensitive systems and data files within these seven
divisions.
And with such access also comes the power to completely
disrupt critical department operations. It is no secret that of
the systems reviewed and found to be vulnerable by GAO, many
contain highly sensitive personal, financial, commercial, and
national security related data and are critical to the
department's overall mission.
Included in this list are the export control licensing
systems and the networks that are used by the International
Trade Administration for communications with our foreign
commerce outposts around the world.
The state of the department's security was truly
deplorable. GAO found instances in which systems did not
require passwords even for system administrator accounts. Other
systems had easily guessed passwords, such as ``password.''
Certain passwords and password files were either
unencrypted or not otherwise protected, permitting anyone on
the network, authorized or unauthorized, to read and obtain
even the most powerful account passwords.
And six of the seven bureaus did not even limit the number
of times an individual could try to log onto the system,
allowing would be hackers excessive opportunities to crack
these poor password controls.
GAO also found that poor network security and
configurations permitted GAO's experts to circumvent the
limited security controls that were in place and thus, to
travel between and among the seven connected bureaus,
essentially finding that the lowest common denominator among
these bureaus set the security standard for the rest of them.
Some of the bureaus did not even have firewalls in place to
protect all of their sensitive internal systems from the
Internet or, if they did, they were either so poorly
implemented as to be largely ineffective or could be easily
bypassed by alternative access routes.
These failures place all of the connected bureaus at
significant risks of intrusions.
Equally troubling, and despite advanced notice of the GAO
hacking attempts, the department's monitoring of cyber
intrusions failed to detect the overwhelming majority of GAO's
intrusion and scanning efforts, including the successful ones.
In fact, GAO reports that its hackers gained access to one
system only to find that a Russian hacker had been there before
them without the department's apparent knowledge. And only two
of the bureaus reviewed by GAO had formal intrusion detection
systems in place.
In short, the department simply has no idea of whether its
sensitive systems are being or have been compromised, a totally
unacceptable situation.
The reason for these failures, according to GAO, is the
lack of an effective security management program at the
department. Basic and longstanding Federal security
requirements have essentially been ignored for years. Only 3 of
the 94 sensitive systems reviewed by GAO had documented risk
assessments, and only seven had current security plans, none of
which have been approved yet by management.
The department's computer security policies have not been
updated since 1995, despite the tremendous growth of the
Internet and the increased interconnectivity between Commerce
bureaus and the outside world, and there are virtually no
minimum security requirements for all Commerce computer
systems, even, for example, on basic issues such as password
lengths or characteristics.
In addition to GAO, we will hear today from the
department's Inspector General, which also has done work in
this area. A recent IG report essentially confirmed that the
lack of effective security management found by GAO with respect
to seven of the department's operating divisions was not
unusual.
Across the department adequate risk assessments and
security plans are the exception rather than the norm with
roughly 92 percent of the department's systems failing to
comply with at least one of these Federal security
requirements.
The IG's financial control audits, which beginning this
year contained a limited penetration test of computer security
controls, also confirm that access control problems similar to
those identified at the seven bureaus reviewed by GAO exist at
many other Commerce bureaus as well, including the Census
Bureau, NOAA, NIST, and others, posing threats from both
internal and external sources.
How could this situation exist and for so long? The short
answer is that until this committee started asking questions
early last year, no one at the department was even seriously
looking at these issues.
Despite Federal requirements for independent reviews of
security controls on major systems on a routine basis, GAO
found that neither the department's Chief Information Officer
nor six of the seven bureaus reviewed had conducted any such
audits or oversight.
Unfortunately the situation is not at all unusual. Our
cyber security reviews have consistently shown that this lack
of real world testing of the effectiveness of security controls
is one of the major problems facing not just the Commerce
Department, but the Federal Government as a whole.
This lack of attention to cyber security is reflected by
the lack of resource devoted to this purpose. At Commerce, for
example, the department's Office of Information Technology
Security, which is responsible for setting the department's
computer security policies and conducting oversight to insure
compliance by these various bureaus, was a one-person operation
until March 2000, when the Director of this office was given
two interns to assist with these important functions.
I am pleased to hear that Secretary Evans recently approved
a redirection of additional personnel and funding for this
office, which in addition to computer security is also
responsible for the department's overall critical
infrastructure protection efforts.
It certainly is time; indeed, it is well past time for the
Commerce Department to start taking the security of its data
system seriously, much more so than it was under the previous
administration.
In the 21st Century effective computer security is as much
a part and cost of doing business as having locks on the front
was during previous centuries. And we will continue our
oversight in this area until Commerce and the other Federal
agencies under our jurisdiction get this message loud and
clear.
I want to welcome and thank our witnesses for testifying
today on this important topic, and we'll now recognize the
Ranking Member.
Actually, I will now recognize the chairman of the full
committee, Mr. Tauzin, for his opening statement.
[The prepared statement of Hon. James Greenwood follows:]
Prepared Statement of Hon. James Greenwood, Chairman, Subcommittee on
Oversight and Investigations
We are here today to continue this Committee's review of computer
security--or lack thereof as the case may be--at Federal agencies under
our jurisdiction. Since 1998, this Committee has reviewed computer
security policies and practices at the Environmental Protection Agency,
the Department of Energy, the Health Care Financing Administration, and
today we will be focusing our attention on the Department of Commerce.
Without exception, we have found significant security problems at each
of these agencies, all of which either took--or are taking--prompt
action to correct the deficiencies identified as a result of our
oversight. Unfortunately, it appears that information security rarely
becomes a priority within an agency until the white-hot lights of
public and congressional attention focus on that agency's specific
flaws.
Today we will hear from information security experts at the General
Accounting Office who, at this Committee's request, conducted an in-
depth evaluation of the Department's management and implementation of
computer security at seven of its operating divisions, including the
Bureau of Export Administration, the International Trade
Administration, the Economics and Statistics Administration, and the
Office of the Secretary.
GAO's team of ethical hackers identified and exploited
vulnerabilities in the computer systems of these divisions to gain
virtually unlimited access to them internally, from within the
Department's network, and externally, from the Internet. Not only could
these systems be accessed without authorization, but the information
contained in them could be read, modified, or deleted at will--even
with respect to the most sensitive systems and data files within these
seven divisions. And with such access also comes the power to
completely disrupt critical Department operations.
It is no secret that, of the systems reviewed and found to be
vulnerable by GAO, many contain highly sensitive personal, financial,
commercial, and national security-related data, and are critical to the
Department's overall mission. Included in this list are the export
control licensing systems and the networks that are used by the
International Trade Administration for communications with our foreign
Commerce outposts around the world.
The state of the Department's security was truly deplorable. GAO
found instances in which systems did not require passwords, even for
system administrator accounts. Other systems had easily guessed
passwords, such as ``password.'' Certain passwords and password files
were either unencrypted or not otherwise protected, permitting anyone
on the network--authorized or unauthorized--to read and obtain even the
most powerful account passwords. And six of the seven bureaus did not
even limit the number of times an individual could try to log on to the
system, allowing would-be hackers excessive opportunities to crack
these poor password controls.
GAO also found that poor network security and configurations
permitted GAO's experts to circumvent the limited security controls
that were in place, and thus to travel between and among the seven
connected bureaus--essentially finding that the lowest common
denominator among these bureaus set the security standard for the rest
of them. Some of the bureaus did not even have firewalls in place to
protect all of their sensitive internal systems from the Internet--or,
if they did, they were either so poorly implemented as to be largely
ineffective, or could be easily bypassed via alternative access routes.
These failures place all of the connected bureaus at significant risk
of intrusions.
Equally troubling, and despite advance notice of the GAO hacking
attempts, the Department's monitoring of cyber intrusions failed to
detect the overwhelming majority of GAO's intrusion and scanning
efforts, including the successful ones. In fact, GAO reports that its
hackers gained access to one system, only to find that a Russian hacker
had been there before them, without the Department's apparent
knowledge. And only two of the bureaus reviewed by GAO had formal
intrusion detection systems in place. In short, the Department simply
has no idea of whether its sensitive systems are being or have been
compromised--a totally unacceptable situation.
The reason for these failures, according to GAO, is the lack of an
effective security management program at the Department. Basic and
longstanding Federal security requirements have essentially been
ignored for years. Only three of the 94 sensitive systems reviewed by
GAO had documented risk assessments, and only seven had current
security plans, none of which had been approved yet by management. The
Department's computer security policies have not been updated since
1995, despite the tremendous growth of the Internet and the increased
inter-connectivity between Commerce bureaus and the outside world. And
there are virtually no minimum security requirements for all Commerce
computer systems--even, for example, on basic issues such as password
lengths or characteristics.
In addition to GAO, we will hear today from the Department's
Inspector General, which also has done work in this area. A recent IG
report essentially confirmed that the lack of effective security
management found by GAO, with respect to seven of the Department's
operating divisions, was not unusual. Across the Department, adequate
risk assessments and security plans are the exception rather than the
norm, with roughly 92% of the Department's systems failing to comply
with at least one of these Federal security requirements.
The IG's financial control audits, which, beginning this year,
contained a limited penetration test of computer security controls,
also confirm that access control problems similar to those identified
at the seven bureaus reviewed by GAO exist at many other Commerce
bureaus as well, including the Census Bureau, NOAA, NIST, and others,
posing threats from both internal and external sources.
How could this situation exist, and for so long? The short answer
is that, until this Committee started asking questions early last year,
no one at the Department was even seriously looking at these issues.
Despite Federal requirements for independent reviews of security
controls on major systems on a routine basis, GAO found that neither
the Department's chief information officer, nor six of the seven
bureaus reviewed, had conducted any such audits or oversight.
Unfortunately, this situation is not at all unusual. Our cyber
security reviews have consistently shown that this lack of real-world
testing of the effectiveness of security controls is one of the major
problems facing not just the Commerce Department, but the Federal
government as a whole.
This lack of attention to cyber security is reflected by the lack
of resources devoted to this purpose. At Commerce, for example, the
Department's Office of Information Technology Security--which is
responsible for setting the Department's computer security policies and
conducting oversight to ensure compliance by the various bureaus--was a
one-person operation up until March 2000, when the director of this
office was given two interns to assist with these important functions.
I am pleased to hear that Secretary Evans recently approved a re-
direction of additional personnel and funding for this office, which in
addition to computer security is also responsible for the Department's
overall critical infrastructure protection efforts.
It certainly is time--indeed, it is well past time--for the
Commerce Department to start taking the security of its data systems
seriously, much more so than it was under the previous Administration.
In the 21st century, effective computer security is as much a part and
cost of doing business as having locks on the front door was during
previous centuries. And we will continue our oversight in this area
until Commerce and the other Federal agencies under our jurisdiction
get this message loud and clear.
I want to welcome and thank our witnesses for testifying today on
this important topic, and will now recognize the Ranking Member for an
opening statement.
Chairman Tauzin. Thank you, Mr. Chairman.
And let me echo your comments regarding the need for
Federal agencies to start devoting a great deal more attention
and resources necessary to secure the computer systems of our
country safe from the attacks or misuse from hackers.
I want to congratulate you, Jim, on the excellent work you
have done as our O&I chairman this year, and this, of course,
may be some of the most important work you do, even ranking
with the important work you have done in tire safety this year
to protect Americans.
Protecting the security of our systems is critical not only
to the privacy of American citizens, who share information with
these systems very often involuntarily, but they do not even
have a chance to say, ``Please do not use it for something
else,'' but it obviously has huge implications for the
potential for someone to create some real mischief in some very
sensitive data banks in this country.
What we learned about the capability of hackers to move
into, for example, CMS, (Center for Medicaid/Medicare Services)
the agency formerly known as HCFA (Health Care Financing
Administration), and interfere with the provision of health
care services and reimbursement, sensitive medical accounts, it
is pretty frightening.
You know, there is one area where citizens are keenly aware
of the privacy of their information and the sanctity of that
privacy. It is in the health care area.
I cannot tell you how appalled I was to learn that that
information might be compromised and that the systems that my
mother and so many other Americans depend upon for their health
care might be ripped because somebody got in and managed it
improperly and misused it.
And so again, I want to stress how important it is. This
subcommittee has been moving on this issue, and again, Mr.
Chairman, I congratulate you.
The Commerce Department, which is the focus of our hearing
today, the GAO and Inspector General audit findings are
alarming. Hackers from GAO and the Inspector General's Office
were able to have their way with the department's various
computer systems, violating the integrity of the department's
computer networks virtually at will.
You know, if our government ethical hackers can get in, I
guarantee you there are kids in Russia and Cal Tech, somewhere
all over this world who can get in.
And while the findings are quite troubling, they don't
surprise me based upon the committee's work on other agencies.
When an administration, like the last administration, devotes
so little time and attention to this particular matter, we are
not surprised that these problems are so pervasive.
It is clear to me that while the former President might
have said that this was an area of importance, the
administration simply failed constantly, consistently to make
the protection of our Nation's critical cyber assets a true
priority. There just was not enough attention paid to it.
Somebody was asleep at the computer switch, and that is why
I am pleased to see the new Secretary of Commerce is taking a
very different approach.
He has instituted a new management structure with increased
authority, responsibility, and accountability for the
department's information officers, and he has allocated more
resources to the security functions at the departmental level.
And probably most importantly, the Secretary has made clear
to his Under Secretaries that they will make computer security
a priority as an integral part of their programmatic missions
and will allocate additional resources as necessary to get the
job done.
Those are strong words. We have heard strong words before.
So we want to make sure those strong words are translated today
and hereafter into very strong action.
In this vein I'm very pleased to have the newly confirmed
Deputy Secretary of the department here today, signifying, I
think, the importance of this topic to the Secretary and the
level at which these issues are now being handled by the
department. That is very encouraging.
Let me just finish by emphasizing that good computer
security is not a simple fix. We have learned that in this
committee. It is sort of like the radar systems, you know. For
every new radar system they manufacture for the police, the
same company is manufacturing a radar detection system for
consumers to put in their cars.
And we know that the people who make the best security
systems also know how to break them, and very often the people
that are really good at this stuff figure it out on their own.
And while it takes consistent and sustained leadership,
particularly in the beginning, effective long-term information
security programs require their implementation, sound processes
and policies that can carry on absent or despite the particular
personalities involved.
I hope the Commerce Department and all of the Federal
agencies of our country keep this principle in mind as they
take the long overdue steps to improve the security of
sensitive data when the American people have entrusted them or
that they have entrusted us, rather, to protect.
When they give us their information, very often
involuntarily, we have a sacred duty to protect their privacy
and the integrity of that information, and we cannot look at it
any less solemnly than that.
Thank you, Mr. Chairman.
[The prepared statement of Hon. W.J. ``Billy'' Tauzin
follows:]
Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee
on Energy and Commerce
Thank you, Mr. Chairman, and I want to echo your comments regarding
the need for all Federal agencies to start devoting the attention and
resources necessary to secure their computer systems from attacks or
misuse. The government must do more to protect the sensitive personal,
financial, proprietary and national security-related data on its
systems.
I also want to stress how valuable the work of this Subcommittee
has been in moving the ball forward on these issues. There should be
little doubt in anyone's mind that, absent the aggressive oversight of
this Subcommittee, agencies such as EPA, DOE, HCFA (now known as CMS)
and others would not have taken many of the actions that they recently
have taken to improve the security of their sensitive data and systems.
While none of them are yet perfected, and none will likely ever be
perfected due to rapidly changing technology, keeping the pressure and
the focus on these issues is critically important to our nation and to
its citizens.
As for the Commerce Department--which is the focus of our hearing
today--the GAO and Inspector General audit findings are alarming.
Ethical hackers from GAO and the Inspector General's office were able
to have their way with the Department's various computer systems--
violating the integrity of the Department's computer networks virtually
at will.
While these findings are quite troubling, they don't surprise me at
all, based on the Committee's work at other agencies. When an
Administration, such as the Clinton Administration, devotes so little
attention and resources to a particular matter, we shouldn't be
surprised to find that such problems are so pervasive. It is clear to
me that, despite what the former President might have said about the
importance of computer security, his Administration failed to take
actions to make the protection of our nation's critical cyber assets a
true priority.
That is why I am so pleased to see that the new Secretary of
Commerce is taking a different approach. He's instituted a new
management structure--with increased authority, responsibility, and
accountability for the Department's information officers. He's
allocated more resources to these security functions at the Department
level. And, probably most importantly, the Secretary has made clear to
his Under Secretaries that they will make computer security a priority
as an integral part of their programmatic missions, and will allocate
additional resources as necessary to get the job done.
In this vein, we are pleased to have the newly-confirmed Deputy
Secretary of the Department here today to testify, signaling the
importance of this topic to the Secretary and the level at which these
issues are now being handled within the Department.
Let me finish just by emphasizing that good computer security is
not a simple fix. While it takes consistent and sustained leadership,
particularly in the beginning, effective long-term information security
programs require the implementation of sound processes and policies
that can carry on absent, or despite of, particular personalities. I
hope the Commerce Department, and all Federal agencies, keep this
principle in mind as they take these long-overdue steps to improve the
security of the sensitive data which the American people have entrusted
them to protect.
I thank the Chairman, and yield back the balance of my time.
Mr. Greenwood. The Chair thanks the chairman for his
comments and for his presence and for his assistance and
cooperation and help with this investigation, and recognizes
for an opening statement the gentleman from North Carolina, Mr.
Burr.
Mr. Burr. I thank the chairman and full committee chairman.
Having finished a hectic legislative schedule this week, if
we look a little tired, it is because we are, and this
committee contributed greatly to major legislation in the form
of a comprehensive energy package and a patient's bill of
rights that some dreamed would never happen.
But the issue that we are here to look at today is of
interest to every member, Republican and Democrat. That is
certainly not indicative of the participation that we have this
morning. It is more indicative of the lack of sleep that all
have had and their anxiousness to go home since the business is
over.
This subcommittee has looked at computer security issues at
a number of government agencies. As troubling as many of the
problems that those agencies were, and still are in many cases,
I am especially troubled by some of the concerns raised by the
General Accounting Office audit of seven Commerce bureaus.
In particular, I am more than a little concerned about the
security of the Bureau of Export Administration, which is
responsible, among other things, for regulating the export of
sensitive goods and technology, enforcing export controls,
anti-boycott and public safety laws, cooperating with and
assisting other countries on export control and strategic trade
issues, assisting U.S. industry to comply with international
arms control agreements, and monitoring the viability of the
United States' defense industrial base.
That mission statement came straight off BXA's Web site. I
imagine most of us recognize those as some very serious
responsibilities, and I imagine most of us will be equally
disturbed by the fact that BXA has one of the worst computer
security problems and is among the most susceptible to
unauthorized access of the seven bureaus examined by GAO.
I suspect, based on the track record, that it is not a
stand out among the rest of the department's bureaus either.
Apparently BXA had not tested its system since 1991 and had not
conducted a risk assessment since 1994.
Many of the problems GAO will discuss were also identified
by the Commerce Inspector General in a 1999 report. Here we are
today, August 2001. It must be Groundhog Day, starting at the
same point with the same problems once again.
Now, what this means is that the Commerce Department has
apparently not made much progress adhering to PDD 63 issued in
May 1998 that set up groups within the Federal Government to
develop and implement plans that would protect government
operated computer and communications infrastructure.
The directive identified 12 areas critical to the
functioning of this country. Commerce was designated as lead
agency for information and communications security. Foreign
affairs and national defense are also key elements of the
directive, and it is my understanding that the export control
system is considered, under PDD 63, critical.
And I have the sneaking suspicion that GAO is about to tell
this subcommittee that it was able to gain unauthorized access
to administrative level BXA systems.
That's not the only portion of the mission statement on the
Web site. It also states that another of the bureau's missions
is to promote Federal initiatives and public-private
partnerships across industry sectors to protect the Nation's
critical infrastructure. To protect the Nation's critical
infrastructure. I think that one phrase justifies why we are
here today, and I think why everybody takes it seriously.
In closing, I will say to our friends from the Department
of Commerce: you inherited this problem. The challenge is that
you have inherited a problem you have to fix.
I hope the next Congress with the next Commerce
Department--hopefully they are the same people we have today in
the next Commerce Department--but heaven forbid we ever have a
situation where we come back up here to talk about this problem
again because I believe that this committee is serious about
making sure that we work as a partner to make sure that the
problem of security within BXA, within Commerce, within all
Federal agencies is eliminated as it relates to the access that
we've seen.
Mr. Chairman, once again, let me thank you, and yield back
the balance of my time.
Mr. Greenwood. The Chair thanks the gentleman for his
statement and welcomes our first two witnesses.
They are the Honorable Johnnie E. Frazier, Inspector
General, U.S. Department of Commerce, and Mr. Robert F. Dacey,
Director of Information Security Systems at the U.S. General
Accounting Office.
You gentlemen are aware that the committee is holding an
investigative hearing, and when doing so has had the practice
of taking testimony under oath. Do you have any objections to
testifying under oath?
Mr. Frazier. No, sir.
Mr. Greenwood. Seeing no such objections, the Chair then
advises you that under the rules of the House and the rules of
the committee you are entitled to be advised by counsel.
Do you desire to be advised by counsel during your
testimony today?
Seeing a negative response, in that case if you would
please rise and raise your right hands, I will swear you in.
[Witnesses sworn.]
Mr. Greenwood. Thank you.
You may be seated, and you are now under oath, and, Mr.
Frazier, we will begin with you for your opening statement.
Please proceed. Welcome.
TESTIMONY OF HON. JOHNNIE E. FRAZIER, INSPECTOR GENERAL, U.S.
DEPARTMENT OF COMMERCE; AND ROBERT F. DACEY, DIRECTOR,
INFORMATION SECURITY ISSUES, U.S. GENERAL ACCOUNTING OFFICE
Mr. Frazier. Thank you, Mr. Chairman.
Mr. Chairman and members of the committee, I am very
pleased to be here today to talk about the OIG's work as it
relates to the Department of Commerce IT security.
The detailed results of our work have been included in my
long statement, which I would like to have submitted for the
record, but I would like to take a few minutes right now just
to talk about a few of the projects that we have been working
on.
Commerce, as you know, has many complex computer systems
that provide essential services to the public and support
critical mission activities, such as the Nation's weather
services, care of the environment, promotion of trade, economic
growth, and scientific research.
As the department's systems have become more
interconnected, vulnerabilities have also increased, thus
increasing the need to continuously improve IT security
measures. I cannot overemphasize the importance of IT security.
Indeed, in our recent semi-annual reports to the Congress,
we have identified strengthening department-wide security over
information technology as one of the top ten management
challenges facing the Department of Commerce.
During the past year, we have engaged in various audit,
inspection, evaluation, and investigation activities aimed at
strengthening IT security Commerce-wide. We have coordinated
with GAO and the CIO to ensure that we address the most
important issues and avoid duplication of effort.
In our resulting reports and briefings, we have made
numerous observations and recommendations aimed at improving IT
security. Let me briefly mention a few of our efforts.
One recent evaluation which examined the Office of the
CIO's oversight of the department's IT security program found
that despite some progress in recent years, additional
improvements are needed. The department's IT security policy
needs to be revised and expanded because it has not been
updated to comply with significant revisions of OMB guidance,
and it has not kept pace with recent trends in technology and
related security threats.
Additional IT security compliance procedures are needed
because security for many of the department's systems has not
been adequately planned. The security reviews have not been
performed, and several of our agencies do not even have
adequate awareness plans or training plans or even sufficient
capabilities for responding to IT security incidents.
Another one of our evaluations revealed that although the
department made early strides in its critical infrastructure
protection planning, important milestones had slipped. The
inventory of critical assets needed to be reevaluated and
vulnerability assessments, remediation plans, and budget
justifications just simply had not been completed.
A third evaluation identified privacy and security concerns
raised by the department's use of Internet ``cookies'' and Web
``bugs'' on its Web sites.
We have also identified security issues through our
inspections of Commerce offices and activities, both
domestically and overseas. Likewise our investigative work has
identified and examined specific incidents or allegations
involving IT security weaknesses, vulnerabilities, or threats.
And finally, our systems security audits of departmental
financial management systems are designed to identify IT
security problems. These audits are performed by certified
public accounting firms under contract with us and include
security reviews of the department's financial management
systems and related networks.
The CPAs use the GAO Federal information system controls
audit manual as their guidance.
The fiscal year 2000 financial statement audits included
review of general system controls at the department's seven
data processing locations. We found weaknesses at all seven
locations, including our observations that formal security
plans either did not exist, were outdated, or were not approved
for the major financial management systems and associated
support systems.
Moreover risk assessments needed to be completed and
approved, and more security monitoring was clearly needed.
In addition to the general system security control reviews,
penetration testing was also performed at four of the seven
locations to identify weaknesses in access controls. The
penetration testing found open modems and ports that were
accessible to potential hackers, readily accessible sensitive
information on Web sites, and firewall configurations that
could allow a hacker to introduce a virus.
As for physical security, some computer rooms in sensitive
work areas were not adequately secured.
It is important at this point to note that the department
and its operating units have reported progress on some of these
weaknesses, and I should also note that we are aware that they
are working to address others.
But you should also note that we are in the process of
performing our annual follow-up work to try and confirm many of
these observations and reported accomplishments.
We currently have other IT security reviews underway,
including looking at some of the classified systems, looking at
the background investigations behind some of the people who run
these systems and a host of other projects.
Finally, I am pleased to note that just last month my
office entered into a memorandum of agreement with the
department's Office of the CIO and the Office of Security to
define our respective roles and responsibilities related to
Commerce's IT security program. This agreement is intended to
promote a partnership among the three offices to ensure
improved coverage of IT security matters.
In closing, it is clear to me that cooperative, continuous,
and concerted efforts are needed by each of us, and I mean each
of us, as we move to address IT security weaknesses. These same
efforts are needed if we are to have any chance of at least
staying one step ahead of hackers and others that see IT
security as some sort of cat and mouse game.
I am encouraged that the senior management of the
department and its operating units increasingly recognize the
need to take a proactive approach to do this. For example, the
Secretary's recent directive increasing the authority of
operating unit CIOs and making them a more integral part of the
bureau management team is an important initiative.
Likewise, the recent appointment of the Senior Advisor to
the Secretary for Privacy should be instrumental in addressing
such issues as ``cookies,'' Web ``bugs,'' and other security
and privacy matters.
Program officials are being strongly reminded that they,
too, have key IT security responsibilities and need to work
closely with operating CIOs and security officials to ensure a
more effective security program.
This concludes my statement, and I will gladly answer any
questions.
[The prepared statement of Hon. Johnnie E. Frazier
follows:]
Prepared Statement of Johnnie E. Frazier, Inspector General, U.S.
Department of Commerce
Mr. Chairman and Members of the Committee, I am pleased to appear
before you today to discuss the Office of Inspector General's (OIG)
work and other activities related to the security and protection of the
Department's critical information technology (IT) systems, programs,
and activities.
The Department of Commerce has numerous complex computer systems
that provide essential services to the public and support critical
mission activities, such as the nation's weather services,
environmental stewardship, promotion of trade and economic growth,
scientific research, and technological development. As the Department's
systems have become more interconnected, vulnerabilities have also
increased, thus increasing the need to continuously improve IT security
measures. Strong IT security measures are vital to (1) protecting the
privacy of information, (2) safeguarding the integrity of computer
systems and their networks, and (3) ensuring the availability of
services to the American public and other users. I cannot emphasize too
much how important these measures are.
Indeed, in our recent Semiannual Reports to the Congress, we have
identified ``Strengthening Department-wide Information Security'' as
one of the top 10 management challenges facing the Department of
Commerce because of that issue's:
1. Importance to the Department's mission and the nation's well-being,
2. Complexity and sizable expenditures, and
3. Need for significant management improvements.
During the past year, we have engaged in a number of audit,
inspection, evaluation, and other activities involving Commerce IT
security matters--all aimed at strengthening IT security Commerce-wide.
We have completed evaluations of the Department's efforts to implement
its Critical Infrastructure Protection (CIP) plans. We also have
assessed the Office of the Chief Information Officer's (CIO) IT
security policy and the effectiveness of its oversight of the
Department's IT security program. In addition, we have evaluated the
use of persistent Internet ``cookies'' and ``web bugs'' on Commerce
Internet sites. Furthermore, in support of the OIG's fiscal year 2000
financial statement audits, we have conducted security reviews of the
Department's financial management systems and their related networks.
Moreover, assessments of IT security policies and practices are
often an integral part of the operational inspections we conduct of
Commerce activities, units, and offices domestically and overseas.
These inspections are intended to provide operating unit managers with
useful, timely information about their operations, including IT
security issues. IT security problems have also been identified through
our investigative work. In addition, we have worked closely with many
of the Department's key IT managers, top security personnel, and senior
program officials in an effort to identify the most critical IT
security issues and help craft corrective measures. Let me briefly
summarize the results of some of our recent efforts.
EARLY PROGRESS MADE IN CRITICAL INFRASTRUCTURE PROTECTION, BUT PLANNING
AND IMPLEMENTATION HAVE SLOWED
Last year, we evaluated the Department's CIP plan, identification
of minimum essential infrastructure (MEI) assets, and vulnerability
assessments of its cyber-based assets. MEI assets are the physical and
cyber-based assets essential to the minimum operations of the economy
and the government. Our evaluation found that although the Department
had made initial progress by developing a Department-wide CIP plan,
identifying critical infrastructure assets, and initiating
vulnerability assessments, there were several areas that warranted
management attention:
The Department's CIP plan needed to be strengthened because
several of its elements were outdated or missing, and important
milestones had slipped. The asset inventory, vulnerability
assessment framework, and budget estimates included in the plan
were not current. The plan also did not include requirements
for reviewing new assets to determine whether they should be
included as MEI assets, periodically updating vulnerability
assessments, or developing a system for responding to
infrastructure attacks.
The MEI asset inventory needed to be reevaluated because of
limitations in data gathering. In most cases, asset managers
were neither interviewed nor given adequate guidance before
filling out complex questionnaires used to gather asset
information, and the officials most knowledgeable about the
assets were seldom interviewed because of logistical problems
and limited resources. Establishing a reliable MEI inventory is
important because it forms the basis for later activities, such
as selecting the highest risk assets for vulnerability
assessments and taking remedial actions.
Vulnerability assessments, remediation plans, and budget
justifications needed to be completed. Reportedly due to
resource constraints, the Department had current vulnerability
assessments for less than 10 percent of MEI assets and had not
developed any remediation plans.
The CIO's office agreed with our findings and stated that the
Department's focus would be on the broad spectrum of IT security, which
emphasizes assets critical to the Department's mission and includes
most cyber-based MEI assets. Short-term actions were identified to
improve guidance to operating unit personnel involved in vulnerability
assessments and increase their involvement in the MEI asset inventory,
revise the MEI asset list, and evaluate new assets to determine whether
they should be included as MEI assets.
ADDITIONAL FOCUS NEEDED ON IT SECURITY POLICY AND OVERSIGHT
The CIO is responsible for developing and implementing a
departmental IT security program to ensure the confidentiality,
integrity, and availability of information and IT resources. The CIO's
responsibilities include developing policies, procedures, and
directives for IT security and providing oversight of the IT security
programs of the Department's operating units.
We conducted an evaluation to assess the CIO's policies and the
effectiveness of his oversight of the Department's IT security program.
Our review focused on the CIO's compliance with laws and regulations
governing IT security and his actions in recent years to oversee the
Department's IT security program.
We found that although in the past IT security did not receive
adequate attention, in more recent years, the CIO's office had expanded
its focus on and increased the resources devoted to IT security. For
example, the office conducted its first Department-wide assessment of
IT security planning in 1999 and reviewed operating unit self-
assessments in 2000, which resulted in increased compliance with
security requirements. Nevertheless, policy and oversight need further
improvements. Specifically:
IT security policy needs to be revised and expanded. The
Department's IT security policy is out of date because it was
developed in 1993 and 1995, prior to a significant revision of
OMB Circular A-130, which communicates policy on the security
of federal automated information resources. The policy is also
missing important components because it has not kept pace with
recent trends in technology and related security threats. The
Department's policy must be kept current and complete because
the operating units use it as the foundation for their general
and system-specific policies. We recommended that the CIO's
office update and expand its IT security policy as soon as
possible.
Additional IT security compliance procedures are needed.
Security for many of the Department's systems has not been
adequately planned, and security reviews have not been
performed. In addition, several operating units do not have
adequate awareness and training programs or adequate
capabilities for responding to IT security incidents. The
Government Information Security Reform Act (GISRA) requires the
CIO's office to conduct annual IT security evaluations in 2001
and 2002 similar to the self-assessments it monitored in 2000.
We recommended that the office commit to a program of reviews
that extends beyond GISRA's 2-year review requirement.
Moreover, the CIO's office should work with the Department's
acquisition and budget managers to ensure that IT-related
procurement specifications include security requirements, and
that funds for meeting these requirements are included in
operating unit budgets.
During our evaluation of the Department's IT security policy, we
provided the Department with a written analysis that identified
weaknesses and deficiencies in the policy, and made recommendations for
specific changes to bring the policy into compliance with applicable
laws and regulations.
The CIO's office agreed with all of our recommendations and cited a
number of corrective actions it planned to take to implement them.
Among other things, it agreed to revise, expand, and update the
Department's IT security policy; continue its compliance review program
beyond the 2-year period required by GISRA; and begin security reviews
as soon as possible.
USE OF INTERNET ``COOKIES'' AND ``WEB BUGS'' RAISED PRIVACY AND
SECURITY CONCERNS
We evaluated the use of persistent Internet cookies and web bugs by
departmental Internet sites, as well as the adequacy of the privacy
statements posted on the main web pages of the Department and its
operating units. We conducted our evaluation in response to Public Law
106-554, the Consolidated Appropriations Act of 2001, which required
the Inspector General of each agency to submit a report to the Congress
disclosing any activity regarding the collection of information
relating to any individual's access or viewing habits on the agency's
Internet sites.
Persistent Internet cookies are data stored on web users' hard
drives that can identify users' computers and track their browsing
habits. Web bugs are software code that can monitor who is reading a
web page. These technologies are capable of being employed in ways that
could violate the privacy of individuals visiting the Department's web
sites and can also pose security threats.
Web bugs are considered security threats because they can perform
malicious actions, including searching for the existence of specific
information, such as financial information, on a user's hard drive, and
downloading files from, or uploading files to, a user's computer. A web
user would be unaware of the presence of web bugs without using
detection software. Even if such software were used, the malicious
actions performed by identified web bugs could go undetected.
We found that most of the Department's Internet sites do not use
either persistent cookies or web bugs. However, we did find several
instances in which persistent cookies were being used without a
compelling reason or the approval of the Secretary, as required by
Department and OMB policy. We also found a number of web pages using
web bugs. At the time we began our evaluation, the Department did not
have a policy regulating web bug use, but it promptly developed and
issued one when informed of the problem. Finally, we found that many of
the operating units' privacy statements did not provide all of the
information required by the Department's privacy policy.
We recommended that the Department's CIO direct operating unit CIOs
and senior management to implement a strategy to control the use of
persistent cookies and web bugs and to certify annually that the
operating unit is in compliance with the Department's applicable
policies. We also recommended that the CIO direct operating unit CIOs
and senior managers to revise their privacy policy statements to make
them compliant with the Department's policy. The CIO's office agreed
with our findings and worked with us to help ensure that the cookies we
had identified were removed. The Secretary of Commerce's new Special
Assistant for Privacy is working to remove all web bugs and develop a
uniform privacy policy statement.
SYSTEMS SECURITY AUDITS OF DEPARTMENTAL FINANCIAL MANAGEMENT SYSTEMS
REVEAL PROBLEMS
Our audits of Commerce operating units' financial statements,
performed by certified public accounting (CPA) firms under contract
with us, include security reviews of the Department's financial
management systems and related networks that support the statements.
Our CPA contractors use GAO's Federal Information System Controls Audit
Manual (FISCAM) as a guide in performing these reviews. FISCAM provides
guidance on assessing the reliability of computer-generated data that
supports financial statements, including physical security and logical
access controls designed to prevent or detect unauthorized access or
intrusion into systems and networks.
In 1999 we adopted a systems security review strategy that provides
for full coverage of each financial management system and its related
networks on a two-year basis. Every two years, a review addresses the
six systems security areas identified in FISCAM: (1) entitywide
security program planning and management, (2) access controls, (3)
application software development and change control, (4) systems
software, (5) segregation of duties, and (6) service continuity. In the
alternate years, we routinely conduct penetration testing (in which
someone playing the role of a hostile attacker tries to compromise
systems security) and application-level testing. Review of the system
environment for significant changes and follow-up on open
recommendations occurs annually.
The audits of operating units' individual fiscal year 2000
financial statements included reviews of the general system controls
over the major financial management systems at the seven data
processing locations. In the reports on our audits of the Department's
fiscal year 1999 and 2000 consolidated financial statements, we noted
that these systems security reviews disclosed weaknesses in controls
over major financial management systems at all seven locations that
provide data processing support. Specifically, these reviews found
that:
1. Entitywide security program planning and management needed
improvement at all seven locations. This control is the
foundation of an entity's security control structure and a
reflection of senior management's commitment to addressing
security risks. It is intended to ensure that security controls
are adequate, consistently applied, and monitored, and that
responsibilities are clear and properly implemented.
2. Access controls for both operating systems and the financial
management systems needed strengthening at all seven locations,
and monitoring of external and internal access to systems
needed strengthening at five locations. These controls should
limit or monitor access to computer resources to guard against
unauthorized modification, loss, and disclosure.
3. Applications software development and change control needed
improvement at four locations. These controls should help
prevent the implementation of unauthorized programs or
modifications to existing programs.
4. Systems software improvements were needed at four locations.
Controls in this area should limit and monitor access to the
important software programs that operate computer hardware.
5. Segregation of duties improvements were needed at five locations.
Appropriate controls in this area include policies, procedures,
and an organizational structure to prevent one individual from
controlling key aspects of computer-related operations, thus
deterring unauthorized actions or access to assets.
6. To ensure service continuity, contingency plans needed to be
prepared, updated, or improved at all seven locations.
Appropriate controls in this area include procedures for
continuing critical operations, without interruption and with
prompt resumption of those operations, when unexpected events
occur.
Of particular note, among the weaknesses identified by the CPA
firms in the area of entitywide security program planning and
management, was the fact that formal comprehensive security plans
either did not exist, were outdated, or were not approved for the major
financial management systems and associated general support systems on
which the applications were processed. In addition, risk assessments
needed to be completed and approved, and security monitoring needed to
be performed.
At four locations, penetration testing was also performed on the
network that supports the financial management systems to identify
weaknesses in access controls. As part of the penetration testing, the
CPA firms reviewed the adequacy of access controls, which include
logical and physical controls. Logical access controls involve the use
of computer hardware and software to prevent or detect unauthorized
access, such as by hackers, to networks, systems, and sensitive files
by requiring users to input user ID numbers, passwords, and other
identifiers that are linked to predetermined access privileges.
Physical controls involve keeping computers in locked rooms to limit
physical access. The firms' penetration testing of logical controls
found that in some cases:
Open modems and ports were accessible to potential hackers.
Sensitive information on websites was readily accessible.
Sensitive active system services could allow unauthorized
access, downloading of files, and gathering of information.
Firewall configurations could allow a hacker to introduce a
destructive virus.
In addition, physical access controls over networks and financial
management systems needed strengthening. For example, at one location,
automated exterior locking systems had not been installed on doors to
restrict access, and the key card lock for the data center's computer
room was inappropriately placed on the inside of the door, rather than
the outside. In addition, personnel did not consistently lock and
secure their work areas. At another location, hardware that processed
very sensitive information was located in an area accessible by
numerous employees and contractors and was not segregated in an
individually secure area.
For fiscal year 2000, the CPA firms concluded that four operating
units had system security weaknesses that rose to the level of
``reportable conditions.'' Taken together, these conditions, combined
with the Department's lack of an integrated financial management
system, constituted a material weakness in the audit of the
consolidated financial statements. In our report on the audit of the
consolidated statements, we recommended that the CIO's office continue
to develop and implement a database for tracking and reporting on
corrective actions planned and taken to address the outstanding general
controls recommendations. We also recommended that the office review,
monitor, and provide guidance to the reporting entities on their
corrective actions planned and taken in response to our current and
prior years' audit reports on general controls.
We issued audit reports with recommendations to correct the control
weaknesses identified at each of the seven data processing locations,
and the operating units generally agreed with our recommendations. The
Department and its operating units are required to provide us with
audit action plans that address each of our recommendations. We have
reviewed the plans submitted to date and concur with the actions taken
or planned. Moreover, we are in the process of performing our annual
follow-up of the adequacy of the corrective actions planned or taken.
IT SECURITY ISSUES HAVE ALSO BEEN IDENTIFIED THROUGH OIG INSPECTIONS
AND INVESTIGATIONS
We have also identified IT security issues through our inspections
and investigative work. Our inspections unit, for example, conducted a
1999 assessment of the Bureau of Export Administration's (BXA) Export
Control Automated Support System as part of a larger review of BXA's
administration of the federal export licensing process for dual-use
commodities. While we determined that most of the system's general and
application controls were adequate, we found that BXA's IT security
controls could be enhanced by improving database access controls,
preparing a security plan, performing periodic security reviews,
officially assigning the security duties to its security officer,
providing all users with current security training, and restricting the
number of BXA employees with file manager access. BXA management
implemented some corrective actions immediately and agreed to take
action on our other recommendations dealing with the IT security of its
licensing system.
We are also conducting a series of inspections of the National
Weather Service's weather forecast offices (WFOs) that have identified
a number of IT security issues that need to be addressed by local
managers. Among other problems, we noted that one WFO we visited did
not have a designated security officer, and office personnel did not
follow the Weather Service's policy on IT security. We found other
problems, which I cannot describe in detail in a public hearing, that
highlight how vulnerable some systems can be without proper management
attention. Fortunately, the Weather Service has greatly improved its IT
security both locally and nationally since the start of our review.
During the past nine months, we visited two other WFOs. Although we
continued to identify some IT security problems, we have found that
designated security officers have been named and are receiving
necessary training on IT security. More importantly, WFO personnel
appear to better understand IT security concepts and requirements.
IT security problems have also been identified through our
investigative work. Through our OIG Hotline and other information
channels, specific incidents or allegations involving IT security
weaknesses, vulnerabilities, or threats have been brought to our
attention and examined. For example:
In one incident, a foreign hacker penetrated a network server
and installed software without the knowledge of the system
administrator. Had the software been activated, the server
would have been prevented from performing its normal network
services and would have been one of many computers
simultaneously activated to overload a designated Internet
site. As a result of the incident, the number of points of
access to the network was reduced to a bare minimum, and
existing monitoring software was activated.
In another incident, a hacker caused extensive damage to an
operating unit server, and it took more than 5 work days to
repair the server and restore operations. Because the software
on the server was destroyed, the system administrator was not
able to determine how the attack had occurred. Security
features were added when the software was restored, to reduce
the risk of another shutdown.
In a third incident, an after-hours contract cleaning employee
used a computer that had not been properly secured to gain
access to the Internet via a network system and view
pornographic materials. Coordination with the contracting
officer, property manager, and president of the contract
company resulted in the employee's immediate removal from the
facility contract and subsequent termination. In addition, the
practice of routinely leaving the computer on overnight was
discontinued.
ADDITIONAL OIG REVIEWS OF IT SECURITY MATTERS ARE EITHER UNDERWAY OR
PLANNED
We are currently conducting IT security evaluations related to (1)
the Economics and Statistics Administration's and the Census Bureau's
preparation and release of the Advance Retail Sales Principal Economic
Indicator, (2) the Department's classified information systems, and (3)
the Department's IT security program and practices, as required by the
Government Information Security Reform Act.
The objective of our security evaluation of the Advance Retail
Sales indicator is to determine whether adequate internal controls and
system safeguards are in place to prevent the unauthorized disclosure
or use of the economic indicator data before its release to the public.
We have found that employees dealing with the indicator do not always
have appropriate background investigations and that their positions are
not always assigned the appropriate level of risk as required by Title
5, Part 731, of the Code of Federal Regulations and OMB Circular A-130.
In some instances, the Department's records did not identify the type
of investigation done, if any, for personnel working on Principal
Economic Indicators. We also noted a lack of guidance from the Office
of Human Resources Management, as well as from the Office of Security,
suggesting that the problems associated with assigning appropriate risk
levels to positions and ensuring that background investigations are
performed may exist throughout Commerce. We are conducting additional
work to examine this issue.
Our review of the Department's classified information systems will
assess the adequacy of its policies for protecting classified
information and the effectiveness of its oversight of these systems.
The GISRA-mandated review is the annual evaluation of the
Department's IT security program and practices. This evaluation will
incorporate information from our security reviews, as well as results
of related evaluations performed by operating units, GAO, and
contractors. We are also continuing our security reviews of Commerce's
financial management systems and related networks as part of our fiscal
year 2001 financial statements audits. These reviews will be in line
with our IT security review strategy and will include penetration
testing of the U.S. Patent and Trademark Office and FISCAM reviews for
the other operating units.
The need for the OIG to provide oversight and evaluation of IT
security will be increasingly critical in the coming years. Our
independent evaluation of the Department's IT security program being
performed under GISRA and our security reviews of the Department's
financial management systems show that although the Department is
giving greater attention to IT security, serious issues remain to be
resolved. These issues appear to be the result of an earlier lack of
attention to IT security, limited resources, and an environment in
which the risks, threats, and vulnerabilities have continued to
escalate in number and complexity. The weaknesses identified by GAO's
recent network vulnerability analysis of the Department underscore our
concerns.
In our independent GISRA evaluation for the next fiscal year, we
plan to evaluate the effectiveness of operating unit IT security
programs and to conduct security evaluations of specific general
support systems and major applications. We will use the findings of our
current GISRA evaluation and of GAO's security audit to assist us in
identifying specific operating units, general support systems, and
major applications to evaluate in the future.
COOPERATIVE EFFORTS NEEDED TO ADDRESS IT SECURITY WEAKNESSES
I am pleased to note that, just last month, my office entered into
a memorandum of agreement with the Department's Office of the CIO and
Office of Security to define our respective roles and responsibilities
relating to the development, implementation, and management of the
Commerce IT security program. This agreement is intended to promote a
partnership among the three offices that both ensures complete coverage
of IT security matters and prevents wasteful duplication of effort.
Under the agreement, the CIO's office has the basic responsibility
for developing and implementing the Commerce-wide IT security program,
which includes developing IT security policies and procedures,
promoting IT security awareness and training, serving as the
Department's critical infrastructure assurance officer, and convening a
meeting of the incident response group when incidents or intrusions
occur. Commerce's Office of Security has the primary responsibility for
security for the Department's classified systems and, in conjunction
with the Department of State, for IT security at Commerce overseas
posts. My office is responsible for conducting investigations of IT
incidents and intrusions, and for conducting reviews of the
Department's IT security program and individual systems, including the
annual independent evaluations of the program required by GISRA.
In closing, it is clear that cooperative, continuous, and concerted
efforts are needed by each of us--and I mean each of us--if we are to
address IT security weaknesses. These efforts are needed if we are to
have any chance of staying at least one step ahead of the hackers and
others that see IT security as some sort of cat-and-mouse game.
I am confident that the senior management of the Department and its
operating units increasingly recognize the need to take a proactive
approach to do this. For example, the Secretary's recent directive
increasing the authority of operating unit CIOs and making them a more
integral part of the management team is an important initiative.
Likewise, the recent appointment of a Senior Advisor to the Secretary
for Privacy should be instrumental in addressing such issues as
cookies, web bugs, and other security/privacy matters. And program
officials are also being strongly reminded that they too have key IT
security responsibilities and need to work closely with operating unit
CIOs and security officials to ensure an effective security program.
We intend to continue our partnership with all of these managers by
identifying weaknesses and potential vulnerabilities in IT security and
by searching for ways to improve it. Through this relationship, I
believe we can help strengthen IT security within the Department.
This concludes my statement. A list highlighting some of the
reports we have issued that address IT security issues is included as
an attachment. Mr. Chairman, I would be happy to answer any questions
you or other members of the Committee might have.
Attachment
U.S. DEPARTMENT OF COMMERCE
OFFICE OF INSPECTOR GENERAL
RECENT AUDIT, INSPECTION, AND EVALUATION REPORTS ON INFORMATION
TECHNOLOGY SECURITY MATTERS
Evaluations
1--Office of the Chief Information Officer: Use of Internet ``Cookies''
and ``Web Bugs'' on Commerce Web Sites Raises Privacy and
Security Concerns, OSE-14257, April 2001
2--Office of the Chief Information Officer: Additional Focus Needed on
Information Technology Security Policy and Oversight, OSE-
13573, March 2001
3--Office of the Chief Information Officer: Critical Infrastructure
Protection: Early Strides Were Made, but Planning and
Implementation Have Slowed, OSE-12680, August 2000
4--Bureau of the Census: Computer Security for Transmission of
Sensitive Data Should Be Strengthened, OSE-10773, September
1998
Financial Statements Audits
[Note: These audits are performed annually; listed below are only the
reports covering FY 2000. In addition, the reports on security reviews
are not publicly available documents.]
5--Department of Commerce: Consolidated Financial Statements, FY 2000,
FSD-12849-1, March 2001
6--National Institute of Standards and Technology, Improvements Needed
in the General Controls Associated with Financial Management
Systems, FSD-12859-1, February 2001
7--Economic Development Administration, Improvements Needed in the
General Controls Associated with Financial Management Systems,
FSD-12851-1, January 2001
8--Bureau of the Census, Improvements Needed in the General Controls
Associated with Financial Management Systems, FSD-12850-1,
January 2001
9--National Technical Information Service, Improvements Needed in the
General Controls Associated with Financial Management Systems,
FSD-12857-1, January 2001
10--Office of the Secretary, Follow-up Review of the General Controls
Associated with the Office of Computer Services/Financial
Accounting and Reporting System, FSD-12852-1, January 2001
11--International Trade Administration, Review of General and
Application System Controls Associated with the Fiscal Year
2000 Financial Statements, FSD-12854-1, January 2001
12--National Oceanic and Atmospheric Administration, Improvements
Needed in the General Controls Associated with Financial
Management Systems, FSD-12855-1, December 2000
13--United States Patent and Trademark Office, Improvements Needed in
the General Controls Associated with Financial Management
Systems, FSD-12858-1, December 2000
Inspections
14--National Oceanic and Atmospheric Administration: San Angelo Weather
Forecast Office Performs Its Core Responsibilities Well, but
Office Management and Regional Oversight Need Improvement, IPE-
13531, June 2001
15--National Oceanic and Atmospheric Administration: Raleigh Weather
Forecast Office Provides Valuable Services, but Needs Improved
Management and Internal Controls, IPE-12661, September 2000
16--Bureau of Export Administration: Improvements Are Needed to Meet
the Export Licensing Requirements of the 21st Century, IPE-
11488, June 1999
17--Office of Security: Vulnerabilities in the Department's Classified
Tracking System Need to Be Corrected, IPE-11630, March 1999
Mr. Greenwood. We thank you very much for your testimony,
and we will be getting to questions shortly.
Mr. Dacey.
TESTIMONY OF ROBERT F. DACEY
Mr. Dacey. Mr. Chairman and members of the committee, I am
pleased to be here today to discuss our review of information
security controls over unclassified systems at the Department
of Commerce.
As you requested, I will briefly summarize our written
testimony.
At the seven Commerce operating units we reviewed,
significant and pervasive computer security weaknesses place
sensitive Commerce systems at serious risk. We demonstrated
through commonly or readily available software and common
techniques that individuals, both internal and external to
Commerce, could gain unauthorized access to these systems and
thereby read, copy, modify or delete sensitive financial,
economic, personnel and confidential business data.
Moreover, intruders could disrupt the operations of mission
critical systems, and due to poor incident detection
capabilities, unauthorized system access may not be detected.
As an illustration of these points, a recent media report
announced the discovery of security vulnerabilities that
allowed sensitive business information to be publicly accessed
from a Commerce Web site, forcing the department to temporarily
shut down a part of that site.
Our review identified vulnerabilities in four key areas.
First, controls intended to protect information systems and
critical data from unauthorized access were ineffectively
implemented, leaving systems highly susceptible to intrusions
or disruptions.
Specifically, management of user IDs and passwords,
including those related to powerful system administration
functions, were not effective. As you alluded to earlier, in
many systems passwords were not required or were easy to guess.
Also, bureau operating systems were not securely
configured, including exposing excessive amounts of system
information and allowing unnecessary or poorly configured
system functions to exist.
Further, none of the Commerce bureaus reviewed had
effective external and internal network security controls. Our
testing demonstrated that extensive unauthorized access to the
department's networks and systems could be gained as a result
of weakly configured external control devices, poorly
controlled dial-up modems, and ineffective internal network
controls.
Second, we found other significant weaknesses.
Specifically, computer duties were not properly segregated to
mitigate the risk of errors and fraud.
Software changes were not adequately controlled to ensure
that only authorized and tested programs were put in operation,
and comprehensive and complete recovery plans were not
developed to ensure the continuity of operations in the event
of a service disruption.
Third, Commerce bureaus did not adequately prevent, detect,
respond to, or report intrusions, providing little assurance
that unauthorized attempts to gain access to its systems would
be identified and appropriate actions taken in time to prevent
or mitigate damage.
For example, software updates to correct known
vulnerabilities were not installed, tested bureaus were
generally unable to detect our extensive intrusion activities,
and in two instances when our activity was detected, Commerce
employees inappropriately responded by launching attacks back
against our systems.
Moreover, these two incidents were not reported to the
security managers of the various bureaus.
Also, we identified evidence of hacker activity that
Commerce had not previously detected on a system containing
sensitive personnel information.
Fourth, and most important, Commerce does not have an
effective, department-wide information security program, as Mr.
Frazier earlier discussed, to proactively insure that sensitive
data and critical operations are adequately protected.
The lack of an effective security program is exacerbated by
the highly interconnected nature of Commerce's systems. Key
weaknesses existed in each of five critical areas.
First, there was lack of a strong, centralized management
function to oversee and coordinate department-wide security
activities.
Second, there was a widespread lack of risk assessment. For
example, as of March 2001, of the bureau's 94 sensitive systems
we reviewed, 91 did not have documented risk assessments, 87
had no current security plans; and none were authorized for
processing by Commerce management.
Third, there were significantly outdated and incomplete
information security policies which did not reflect current
Federal requirements in many important areas, had not been
updated to reflect certain risks related to the Internet, and
did not establish baseline security requirements for all
systems.
Fourth, there was inadequately promoted security awareness
and training. Although each of the bureaus had informal
programs in place, none had documented computer security
training procedures that meet Federal requirements to ensure
that security risks and responsibilities are understood by all
managers, users, and system administrators.
Fifth, there was a lack of an ongoing program to test and
evaluate security controls. No oversight reviews of the
bureau's systems had been performed by either the staff of
Commerce's information security program or six of the seven
bureaus. There had been isolated tests at one bureau.
In a draft report to Commerce, we made recommendations,
which are summarized in our written statement, to address these
weaknesses. The Commerce Secretary's response stated that
Commerce has developed and is currently implementing an action
plan to correct the specific problems we identified.
Mr. Chairman, this concludes my statement. I would be happy
to answer any questions that you or members of the committee
may have.
[The prepared statement of Robert F. Dacey appears at the
end of the hearing.]
Mr. Greenwood. I thank you, Mr. Dacey.
And the full statements of both witnesses will be entered
into the record.
Here is a question that I would like you each to respond
to. Both of you used the term ``sensitive'' to describe the
types of systems and the data at issue here. Can you be more
specific with respect to the types of information that are
susceptible to compromise and why it is that Congress and the
American people should be concerned about these
vulnerabilities?
Mr. Frazier. I will be happy speak first.
There are so many systems in the Department of Commerce
that we view as sensitive. You can start with the Census
Bureau, for example. The Census Bureau has lots of information
that is protected by Title 13, and in fact, I have heard you
speak to the concern about how the American public must come to
trust and know that information that they share with us is
going to be protected.
Mr. Greenwood. That was a huge issue in this whole last
census exercise where so many Americans were reluctant to fill
out long forms because of the fear of compromise in the
integrity of the system.
And, of course, we all assured them that that was not a
problem.
Mr. Frazier. Yes. I should tell you that in 1998, in
advance of the decennial census, we found an incredible
vulnerability there, and we brought it to the attention of
census managers, and that was handled as a red cover report for
obvious reasons.
The concern was that if that information got out, people
would begin to question whether it was wise to send in
information. It was just an oversight on the part of a security
manager that we could not believe, something that we would
think would be as obvious as this. I am not giving the details
here for obvious reasons, but we were just amazed that
something as basic as that could have that kind of potential
consequence to the integrity of the system.
Mr. Greenwood. To interrupt you for a moment, is it
conceivable that a hacker could go in through the Census Bureau
to my Greenwood family long forms, Census form, and scan it and
identify information as being responses that our family gave to
the Census form?
Mr. Frazier. No. When we found this problem, fortunately it
was before the decennial census. It was in doing the work we
did for the dress rehearsal, and so we were able to plug that
gap. Of course, once you brought that to the attention of the
Department and Census officials, that was something that they
were going to correct immediately. So that was not a problem
there.
But, again, I go back to tell you how something as
important as that system would have been overlooked. You know,
that was incomprehensible to us that that could be the case.
As we have gone in to look at the work at BXA, as you are
aware, we have done quite a bit of work in BXA, and for many
years, too many years, we have raised concerns about the
adequacy of its ECASS system, which has the sensitive
information on export controls, licensing requests.
We have made recommendations----
Mr. Greenwood. Could you elaborate on why that is
sensitive? What makes that particular information sensitive?
Mr. Frazier. Well, part of it is business proprietary from
the standpoint if you are Company X and are getting ready to
export radars to a certain country, you have to provide the
department with certain information that they can use to assess
your license request.
In the process of doing that, that is information that you
surely do not want your competitors to have. So that would be
extremely sensitive.
Mr. Greenwood. You mentioned radar. I assume that could
apply to other military equipment that is being exported,
information that we would certainly not want some individuals
or organizations to have ready access to, who might have an
interest in intercepting that military equipment.
Mr. Frazier. As you know, Commerce handles what we call
dual use items, which have both military and civilian uses, and
so you are right on the money when you suggest that that is
information that we would surely want to protect as much as we
possibly can.
Mr. Greenwood. In fact, in the GAO report, it says
sensitive data such as relating to national security, nuclear
proliferation, missile technology, and chemical and biological
warfare reside in the bureau system.
Mr. Frazier. Yes.
Mr. Greenwood. Mr. Dacey, would you like to elaborate on
the same subject?
Mr. Dacey. Yes. Basically, in addition to the export
license information we talked about, there is certain other
information. There is something called the safe harbor, which I
alluded to in my oral statement, which is a method for filing
to satisfy European Union privacy requirements, and by filing
you demonstrate that you meet certain requirements and then can
obtain certain personnel information and bring it back to your
company.
And that included information like revenue, you know, what
companies are you doing business with, number of employees and
such nature of information which was exposed as well.
There is, additionally, other information that the bureaus
have on the personal side, and that would have to do with
credit card information, for example the ESA subscription
services. They collect credit card information.
The bureau itself has data bases containing significant
information on Commerce personnel, including various
information, Social Security numbers, and that sort of thing.
So there is a variety of information, including financial
information, that is out there on the systems that are at
Commerce.
Mr. Greenwood. And what about the ability to go through the
Commerce Department systems? Is it conceivable that one could
go through the Commerce Department's system and then thereby
reach out to consulates, to our consulates around the world?
Mr. Dacey. One of the tests that we performed, we were able
to--let me back up a minute.
When we do our testing, our target or goal is to gain what
we call administrative control of the systems we are looking
at, and that means we could place ourselves in the position of
system administrator and thereby do just about anything that we
would want to do on that system, including reading files,
copying files, deleting files, changing software, any number of
things that a system administrator could do.
We gained that level of access on several of Commerce's
systems. Some of those allowed us to gain access to networks
which went to the Foreign Commercial Service posts as well as
the systems that contained some of this sensitive information.
Mr. Greenwood. And those consulates are, of course, in
turn, interconnected to other sensitive agencies of the Federal
Government so that it would seem to me to heighten the
sensitive nature of this leak.
Mr. Dacey. We did not specifically look at the connectivity
of those Commerce installations in foreign posts with other
potential agencies, but that is an issue which might be
explored in the future as another task.
Mr. Burr. Would the chairman yield?
Mr. Greenwood. Certainly.
Mr. Burr. What I understand your answer to be that you did
not try to go outside of the Commerce system within the
embassy?
Mr. Dacey. That is correct. We went to Commerce
installations in the various foreign posts, and because that
was the limit of our testing, we stopped at that point. We did
not try.
Mr. Burr. If the focus at the embassies was to keep people
out of their system, but not to limit their movement from
within their system that they were in, had you tried you might
have been able to go anywhere within the embassy system.
Mr. Dacey. It is hard to speculate where we could have
gone, but if there was interconnectivity, we had significant
rights on the system, Commerce's system. We just do not know
what interconnectivity might exist.
Mr. Greenwood. The Chair's time has expired, and the
chairman recognizes the chairman of the full committee for 5
minutes to inquire.
Chairman Tauzin. Thank you, Mr. Chairman.
Mr. Dacey, I want to understand the concept of the weakness
within the system, if you do not mind. In your testimony you
state that the individuals both within and outside Commerce
could compromise internal and external security controls to
gain extensive unauthorized access.
I want to know what you mean by ``extensive.'' Is that
another term for what is call root access or total control of
the systems?
Mr. Dacey. Right. That is what I was referring to as
administrative level access on the networks. That is referred
to as root access, and we were able to gain that level of
access on several systems.
Chairman Tauzin. Now, you also state that the department
was able to detect your extensive intrusion activities on only
four occasions. How many intrusions should have been detected
if they had had a good system in place?
Mr. Dacey. We attempted to scan over 1,000 system devices.
So I do not say that they would detect all 1,000, but certainly
we would have expected a significantly higher number of those
attempts to be detected.
Chairman Tauzin. So you are saying 4 out of 1,000 were
detected?
Mr. Dacey. Over 1,000.
Chairman Tauzin. Over 1,000?
Mr. Dacey. Yes.
Chairman Tauzin. What is that .4 of 1 percent, something
like that were detected? So that in effect, if again my math is
right, something like 99.6 percent of the intrusions were not
detected.
Mr. Dacey. Something like that, yes.
Chairman Tauzin. That is purer than Ivory Snow. That is a
huge number. It basically says that you could walk around
undetected in cyberspace, in effect, within the department's
data banks.
Mr. Dacey. Right. That is one of our concerns, as I said in
my oral statement. There was actual hacker activity on one of
the systems which we discovered, which Commerce was not
previously aware of.
Chairman Tauzin. Can you give me a little more information
about the fact that your auditors discovered the intrusion of a
Russian hacker in the system? What exactly happened there? What
was going on?
Mr. Dacey. We identified a server, a network server, and
when we went in to start to explore it, we identified certain
tools that were left behind by a hacker, and at that point in
time we turned that over to the agency and suggested that they
investigate the situation and resolve it and figure out what
happened.
Chairman Tauzin. Well, did they find out what the Russian
was up to?
Mr. Dacey. I believe, based on my recollection, the IG
really followed up on the process afterward. I don't know if
Mr. Frazier has any further information.
Chairman Tauzin. Could you tell us?
Mr. Frazier. Vladimir was his name.
Chairman Tauzin. Vladimir?
Mr. Frazier. Yes.
Chairman Tauzin. Good, old Vladimir. What was Vladimir
doing in our data banks?
Mr. Frazier. We found out that he had hacked into a number
of government systems.
Chairman Tauzin. Was he just having fun or was he up to
mischief?
Mr. Frazier. Well, we could not determine that. He got into
the system. He got into the systems at other agencies, and he
did not do any major damage to our knowledge, but that is part
of the problem. You do not know how long he had been there. You
do not know what else he had----
Chairman Tauzin. Well, I mean, you detected only .4 of 1
percent. So he could have been all over the place, and if he
did not drop a tool here or there, you may never know he was
there.
Mr. Frazier. We would have never known he had been there.
Chairman Tauzin. So he could have been in a lot of other
places that he did not leave his tracks, right?
Mr. Frazier. Yes. So what they will do is close that door.
Chairman Tauzin. That is right.
Mr. Frazier. But many other doors are left open.
Chairman Tauzin. Yes, let's talk about doors. One of the
thing you mentioned, Mr. Dacey, is the interconnectivity of the
Commerce Department, the bureaus you reviewed.
Interconnectivity is good, of course, in a sense because it
allows all of the bureaus to share information and to relate to
one another. It could be a problem if a hacker or Vladimir
finds, excuse my expression, the weakest link in the system and
through interconnection, he is everywhere, and then bye-bye, he
is gone.
Tell me about interconnectivity within the bureau, within
the department, rather, among its bureaus.
Mr. Dacey. One of the issues is the interconnectivity
between us. As you suggested, it is a good thing. It is used to
communicate between the bureaus at Commerce. One of the issues
though is protecting those systems and that interconnectivity
so that if someone gains unauthorized access to one bureau
system, that there are measures to prevent them from going
further once they are inside the network.
What we found, in fact, was that some of the accesses that
we obtained to some of the more sensitive information were
actually through other bureaus that we----
Chairman Tauzin. So you actually did that. You found the
weakest link, and then bingo, you had access to other
information that you might not have directly been able to
access, right?
Mr. Dacey. That is correct. When we identified these,
again, our tests were not designed also to detect every
vulnerability, but we found sufficient evidence to----
Chairman Tauzin. Well, I guess here is probably the most
important question. Have you done enough testing to be able to
advise the Commerce Department on how to seal those doors and
how to protect against the Vladimirs of the world?
Mr. Dacey. We provided detailed out-briefings at the time
that we performed our work in the field, and our understanding
is that the agency has fixed some and is working on others, and
that is consistent with their response to----
Chairman Tauzin. Was your testing complete?
Mr. Dacey. But that was what I was going to suggest, is
that we do a limited amount of testing. We spent about, let's
say on average, 2 weeks at each bureau, and we found sufficient
vulnerabilities to support our conclusions. I would not aver
that, in fact, we found all of the vulnerabilities.
In fact, we did not find all of the vulnerabilities. One of
the important steps that Commerce needs to take is really to
develop an active testing program of their own and identify
these vulnerabilities from a management viewpoint and fix them.
We certainly did not find them all.
Chairman Tauzin. Mr. Chairman, one final thought, and I do
not want to at all cast aspersions on either one of your
operations because you do a very good job for us, but we heard
from a lot of agencies that we are losing talented people, and
they are reaching retirement age, and I assume that is true of
your agency as well, that you are losing some of your best
people.
What we have learned in this area of the high tech commerce
world is that some extraordinarily good people are the youngest
people, and I just wonder, are you satisfied that within your
ranks are, indeed, some of the brightest and most capable
people who could be charged with determining whether we have
left doors open and whether the systems are adequate or
whether, in effect, we really know all the answers as to how
inappropriate access can be obtained.
I guess what I am asking you is: are we as bright within
your agencies as the people out there, particularly the younger
people who are coming up and know these kind of systems like
the back of their hands? Are we as bright as they? And are we
as capable as they in understanding what is possible when it
comes to entries of access?
Mr. Frazier. Let me comment on that on a number of levels.
First, I think that we recognize the need to go out and get new
talent, if you will, to stay current with this. We are using
contractors like never before because, as you point out, we
cannot literally keep IT specialists. The private sector will
hire them away very, very, very quickly.
But at the same time, I am fortunate that I have an
assistant IG for systems who I think is one of the best in
government. She has brought a lot of people from the private
sector, and we have been able to keep them.
It is not easy, you know, but I think that that is
something that we have worked very hard to do.
But I think that even more important is for managers to
recognize that it is not just about the IT specialist or the
security specialist. It is about program officials taking
responsibility for this.
You know, you used the term ``weakest link,'' and it is
exactly the word that describes the problem. I can put in the
best system. I can hire the best people. I can get the best
contractors, but then if I get an employee who decides that he
or she is going to leave his system on overnight so that a
cleaning person can access the system, as we found in one case,
then it does not matter that I have hired the best and the
brightest.
So the goal here, I think, is to get managers in the
Department of Commerce involved. That is why we are so
impressed with the Secretary's recent memo that said to the
Under Secretaries and others: This is your responsibility.
When we issue our reports to the CIO or if I issue my
report to the Director of Security, I am preaching to the choir
at that point, but the reality is that I've got to turn around
and talk to the people who run those systems, who do not
understand, who do not see that information security is their
responsibility.
It is an awareness program. I have to tell you when you go
in and you brief many senior officials and you start to talk
about security reviews and doing quarterly reviews, their eyes
kind of gloss over because it sounds so boring or that is ``not
my responsibility.''
Quite the contrary, it is something that has not been taken
seriously in the past, and until all of us, until everyone
recognizes the role that they are charged with playing, I think
that we are going to come back to you year in and year out with
the same kinds of problems. That is my frustration.
Chairman Tauzin. Very well said.
Thank you, Mr. Chairman.
Mr. Greenwood. I thank the chairman of the full committee
for his participation and note that with his heavy schedule and
six subcommittees to cover, it is impressive that he manages to
come to each one of our hearings and spend the time. We
appreciate it.
The Chair recognizes the gentleman, Mr. Burr, to inquire.
Mr. Burr. Thank you, Mr. Chairman.
Mr. Dacey, I have seen a lot of folks behind you going like
this. So I assume that they are part of the security analysis
team, and let me thank them for their good work.
But let me ask you a real important question. Are they the
best that is out there?
I think we have a very good team actually, whether they are
behind me or not.
Mr. Burr. And I am sure you do, and I thought of another
way to ask it, and I could not think of it, but the likelihood
is there is somebody out there that is going to be as good if
not better.
Mr. Dacey. Our aggregate experience averages about 20 years
per person on our staff doing this work at this point in time.
Mr. Burr. Well, then you may have the best.
Mr. Dacey. No, I do not profess we have the best. I do not
think they would profess that, but we have some good folks
here.
The issues are in this whole environment that there are a
lot of people who are out there that are finding these
vulnerabilities and issues with systems that apparently have
the time and abilities to go do that. We do not try to discover
new ones. We just try to figure out if agencies have processes
in place to find them and fix them, and that has been a
challenge, and we have pursued that role to try to do that.
Mr. Burr. The question that I am trying to get answered:
there are a host of folks in the world who have skills at least
equal to the folks that conducted this review of the
deficiencies and security at Commerce. Would that be safe to
say?
Mr. Dacey. Yes.
Mr. Burr. So we have got an ever looming threat of people
who want to get into these systems. Now, I would assume that
commerce is probably linked to the Department of Energy, and if
one could hack into Commerce, they might find their way at
least to try to get into the Department of Energy, and if the
Department of Energy had an area that might have a deficiency
and they got into that, the Department of Energy is linked to
the nuclear labs, and you follow the path I am going, that one
could enter in Commerce and potentially end up in the Los
Alamos system.
Is that conceivable?
Mr. Dacey. We really did not look at that connectivity, but
if, in fact----
Mr. Burr. If they were connected.
Mr. Dacey. And if it was not adequately controlled, yes,
that is conceivable, but again, given the particular facts I do
not know. We did not look at the interconnectivity of Commerce
to other bureaus.
So it is an issue, but I think it is one that has not been
actively explored, and that is not just Commerce, but the
interconnectivity between various bureaus. I mean there is some
of that interconnectivity. When we do our work, we find
connections to other bureaus routinely.
We have not tested those because our work has typically
been focused on the bureau that we have been looking at at that
time.
Mr. Burr. And we know that employees of Commerce are paid
by the United States Treasury. Therefore, there is probably a
link to the Treasury, and because there is a link to the
Treasury, the Treasury is probably linked to every other
agency, and there might be a way to go that system and test
numerous different agencies within the Federal Government.
Mr. Dacey. It depends on the connectivity and the controls.
In some cases, for example, the information may, in fact, be
just downloaded and pushed down to another entity. There may
not be a live connection, and there are a lot of other things
that go on.
So I think though that that is an increasing risk because
what we are seeing overall is more interconnectivity as time
goes on. It is certainly convenient, and it saves time and
cost.
At the same time, there need to be adequate controls in
place to prevent someone from doing what you suggested.
Mr. Burr. And am I correct that a scenario like that could
happen if you had one entry point that they could get into?
Mr. Dacey. In the situation, take Commerce, for example. As
I said, some of our access to this sensitive data was obtained
through other bureaus. So we were able to get in.
Typically that is what we do. As I said before, we do not
explore every conceivable opportunity to get into the systems
because when we find one and gain the level of access we
obtained----
Mr. Burr. You are completed.
Mr. Dacey. [continuing] we do not need to go further to do
what we do.
So there are definitely weakest link concepts that we
talked about earlier that need to be protected against.
I would also like to reiterate that most of our testing
that we have done here is technical in nature. We have tools
that are available to virtually anyone that can identify these
types of vulnerabilities and tools to exploit them.
What we have not done much of, one thing that the hacker
community does, is something called social engineering, where
they try to gain information like passwords and other
information from employees, which is why employee awareness is
very important as we talked about earlier.
And so those are the issues. The weakest link might be
someone answering a phone and saying, ``Yes, here is my
password and user ID,'' and someone else using it to log onto
the system, and if you get a little bit into the door,
oftentimes you can get information, including network traffic,
that has other passwords and escalate your privileges to the
level we seek to obtain.
Mr. Frazier. And, in fact, as part of our penetration
testing for the financial statements, our CPAs did exactly
that, called up, pretended to be the system administrator, told
someone that they needed their password to get in, and the
person gave it to them over the phone, and so we know that that
has, in fact, happened.
Your questions are right on the money. Those are the
questions that the system's administrators, that the program
officials, and the security people should be asking every day.
You should make the assumption that people are constantly
trying to get into your system.
And what is important is that you should make the
assumption that they are trying to get into your system so that
they can get into other parts of the Department of Commerce
because you do not know what the interconnectivity is, and so
until you do the extensive testing, which is seldom done at any
agency, you have to make that assumption that this is happening
on a continuous basis.
Mr. Burr. Let me ask you real directly, Mr. Frazier: do you
know all the connectivity point?
Mr. Frazier. No. Right off the bat, no.
Mr. Burr. Is there anybody at the Commerce Department that
does?
Mr. Frazier. And I would venture to say at this point, no.
Mr. Burr. So even if it was not a technical deficiency that
we had, a simple password management problem might create
access for somebody intending to enter the system and figure
out where they can go.
Mr. Frazier. Yes.
Mr. Burr. Okay. Let me ask you real quickly. Your testimony
seemed to rehash some of the issues covered in the 1999 report
your office sent to then Secretary Daley. I believe, in fact,
the report had your name on it, if I am correct.
Mr. Frazier. Yes, it did.
Mr. Burr. Why should we have confidence in your office's
ability to insure needed changes do take place, I guess,
considering the fact that you have raised the issue? You have
raised the issue. We know it has gone to the level of the
Secretary, and we still have a problem.
Mr. Frazier. It is an easy answer there. We identify the
problems. We then report those problems to managers. We, as you
know, report to the Congress also. We come to the Congress and
tell them the same story. We send them our list of the top ten
challenges.
We sent that report up to the Hill. Unfortunately we have
not been empowered with what I call the enforcement tool that
says, ``You are going to put the resources into this area to
develop it.''
If you use BXA, for example, you can go back 5 years and
find out where the IG's Office--I was not the IG--recommended
that that system be improved, that the system be updated. It
identified many weaknesses as long ago as 5 years.
In our 1999 report, we found a litany of problems, whereas
we have checked recently and found out that about half of those
issues have been addressed, but some of the most critical ones,
the ones that say are you trying to see if people can penetrate
your system, are you regularly developing the kinds of security
plans that are required by the government rules and
regulations, and the answer is still no.
Now, we have not let that drop because we currently have an
inspection team that is in there looking at the ECASS system
again. And again we will take the message of our findings to
the Congress, to the Secretary, and you hope that they will get
the message.
Again, I would go back and emphasize the program officials
having the top responsibility for making sure that these are
implemented.
We have testified that in the case of BXA, that there
should be additional funding to support the resources that were
necessary to develop that system, and that's something that an
IG usually does not do. We are usually trying to find ways to
cut resources.
But in that case, we went on record as saying, yes, we
think that that system definitely needed to be upgraded. It
needed additional support, and again, that's not an excuse. It
says that this is the way it is in the sense that we do not
have the authority, if you will, to go in and make somebody do
anything.
We can surely use the bully pulpit. That is why I am so
pleased with this hearing today because it represents an
opportunity for these issues to be aired. In fact, they should
have long been done.
Mr. Burr. Well, we hope you will continue to speak very
loudly on it and not wait for the invitations from us. I think
you have gotten an administration that is very anxious to solve
some of these problems.
Both of you in your testimony, I think, alluded to one
phrase that I found very interesting, excessive user
privileges, and I remember when we were in the heat of the
investigation at our nuclear labs. One of the problems that we
found was the lack of different levels of security within the
lab.
We had adopted this policy in the early 1990's where rather
than offend somebody, we sort of brought everybody in at the
same status and never thought about the fact that that gave
everybody the same type of access to the sensitive areas of a
computer system, and that contributed to the potential
nightmare that we saw.
Does there exist a separation of individuals' levels of
access that they can get in the Commerce system, or once you
are in, you are in everything or you are only in a
compartmentalized area?
Mr. Frazier. It is hard to generalize, but I can tell you
examples where that has definitely been a problem in the
Department of Commerce, without mentioning the bureau's name,
where certain people who should have had the authority, for
example, to only read information were inadvertently given the
authority to not only read, but to alter the information.
Now, that can have very dire consequences when you give 15
people access to a system that should not have access.
Now, what was equally troubling, of course, when we found
this out, the second time what was of great concern to us, if
they had done what I call the quarterly monitoring, if they had
done the risk assessment, that is something that would have
been identified, and again, managers too often think of this as
just these requirements that really do not have any impact, and
you cannot overemphasize that these are things that are put on
the books for a very good reason.
So the answer is yes.
Mr. Burr. Mr. Dacey?
Mr. Dacey. There are different levels of access that one
can give to different systems. Our main target in our review is
to try to get at the system administrator level of access,
which is the one that should be fairly tightly controlled and
limited to only a limited number of folks. So there is the
ability to do that.
What we found in Commerce though is not a regular review
process, as was just discussed, to look at those and see if, in
fact, they have been properly allocated to the right people.
Additionally, we also found system administrator passwords
and information in files in certain bureaus that would give us
that ability. So even if we had not been given the direct
access, we could have gained information that would have
allowed us to log on or sign on at that level of access.
Mr. Burr. So that would sort of come under that header of
password management problem?
Mr. Dacey. And how is it stored in the system.
Mr. Burr. I will ask one last question. The chairman has
been very patient.
Could we at least conclude that if an individual who had a
password that allowed them the same access you were able to
achieve as an administrator left the Department of Commerce,
could we believe that their password would be canceled,
altered, or are we convinced that they could not access the
system when they left today?
Mr. Dacey. We did not specifically look at that at
Commerce. I know in other bureaus it is an issue of people
revoking passwords on a timely basis, but I believe the IG has
done some work in that area.
Mr. Frazier. Yes, there are cases where that does not
happen. If you are in the private sector, my brother-in-law
works for CISCO, and he points out that when you go in and tell
them that you are going to leave, they change your password
before you leave the room, terminating your access to the
systems.
We have people who have been out of the Department of
Commerce for 3 years and who still we found have access to the
system.
That is unacceptable, absolutely unacceptable, you know.
Mr. Burr. I thank both of you.
I yield back.
Mr. Greenwood. The Chair thanks the gentleman for his
inquiry. The gentleman asked if you folks had the expertise. It
is my observation that you do not need the smartest hackers in
the world to get into a department who has a computer security
system that is the cyberspace equivalent of the Keystone Cops.
So I do not think you need to worry about what your
capacity is.
Mr. Burr. Mr. Chair, could I say that I think Mr. Dacey has
the smartest ones?
Mr. Greenwood. Both of you have also found in your
respective audits a failure on the part of the Commerce bureaus
to prepare risk assessments and security plans for their
sensitive systems, including some that have been designated as
critical to our national security.
Is this just a paper work problem, or should we be truly
concerned about this lack of documented assessments and plans?
Either gentlemen.
Mr. Frazier. Well, see, I think that therein is part of the
problem, is there are too many managers who perceive it as a
paper work exercise. This is just another check list for us to
go through.
And I cannot overemphasize the importance of changing that
thinking, establishing a different culture that says we need to
do this, and it needs to be done on a regular basis.
That is part of the problem, and again, I think I mentioned
that.
Mr. Greenwood. Let me ask this to both gentlemen. We have
your official reports and so forth, but I also know that in
some of these tests you gave advanced warning to the department
that you were going to be doing this testing. I assume you had
conversations with people in the department whose work you were
examining and whose job--maybe you did not, but I would be
interested in what those informal conversations were like.
I mean, did people in the department say, ``Oh, God, you
are going to look at our system, and I know you are going to
find that it is awful and I am embarrassed,'' or, ``we are
doing the best that we can, but we just are overworked. We will
get to it?''
When you communicate with folks in the department whose job
it is to set up these security systems, what kind of dialog is
that? What has that been like?
Mr. Frazier. Well, when we do our penetration testing with
the CPAs through the financial systems, we usually identify one
bureau official who is sworn to secrecy and will work with us,
but as I have pointed out, usually once you identify these
problems, these are people who are in the systems business, who
understand systems, and you are preaching to the choir.
The message has to be conveyed to their supervisors, to the
top officials to let them know that they have got to get the
message out on a broader level. This is not just a problem for
the accountants to worry about or the systems people to worry
about or the security people to worry about.
And traditionally that is what happens.
Mr. Greenwood. But I am talking about the people in the
department whose job it has been to comply with the Federal law
and to make sure that these systems are secure. When you
communicate with them, have they said, ``Our hands are tied. We
do not have the resources. We are not well trained enough. I do
not have enough people?''
What do they say?
Mr. Frazier. A number of things, but, in fact, I think that
Bob alluded to the fact also that the department has agreed to
implement the recommendations.
We went back in preparation for this hearing and looked at
the recommendations that we had issued, say, in the last 2 to 3
years in the areas of IT security, and almost without
exception, I mean, let's say if there were 100 recommendations,
there may have been 5 to 7 that the bureau said, ``We disagree
with you on.''
So they give you the assurances that they are going to deal
with this, and they send in what we call action plans to tell
us how they propose to deal with it, but also, if you look at
those audit action plans and inspection action plans, usually
they raise questions about the limited resources that they have
available to implement some of the recommendations.
And then the other thing is that they, too, are faced with
the problems of making sure that they have the talent to do
this.
Now, you take one bureau. I will not mention the name, that
has plenty of resources, and they went out and hired a CPA firm
to try and penetrate their system doing the exact same thing
that we do or GAO would do, and any bureau can do that.
In fact, most bureaus should have that as part of their
risk management plan. So part of it does come down to
resources, but, again, it comes down to a commitment.
Mr. Greenwood. But when they have complained about
inadequacy of resources and they have asked for the resources,
did you get a sense of how far up into the hierarchy? Did those
requests go to the Secretary's level? Did the Secretary
transmit those requests to the administration?
Where was the weakest link, so to speak, in terms of the
folks in the department or in the administration who failed to
provide the resources?
Mr. Frazier. I send all of my reports to the head of the
bureaus, the Under Secretary level or the Assistant Secretary
level, and any finding or observation that has IT security
implications would have been sent to the department's CIO and
to the department's Deputy Assistant Secretary for Security.
So the report, the information has surely been made
available.
Mr. Greenwood. And the problem, I think--correct me if I am
wrong about this--but the CIO has a variety of responsibilities
beyond. The security of the IT is a subset of the CIO's
responsibilities; is that correct?
Mr. Frazier. Yes, that is correct.
Mr. Greenwood. Okay, and what were some of the other
responsibilities of the CIO?
Mr. Frazier. One of the things I looked at, how long we
have had IT security on our list of the top ten management
challenges, and it has been about 1\1/2\ years, and I asked my
Assistant IG, ``Well, why didn't we have this on there
earlier?'' Because we knew that there were problems.
And she said, you know, a lot of times we forget that back
in 1988 and 1989 most of us were preoccupied with the Y2K
issues, which you know, we kind of forget. The concern was
whether----
Mr. Greenwood. Do you mean 1988 or 1998?
Mr. Frazier. I am sorry. 1998.
Mr. Greenwood. Nobody was thinking about it in 1988.
Mr. Frazier. The concern was whether the systems were going
to function literally, and so people were not worried about
some of the details.
And the other thing, if the truth be told, is these systems
have become more sophisticated and more interconnected. This
problem has grown, and I do not think that our interest and
attention has kept up with the way that the system technology
has grown, and so I think that that is part of the problem.
Mr. Greenwood. Mr. Dacey, do you have any other comments?
Mr. Dacey. No. I think it is a matter of emphasis. Some of
the things that we have found is that for some of the bureau's
security officers, it was a part-time duty. They had other
responsibilities even besides security management. They did not
have a full-time security manager, even one in some bureaus. I
think that is a major issue.
In terms of thoughts, I know they had time to prepare, and
I know in the process of doing our work things improved because
they were aware we were there and we were certainly fixing
issues.
But when we raise these issues, they are generally not a
big dispute, and generally the people we talk to appreciate the
significance of the vulnerabilities that we highlight. So we do
not have a lot of convincing to do.
So the real issue is really focusing attention because I
think if it was placed that they would be able to find the same
kind of vulnerabilities that we find and use some of the same
tools that we use to do that.
Mr. Greenwood. Mr. Frazier, in your financial control
audits for fiscal year 2000, you looked at seven Commerce
bureaus including NOAA, NIST, the Census Bureau, and others,
and found that access control problems existed at all seven
locations. Can you be more specific about what you mean by
access controls?
Mr. Frazier. Well, we looked at the access controls at four
of the seven, and what that means is that we were able to get
into the system. I mentioned that we were able to get one
individual system administrator to compromise his or her
password.
We also were able to get into the system in ways that we
should not have been able to get into the system, and again,
the CPAs use Cybercop and several other readily available
software packages to try and do this penetration testing, and
so it is not like they have some special techniques that need
to be used, but in using what is readily available software,
they were able to access these systems.
Mr. Greenwood. Do you believe that this represented a
material weakness or a reportable condition under the relevant
statutory authorities?
Mr. Frazier. Well, they were reportable conditions, but of
course, once you pull them together and we issued our
consolidated reports for the Department of Commerce, we became
concerned that it was a material weakness.
Individually it may not have been a material weakness at
the various bureaus, but again when pulled together and looked
at together, it would be a material weakness.
Mr. Greenwood. Okay. A related question, again, for you,
Mr. Frazier, and, Mr. Dacey, if you would like to comment,
please do.
GAO has testified that at the seven bureaus it reviewed,
none of them had effective internal or external network
security controls. It appears based on the body of IG audit
work at other Commerce bureaus that there is nothing unique
about these seven bureaus in this respect, and that in your
opinion similar deficiencies either have been or would be found
at virtually any commerce bureau.
Would that be a fair statement?
Mr. Frazier. Let me clarify one thing. GAO is looking at
seven bureaus. We are looking at seven financial data centers.
So we are talking about apples and oranges. There would be, for
example, one financial data center, such as NOAA, and BXA would
be the same one. So it is not the same seven.
So when we talk about what we have found in problems at all
of these seven locations, it is not the same seven. Okay?
Mr. Greenwood. But the problems are similar.
Mr. Frazier. The problems are definitely similar.
Mr. Greenwood. And there is no indication that anybody at
the department level Commerce-wide had been creating security
systems in other bureaus that would make the seven that you
looked at unique.
Mr. Frazier. I'm sorry?
Mr. Greenwood. I am assuming that what you found in these
seven bureaus and these seven centers, there is no reason for
us to believe that they were unique. One would assume that----
Mr. Frazier. If you look at seven and you find----
Mr. Greenwood. [continuing] the department as a whole
allowed these weaknesses in these seven bureaus, there was
nothing going on at the department at the top most level that
would have presented these weaknesses in other bureaus.
Mr. Frazier. Yes, I do not think so.
Mr. Greenwood. Mr. Dacey, any further comments?
Mr. Dacey. No. Just based upon a reading of some of the
reports that the IG has issued, the nature of the
vulnerabilities appeared to be similar.
Mr. Greenwood. Okay. We are about to hear from the new
Deputy Secretary. Let me just ask you in his presence if you
could make one recommendation, each of you gentlemen, what
would be your most critical recommendation to the department?
Mr. Frazier. Well, I have had the pleasure of meeting with
Deputy Secretary Bodman, and when we sat down at our first
meeting, the first thing we talked about were the challenges
facing the department. It was a lengthy meeting, and one of the
things that I was encouraged about, as you know, he has an
engineering background. He comes from the business sector. He
comes out of the academic community, and it was very clear that
he understands systems.
But more to the point was getting the message out to the
program officials to hold them responsible. I think often we
look for very complicated fixes, and the point that I surely
tried to convey to him, that part of this is an awareness
program.
And so there is a short memo that came out that said
basically to the secretarial officers: you are now basically
responsible for security in your agency.
That will probably have a greater impact than putting an
additional $2 million in every budget in the department. I mean
if you begin to change that culture.
So I am encouraged, is the word that I use, that I think he
will bring a new dimension there.
Chairman Tauzin. Mr. Chairman.
Mr. Greenwood. The Chair recognizes the chairman.
Chairman Tauzin. Could I be recognized and strike the last
word for a second?
Mr. Greenwood. The Chair yields to the gentleman.
Chairman Tauzin. I thank the gentleman.
Mr. Chairman, I have to be at the White House in about 10
minutes for a cabinet meeting on global warming, and so I am
going to have to leave right now, and I will not have a chance
to visit with the witness from the Commerce Department, but I
wanted to put on the record at this point my deep concern about
the existence of ``cookies'' and Web ``bugs'' within the
Commerce Department systems, and my concern that even now that
the department is focusing on the existence of these
``cookies,'' that as the testimony indicates are there without
a compelling reason and without the approval of the Secretary,
that the department's CIO is now recommending a strategy to
control the use of persistent ``cookies'' and Web ``bugs.''
My concern is that I think we ought to go further than
that. My understanding of the policy of the government is that
unless there is a very good reason for a ``cookie'' or a Web
``bug'' to exist on Federal sites, that we will have a very
serious concern about Americans having to deal with these
devices when they are sharing their information, as I said,
involuntarily with the government.
I can understand ``cookies'' and Web ``bugs'' on commercial
sites that I enter voluntarily and choose to visit and do
business with, but when American citizens are asked to
involuntarily do their business with the government with the
Internet only to find that we have permitted someone else, some
other institution, perhaps not even a government institution,
to be collecting that information for other purposes sometimes
without the knowledge or consent of the citizens of this
country, that raises grave concerns.
When leader Dick Army and I asked for a study by the GAO of
the existence of security and privacy on Federal sites, we were
appalled to find out; so was the Senate appalled to find out
that there were so many ``bugs'' on the systems and so many
``cookies'' that were actually out there. We found one on an
IRS site. We found a ``cookie'' for a private enterprise
concern in this country collecting information from citizens on
an IRS site.
Now, how abominable is that? It is bad enough having to
deal with the IRS, but to think that the IRS is sharing our
information with other people without our consent is
outrageous.
And so, Mr. Chairman, again, my apologies for having to
leave because this is such a good hearing and it is such a
serious focus of your oversight investigations work that I hate
to leave it, but I want to leave it with this thought, and I
hope the department witnesses are prepared to speak out
forcefully about their intention about how they intend to deal
with these ``bugs'' and this ``cookie'' problem.
Americans ought not to have to be surprised to find out
that private information is being shared by their own
government with people they might not want to share it with. It
is as simple as that.
Mr. Frazier. As you are aware, we did find 12 of them in
the Commerce system, but to the department's credit, the
Secretary has hired a special advisor for privacy. He has met
with me and my systems people to ask about other particulars.
Chairman Tauzin. Well, you do not need an expert consultant
to tell you that when we have got a Federal Trade Commission
that is pounding on private companies in America to have good
policies of disclosure to consumers about what they are
gathering and how they are using that information, you do not
need an expert to tell you there is something deadly wrong
about the government doing it without consumers' permission,
particularly when it is information, as I said, that we are
sharing not necessarily of our own volition.
And if consumers have questions about privacy in the
commercial world, I can promise you their concerns rise to
astronomical levels when it comes to information they are
sharing with the government very often only because they have
to.
So anything you can do to put a spotlight on this problem
and anything the department can do to help us aggressively stop
whoever it is in our government who thinks they have the right
to do this without asking our consent as citizens of this
country to allow others to come in and gather information about
us without our consent, I hope you come down like a sledge
hammer in your reports, and I hope the department comes down
like a sledge hammer on any employee who thinks they have a
right to do that without very important reasons that are well
spelled out and well justified and approved at the top and with
the disclosure to Congress of what is going on.
And I thank you very much, Mr. Chairman.
Mr. Greenwood. I thank the chairman, again, for his
participation and for his keen interest in this issue.
And before I recognize Mr. Burr for inquiry, I had a
question on the table, to which Mr. Frazier has responded, and
before I go to Mr. Dacey, Mr. Frazier made reference to the
memo dated July 27 from Donald Evans, the Secretary, on the
high priority to information technology security.
The Chair would, without objection, enter it and several
other documents provided to us by the department for the
official record.
Mr. Dacey, if you would respond to the question about your
No. 1 recommendation, then I would following that recognize the
gentleman from North Carolina.
Mr. Dacey. I think it is important that a good foundation
be established on which to build the future efforts to provide
security at Commerce. There is currently an IT restructuring
plan for IT overall, as well as a task force focused on
computer security, and those groups are to provide
recommendations and there are to be developed policies and
procedures.
I think in doing so there is an excellent opportunity for
the department to put together that strong foundation and
support, and they should do so, including clarifying the roles
and responsibilities of the various parties for security in the
department, including the department-wide CIO, as well as the
bureaus' CIOs.
It is also important to provide accountability and make
sure those people are accountable for providing security, and
also in that process, address the resource issue to insure that
there are adequate resources put to bear to address the
security issues.
I think now is a critical time to do that, and it is
important to proceed in that manner.
Mr. Greenwood. Thank you.
Mr. Frazier, were you about to say something?
Mr. Frazier. No.
Mr. Greenwood. Okay. The Chair recognizes the gentleman
from North Carolina.
Mr. Burr. Mr. Chairman, just for clarification if I could,
Mr. Frazier, because in my last question you said that there
had been instances where former employees' passwords stayed
active in you said 3 years. Are there currently any former
employees whose passwords are still active?
Mr. Frazier. I could not answer that, but I would make the
assumption that the answer is yes because it is not something
that I have monitored. If someone left yesterday, it is that
kind of situation.
The concern is that there is not a system in place that
would check that with such regularity to make certain that it
could not happen. You know, I could not say that it is, but I
would be amazed that it is not.
Mr. Burr. Given your role, has a recommendation been made
for a process to be set up to make sure that those passwords
are eliminated?
I mean, in the private sector they are eliminated as soon
as you utter the words, ``I am leaving.''
Mr. Frazier. Yes.
Mr. Burr. I think one of you alluded to that.
Mr. Frazier. That is the recommendation that I would make.
Mr. Burr. It has been made or----
Mr. Frazier. It has not been made, but it is interesting
because I think I did not think of that until literally this
morning. We raised the concern about people who had left, and
we brought those to the attention, and we have a recommendation
that says, on a bureau-by-bureau basis, that says when someone
leaves, the password should be changed.
And the question that I have to go to to look to see if we
have elevated that to the CIO's office so that it could become
a department-wide policy. It has been made at bureau level.
Mr. Burr. I think you are going to get the answer.
Mr. Frazier. Yes, it is at the bureau level as I have
suggested. But is surely is one that should be made at the
department level.
Mr. Burr. I would hope before the end of the day that
recommendation would be made.
I thank you for the information.
Thank you, Mr. Chairman.
Mr. Greenwood. The Chair thanks the gentleman and wishes to
thank both of the witnesses for your fine work, for your
testimony, for your continued cooperation with this
subcommittee.
And allow me to thank both of your staff folks, those with
you and those not with you, for the excellent service that they
provide to the country. This is an issue that is in some ways
obscure, but increasingly it becomes evident that this is so
critical to our national security and to the confidentiality
that our citizens demanded and have a right to, and so we thank
you for your work and the work that you will do in the future.
And we excuse you now.
Mr. Dacey. Thank you.
Mr. Frazier. Thank you.
Mr. Greenwood. And call our next witness, who is the
Honorable Samuel W. Bodman, Deputy Secretary for the Department
of Commerce. He is accompanied by Mr. Thomas Pyke, the Acting
Chief Information Officer.
Welcome, Mr. Secretary. Welcome, Mr. Pyke. Thank you for
being with us this morning.
You are aware that the committee is holding an
investigative hearing, and when doing so we have had the
practice of taking testimony under oath. Do either of you have
objection to testifying under oath?
Seeing no objection, the Chair then advises you that under
the rules of the House and the rules of the committee, you are
entitled to be advised by counsel. Do you desire to be advised
by counsel during your testimony?
Mr. Bodman. No, sir.
Mr. Greenwood. The gentlemen indicate negative in that
case.
If you would please rise and raise your right hand, I will
swear you in.
[Witnesses sworn.]
Mr. Greenwood. So swearing, you are under oath, and you may
now give your testimony, Mr. Bodman. Thank you, again, for
being with us.
TESTIMONY OF HON. SAMUEL W. BODMAN, DEPUTY SECRETARY,
ACCOMPANIED BY THOMAS PYKE, ACTING CHIEF INFORMATION OFFICER,
U.S. DEPARTMENT OF COMMERCE
Mr. Bodman. Mr. Chairman, I appreciate the opportunity of
being here.
I have submitted my formal statement, and I will attempt to
summarize it in the interest of time.
I am accompanied today by Mr. Pyke, who is our Acting Chief
Information Officer for the department. I will count on him for
the answer to any technical questions that may come up,
although he took on his role only recently. His background in
security, I think, is notable--in particular, his having
directed the National Institute of Standards and Technology's
program for the development of governmentwide computer security
standards and guidelines, which assignment he had prior to his
becoming the CIO at NOAA.
And then he was asked recently to take on the acting CIO
job for the department as a whole.
I can report to you that Secretary Evans and I are very
concerned about the findings that have been reviewed this
morning. I am as concerned as the committee, perhaps more so.
I want to thank the committee, and I want to thank the GAO
with sincerity, as well as the IG's Office for all of the hard
work that they have done on this.
I have had experience in my prior life of having managed IT
security systems at both Fidelity and at Cabot Corporation,
where I was previously employed. I appreciate the significance
of this matter, and I hope that my previous experience will be
of some value in dealing with these problems.
Speaking for the Secretary and myself, we accept the
findings of the GAO report, both specifically and as to their
general causes. I do not have much more to say. The defense
stipulates the evidence.
We are here to assure you that we will work hard on dealing
with these issues. You have alluded before to some of the
actions that the Secretary has already taken to build a strong
and effective IT security program.
First, he has directed all of the Commerce agency heads to
focus their personal attention on this matter. I think, as the
Inspector General alluded to already, at least in the part of
his discussion and testimony that I heard when I arrived, that
this is really a matter of a general manager's responsibility,
not the responsibility of the CIO. This is a general manager's
job.
It is my job. It is Secretary Evans' job, not Mr. Pyke's
job. We hope to rely on him to help us get this done, but this
is our responsibility, and frankly, I am embarrassed to be here
in front of you to hear the nature of what we are dealing with.
Mr. Greenwood. Mr. Bodman, how long have you been on the
job?
Mr. Bodman. Six days.
Mr. Greenwood. You do not need to feel embarrassed yet. We
will let you know.
Mr. Bodman. I am sorry, sir, but that is just the nature of
responsibility. We have it. It does not matter how long we have
had it. We are here now, and it is our job. To be responsible
for something that is in this great a difficulty is not
something that I find a great deal of personal comfort in,
however long I have been here.
And I know I speak for the Secretary in this matter.
He has ordered a department-wide IT restructuring plan. We
referred to that. It features the department's Chief
Information Officer.
Mr. Pyke. This oversight function will ensure that
appropriate action is taken at the agency level to implement
new departmental IT policies.
Mr. Bodman. In the past the departmental CIO apparently had
relatively little management authority. We believe we have
fixed that. In the past the policy seems to have stalled at
times when it got to the agency heads, who had in their view
more important matters. And I believe that the new priority the
Secretary has given to IT security will be very helpful.
The plan also gives each of our CIOs the authority to
manage IT security, IT planning and operations, and IT capital
investment review. This new approach is in sharp contrast to
the old way of doing business, and as I said before, I think it
will be helpful.
Third, we have established an IT security task force
chaired by Mr. Pyke that will work under my personal oversight.
The task force will improve our IT security by developing a
comprehensive department-wide plan.
The task force is made up of individuals with a lot of
expertise in this area, including people from NIST, which has
had a governmentwide responsibility in this area in the past.
We have also enlisted assistance from the National Security
Agency, and we are grateful to the NSA that they have been
forthcoming with personnel to be helpful to us in dealing with
these matters.
The new task force is already at work. They have met more
than once, and they are working on a fast track to develop an
effective security program for the department and to identify
actions that we should take.
We have already received some short-term recommendations,
and these have been implemented. We are doing the best we can
to get on top of the things that can be dealt with immediately
and to bring these problems to a much higher level of
consciousness among our managers.
Furthermore, the program development task force will
address the assessment of risks throughout the department and
the means for providing security commensurate with those risks.
They will provide a road map for updating our approach to
security problems, develop an oversight process with compliance
testing as a key component, and plan a department-wide IT
security awareness training program.
The task force is also addressing the specific issues that
have been identified, including strengthening access controls.
You have heard extensive discussion about that. We are working
on it.
The problem with this area involves more of a mind set--how
everybody in the department feels about his or her
responsibility for security. It is a challenge to deal with
these matters because security is a personal responsibility,
and it is something that is difficult at times.
I would imagine that even the Congressman may find it
difficult at times to change your password and make sure that
it is updated. This is a natural, human problem. Certainly I
find it a pain in the neck to have to change a password and
than remember what my password is.
Mr. Greenwood. It is impossible for me to do it. That is
why I have a 15 year old daughter to take care of that.
Mr. Bodman. Well, you are way ahead of me, sir.
In any event, it is something that we believe we can and
will get started on, and it is that factor that makes it
difficult to forecast exactly when we will be done. I guess the
truth is we will never be done because this has got to be an
ongoing effort.
The Secretary and I are committed to supporting all of
these efforts ourselves under the leadership of our agency
heads and our CIOs, and we think that we will get there.
And I want to thank you all for this opportunity of coming
here and addressing this matter relatively early in my tenure.
And I know I speak for the Secretary, since both of us have
come from the private sector and have managed publicly owned
companies, in saying that we recognize the kind of
responsibility we have for the management of these systems and
will do our best to get on top of these problems as quickly as
we can.
Thank you.
[The prepared statement of Hon. Samuel W. Bodman follows:]
Prepared Statement of Samuel W. Bodman, Deputy Secretary, U.S.
Department of Commerce
Good morning, Mr. Chairman. I appreciate this opportunity to
discuss the Information Technology Security Audit of the Department of
Commerce that was recently conducted by the General Accounting Office
(GAO). Accompanying me today is Tom Pyke, Acting Chief Information
Officer for the Department. Although Tom took on this role only
recently, his information technology (IT) security experience includes
directing the National Institute of Standards and Technology's (NIST's)
program for the development of government-wide computer security
standards and guidelines.
Secretary Evans and I are very concerned about the findings of this
GAO review because much of the work of the Department on behalf of our
citizens depends on the quality and integrity of our data and IT
systems. We thank the Committee and GAO for bringing this serious issue
to the attention of the Department's new leadership. Having managed the
IT security programs at Fidelity Investments and the Cabot Corporation,
I appreciate the critical importance of IT security, and I trust that
my management experience in this area will be of some value in meeting
the challenges presented by the findings of the GAO review.
Speaking for the Secretary and myself, we accept the findings of
the GAO report, as to both the specific weaknesses identified in the
audit and their underlying causes. To correct these security problems
and prevent future incidents, Secretary Evans is acting to build a
strong and effective Commerce IT Security Program and to correct the
technical problems identified by the GAO audit.
First, Secretary Evans has directed all Commerce agency heads to
focus their personal attention on establishing IT security as a
priority. Working in conjunction with their Chief Information Officers,
they will allocate necessary resources to assure that the Department's
data and IT systems are protected in order to avoid data loss, misuse,
or unauthorized access, and to assure the integrity and availability of
Commerce data. In this connection, the Secretary has also recently
appointed a Senior Advisor for Privacy, another area important to
overall IT security.
Second, the Secretary has ordered the implementation of a
Department-wide IT restructuring plan. The plan provides the
Departmental Chief Information Officer (CIO) with the authority to
guide individual agency CIOs as they address IT security problems. This
oversight function ensures that appropriate action will be taken at the
agency level to implement new Departmental IT policies. In the past,
the Departmental CIO apparently had little management authority, and
policy often stalled when it reached the agencies. I believe that the
new priority given this matter by Secretary Evans and me, our agency
heads and our CIOs will produce positive results.
The plan also gives each of our CIOs the authority to manage IT
security, IT planning and operations, and IT capital investment review.
This new approach is in sharp contrast to the old way of doing business
in which CIOs apparently were not key members of the Commerce
management team.
Third, Commerce has established an IT Security Task Force, which
will work under my personal oversight. This Task Force will improve
Commerce IT security by developing a comprehensive, Department-wide IT
security program. The Task Force is made up of individuals with
expertise in IT security management, including people from NIST, which
has a critical Government-wide role in developing standards and
guidelines for effective IT security programs. We also have enlisted
the assistance of the National Security Agency. We appreciate NSA's
willingness to share its institutional knowledge and leadership in this
field as part of the Task Force.
The new Task Force is already working on a fast track to develop an
effective IT Security Program for the Department and to identify
actions that Commerce should take quickly to bolster its IT security
posture. These recommendations for short-term action will be made in
the context of the Corrective Action Plans already developed by
Commerce agencies in response to specific concerns identified in the
GAO review.
Furthermore, the program developed by the Task Force will address
the assessment of risks throughout the Department and the means for
providing security commensurate with those risks. The Task Force will
provide a roadmap for updating the Department's IT security policies,
develop an oversight process with compliance testing as a key
component, and plan a Department-wide IT security awareness training
program.
The Task Force is also addressing specific issues, including
strengthening access controls for the Department's IT systems,
segregating assigned duties consistent with mitigating risk, and
developing policies and procedures for authorizing, testing, reviewing
and documenting software changes prior to implementation. Special
attention is being given to network security, an area the GAO audit
singled out in light of the Department's reliance on network
connectivity to carry out its mission. The Task Force is designing
recovery plans for the Department's sensitive systems; developing a
Department-wide IT security incident detection and response process;
and looking at other areas essential to a comprehensive Commerce IT
Security Program.
The Secretary and I are committed to supporting the efforts of the
Commerce IT Security Task Force and to implementing its recommendations
throughout the Department. Under the leadership of our agency heads and
our CIOs, and guided by the efforts of this Task Force, we are
confident that we are moving in the right direction, and that the
Department's IT security program will be effective.
Again, thank you for this opportunity to discuss the IT security
initiatives underway at the Department of Commerce. Secretary Evans and
I appreciate that effective IT security is vital to the Department's
mission, and I am pleased that this important issue is among the first
I have devoted my time and attention to after having been sworn in last
week. I would be pleased to respond to any questions you may have.
Mr. Greenwood. Thank you very much, Mr. Bodman.
We are delighted to have you here. We are delighted to see
the prompt response to an issue that this subcommittee thinks
is crucial to our Nation's security, and we are very optimistic
that in the short time you have been here you have recognized
this problem, grappled with it, and are prepared, you as well
as the Secretary, prepared to move the department in the right
direction.
Let me ask you a question. GAO notes in its testimony that
IT management at the department has been very decentralized
over the years, 14 different data centers, 20 independently
managed E-mail systems, hundreds and possibly thousands of
separate networks managed by individual bureaus or offices
within bureaus and lots of different connections to the
Internet, so much so that we are still not sure the department
even knows about all of them.
How would the reforms you have discussed this morning
address what appears to be one of the fundamental problems
preventing the department from implementing an effective
security program?
And, Mr. Pyke, if you would like to comment, you can do so
as well.
Mr. Bodman. Well, let me comment generally, and then I will
ask Mr. Pyke to give you more factual information.
First of all, I think that is an accurate statement. We
have a very formidable task to bring to ground the management
of the information systems that currently reside within the
Commerce Department.
The Commerce Department is difficult enough to manage
because of the highly disparate nature of the various bureaus
that reside therein. On top of that, we have a set of systems,
most of which are interrelated, that have grown a bit like
Topsy over the years and that do not use a common approach.
And so we have had a department-wide effort to try to bring
more common systems such that they can be managed in a more
reasonable way, and that has been underway for some time.
I will ask Mr. Pyke to speak to that.
So we think that the competence and capability of this task
force will enable us to start getting our arms around this
issue, but I would be misrepresenting the facts if I were to
tell you that we were going to be done in any short period of
time. This is a long-time fix, and it will require our
attention over many years, and we expect to put a program in
place initially led by Mr. Pyke, and I hope led by him for many
years, that will deal with it.
Tom, do you want to speak to that?
Mr. Greenwood. Let me insert another question, Mr. Pyke,
that is related to that so that maybe you can answer both at
the same time.
And that is can you describe the number of Commerce
personnel in these bureaus and at headquarters that are
dedicated to computer security and their level of training and
other job duties? So when you talk about what you are going to
be able to do, also if you could tell us how well equipped you
are in terms of person power.
Mr. Pyke. Thank you, Mr. Chairman.
The CIO management structure that has now been put into
place and empowered by the Secretary and the Deputy Secretary,
which includes the department level CIO and CIOs for each of
the Commerce agencies, is now in the position to get on top of
the extensive IT systems and networks that the department has.
It is going to take a while to bring the necessary discipline
in the area of IT security into the management of all of those
systems and networks.
It is important that at the departmental level we provide
suitable guidance that is generic and strong guidance that
provides a basis for the individual bureaus or agencies to get
moving and to devote the necessary resources to IT security.
As the Deputy Secretary said, the department's mission is
broad, and the various agencies have diverse activities. And so
it is important that each one of them have a CIO leader who I
work very closely with, who is in a position to address the
specific kinds of issues relative to IT security and IT
management in general, on a continuing basis, that relate to
that agency's mission and the kinds of systems they have.
At the present time, we have a very small number of people
at the department level devoted to IT security. We are
increasing that number of people and the amount of contract
support very substantially very fast.
As was mentioned in earlier testimony, basically up until
very recently we had a single person and a couple of
assistants, and we are moving very fast now to bring on
additional people and have already begun doing that.
At the bureau level, some of the bureaus have a significant
staff. At NOAA, for example, there are several people, about
three government folks and several contractor folks who spend
full-time on IT security, and there are dozens of others across
the bureau that spend a lot of their time on IT security.
One of the things we are going to be doing is to make sure
that each of the bureaus has an appropriate number of
individuals who devote their time to IT security and to
managing the program and making sure all of the technical
processes are in place.
Mr. Greenwood. Let me ask you kind of an organizational
chart question, a twofold question.
First off, looking at your position, describe if you would
all of your responsibilities to the extent that this computer
security is a subset of your total duties. Do a similar
explanation for us for the CIOs of the different bureaus, and
then if you could explain to me, so I am interested in to what
extent this is a subset of their duties, and explain to me what
is changing, if anything, in terms of your ability to directly
command, if you will, activities on the part of the CIOs at the
various bureaus.
Mr. Pyke. First, the general role of the CIO at the
department level is to oversee all of the department's
information technology activities, both its planning,
development of policy at the departmental level, providing
guidance relative to procedures, standards, and guidelines that
need to be administered on a department-wide level, to monitor
the compliance of the entire department, all of the bureaus
with the policies, with the standards, with the guidelines.
And with regard to IT security, that includes actually
conducting compliance testing, including penetration testing of
a kind similar to what both GAO and the Inspector General's
Office have been doing, and in fact, that function we expect to
be carried out also at the Bureau level.
The planning functions of the CIO at the department level,
as well as at the bureau level, include systematic review of
proposals for new expenditures in IT, budget initiatives,
review in terms of all the way from return on investment to
consistency with our IT architecture, which guides our planning
and guides our implementation of systems, to the plans for
operating the systems and plans for implementing them, and
nothing gets through our review without an IT security plan
being an integral part of each proposal.
We also carry out control reviews of ongoing information
technology projects and programs across the department, and we
are involved in evaluating after the fact how development
efforts have gone and putting that information in the hands of
the bureaus to build on.
So at the department level it is policy, procedures,
guidance, compliance testing. At the bureau level the CIOs also
are responsible for any specialized policy guidance that is
necessary, procedures that may be unique to the bureaus, with
oversight of the operations of IT within each of those
information technology computer systems and networks within
each of the bureaus, and with making sure that the policies and
procedures that are provided at the departmental level, and in
part, provided on a Federal Government-wide level, are
followed.
We expect that the bureau CIOs will include compliance
testing as part of their portfolio, too, and so what we will be
doing at the departmental level will be to oversee them and, on
a sampling basis, analogous to what the IG and what the GAO
have been doing----
Mr. Greenwood. So it will be your responsibility to make
sure the CIOs and the bureaus have the resources they need so
that the buck will to some extent stop with you. If a bureau or
CIO says, ``I am sorry that we are not doing the things that we
should be doing. We do not have the resources,'' that is when
they call you back, and then that is when Mr. Bodman decides
whether he is embarrassed again.
Mr. Pyke. Yes, except this time we have two things in
place. No. 1, we have this strong directive from the top to the
agency heads themselves to get on top of IT security and to put
the necessary resources into it, and this should be a big help
to each of the CIOs and provide their marching orders basically
from the top.
Second, you asked about the reporting relationship a moment
ago. Each of the CIOs in the bureaus, each of those CIOs have a
dual reporting responsibility. They report first to their
agency head or the deputy head, and they also report to me.
They also report to the Commerce CIO.
And in fact, when it gets to the end of the year, I have a
cut at their performance evaluation in collaboration with their
line manager. So they receive guidance from the CIO. They
receive direction from the CIO. They are evaluated, in part, in
their performance through the CIO. And I'm in a position to
help them get the resources they need.
But the person in charge of the resources when it comes
right down to it is their agency head, and the agency head has
now received appropriate direction.
Mr. Bodman. If I could add.
Mr. Greenwood. Please, sir.
Mr. Bodman. At the risk of contradiction, the buck stops at
the Secretary. The buck stops with me, and it is our
responsibility, and that is how every general manager must feel
in order to make this work.
And this system that has been put in place calls for this
dual reporting that Mr. Pyke has referred to quite correctly,
and it is the only way that I am aware of, at least from my
prior experience, when you have a crucial staff function to
have it work, whether it is financial reporting, whether it is
safety management, whether it is environmental management. It
has to be handled at the local basis with an empowered
individual who works for the local management, but who is
audited and advised by a central, capable person. That is Mr.
Pyke.
And we believe that that dual reporting and that dual
responsibility will work, but make no mistake. The ultimate
responsibility, sir, is ours.
Mr. Greenwood. Very well. I appreciate that.
I would like to ask about the broader question, Mr. Bodman,
of critical infrastructure. This will be my last question, and
just for your information, we are aware that you have a
commitment at noon.
Mr. Bodman. Thank you, sir.
Mr. Greenwood. And we will get you out of here in about 15
minutes at the most.
As I understand it, the department has assigned one person
at the headquarters level to work on these critical issues with
little or no support or funding to oversee the bureau's efforts
to identify, assess, and then fix vulnerabilities in its
critical systems.
As you know, the IG issued a report last year on this topic
which was critical of the lack of progress from the
department's efforts to date. I want to read you some comments
that were written by the department's CIO office in response to
last year's IG audit of computer security policies and
management.
``Given the lack of priority in funding by the Clinton
administration in the area of critical infrastructure
protection, we must disagree with the IG assertion that using
information as security assessments scheduled to be performed
on the department's critical infrastructure system would result
in more systems being certified while realizing significant
savings. In the event that the Bush administration raises the
priority of critical infrastructure through the application of
funding, we will take advantage of assessments gained through
this avenue.''
What do you and the Secretary plan to do about this
important issue, given that your department has so many systems
and assets critical to our national and economic security and
the health and safety of our citizens?
Mr. Bodman. Well, I cannot speak to the views of the
previous CIO. I have never met the gentleman.
I can tell you that the approach that we have put in place
that I have described will, in fact, deal with these issues. I
do believe that these are crucial. I do believe that--I am not
quite sure I understood the quote in its entirety, but I do
believe that the efforts that we will put in will bear fruit.
In my view this is not so much a matter of additional
funding. We may find that we need additional funding, but this
is more a matter of priority. This is more a matter of
management. This is a matter of placing importance on this
function at the proper level so that we can deal with it. That
is what this is about.
I do not think it is a matter principally of money, and so
we can count heads. We can count dollars, and we may need
additional heads and additional dollars, but this is more about
the people understanding that this has to be dealt with. This
is more a matter of the bureau heads of the bureau CIOs
understanding that we will deal with this and that we are going
to do it.
Tom, do you want to add?
Mr. Greenwood. The Chair recognizes the gentleman from
North Carolina to inquire.
Mr. Burr. Mr. Secretary, welcome. Mr. Pyke.
Mr. Secretary, let me thank you for one thing. I have been
on the oversight committee for 7 years. You are the first--my
memory is not great. I do not know if I could remember my
password--but you may be the first; I think you are the first
person who has testified who has ever, one, taken
responsibility regardless of how long they have been there and,
two, not used funding as a reason why it could not be
accomplished.
So if you keep those two things in the right perspective, I
have more confidence in any answer you can give me that we will
make tremendous progress at closing some of the problems that
we have got.
Mr. Bodman. Thank you, sir.
Mr. Burr. Let me ask you two fairly lengthy questions, and
my purpose for doing it is that these might be areas that you
have not looked at, and I would be remiss if I did not double
check with both of you to ask on that short term list. Did
password management make it on that list today?
From the conversation I had with Mr. Frazier, is password
management now on that very quick to do list?
Mr. Bodman. Yes, it did. It sure did.
Mr. Burr. Thank you.
Mr. Bodman. Today it will be done.
Mr. Burr. Let me discuss and focus on BXA for a minute,
which is one of the more sensitive bureaus within the
department and the subject of negative audits by both the IG
and GAO.
The IG issued a report in June 1999 regarding BXA's
management of its computer system, particularly the ECASS
system, which is the export control licensing system. At that
time the IG found that BXA did not have a security plan for the
system. The risk assessment was 5 years old, and BXA had not
conducted a security review of this system since the last Bush
administration, all of which had long been required under
Federal law and under the policy directives.
And let me say my understanding of ECASS, given the nature
of the licensing process that goes on, is that other agencies
with direct interest in that process would be electronically
linked: Department of Defense, the State Department, possibly
the intelligence community.
I won't ask you to assess whether that system is air gapped
in any way, but I would have some belief that it is probably
not from some of the things that I have heard today. Therefore,
I would think that it is very susceptible to a potential entry
point that sends them into some of the most sensitive areas
singularly through the ECASS system.
In response to the department's pledge to undertake those
efforts promptly, yet as I understand GAO found the same things
with respect to the ECASS nearly 2 years later: still no
security plan, no risk assessment, and no security review
conducted.
Do you know why these issues weren't addressed by now? And
how can we be confident that the department will take seriously
these issues in the future?
Mr. Bodman. First, I can tell you that we take it
seriously. We take it so seriously that I am going to ask Mr.
Pyke to give you a detailed answer rather than my trying to
paraphrase what he told me before we walked in here.
Mr. Burr. Thank you.
Mr. Pyke. Mr. Burr, the problems with ECASS and Bureau of
Export Administration are being addressed, and they will be
addressed even more intensively as get the strengthened IT
security program in place. As GAO conducted its audit, as they
made specific findings of weaknesses, attempts were made on the
spot, in a very short period of time, to correct those specific
findings.
The bureau has also prepared and put in place a corrective
action plan that has attempted to address, either already in
many cases, but certainly very quickly, all of the specific
issues that GAO identified.
As a part of the task force effort that we have now put in
place at the department level, we are not only looking
generically at computer security and all of the elements of a
complete program, but we are looking at all of the specific
findings of GAO and of the Inspector General over the last 2 to
3 years, to generalize on those, and to provide very quick
advice and guidance to the bureaus, including the individuals
in BXA responsible for ECASS.
So all of the findings in each of the agencies can be
responded to in a general sense by all of the bureaus. All of
this is being applied toward ECASS, and I can assure you that
attention is being given by the CIO in BXA and by us to the
special concerns that have been expressed about ECASS, and some
steps have already been made, as I say, some steps, and we will
work with them to make sure that things are completely taken
care of in an appropriate way and that adequate protection is
in place relative to the risks that they are confronted with.
Mr. Burr. I appreciate that answer, and I think you
understand the sensitivity of where someone might venture if,
in fact, the correct level of security does not exist within
that system.
Mr. Bodman, I note that NIST computer security personnel
played a prominent role in your new task force, but I cannot
help but be concerned about that, given that despite it, its
purported role is the government's expert on computer security.
NIST itself fared rather poorly in the recent IG
penetration test and was the subject of a repeat finding in
1999 and 2000 regarding the lack of security plans for its
system.
In addition, the self-assessments that were performed by
the bureau last year revealed that NIST was just as bad, if not
worse, than most of the bureaus when it came to complying with
the Federal guidelines on computer security, including those
that NIST itself had crafted.
Should we be concerned? If we were concerned before this
hearing, should we be concerned after this hearing?
Mr. Bodman. That is not one I am going to burden Mr. Pyke
with answering since at one point in his life he was
responsible for the information operations at NIST.
Mr. Burr. That is why I directed the question to you.
Mr. Bodman. I think it is entirely consistent with what we
have been saying. This is not a problem with technology. This
is a problem with management. This is a problem with priority.
And to the extent that this becomes a matter that the
bureau manager feels a responsibility for, then it will be
dealt with, and to the extent that it is not something that the
bureau leadership feels responsible for, it will not be dealt
with because it is not something that the human being naturally
does.
This is something that is easily ignored, just given the
nature of the fact that we all like to do something. We all
have our own jobs. The thing that gives me great pleasure each
day is not worrying about my password management. I have other
things that I like to do that I am, I think, a little better at
since I seem to have difficulty remembering the password from
time to time.
And so I think the fact that we are using the technical
skills at NIST as a part of this is entirely understandable and
bears no relationship to how that particular agency was
evaluated with respect to the management of its information.
Mr. Burr. I thank you for that answer.
As a member of this committee, my goal every year is the
hope that I will not see the same witnesses on the same issue
at any point in the future. That goal has not been fulfilled
yet, but I have reason to believe that as it relates to the
security issue and you being here, this might be the last time
that we have this conversation, unless it is to report on the
progress that you have made.
I thank you.
Mr. Bodman. I thank you, sir.
Mr. Burr. Thank you, Mr. Chairman.
Mr. Greenwood. I thank the gentleman.
And on that point, the report on progress, might we expect
a report in 6 months from the department as to how you have
responded to these issues?
Mr. Bodman. We would be happy to report, sir, whenever you
wish.
Mr. Greenwood. Okay. We appreciate that.
Again, thank you for your presence, for your testimony, for
your good work. Welcome to Washington, and we look forward to
working with you on a number of issues.
Thank you again.
Mr. Bodman. Thank you very much.
Mr. Greenwood. This hearing is adjourned.
[Whereupon, at 11:45 a.m., the subcommittee was adjourned.]
[Additional material submitted for the record follows:]
[GRAPHIC] [TIFF OMITTED] T4853.001
[GRAPHIC] [TIFF OMITTED] T4853.002
[GRAPHIC] [TIFF OMITTED] T4853.003
[GRAPHIC] [TIFF OMITTED] T4853.004
[GRAPHIC] [TIFF OMITTED] T4853.005
[GRAPHIC] [TIFF OMITTED] T4853.006
[GRAPHIC] [TIFF OMITTED] T4853.007
[GRAPHIC] [TIFF OMITTED] T4853.008
[GRAPHIC] [TIFF OMITTED] T4853.009
[GRAPHIC] [TIFF OMITTED] T4853.010
[GRAPHIC] [TIFF OMITTED] T4853.011
[GRAPHIC] [TIFF OMITTED] T4853.012
[GRAPHIC] [TIFF OMITTED] T4853.013
[GRAPHIC] [TIFF OMITTED] T4853.014
[GRAPHIC] [TIFF OMITTED] T4853.015
[GRAPHIC] [TIFF OMITTED] T4853.016
[GRAPHIC] [TIFF OMITTED] T4853.017
[GRAPHIC] [TIFF OMITTED] T4853.018
[GRAPHIC] [TIFF OMITTED] T4853.019
[GRAPHIC] [TIFF OMITTED] T4853.020
[GRAPHIC] [TIFF OMITTED] T4853.021
[GRAPHIC] [TIFF OMITTED] T4853.022
[GRAPHIC] [TIFF OMITTED] T4853.023
[GRAPHIC] [TIFF OMITTED] T4853.024
[GRAPHIC] [TIFF OMITTED] T4853.025
[GRAPHIC] [TIFF OMITTED] T4853.026
[GRAPHIC] [TIFF OMITTED] T4853.027
[GRAPHIC] [TIFF OMITTED] T4853.028
[GRAPHIC] [TIFF OMITTED] T4853.029
[GRAPHIC] [TIFF OMITTED] T4853.030
[GRAPHIC] [TIFF OMITTED] T4853.031
[GRAPHIC] [TIFF OMITTED] T4853.032
[GRAPHIC] [TIFF OMITTED] T4853.033
[GRAPHIC] [TIFF OMITTED] T4853.034
[GRAPHIC] [TIFF OMITTED] T4853.035
[GRAPHIC] [TIFF OMITTED] T4853.036
[GRAPHIC] [TIFF OMITTED] T4853.037
[GRAPHIC] [TIFF OMITTED] T4853.038
[GRAPHIC] [TIFF OMITTED] T4853.039
[GRAPHIC] [TIFF OMITTED] T4853.040
[GRAPHIC] [TIFF OMITTED] T4853.041
[GRAPHIC] [TIFF OMITTED] T4853.042
[GRAPHIC] [TIFF OMITTED] T4853.043
[GRAPHIC] [TIFF OMITTED] T4853.044
[GRAPHIC] [TIFF OMITTED] T4853.045
[GRAPHIC] [TIFF OMITTED] T4853.046
[GRAPHIC] [TIFF OMITTED] T4853.047
[GRAPHIC] [TIFF OMITTED] T4853.048
[GRAPHIC] [TIFF OMITTED] T4853.049
[GRAPHIC] [TIFF OMITTED] T4853.050
[GRAPHIC] [TIFF OMITTED] T4853.051
[GRAPHIC] [TIFF OMITTED] T4853.052
[GRAPHIC] [TIFF OMITTED] T4853.053
[GRAPHIC] [TIFF OMITTED] T4853.054
[GRAPHIC] [TIFF OMITTED] T4853.055
[GRAPHIC] [TIFF OMITTED] T4853.056
[GRAPHIC] [TIFF OMITTED] T4853.057
[GRAPHIC] [TIFF OMITTED] T4853.058
[GRAPHIC] [TIFF OMITTED] T4853.059
[GRAPHIC] [TIFF OMITTED] T4853.060
[GRAPHIC] [TIFF OMITTED] T4853.061
[GRAPHIC] [TIFF OMITTED] T4853.062
[GRAPHIC] [TIFF OMITTED] T4853.063
[GRAPHIC] [TIFF OMITTED] T4853.064
[GRAPHIC] [TIFF OMITTED] T4853.065
[GRAPHIC] [TIFF OMITTED] T4853.066
[GRAPHIC] [TIFF OMITTED] T4853.067
[GRAPHIC] [TIFF OMITTED] T4853.068
[GRAPHIC] [TIFF OMITTED] T4853.069
[GRAPHIC] [TIFF OMITTED] T4853.070
[GRAPHIC] [TIFF OMITTED] T4853.071
[GRAPHIC] [TIFF OMITTED] T4853.072
[GRAPHIC] [TIFF OMITTED] T4853.073
[GRAPHIC] [TIFF OMITTED] T4853.074
[GRAPHIC] [TIFF OMITTED] T4853.075
[GRAPHIC] [TIFF OMITTED] T4853.076
[GRAPHIC] [TIFF OMITTED] T4853.077
[GRAPHIC] [TIFF OMITTED] T4853.078
[GRAPHIC] [TIFF OMITTED] T4853.079
[GRAPHIC] [TIFF OMITTED] T4853.080
[GRAPHIC] [TIFF OMITTED] T4853.081
[GRAPHIC] [TIFF OMITTED] T4853.082
[GRAPHIC] [TIFF OMITTED] T4853.083
[GRAPHIC] [TIFF OMITTED] T4853.084
[GRAPHIC] [TIFF OMITTED] T4853.085
[GRAPHIC] [TIFF OMITTED] T4853.086
[GRAPHIC] [TIFF OMITTED] T4853.087
[GRAPHIC] [TIFF OMITTED] T4853.088
[GRAPHIC] [TIFF OMITTED] T4853.089
[GRAPHIC] [TIFF OMITTED] T4853.090
[GRAPHIC] [TIFF OMITTED] T4853.091
[GRAPHIC] [TIFF OMITTED] T4853.092
[GRAPHIC] [TIFF OMITTED] T4853.093
[GRAPHIC] [TIFF OMITTED] T4853.094
[GRAPHIC] [TIFF OMITTED] T4853.095
[GRAPHIC] [TIFF OMITTED] T4853.096
[GRAPHIC] [TIFF OMITTED] T4853.097
[GRAPHIC] [TIFF OMITTED] T4853.098
[GRAPHIC] [TIFF OMITTED] T4853.099
[GRAPHIC] [TIFF OMITTED] T4853.100
[GRAPHIC] [TIFF OMITTED] T4853.101
[GRAPHIC] [TIFF OMITTED] T4853.102
[GRAPHIC] [TIFF OMITTED] T4853.103
[GRAPHIC] [TIFF OMITTED] T4853.104
[GRAPHIC] [TIFF OMITTED] T4853.105
[GRAPHIC] [TIFF OMITTED] T4853.106
[GRAPHIC] [TIFF OMITTED] T4853.107
[GRAPHIC] [TIFF OMITTED] T4853.108
[GRAPHIC] [TIFF OMITTED] T4853.109
�