[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]
WEAKNESSES IN CLASSIFIED INFORMATION SECURITY CONTROLS AT DOE'S NUCLEAR
WEAPON LABORATORIES
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
OVERSIGHT AND INVESTIGATIONS
of the
COMMITTEE ON COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
__________
JULY 11, 2000
__________
Serial No. 106-148
__________
Printed for the use of the Committee on Commerce
__________
U.S. GOVERNMENT PRINTING OFFICE
67-110 WASHINGTON : 2000
COMMITTEE ON COMMERCE
TOM BLILEY, Virginia, Chairman
W.J. ``BILLY'' TAUZIN, Louisiana JOHN D. DINGELL, Michigan
MICHAEL G. OXLEY, Ohio HENRY A. WAXMAN, California
MICHAEL BILIRAKIS, Florida EDWARD J. MARKEY, Massachusetts
JOE BARTON, Texas RALPH M. HALL, Texas
FRED UPTON, Michigan RICK BOUCHER, Virginia
CLIFF STEARNS, Florida EDOLPHUS TOWNS, New York
PAUL E. GILLMOR, Ohio FRANK PALLONE, Jr., New Jersey
Vice Chairman SHERROD BROWN, Ohio
JAMES C. GREENWOOD, Pennsylvania BART GORDON, Tennessee
CHRISTOPHER COX, California PETER DEUTSCH, Florida
NATHAN DEAL, Georgia BOBBY L. RUSH, Illinois
STEVE LARGENT, Oklahoma ANNA G. ESHOO, California
RICHARD BURR, North Carolina RON KLINK, Pennsylvania
BRIAN P. BILBRAY, California BART STUPAK, Michigan
ED WHITFIELD, Kentucky ELIOT L. ENGEL, New York
GREG GANSKE, Iowa TOM SAWYER, Ohio
CHARLIE NORWOOD, Georgia ALBERT R. WYNN, Maryland
TOM A. COBURN, Oklahoma GENE GREEN, Texas
RICK LAZIO, New York KAREN McCARTHY, Missouri
BARBARA CUBIN, Wyoming TED STRICKLAND, Ohio
JAMES E. ROGAN, California DIANA DeGETTE, Colorado
JOHN SHIMKUS, Illinois THOMAS M. BARRETT, Wisconsin
HEATHER WILSON, New Mexico BILL LUTHER, Minnesota
JOHN B. SHADEGG, Arizona LOIS CAPPS, California
CHARLES W. ``CHIP'' PICKERING,
Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
ED BRYANT, Tennessee
ROBERT L. EHRLICH, Jr., Maryland
James E. Derderian, Chief of Staff
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Oversight and Investigations
FRED UPTON, Michigan, Chairman
JOE BARTON, Texas RON KLINK, Pennsylvania
CHRISTOPHER COX, California HENRY A. WAXMAN, California
RICHARD BURR, North Carolina BART STUPAK, Michigan
Vice Chairman GENE GREEN, Texas
BRIAN P. BILBRAY, California KAREN McCARTHY, Missouri
ED WHITFIELD, Kentucky TED STRICKLAND, Ohio
GREG GANSKE, Iowa DIANA DeGETTE, Colorado
ROY BLUNT, Missouri JOHN D. DINGELL, Michigan,
ED BRYANT, Tennessee (Ex Officio)
TOM BLILEY, Virginia,
(Ex Officio)
(ii)
C O N T E N T S
__________
Page
Testimony of:
Aftergood, Steven, Senior Research Analyst, Federation of
American Scientists........................................ 169
Browne, John C., Director, Los Alamos National Laboratory.... 152
Glauthier, T.J., Deputy Secretary; accompanied by: General
Eugene E. Habiger, Director, Office of Security and
Emergency Operations; General John McBroom, Director,
Office of Emergency Operations; and General Tom Gioconda,
Deputy Administrator for Defense Programs, National Nuclear
Security Administration, Department of Energy.............. 140
Podonsky, Glenn S., Director, Office of Independent Oversight
and Performance Assurance, U.S. Department of Energy....... 16
Robinson, C. Paul, President and Laboratories Director,
Sandia National Laboratories............................... 145
Tarter, C. Bruce, Director, Lawrence Livermore National
Laboratory................................................. 164
Wells, Jim, Issue Area Director, Energy, Resources, and
Sciences Issues, U.S. General Accounting Office,
accompanied by William F. Fenzel........................... 11
Material submitted for the record by:
Aftergood, Steven, Senior Research Analyst, Federation of
American Scientists, letter dated August 1, 2000, to Hon.
Fred Upton, enclosing response for the record.............. 215
General Accounting Office, response for the record........... 218
Robinson, C. Paul, President and Laboratories Director,
Sandia National Laboratories, responses for the record..... 216
(iii)
WEAKNESSES IN CLASSIFIED INFORMATION SECURITY CONTROLS AT DOE'S NUCLEAR
WEAPON LABORATORIES
----------
TUESDAY, JULY 11, 2000
House of Representatives,
Committee on Commerce,
Subcommittee on Oversight and Investigations,
Washington, DC.
The subcommittee met, pursuant to notice, at 9:30 a.m., in
room 2322, Rayburn House Office Building, Hon. Fred Upton
(chairman) presiding.
Members present: Representatives Upton, Cox, Burr, Bilbray,
Ganske, Bryant, Stupak, Green, and DeGette.
Also present: Representative Wilson.
Staff present: Tom DiLenge, majority counsel; Yong Choe,
legislative clerk; and Edith Holleman, minority counsel.
Mr. Upton. Good morning, everyone. Today we will continue
this subcommittee's focus on the security problems apparently
still unresolved at DOE's nuclear weapon labs, as evidenced by
the most recent security breach at Los Alamos involving some of
the Nation's most sensitive nuclear weapons-related data. This
data, containing hard drives utilized by DOE's Nuclear
Emergency Search Team, or NEST, includes information on
detection of and response to incidents involving improvised
nuclear devices or other nuclear weapons in the United States
or foreign stockpiles.
Many of the shocking facts concerning this latest incident
already have made their way into the public. We all know about
how 26 individuals had unrestricted access to the vault
containing these sensitive NEST hard drives and that they could
take them at any time without creating any written record of
their removal.
But recent committee staff interviews of relevant Los
Alamos officials have revealed that roughly half of these 26
people, including the vault custodian, were not members of the
NEST team and did not have any, ``need to know'' the
information contained on those hard drives.
Thus, numerous individuals, without any legitimate reason
to have access to this highly sensitive data, could have
entered this vault at virtually any time and taken these hard
drives without anyone knowing. Instead of ``need to know,'' we
had a system of ``want to know.''
We also have recently learned that Los Alamos failed to
change the combination on the vault as required when there are
changes to the authorization access list. In fact, the last
time the vault combination had been changed was in 1996,
despite changes in the list of authorized personnel since that
time.
Thus, individuals beyond those 26 whose involvement in
these programs had already ended continued to have access or
could have continued to have access to the vault.
These particular deficiencies reflect poorly on Los Alamos,
and there is no doubt that there was substantial confusion at
the lab about who was supposed to be doing what when it came to
security of classified assets used by NEST.
Part of this confusion stems from the fact that line
managers believed the lab program officials were in charge,
while the program officials thought the opposite. But part of
this confusion also arises from the unique situation of these
DOE-led swat teams like NEST. We have learned that DOE
headquarters essentially picked the NEST management team at Los
Alamos, which in effect reports to DOE on operational issues,
while reporting through the lab management structure on
administrative issues.While this arrangement probably makes
sense, it requires close coordination and communication to make
it work, and we now know the price of such failure.
The greater problem, however, goes beyond this particular
team to the overall system in which it operates. As our first
panel today will explain, DOE essentially has set a low
threshold of security requirements for its labs to follow,
leaving them substantial discretion and flexibility on how they
implement actual security practices.
The result--as both Mr. Podonsky's and this committee's
oversight have discovered--is that the effectiveness of
security practices at the labs varies greatly, both within and
among the labs, even for very similar types of information. And
because of the lack of clear and tough requirements, the built-
in system of laboratory and DOE security oversight is destined
to failure, since virtually any state of affairs could be
considered to be technically in compliance with DOE orders.
Thus, while DOE may want to blame the labs whenever something
goes wrong in security, it seems clear that the real fault lies
much closer to home.
The saddest fact is that the most recent national security
threat posed by these missing hard drives might have been
avoided had numerous expert recommendations to the
administration been implemented in a more timely fashion.
As far back as 1994, DOE and the Department of Defense were
engaged in discussions to increase controls on the more
sensitive nuclear weapons information that the two agencies
share, such as the data on these hard drives, but no consensus
was ever reached. In February 1996, a draft report commissioned
by Secretary of Energy O'Leary recommended that higher security
fences be established for similar categories of data, but DOE
failed to issue a formal proposal to DOD until December of last
year, and it seems that Defense will not lightly accept such
recommendations anyway, for its own reasons.
And two 1999 recommendations, one from the labs themselves
and another from the President's Foreign Intelligence Advisory
Board, urged DOE to tighten control requirements for such data,
apparently to no avail. Nothing prevented DOE from tightening
controls on its own material while in its possession, even if
DOD opted not to go along. Indeed, it is now doing so in
response to the latest crisis.
Yet instead of tightening controls on our most sensitive
secrets years ago, DOE moved in the exact opposite direction.
In January 1998, DOE eliminated controls on Top Secret data,
much as DOE had reduced controls on lower level classified
matter back in 1992.
Today's hearing hopefully will allow us to have an honest
discussion of what is and what is not required by DOE orders
and what is and what is not being done by the labs to properly
control access to our Nation's most sensitive nuclear
information, and what more should be done to remedy this
situation.
I echo Chairman Bliley's call today for a more centralized
Federal role in security affairs at our nuclear weapons labs.
Let's leave the science to the scientists, but let's make
security the responsibility of Federal security experts over
whom we have direct and personal accountability.
I yield to the acting ranking member of this subcommittee,
from the great State of Michigan, Mr. Stupak.
Mr. Stupak. Thank you, Mr. Chairman, and thank you for
holding this hearing. Last time this subcommittee had the
opportunity to ask questions about the missing hard drives at
the Los Alamos National Lab, the Department of Energy witnesses
had few answers to give this subcommittee. Today we know the
hard drives have been found. Although the investigation is not
complete, the FBI and the DOE do not believe the missing hard
drives were the result of espionage. Rather, their loss
resulted from sloppy handling and potentially criminal attempt
to cover up the cause of their loss.
The chain of events that led to the discovery of the
missing hard drives has been well publicized. The Los Alamos
lab took 3 weeks to inform the DOE of the missing hard drives
when it was required to do so within 8 hours. The procedures at
Los Alamos for handling the secret nuclear weapons information
was completely inappropriate.
While all three of the labs have inadequate procedures for
handling this material in place, Los Alamos allowed more people
greater access with fewer controls than either Sandia or
Livermore.
You know, Mr. Chairman, the McDonald's restaurant employees
check the cleanliness of their bathrooms and keep better
records of their maintenance than Los Alamos does of its
nuclear weapons data. As a result of the loss of these drives,
I and other members of this subcommittee wrote Secretary
Richardson asking him to terminate the contract with the
University of California, because it has been unable to perform
its security functions in accordance with its contract with the
Department of Energy and its responsibility to the American
people.
Time and time again, the labs have asked us to excuse their
mistakes, overlook their failures and trust them to properly
handle sensitive materials they are entrusted with. I don't
know about you, Mr. Chairman, but I am all out of trust.
Although I was a State police officer for many years, I am
certainly not a nuclear security expert. Yet, when I analyzed
the proposed improvements to the proposed tracking and
inventory procedures at Los Alamos, I am left scratching my
head. Los Alamos will institute a new bar coding system that
will allow these sensitive documents to be inventoried, but it
will not allow the lab to track who has the information. What
is the use of bar coding the information if you can't track who
is removing it and who has it?
As I mentioned in the earlier testimony and before this
last subcommittee meeting, the Menominee Public Library has the
ability to use its bar coding system to make sure when a book
leaves the library. The coding system will also tell you who
has the book, who removed the book. Why can't Los Alamos do the
same? I am starting to believe that DOE should award the
contract to Menominee Public Library.
Mr. Chairman, I don't believe the labs have produced any
evidence to assure me that they are suddenly going to take
their security function seriously. Rather than complain about
budget cuts or other concerns, the labs need to require their
people to do their job and protect our Nation's nuclear weapons
data. McDonald's and the library keep track of their employees
and property for a lot less than Los Alamos. I believe it is
time for common sense and action, not more excuses.
I yield back the balance of my time, Mr. Chairman.
Mr. Upton. Thank you.
Mr. Burr.
Mr. Burr. Thank you, Mr. Chairman.
Once again, this subcommittee is meeting to examine
security problems at the Department of Energy in our Nation's
nuclear weapon laboratories. Needless to say, I am disappointed
to be here. I had hoped that the work of this subcommittee, the
Cox Commission, the President's Foreign Intelligence Advisory
Board, and others over the course of the last year would have
prompted DOE to take action. Unfortunately, that's not the
case.
While Secretary Richardson has taken some steps to improve
physical security at the labs, it appears as though DOE has
ignored, until recently, recommendations suggesting basic
changes in the way the agency does business.
Once again, we are forced to bring the Department and the
labs to Congress to figure out why these incidents continue to
occur. No one is suggesting that we will be able to prevent all
security lapses or stop every spy, but we can certainly take
steps to make it as difficult as possible for them to occur in
the first place.
Over the last year, a number of recommendations have been
made and a number of recommendations have been ignored. Last
summer, for example, Senator Rudman made some very specific
recommendations: establish clear chains of authority; implement
effective personnel security programs; reinstitute
comprehensive classified document control systems; and conduct
a comprehensive classification review.
Once again, recommendations made and recommendations
apparently and unfortunately ignored.
We know they were ignored because Mr. Podonsky's recent
review of Lawrence Livermore and Sandia contained similar
recommendations. Secretary Richardson has apparently determined
that responsibility for security belongs with the labs. If it
were only that simple.
I have been among the most critical of the labs' management
practices, but it is clear that Secretary Richardson's
arguments ring hollow. The Department has a responsibility to
see that its security policies are clear and leave no room for
confusion. Its policies are anything but clear and confusion
reigns.
The Podonsky review indicates that the labs have generally
implemented standard DOE policy. The labs do indeed bear some
responsibility for security failures that occur on their watch,
but clearly the policies in place at DOE deserve equal
attention. Despite Secretary Richardson's protest to the
contrary, there is simply no clear guidance from DOE on
security issues, period.
Nowhere is that lack of guidance more readily apparent that
than in the NEST program. This little known element of DOE is
one of the most important tools in our national security
apparatus. The lack of accountability and absence of clear
lines of authority in this program are extremely disturbing.
The lab directors and DOE managers seem to be consistently at
odds over who is responsible for the program. This program is
too important for disputes over who is accountable. Someone is.
And this member, for one, intends to find out who.
I also have to express my disappointment with General
Habiger, General McBroom, and General Gioconda. Gentlemen, I
have the utmost respect for the long years of service and
sacrifice you have given to your country. Perhaps better than
any others, you understand the threats posed to our Nation by
nuclear weapons and the damage that could be caused to our
national security should such sensitive information fall into
the wrong hands. That's why we ask you to continue your service
to your Nation at the Department of Energy. We hope that your
backgrounds and knowledge of security issues will serve to
strengthen what has historically been weak security programs.
Somehow, some way, you have lost that focus. Perhaps the
culture of disregard for security at DOE is actually so
pervasive that it consumes all who attempt to run, but we
expect you to fight against that culture. You are all take-
action types. But why haven't we? When you recognize a problem,
you should take the steps to correct it. That's how you became
generals in the first place. You were brought in to DOE to
continue that approach and to pass on your security-conscience
attitudes to the rest of that Department. Gentlemen, we expect
a great deal from you. We want you to succeed. The Department
has a long way to go to improve its security programs and we
will continue to turn to you for the answers.
This member, and I expect this entire subcommittee, stands
ready and able to do whatever the request is.
With that, I yield back, Mr. Chairman.
Mr. Upton. Thank you. Mr. Bilbray.
Mr. Bilbray. Yes, Mr. Chairman. Mr. Chairman, I would like
to echo my colleague from Michigan, the acting ranking member,
and I want to--mostly because he is here--I want to praise
him--or because he is not here, I want to praise him. The fact
is is that I think that he articulated the issue that this is
not a partisan issue, it is an American issue. I for one am
very, very concerned that we handle this in a very nonpartisan
way. I want to ask my colleagues on the Republican side to
remember that the implementation of whatever correction we have
will probably be executed by another administration in another
year, and sadly looking at the next--until the end of the year,
of basically just trying to cover ourselves until that set
time.
I also want to point out to my Democratic colleagues that
defending a status quo, either be it from a previous
administration or this administration, doesn't solve the
problem and doesn't avoid future risks.
Mr. Chairman, the 7-Eleven stores in America can tell you
who picked up lip balm at their counter 3 months ago. They can
give you that type of inventory control because they use very
simple technologies: time delayed video surveillance.
There is almost no company in America that I know of, and
especially in my district with all the high-tech work, that do
not have what appears to be a much superior security, not just
system but mindset, than what we have seen to have been exposed
with our laboratories.
Now, Mr. Chairman, I want to say that I don't know,
speaking to generals, about what is going on in the Army or the
Air Force, but as somebody who worked around nuclear facilities
and nuclear crafts in the United States Navy as a contract
worker, I know the security that the United States Navy puts to
its nuclear secrets and its nuclear information. And as a
worker, firsthand exposure to this, I tell you I am almost to
the point of saying, why can the United States Navy be able to
secure its secrets and its information about its ships that are
sitting in the middle of a 2 million population and all at once
watch our laboratories misplace information that's as critical
as we have seen in the last year?
I just think that we have got to recognize, though, that it
is not just the systems's breakdown that we have witnessed in
the last few years, and I would ask my colleagues and the
witnesses to address the issue of the mindset that has infected
this agency, the mindset which appears to be that this is a
campus environment that is not the precious treasure of
information that is owned by the people of the United States,
and only the people of the United States. It is not the
personal property of the laboratory, of the university system,
or of the world. It is the taxpayers of the United States who
developed this information. It is their right and their right
only to be able to use it as they see fit.
Mr. Chairman, I appreciate the chance to be here today. I
think this is a very important challenge, and I think it is a
challenge to all of us in Congress to be able to understand
that we need to find answers and we need to implement
responses. If my 15- and 14-year-old children had lost their
disks and said, ``Well, we are lucky, dad, nobody stole them, I
just misplaced them,'' as a parent I would be more outraged at
the fact that my children did not take care of what was their
responsibility, even more than thinking that they allowed
somebody to steal it.
I don't think we should celebrate the fact that they were
lost. I think that we should be frustrated and terrified that
they were lost. And I yield back, Mr. Chairman.
Mr. Upton. Thank you. Mr. Green.
Mr. Green. Thank you, Mr. Chairman. I am glad to follow my
San Diego colleague, and I agree that this is a bipartisan
issue and it is a national security concern that should be
bipartisan or nonpartisan. I know not only do we need these
continued hearings, but we need to follow up with the
appropriations necessary with the Department of Energy. And
also as testimony in our earlier hearings showed, we need to
follow up to make sure the money is spent for the security
issues.
Like all the members of the committee, and I think all of
Congress, we have become increasingly concerned about security
controls at DOE and the weapons--nuclear weapon laboratories
and the disappearance and the reappearance of the sensitive
hard drives, and I believe improvements are necessary. And
whether it is changing the contract or maybe bringing someone
else in to make sure, I know we benefit from the campus-like
attitude that we have at both Los Alamos and the other
facility, but we also need to make sure that that campus-like
attitude is not to the detriment of the national security of
our Nation.
I know it is a concern we have, but the testimony we have
had for a number of hearings is that this is not a current
problem. Sure, we have it now and we hear the problems, but it
is a recurring problem over the last number of years and in
different administrations. So I don't want it to be just a
Secretary Richardson problem. It is a national problem that
spans both Republican and Democrat, but we need to solve it.
That's why, Mr. Chairman, I thank you for having these
hearings and to keep the follow-up. We need to make sure that
we don't have these hearings a year and a half from now and
find out something else was misplaced, whether it is the
easiest thing of putting security cameras in sensitive areas,
but again there are lots of solutions that could be done and
hopefully DOE and the administration will do it on their watch
and not wait until the next watch.
Thank you, Mr. Chairman.
Mr. Upton. Thank you. Dr. Ganske.
Mr. Ganske. Mr. Chairman, in March 1999, following the Cox
Commission report findings, the three lab directors wrote to
the DOE Under Secretary, urging that formal accountability
requirements for Secret and Top Secret restricted weapons data
be reinstituted, ``as quickly as possible.'' The Redmond
report, issued shortly thereafter, contained a similar
recommendation, but DOE did not take any apparent action to
address these recommendations prior to this latest security
incident.
A couple of weeks ago this committee meet in secret,
received a briefing on this problem, and what I will say--it
has been reported in the press--and that is that the
information on those disk drives were pretty important. I was
astounded at that briefing at the lack of commonsense security
arrangements, to say the least.
So I think there are some things that we need to determine
in this hearing. For instance, why does there seem to be such a
big difference between DOE minimum security requirements and
commonsense security controls, as outlined so well by Mr.
Stupak already?
Why has DOE failed, since 1996, to act on repeated
recommendations to impose tighter controls on its most
sensitive nuclear weapons information? And why did DOE in 1998
actually move in the other direction by eliminating controls
for Top Secret data? Those are all very important questions for
us to determine today in this hearing. And I thank you, Mr.
Chairman, for calling this hearing.
Mr. Upton. Thank you. I would just note for the record that
for those members that are not here, we will leave the record
open for opening statements and I would make a unanimous
consent request that all members of this subcommittee will have
an opportunity to submit their opening statements as part of
the record. Without objection.
[Additional statements submitted for the record follow:]
Prepared Statement of Hon. Ed Bryant, a Representative in Congress from
the State of Tennessee
Thank you Mr. Chairman: I appreciate your holding this very timely
hearing, and I want to welcome our distinguished panels.
In May of last year, the nation was shocked to learn that a
suspected Chinese spy had been repeatedly transferring top-secret
computer files at the Los Alamos National Laboratory from a classified
system for over 10 years before he was finally arrested. These computer
files contained classified programs used to develop, build, test and
simulate several generations of nuclear weapons. According to the Los
Angeles Times, the loss of this information represents ``a staggering
blow to U.S. national security.''
A little over a month after learning of this security breach, the
full Commerce Committee held a hearing on Department of Energy security
lapses. During this hearing, the chairman of the President's Foreign
Intelligence Advisory Board, former Senator Warren Rudman, reported
that his commission had found evidence of serious security failings,
including: foreign scientists visiting labs without proper background
checks and monitoring; classified computer systems and networks with
innumerable vulnerabilities; and instances where secure areas were left
unsecured for years.
In the wake of this report, Secretary of Energy Bill Richardson
stated that ``I can assure the American people that the nuclear secrets
are now safe.'' Less than a year later, however, news agencies began
reporting that two computer hard drives containing sensitive
information about U.S., Russian, and other nuclear weapons was missing.
The information on these disks is used by the Nuclear Emergency Safety
Team (NEST) to respond to terrorist activities or accidents involving
nuclear weapons.
Investigations into the disappearance of these hard drives have
revealed that security was so lapse that the 26 NEST members were able
to enter the vault where these devices were stored without ever having
to sign in or sign out. NEST team members were also able to remove and
return sensitive nuclear information without filing any type of report.
Although the hard drives were recovered a few weeks ago, during a
recent Senate hearing it was revealed that the information on these
drives could have been copied in such a way that we may never know if
this information has been given to other countries.
The Department of Energy has just recently announced plans to
tighten security by replacing combination locks with more sophisticated
palm scanning locks, and possibly installing video surveillance
systems. While this is encouraging, it is a little like closing the
barn door after the horses have decided to leave. The real question,
isn't what can the Department do to tighten security, but why wasn't
this done before our nation's nuclear secrets were compromised.
I look forward to hearing today's testimony but I want the folks
from DOE to listen carefully. I do not want to hear what has become a
seemingly boiler plate answer that ``yes, mistakes were made and we are
fixing the problems.'' I have heard that too many times before and
without fail another security breech has closely followed such
supposedly reassuring statements. I believe it is time for a more frank
discussion, I'm owed it, this Committee is owed it and most
importantly, the American people are owed it.
I thank the chair and yield back the balance of my time.
______
Prepared Statement of Hon. Tom Bliley, Chairman, Committee on Commerce
Thank you, Mr. Chairman. Today we continue our long-running effort
to get to the bottom of DOE's security problems. The latest incident
involving the disappearance, and now mysterious re-appearance, of two
highly sensitive hard drives used by Los Alamos's nuclear emergency
search team has already been the subject of numerous press reports and
Congressional hearings, including one by this Subcommittee several
weeks ago when the story first broke. But today's hearing will go
beyond this single incident, to expose a security system that has deep
flaws--a system that has failed to keep up with the changing security
threats we face, and the ability of technology to both hurt and help
our security posture.
Based on the Committee's oversight work in this area, last Fall I
became increasingly concerned about how DOE and its labs were
controlling access to their highly sensitive information, such as that
found on these missing hard drives. I instructed Committee staff to
work with the General Accounting Office to set up a review, and we
reached agreement on a scope of work in March of this year. Little did
we know, at that time, how timely this work would become.
GAO is with us today to lay out its findings from the first portion
of its review--a survey of what DOE does, and quite surprisingly does
not, actually require of its labs when it comes to controlling
classified data, and how these requirements have been weakened over
time. While DOE's requirements don't tell the whole story--the labs
often do more than is required--they are, nonetheless, an important
part of why we're in the trouble we're in today. As DOE's own internal
inspectors will tell us today, DOE's minimal, and terribly vague,
security orders create a situation in which inconsistency and
ineffectiveness can, and often do, reign supreme.
Indeed, what both of these recent GAO and DOE independent reviews
confirm is something that this Committee has been exposing for years--
that the labs can be in total compliance with DOE security requirements
and still have poor security practices. And we don't have to look any
further than the latest Los Alamos security breach for an example. Yes,
it appears that Los Alamos violated at least some DOE requirements, and
swift punishment should follow. But the facts that have most of
Congress and the American public up in arms--the lack of any record of
who enters these sensitive vaults and removes classified data--do not
amount to violations of DOE orders. In fact, as GAO and DOE experts
will tell us today, the Department does not now have, and never has
had, such specific requirements for even highly sensitive data. The
suggestion by some that changes in controls in the early 1990s did away
with such common-sense requirements is thus simply not true, and should
not be used as an excuse for the pitiful current state of affairs.
Los Alamos and the other nuclear weapon labs certainly can be
faulted for following such minimal requirements and not using better
local judgment in protecting highly sensitive assets. But it also must
be noted that, in many cases--particularly at Sandia--the labs imposed
greater controls than required by DOE, and fought efforts by DOE
Headquarters to weaken them. And when the Cox Commission raised
concerns last Spring about Chinese espionage at the labs, the lab
directors urged DOE to tighten requirements for control of nuclear
weapons data ``as quickly as possible''--a recommendation that either
fell on deaf ears or through the bureaucratic cracks, as similar expert
recommendations had since 1996.
I firmly believe that, at the end of the day, responsibility for
setting and enforcing proper security controls on this Nation's most
sensitive nuclear secrets must be borne by the Federal government. The
current system--which allows DOE to blame its contractors, and its
contractors to return the favor--will never truly achieve effective
security. The new National Nuclear Security Administration, designed by
Congress to streamline the chain of command and enhance accountability
for security, so far has done neither. Despite a proliferation of
``generals'' within DOE--as evidenced by our witnesses today--we don't
have any greater accountability. Indeed, all of these generals will
tell us that they didn't know about, and weren't responsible for, the
poor state of security affairs at Los Alamos with respect to these
missing hard drives, and similarly sensitive materials scattered
throughout these weapon labs.
We need to put this nuclear agency's security chief firmly in
charge of both security policies and practices at our weapons labs--and
hold him personally accountable for future failures. And the days of
relying on Federal contractors to establish security practices must
end.
Finally, let me urge caution against any reactive effort by either
DOE or the Congress to try to impose a one-size-fits all approach to
information security at DOE, or to return to out-dated notions of
information ``accountability.'' As we will see today, the pre-1992
controls, if they had been left in place, would not have prevented this
latest incident at Los Alamos, nor would they have made our job of
detection and investigation significantly easier. Manual, paperwork-
intensive controls do little to catch those intent on avoiding them.
So the answer is not to return to the old rules, but to develop new
ones that take into account the different risks that increases in
technology and the use of electronic media pose to our nuclear
security. At the same time, we also must embrace the benefits of
today's technology, which allows us to better control and track our
most sensitive data in a more effective and less costly manner--
technology being used today by private industries ranging from high-
tech powerhouses to our local grocery stores. While these technologies
surely are not the theft-proof panacea some might suggest, they do
provide a good starting point. I look forward to this debate, and thank
you Mr. Chairman for holding today's hearing.
______
Prepared Statement of Hon. Diana DeGette, a Representative in Congress
from the State of Colorado
Thank you Mr. Chairman.
I plan to make my remarks brief so that we may more quickly hear
from our witnesses.
I would like to thank our witnesses for coming today, I look
forward to hearing from you. Unfortunately, I have another hearing that
conflicts with this one so I will probably have to step out from time
to time.
As you know, we had a rather timely hearing on this subject roughly
a month ago, just a day after it was revealed that computer hard drives
containing sensitive nuclear defense information were missing from Los
Alamos National Laboratory. I know that some of our witnesses, along
with Secretary Richardson, have been working hard over the past month
to ensure we know what happened to the material these disks contained,
and to ensure that this kind of inexcusable security lapse does not
happen again in the future. I recognize that you may not have much new
information, or at least information appropriate for an open hearing,
but I do look forward to an update on the progress of the
investigation.
On June 15, 2000, I joined five of my colleagues in sending a
letter to Secretary Richardson. Our letter requested that the Secretary
revoke the University of California's contract to manage and operate
Los Alamos National Laboratory because repeated security violations
represent a breach of contract. We obviously did not make this request
lightly. We all recognize the tremendous intellectual value the
University brings to our national defense and research programs. The
problem is that the University does not seem to be able to effectively
manage the contract, which directs them to provide security and comply
with Department of Energy security rules and procedures. The University
has an outstanding reputation and has great intellectual assets, this
does not mean it has the capacity to operate an effective security
program.
I do not hold the University singularly responsible. The Department
of Energy bears some blame. It is the Department's responsibility to
oversee the contract and provide that proper security guidance, rules,
and enforcement authority exists. It certainly appears that the
Department has never mastered these functions. We should all agree that
this is not a partisan issue. These problems go back years through both
Democratic and Republican Administrations.
I understand that the Department is now considering issuing a
security contract. Unfortunately, adding yet another contractor into
the mix is not likely to solve the problems we are here to discuss
today. I am not very confident that a new contractor whose role may be
relegated to providing technical assistance on security matters to
laboratory management is going to remedy our security problems.
I thank you Mr. Chairman for calling this hearing.
I yield back the balance of my time.
______
Prepared Statement of Hon. John D. Dingell, a Representative in
Congress from the State of Michigan
Thank you, Mr. Chairman for holding this hearing, and for the
bipartisan staff work that led up to it. Security at DOE weapons
laboratories is a longstanding and stubborn problem. For example, last
year, after the downloading of nuclear weapons information by a weapons
scientist from classified computers at the Los Alamos National
Laboratory, the Rudman panel concluded that the Department of Energy
``and the weapons laboratories have a deeply rooted culture of low
regard for and, at time, hostility to security issues, which has
continually frustrated the efforts of its internal and external
critics, notably the GAO [General Accounting Office] and the House
Energy and Commerce Committee.''
But even the recommended changes in structure--even if fully
implemented could not guarantee security. According to Senator Rudman,
``[T]he most powerful guarantor of security at the nation's weapons
laboratories will not be laws, regulations, or management charts. It
will be the attitudes and behavior of the men and women who are
responsible for the operation of the labs every day.'' Those attitudes
ranged, according to the panel, from ``half-hearted, grudging
accommodation'' to ``smug disregard.''
Secretary Richardson took many steps to correct deficiencies. Most
significantly, the Department hardened its security and greatly
expanded the counter-intelligence operation. I wish that I could say
the same about the laboratories. Upon the order of Secretary
Richardson, the laboratories had a two-day security training stand-down
last year, but apparently it was not sufficient to change the culture.
In many ways, the loss of the hard drives at Los Alamos reflected
that ingrained culture even more than the Wen Ho Lee incident did. It
involved not one person, but many who knew that they were violating
DOE's security directives when they did not report the missing disks.
Someone--deliberately or otherwise--removed the hard drives from their
secure location. Many, many other people tried to cover up the loss.
But why shouldn't they? No one was disciplined for the weak cyber
security last year. Why would anyone be punished now?
The University of California will tell us today of its ``integrated
security and safeguards management'' system which will instill security
awareness in every employee. Perhaps it would have prevented the latest
incident. But it is still not operational. Mr. Chairman, the chronic
security problems at Los Alamos led me and five other Democrats on this
Committee last month to call for the removal of the University of
California as the contractor at Los Alamos. Only when contractors
understand that there are real consequences to pay for security
breaches will they make necessary changes.
Mr. Upton. This morning, for our first panel, we have Mr.
Jim Wells, Issue Area Director for Energy Resources and Science
Issues of the U.S. General Accounting Office. Welcome, and you
will be accompanied by Mr. Fenzel.
We also have Mr. Glenn Podonsky, a familiar face to members
of this subcommittee, Director of the Office of Independent
Oversight and Performance Assurance at the Department of
Energy.
As you gentlemen know, we have had a longstanding tradition
of taking testimony under oath. Do you have any objection to
that?
Mr. Podonsky. No.
Mr. Wells. No.
Mr. Fenzel. No.
Mr. Upton. The committee rules also allow you to have
counsel help represent you. Do you wish to have counsel?
Mr. Podonsky. No.
Mr. Wells. No.
Mr. Fenzel. No.
Mr. Upton. If you would stand and raise your right hand.
[Witnesses sworn.]
Mr. Upton. Thank you. You are now under oath.
Mr. Wells, we will start with you and I would note we would
like you to keep your remarks to about 5 minutes and your
entire statement is now part of the record. Mr. Wells.
TESTIMONY OF JIM WELLS, ISSUE AREA DIRECTOR, ENERGY, RESOURCES,
AND SCIENCES ISSUES, U.S. GENERAL ACCOUNTING OFFICE,
ACCOMPANIED BY WILLIAM F. FENZEL; AND GLENN S. PODONSKY,
DIRECTOR, OFFICE OF INDEPENDENT OVERSIGHT AND PERFORMANCE
ASSURANCE, U.S. DEPARTMENT OF ENERGY
Mr. Wells. Thank you, Mr. Chairman, members of the
subcommittee. Once again, GAO is here to present information--
--
Mr. Upton. If you would just pull the mike just a little
closer so the folks in the back can hear.
Terrific. Thank you.
Mr. Wells. Once again, GAO is here to present information
regarding a lapse in security at the Department of Energy.
Accompanying me today is William Farrell Fenzel, our assistant
director, who over the years has done a lot of the security
work in the Department of Energy.
At your request several weeks ago, we received a letter
asking for an audit investigation of accountability of
classified material controls that were in existence at the
Department of Energy. That audit has begun and it is still
ongoing.
During our work, you asked us today to appear before this
committee to discuss the answers to two questions. The first
question was, what are the minimum DOE requirements imposed on
classified material by the contractors who do the work for the
Department of Energy? And the second question was, are document
sign-in and sign-out sheets required?
We have this information. It is shown in pages 4 and 5 of
my written statement, but I will also refer to the charts on my
left-hand side. What I would like to do is quickly just
highlight those charts that deal with Secret and Top Secret
requirements to show you how basic accountability requirements
have changed over the last 12 years.
I want to turn your attention now to the Secret chart.
These are changes in the minimum requirements for controlling
secret documents.
What you see on the left-hand side are typical
accountability document requirements, things like frequency of
inventories. These are the types of things that were required
under DOE, things like unique identification numbers, putting a
number on a document so that you know whether that document is
present or not; things like approval for reproduction so before
one can make a copy of a classified document, one must go back
to the originator of the document, and seek permission and
document that an extra copy has been made. As you can see by
that chart, most of those requirements were dropped and
discontinued in 1992.
If I could refer you to the second chart, which talks about
some of the changes in the minimum requirements for controlling
Top Secret documents, once again on the left-hand side you will
see typical accountability-type controls. What I would like to
point out for Top Secret documents, in terms of DOE minimum
requirements, is that some of these requirements have been
reduced not once but twice.
Looking at frequency of inventories, as you can see,
required every 6 months in 1988. That was changed to annually
in 1995, and in 1998 the requirement for inventories was
discontinued.
Looking at items like a Top Secret control officer and end-
of-day verification, we are talking about a requirement that
did exist at one time for a custodian, a person that would know
who had what document and where, and at the end of each day
would verify and certify that the Department of Energy had
control over where that particular document was.
And last, let me answer that question in terms of whether
there are required sign-in and sign-out sheets. Based on our
audit team's discussion with agency officials, we have spent
hours combing hundreds of pages of DOE orders and current
security manuals and cannot find any requirement, minimum
requirement, for sign-in and sign-out sheets.
The bottom line, Mr. Chairman, clearly what you see
represented on those charts document that the requirements have
gone down, or as Mr. Bilbray talked about, the threshold has
been lowered.
This is what we found to date. We still need to look at
what is being done in terms of the actual practices; even why
these changes are being made and what impacts, if any, exist
out there when we finish our audit for this committee.
Mr. Chairman, I am going to stop here. I probably have a
couple more minutes but I am going to stop here because I think
we have much more to do and a lot more answers to come up with.
We do, however, share the concern of the committee about
document accountability and, like you, we too look forward to
hearing the answers of the witnesses that follow this panel.
Mr. Chairman, thank you. We will be glad to respond to any
questions you may have.
[The prepared statement of Jim Wells follows:]
Prepared Statement of Jim Wells, Director, Energy, Resources, and
Science Issues, Resources, Community, and Economic Development
Division, GAO
Mr. Chairman and Members of the Subcommittee: We are pleased to be
here today to provide information on the Department of Energy's (DOE)
requirements for protecting and controlling classified documents. DOE's
requirements are designed to protect classified documents from their
inception to their destruction. At the Subcommittee's request, we have
begun an evaluation, which is still underway, of DOE's classified
matter protection and control program. During the past few weeks, we
briefed your staff on DOE's requirements for controlling classified
documents. At your request, we are testifying today on changes in DOE's
requirements since 1988, when complete accountability was required for
Secret and Top Secret documents. You also asked us to testify on the
extent to which sign-out sheets have been required to provide a record
of who removed a classified document from storage and when it was
removed.
I would like to emphasize that the requirements we address today
are DOE's minimum requirements. The contractors who operate DOE's
facilities may require additional controls and procedures to protect
and control classified documents. We are providing information on the
requirements for controlling both Secret and Top Secret documents in
protected areas. Protected areas have physical barriers and also have
controlled access. Secret and Top Secret documents stored outside of
these areas require additional protective measures.
In summary, DOE has numerous procedures designed to protect
classified documents. The requirements vary depending on the type of
document being protected and the nature of the protection provided
where the document is stored. We found that many requirements for
protecting and controlling Secret and Top Secret documents stored in
protected areas were discontinued in the 1990s. For example, the
requirement to inventory Secret documents every 3 years was
discontinued in 1992 with other controls over Secret documents. In
regard to Top Secret documents, many requirements, such as a Top Secret
Control Officer, were eliminated in 1998.
Background
DOE is responsible for administering a security program that
protects classified documents from loss or theft. DOE's memoranda,
orders, and manuals set forth the requirements for protecting and
controlling classified documents at DOE facilities. DOE's strategy for
protecting classified documents involves a ``graded protection''
system. Under such a system, the level of protection for a classified
document is commensurate with the threat to the document, the
vulnerability of the document, the value of the document, and the level
of risk to the document that DOE is willing to accept. Not all items
are protected to the same degree; furthermore, locations on a DOE site
may be protected differently. Protection is provided by various means,
such as physically protecting classified documents with guards,
buildings, vaults, and locks; limiting access to classified documents
to personnel with proper security clearances and a legitimate need to
have the information; and the processes and procedures known as
classified matter protection and control.
DOE's classified matter protection and control program has included
a wide variety of requirements. These requirements have included
conducting inventories of classified documents and maintaining an
accountability record for each classified document. The accountability
record can include a description of the document, date, classification
level and category. DOE has also required that each classified document
be assigned a unique identification number--to allow the identification
and tracking of the document--and a copy and series designation--to
provide information on how many copies exist. Additionally, DOE has
required the use of receipts for internal and external distribution to
provide a record of dissemination of a classified document within a
facility and outside a facility, respectively. Finally, DOE has
required certain procedures for maintaining receipts and destruction
records and obtaining approval for the reproduction of a classified
document. Other requirements could also be used, such as maintaining a
sign-out sheet to provide a record of who removed a classified document
from storage and when it was removed.
DOE has also required additional controls for Top Secret documents.
These have included assigning a Top Secret Control Officer, who has
ultimate responsibility for Top Secret documents; conducting a
verification to certify that all Top Secret documents have been
returned to storage at the end of each work day; and maintaining a Top
Secret access record that lists all persons who are authorized access
to Top Secret documents.
Changes to DOE's Requirements Over the Past 12 Years
In general, over the past 12 years, many requirements for Secret
and Top Secret classified matter protection and control have been
discontinued. Specifically, requirements for maintaining records and
receipting and reproducing classified documents were discontinued.
According to DOE classified matter protection and control officials,
these changes were implemented to promote governmentwide uniformity
among contractors and to account for technological changes, such as
computers, copiers, and faxes, in the processing and storage of
classified information. In our ongoing evaluation, we will be looking
at how other agencies protect and control classified documents.
The following tables show the requirements, or lack of
requirements, for certain classified matter protection and control
procedures. Several points in time were selected to demonstrate the
changes in requirements from 1988 to 1998. The 1988 requirements are
used as a baseline because, in that year, DOE required accountability
procedures and receipting and reproduction requirements that applied to
all Secret and Top Secret documents. The requirements for Secret
documents for 1992 are shown because in that year DOE modified
accountability requirements for Secret documents. The 1992 requirements
for protecting and controlling Secret documents have not changed.
Table 1 shows that many requirements for controlling Secret
documents that were required in 1988 were discontinued in 1992. Among
those discontinued were DOE's requirement to conduct inventories,
maintain an accountability record, assign a unique identification
number and copy and series to each Secret document, use receipts for
the dissemination of Secret documents within a facility, and obtain
approval from the document's originator before reproducing a Secret
document. The requirements for retaining receipts and destruction
documentation did not change. DOE has not and does not require a sign-
out sheet for Secret documents.
Table 1: Changes in Minimum Requirements for Controlling Secret
Documents
------------------------------------------------------------------------
Control requirement 1988 1992
------------------------------------------------------------------------
Frequency of inventories........ Every 3 years..... Requirement
discontinued
Accountability record........... Required.......... Requirement
discontinued
Unique identification number.... Required.......... Requirement
discontinued
Copy and series designation..... Required.......... Requirement
discontinued
Receipts for internal Required.......... Requirement
distribution. discontinued
Receipts for external Required.......... Required
distribution.
Retention of receipts........... 2 years........... 2 years
Retention of destruction records 2 years........... 2 years
Approval for reproduction....... Required.......... Requirement
discontinued
Sign-out sheets................. Not specified..... Not specified
------------------------------------------------------------------------
Source: Prepared by GAO on the basis of DOE documents.
Table 2 shows DOE's requirements for safeguarding Top Secret
documents in 1995 and 1998 in addition to the 1988 baseline
requirements. The requirements in 1995 are included because DOE revised
its classified matter protection and control manual, changing several
inventory and accountability requirements. DOE decreased the frequency
of inventories from semiannually to annually. DOE had also discontinued
the requirements for assigning a copy and series designation to each
document and the requirement for verifying that all Top Secret
documents had been returned to storage at the end of the work day.
DOE's minimum requirements for 1998 are included because DOE again
revised its classified matter protection and control manual to
eliminate additional accountability requirements for Top Secret
documents. In 1998, DOE eliminated requirements for performing annual
inventories, maintaining an accountability record, assigning a unique
identification number to each document, assigning a Control Officer,
maintaining an access record, using receipts for the dissemination of
Top Secret documents within a facility, and obtaining approval before
reproducing a document. The requirements for using receipts for
dissemination of Top Secret documents to recipients outside the
facility and retaining receipts and destruction documentation did not
change. DOE has not and does not require a sign-out sheet for Top
Secret documents. The 1998 requirements for protecting and controlling
Top Secret documents have not changed.
Table 2: Changes in Minimum Requirements for Controlling Top Secret Documents
----------------------------------------------------------------------------------------------------------------
Control requirements 1988 1995 1998
----------------------------------------------------------------------------------------------------------------
Frequency of inventories............. Every 6 months......... Annually............... Requirement
discontinued
Accountability record................ Required............... Required............... Requirement
discontinued
Unique identification number......... Required............... Required............... Requirement
discontinued
Copy and series designation.......... Required............... Requirement No change from 1995
discontinued.
Top Secret Control Officer........... Required............... Required............... Requirement
discontinued
End-of-day verification.............. Required............... Requirement No change from 1995
discontinued.
Access record........................ Required............... Required............... Requirement
discontinued
Receipts for internal distribution... Required............... Required............... Requirement
discontinued
Receipts for external distribution... Required............... Required............... Required
Retention of receipts................ 5 years................ 5 years................ 5 years
Retention of destruction records..... 5 years................ 5 years................ 5 years
Approval for reproduction............ Required............... Required............... Requirement
discontinued
Sign-out sheets...................... Not specified.......... Not specified.......... Not specified
----------------------------------------------------------------------------------------------------------------
Source: Prepared by GAO on the basis of DOE documents.
While we were asked to discuss document protection and control
within DOE protected areas, it should be noted that Secret and Top
Secret documents stored outside of these areas require additional
protective measures. In addition, these requirements have not been
discontinued for some specific types of Secret and Top Secret
classified documents. These include classified documents related to
special access programs, cryptographic information, and NATO classified
information.
I would like to reiterate that the requirements we address today
are DOE's minimum requirements. The contractors who operate DOE's
facilities may require additional controls and procedures to protect
and control classified documents. In addition, as you know, we have
recently begun our work for the Subcommittee related to accountability
for classified documents and will be doing further work on these
issues.
We discussed the information related to classified matter
protection and control requirements with DOE's Office of Safeguards and
Security and Office of Independent Oversight and Performance Assurance
officials, who agreed with its factual accuracy.
Mr. Chairman, this concludes our formal statement. We would be
happy to respond to any questions that you or Members of the
Subcommittee may have.
Contact and Acknowledgements
For future contacts regarding this testimony, please contact Jim
Wells at (202) 512-3841. Individuals making key contributions to this
testimony include William F. Fenzel, Kenneth E. Lightner, Jr., and
Ilene M. Pollack.
Mr. Upton. Thank you.
Mr. Podonsky.
TESTIMONY OF GLENN S. PODONSKY
Mr. Podonsky. Thank you, Mr. Chairman. I appreciate the
opportunity to appear before this subcommittee to discuss
classified information security controls at DOE's nuclear
weapon laboratories. As you all are aware, my office provides
the Secretary of Energy with an independent view of the
effectiveness of departmental policies, programs and procedures
in the areas of safeguards and security, emergency management
and cyber security.
At the outset of my statement, I believe it is particularly
important to inform this committee about some significant
aspects of DOE's current administrative requirements for
protecting classified information and how those requirements
came about.
Ten years ago, DOE required a formal accountability system
for all Secret and Top Secret information. Each document or
item was accounted for from origination to destruction, and
each was identified by unique number, page count, and various
other specific markings. A chain of custody was maintained
throughout the item's life. Additionally, periodic inventories
were required to ensure that all documents or items were
present and or accounted for.
In 1991, DOE began modifying its requirements for
classified matter accountability. This action was in response
to a governmentwide initiative that originated from a 1990
National Security Council assessment, intended to establish a
single security program that could be applied to both industry
and government.
Consequently, in February 1991, DOE modified its policy to
eliminate the requirement to account for Secret-level national
security information, which was not directly related to nuclear
weapon information.
In May 1992, DOE again modified its requirements based on
the provisions of part 2001 of Title 32 of the Code of Federal
Regulation; this time eliminating formal accountability
requirements for Secret RD; that is, nuclear weapons-related
information.
In January 1998, under the authority of Executive Order
12958 dated April 1995, DOE eliminated security accountability
requirements for all Top Secret information stored in secure
areas.
With these modifications, current DOE policy only requires
sites to formally account for certain types of documents, such
as sensitive compartmented information, foreign government
information, some sensitive nuclear weapons use control
information, and special access program information.
These reductions of accountability requirements were part
of a general trend toward reduction in security that occurred
in the early to mid-1990's. During that period, DOE initiatives
were aimed at reducing security costs, declassifying
information and increasing openness at DOE sites. That general
trend included DOE's encouragement for sites to reduce security
costs through such actions as downsizing protective forces,
downgrading clearances and eliminating or consolidating
security areas, all elements of the overall program for
protection of classified information.
However, as we have seen, security requirements subject to
a wide range of interpretations do not enhance the security
posture of our entire government. In response to the 1999
allegations of espionage at Los Alamos, Secretary Richardson
took some extensive and unprecedented actions. Security within
DOE, and particularly at the three national weapons labs,
received high-level management attention. Secretary Richardson
directed the implementation of an extensive set of cyber
security enhancements; strengthened DOE security management
organization through functional reorganizations, in addition to
personnel and expertise; elevated the oversight function to be
a direct report to his office; implemented a polygraph program
and issued a zero tolerance policy for security violations.
At the same time, the Headquarters Office of Defense
Programs published a ``goal post'' document that established
expectations for near-term improvements that would enable each
site to achieve a satisfactory security program. Under these
initiatives, DOE sites took aggressive action and strengthened
their security programs and practices in several areas,
including cyber security, control of foreign nationals and
storage of classified weapon components. However, since these
efforts were initiated within the DOE, they did not address the
governmentwide policy problems associated with the control of
Secret and Top Secret classified information.
DOE is unique in that it possesses and is responsible for
safeguarding certain types of information that no other agency
possesses; specifically, information categorized as restricted
data that deals with nuclear weapons design, manufacture and
testing, and includes information about disabling or enabling
nuclear weapons. Such information merits a higher degree of
protection than any types of classified information.
Consequently, at the direction of Secretary Richardson, DOE
is currently evaluating and/or implementing four departmental-
wide recommendations:
First, reinstitute requirements for a formal accountability
system for Top Secret and Secret weapons data.
Second, establish a clear and comprehensive graded approach
for information protection and issue appropriate implementing
guidance. This approach should include practical guidelines for
determining relative importance of information, provide more
sensitive information and greater amount of protection.
Third, clarify the need-to-know policy in order to better
limit access to information.
Fourth, continue efforts to expand the human reliability
programs to include personnel with access to the most sensitive
nuclear secrets.
When the Secretary was informed in June of this year of the
security incident at Los Alamos involving missing classified
hard drives, he demanded to get to the bottom of the situation
and once again he took a number of aggressive steps to increase
the control and protection of particularly sensitive weapons-
related data.
The Secretary directed immediate implementation of several
recommendations. Other recommended changes, including the four
I specifically mentioned, should be incorporated--and these
should be incorporated into DOE orders as soon as possible.
Additionally, he directed my office to make an immediate
assessment on an expedited basis of the adequacy of security
procedures and administrative controls for such information at
Los Alamos, Livermore, and Sandia National Laboratories. We
completed reviews of Livermore and Sandia and we will conduct a
similar review at Los Alamos after the FBI has completed its
criminal investigation surrounding the classified hard drives.
This concludes my comments. Thank you, Mr. Chairman.
[The prepared statement of Glenn S. Podonsky follows:]
Prepared Statement of Glenn S. Podonsky, Director, Office of
Independent Oversight and Performance Assurance, U.S. Department of
Energy
Thank you Mr. Chairman. I appreciate the opportunity to appear
before this subcommittee to discuss classified information security
controls at DOE's nuclear weapons laboratories. As you are aware, my
office provides the Secretary of Energy with an independent view of the
effectiveness of departmental policies, programs, and procedures in the
areas of safeguards and security, emergency management, and cyber
security.
At the outset of my statement, I believe it is particularly
important to inform you about some significant aspects of DOE's current
administrative requirements for protecting classified information and
how those requirements came about.
Historical Summary
Ten years ago, DOE required a formal accountability system for all
Secret and Top Secret information. Each document or item was accounted
for from origination to destruction, and each was identified by a
unique number, page count, and various other specific markings. A chain
of custody was maintained throughout the item's life. Additionally,
periodic inventories were required to ensure that all documents or
items were present or accounted for.
In early 1991 DOE began modifying its requirements for classified
matter accountability. This action was in response to a government-wide
initiative that had as its foundation a 1990 National Security Council
assessment intended to establish a single efficient national industrial
security program that could be applied to both industry and government.
Consequently, in February 1991 DOE modified its policy to eliminate
the requirement to account for Secret level information that was
categorized as National Security Information--that is, information that
could impact national security but was not directly related to nuclear
weapons design or nuclear material production.
In May 1992, DOE again modified its requirements based on the
provisions of Part 2001 of Title 32 of the Code of Federal Regulations,
this time eliminating formal accountability requirements for Secret
Restricted Data--that is, nuclear weapons-related information.
In January 1998, under the authority of Executive Order 12958 of
April 1995, DOE eliminated accountability requirements for all Top
Secret information.
With these modifications, current DOE policy only requires sites to
individually account for certain types of documents, such as sensitive
compartmented information, foreign government information, some
sensitive (nuclear weapons) use control information, and some special
access program information.
These reductions of accountability requirements were part of a
general trend toward reduction in security that occurred in the early
to mid 1990s, partly as the result of the end of the cold war. During
that period DOE initiatives were aimed at reducing security costs,
declassifying information, and increasing ``openness'' at DOE sites to
promote interactions with local communities and with industry. That
general trend included DOE's encouragement for sites to reduce security
costs through such actions as downsizing protective forces, downgrading
clearances, and eliminating or consolidating security areas, all
elements of the overall program for protecting classified information.
In response to the 1999 allegations of espionage at Los Alamos,
Secretary Richardson took some extensive and unprecedented actions.
Security within DOE, and particularly at the three national weapons
laboratories, received high-level management attention. Secretary
Richardson directed the implementation of an extensive set of cyber
security enhancements, strengthened DOE's security management
organization through functional reorganization and addition of
personnel and expertise, elevated the oversight function to a direct
report to his office, implemented a polygraph program, and issued a
zero tolerance policy for security violations. At the same time, the
Headquarters Office of Defense Programs published a ``goal post''
document that established expectations for near-term improvements that
would enable each site to achieve a satisfactory security program.
Under these initiatives, DOE sites took aggressive action and
strengthened their security programs and practices in several areas,
including cyber security, control of foreign national visitors, and
storage of classified weapons components. However, since these efforts
were initiated within DOE, they did not address the government-wide
policy deficiencies associated with the control of Secret and Top
Secret classified information. Minimal security requirements that are
subject to a wide range of interpretations for the purpose of
implementation do not, as we have seen, enhance the security posture of
our government.
Recommendations
DOE is unique in that it possesses and is responsible for
safeguarding certain types of information that no other agencies
possess--specifically, information categorized as Restricted Data that
deals with nuclear weapons design, manufacture, and testing, and
includes information about disabling or enabling nuclear weapons. Such
information merits a higher degree of protection than other types of
classified information (categorized as National Security Information).
Consequently, at the direction of Secretary Richardson, DOE is
currently evaluating and/or implementing four Department-wide
recommendations:
First, re-institute requirements for a formal accountability
system for certain types of information (i.e., Top Secret and
Secret Weapons-Related Data).
Second, establish a clear and comprehensive graded approach
for information protection and issue appropriate implementing
guidance. This approach should include practical guidelines for
determining relative importance of information; provide more
sensitive information greater protection, and apply recent
enhanced requirements for vaults to other storage containers.
Third, clarify the need-to-know policy. In order to better
limit access to information, DOE needs to determine prudent
measures for identifying specific need-to-know for access to
information and establish expectations for partitioning
information stored in large repositories.
Fourth, continue efforts to expand the human reliability
programs. DOE's human reliability program, which includes drug
testing and regular medical evaluations and ensuring that
personnel who handle nuclear weapons and special nuclear
material are reliable and fit for duty, should be expanded to
include personnel with access to the most sensitive nuclear
secrets.
When the Secretary was informed in June 2000 of the security
incident at Los Alamos involving missing classified hard drives, he
demanded to get to the bottom of the situation and, once again, he took
a number of aggressive steps to increase the control and protection of
particularly sensitive weapons-related data. The Secretary directed
immediate implementation of several recommendations. Other recommended
changes, including the four I specifically mentioned, should be
incorporated into DOE orders as soon as possible to ensure that they
are institutionalized and become part of a permanent policy base.
Additionally, he directed my office to make an immediate
assessment, on an expedited basis, of the adequacy of security
procedures and administrative controls for such information at Los
Alamos, Lawrence Livermore, and Sandia National Laboratories. We
completed reviews of Lawrence Livermore and Sandia, and we will conduct
a similar review at Los Alamos after the FBI has completed its criminal
investigation surrounding the classified hard drives.
That concludes my comments. Thank you, Mr. Chairman.
Mr. Upton. Thank you both.
Mr. Wells, as I read your testimony back in Michigan, I
came back last night after being back for the July 4 break, I
was, I have to say, a little astounded at looking at the charts
that you shared here and were part of your testimony, and I
know that we are going to be asking Mr. Glauthier questions
about some of this. But did you get any response back from DOE
in terms of how they could change some of these requirements in
the past years?
I mean, I look at myself back home and actually I do a fair
amount of the grocery shopping. There is one store there called
Myers, and they now have checkout lines where there is no
cashier. You verify it yourself. It is scanned yourself. They
have an absolute record in terms of the inventory of the store,
and for those that hadn't done it before, I think there is one
person for every four or five lanes going out.
When I look at no sign-out sheets, unique identification
numbers requirement discontinued, I mean just a whole series of
things, it is rather amazing when I see these changes that in
my view have weakened our security, particularly with security
lapses. I know a number of members went out to look at the
labs. At least from my perspective, I was very impressed with
the physical security, the swat teams that are out, ready to
defend against the mission impossible days that we saw on TV a
number of years ago. But it was the cyber security, the Wen Ho
Lee case, other things, that trouble us the most. By
discontinuing a number of things that were once in place, it
seems that we have provided perhaps an open invitation to
losing documents as we saw with the two hard drives.
What is your comment with regard to that? What reaction do
you have?
Mr. Wells. Regarding my reaction, when the committee
inquired about GAO coming forth in a week or 2 to testify on
what they had found so far, my audit team presented the results
that you see on that chart, I did not believe them. I was
somewhat concerned that I wanted the audit team to go back and
verify and double-check. I found, like yourself, that I was
astounded.
Given the problems that we are now seeing across the
complex, it is unclear to us what objective was trying to be
achieved when these requirements were reduced. We have not been
able to document why some of these changes have occurred yet.
Quite frankly, we asked for documentation for 1992, for
instance, in the security Secret area, why all of those
accountability-type requirements were dropped, and the
Department supplied us with a single one-page memorandum that
basically acknowledged that accountability requirements are
being modified. Nowhere on this single sheet of paper is there
any discussion of why these requirements were being dropped. So
as of this moment, we still don't have a good handle on the why
part.
Mr. Upton. You know, one of the concerns that I saw with
your testimony, and with particularly these two missing hard
drives, I mean as we learned what was on those hard drives, I
can't imagine a more important document that was missing. For
the life of me, I don't understand why it was classified as
Secret versus Top Secret. I will get to that a little bit
later. And Top Secret obviously ought to have a higher
classification in terms of its tracking and its whereabouts.
Do you have any idea why the Top Secret control officer,
which you mentioned in your testimony, was dropped?
Mr. Wells. No, sir, I don't have a good answer for you yet.
Mr. Upton. Mr. Podonsky, do you have a reaction to those
first two questions, these charts and the Top Security control
officer?
Mr. Podonsky. Well, we can confirm that what the GAO is
reporting is an accurate portrayal in terms of the
requirements. But I think part of what we have found over the
years, and we have a long history in 1991, 1992, 1993, 1994,
regarding concerns about the policy, is that this was a clear
national initiative back in 1990; and there is a long stream of
documentation that outlines how this came about, starting with
President Bush's request of the National Security Council to
prepare a review of how to consolidate into a single security
program an industrial requirement that the government could
align itself to.
It finally resulted in a National Industrial Security
Program Manual that came out in 1995 that lays out this. Why
the Department elected over the years to continue to change its
requirements, that's not clear. I would have to yield to the
policy arm of the Department.
Mr. Upton. I know we are going to have a couple of rounds
so I am going to try to stick to the 5 minutes.
Mr. Stupak.
Mr. Stupak. Thank you, Mr. Chairman.
Mr. Wells, I am looking at page 3 of your testimony. You
are talking about DOE's requirements over the past 12 years. It
starts off, and in the first paragraph, middle of the
paragraph, it reads, According to DOE classified matter
protection and control officials, these changes were
implemented to promote governmentwide uniformity among
contractors and to account for technological changes such as
computers, copiers, and faxes in the processing and storage of
classified information. In our ongoing evaluation, we will be
looking at how other agencies protect and control classified
documents.''
So these changes that have occurred over the last 12 years
was to make everybody--contractors, the government, DOE, the
labs--all get on the same page? Am I reading that right?
Mr. Wells. That's correct. We are talking about CIA,
Department of Defense.
Mr. Stupak. National security?
Mr. Wells. National security agencies.
Mr. Stupak. So that started back in about 1988?
Mr. Wells. It was begun then; yes, sir.
Mr. Stupak. When you go to make everybody on the same page,
isn't that when, really, breaches of security start to break
down; or start to occur, I should say?
Mr. Wells. Clearly, from what we understand, much of the
discussion that occurred in terms of whether that would work or
not was centered on unique requirements that may exist in
individual agencies under different circumstances. There were
many people that did not agree with that initiative for
uniformity. That's what we understand.
Mr. Stupak. Well, do you agree with this need for
uniformity amongst contractors and government and private
industry and DOE and NSA? Should they all be on the same page,
or should there be different degrees of security as you move
forward within government or within industry, depending on the
weapon or the research you are doing?
Mr. Wells. I agree that GAO as an audit team will go in and
continue to look at the reasons why the requirements may or may
not need to be different throughout the agencies, but clearly
we shouldn't lose sight of the objective of all security
protection is to prevent the loss and prevent the compromising
of material. And what we are currently seeing, the existing
uniformity of regulations are not achieving that objective. So
we may have a situation where we need to look at some unique
requirements, particularly as regards to our nuclear weapons.
Mr. Stupak. Okay. But in answer to my question, do you
agree that they all should be on the same page or should it be
different?
Mr. Wells. I am unable to agree or disagree until we have
had a further chance to further investigate.
Mr. Stupak. I thought GAO's job was to evaluate this
situation and to give us some recommendation to give this
committee and others, oversight, as to how we should approach
these things?
Mr. Wells. Absolutely. We have an ongoing audit and
investigation. We have been in it about 3 weeks. That work is
continuing and we hope to have that work finished for the full
committee and this subcommittee shortly.
Mr. Stupak. But over the last 3 weeks, obviously you have
done more--other audits; because going back to 1976, I think
Mr. Dingell started the first letters, and periodically every 2
years he was on GAO to do an investigation, to do an audit
because things weren't working right with the secrecy of our
top secrets in this country.
Mr. Wells. Clearly, GAO has a history of 20 years of
oversight in classified security matters and each and every
time we have gone in and looked, there have been problems. Each
and every time we have heard corrective action being promised
by the Department of Energy. When we have looked at some of
these, we have found that the implementation has not been as
successful and problems seem to be recurring.
Mr. Stupak. When you would look at it and you would see
problems recurring over the last 20 years, you would make your
recommendations and go back and see it was never done?
Mr. Wells. We have made 50 recommendations in the last 20
years. I had my team count up the number of recommendations
that have been reported.
Mr. Stupak. You have had 50. How many of them were carried
out?
Mr. Fenzel. I can answer that. In almost all cases with our
recommendation, what DOE does is agree with the
recommendations, take corrective action; but then what happens
is things start to change and the implementation of the
recommendation falls through and the problem resurfaces.
Case in point with the classified documents: We issued a
report in 1991 that pointed out missing classified documents.
At Lawrence Livermore over 10,000 documents were missing. At
other facilities at DOE, hundreds of documents were missing.
DOE agreed, said they had a problem with controlling classified
documents and were going to institute tighter controls.
A year after that is when they began reducing the
requirements for Secret. So the history is they take corrective
action, but then in the implementation that corrective action
usually falls down in many cases.
Mr. Stupak. So we hear your recommendations; we agree with
those recommendations; we begin to implement it, but the wheels
come off the cart halfway through?
Mr. Fenzel. A year, 2 years down the road, a lot of
security issues are cyclical in this fashion.
Mr. Stupak. How long--if anyone knows, how long has the
longest Secretary of Energy ever been in the position? It seems
to be like a resolving door there with Secretaries of Energy.
Mr. Fenzel. A lot of them. The tenure of the Secretary of
Energy--we did some work on that about 2 years ago. I can't
comment on the present Secretary's tenure, but on average it is
usually less than 2 years.
Mr. Stupak. Less than 2 years?
Mr. Fenzel. Right.
Mr. Stupak. So there really is no accountability or
responsibility going on when we have a revolving door at the
top, is there?
Mr. Fenzel. I think that hinders any type of security.
Mr. Stupak. Thanks.
Mr. Upton. Mr. Burr.
Mr. Burr. Mr. Fenzel, after doing your assessment for the
GAO, can you sum up in a couple of sentences not what you
found, but what you felt like after you finished?
Mr. Fenzel. You mean this present assessment?
Mr. Burr. Yes, sir.
Mr. Fenzel. Our work is still ongoing. And I can verify
that when our boss, Mr. Wells, did get these tables, he didn't
believe us at first. So in a way, we had to convince him that
this was the situation.
As for my reaction, I was more concerned on the Top Secret
situation and the decreases in requirements there.
I would like to put a caveat on that. These are the minimum
requirements of DOE. The laboratories can do a lot more, and I
think what you will probably hear is that there are other
things they are doing beyond the minimum controls.
My problem is that these are the minimum controls and while
there are more controls out there right now, they are not
necessarily going to be followed 1 year from now, 2 years from
now, 5 years from now, and that eventually if these minimum
controls are kept in place, somebody, somewhere, is going to
follow these minimum controls and that's----
Mr. Burr. Let me read you something from Mr. Podonsky's
review. It is found on page 17. It says--it is talking about
various DOE elements and individuals that advocated
reestablishment of formal accountability systems for Top Secret
documents and Secret weapons data.
Most noticeably, March 1999, the director of the three
nuclear weapons laboratories sent a joint recommendation to the
DOE Under Secretary and the DOE Director of the Office of
Counterintelligence in which they advocated that DOE reinstate
accountability for documents that contained Secret restricted
data and Top Secret restricted data.
Would it surprise you that the lab directors were on record
in March 1999 saying we want to reinstitute this?
Mr. Fenzel. Well, that doesn't surprise me.
Mr. Burr. It doesn't surprise you, does it?
Mr. Fenzel. No.
Mr. Burr. Let me ask you, Mr. Podonsky--let me just read
the conclusion of that paragraph:
They indicated that without formal accountability,
counterintelligence reviews are much more difficult because it
is not feasible to determine specifically who had had access to
certain design information. They also cite the Cox Commission
report as a basis for reinstating formal accountability.
I mean, is that an accurate depiction in your report of the
lab directors and their requests?
Mr. Podonsky. As far as we know, everything that we put in
our report is valid.
Mr. Burr. Is it not difficult to turn around and blame the
lab managers if they have been out there formally requesting
reinstituting some of the accountability methods? I am not
saying that you are accusing them, but there certainly are
some.
Mr. Podonsky. Congressman Burr, as you have heard me state,
we have been in this Department--I have been in the Department
for 16 years, and we have been writing on a lot of these issues
for as many years as I have been here. So clearly there is a
frustration that there is a tendency in the Federal Government
that there is always fingerpointing as to who is responsible.
And clearly in our collective opinion, from an oversight,
laboratories have the responsibility and so does DOE. There is
a shared responsibility here. As our colleagues from GAO have
pointed out, is the requirements don't say that you can't go
above what those--what the standard is. You can raise the bar.
In some cases the labs have done that.
Mr. Burr. They in fact have, and I think you point out very
clearly in your report, and let me just read on page 6: The
current national requirements for controlling classified matter
are not as stringent and clear as needed in light of DOE's
particularly sensitive nuclear weapons-related information.
Improvements in policy are needed to further enhance security
at DOE sites.
And then on page 10: In many cases in the past, independent
oversight had determined that sites were complying with the
established requirements but that the security interests were
not provided sufficient protection because the applicable DOE
policies are not sufficiently clear or comprehensive.
I guess I would ask of you, given that they had exceeded
where they thought they understood it in the other areas, how
much of a problem was the fact that the guidelines were unclear
or that improvements in the policy were needed?
Mr. Podonsky. We believe that clearly there can be more
granularity to the DOE requirements so people understand,
without exception, what the requirements are meant to be.
However, we also believe that there is--while you can have good
policies, it is also the implementation of those policies. So
there are two sides to this: How are the policies being
implemented? And are the policies really clear?
Mr. Burr. I am going to respect the chairman's time.
Mr. Upton. You better.
Mr. Burr. It is not too difficult to understand if a lab
director says we didn't know something was our responsibility.
There are some things that are unclear relative to the
guidelines where one might understand how they came to that
conclusion; is that accurate?
Mr. Podonsky. I think in some areas you can say that, but
mostly I would harken back to there needs to be a core value of
security applied, just like safety. It is everybody's
responsibility, and the fact that people have a clearance, they
have accepted a certain responsibility, and that means
accountability as well.
Mr. Burr. I think the lab directors will agree with you, as
would these members.
I yield back, Mr. Chairman.
Mr. Upton. Dr. Ganske.
Mr. Ganske. I would like to go to this chart for a few
minutes. Some things I think are self-explanatory. Frequency of
inventories in 1988, every 6 months; in 1995, annually; and
then 1998, requirement discontinued. Accountability record
required in 1988 and 1995, and then discontinued.
Unique identification number, I think probably everyone
understands. What does the Top Secret control officer do or
did?
Mr. Wells. A Top Secret control officer was basically
performing custodial duties and was ultimately charged with the
responsibility for Top Secret documents. He was the accountable
guy. He was the one that said, I know where this document is; I
know where it is stored; I know who had it, and I know when it
was put back. That was the basic thrust of that position
responsibility.
Mr. Ganske. And that----
Mr. Wells. Top Secret.
Mr. Ganske. [continuing] control officer was able to do
that because he or she had end-of-the-day verification?
Mr. Wells. He had a responsibility to certify at the end of
each day.
Mr. Ganske. Had an access record?
Mr. Wells. Who was entitled to look at a document or check
a document out.
Mr. Ganske. And there were receipts for internal
distribution?
Mr. Wells. That's correct.
Mr. Ganske. But those things were discontinued in 1998?
Mr. Wells. 1992----
Mr. Ganske. Some were discontinued in 1995?
Mr. Wells. Yes, Top Secret, some in 1995.
Mr. Ganske. And some in 1998?
Mr. Wells. Yes, some in 1998.
Mr. Ganske. Then we have here, approval for reproduction,
copying documents, in 1988, required; 1995, required; in 1998,
requirement discontinued.
Mr. Wells. Discontinued, that's correct.
Mr. Ganske. Where was this copy machine that the disk
drives were found behind? Where was that located?
Mr. Wells. We don't know that. We are basically waiting for
the investigative team to get through. We understand it might--
well, do you know?
Mr. Podonsky. No, we have not been into the area of X
division since the investigation started.
Mr. Ganske. Doesn't it strike you gentlemen as sort of
unusual that we have a copy machine there, we don't have any
method to determine who is checking out this stuff or copying
it, taking copies wherever? Not very good security, is it?
Mr. Wells. It does not appear to be. Even if you were an
originator of the document, the intent was to ensure that your
document--you became aware of how many of those documents were
out there and who had them. Even that's been lost.
Mr. Ganske. All right. Well, we had a bunch of changes here
in 1995, and then in 1998. The Secretary of Energy back in 1995
was Hazel O'Leary. Did she give--did she sign off on these
changes? Do you know whether she did or did not?
Mr. Wells. The 1995 date was to correspond with the
revision of DOE's security manual. So whichever office
secretary signed the security manual in 1995, which again was
updated and there were additional changes in 1998, it was put
out under a DOE cover and was signed by some top official in
the Department of Energy. I don't have those documents with me.
Mr. Ganske. So I mean, it could have been an Under
Secretary?
Mr. Wells. Yes, that's correct.
Mr. Fenzel. It could have.
Mr. Ganske. Should not something of this importance also be
reviewed by the Secretary? Would any of you care to answer
that?
Mr. Podonsky. From my experience in the Department, up
until this Secretary, and with the exception of Admiral Watkins
in the 1990 period, we did not have a Secretary that really
focused on security in the Department.
Mr. Ganske. Okay. Well, 1998, I believe the Secretary was
Mr. Pena. Is that correct?
Mr. Wells. Yes.
Mr. Ganske. Okay. So we had a whole bunch of requirements
discontinued in 1998. Am I to assume that Mr. Pena did not sign
off on these, or do you know?
Mr. Podonsky. I don't know.
Mr. Wells. I do not know.
Mr. Ganske. Would it be your recommendation that when we
are dealing with changes in security requirements that the
Secretary take a personal interest and review these before this
becomes Department policy?
Mr. Wells. Absolutely. I think if anything, from a lessons
learned standpoint of the many years we have looked at these
problems, it continues to concern us--and I used the word
``mindset'' that was mentioned earlier--about the lack of
attention and perhaps lack of a priority that's been placed on
some of these security matters.
Mr. Ganske. One last question, Mr. Chairman.
Now, you mentioned an Executive Order, I believe, in your
testimony, that was for changes. When was that Executive Order
issued? Was it 1995, 1998?
Mr. Podonsky. There is an April 1995 Executive Order
entitled Classified National Security Information, and that was
April 17, 1995, that was issued.
Mr. Ganske. Okay. Now that's signed by the President,
right?
Mr. Podonsky. Correct.
Mr. Ganske. The President should receive, you know, a
recommendation, I would think, from the Secretary of the
Department of Energy before he would sign an Executive Order
like this. Would that be your impression?
Mr. Podonsky. I would imagine that would be the case.
Mr. Ganske. Do we know whether that happened or not?
Mr. Podonsky. We have not seen any paper trail to that
effect.
Mr. Ganske. Are you looking for that, for this committee to
try to find out how to improve this situation in the future?
Mr. Podonsky. We issued an interim report, as you probably
are aware, and when we continue on with the Los Alamos piece we
will complete the whole package and one of the things that we
have is we are trying to put together the entire trail from
1990, from the original President Bush direction on the
National Security Council to present, as to how this whole
thing evolved.
Mr. Ganske. Is it your current recommendation that these
discontinued requirements be reinstituted?
Mr. Podonsky. That's our recommendation to the Secretary.
Mr. Ganske. Has that--what has happened since your
recommendation?
Mr. Podonsky. The Secretary's response to our report was to
immediately turn to the policy folks and tell them that they
need to take a look at implementing this right away.
Mr. Ganske. Just to take a look, not to do it?
Mr. Podonsky. They need to take a look at what the
implications are going to be, so consequently they are--and I
think the second panel can probably testify to more current
what they are doing with those recommendations.
Mr. Ganske. Since we have lost the disk drives there has
not been a reinstitution of these requirements to date?
Mr. Podonsky. No, there was guidance put out and
requirements put out by the Secretary on June 19 and further
followed up by General Habiger on June 23. So they did start
tightening up right now.
Mr. Ganske. Thank you, Mr. Chairman.
Mr. Upton. Mr. Bryant.
Mr. Bryant. Thank you, Mr. Chairman. You may have already
stated this but I would ask unanimous consent to put my
statement in the record.
Mr. Upton. It has been done.
Mr. Bryant. Thank you.
I thank the panel for being here and the second panel. I
apologize for not being here on time and probably leaving early
also because we do have conflicting committees, and we have to
go back and forth between these.
Mr. Podonsky, you may have--I know we have been talking
about this already around this subject, but you note in your
report the absence of specific requirements, the Department of
Energy sites often decide to implement only the minimum
requirements because of cost concerns. Can you elaborate on
this point and indicate whether you are aware of instances in
which DOE or the sites have refused to fund proposed control
requirements beyond this minimum standard?
Mr. Podonsky. I realize in our report we talk about minimum
standards, and perhaps it is the complexity of the English
language but what we have found is that the--while the
standards that are out there are needing of clarity that if
implemented properly we think that they are good standards,
they need to be raised to be--account for what they call the
graded approach so that different types of information can be
afforded the protection commensurate with that sensitivity of
the information that we are talking about.
But we have seen over the years that if left to open
interpretation of what the requirements are, then we are
basically, as an agency, leaving potential vulnerabilities as
to whether enough is enough or when you have too much security
applied.
So our recommendation to the Secretary and to General
Habiger is that we recommend that they revisit and reinstitute
an accountability system similar to what we had back in the
early--the early 1990's and late 1980's. That's not to say that
we don't want the Department to take into accountability the
technology that can be used today, but clearly accountability
of some of our most sensitive information needs to be
reinstated.
Mr. Bryant. I think I agree with you. I notice that you
mentioned specifically problems with lack of specificity and
clarity in DOE orders, and then combined with the system I
would say minimum requirements and couple that with the cost
reimbursement nature of DOE's contracts with labs, this all
seems to work together in effect to create a race to the
bottom, so to speak, on the security issues.
Again, Mr. Podonsky, could you address this need-to-know
issue and what more needs to be done by the Department of
Energy and the labs in this area?
Mr. Podonsky. Need to know is an old standing requirement
of a lot of government agencies dealing with sensitive
information, and our position with the Department is that the
need to know needs to have some additional clarity to it for
individuals that have the responsibility. Say for a program
manager in a vault, if that custodian or program manager needs
to be able to determine who has access to that vault, need to
know needs to be established, but rather than just limit it to
the individual accountability and saying, okay, you are the
manager, you determine what need to know is, we think there
needs to be a little higher degree of granularity as to what
the Department expects.
For example, and this is just an example, if somebody has
daily access to information, they probably have a need to know,
but if they only have occasional need for that information
perhaps they don't have a regular need to know.
So that needs to be discussed further with the policy group
in the Department of Energy, but we feel that need to know over
the past couple of years has been left to pretty much the
interpretation of the individuals that are executing that. And
while they have the ultimate responsibility to execute that, we
also think there needs to be clear guidance from the
Department.
Mr. Bryant. Do you--and my last question to you, are you
satisfied with the Department's response to your recent
recommendations on tightening controls on classified matter?
Mr. Podonsky. We believe that the initial steps that the
Secretary and General Habiger are taking are, in fact, in the
right direction and we are going to be closely monitoring that.
We would like to see a continued evolution of that.
Mr. Bryant. Thank you.
Mr. Upton. Thank you.
Mrs. Wilson, though not a member of the subcommittee but a
member of the full committee, you have been allowed to
participate in other subcommittee hearings, I need to ask
unanimous consent. Do you desire that?
Mrs. Wilson. Yes, Mr. Chairman.
Mr. Upton. I would make a request, a unanimous consent
request, that you may ask questions as part of this hearing
today. Any objection?
Mr. Stupak. No objection.
Mr. Upton. Thank you. Mrs. Wilson, you are recognized for 5
minutes.
Mrs. Wilson. Thank you, Mr. Chairman.
I am interested in this question of policy and compliance
with policy, and I note from the records from up here that
General Habiger testified last month before the House Armed
Services Committee that the national labs were in full
compliance with DOE security policies. I believe that was
before the most recent incident at Los Alamos.
And then we have a significant change in security policies
on June 19. And subsequently some very specific changes to what
the minimum requirements are on everything from data bases to
vault security to whether things are classified properly and
how to--how to encrypt data and so on and so forth.
Mr. Podonsky, is it your view as well that Los Alamos and
Sandia and Lawrence Livermore were in compliance with the
security policies at the time General Habiger testified to
that?
Mr. Podonsky. As exemplified by our most recent review that
the Secretary directed at Livermore and Sandia and Los Alamos,
the answer is, yes, we found that they were in compliance with
the DOE, what we call the minimum requirements that the DOE
has. Los Alamos we still need to go back up to, but we haven't
finished that because of the FBI investigation. However, before
you came in I also made a statement that you can be in
compliance but it is also more--equally as important is how
those requirements are being implemented. It's the practice
that's also important. We can tighten up all of these
requirements, and I hope that we do. I believe we will. But
that still doesn't take into accountability the individual
error that either is deliberate or by sloppy practice.
It is the human factor. These people that are cleared to
have access to this information, have a need to work with
information, and as long as they have that need to work with
that information there is always going to be the reliance on
the individual. That is something that you can never have an
absolute.
Your question is, are they in compliance? Yes, as far as we
can tell, they are in compliance.
Mrs. Wilson. But it was the Department of Energy's view
that the standards needed revision following that incident. I
guess what I am getting at is, they were in compliance with the
standards before this happened. There has been a significant
revision of standards by the Department of Energy after it
happened. So really this is a question of what our security
policy is in the Department of Energy, isn't it?
Mr. Podonsky. And I would defer that to the second panel
for General Habiger, but over the years, as I also made a
statement earlier, we have been encouraging the Department to,
instead of going down the path from 1990 to where we are today
of decreasing requirements but go back to the path that
Secretary Richardson and General Habiger are now taking the
Department in increasing the requirements.
Mrs. Wilson. Since when?
Mr. Podonsky. Since 1991.
Mrs. Wilson. But we have seen the decline through 1998. I
mean, since when have you been encouraging things to go back in
the other direction?
Mr. Podonsky. We have correspondence to the policy group of
this Department from 1991, 1992, 1993, 1994, and again up until
this past year a lot of what we were reporting on was not
necessarily heeded.
Mrs. Wilson. In other words, you were ignored when you said
we needed to have higher standards?
Mr. Podonsky. I did not want to say that, but yes.
Mrs. Wilson. Thank you, Mr. Chairman.
Mr. Upton. Thank you. We will start a second round.
Mr. Podonsky, I know that you have not been allowed to go
back to Los Alamos while the FBI is conducting the
investigation. Have you visited the other two labs?
Mr. Podonsky. Yes, we have.
Mr. Upton. What is your reaction as to trying to make sure
that something like what happened at Los Alamos doesn't happen
at one of the other two labs? Have they tightened up their
security? Have they made some changes that would prevent
something like the missing disks, the hard drives from
happening again?
Mr. Podonsky. Yes, sir. We believe that the other two
laboratories that we reviewed in a very short period of time
have tightened up their security, and we don't believe--
especially with the further initiative that the Secretary
directed on June 1, we don't believe that that is likely to
happen. But, again, nothing is an absolute.
Mr. Upton. Now, one of the chart lines, and I touched on
this a little bit earlier, the Top Secret control officer is
not a requirement. Do any of the three labs actually have a Top
Secret control officer?
Mr. Podonsky. At Sandia they are controlling TS and they
have been controlling TS, Top Secret, and to a lesser extent at
Livermore. Whether or not they have a Top Secret control
officer, I don't know. I would have to find out.
Mr. Upton. Okay. I want to read just a couple of comments
from the redacted version of the GAO report and get your--from
the Podonsky report, and get the reaction by both of you.
DOE policies make no real distinction between documents and
electronic media with respect to storage and control. Most of
the requirements in DOE orders were written before the advances
in cyber technology and were primarily developed with paper
documents in mind. There has been little revision of the orders
or manual that reflect technology advances, and it goes on and
says in some instances large vaults containing many types of
information that had no additional partitioning such that
anyone with access to the vault would have access to any of the
information therein with no explicit provisions for need to
know, and a couple of pages later it says although there are
some differences the minimum protection requirements for Top
Secret are not significantly more stringent than those for
Secret or Confidential.
Isn't that the bottom line problem that we had at Los
Alamos? Mr. Podonsky?
Mr. Podonsky. Yes, sir, it is.
Mr. Upton. Do you believe that there--and Mr. Wells, do you
have a comment in that regard, too?
Mr. Wells. Clearly, you cannot think of fax machines, you
cannot think of e-mails and then turn around and look at DOE's
security manual, which clearly strikes you as being old
fashioned and out of date.
Mr. Upton. Have any of you seen any evidence that DOE's
orders even acknowledge the dramatic changes that were under
way with this information change in technology during that last
number of years?
Mr. Wells. No, we have not.
Mr. Upton. Mr. Podonsky?
Mr. Podonsky. We have seen anecdotal evidence that there
are changes taken about as we inspect the cyber security.
Mr. Upton. What did your teams observe with respect to how
the other two labs were handling NEST material and other
similar assets and what do you attribute those differences to?
Mr. Podonsky. We did not go into great detail into the
investigation into NEST because of the FBI desire to expand the
scope of their investigation to include all NEST activities,
but what we did look at, we did find that there was good
procedures--that they were following the DOE procedures that
were established.
Mr. Upton. At some point--I mean, I don't know at what
point the FBI will allow you back in, but are you planning to--
--
Mr. Podonsky. Yes, sir, we are not only planning to go back
to Los Alamos, we are also going to do a specific inspection of
the entire NEST operation of all the locations that the DOE
has.
Mr. Upton. Do you expect that to happen in the next couple
of weeks before the summer is out? What is your timetable?
Mr. Podonsky. We expect to go back to Los Alamos at the
time that we can go back in when the investigation is complete.
In terms of the NEST inspection, we plan to do that before the
fall.
Mr. Upton. Had the hard drives been designated as Top
Secret versus Secret, do you think they would have been
missing?
Mr. Podonsky. I don't have the information on what the
particulars are in the investigation and whether they would
have been missing or not.
Mr. Upton. Mr. Wells?
Mr. Wells. While I could not speculate, clearly looking at
the two charts many of those document control requirements,
whether it be Secret or Top Secret, are not a requirement. So
one could speculate that they perhaps might still be missing.
Mr. Upton. Thank you.
Mr. Stupak.
Mr. Stupak. Thank you, Mr. Chairman. When I asked questions
earlier, we sort of established that these minimum controls
were not only in DOE but NSA, CIA, private contractors,
correct?
Mr. Wells. We were told that the changes that were
initiated in 1992, 1995 and 1998 were in response to trying to
get uniformity across the government, yes.
Mr. Stupak. Sure. So the breaches we have had here in
security in Top Secret could have happened in any one of these
agencies, departments, even from private government--I mean
private contractors, correct?
Mr. Wells. We understand that the chart was prepared for
only looking at and assessing the DOE orders. We, the GAO audit
team, had not looked at the other DOD-type orders or
requirements to confirm that they are similar.
Mr. Stupak. Okay.
Mr. Podonsky, it could have happened somewhere else other
than DOE?
Mr. Podonsky. We believe that to be the case, irrespective
of what the chart shows.
Mr. Stupak. In fact, the Walker spy case did not involve
DOE but that was one where they made copies of classified
documents on copy machines and gave them away because we had
these so-called minimum standards, correct?
Mr. Podonsky. I believe that to be the case.
Mr. Stupak. You are nodding your head yes, but you have to
give something verbal so we can record it.
Mr. Podonsky. Sure.
Mr. Stupak. I know when I shake my head, it rattles once in
awhile.
Mr. Podonsky. Mine doesn't rattle, sir.
Mr. Stupak. But the minimum controls, that would also apply
to University of California and the labs, correct?
Mr. Podonsky. Correct.
Mr. Stupak. Even though the director of DOE may be--a
Secretary may only be there less than 2 years, these contracts
are 5 years so even if there is a change in Secretary, the
contract still must be fulfilled by the labs to these minimum
standards, correct?
Mr. Podonsky. Correct.
Mr. Stupak. Regardless of what the minimum controls are, I
would hope that the labs don't feel that even though we have
these minimum controls that does not give them a right to lose
documents or to lose hard drives, things like that; correct?
Mr. Podonsky. Correct.
Mr. Stupak. And I would hope that if you are doing a
contract, whether it is with the government or private
industry, you would always try to perform to the maximum
potential of a contract and not the minimum levels of a
contract; correct?
Mr. Podonsky. Correct.
Mr. Stupak. All right. Mr. Podonsky, in your testimony you
indicated that Secretary Richardson has put in four things, and
I summarized them briefly as accountability, graded approach,
need to know limited access and human liability. That is just
when I was taking my notes there.
You have indicated that the graded approach to protecting
classified material should be implemented. Under this approach,
some Top Secret documents would have more restrictions than
others. In the next panel, Mr. Aftergood is probably going to
testify about the higher fences initiative. Are you familiar
with this, the higher fences initiative?
Mr. Podonsky. I am vaguely familiar with the initiative.
Mr. Stupak. Is this a similar concept to the graded
approach?
Mr. Podonsky. I believe it is.
Mr. Stupak. Could you explain a little bit more clearly to
me what you mean by this graded approach?
Mr. Podonsky. The Department has in place and has had for
some time now the concept of graded approach, which means that
the sites have to protect documents according to the type of
information that's there.
So, in other words, not all secrets that we hold in this
country should be afforded the same type of protection. So the
graded approach is meant to allow folks--allow the people that
have to be accountable for the maintaining of these sensitive
or classified documents at a higher level.
Mr. Stupak. So the graded approach is not just the site
specific but also what happens internally within that site?
Mr. Podonsky. Yes.
Mr. Stupak. Okay. Thank you.
Higher fences, if I remember correctly, was one of the
recommendations of Secretary O'Leary's Interagency Fundamental
Classification Review submitted in 1996. Since the Department
of Defense shares much of this information, DOE has been
negotiating, and I understand unsuccessfully, with the
Department of Defense since 1997 over what should be included.
But the whole effort appears to be dead at this point because
DOD says it costs too much and has operational impact.
Can DOE implement the graded approach when DOD refuses to
have the same level of security for the same documents if we
are talking about these minimum requirements and graded
approach? Can you apply it?
Mr. Podonsky. General Habiger would be more equipped to
answer that but I will answer that from our perspective, and
irrespective of what DOD is willing to do or not do, I think
this agency should take the initiative and raise the bar on its
own requirements.
Mr. Stupak. Okay. Thank you, Mr. Chairman. I will yield
back.
Mr. Upton. Thank you.
Mr. Burr.
Mr. Burr. Thank you, Mr. Chairman. Mr. Chairman, I referred
to a letter earlier from the lab directors to Secretary Moniz
at the Department of Energy on 3-1-99. I would ask unanimous
consent that that be entered into the record.
Mr. Upton. Without objection.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T7110.001
Mr. Burr. Mr. Podonsky, you referred earlier to the fact
that Secretary Richardson had implemented a number of new
security policies, some recent, some last year, when the first
incident at Los Alamos took place. One of them was the
polygraph. Has anybody been polygraphed?
Mr. Podonsky. Yes, sir. I can tell you personally that
almost my entire office has been polygraphed.
Mr. Burr. Your office, the investigators have been
polygraphed. From the standpoint of the original scope of who
was to be polygraphed, individuals at the labs, has that taken
place?
Mr. Podonsky. I believe it has, and again I would defer to
the second panel for the specific numbers.
Mr. Burr. I will be sure to cover it with them.
Let me go back to your report and again read from page 6.
``Secretary Richardson has again taken prompt and aggressive
action to address residual weaknesses that have become apparent
in the course of security incidents. On June 19, 2000, the
Secretary issued directions to enhance classified matter
protection. For example, he specifically required nuclear
weapons laboratories to immediately implement measures for
better control entry and egress to vaults, including mandating
that logs be kept.''
I take it that was a directive from the Secretary that you
are referring to?
Mr. Podonsky. Yes, sir.
Mr. Burr. Let me ask you, if the labs were responsible for
security, why would it need a secretarial mandate or referral
to address specifically those vaults?
Mr. Podonsky. Well, because since there was no requirement
prior to that.
Mr. Burr. But there was a request prior to that, correct?
Mr. Podonsky. I am not following the request.
Mr. Burr. Did you find at any time that any of the labs had
tried to upgrade the security to their vaults?
Mr. Podonsky. There were anecdotal examples that the teams
have found that they were upgrading at Sandia and to a lesser
extent to Livermore.
Mr. Burr. In one case, if I remember, at Sandia, it was met
by the Albuquerque office with ``we won't pay for the upgrade
in security.''
Mr. Podonsky. I am not familiar with that.
Mr. Burr. We will get into that later. Let me again go to
your report on page 14. ``The recent independent oversight
review concluded that the laboratories had addressed identified
weaknesses,'' parenthesis, ``including long-standing weaknesses
with classified parts, met DOE's expectations defined in the
goals posted in the goal post memorandum and generally met
current DOE requirements.''
Now we are talking about moving the security totally
outside of these contractors and possibly renegotiating a
contract with contractors where security is done by a third
party, I take for granted, is the initiative. Let me just ask
you, honestly, will this work if that's all we do?
Mr. Podonsky. I guess, Congressman, to get to the heart of
the answer to your question, I would say that no matter what we
put in place, in this Department or any other agency, it goes
back down to whether people are going to be held accountable
for violating practices, how those practices are put into
place. If you go to a third level contractor, I can only give
you a personal opinion, and my personal opinion is it is
dependent on the management of that contract and how people are
held accountable for that contract.
We have seen a variety of examples of contracts in the
Department. Some work better than others. A lot of it is driven
by the individual at the top.
Mr. Burr. Have you ever done an evaluation or study of the
Albuquerque office as related to their involvement in the
security at the two labs they are responsible for?
Mr. Podonsky. Yes, sir, we have.
Mr. Burr. And what was your finding, if you could just
summarize that?
Mr. Podonsky. Dependent on who the field office manager was
at the time which is responsible for the Albuquerque operation,
we found varying degrees of effectiveness from the Albuquerque
office.
Mr. Burr. Is it safe to say that Albuquerque was fully
aware of the intricacies of the NEST program?
Mr. Podonsky. I don't know.
Mr. Burr. Would they have been fully aware of the security
requirements that the labs instituted at the vaults?
Mr. Podonsky. They should be, because they are required to
do an annual survey of the lab.
Mr. Burr. Is it safe to believe that Albuquerque DOE office
knew that that particular vault had shared resources in it?
Mr. Podonsky. I would assume that since the Albuquerque
office, as I said, does the annual survey of its sites that
they should have known what was contained in that vault.
Mr. Burr. Have you ever found anything that would suggest
that the Albuquerque office had concerns about the security
procedures in place at Los Alamos, specifically that vault?
Mr. Podonsky. Not specifically that vault.
Mr. Burr. NEST program?
Mr. Podonsky. I have not been made aware of that.
Mr. Burr. Is it safe to assume that Albuquerque knew that
at least in Los Alamos, and I believe true in all of the--in
Sandia as well, and I am sure I will be corrected later, knew
that no logs were required for access to those vaults?
Mr. Podonsky. I think there seems to be--I think it is safe
to assume that they knew that, but I also think that it is
clear from our going through the requirements that it is not
clear throughout the Department and the security community of
the Department as to what all the requirements are, because a
lot of the requirements have not been memorialized in policies.
A lot of them go back to memorandum, and that's why one of the
recommendations in our report was to also memorialize these
requirements into DOE orders.
Mr. Burr. If the chairman would allow me one last question,
is it safe for this committee to assume that the security
directives to these labs would be filtered from DOE
headquarters to the DOE field office and then to the labs or is
security a process that takes place only between headquarters
and the labs themselves?
Mr. Podonsky. It is supposed to work that they go--that it
goes through the lines. So General--the policy arm under
General Habiger would promulgate the policy and it would be
implemented by the new NNSA, General Gordon, and he in turn
would pass it down to the labs through the Albuquerque field
office.
Mr. Burr. I thank you for that. I yield back, Mr. Chairman.
Mr. Upton. Ms. DeGette.
Ms. DeGette. Thank you, Mr. Chairman. I apologize for my
tardiness. I know Mr. Green and I at least, probably a few
other members, are also downstairs at the YNY hearing. So thank
you. And I hope I don't repeat anything, but thanks for having
this hearing because I know a number of us at the last hearing
thought it would be important to have this and I appreciate it.
I think we should keep doing it until we hammer this thing out.
Mr. Podonsky, my first question, I guess, is that I was
reading Dr. Browne's testimony and he says that almost all of
Secretary Richardson's directives have now been instituted. You
have been at the labs quite often in the last year. How many of
these changes have you seen that have actually been instituted?
Mr. Podonsky. Most recently at Los Alamos we were not
allowed to come--prior to your attendance, I talked about the
fact that the FBI investigation was still ongoing.
Ms. DeGette. Right.
Mr. Podonsky. But for the most part what we have seen at
Sandia and Livermore, in the last month, is that most all of
the Secretary's initiatives have been, if not started, they are
well underway.
Ms. DeGette. Do you know when they were started?
Mr. Podonsky. No. I would have to go point by point to see
which ones, but while we were at the site and--both sites,
Sandia and Livermore, last month, when the Secretary's memo
came out they immediately started initiating corrective action.
Ms. DeGette. So that was last month?
Mr. Podonsky. June 19.
Ms. DeGette. And what about before June 19, do you know how
many had been instituted?
Mr. Podonsky. Everything that we have seen, when the
Secretary first created our office to go out last--starting
last May, everything that we saw promulgated from headquarters
was at some stage being implemented.
Ms. DeGette. What about the integrated safeguards and
security management system that's supposed to raise employees'
security awareness levels? Have you looked at the
implementation of that in any of the labs?
Mr. Podonsky. We, before we were doing security, we looked
at integrated safety--integrated safety management and the
concept has resonated well enough throughout the Department
that I know General Gordon and General Habiger have been
talking about having the same concept of integrated security
management.
Ms. DeGette. Right.
Mr. Podonsky. It is still in the conceptual form. There is
a lot of acceptance to that, but it has not been implemented.
Ms. DeGette. Do you know if there is a timeframe for
implementation? Because I thought the standards had been agreed
upon and that they were starting to implement it.
Mr. Podonsky. I would have to defer to the second panel.
Ms. DeGette. Okay. So you don't know?
Mr. Podonsky. No.
Ms. DeGette. The Rudman Report concludes that to have safe
and successful security management systems mean that the
security staff have a voice in every management decision and a
voice equal to that of the program people. Is that model in the
new management system that you know of?
Mr. Podonsky. I am not aware of what it is comprised of.
Ms. DeGette. So you don't even know anything about the
system?
Mr. Podonsky. Not in its present state.
Ms. DeGette. Okay. Who would know about that?
Mr. Podonsky. I think perhaps General Habiger or General
Gioconda or perhaps even the lab directors might be able to
address that.
Ms. DeGette. Mr. Wells, do you know anything about this
system?
Mr. Wells. At the request of this committee, we have been
on the job a couple of weeks and we bought our airline tickets
and we are heading out.
Ms. DeGette. So you haven't even----
Mr. Wells. We will look at it.
Ms. DeGette. All right. Okay.
Now, Mr. Podonsky, back to you, over the years DOE has
significantly relaxed its inventory controls over Secret and
Top Secret documents in order to be consistent in the way that
the Defense Department and other agencies handle this
classified material.
As I looked at your testimony before I came in today, this
change did not originate in the DOE but at the National
Security Council in 1990. Can you explain why there had to be
one industrial security standard? Where did the push for that
come from?
Mr. Podonsky. All I can tell you from my reading of the
documents and my staff's reading of the documents was that
President Bush asked the National Security Council to prepare a
comprehensive review to explore the development of a single
industrial security program and determine whether there could
be cost-benefits of aligning the private sector with the
government. It was in an effort, as far as we could tell, for
both the cost savings and also to bring--to bring into control
whether or not we protected all secrets and to, what we talked
about, have a graded approach where those more sensitive
documents or information were protected at the same standard.
Ms. DeGette. And I assume that some of that push or at
least there was support from the industry, from the outside
contractors who had to comply with various different standards;
would that be accurate?
Mr. Podonsky. I would conclude that that would be the case.
Ms. DeGette. Do you think here today that industrial
security is as tight as national security should be? Is there
accountability, do you think, for the most secret documents?
Mr. Podonsky. Not for--when you look at the Department of
Energy, the Department of Energy is unique in the type of
information it has. So while we believe that there can be a
more even playing field for industrial security for some of our
resources, the most sensitive documents that are contained, and
information contained in the Department, need to have a much
higher standard.
Ms. DeGette. Now, what about documents that have been given
up decades ago by the Defense Department? Where is the
accountability for those? Do you know?
Mr. Podonsky. I have no idea.
Ms. DeGette. Now, last September you wrote a memo to
General Habiger telling him that the biggest security threat
was from the active insider.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T7110.002
[GRAPHIC] [TIFF OMITTED] T7110.003
Ms. DeGette. You said there were not adequate steps to deal
with the active insider, and I know this is a concern that a
lot of people on this panel and other places have. What steps
did you have in mind?
Mr. Podonsky. Well, as General Habiger actually has already
begun to take this--you are talking about the human reliability
program, and what I can say in open session here is that they
have already taken steps to combine some programs to further
enhance the reliance on the human reliability program.
When you talk about threats in security, you talk about an
external threat and you talk about an internal threat. An
external threat is protected against various things such as
barriers, a security force, fences, alarms, sensors. When you
talk about internal, you talk about access controls,
clearances. And as we have talked about before your arrival,
one of the things that's vitally important to take into
consideration is while there is never going to be an absolute
there is going to be a reliance on the individual responsible
for maintaining their security responsibilities.
A lot of these people that we are talking about, where
there are violations, are actually creators of the information
that we are talking about. So there is intellectual property
that one needs to take into consideration as well. Our
comment----
Ms. DeGette. Yes, but, you know, the guy who invented Coca-
Cola was subject to company security policies that he not
reveal that formula even though he thought of it.
Mr. Podonsky. And for the most part, I believe that--I
don't have the statistics but I would believe you would find
that for the most part the Department has been--has a pretty
good track record in terms of the individuals, now that
notwithstanding the aberrations that we have seen over the last
14 months.
Ms. DeGette. Yes, but just to finish up, the problem is
when you had the aberrations over the last 14 months that can
undermine our national security network.
Mr. Podonsky. And that----
Ms. DeGette. You have to set up a system, as you say, both
external and internal, that's going to eliminate, as much as
possible, chances for problems, because even one problem can be
devastating.
Mr. Podonsky. Correct, and that's why we wrote the letter
to General Habiger to encourage them to take another look at
their controls against the insider.
Ms. DeGette. Thank you, Mr. Chairman.
Mr. Upton. Dr. Ganske.
Mr. Ganske. I have here Executive Order 12958, dated April
17, 1995, signed by President Clinton. It deals with the
classified national security information.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T7110.004
[GRAPHIC] [TIFF OMITTED] T7110.005
[GRAPHIC] [TIFF OMITTED] T7110.006
[GRAPHIC] [TIFF OMITTED] T7110.007
[GRAPHIC] [TIFF OMITTED] T7110.008
[GRAPHIC] [TIFF OMITTED] T7110.009
[GRAPHIC] [TIFF OMITTED] T7110.010
[GRAPHIC] [TIFF OMITTED] T7110.011
[GRAPHIC] [TIFF OMITTED] T7110.012
[GRAPHIC] [TIFF OMITTED] T7110.013
[GRAPHIC] [TIFF OMITTED] T7110.014
[GRAPHIC] [TIFF OMITTED] T7110.015
[GRAPHIC] [TIFF OMITTED] T7110.016
[GRAPHIC] [TIFF OMITTED] T7110.017
[GRAPHIC] [TIFF OMITTED] T7110.018
[GRAPHIC] [TIFF OMITTED] T7110.019
[GRAPHIC] [TIFF OMITTED] T7110.020
[GRAPHIC] [TIFF OMITTED] T7110.021
[GRAPHIC] [TIFF OMITTED] T7110.022
[GRAPHIC] [TIFF OMITTED] T7110.023
[GRAPHIC] [TIFF OMITTED] T7110.024
[GRAPHIC] [TIFF OMITTED] T7110.025
[GRAPHIC] [TIFF OMITTED] T7110.026
[GRAPHIC] [TIFF OMITTED] T7110.027
[GRAPHIC] [TIFF OMITTED] T7110.028
[GRAPHIC] [TIFF OMITTED] T7110.029
Mr. Ganske. Now on page 3, there is something that bothers
me a little bit because it says, for classification under
section 1.3, that if there is any significant doubt about the
appropriate level of classification it shall be classified at
the lower level.
That bothers me a little bit. But as I have briefly perused
this, you know, the closest I can come to the order for these
changes that occurred with the requirements discontinued for
various types of security arrangements, is on page 18, in which
it says, each agency head shall establish and maintain a system
of accounting for special access programs consistent with
directives issued pursuant to this order.
My question to you gentlemen is: No. 1, are you familiar
with this Executive Order? And No. 2, am I missing something in
this Executive Order?
I do not see in this Executive Order specifics for
discontinuance of, let's say, approval for reproduction. I
don't see specifics for discontinuance of Top Secret control
officers. This is a much more general document.
Am I correct in reading this document?
Mr. Podonsky. Yes, you are.
Mr. Wells. Yes, you are.
Mr. Fenzel. Yes.
Mr. Ganske. Okay. Well, I am getting kind of frustrated
because I am trying to figure out who is responsible for these
changes. Now this is a generalized Executive Order, so these
types of specifics aren't in this Executive Order. Who
specifically directed that, for instance, the approval for
reproduction of documents, which was required in 1995, would be
discontinued? Can you gentlemen tell me that?
Mr. Fenzel. My guess is DOE is responsible because in 1998
there was a----
Mr. Ganske. Well, who in DOE gave that order and where is
the paper order for that?
Mr. Fenzel. I don't know who signed. I don't know who
signed. We can go back and look at the order, who actually
signed it.
Mr. Ganske. Would you please provide the committee with
that information?
Mr. Fenzel. We can provide that.
[The following was received for the record:]
Signers of DOE Orders
DOE-5635.1A: Control of Classified Documents and Information, 2-12-88
Signer: Lawrence F. Davenport, Assistant Secretary, Management and
Administration
Action: Initiated 100 percent inventory. Accountability over secret and
top secret documents
Jan. 30, 1992, Memo: Change in Requirements for the Inventory of
Classified Matter
Signer: Edward J. McCallum, Director, Office of Safeguards and
Security, Office of Security Affairs
Action: Periodic inventories of classified matter below top secret will
no longer be required when matter is maintained within a DOE-
approved limited or exclusion area.
May 15, 1992, Memo: Accountability Requirements for Secret Documents
Signer: George L. McFadden, Director Office of Security Affairs
Action: Secret matter is removed from accountability if it is confined
to a limited or exclusion area.
DOE 5635.1A Chg 1, Control of Classified Documents and Information, 6-
14-93
Signer: Linda Sye, Acting Assistant Secretary for Human Resources and
Administration
Action: Defines accountable matter as top secret matter and secret that
is maintained outside of limited or exclusion areas.
DOE M 471.2-1A: Manual for Classified Matter Protection and Control, 1-
9-98
Signer: Archer L. Durham, Assistant Secretary for Human Resources and
Administration
Action: Defines accountable matter as top secret or secret mater stored
outside of a limited area (or higher).
Mr. Ganske. We need to find out who that individual is and
we then need to ask that individual in a hearing who did he
talk to about that.
I want to find out similar information, who was the
individual in the Department of Energy that, for instance,
discontinued the requirement on copy and series designation?
Who changed the requirement on the Top Secret control officer,
because then we need to ask that individual who did he talk to?
Did he talk to the Secretary of the Department of Energy about
that? Did the Secretary of Energy at that time talk to the
President about that?
Look, I am getting tired of having these hearings and not
finding out who is responsible for this.
You can't blame it on this Executive Order except in the
generalized sense that it loosened--it allowed a loosening of
these, but this Executive Order, as I read it, doesn't deal
with this type of specifics.
So, gentlemen, I am asking you to provide to this
committee, within the next week or 2, the information, the
paperwork, from the Department of Energy on the specific memos
that went out to these laboratories saying that these
requirements which were in place in 1995 could be discontinued.
Can you give our committee that kind of information?
Mr. Wells. Yes, sir.
Mr. Fenzel. We should be able to.
Mr. Ganske. Is it there? Do you know if that information is
available?
Mr. Podonsky. I can't speak for GAO but, yes, we do believe
that there is a paper trail and we are still--we are still
gathering that now for the Secretary.
Mr. Ganske. How long will it take you to provide this
committee with that information?
Mr. Podonsky. We can do it within the week.
Mr. Ganske. I thank you very much and that's all the
questions I have.
Mr. Stupak. Could you provide us a copy of the Executive
Order you are speaking of?
Mr. Ganske. Sure.
Mr. Stupak. Thanks.
Mr. Ganske. Thanks.
Mr. Upton. Mr. Bilbray.
Mr. Bilbray. Thank you, Mr. Chairman.
I guess my question will go to the Department of Energy,
and I apologize if I seem to be approaching this from a
simpleton approach. Right now we have an individual supervising
a log system for access to the vault; is that what we have now?
Mr. Podonsky. Yes.
Mr. Bilbray. We reinstituted the log system?
Mr. Podonsky. Yes, General Habiger did reinstitute that
under the Secretary's direction.
Mr. Bilbray. The log system is supervised by an individual
who specifically checks identification and supervises the sign-
in and sign-out process?
Mr. Podonsky. That's what we understand. We have not gone
back out to inspect to make sure that that is how it is being
implemented.
Mr. Bilbray. How long ago did we implement this?
Mr. Podonsky. June 23.
Mr. Bilbray. So we assumed it has been but in the last
couple of weeks you haven't--no one has checked to make sure it
is operating the way it was directed?
Mr. Podonsky. No. Our oversight folks have not done that.
Perhaps the policy group in the next panel could tell you
whether they have actually done that.
Mr. Bilbray. Okay. Do we have any electronic inventory
tracking system on these documents?
Mr. Podonsky. I am not aware that that is the case right
now.
Mr. Bilbray. Okay. Do we have any video surveillance
systems on these documents or on the environs for access and
egress?
Mr. Podonsky. At some locations we might. I don't know
across the board.
Mr. Bilbray. Okay. So it seems like right now we are sort
of operating under a 1941 model of a piece of paper, people
sign in by a security person and sign out; basically a system
that would have been right at home to our fathers during World
War II and our mothers during World War II?
Mr. Podonsky. And again, Congressman, there may be other
pieces that are currently in place but the currency of my
teams, we came back off the road on June 23.
Mr. Bilbray. Okay. This change in the 1995--or the changes
we have seen over the last few years, why were these changes
made?
Mr. Podonsky. I don't have a good answer for you because we
asked the same questions.
Mr. Bilbray. I will tell you something. What I am concerned
about is that we can change systems, we can go through
procedures. What I am really worried about is the institutional
mindset of why were these changes made and who made them? What
were they thinking? Is this an attitude that now that the so-
called cold war is over that now don't worry about it? Was it
sloppiness or was there a real intention on the fact that this
is no longer--national security or national secrets are no
longer a high priority?
I think the biggest question is not the institutional--I
mean, not the structural system but the institutional mindset.
Like I said before, I am really worried that this is being
perceived as being a huge responsibility.
Mr. Wells, are we going to be looking at developing an
internal system within our own government structure? Are we
going to be looking at bringing the private sector into some
called-for proposals to see how we can upgrade this and make it
a system that's more compatible with this millennium rather
than 1941?
Mr. Wells. Cyber technology is here today. We need to catch
up quick in terms of what the requirements are.
Mr. Bilbray. You know, I mean I know right now from maybe
because San Diego is a high tech center that--I mean I have got
companies that use a strip about the size of a hair on every
one of their documents and anywhere that document moves
anywhere in the building they know exactly when and where it
was there. I am just wondering how are we going to gain access
to what the private sector has been using for over a decade and
use it for our most precious secrets? Is there any vehicle
being considered to be able to go out and draw on these
resources and have them participate in the development of the
new upgraded security mode?
Mr. Wells. Certainly I don't have an answer for you today
but we will certainly pose that question to our audit teams and
try to find out if there is something out there that would be
applicable to be used under these circumstances.
[The following was received for the record:]
We are exploring that question as part of our ongoing work.
Mr. Bilbray. I just hope those of us in government take
advantage of this knowledge. And the way to do it is not to go
out for bid, don't say what you want and how much it is going
to cost but go out for proposals and say bring us the best
packages you guys can develop so that you see exactly what's
out there. I think the call for proposal is the only
responsible way to go, but this is one member's opinion.
Thank you very much, Mr. Chairman, and I yield back.
Mr. Upton. Mr. Cox.
Mr. Cox. Thank you, Mr. Chairman. I thank our panel for
being with us.
Two weeks ago, Congress received a report of the Redmond
panel. Paul Redmond, of course, is well-known to you. He is one
of America's leading counterintelligence experts and was the
head of counterintelligence at the Central Intelligence Agency
until recently.
Have you all read this Redmond Report, the unclassified or
the classified version?
Mr. Podonsky. No, I have not.
Mr. Wells. No, I have not.
Mr. Fenzel. No, I have not.
Mr. Cox. I would like to ask you some questions about it
and so I will share it with you as part of the question so you
at least have the relevant portion to which to respond.
Mr. Stupak. Mr. Cox, I am sorry to interrupt, but do you
plan on putting that in the record then so we all have it?
Mr. Cox. Yes, we ought to add it to the record of this
committee. It has already been put on the Union Calendar and
introduced in the Committee of the Whole House.
Mr. Stupak. Okay. None of us have it here.
Mr. Cox. In fact, this is the House print of it. It is a
House document and that is, of course, only the unclassified
version of the report. It is dated as entered into the record
of the House June 21, 2000. But if the chairman agrees----
Mr. Upton. Without objection it will be made a part of the
record here.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T7110.030
[GRAPHIC] [TIFF OMITTED] T7110.031
[GRAPHIC] [TIFF OMITTED] T7110.032
[GRAPHIC] [TIFF OMITTED] T7110.033
[GRAPHIC] [TIFF OMITTED] T7110.034
[GRAPHIC] [TIFF OMITTED] T7110.035
[GRAPHIC] [TIFF OMITTED] T7110.036
[GRAPHIC] [TIFF OMITTED] T7110.037
[GRAPHIC] [TIFF OMITTED] T7110.038
[GRAPHIC] [TIFF OMITTED] T7110.039
[GRAPHIC] [TIFF OMITTED] T7110.040
[GRAPHIC] [TIFF OMITTED] T7110.041
[GRAPHIC] [TIFF OMITTED] T7110.042
[GRAPHIC] [TIFF OMITTED] T7110.043
[GRAPHIC] [TIFF OMITTED] T7110.044
[GRAPHIC] [TIFF OMITTED] T7110.045
[GRAPHIC] [TIFF OMITTED] T7110.046
[GRAPHIC] [TIFF OMITTED] T7110.047
Mr. Cox. It will also be included in the record of this
committee, as well it should be because it is precisely the
same topic and a great deal of work went into the preparation
of this report.
The Redmond Report finds two areas of greatest shortcoming.
The first is gaining employee acceptance of the polygraph
program and the second is counterintelligence awareness
training. With respect to the polygraph program, this is as of
2 weeks ago, the report states, the Department of Energy has
failed to gain even a modicum of acceptance of the polygraph
program in the laboratories.
With respect to counterintelligence, it states, the
Department of Energy's efforts to improve CI awareness training
have failed dismally.
Mr. Podonsky, do you share that evaluation?
Mr. Podonsky. I have no information to conclude that that
is accurate. The information that I have is that there has been
polygraphs being administered at the national labs, as well as
other organizations such as my own and General Habiger's. But
whether or not the counterintelligence program is effective or
being accepted or whether the polygraphs are being accepted, I
have no information.
Mr. Cox. The reason that the Redmond Report is concerned
with the lack of acceptance of polygraphs at the laboratories
is the lack of implementation. Can you tell us how many people
at Los Alamos, how many people at Livermore, how many people at
Sandia, have been polygraphed?
Mr. Podonsky. I can only ask you to defer that question to
the second panel.
Mr. Cox. Do you have a rough idea?
Mr. Podonsky. Just ballpark numbers which I wouldn't want
to quote because they are fourth party.
Mr. Cox. Well, the answer is not very many and we can go
into that with the next panel, but this program of polygraphing
sensitive employees in the most sensitive nuclear weapons
security positions is incipient. It is barely beginning and
there has been a great deal of temporizing and, according to
the Redmond Report, worse than that in putting the program into
place.
Let me share with you more of what he has to say and what
the panel has to say. First, the panel notes that Congress has
mandated these polygraphs and also the President of the United
States in President Decision Directive 61, which was issued in
February 1998. So even a few months before the Congress created
the Select Committee that issued its report on
counterintelligence and security at the national weapons
laboratories, the President of the United States had issued a
direct order to the Secretary of Energy to implement
polygraphing at the national laboratories.
That polygraphing, until very recently, had not even
commenced and now it has barely commenced.
The Redmond Report further states with respect to this that
Department of Energy headquarters personnel have made little
effort to consider the views of senior laboratory managers and
have not involved them in the planning process for determining
who will be polygraphed. I can say that the chairman of this
subcommittee, Mr. Burr and myself found this also to be true on
our field visits to the labs as members of this subcommittee.
The Department of Energy headquarters' efforts to meet with
the laboratory employees to explain the polygraph program have
been ineffective, if not counterproductive. To make matters
even worse, DOE headquarters, by vacillating and changing the
policy over time, appeared inconsistent, and I am sure where
the opposite is essential, to instill confidence in the program
parameters and professionalism. And the authors of this report
saw the same thing that the subcommittee members did when they
went to visits the labs. The scientists are wearing buttons
that say ``Just say no to polygraphs.'' Now these, of course,
are employees of the University of California, contractors to
the Department of Energy, in cleared positions.
Why is it that there is a direct order from the President
of the United States that this program go forward, a direct
legislative mandate from Congress and we can have a report in
June of 2000 that tells us that the Department of Energy not
only isn't doing it properly but is getting in the way?
Mr. Podonsky. Congressman, I am not about to sit here and
give you answers to information I know nothing about. I would
only, again, defer to those who have been involved, Ed Kern and
General Habiger.
Mr. Cox. Mr. Wells, do you care to comment?
Mr. Wells. Mr. Cox, to my knowledge we don't have any
ongoing work involving that issue.
Mr. Cox. Do you, Mr. Podonsky, think that polygraphing is
an important part of security at the labs, and
counterintelligence?
Mr. Podonsky. I can only give you my personal opinion in
doing oversight in this Department for quite some time and I
think if polygraphs are administered in a reasonable fashion,
that it can be--it can be employed to be useful. That's a
personal opinion.
Mr. Cox. Okay. Are you aware that at the labs, one of the
complaints of the scientists was that President Clinton had
issued an Executive Order that had exempted from polygraphs
political appointees and Schedule C appointees?
Mr. Podonsky. I wasn't aware of that, no, sir.
Mr. Cox. The, I think, diplomatic statement in the Redmond
panel about the ineffective, if not counterproductive, efforts
of DOE headquarters in meeting with the scientists refers to
the sensitivity sessions that have been held about polygraphs
that have really made the problems worse in full public view.
I will say, if the chairman will permit, that when we have
scientists at the labs responsible for very sensitive military
secrets and we entrust them with this responsibility we also
have to entrust them with enough information so that they can
understand why they are being asked to change their behavior.
And there is more information being shared in court these days
with Federal judges than is being shared with our scientists.
We have got to, as this report states, deal much more
effectively with that problem. And the rest of these things
that we are talking about here today, it seems to me, are
symptomatic virtually so of this underlying problem.
The counterintelligence issues, I don't know whether my
time has expired and I can come back to this.
Mr. Upton. Your time has expired some time ago, but you can
get more. I will allow you to have another round.
Mr. Cox. I think we ought to do that because the
counterintelligence issue, which the Redmond panel raises, is
equally important.
I thank the chairman.
Mr. Upton. And I might ask if we could retrieve temporarily
your copy of the Redmond Report so we can make copies for the
minority as well.
Mr. Cox. Sure.
Mr. Upton. Temporarily. We will get the copies back to you.
Thank you.
Mrs. Wilson.
Mrs. Wilson. Thank you, Mr. Chairman.
Mr. Podonsky, I may be asking a question that Mr. Burr may
have covered before I came, but I would like to hear your
answer to it. In your report, you refer to a request--which I
believe is on page 19 of your redacted report--that early last
year the weapons labs proposed to Under Secretary Moniz, that
tighter controls be reinstituted for certain sensitive matter,
including things like hard drives.
Do you know what happened to that recommendation?
Mr. Podonsky. At the time of our special review out at
Sandia, the staff at Sandia provided that fax to us. That was
the first time that we had seen it, and specifically we don't
know what happened after that was sent to Washington.
Mrs. Wilson. You say at the time of your review at Sandia.
Which review would that be?
Mr. Podonsky. Over Father's Day, the June 19 timeframe.
Mrs. Wilson. So that was after the problem at Los Alamos?
Mr. Podonsky. Yes, ma'am.
Mrs. Wilson. So you had no knowledge of a recommendation to
tighten security procedures before that?
Mr. Podonsky. We had no knowledge of this memorandum or fax
from the laboratory directors.
Mrs. Wilson. Would it be unusual for you to be excluded
from the staffing of that kind of recommendation?
Mr. Podonsky. No, not unusual at all.
Mrs. Wilson. Who in the Department of Energy would be
involved in the staffing of that kind of recommendation? I am
assuming that, you know, you can't expect the deputy to be
seeing everything. What organization would that normally be
routed to?
Mr. Podonsky. That would be routed to the line
responsibility, so that would be perhaps General Gioconda's
organization, as well as the policy group for security, which
would be under General Habiger.
Mrs. Wilson. Are you familiar with a program called ISecM
that was instituted last year with respect to cyber security?
Mr. Podonsky. My cyber security people are very familiar
with that.
Mrs. Wilson. As I understand it, it was a response to the
Wen Ho Lee incident, to try to deal with the insider security
problem. Do you know what the cost estimate was to implement
ISecM?
Mr. Podonsky. No, ma'am, I do not.
Mrs. Wilson. Who in the Department of Energy would have
that information?
Mr. Podonsky. If I'm not mistaken, that originated out of
the defense organization program so perhaps General Gioconda
might have that information.
Mrs. Wilson. Thank you, Mr. Chairman. I yield my time.
Mr. Upton. Thank you. For those members wishing another
round of questions, I am going to pass and yield to Mr. Burr.
Do you have additional questions?
Mr. Burr. I do. I thank the chairman.
Let me follow up with where Ms. Wilson was. If I understood
you correctly, you have the responsibilities for independent
oversight?
Mr. Podonsky. Yes, sir.
Mr. Burr. You said that it is not unusual for you to be
excluded from requests about security upgrades from the
laboratories?
Mr. Podonsky. That's correct. And--I am sorry.
Mr. Burr. No, I am somewhat baffled by that as to how you
could be excluded from the--given that you are responsible to
do evaluations. I mean, we have had you do numerous ones, or
DOE certainly has--that a document like that and a request from
the directors of these labs might not have been supplied for
you, as you evaluated what the current and--for your own
recommendations, what they felt. That's accurate?
Mr. Podonsky. That is accurate. I really--we don't find
that terribly unusual from the standpoint of we do not manage
any of the sites. We do not have responsibility that the line
has, so I would not expect that we would be exposed to a lot of
decisions that are made in the security arena that involve
either policy, upgrades----
Mr. Burr. But it is clearly helpful to committees like this
that are trying to look at the process that your report
include, this is a deficiency; the directors of these labs have
made a recommendation. I can't imagine that the Department of
Energy would let you go through a review process and not make
available anything that they felt was pertinent, or anything
that was pertinent; but it is not unusual?
Mr. Podonsky. No, and I would agree with your--with your
statement that if--we should be exposed to a lot of the
background of how decisions arise, but as those decisions are
underway I don't find that to be unusual.
Mr. Burr. Let me read some of Mr. Browne's testimony
because we won't have an opportunity to have you back up, and
just get some comments on it.
``There are a number of special programs at Los Alamos in
which line managers have little or no access to ensure that
laboratory safety and security rules are met.''
``Prior to this incident, it was not clear to our line
management and security people whether or not they had the
necessary authority to accept responsibility for the detailed
security procedures of these programs.''
They are referring to SAP and--nonSAP and nonSCI programs.
Is that inconsistent or consistent with your findings?
Mr. Podonsky. From our past inspections, that is not
consistent. We have found that the folks that in last year's
inspection that we interviewed and looked at their programs,
that they seemed to understand what their responsibilities
were.
Mr. Burr. He goes on as it relates to the NEST program:
``The NEST program has been operated as a closely held need-to-
know program but not a formal special access program. Los
Alamos has made a good faith effort to participate in this
program, as we understood the guidance of the program sponsors
in DOE. Oversight of NEST by our security division was limited.
Not all aspects of the NEST security plan were reviewed and
approved by laboratory managers for compliance with DOE rules
or for best security practices. Even if NEST was treated as
closely held need-to-know programs, it was subject to DOE
policy for handling SRD and that policy was in place at the
laboratory.''
Can you comment on that statement by Mr. Browne?
Mr. Podonsky. We believe that security at a site is the
responsibility of the site and it is a shared responsibility
with the DOE headquarters and the line organization.
Specifically on NEST, we do know, as I mentioned, that we are
going to do an inspection of all the NEST activities. We have
not inspected the entire NEST activities since 1992, but
looking at NEST as a program, we do know that there has been--
prior to this past year and a half, there has been some
confusion as to where the responsibilities and accountability
for NEST lie.
Mr. Burr. Clarified in a memo several weeks ago by one of
the Under Secretaries to the labs; am I correct?
Mr. Podonsky. Yes, sir.
Mr. Burr. So clearly everybody knew there was a lack of
understanding, or there wouldn't have been a need for a memo;
safe to say?
Mr. Podonsky. Yes.
Mr. Burr. Since this was a DOD project, was DOD involved in
the security requirements for the NEST program?
Mr. Podonsky. I am not conversant on that. I would defer
that to General Boomer--or I would say General McBroom.
Mr. Burr. Let me just say, Mr. Chairman, that it is my
understanding from staff that the committee did make an
invitation of DOD to participate in this hearing. They did not
accept our invitation. I am sorry that they didn't because I
would hope that anybody who had relevant information would be
willing to come in.
One last question, if I could, from the standpoint of the
individual in charge of independent oversight and the extensive
work that you have done in the labs, do you have any
recommendations to this subcommittee and to the three directors
of those labs that are in our audience and here testifying
after you, about the dual use of vaults in the future and if
you have any specific comments about the dual use of the vault
that NEST equipment kits were kept in?
Mr. Podonsky. I would say that, Congressman, we addressed
that with our recommendations for a closer look at the need-to-
know policy, but for a general statement I would say, as--I
would like to iterate the point I said earlier, is that the
fingerpointing needs to cease between the lab and the
Department, as well as the legislative arm and the executive
branch, and we need to get on with fixing our national security
interests.
Mr. Burr. I agree with you totally. I hope I am--I hope I
understand correctly what took place in that vault facility. I
think even a layman would agree that if you have got two
separate projects in there, and you have got individuals who
are approved for one and not approved for the other and vice
versa, all with the ability to go in alone, that you have got a
potential breach. It doesn't mean that one will happen, but you
have got the opportunity for a breach of that information to
happen.
As a security expert, would you agree with that?
Mr. Podonsky. Yes, sir.
Mr. Burr. So it is probably a policy that we ought to look
at very seriously in the future about the dual use of a secure
facility?
Mr. Podonsky. Yes, sir.
Mr. Burr. Okay. I thank all of our witnesses, and I yield
back.
Mr. Upton. Thank you. Mr. Cox.
Mr. Cox. Thank you. Before I leave the subject of
polygraphs, I note that in the Interim Report to the Secretary
of Energy on the Control of Classified Weapons Data at the
National Weapons Laboratories--which I believe, Mr. Podonsky,
you have provided?
Mr. Podonsky. Yes, sir.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T7110.048
[GRAPHIC] [TIFF OMITTED] T7110.049
[GRAPHIC] [TIFF OMITTED] T7110.050
[GRAPHIC] [TIFF OMITTED] T7110.051
[GRAPHIC] [TIFF OMITTED] T7110.052
[GRAPHIC] [TIFF OMITTED] T7110.053
[GRAPHIC] [TIFF OMITTED] T7110.054
[GRAPHIC] [TIFF OMITTED] T7110.055
[GRAPHIC] [TIFF OMITTED] T7110.056
[GRAPHIC] [TIFF OMITTED] T7110.057
[GRAPHIC] [TIFF OMITTED] T7110.058
[GRAPHIC] [TIFF OMITTED] T7110.059
[GRAPHIC] [TIFF OMITTED] T7110.060
[GRAPHIC] [TIFF OMITTED] T7110.061
[GRAPHIC] [TIFF OMITTED] T7110.062
[GRAPHIC] [TIFF OMITTED] T7110.063
[GRAPHIC] [TIFF OMITTED] T7110.064
[GRAPHIC] [TIFF OMITTED] T7110.065
[GRAPHIC] [TIFF OMITTED] T7110.066
[GRAPHIC] [TIFF OMITTED] T7110.067
[GRAPHIC] [TIFF OMITTED] T7110.068
[GRAPHIC] [TIFF OMITTED] T7110.069
[GRAPHIC] [TIFF OMITTED] T7110.070
[GRAPHIC] [TIFF OMITTED] T7110.071
[GRAPHIC] [TIFF OMITTED] T7110.072
[GRAPHIC] [TIFF OMITTED] T7110.073
[GRAPHIC] [TIFF OMITTED] T7110.074
[GRAPHIC] [TIFF OMITTED] T7110.075
[GRAPHIC] [TIFF OMITTED] T7110.076
[GRAPHIC] [TIFF OMITTED] T7110.077
[GRAPHIC] [TIFF OMITTED] T7110.078
[GRAPHIC] [TIFF OMITTED] T7110.079
[GRAPHIC] [TIFF OMITTED] T7110.080
[GRAPHIC] [TIFF OMITTED] T7110.081
[GRAPHIC] [TIFF OMITTED] T7110.082
[GRAPHIC] [TIFF OMITTED] T7110.083
[GRAPHIC] [TIFF OMITTED] T7110.084
[GRAPHIC] [TIFF OMITTED] T7110.085
[GRAPHIC] [TIFF OMITTED] T7110.086
[GRAPHIC] [TIFF OMITTED] T7110.087
[GRAPHIC] [TIFF OMITTED] T7110.088
Mr. Cox. You have recommended that the human reliability
program should be reevaluated to make sure that it is providing
assurance of an individual's trustworthiness, and you
specifically mentioned polygraphs for that purpose.
I take it it is your view that polygraphs are an integral
part of the security function that you are trying independently
to evaluate?
Mr. Podonsky. As I answered in the last round of questions,
yes, sir, we do believe that if it is applied in a reasonable
way, that it can, in fact, be a way to enhance security.
Mr. Cox. Are you troubled by the fact that it has taken so
many years to get started?
Mr. Podonsky. There are many things in the Department that
trouble me, but this one in particular we haven't really
focused on.
Mr. Cox. I wonder whether I ought to address my questions
next about changing the results of security surveys to GAO or
to you, Mr. Podonsky?
Mr. Podonsky. I am not familiar with how much GAO is
cognizant of the survey program.
Mr. Cox. Well, the Inspector General's report, of course,
dated May 30, 2000, tells us that Department of Energy
management changed ratings for the 1998 and 1999 surveys at Los
Alamos without providing a documented rationale for the
changes; that they did not fully address concerns about a
compromise of force-on-force exercise; that they destroyed work
papers contrary to policy. And I wonder, Mr. Wells, whether you
have any thoughts on that?
Mr. Wells. Whether it be the survey program, whether it be
reducing the minimum requirements that we have testified here
today about, given the problems that seem to surface weekly or
monthly regarding security lapses, one just clearly comes to
the conclusion it is unclear what objective they are trying to
achieve when they put forth reductions in surveys and
reductions in oversight and reductions in accountability
controls.
Mr. Cox. Now this same Department of Energy office in
Albuquerque comes in for criticism in the Redmond Report for
its frustration of counterintelligence programs. Specifically,
I am reading now from the Redmond Report: ``The Department of
Energy Operational Field offices at Albuquerque and Oakland
continue to refuse to share relevant information from employee
personnel files under their control with the Department of
Energy counterintelligence or the lab counterintelligence
components. The team,'' that is, the Redmond team, ``learned
that Department of Energy counterintelligence is not even
informed by these three offices''--by DOE offices with the
records, with the files--``when an employee loses his or her
security clearance.'' So counterintelligence can't even find
out, because DOE husbands the information and refuses to share
it with counterintelligence when an employee loses a security
clearance for cause.
Mr. Podonsky, what can we do about this?
Mr. Podonsky. Well, the first thing I would suggest is that
I would--I would want to know whether Ed Curran, the director
of the Counterintelligence Office, is familiar with this and if
he was, then I would expect Ed Curran and his oversight program
of counterintelligence to remedy this in consultation with the
rest of the Department that has responsibility over those
areas.
Mr. Cox. Are you comfortable with the compartmentalization
of CI from security?
Mr. Podonsky. This is an initiative that the Secretary
created, and the answer is so far we have been working very
closely with Ed Curran's organization, counterintelligence, as
well as with General Habiger's security organization. So the
answer is we have no reason not to be comfortable with it.
Mr. Cox. Do you know what the views of lab management are?
We will have a chance to ask them directly in the next panel,
but do you know what the lab's view is on this?
Mr. Podonsky. Other than not necessarily liking Podonsky's
oversight organization, no, sir, I don't know what their views
are.
Mr. Cox. I ask the question because, for example, with
respect to human reliability, it is awfully difficult to
separate out the expertise that is required for CI from the
expertise that's required for security.
Let me read just another passage from this report, the
Redmond Report: ``It has been the sad experience in many
espionage cases that only after the spy is uncovered does it
become clear that a plethora of counterintelligence indicators
concerning various facets of the individual's life,
performance, and behavior have been known in different places
by different individuals but never effectively collated or
holistically evaluated. The Department of Energy must ensure
that the CI officers at the laboratories are part of a formal
system set up locally to ensure that all relevant CI and
security data information is collected, assembled, and analyzed
by means that are not solely dependent on personal
relationships''--and on and on.
It is often difficult, it would seem to me, to arbitrarily
characterize a bit of information as security information but
not CI, or as counterintelligence information but not security.
If you have an unreliable person in the building, that's a
security issue; it is also a CI issue, isn't it?
Mr. Podonsky. Yes, sir, and I think that you will find that
both the Office of Security Operations and the
Counterintelligence work hand in glove, as we also try to
ascertain how they are proceeding in some of their operations.
In years gone by, Congressman, the counterintelligence, the
intelligence and the security organizations were all contained
in the Defense Programs Office and they worked the same way.
The difference now is that they all have separate direct
reports to the Secretary. So that we have Secretarial attention
on these matters.
Mr. Cox. I would conclude by observing that Congress
created the NNSA, the National Nuclear Security Administration,
with a view to centralizing authority over all of these
concerns, so there would be a single chain of command, a single
line of direction. And we first faced the two-hatting exercise
where the Secretary of Energy and the White House decided that
they were going to frustrate the intent of Congress and not let
the NNSA do its job. We also had a long political delay in
getting it started, and only when there was this latest public
embarrassment with the hard drives could we even confirm
General Gordon as the first Administrator. So now, a year after
passing the legislation, we have it in place but we have all of
these efforts to keep power, bureaucratic power and turf in DOE
and not let NNSA be the independent agency that it must be to
do its job.
I hope that with the experience under our belt, with all of
the months and years that are being consumed with people saying
that they are doing their jobs but not actually accomplishing
it, we can finally see the value of doing this properly, having
the NNSA and General Gordon be in charge.
There is one other aspect of the Redmond Report that I
think deserves mentioning, and it is the disconnection that
this report finds between DOE's glowing reports on its own
accomplishments of the initiatives that it has put in place and
so on and what actually has been done. What this report says is
that whenever an initiative is started or if an order is
promulgated, then DOE takes credit for doing it; whereas most
of this is unfinished business.
It is a useful remark for the report, and I just wonder
whether, Mr. Wells or Mr. Fenzel, you have any comment on that
point?
Mr. Wells. We would agree--and I think we used almost those
exact same words earlier in response to a question--that our 20
years' and 50 recommendations' worth of effort in oversight
clearly pointed out that they are quick to take action for
corrective action, but the implementation isn't necessarily
always completed nor is success fully achieved, and the next
thing we know the problem recurs.
Mr. Cox. Well, Mr. Chairman, I thank you for your
indulgence. Mr. Podonsky, I thank you for your efforts in this
area; Mr. Wells and Mr. Fenzel as well. It is vitally important
that we not make this a fingerpointing exercise and that we get
on with it, but there are big changes that have to be made if
we are going to get on with it.
While no one means to be critical or fingerpoint, if you
have months and months and years and years of inactivity or
inadequate response to these challenges, then call it what you
will, somebody has to raise hell about it.
Mr. Upton. Thank you. I think that that leads us to the
conclusion of Panel I.
Thank you very much for being with us this morning. You are
now formally excused. Thank you. Thank you for your time and
your reports.
We will now go to Panel II, that includes the Honorable T.
J. Glauthier, Deputy Secretary from the Department of Energy;
who is accompanied by General Eugene Habiger, the Director of
the Office of Security and Emergency Operations; General John
McBroom, Director of the Office of Emergency Operations, and
also accompanied by General Tom Gioconda, Deputy Administrator
for Defense Programs at the National Nuclear Security
Administration; also Dr. Paul Robinson, President and
Laboratory Director of Sandia; Dr. John Browne, Director of Los
Alamos; and Dr. Bruce Tarter, Director of Lawrence Livermore
National Lab; as well as Mr. Steven Aftergood, Senior Research
Analyst from the Federation of American Scientists.
It will just take a moment to get the names placed
correctly.
As you all know, we have a longstanding tradition of taking
testimony under oath. Do any of you gentlemen have objection to
that? If not, you are also, under committee rules, allowed to
be represented by counsel. Any objection to that? Do any of you
desire counsel?
[Witnesses sworn.]
Mr. Upton. Thank you very much. You are now under oath, and
we will start with Mr. Glauthier.
TESTIMONY OF HON. T.J. GLAUTHIER, DEPUTY SECRETARY;
ACCOMPANIED BY: GENERAL EUGENE E. HABIGER, DIRECTOR, OFFICE OF
SECURITY AND EMERGENCY OPERATIONS; GENERAL JOHN McBROOM,
DIRECTOR, OFFICE OF EMERGENCY OPERATIONS; AND BRIGADIER GENERAL
TOM GIOCONDA, ACTING DEPUTY ADMINISTRATOR FOR DEFENSE PROGRAMS,
NATIONAL NUCLEAR SECURITY ADMINISTRATION, DEPARTMENT OF ENERGY;
C. PAUL ROBINSON, PRESIDENT AND LABORATORIES DIRECTOR, SANDIA
NATIONAL LABORATORIES; JOHN C. BROWNE, DIRECTOR, LOS ALAMOS
NATIONAL LABORATORY; C. BRUCE TARTER, DIRECTOR, LAWRENCE
LIVERMORE NATIONAL LABORATORY; AND STEVEN AFTERGOOD, SENIOR
RESEARCH ANALYST, FEDERATION OF AMERICAN SCIENTISTS
Mr. Glauthier. Thank you, Mr. Chairman. Thank you for this
opportunity to appear today to provide an update on the
security situation at the Department of Energy's weapons
laboratories.
I will be brief. My overall testimony has been submitted in
writing. I would like to reiterate Secretary Richardson's
statement in reference to the missing Los Alamos hard drives.
That is, that the Energy Department security procedures were
not followed, and since coming to the Department the Secretary
has emphasized security issues. We are outraged at what has
taken place in this particular incident.
Now, as much as can be discussed, I would like to give a
brief update on the current FBI criminal investigation. A grand
jury has been convened to examine issues related to the case.
It has been determined by the FBI that these are the authentic
disk drives. Based upon the investigation by the FBI, there is
no evidence of espionage. It can be assured that personnel will
be held accountable and disciplinary action will result from
this incident, but the Department will not take action until
all the facts are established.
During the last 2 years that Bill Richardson has been
Secretary, security has been a top priority and the security--
and the Secretary has gone to extreme lengths to improve the
agency security and counterintelligence profile. Through his
leadership, we have implemented over 50 major security and
counterintelligence initiatives.
For example, the Secretary has established the Office of
Independent Oversight which is headed by Mr. Podonsky that you
just heard from, and he is reporting directly to the Secretary.
The purpose of that office is to focus on implementation and to
give an independent oversight on the practices that are
actually being carried out at our various sites.
A lot has been made in the last 2 hours about changes that
have occurred in the practices at the facilities. I am sure we
will talk more about that. I would comment that the changes
that were made over the last decade were changes to introduce
more flexibility into the individual practices, the actions
that are taken. There was no change in that timeframe on the
responsibility for protecting secure information, and I think
that is important to recognize that all the individuals at our
facilities, all the contractors, all the Federal employees,
maintained the same responsibility for protecting secure
information throughout this whole timeframe.
And the over 120,000 Federal and contractor employees of
the Department of Energy have an outstanding record.
Unfortunately, it only takes a few individuals to cause a
serious problem which is, of course, what we have seen.
We have implemented additional security procedures in light
of the recent incident at Los Alamos, and I would like to just
mention a couple of those; things that in some cases changed
the kinds of items you were talking about on the earlier chart,
and in other cases are new and additional actions, such as
encrypting selected classified electronic media, enhancing
verification procedures, including log-in and log-out
requirements for vault and vault-type room access; staffing all
open vaults and vault-type rooms; increasing security measures
for certain classified encyclopedic data bases; conducting
immediate inventory of all Nuclear Emergency Search Team, or
NEST, data; and placing serial numbers and identification codes
on sensitive materials.
Additionally, as you probably noticed, the Secretary has
informed the University of California that its contract for
managing the Department's national weapons laboratories must be
restructured in order to bring in a separate organization to be
responsible for security procedures and some other facility
operations.
Under Secretary John Gordon will oversee the negotiations
and work with the university to identify new mechanisms and
procedures to address the serious security shortcomings. It is
expected that he will have his recommendations to the Secretary
by September 5.
The last action that I want to highlight is the assignment
that former Senator Howard Baker and former Congressman Lee
Hamilton have accepted. Jointly they will conduct a thorough
investigation and assessment into the circumstances surrounding
the incident at Los Alamos. Their expected assessment, separate
from the FBI investigation, will provide recommendations for
necessary corrective actions.
In summary, the Department of Energy has a significant
responsibility for the American people regarding our overall
nuclear security. We are responsible for sustaining America's
nuclear deterrent, the cornerstone of our national defense, and
for securing nuclear weapons materials and know-how at home and
abroad. We must ensure our security measures are stringent, but
also that they do not stifle the science that allows us to have
that deterrent and that underpins our national security decades
into the future.
I know I can speak for my colleagues at the labs and
throughout the Department in reiterating our commitment to
carrying out this mission in a safe, secure and sensitive
manner.
I think General Habiger would like to make a couple of
comments, and then Dr. Browne, the director of Los Alamos, in
particular wants to comment on these.
[The prepared statement of Hon. T.J. Glauthier follows:]
Prepared Statement of Hon. T.J. Glauthier, Deputy Secretary of Energy
Thank you for this opportunity to appear before you today to
provide an update on security at the Department of Energy's weapon
laboratories.
To begin, at the end of June the Secretary Bill Richardson informed
the University of California (UC) that its contract for managing the
department's national weapons laboratories must be restructured in
order to make much-needed improvements to security and other facility
operations. We have begun negotiations with the University to bring
into their operations specific security and management expertise to
implement these improvements.
Although the Secretary recognizes UC's unparalleled scientific
reputation and its contribution to the scientific vitality of the
laboratories, he is sharply critical of their failure to bring the same
degree of expertise to the management of security and facility
operations.
Secretary Richardson has asked Under Secretary John Gordon to
oversee this and to work with the University to identify new mechanisms
and procedures to address the serious security shortcomings of the
University of California at the weapons laboratories. It is expected
that General Gordon will make his recommendations to the Secretary by
September 5.
situation update
I would like to reiterate Secretary Richardson's statement in
reference to the missing Los Alamos hard-drives, that the Energy
Department security procedures were not followed. Since coming to the
Department, the Secretary has emphasized security issues. We are
outraged at what has taken place. There are no excuses.
Now, as much as can be discussed, I would like to give a brief
update on the current FBI criminal investigation. A grand jury has been
convened to examine issues related to the case.
The FBI is still looking at the two hard drives found on June 16 at
the Los Alamos National Lab. The Secretary has been speaking with FBI
Director Louis Freeh throughout the investigation.
It has been determined by the FBI that these are the authentic disk
drives. Based upon the investigation by the FBI, there is no evidence
of espionage.
The Bureau continues to treat the area where the hard drives were
found as a crime scene. Over the last several weeks, the FBI and Energy
Department investigation has focused on a handful of X-Division
employees, who have offered conflicting statements to investigators.
I can also tell you that, according to its latest findings, the
FBI's working theory puts the loss of the drives at the tail end of
March of this year. This time-line would be further refined as the
investigation continues. This information helps clarify some details
surrounding this case.
Prior to this incident, the Secretary's directive required the
Department to be notified of any such problem within eight hours of
their discovery. That is his policy. Instead, the University of
California neglected to inform the Department until three weeks after
the initial discovery.
As you know, the Department immediately brought in the FBI,
informed the President, advised others in the Administration with a
need to know, and shared what we knew with the relevant Congressional
committees.
It can be assured that personnel will be held accountable and
disciplinary action will result from this incident. But the Department
will not take action until all the facts are established.
latest security actions
During the last two years, security has been a top priority, and
the Secretary has gone to extreme lengths to improve this agency's
security and counterintelligence profile. Through his leadership we
have implemented more than 21 major security initiatives and have
completed 36 recommendations in the Counterintelligence Implementation
Plan.
However, when the recent breach came to our attention, we
immediately implemented an elevated slate of security procedures to be
followed in our sensitive divisions. I reviewed a number of enhanced
security protection measures directed by General Eugene Habiger,
Director of Security and Emergency Operations, and who is with me.
These new steps will effect immediately. They include:
Encrypting selected classified electronic media;
Enhancing verification procedures for vault and vault-type
room access;
Manning all open vaults and vault-type rooms;
Evaluating existing vault and vault-type room procedures;
Increasing security measures for certain classified
encyclopedic databases; and,
Conducting an immediate inventory of all Nuclear Emergency
Search Team (NEST) and Accident Response Group (ARG) assets.
These steps are in addition to measures the lab has put in place:
Placing serial numbers/identification on sensitive materials;
Changing combinations to vaults; and
Reviewing vault access policy, including a vault ``stand-
down'' to ensure procedures are followed.
NEST
Next I would like to give a description of the Department's Nuclear
Emergency Search Team, familiarly known as NEST, and the policies and
procedures in which it operates.
NEST is one of seven major Department of Energy Emergency Response
assets tasked with responding to nuclear incidents or accidents. NEST
members are dedicated volunteers who, when called, form a highly
skilled force specially trained to deal with all types of nuclear and
radiological emergencies.
The concept of the response teams and how the program runs on a
daily basis may provide some valuable insight. Ordinarily, the
Department has no standing teams formed. The all-volunteer personnel
who would comprise these teams are working their normal jobs within the
lab/site structure. An example of this concept would be a volunteer
fire department in which a member's full time occupation is working in
the local school system. That person only becomes a responder when the
siren goes off; up until then he or she is a school teacher.
Similarly at the Department, when an event such as a training
exercise, or an actual emergency occurs, the Secretary, through the
Director of Security and Emergency Operations ``stands-up'' a response
team. Until that time, most personnel are working full time on the
laboratories' scientific and technical missions.
Once a team is formed, the operational responsibility shifts from
the laboratory to the Department's headquarters chain of command. The
administrative responsibility continues with the laboratories. For
example, the Director of Emergency Management cannot fire or suspend a
University of California team member, however, the ultimate
administrative responsibility continues with the laboratory's director.
Training deployments or real world events, such as the World Trade
Organization meeting in Seattle,Washington or the 50th NATO Summit in
Washington, DC, present unique and difficult challenges in moving and
securing the classified equipment on the road. Sometimes the teams work
in US cities and other times they find themselves in overseas
locations.
RECENT REPORTS
Now I would like to take this opportunity to address recent reports
criticizing the Department's security.
We have recently reviewed the Inspector General's report entitled
``Inspection of Allegations Relating to the Albuquerque Operations
Office Security Survey Process and the Security Operations' Self-
Assessments at Los Alamos National Laboratory.'' We are concerned about
these results, particularly with respect to the reported changes to the
1998 and 1999 surveys without providing a documented rationale for the
changes. We note however, that making such ratings decisions always
involves a degree of objective judgment.
However, we are more concerned with the reported destruction of
work papers regarding the survey ratings at the Albuquerque Operations
Office, and reports that thirty percent of the laboratory security
staff felt pressured to ``mitigate'' security self-assessments and
other related allegations. We are reviewing the report carefully and
are not ruling out changes to existing procedures regarding our
security surveys and self-assessments. We also are reviewing the role
and actions of the personnel involved in these particular surveys and
assessments, and stand ready to hold personnel fully accountable for
any improper actions taken, if our review indicates that to be the
case.
I will now discuss the responsibilities of the Department's
Counterintelligence (CI) Program inspections. This program was directed
by Presidential Decision Directive No. 61, which directed the
establishment of a CI Program at Energy, and the inspections of the CI
Programs in the laboratories, sites and operations offices. These
inspections assess program performance in seven topical areas, which
include subjects such as investigations, training, analysis and
management. The inspections also evaluate the degree to which the
programs are in compliance with the measures identified by the CI
Implementation Plan.
The CI Programs of the three national laboratories were inspected
in August, September and October of 1999. As the Committee knows, the
CI Program at Lawrence Livermore received a satisfactory rating. The CI
Programs at Los Alamos and Sandia, however, received a marginal and an
unsatisfactory rating, respectively. Many of the problems stemmed from
the newness of these CI Programs and the personnel involved. Shortfalls
identified by the inspections were responded to in corrective action
plans developed by the programs; progress on the corrective actions was
tracked by Office of Counterintelligence management.
The Office of Counterintelligence reinspected the Los Alamos and
Sandia CI Programs in April of this year. These special inspections
focused on the problem areas that were identified during the initial
Inspections. In both cases, the inspections found that the corrective
actions had been completed and both programs received satisfactory
ratings. The Lawrence Livermore CI Program will be reinspected in
September.
Next, I would like to make a few comments on the recently
publicized General Accounting Office (GAO) report on the Department's
foreign travelers. The Department agrees with the GAO that travelers to
nonsensitive countries may also encounter incidents similar to those
experienced by sensitive country travelers and that any Department
employee traveling overseas could be an intelligence target. It is true
that the initial focus of the CI Program has been on Departmental
employees working in classified programs who have sensitive country
contact. However, our CI Program does not focus only on those employees
and programs. The Department's Counterintelligence Program collects
information of any kind or any location that may show a foreign
intelligence presence. Moreover, all employees and contractors are
required to receive an annual CI awareness briefing that instructs on
the methods and capabilities of foreign intelligence services. During
these briefings, employees are instructed to inform their CI officers
of anything they observe that may be an indicator of intelligence
activity.
In short, our relatively new CI Program, which truly only got
underway after Secretary Richardson arrived to the Department in late
1998, leaves the Department far better prepared to protect its
personnel and programs overseas than ever before. Our defensive CI
Program now can be said to be one of the best in government, and it
will continue to improve. The fact that the report cites a number of
overseas incidents is not an indicator of CI Program deficiencies;
rather, the existence of these incident reports demonstrates that
Energy's CI Program is getting the information it needs to build a good
defense to these ongoing hostile intelligence activities. Moreover, as
a result of the incident reporting the CI Program is getting, we
believe we are steadily improving our ability to get the message to our
employees on how they can protect themselves during overseas travel.
LARGER PICTURE
The Department of Energy has a greater charge from the American
people. Our overall nuclear security. It is a task far more complex
than can be described by me or debated to a satisfying conclusion here
today.
We are responsible for:
Sustaining America's nuclear deterrent--the cornerstone of our
national defense; and
Securing nuclear weapons materials and know-how--at home and
abroad.
The Department has taken its security responsibility very
seriously. The challenges of the Department of Energy have crossed
decades and administrations.
Ultimately, security will always also be an individual
responsibility, and must rely on the dedication, loyalty, and
patriotism of our weapons scientists. And these people must be
accountable like anybody else. Individuals are, indeed, fallible, and
no amount of policy--no amount of legislation--will protect us from
irresponsibility and human failings.
We must remember that a successful security policy is one that
results in the detection of security violations. The worst security
violations are the ones that go undetected. We will continue to keep
you and other key Congressional committees informed of further
developments immediately as they become available.
Thank you for this opportunity to appear before you today to
provide an update on security at the Department of Energy's weapon
laboratories.
Mr. Upton. General Habiger.
Mr. Habiger. Mr. Chairman, thank you. I just want to
clarify three things. First, I am a little disappointed at our
colleagues from the General Accounting Office in terms of the
chart that they put up there, in terms of what you saw was
characterized as Department of Energy. What you saw in that
chart is across the government in every respect. That's point
No. 1.
Point No. 2, and I think it is equally important, is if
you--if he had included time lines, you would have clearly seen
that we didn't get credit for dragging our feet like we
normally do. We lagged the rest of government for some very,
very good reasons.
Point No. 3, sir, Ms. DeGette raised the point about human
reliability program and a letter from Podonsky to Habiger.
Mr. Chairman, I asked for Glenn's input because I had only
been in the job 6 weeks and I saw we had two human reliability
programs at the Department of Energy. It didn't make sense; two
different rice bowls. It has taken awhile, but we are in the
final stages of putting out a strengthened single human
reliability program.
But to characterize questions to Glenn as to whether or not
I accepted his inputs, I am the one that asked for those
inputs. Thank you, sir.
Mr. Upton. Thank you.
Dr. Robinson.
TESTIMONY OF C. PAUL ROBINSON
Mr. Robinson. Thank you very much, Mr. Chairman. It is a
pleasure to again be with you. I did prepare a formal written
statement for the record, and with your permission----
Mr. Upton. All the statements will be made a part of the
record.
Mr. Robinson. Good. I will summarize and move to your
questions.
Several of you, in fact, visited our laboratories to sample
the security environment. You saw for yourselves the physical
security measures, the personnel security measures both to
enter or egress from one of our facilities. We discussed the
challenges which cyber security is placing before us and some
of the measures we are taking to counter that threat.
Most of you know the unique missions of Sandia National
Laboratories: U.S. nuclear weapons, related areas of nuclear
intelligence and nonproliferation. You may not be aware of our
mission responsibilities in security research and development,
both for nuclear weapons storage and transport, and computer
security technologies. We carry these functions out for not
only the Department of Energy but for other high-security
agencies as well.
Because of these core responsibilities, we believe we
should and can be held to a higher standard for security, and I
believe the record will show that we are meeting that higher
standard.
Now, this is certainly not an area to ever be boastful.
Security is something that does require eternal vigilance. I
will try to explain, and I think I try to discuss in my
testimony, the complexity that accompanies security. Most
importantly, at its heart, security requires the care and
devoted effort of the people who perform the classified work.
There is always the danger of a mental lapse, a mental lapse
which could cause great harm.
Besides trying to design in approaches of defense and depth
into all of our security practices and procedures, which could
allow for that inevitable human error that will occur, we must
also involve our people, those who carry out the classified
work in the design of the best practices. I believe their
understanding, their faithfulness, their care in fulfilling
these duties as holders of our important secrets is an
essential part of the formula for success.
In my testimony, I would like--I do describe security
management at Sandia; our unique role within emergency response
functions, our controls to protect classified material, both
documents and electronic media. We have made more stringent
controls on vaults and vault-like rooms.
Finally, in that wonderful clarity that's hindsight, I do
discuss some of the weaknesses, both in document accountability
and in classification, or rather declassification. I think
these are areas where we can all agree we need to make
improvements.
Let me close with the statement that I said in my formal
text. I have been in classified work, associated with nuclear
weapons, for just over 32 years. I can validate Secretary
Richardson's remark several weeks ago that indeed he has done
more to focus on and improve security than any prior Secretary.
Doubtless, that is true, but I believe we are all culpable.
Indeed, across the government, standards were lowered after the
end of the cold war, in classification and accountability for
classified documents and levels of background investigation to
obtain clearance to work at our laboratories.
Also, we have been facing in more recent years a growing
threat of cyber security which is real and it is challenging.
What is the road back? I think we need to use the
opportunity you have provided us in the creation of the NNSA to
streamline responsibilities and accountabilities, to clear out
the bureaucracy that often confuses this line and paralyzes
actions by both Department Secretaries as well as laboratory
directors. I want to assure you, we did not lose our concern
for security. We are a unique enterprise, conducted on behalf
of the Nation. We can and we will strengthen the protections to
once again win your respect to manage nuclear weapon affairs
with confidence. Thank you very much.
[The prepared statement of C. Paul Robinson follows:]
Prepared Statement of C. Paul Robinson, Director, Sandia National
Laboratories
INTRODUCTION
Mr. Chairman and distinguished members of the committee, thank you
for the opportunity to testify today. I am Paul Robinson, director of
Sandia National Laboratories. Sandia National Laboratories is managed
and operated for the U.S. Department of Energy by Sandia Corporation, a
subsidiary of the Lockheed Martin Corporation.
Sandia National Laboratories is a multiprogram laboratory of the
National Nuclear Security Administration (NNSA). We share
responsibility for the design and stewardship of nuclear weapons with
Los Alamos and Lawrence Livermore National Laboratories. Sandia's job
is the design, development, and certification of nearly all of the non-
nuclear subsystems of nuclear weapons. Our responsibilities include
arming, fuzing, and firing systems; safety, security, and use-control
systems; engineering support for production and dismantlement of
nuclear weapons; and surveillance and support of weapons in stockpile.
We perform substantial work in programs closely related to nuclear
weapons, such as nuclear intelligence, nonproliferation, and treaty
verification technologies. As a multiprogram national laboratory,
Sandia also performs research and development for DOE's energy offices,
as well as work for other agencies when our unique capabilities can
make significant contributions.
SECURITY AND BUREAUCRACY
I appreciate your invitation to make a statement today addressing
the topic, ``Weaknesses in Classified Information Security Controls at
DOE's Nuclear Weapon Laboratories.'' Secretary Richardson said in
testimony before the Senate Armed Services Committee on June 21 that he
has done more to improve security during his two years in office than
had been accomplished in the previous twenty years by his predecessors.
I have been active in the DOE/AEC community for all my career, and I
can vouch for his claim. Yet, for all the well-motivated actions and
strong leadership that has been so evident, I cannot say that our
important restricted data and national security information are more
secure than ever before. My hesitancy derives from a surfeit of
complications that surround security.
The Secretary and the laboratory directors share the same desire
for effective security performance; we are not at odds. But I believe
we are both stymied by the bureaucratic sclerosis of the agency. From
below, the laboratories are frustrated with a maze of conflicting rules
and directives from various offices of the Department, together with
team after team of inspectors that descend upon us. From above, the
Secretary has resorted to managing the security problems by issuing
directives from his own office, rather than relying on the agency's
internal mechanisms to generate and implement reforms. This game of
catch-up between the top of the agency and those who must implement the
directives, with far too little communication on the chances for
success or the unforeseen consequences of new policies, has been a
problem in almost all areas of support for DOE missions--in
environment, safety, and health issues, in business practices, and in
security.
The President's Foreign Intelligence Advisory Board (PFIAB)
appreciated the magnitude of this problem. Their report, ``Science at
Its Best; Security at Its Worst,'' issued last year, referred to DOE as
a ``big, byzantine, and bewildering bureaucracy.'' In regard to
security performance, the PFIAB found that ``multiple chains of command
and standards of performance negated accountability, resulting in
pervasive inefficiency, confusion, and mistrust'' (page I). It
concluded that ``real and lasting security and counterintelligence
reform at the weapons labs is simply unworkable within DOE's current
structure and culture'' (page 46). The PFIAB's recommendations, of
course, were the impetus for the legislation creating the semi-
autonomous National Nuclear Security Administration within the
Department of Energy.
It is my belief that the circumstances in DOE are not the fault of
any individuals, certainly not the people who are in charge or occupy
key positions in the Department of Energy today. As the President's
Foreign Intelligence Advisory Board found, the single most identifiable
factor that led to the current state of affairs was the relentless
growth of bureaucracy. My definition of bureaucracy is when well-
meaning, capable people find it difficult to accomplish their mission
responsibilities because of multiple lines of authority and
bureaucratic hurdles that must be overcome.
I believe the National Nuclear Security Administration is our last
best hope for fixing our security problems in a systematic way. By
``fixing'' I mean creating a security culture across the complex
(federal workers and contractors) that achieves teamwork and mutual
commitment to the goals of security. As things stand now, there is
little sense of collaborative work toward a shared goal in security.
Security in DOE is a ``house divided''--those who make the rules, and
those who must follow them. There is little discussion with the field
by those who write guidance and policy. The people who really know the
technologies that can be helpful have little input. It is, as has been
said before, a ``dysfunctional'' relationship.
The new administrator of the NNSA, General John A. Gordon, has
quite a challenge before him. But as qualified and as competent as he
is, he will not succeed unless he has full authority and free rein to
redesign the structure of the nuclear complex from the ground up. I
know that the laboratory directors and the federal managers of the NNSA
will fully support him in this undertaking.
SANDIA HAS A POSITIVE SECURITY CULTURE
An erroneous perception has arisen that the laboratories have a
culture of indifference or even contempt for security. I can tell you
that this perception is grossly inaccurate for Sandia National
Laboratories, and I believe it is inaccurate for the other NNSA
laboratories as well. Certainly we have had challenges and problems in
various aspects of security performance, but I take issue with the
belief that we have an ingrained or widespread ``attitude problem''
toward security at Sandia.
Sandia's laboratory culture was shaped by its industrial heritage,
which began in 1949 under the management of AT&T Bell Laboratories and
continued after 1993 with Lockheed Martin Corporation. Our industrial
roots gave us a strong cultural commitment to security. Industrial
laboratories are very conscious of the need to keep proprietary
information secure. As I enumerated in previous testimony to this
committee, Sandia has a long history of originating and implementing
innovations that have improved security without direction from DOE (see
Questions for the Record for my testimony to this subcommittee on
October 26, 1999). And we also have a history--as I will illustrate
later in my statement--of challenging policy changes mandated from
above that would weaken our protections and controls on classified
materials.
In June 1999, the Secretary of Energy called for a stand-down of
operations at the Defense Programs laboratories to conduct an intensive
two-day session of security training. Contrary to reports that
laboratory staff were resistant to this training, our staff
participated with great interest and with a positive attitude. We had
93 percent staff participation during the stand-down, and we achieved
the full 100 percent shortly thereafter. (The seven percent difference
consisted of people on previously scheduled vacations or essential
business travel, illness absences, and critical job functions such as
security and medical staffing.) The thoughtful dialog and suggestions
offered by employees during the security sessions clearly demonstrated
a laboratory culture of positive concern and advocacy for effective
security.
I was not at all surprised that the inspectors from the DOE Office
of Independent Oversight and Performance Assurance remarked on the
positive and cooperative attitude among Sandia managers with whom they
worked during the 1999 inspection of Sandia National Laboratories. I
frequently get similar comments from other audit and inspection teams.
Sandia has a culture of respect for security, and people notice it. At
the close-out meeting of the most recent visit of the DOE Oversight and
Performance Assurance Team in June, it was encouraging to receive
informal verbal feedback from the inspectors to the effect that Sandia
is currently meeting all requirements and is above and beyond minimal
requirements in many areas. The team commented that they found it
refreshing to see a sense of ownership for security at the manager
level. They also remarked that Sandia's custodians of classified matter
are well-versed in their responsibilities; they know what to do and are
doing it well.
SECURITY MANAGEMENT AT SANDIA
Sandia has implemented an Integrated Safeguards and Security
Management System (ISSMS) for all its security responsibilities. As the
name implies, the goal of Integrated Safeguards and Security Management
is to incorporate responsibility for security into the daily work of
every employee. We can't just bring in security experts and give them
the job of inspecting-out the defects; every single person bears
responsibility to build-in and maintain sound security measures. This
is a necessary attribute of a stable security culture.
ISSMS establishes clear and unambiguous lines of authority and
responsibility for ensuring that secure operations are established and
maintained at all organizational levels. Authority and responsibility
for security at Sandia National Laboratories begins with me and flows
via my deputy laboratory director to the line vice presidents that
report to her. Sandia's Chief Security Officer coordinates the enabling
resources that support the line executives in their security
responsibilities. ISSMS ensures that personnel possess the training,
knowledge, and abilities necessary to discharge their security
responsibilities. It also provides a way to allocate resources
efficiently to address security and operational needs.
Our ISSMS methodology stresses the need to identify applicable
security standards and requirements before work is performed.
Administrative and engineering controls to prevent and mitigate
security risks are tailored to the work being performed and are
designed into work processes. While we make use of a ``fresh-set-of-
eyes'' in examining security practices and draw on the knowledge and
experience of security professionals, we gain the involvement and
creativity of those actually carrying out the work in developing
security procedures that make sense in the workplace.
SANDIA'S PARTICIPATION WITH THE NNSA'S NUCLEAR EMERGENCY SEARCH TEAM
(NEST)
The National Nuclear Security Administration plays a vitally
important support role in combating acts of nuclear terrorism through
its Nuclear Emergency Search Team (NEST). NEST provides the FBI with
technical assistance in response to terrorist use or threat of use of a
nuclear or radiological device in the United States. NEST also supports
the State Department in a similar role overseas. Another team, the
Accident Response Group (ARG), has the different mission of providing
technical support in response to accidents involving U.S. nuclear
weapons while they are either in the custody of DOE or the military
services.
The highly selective force that makes up the cadre of deployment
personnel for NEST and ARG are mostly from the nuclear weapons
laboratories. To be on the NEST team, an individual must be approved by
both line and program management, have certain essential technical
skills, pass a physical examination, and take additional training. My
experience is that NEST members are conscientious and dedicated
individuals with a high sense of duty. NEST personnel volunteer for a
mission which, if not successful, could have severe consequences for
the nation and be fatal for the team.
Sandia National Laboratories contributes a number of team members
to the NEST. Sandia does not possess any NEST computer media similar to
that reported as missing by the Los Alamos group. Sandia's role in NEST
is different from that of Los Alamos and Lawrence Livermore, focusing
largely on the non-nuclear electronic subsystems of warheads and bombs
as well as methods for calculating the consequences of dispersal events
and methods for containment.
Sandia does maintain some classified computer media and lap-tops
under the ARG program. This information is significantly different from
the NEST media at Los Alamos. This classified material has all been
accounted for. Furthermore, within the last three weeks, we instituted
stricter controls for these items, including a two-person rule and
formal sign-in/sign-out procedures.
CLASSIFIED MATERIAL PROTECTION AND CONTROL
Sandia employees and contractors who handle classified matter are
required to protect and control classified material from unauthorized,
casual, and deliberate access. This requirement is one of the first
things a new-hire is briefed on when he or she joins Sandia National
Laboratories, and we continue to educate our personnel on the
procedures that implement this policy throughout their careers through
annual refresher training courses.
The core principles that we teach our employees regarding access to
classified material are contained in Sandia's Safeguards and Security
Guide, which is readily available as a reference on our internal
network. Access to classified matter requires a job-related need-to-
know, as determined by an individual's manager, as well as a proper
security clearance.
As you know, Secretary Richardson distributed a memorandum on June
19, 2000, directing the implementation of certain enhanced protection
measures at the NNSA laboratories. I welcome the emphasis on
accountability that the memorandum so clearly communicates. Sandia took
immediate steps to implement or commence work on the enhancement
measures that are the responsibility of the laboratories, and we will
cooperate with the NNSA offices responsible for implementing other
measures in their purview.
Controls for Vault Access
Sandia has explicit rules governing the storage of classified
matter. Briefly, classified material must be stored in vaults or vault-
type rooms (or in a military-style igloo similar to a vault-type room),
or in key- or combination-lock containers approved by the General
Services Administration and located in a locked and alarmed building.
Sandia National Laboratories manages 166 vaults or vault-type rooms
that store classified matter (documents or material)--114 at our New
Mexico location and 52 at our California site.
In compliance with Secretary Richardson's memorandum of June 19,
2000 (received late on June 20), Sandia modified operating procedures
for all vault access on June 21. We modified our log sheets to record
the entrance and exit of all personnel. We also required that access/
egress points for vaults be under continuous, positive control by
personnel authorized for access to that specific vault. Or, for vault-
type rooms (large vaults in which a number of people work) we required
that the vault be occupied and that access by authorized personnel be
controlled by an electronic system. In the absence of these controls,
the vault must be in a locked and alarmed state.
Controls over Electronic Media
On June 15, 2000, Sandia's chief information officer initiated a
lab-wide survey of removable classified electronic storage media. The
objective of this survey was to determine that removable media are
accounted for (to the extent possible in the absence of formal document
accountability) and are properly stored. The survey found that all
holdings were accounted for, except for two relatively minor issues
which were immediately communicated to DOE via the Department's
incident reporting system. The first issue involved a set of
unclassified commercial software program disks that were treated as
classified. The inquiry is still active, but has concluded that those
disks contained no classified information. The other issue (reported on
June 30) involves a single 3\1/2\ inch, 1.44-megabyte diskette that has
not yet been located. An inquiry is currently underway in accordance
with DOE procedures.
Significant overall improvements in the cyber-security of the
nuclear weapons complex have been accomplished at substantial cost in
1999 and 2000. However, many potential vulnerabilities continue to
present formidable challenges to computer security. There are no easy
solutions. Although encrypted removable media or media-less computing
may have their places in a defensive system (and I believe they do),
there are many ways for a sophisticated adversary to extract
information in today's modern electronic environment. Removable media,
email, hot mail, ftp file transfer, http file transfer, port-enabled
file transfers, laptops, modems, network sniffers, video-monitor-to-VCR
converters, faxes, mail, copiers, two-way pagers, telephones, cell-
phones, and computer trash are all potentially exploitable. Cyber-
security is certainly the most formidable security challenge facing DOE
and the federal government as a whole.
Because of the magnitude of the cyber-security challenge, a systems
approach across the entire NNSA complex is required. I am very pleased
that emergency supplemental funding for cyber-security upgrades has
been approved by Congress as part of the FY2001 Military Construction
Appropriations Bill. The funding is badly needed to combat cyber
threats and vulnerabilities in a coordinated fashion throughout the
nuclear weapons complex.
WEAKNESSES IN THE DOCUMENT ACCOUNTABILITY PROGRAM
Prior to 1991, DOE practiced full document accountability for all
Secret data under its control. Document accountability was a formal
system for inventorying and recording access to classified documents
over the lifetime of the document, from creation to destruction. The
system was analogous to--although much more rigorous than--the common
library check-out system that was aptly cited by a member of this
committee.
In February 1991, DOE modified its accountability rules to drop the
requirement for formal document accountability over Secret National
Security Information and ``non-weapon Secret Restricted Data.''
(Restricted Data is a category of protected information created by the
Atomic Energy Act that includes ``data concerning the manufacture or
utilization of atomic weapons, the production of fissionable material,
or the use of fissionable material in the production of power.'')
In May 1992, DOE extended its Modified Accountability Program to
include weapon-related Secret Restricted Data. DOE notified the
laboratories that accountability requirements were being modified for
all categories of Secret data for organizations that had met certain
requirements, including having completed a 100 percent inventory and
reconciliation of controlled documents in accordance with DOE Order
5635.1A.
The Modified Accountability Program was instituted by DOE to
accommodate the National Industrial Security Program, which was
intended to standardize security requirements among all federal
agencies. It should be noted that prior to the Modified Accountability
Program, DOE protected Secret Restricted Data with the same level of
protection employed by the Department of Defense for Top Secret.
The modified accountability program eliminated the requirements for
unique document numbers and maintenance of accountability records for
documents, inventories, destruction certificates, written
authorizations to reproduce, and some internal receipting. Other
security procedures not explicitly changed by the modified
accountability program were unaffected.
Unfortunately, with the change in accountability, DOE lost the
ability to track who was accessing which secret documents, a feature
that had been a useful tool for counterintelligence analysis. While
this change clearly saved money and made sense in the broader context
of consistency across all federal agencies, it reduced our ability to
quickly detect the absence of a document, and it eliminated our
capability to formally monitor the access to secret classified matter.
This statement applies to documents and information in printed form as
well as to electronic media.
The laboratory directors were never comfortable with the change to
Modified Document Accountability. At Sandia, we originally told DOE
that we intended not to implement the Modified Accountability Program.
In response, DOE told us that costs for full accountability would no
longer be reimbursable under the operating contract. Sandia complied
with DOE's requirement, but we left open local options for higher
levels of accountability.
In January 1998, DOE moved to eliminate full document
accountability for Top Secret Restricted Data as well (and for other
categories of Top Secret information). As part of this change, DOE
eliminated the ``Top Secret Control Officer'' positions at the
laboratories. I am proud to say that staff at Sandia had better sense
and continued to protect Top Secret data with full document
accountability--a decision that I have fully endorsed.
Sandia National Laboratories has consistently maintained full
accountability for all Top Secret data under its control. And in fact,
we have also maintained document accountability over selected sets of
Secret data that we felt merited ongoing accountability. These examples
demonstrate the culture of respect for security that exists at our
laboratory. Rather than resisting efforts to improve security (as has
been charged by some critics of the laboratories), the record shows
that we are more likely to resist efforts to weaken it.
On March 1, 1999--following a conference call of the three nuclear
weapon laboratory directors with Under Secretary Ernest Moniz on the
topic of Secret and Top Secret accountability--I faxed a request on
behalf of the directors to the Under Secretary in which we recommended
that the former controls over document accountability be reinstated as
quickly as possible. We requested that the Under Secretary and the
Department's counterintelligence official evaluate the feasibility of
promptly reinstating full document accountability. This request was
submitted to the Department's security bureaucracy, and to our
knowledge it has never emerged.
I have twice brought the modified accountability problem to the
attention of Congress in testimony: in my statement to the Senate
Committee on Energy and Natural Resources on May 5, 1999, and to this
very subcommittee on October 26, 1999.
In my judgment, we can no longer afford to wait for official
reinstatement of the full document accountability policy. The security
and counterintelligence benefits afforded by formal accountability
decisively outweigh the costs. Moreover, formal document accountability
will help protect conscientious employees from the indignity of
criminal suspicion similar to what some employees had to endure in the
recent Los Alamos incident. Therefore, I have decided that Sandia
National Laboratories will re-implement formal document accountability
for Secret Restricted Data under its control at the earliest feasible
date. I have directed Sandia's Chief Security Officer to develop an
implementation plan for this change.
WEAKNESSES IN THE CLASSIFICATION PROGRAM
In parallel with the changes in document accountability introduced
by the Department of Energy in the middle 1990s, changes were also made
to DOE's classification program that, in my view, introduced systemic
weaknesses.
A Fundamental Classification Policy Review was recommended by a
Classification Policy Study in July 1992. Based on that recommendation,
Secretary Hazel O'Leary committed DOE to review all classification
policies and related technical guidance, and then to revise
classification guidance to reflect changes in policy. DOE's Fundamental
Classification Policy Review was initiated in March 1995, and was a
major component of Secretary O'Leary's Openness Initiative.
In April 1995, the President issued Executive Order 12958,
``Classified National Security Information.'' This directive modified
some of the existing rules concerning classification, but it introduced
significant new provisions requiring agencies to perform large-scale
reviews of material for potential declassification. However, the order
explicitly exempted Restricted Data (RD), which is governed by the
classification provisions of the Atomic Energy Act.
Even though Executive Order 12958 excluded Atomic Energy Act
Restricted Data, the directive dramatically influenced DOE's thinking
toward classification and declassification of RD during its Fundamental
Classification Policy Review. The review concluded in July 1996 with
recommendations for regulatory changes that substantially applied the
provisions of Executive Order 12958 to Atomic Energy Act Restricted
Data. The new regulations (10CFR1045) required large-scale periodic and
systematic reviews of RD documents for declassification ``based on the
degree of public and researcher interest and likelihood of
declassification upon review.''
The declassification regulations, while well-intentioned, required
a level of effort by the Department that it was not equipped to handle.
As a result, the primary emphasis and deployment of manpower in the
classification organization at DOE changed from effective
administration of classification responsibilities to effective
management of the declassification efforts. The organization even
changed its name from ``Office of Classification'' to ``Office of
Declassification.''
It should be noted that some federal agencies used the process of
``bulk declassification'' as a mechanism to meet the requirements of
Executive Order 12958. This practice often resulted in inappropriate
information being released into the public domain without document-by-
document review. The negative impact of these actions is still being
felt today throughout the federal government.
It has become evident in the last few years that DOE's
classification program is in crisis. As a profession, the
classification field has become needlessly complex and arcane. The
federal government's classification rules evolved over several decades
and from different agencies, and they are rife with inconsistencies and
legalistic complexities. The system is poorly indexed and coordinated.
DOE classification officers rely on a body of some eight hundred
sources of classification guidance for DOE source material alone; and
they must be familiar with hundreds of other sources that govern the
classification of National Security Information from other agencies.
Classification professionals in the DOE community--and they are all
technical-degreed personnel--often must use their subjective good
judgment to resolve conflicting or unclear guidance.
To their credit, the DOE Office of Declassification embarked on a
``Guidance Flattening Initiative'' two years ago which should go a long
way toward simplifying classification guidance and reducing conflicts.
It would also be helpful if the classification community could define
subsets of need-to-know categories to help us in administering the
need-to-know principle. However, the classification community in DOE is
disproportionately assigned to the management of the declassification
effort, with a need to devote more effort to the efficient and
effective management of the classification program.
IMPACT OF SECURITY ON THE WORK ENVIRONMENT
As a laboratory director, I am responsible for maintaining in top
condition the infrastructure and human talent of one of the nation's
foremost laboratories supporting vitally important national security
objectives. I am worried about our pool of human talent to carry out
this mission. Clearly, the NNSA laboratories need to continue their
focus on enhancing security. But if security enhancements are
implemented in a way that creates an atmosphere of mistrust, or
generates unnecessary procedural burdens, or is perceived to be
discriminatory against some groups, or dictates prescriptions that
technical people have no input to, then the talent pool at the
laboratories will begin to suffer.
Even without the security issues that the laboratories face today,
we would still be having a tough time attracting and retaining talent
in an economy that offers very attractive opportunities to technical
graduates. Frankly, we are beginning to have a serious
multidisciplinary staff retention issue. Poorly thought-out security
and human reliability programs will only make that situation worse.
Rather, the NNSA must strive to create conditions that make
security a natural way of doing one's job. We need user-friendly work
environments that incorporate robust security features in a way that
achieves maximum protection for secrets with minimal obstruction of
productive activity. I am certain that the best solutions will be
system solutions that begin by focusing on specific work activities and
move outward from there to establish rules--as opposed to those that
begin with rules, directives, and policies that originate at a great
distance from the workplace. Robust and lasting security can only be
achieved through the cooperative efforts of the laboratories, their M&O
contractors, and NNSA management, with the firm but supportive
oversight of Congress.
Mr. Upton. Thank you very much. The second bells are just
about ready to ring, so we are now going to adjourn until 1
o'clock, and we will start with Dr. Browne when we come back.
Thank you.
[Brief recess.]
Mr. Upton. Thank you, everyone, for being prompt and coming
back.
Dr. Robinson, thank you for your testimony.
Dr. Browne, welcome.
STATEMENT OF JOHN C. BROWNE
Mr. Browne. Mr. Chairman, members of the committee, thank
you. It has been 6 weeks since I first found out about these
missing hard drives. That was on June 1 of this year, and my
anger and frustration has increased over these 6 weeks because
we have not been able to understand how this incident occurred
or, in fact, what led to even the missing hard drives being
found on June 16. Their finding really gives me no comfort, and
we certainly did not celebrate. We were pleased that we had
control back of the hard drives, but we were not pleased
because we did not understand the circumstances.
I would like to clear up something for the record. It has
been stated that the University of California did not notify
the Department of Energy for over 3 weeks. It is true that some
employees at the laboratories kept that information from my
management team. But when we found out, we immediately and
promptly notified the Department of Energy. As a matter of fact
it was less than 2 hours between the time I was informed and
the formal notification of the Department of Energy.
I would like to start out by saying that there are no
excuses that I can give you for this hard drive incident, and I
certainly did not want to come here and point fingers between
myself and the Department of Energy. When we look at this,
there may be some contributing factors. Again, none of them
really are excuses, but they are contributing factors. One is,
I do think that we have to look at the adequacy of both DOE
laboratory procedures and practices, both to prevent and detect
this type of incident. I think we have to determine whether our
human reliability programs are adequate. And did we have the
appropriate oversight of a closely held need-to-know program
like NEST, and fundamentally, did we have the right formality
of operations in the NEST program.
Let me say that I am accountable for the actions at Los
Alamos National Laboratory, and I take those responsibilities
very seriously. We have taken significant corrective actions
since the finding of the hard drives being missing, and I will
take disciplinary action once the FBI case has been concluded,
I have been precluded from further internal investigations by
the FBI.
I believe we must return Secret RD and Top Secret to
accountability and tracking. There is a cost and a time factor
involved. I think we should review our human reliability
programs to make sure we have the right people and we have the
right program in place.
Science is essential to do our mission. We will fail
without science. But it is not sufficient. If we have
indifference or carelessness on the part of any of our people,
regardless of their scientific or technical accomplishments, we
cannot allow that to occur and to affect national security.
I think the challenge facing General Gordon and the NNSA is
to reinforce the security culture while maintaining science at
its best. And I think he should be given the opportunity to do
that, and we certainly will support him in that. Let me make
just a few points. We have discussed a lot this morning, the
1990 period of security deemphasis. I will not go into any more
of that. I think it has been covered pretty clearly.
I would like to point out that before this committee last
year, I think all three laboratories testified to the point
that we felt L Clearances and the use of L Clearance as a
default clearance was a mistake and that we would prefer to
have Q Clearances at our site. And I think we still feel the
same way.
Also the color of badges. We brought that up saying that we
thought a single-colored badge really hurt our ability to
maintain security environment at our laboratory. The Department
has returned to a colored-badge system that we think is very
effective now.
When I became director about 2\1/2\ years ago, I started a
lot of security enhancements. I have increased the budget that
we spend on security by 50 percent in the last 3 years. We have
made improvements in cyber security, counterintelligence, and
since the hard drives incident, we have been logging people in
and out of vaults since about June 12. We now have our computer
media, the high-density type of media, whether they are hard
drives or Zip drives or any of that type, we have 66,000 of
those bar-coded, and they are able to be tracked.
We are waiting for guidance from the Department of Energy
on how best to put in place a tracking system that is
consistent across the entire Department of Energy so that we do
not have incompatibilities between various sites.
Let me mention something that Mr. Podonsky brought up this
morning, which I think is a very important issue about the role
of UC in the laboratory and the Department of Energy. I know my
time is up, but if it is okay, I would like to make this point.
It is a shared and joint upon responsibility.
There is no doubt that the University of California signed
a contract with the Department of Energy, which assigns
responsibility for security to the university, and that as an
officer of the university, they delegate that responsibility to
me as laboratory director.
And I accept that responsibility. The Department shares, I
believe, in our accomplishment of that, because they do set
rules. They do evaluate our performance, and they also provide
the resources. And I think it is important for the committee to
realize that there are no separate resources provided for
security. The security dollars come out of the programs
directly. Which means there always has to be a prioritization
between safety, security, programmatic. And it is a balancing
act that both the labs and the DOE have to maintain.
With that, I will stop and be happy to answer any questions
that you might have. The last statement I guess I would like to
conclude with is I would hope this committee does not judge all
8,000 Los Alamos employees by the acts of a few individuals.
Our people are really dedicated to national security. I would
like to tell you today that they are hurt and angry. They feel
let down by their other employees. People are really angry. I
get lots of e-mail from laboratory employees who have been
pretty outspoken about this latest incident in the wake of the
one a year ago. I believe that science and security can
coexist. I think it is critical to our Nation's defense, and I
believe that we need to move on from this incident; learn from
it, but not throw out the good things that we have and are
doing for our country. Thank you.
[The prepared statement of John C. Browne follows:]
Prepared Statement of John C. Browne, Director, Los Alamos National
Laboratory
INTRODUCTION
Mr. Chairman and members, thank you for the opportunity to discuss
the security environment within which the Laboratory operated when the
recent serious security incident occurred. When I first heard about
this incident my reaction was probably the same as yours--how could
this happen at Los Alamos after all the events of last year? I am angry
and frustrated. The fact that the hard drives with classified
information were found on June 16 by one of our people does not
diminish accountability or responsibility to address the root causes.
We made many significant improvements to security in the last year,
with a strong emphasis on cyber security. We enhanced our security
awareness training for our employees and subcontractors. Nevertheless,
this incident still occurred at our Laboratory, leaving us to ask what
more needs to be done.
Although there are no excuses for this incident, there may be some
contributing factors. The issues I have identified so far involve the
adequacy of required DOE and Laboratory security procedures, human
reliability in following procedures, and the oversight and acceptance
of responsibility for security in special programs.
Key Messages
I have these key messages to emphasize today:
We are accountable. Corrective actions have been taken; more
are underway; disciplinary actions will be taken, subject to
the immediate requirements of the ongoing criminal
investigation.
There is a need to return to more formal accountability for
handling of Secret Restricted Data materials. Increased
accountability will enhance the sense of personal
responsibility, and reduce the opportunity for and consequences
from human error.
Human reliability programs need to be evaluated to ensure that
people with access to the most sensitive information are
included and that the program is effective.
Outstanding science is essential to achieve our mission--we
will fail without it--but it is not sufficient. Indifference or
carelessness toward security, regardless of an individual's or
an organization's accomplishments, will not be allowed to
compromise our nation's interests. The National Nuclear
Security Administration has a major challenge to reinforce the
security culture while retaining science at its best in the
National Laboratories, and they should be given the opportunity
to do so.
SCIENCE AND SECURITY
Criticism of the National Laboratories recently has taken the form
that security is in direct conflict with an elite scientific culture
because security emphasizes keeping information from people while
science flourishes in an open environment.
I reject the notion that science and security are incompatible. The
tension that exists between the characteristics of security and science
has been and can continue to be managed effectively. The most sensitive
information in our custody--information about the design and operation
of our country's nuclear arsenal--has been developed by the very
scientists who are responsible for assuring that it is securely
managed. More than any others, these scientists understand the
information entrusted to them and appreciate the risks involved should
it end up in the wrong hands. They have devoted their careers to public
service in the national interest. They have demonstrated since the
early days of the nuclear weapons program their ability to accomplish
outstanding science and to simultaneously satisfy the requirements of
effective security.
For over 50 years, our nation has been well served by the
relationship between the University of California and the Department of
Energy and its predecessor agencies. It is one of the longest lasting
and most productive partnerships between a state entity and the federal
government in our history. The University has provided an outstanding
workforce to help the government solve some of its most challenging
national defense problems. The challenge today and in the coming decade
to ensure the safety and reliability of the US nuclear deterrent
without nuclear testing is as great as any faced in our history. The
University's role is as important now as ever.
Security management is a responsibility assigned to the Laboratory
by the DOE through the management and oversight contract with the
University of California. I would like to emphasize that as Laboratory
Director, I am an officer of the University of California. In that role
I represent the University and carry out the responsibilities assigned
to it. I take that responsibility very seriously. The DOE sets the
security rules within which we work. DOE evaluates our security
performance through a series of programmatic and independent audits.
DOE provides the financial resources to implement the security systems
that are required. If resources do not match requirements, DOE sets the
priorities. The University's obligations in all aspects of contract
performance were made more explicit in the performance-based contract
starting in October of 1993. This arrangement, which became a federal
norm in that time frame, was to have clearly defined the contractor's
accountability by establishing quantitative performance goals. However,
in the last implementation of this process to the security function,
the previously agreed-to criteria were dropped and our performance was
judged solely by the outcome of the final 1999 DOE ``go green'' audit.
This left our evaluation dependent on the auditors' criteria rather
than a set of pre-established performance standards and metrics
covering the major areas of security.
The University has greatly enhanced its ability to provide
oversight by adding a dedicated laboratory management office in 1993
that provides an interface with the DOE on contractual issues. The UC
Board of Regents has had a standing Laboratory Oversight Committee that
regularly interacts with the Laboratory directors. The University of
California President also has a Committee on the National Laboratories
that is composed of individuals who previously served in senior
positions in industry, government and academia. Recently the University
of California Office of the President (UCOP) appointed a security
advisory panel chaired by Adm. Tom Brooks and hired a former military
security officer as UC security director for contractor oversight on
these matters. The UCOP and Admiral Brooks have assembled an
outstanding panel of security experts that has begun to evaluate
security practices across a broad spectrum at the two UC weapons labs.
This panel has not been in existence long enough to have an impact on
our security performance. Committees and offices by themselves do not
ensure security, but they do demonstrate the University's commitment to
improvements in this area.
The Department of Energy announced on June 30 that it will begin
working with the University of California to explore ways in which
security expertise can be brought into the UC and the Laboratory to
achieve improvements in security. UC and the Lab welcome the study and
will fully cooperate with the Department. Although the UC contract
might be restructured to provide external security expertise, the day-
to-day responsibility for handling classified information will still
rest on the shoulders of the scientists and engineers at the
Laboratory. There are important lessons from our recent improvements in
safety. Safety and security are line responsibilities. Additional
expertise from outside can be very helpful, but it must reinforce line
responsibility. This is where the day-to-day work occurs.
SECURITY DE-EMPHASIS FROM 1990-98
To understand the current situation in security it helps to review
the changes that have occurred in the nuclear weapons program over the
last 10-12 years.
After the end of the Cold War, the budgets for the nuclear weapons
laboratories dropped rapidly. There was considerable pressure from the
DOE and the Congress to reduce overhead costs, and this included
security. Security funding dropped to a new low, especially for
physical security.
Policies changed as well as funding. Individual accountability for
classified documents was done away with as a cost saving measure across
the government. Secret Restricted Data document accountability was
dropped as federal policy in 1992 and by 1993 after some debate Los
Alamos ended this practice. In 1997, Top Secret Restricted Data
document accountability was dropped as a federal requirement by DOE and
other agencies. For Top Secret material and Sigma 14 and 15 weapons
data we have continued to require more accountability and control than
has been required by DOE.
There were other changes as well. Significant amounts of
information were declassified. The name of the DOE Office of
Classification was changed to the Office of Declassification. A policy
of openness was promoted that aimed to make more information available
to the public, especially information related to the safety and
environmental impacts of nuclear activities.
A significant change of practices was instituted in the 1994-95
time frame when we were instructed to reduce the number of Q-cleared
personnel (Top Secret) by downgrading many of our employees' clearances
to L (Secret). The result was many more people with lower level
clearance in our secure work areas. Not long after that, distinctive
colors for Q-cleared versus L-cleared badges were dropped, which made
the identification of the security access of individuals much more
difficult. While none of the above changes can be shown to have a
direct bearing on the hard-drive incident, they were part of the
atmosphere that was created after the end of the cold war.
A few years after these budget reductions and policy changes
occurred, we began having difficulty earning satisfactory ratings in
security reviews and audits by the DOE. In addition, information
technology was expanding at an incredible rate. Reinvestment in
security began to occur, but too slowly to address the new environment.
I faced this condition when I became Director of Los Alamos in
November of 1997. I began to increase our overhead funding of security
to make the changes mentioned elsewhere in this testimony. We have made
significant progress. We still have further progress that needs to be
made, and we are dedicated to doing that.
SECURITY ENHANCEMENTS SINCE 1998
In early 1998, I provided greater emphasis on security and
environment, safety, and health by creating a Deputy Laboratory
Director position that would concentrate on operations, including
security and safety. Previously, a single deputy director had oversight
of all operational, business, and outreach functions. In April 1998 I
formed a separate Security Division, reporting to my operations deputy,
with a former Air Force security officer specializing in nuclear
security at the head. Consequently, a greatly improved Site Safeguards
and Security Plan was developed and approved by DOE--our first since
1994. In a similar manner, I created a new Counter-Intelligence office,
headed by a former FBI CI expert and reporting to the operations deputy
but with full access to me.
In response to last year's criticism of cyber security at the
defense national laboratories (Los Alamos, Livermore, and Sandia),
these laboratories and DOE developed a Tri-Lab Information Security
Plan in April 1999. The Laboratory is implementing this plan, and to
ensure continued coordination of these improvement efforts, I formed a
senior Information Security (INFOSEC) Policy Board, headed by my
principal deputy. In addition, a formal technical program was created
to lead our technical efforts to identify and develop solutions to
present and projected computer security challenges. This program
interacts directly with the INFOSEC Policy Board to ensure tight
communications regarding Laboratory objectives, priorities, and
oversight. The Security and Safeguards (S) Division is represented on
the INFOSEC Policy Board to ensure compliance with the security
regulations and guidance issued by DOE Safeguards and Security
organizations.
Cyber security upgrades in the past year include
Strict site and cyber access for foreign nationals.
Network separation with firewalls between Laboratory
unclassified administrative computing and public information
computers--an additional layering beyond complete isolation of
the classified computing network completed six years ago.
Eliminated except in very special cases authorized use of any
computer for both classified and unclassified computing (dual-
use computers eliminated).
Actions After The Hard-Drive Incident
As soon as the hard-drive incident was reported to me on June 1, I
initiated all actions that were required, prudent to limit further
damage, or appropriate to facilitate further inquiry. Those actions
include temporarily eliminating SRD access for members of the NEST team
who had unescorted access to the vault in question until we had a
better understanding of the FBI investigation.
Some of the actions taken in June have become continuing policy,
such as:
Logging of all vault entries and exits, with positive
identification.
Reduced access lists for vaults and Limited Access Control
Areas (LACAs).
Placed barcodes on all portable high-density computer storage
media with Secret Restricted Data (SRD: secret nuclear weapons
data) to facilitate inventory.
Initiated a review of all nuclear weapons programs to ensure
that they have security plans consistent with DOE and
Laboratory policy.
These activities addressed immediate concerns, but we recognize
that more may be required. We are working with the DOE to identify and
implement additional measures that address root causes.
Last year I established a Lab-wide goal of ``Zero Safeguards and
Security Violations.'' Upgrades in personnel practices to ensure
suitability of staff for critical national security jobs includes
intensified security awareness training, enforced by automatic
rejection of personnel at entry badge readers if their training is
overdue, and implementation of the DOE's counterintelligence polygraph
program.
To reinforce the message of low tolerance for serious violations,
strong sanctions are being taken by line managers for serious or
deliberate security infractions. Since I have become Director, I have
found it necessary to terminate 3 employees and suspend 4 others for
serious security infractions and violations. For lesser infractions,
sanctions such as salary reductions and reassignment to less
responsible jobs have been applied. I have also empowered my managers
to pull the Laboratory badges of non-UC subcontractor workers in their
organizations who had the privilege of site access but failed to follow
our procedures. This action also has been taken a number of times
recently for visitors who did not comply with security procedures.
After the investigations are complete in the hard-drive incident,
appropriate personnel actions will be taken. It is not fair to our
thousands of conscientious employees to tolerate the deliberate,
careless or indifferent acts of a few individuals.
Oversight
The quality of the Laboratory's security program is monitored
through regular self-assessments and DOE evaluations. UC had also added
detailed oversight through its new security office and panel that
reports to the UC President's Council.
In the last few years we have made substantial investments to
provide a stronger security environment. The improved status of our
whole security posture was validated by the DOE's Office of Independent
Oversight and Performance Assurance (OIOPA) at the end of 1999 with a
rating of ``Satisfactory,'' the highest of their three rating levels,
following a year of preliminary visits and final audits. The GAO
followup report, ``Improvements Needed in DOE's Safeguards and Security
Oversight'' (February 2000) primarily addressed needed integration of
oversight findings and followup records in DOE's methods. In this
regard, the GAO report also calls out as a noteworthy practice that Los
Alamos maintains its own database with ``virtually every known security
problem at the laboratory'' as a method to track findings and
corrective actions--although improvements were recommended in root
cause and risk/benefit analyses.
The DOE Inspector General investigated security inspection ratings
at Los Alamos for 1998 and 1999 and in May wrote the Summary Report on
Inspection of Allegations Relating to the Albuquerque Operations Office
Security Survey Process and the Security Operations' Self Assessment at
Los Alamos National Laboratory. Most of the report is related to DOE
ALO. I will not comment on those findings.
The portion of the IG report dealing with LANL self-assessments in
1998 and 1999 alleges that a) all self-assessments were not completed
by LANL as required; and b) ratings on some self-assessments were
manipulated by LANL management to make the Lab look better than the
facts would have indicated.
Self-assessments are a valuable internal tool to senior management
because they allow us to determine where we need improvements. The DOE
OIOPA audit reviewed our self-assessment function after the IG visit to
LANL and found that the LANL self-assessment program was operating and
communicating the results to management effectively. Manipulating self-
assessments as alleged would be counterproductive to our goals of
having an effective security. Self assessment findings have no direct
impact on DOE's annual evaluation of our security performance.
If the DOE IG will share more information on those allegations with
me, I will investigate further. It is correct that we did not complete
as many self-assessments as we had planned. We went beyond the DOE
requirement for self-assessments and set a ``stretch goal'' that we
missed. However, I would like to point out the Laboratory's security
program was reviewed 16 times in 1999 alone. The DOE-IG report is the
only audit for which we objected to the findings, and our objections
were only because the findings could not be validated.
Current Regulatory System
The regulatory system for security, like safety, is complex and
multilayered. At the top level public laws provide general principles
and objectives. Next, the DOE has established a layer of rules in the
Code of Federal Regulations and then has a layer of requirements in
their Orders system. The Orders system has many thousands of pages of
orders, manuals, and guides that are under constant revision.
Requirements can be modified in real time by DOE direction.
One of the contract roles for the University of California is to
help, with the DOE and the Labs, review regulations as they are
developed and to maintain a list of applicable requirements.
INTEGRATED SAFEGUARDS & SECURITY MANAGEMENT (ISSM)
To deal with this complex environment we are taking the same
approach to security that we took with safety. It is called Integrated
Safeguards and Security Management (ISSM) and uses a simple five-step
approach that every employee can understand. We are writing plain
language ``Laboratory Implementation Requirements'' (LIRs) that capture
all the government requirements in a form that allows the employees to
understand what they must do in a given circumstance. Many requirements
are common sense and we must continue to work toward a simple system
that is easily understood but is difficult to circumvent.
Ultimately, security depends on individual performance. This is not
unlike the individual's responsibility for safety. With the general
security objectives in mind, the logic of the rules can be followed.
Following the rules offers the worker protection when some failure
occurs. More importantly, we have found that formality of operations
encourages work habits that prevent failures.
To reinforce these expectations, I have directed all employees to
participate in mandatory security awareness training, and review their
security responsibilities with their next level of supervision.
We have the experience from implementing Integrated Safety
Management (ISM) over the last three years that self-reporting is an
important tool for performance improvement. Self-reporting is defeated
in a climate of fear. We must maintain the support of the employees for
self-reporting while carrying out our responsibilities for management
oversight of the lab.
Over the last five years, we have averaged around 40 security
``occurrences'' per year. Most of these were self-reported and were
administrative security infractions that had no or minimal impact on
loss of control of information. Those that were serious were dealt with
swiftly. It is important that we retain honest internal reporting and
self-evaluation, if we are to improve our performance in security. I
would be suspicious if only a few security occurrences or safety
incidents were reported in an organization of 8,000 employees. Our goal
of zero security violations can only be met by honest reporting and by
addressing root causes.
CLASSIFIED MATERIAL PROTECTION AND CONTROL
Security implementation includes providing secure work and storage
places for classified material, controlling the movement of that
material, and qualifying personnel to ensure trustworthiness, and
regular training.
Physical Security
The Laboratory has several layers of physical security, providing
graded protection and defense in depth around classified materials. The
outermost layer is the Laboratory site boundary, which encompasses DOE
property. Inside this boundary, all persons are subject to DOE rules
including following guard force directions. Vehicles and personal
belongings are subject to search. A professional protective force with
approximately 400 armed guards enforces these rules and site security.
The next layer is the security fence. Unescorted access to the
Administration Building security area (which incorporates X-Division's
principal work space) is through portals using a Q- or L-cleared
(secret--national security information [NSI]) badge plus identification
either by a guard from the badge photo or by means of the badge plus a
hand-geometry biometric reader. About 8000 people have badge access to
the Administration Building. Other Q-cleared buildings have similar
measures.
X-Division's principal workspace is located within a Limited Access
Control Area (LACA) inside the Administration Building. The LACA is an
additional layer of security that we use to identify and authorize a
group of people doing related work inside a more general security area.
Unescorted LACA access, through another badge reader, was allowed to
about 1300 Q-cleared people who required emergency access or who
routinely work in or with X-Division, usually involving Secret
Restricted Data--secret nuclear weapons data. (Once inside the LACA,
personal recognition provides a strong deterrent to unauthorized
access.) The access list for the LACA badge readers has been pruned to
600 people.
Another higher-level security environment can be provided by a
Sensitive Compartmented Information Facility (SCIF). These areas can be
multi-office work areas, like a LACA, but with more extensive access
control features specified in federal standards. SCIFs are normally
used for intelligence work or for Special Access Programs (SAPs).
The next layer of physical security in classified workspaces is
provided by personal control or secure storage of the classified
materials. When not in the possession of an authorized user, classified
material must be in approved storage. Approved non-work-hours storage
can be a safe in an office, a vault, or a vault-type room meeting
standards specific to each kind of system, its security environment,
and the classification level of the material inside. The DOE standards
cover the storage device location, construction, and door locks. For a
vault, a GSA-approved standard lock and intrusion detection alarms are
required.
Los Alamos vaults have always been equipped with GSA approved locks
and intrusion alarms that meet DOE standards. Until June, workday
practices for control of classified material were met by various means
allowed by the DOE requirements. For some vaults, including the vault
in question, a number of Q-cleared persons were authorized for
unescorted access. No entry logging process was required by DOE or the
Laboratory or routinely in place when the vault was attended.
After the hard-drive incident, we immediately instituted a vault
access-logging requirement that subsequently became DOE policy per
Secretary Richardson's June 19 memo. We are now meeting that
requirement for all of our 96 vaults on site.
Since 1994, we have had 19 DOE inspections that covered vault
operations. These resulted in two findings. One finding is closed and
the other, involving a technical issue regarding alarm testing, has a
corrective action plan. Neither of these two findings addressed the
issues surrounding this incident.
DOE is planning to review vault operations across the complex and
establish upgraded standards on a very fast track. We have already
reviewed the security practices at all 96 vaults at LANL. We welcome
the DOE review.
Information Security
Information security is provided by physical security as described
above and by controlling the movement of the information. The rules for
controlling computer media have evolved to be somewhat different than
for hard copy on durable media such as paper and film because the
expansion of digital storage capacity challenges the traditional
concept of ``document.'' Some hard drives in personal computers can
hold more than the equivalent of a million pages of text. The increase
in the amount of material that can be compromised and the speed with
which it can be transmitted as digital capabilities increase is a
government-wide problem that must be broadly addressed. Many of our
cyber security improvements of the past year were aimed at this problem
and we continue to deploy technology to address what may be the most
volatile security issue we face.
In 1992 when SRD accountability changes occurred, DOE was not
prepared to give guidance for the secure handling of computer based
information. The technology was changing so rapidly it was difficult
for anyone to keep up. The computer technology moved faster than
security technology or policy. We needed clearer overall guidance in
order to follow priorities on expenditures. This all occurred in an
environment when great pressure was being applied to reduce overhead
accounts. In such an environment, it was essential that we follow DOE
policy and expenditure guidance.
As said earlier, government-wide policy from 1992 ended the
requirement to maintain an auditable inventory of Secret Restricted
Data material. This is often referred to as the ``end of
accountability,'' but of course, everyone is still responsible for the
classified documents in one's possession. The Laboratory follows DOE
policy for accountability of SRD material.
Positive inventory control for all of the approximately 6 million
classified items now in the Laboratory's possession raises the issue of
cost vs. benefit that caused the downgrading of requirements eight
years ago. We estimate that the effort to reinstate an inventory
listing of all SRD items would be at least $60M. Maintenance of the
accountability system plus periodic inventories would cost on the order
of $25M per year.
An inventory system can help reinforce careful work habits as well
as providing more positive document control. The cost and difficulties
could be reduced by a graded implementation. For example, the first
focus could be on inventorying portable high-density digital storage
devices. We have now completed that task. Sigma categories can be used
to prioritize items for inventory. Security and subject matter experts
should be involved in detailing standards. It would be costly and
ineffective for the Laboratory to attempt to create its own inventory
system without DOE guidance. Any system must be DOE-wide to be
effective. The magnitude of such an effort will raise issues of costs
and benefits. DOE will need to establish priorities for resources.
Prior to this incident there was no government requirement to
protect a compendium of secret information beyond the requirement that
applies to the highest level of classification of any item in the
compendium. This is regardless of the volume of information.
Immediately following the hard-drive incident, I directed that
portable high-density digital storage devices with SRD must be put
under inventory control. For this purpose, bar-coding on some 65,000
such devices is essentially complete. As announced in June, the DOE
will institutionalize the inventory control requirement for selected
compendia of secret information on high-density media. We strongly
endorse the development of such a plan.
There is no formal DOE or Laboratory requirement associated with
transfer of SRD ownership within a Q-cleared security area. In
particular, the previous owner is not required to retain a record of
change of ownership, so in a sense, everybody owns it--and therefore
nobody does. The opportunity to lose track of ownership is high in
multi-user vaults if there is no formal accountability. This may have
been a contributing factor in the hard-drive incident. Prior to the
1992 changes, the originator of a document had to record any copies
made, number the copies, and the tracking system retained a record of
all copies and their owners. We recommend re-establishment of rules for
tracking SRD (and higher) document ownership.
Transport of SRD outside of a security area requires physical
security measures, but without inventory controls, there is no unique
identifier to track removal, transport, and arrival of the item.
Document accountability is important when documents are transferred
between owners and transported outside of the security perimeter.
Tracking document transfers and movements would be enabled by and
should be part of a revitalized accountability system.
With modern technology, there is an opportunity to develop
centralized electronic repositories with a high degree of security,
tracking, and access control. This would, however, create a security
vulnerability by concentrating information. Security measures would
have to be very high for such a system, but may be the best approach
for a cost-effective document control system.
The digital age has created new problems for information security
and may also provide means to help that should be further considered.
Encryption of classified information could be an important augmentation
to other security measures. Secretary Richardson directed that
encryption be utilized in protection of large quantities of SRD. A
limited set of software encryption tools are available now, but are
likely to improve rapidly in coming years. We plan to utilize these
developments in concert with DOE.
Personnel
In my opening comments I identified human reliability as one of my
core concerns. This concern is widespread in security management. A
recent DoD study 1 ``Insider Threat Mitigation'' identified
maliciousness, disdain for security procedures, carelessness, and
ignorance as four kinds of insider behavior that can generate security
incidents. Our system attempts to minimize these behaviors by thorough
selection, training, mentoring, and re-evaluation of personnel, but
needs to be strengthened.
---------------------------------------------------------------------------
\1\ DoD Insider Threat Mitigation: Final Report of the Insider
Threat Integrated Process Team, available by subscription from http://
www.insidedefense.com/
---------------------------------------------------------------------------
Access to various levels and kinds of classified material can be
authorized to persons with corresponding clearance levels and need-to-
know. Clearances are provided through the federal departments for their
own personnel and contractors. Although periodic reinvestigations check
external risk factors such as indebtedness for cleared personnel, it
may be necessary to strengthen personnel requalification through a
better human reliability program.
The 1995 DOE policy to make L (Secret) the default clearance level
instead of Q (Top Secret) introduces many less-scrutinized people
within our security perimeter. We recommend that only Q-cleared
personnel have routine access within our security areas. This would
require a much higher quota of new Q clearances.
Personnel develop sound security work habits through initial
training, work experience in a supportive environment, and refresher
training. This is the normal process at my Laboratory. I know these
people and I know their work style. It is not an atmosphere of
widespread disdain for security.
However, to ensure that current requirements are clearly
understood, we conduct required periodic security retraining and hold
occasional special events for security awareness. The basic retraining
program has a number of elements and is largely computer-based on the
Lab's internal web, to ensure currency and standardization. The
retraining system is highly automated, including reminders emailed to
the individuals and their administrative offices, and automatic
rejection of personnel at security area badge readers if their training
has lapsed.
We have conducted a number of special events for security awareness
that consist of presentations by respected security experts and use of
professionally-prepared training materials. This follows a pattern
developed by Integrated Safety Management that has been well-accepted
by the workforce. We had very good employee feedback from these
sessions. I have directed that security awareness training be conducted
this summer for all employees. This will be an occasion for
presentation of the Integrated Safeguards and Security Management
System to the whole workforce. Additional security training will be
focused on areas of need; for example, last week we conducted a
security immersion day for NEST.
I am particularly concerned about the apparent human failure
involved in this incident. Losing or misplacing secret information is a
serious matter but does not necessarily expose the individuals involved
to severe disciplinary action if promptly reported. The rules are
intended to accommodate a certain level of inadvertent security
infractions through self-reporting. Through prompt reporting it can
sometimes be established that the material was never left unprotected,
and if not, then its movement can reconstructed and perhaps the
material can be found. With prompt action the consequent damage to
national security can be more effectively determined and limited. We
will have to ensure that our security awareness training strongly re-
emphasizes the reporting requirement to our employees.
DOE has several special personnel programs, such as the Personnel
Security Assurance Program (PSAP) and the Performance Assurance Program
(PAP), to assure fitness for particular duties. For example, personnel
handling nuclear weapons are evaluated for psychological stability and
drug abuse. It is important that an expanded human reliability program
be wisely employed to help us determine if we have risks with people in
our most sensitive programs. The DoD report cited above reaches a
similar conclusion.
Access to Programs
There are rules specifying access privileges to information in
various categories according to the clearances held by a person. Beyond
a Q-clearance, which enables access with need-to-know (NTK) to SRD and
Top Secret material, there are Special Access Programs (SAPs) and
Sensitive Compartmented Information (SCI) access.
SCI information is often intelligence-related and
compartmentalization helps protect sources and methods as well as
highly sensitive information. Access to a SAP or SCI program can be
granted only by a designated government program manager. Los Alamos
works in many SAPs and SCI programs with the DOE and other federal
sponsors. A DOE rulebook dictates the formal steps required for in
these relationships to ensure that roles and responsibilities are
documented.
There are a number of special programs (non-SAP, non-SCI) at Los
Alamos into which line managers have had little or no access to ensure
that Laboratory safety and security rules are met. Prior to this
incident it was not clear to our line management and security people
whether or not they had the necessary authority to accept
responsibility for the detailed security procedures of these programs.
By their very nature, sponsors try to limit the number of people who
have access to such programs. It is important that the line management
maintain oversight of the security and safety of all such activities
with assistance from security experts.
NEST SECURITY
The NEST program has been operated as a closely held need-to-know
program but not a formal Special Access Program. Los Alamos has made a
good faith effort to participate in this program as we understood the
guidance of the program sponsors in DOE. Oversight of NEST by our
Security Division was limited. Not all aspects of the NEST security
plan were reviewed and approved by laboratory managers for compliance
with DOE rules or for best security practices. Even if NEST was treated
as a closely held need-to-know program, it was subject to DOE policy
for handling SRD, and that policy was in place at the Laboratory. We
have been asked by the FBI not to interview the current Los Alamos NEST
team, so we cannot report on any security audits that the team may have
conducted. I also do not have the results of any security audits of
NEST that DOE may have conducted. However, our preliminary review of
NEST operations prior to the FBI being engaged indicates to us that the
program operated using normal SRD security measures, although
additional factors may be uncovered by the present FBI or future
investigations and could cause us to modify this judgment.
The vault where the X Division NEST toolkit was stored was subject
to normal inspections by our Security Division. Since there was no
accountable matter in the vault, inspections were related to physical
security and spot-checks on document markings. Adequate equipment,
procedures, training, and personnel qualifications were in place to
enable secure handling of NEST items.
Execution of security oversight is less clear. Our discussions with
DOE have revealed that some personnel at DOE did not have the same
understanding as LANL personnel of how NEST program security was to be
administered. Elimination of such misunderstanding is a mutual
responsibility of the DOE and the Laboratory.
We believed in good faith that this program was indeed considered
special in a very real sense, i.e., a ``close-hold'' program. There was
a list of the people allowed access to the information. Deployment
details were very closely held. We are addressing this issue with DOE
and are working together to eliminate the ambiguity that we have
discovered. In fact, the Deputy NNSA Administrator for Defense Programs
sent me a letter on June 16 clarifying that we are responsible for the
security of all programs unless directed to the contrary.
There are a number of other closely held need-to-know programs that
have some of the characteristics of the NEST program. On the basis of
the NNSA letter we are undertaking a comprehensive review of their
security. I believe that NEST and other closely-held need-to-know
programs should have a level of formality that includes, at a minimum,
a security plan reviewed and approved by DOE and laboratory management
delineating roles and responsibilities for security for all
participants, strict accountability and tracking control for all SRD (
and higher) information and equipment, regular security/counter-
intelligence training and certification, and regular audits.
Such measures would not necessarily have prevented the hard-drive
incident , but would have made it easier to detect someone violating
security.
SUMMARY OF CURRENT ACTIVITY
It is critically important for national security that our recent
security incident be analyzed, the lessons learned, and corrective
actions taken. At the local level, many changes already have been
implemented and many are planned or under consideration. At the
national level, actions are underway that provide an enhanced focus on
security, especially for computer media. I will summarize
recommendations and actions underway.
First, the National Nuclear Security Administration will provide a
new setting for our nuclear weapons programs, including a strong focus
on security management. It is important that the NNSA and its new
leader, Gen. John Gordon, be given the opportunity to create a new
management team and processes that will ensure we accomplish our
mission with effective security for these times.
I am also very pleased that the Administration has created the
Hamilton-Baker panel to review the hard-drive incident. I believe that
these two distinguished public servants will provide a thorough and
thoughtful analysis and recommendations.
We are implementing upgrades to current security practices to
address some of the underlying factors that may have contributed to the
recent security incident. I have explained most of these in context
above. In summary:
Upgraded access control measures now in place include positive
identification and logging of persons for vault entries by the
vault custodian during work hours and through the central alarm
system manned 24 hours per day by our guard force. In addition,
if a vault custodian leaves his/her station, the vault must now
be locked and alarmed. Entry to Limited Access Control Areas is
also under review to improve controls.
We are implementing inventory control of portable high-density
data storage devices with Secret Restricted Data. Device bar-
coding for this purpose is nearly complete. Development of
requirements are underway with the DOE for reinstating
inventory control of SRD information.
We are also considering how to reduce the volume of secret
information held in distributed storage, to facilitate
inventory control, yet not lose the valuable information from
the past.
Encryption will be evaluated and incorporated as DOE guidance
is received. This will preserve the secrecy of information
regardless of control of the physical media.
In our security awareness training, we will emphasize the
importance of continuing self-reporting. We must ensure that
our security practices do not discourage this.
We are considering how to provide a graded approach to
personnel evaluations according to their access to the most
sensitive information. It may be necessary to include PSAP-like
features in evaluating fitness for duty for some positions.
CONCLUDING REMARKS
If we made all these significant improvements in security over the
past year, why didn't it prevent the latest security incident? It
appears that there are a number of contributing factors, none of which
can be or should be used as an excuse.
Policies, procedures, and security systems are all necessary to
make it difficult for someone to compromise our nation's secrets, but
also to make it easier to detect someone who tries to do so. Such
measures will not be able to wholly prevent inadvertent or intentional
human error.
There are additional improvements we can make. We will follow DOE
guidance when it is received. To initiate further changes without that
guidance usually leads to backing up and starting over, which wastes
scarce resources.
We have worked very hard and invested many resources in physical
and cyber protection, but nonetheless we have suffered severely
damaging incidents.
Many people have stated that security, due to its inherent desire
to keep information closed, is totally incompatible with science, whose
fundamental premise is openness. There is no doubt that there is a
tension between these two objectives--but it has been managed at Los
Alamos and elsewhere for many years. It requires great diligence and
continual improvements to deal with changing situations. It must be
managed because science is too important to the future of our nation's
security. Science creates the ideas that strengthen our national
defense. Science created the information on the hard drives. We look
forward to the leadership of the NNSA to help us strengthen our
security environment while preserving science at its best.
Although we incorporated all existing DOE policies in our
requirements and had highly qualified workers involved, it appears a
failure to execute required duties occurred, possibly from deliberate
human action or omission of action. Security is not just the rules and
the systems. We must engage the hearts and minds of the people. I
reject the conclusion that this latest incident is typical of our
workforce. Our people are dedicated to national security. Many have
spent a large fraction of their lives contributing to our most
important national problems. At the same time, we must insist that
arrogance, carelessness and indifference to security not be an excuse
for inadequate protection of our nation's secrets, regardless of the
scientific accomplishments of the individual or the organization.
Our goal is zero security violations. We are accountable and
committed to make the needed changes to improve our security. We can
have science at its best and security at its best. Our nation needs
both and should demand no less.
Mr. Upton. Thank you.
Dr. Tarter.
STATEMENT OF C. BRUCE TARTER
Mr. Tarter. I will try to be very brief also. Let me first
reinforce and reaffirm what I think Dr. Browne has just said,
that security, and I think it also restates something I think
Mr. Podonsky said several times this morning, both in its
testimony and in answer to questions. Security on our site is
our site's responsibility, and responding to basically the set
of Department of Energy requirements. It is not some third
party. It is not somebody else. It is mine as the leader of the
site. It is the responsibility of the employees on the site.
And that is ours to do in response to DOE requirements. And I
think you pointed out occasionally that comes into some degree
of conflict of knowing exactly how to implement those, but that
is the way the system works. There aren't magical silver
bullets in the sky that you invoke to make it happen. We have
to do it onsite in response to the DOE regulations and what
will now become the NNSA part of those regulations.
I think, as I said to the committee last year, we have, I
think, done well in many aspects of security. I think there are
two that I think are still very much works in progress. And I
think the committee has covered one this morning very, very
thoroughly, but let me mention the two I think--one that has
come out of the hearing and one which several committee members
have alluded to. And as I was listening to all the testimony
this morning, I was struck again and again about details of
vault access, details of document control. A whole variety of
different things. And you do not want to go back to one thing.
But whatever the set of events that created the set of actions
taken in the early 1990's, which basically took accountability
of documents out--off the table, I think almost everything else
in dealing with the inside treatment of information has flowed
from that. And in agreement, I think with Dr. Robinson and Dr.
Browne, and I believe the Department, I think we do need to
return to a system of full accountability for the documents
inside the system.
It is not as simple as just saying it. It is a major task.
The interface with other agencies is complex. Contrary to some
testimony, the Department of Defense does not have as close a
security system in those documents as we had before the 1990's
period. But I think we need to do that.
The second thing--and I think Congressman Cox has made this
point on a number of occasions, I think when you visited this
you saw this, too--that technology has outstripped, in many
cases, what I would call your intuition, and our intuition,
about how to treat--how to protect great masses of concentrated
information of high value. And I think that is something which
is still a work in progress. I think all of us appreciate the
supplemental money which has been, I think, added to help us
this year now to work on that problem. But this is not a simple
problem, because taking all of the documents we have, we can
still put them in very small concentrations, and I think we
need a different way of treating that information.
Let me close by simply stating that I think there are two
other comments. I think as with the other laboratories, in
spite of the change in document control, we continue to treat
Top Secret information differently. We have had that under
almost a complete control, and I am confident that that
information has been handled well over this period of time.
Second, one of the first things that I did after I was
informed of the Los Alamos incident was go through our NEST
procedures. I would be happy to do that for the committee, but
we found everything was where it was supposed to be. And I went
through our procedures, and I believe they were quite adequate.
But I would agree that I believe there should be a formality of
operations complex-wide because as I learned, most of our
particular NEST regulations were ones that were done by our own
site. I think they were good ones, but I think it should be
done uniformly across this system. Thank you very much.
[The prepared statement of C. Bruce Tarter follows:]
Prepared Statement of C. Bruce Tarter, Director, Lawrence Livermore
National Laboratory, University of California
OPENING REMARKS
Mr. Chairman and members of the Committee, I am the Director of the
Lawrence Livermore National Laboratory (LLNL). Our Laboratory was
founded in 1952 as a nuclear weapons laboratory, and national security
continues to be our central mission.
The specific events that prompted these hearings are most
regrettable. However, I welcome the opportunity to report to you the
progress we are making to increase security at our Laboratory. My
statements before this Committee during the past year provide a record
of the many specific actions we have taken in this area. And, in
January 2000, our Laboratory was visited by three members of the
Subcommittee--Chairman Upton, Vice Chairman Burr, and Representative
Cox--to see our security measures first hand and to discuss issues with
senior managers as well as working nuclear weapons specialists in their
workplace. We were very grateful for that opportunity. These prior
interactions and my testimony today focus on three points:
Progress. In December 1999, Livermore's security programs
received an overall Satisfactory (Green) rating from DOE's
Office of Independent Oversight and Performance Assurance.
Since the Los Alamos incident, we have been expeditiously
implementing enhanced protection measures--those directed by
DOE Secretary Richardson and those taken on our own initiative.
Commitment. Our national security mission and safeguards and
security are inextricably linked, and we take both obligations
very seriously. I am ultimately accountable for the
Laboratory's performance and have made very clear to all
employees, who have been specially trained in security
measures, their individual and collective responsibilities.
Challenges. An extensive security and counterintelligence
infrastructure is in place. However, we continually have to
adjust to new security threats and challenges, and those
arising from rapid changes in information technologies warrant
particular attention and investment.
improvements to increase confidence in security
A Satisfactory (Green) Security Performance Rating. Throughout
1999, we worked expeditiously to address all issues that arose in self-
evaluations or resulted from the May 1999 inspection by the DOE Office
of Independent Oversight and Performance Assurance. In particular, we
took steps this past year to upgrade each leg of our security triad--
physical security, cyber security, and personnel security (including
counterintelligence). Actions included steps to improve:
The protection of Special Nuclear Materials (SNM), by
executing an action plan to analyze, document, performance
test, and enhance the Laboratory's comprehensive protection
strategy. We also made numerous physical and procedural
upgrades and increased the size of our Special Response Team.
Procedures for Materials Control and Accountability, by
demonstrating the ability to consistently meet SNM measurement
and inventory requirements and resolve inventory differences in
a timely manner.
The physical security and protection of classified matter, by
addressing performance issues in several of our vault-type
rooms (VTR), upgrading classified parts storage areas,
replacing non-GSA-approved repositories, and installing
additional barriers to segregate L-cleared employees from Q-
clearance-only areas.
Cyber security, by implementing scheduled steps in a Nine
Point Action Plan to better protect both unclassified and
classified computer systems. For example, the installation of a
firewall between the open and restricted portions of the
unclassified network has increased protection against outsider
threats. For the classified system, which is not connected to
the outside world except through NSA-approved encryption, steps
were taken to protect against ``insider'' threats: ensured
physical incompatibility of removable media between classified
and unclassified systems, logged access to centralized weapons
data bases, rigorous new procedures for the transfer of
unclassified data from classified computers, and additional
internal firewalls to enforce stringent need-to-know
separations.
Counterintelligence, by adding staff to a Counterintelligence
Program at Livermore that was established in 1986 and has been
well integrated into the U.S. counterintelligence community for
many years. Polygraph testing of identified classes of
employees has also begun and we are committed to completing the
necessary testing.
Employee security awareness and training, through a
comprehensive security awareness program that exceeds DOE
mandatory requirements. In addition, all Laboratory staff
participated in two two-day stand-downs of activity in 1999 for
intensive training and to review their individual and
collective responsibilities.
As an outgrowth of these efforts, we received an overall
Satisfactory (Green) rating from the Office of Independent Oversight
and Performance Assurance in their Follow-up Inspection in December
1999. We continue to make upgrades to strengthen all aspects of
security, address identified issues--such as those that arose because
of the Los Alamos incident--and deal with any perceived weaknesses.
LLNL Actions Following the Los Alamos Incident. Lawrence Livermore
personnel also support emergency response activities such as the
Nuclear Emergency Search Team (NEST). In conjunction with this
responsibility, the Laboratory has classified hard drives and computers
that are taken to the field to complete assignments as requested by
DOE. Livermore officials were made aware of the security incident at
Los Alamos as soon as their top management was informed. We conducted
our own, parallel review at Livermore to assure that our emergency-
response assets had not been compromised. All NEST data stored at the
Laboratory was and is accounted for.
Beyond NEST, the incident raised broader issues about access to
vaults and portable, highly-concentrated collections of sensitive data
at Livermore. A working group was immediately chartered to review the
Laboratory's classified data holdings, identify the locations of
especially sensitive and portable collections of high concentrations of
data, and recommend appropriate procedures to provide additional
protection. This review has been completed and found that we were
compliant with DOE requirements. Nonetheless, enhanced chain-of-custody
controls and access procedures have been implemented at the identified
locations.
Access control to vaults and vault-type rooms (VTR) at the
Laboratory is managed in accordance with current DOE requirements. An
access control list is maintained for each, and an area custodian uses
the list to determine who may enter without an escort. We are upgrading
our vault-access verification procedures in accordance with the
Enhanced Protection Measures directed by DOE Secretary Richardson on 19
June 2000. In addition, the Laboratory has instituted a working group
to address the effectiveness of our vault and VTR operations and
management. They are in the process of identifying additional
protection measures beyond those required by DOE that can further
enhance security.
A Review of Classified Matter Protection and Control Procedures.
Following the Los Alamos incident, the DOE Office of Independent
Oversight and Performance Assurance conducted a review of the
effectiveness of Classified Matter Protection and Control (CMPC)
procedures at the Laboratory. The review focused on the protection of
the most sensitive classified assets--weapons design information and
use control information--within the Defense and Nuclear Technologies
Directorate and Top Secret information. Key aspects of protection,
including information generation, storage, marking, destruction, and
control of access, were examined. Particular attention was devoted to
the role of Laboratory management in ensuring that DOE policies related
to control of classified matter are established and implemented.
The review was conducted from June 19 through June 21, 2000, and
the results--as summarized in the draft report--were satisfactory.
Particular mention is made of strong management attention to issues,
including a proactive approach to emerging needs to enhance protection,
attention to training programs, inclusion of security considerations in
personnel performance evaluations, and pursuit of an enhanced security
self-assessment program.
AN INSTITUTIONAL COMMITMENT TO SECURITY
Security and Science. Security and science are both central to
Livermore's purpose and its operations. They are tightly coupled in our
programmatic activities, and we are deeply committed to both. Through
the Stockpile Stewardship Program, we further national security by
applying advances in science and technology to maintain the nation's
nuclear stockpile in the absence of nuclear testing. With less than 2%
of the world's research and development being conducted at DOE national
laboratories, many of the scientific advances that we adapt and apply
to national security problems are made elsewhere. Hence, we interact
with the broad science and technology community to be cognizant of
major advances and to acquire needed special expertise. We also engage
foreign nationals as part of our national security mission through
participation in international efforts to prevent the spread of nuclear
weapons, materials, and know-how.
Accomplishing our mission depends critically on these external
interactions, and we must manage them in a way that protects sensitive
information. It is a challenge, but not the ``clash of cultures'' that
is so often portrayed. Since the Laboratory's founding, both security
and science have been central to our ``culture.'' The staff at
Livermore take great pride in their scientific and technical
accomplishments. They are also attracted to the Laboratory and are
motivated by the opportunity to serve the nation. Few groups of people
in the world are more painfully aware than Livermore employees what the
loss of nuclear weapons secrets means to the security of the nation.
Few groups are more concerned about the impact of the diffusion of
information on proliferation. Few have been more at the forefront of
initiatives to limit the spread of weapons of mass destruction and to
develop capabilities to prepare the nation to deal with the threat of
their use.
Security is not just our business, it is part of the way we
operate, but so are outside technical interactions. Security and
science are not incompatible objectives, but they require threat
awareness, proper training, and vigilance.
Security Awareness and Training. As I have said, I am ultimately
accountable for the Laboratory's security performance, and our success
depends on the vigilance of everyone--from senior managers to
individual employees. Increased vigilance is evidenced by a three-fold
reduction in the number of security infractions that have occurred over
the past year. All Livermore workers are aware of the ``zero
tolerance'' policy for security violations that place nuclear secrets
at risk. They rely on a comprehensive Safeguards and Security Awareness
Program at the Laboratory to understand their responsibilities, proper
procedures, and best practices. In addition to a series of DOE
mandatory briefings--many of which are annual requirements--the
Laboratory offers nearly a dozen additional programs, some of which
train people for specialized security responsibilities. Each year, all
employees are required to complete security refresher training, and
those that do not or fail the follow-on test have their clearance
suspended or lose it.
As an example of training, regardless of previous assignment,
employees joining the Defense and Nuclear Technologies Directorate are
required to be thoroughly instructed as to their responsibility for
protecting classified matter as well as specific procedures used within
the program to generate, use, store, transmit, and destroy classified
material. Significant additional training is required for classified-
document administrative specialists and custodians.
Laboratory-Wide Implementation of Security into Day-to-Day
Activities. Our institutional commitment to security is reflected in
the way that we centralize authority for key functions while
distributing responsibilities for execution. For example, we
established in 1991 a Classified Document Project Office (CDPO) to
provide Laboratory-wide programmatic direction and oversight of
classified document protection and control. Interfacing with all levels
of Laboratory management, the CDPO ensures development of protection
and control procedures, develops and implements training activities,
performs self-assessments, and manages the Livermore Administrative
Document System (LADS). LADS is a centralized computer system that
provides modified accountability (tracking access to material rather
than specific pieces of paper) for all classified documents at the
Laboratory except those that are in Special Access Programs or are in
Sensitive Compartmented Information Facilities, which have additional
restrictive controls.
In the area of cyber security, the Laboratory has a Chief
Information Officer (CIO). The CIO leads a Laboratory-wide Computer
Security Council that reviews the Computer Security Program and
approves computer security policies. Program products include policies
and guidelines that locally implement DOE's Computer and
Telecommunications Security Orders, templates to assist the development
of system-specific security plans, and checklists and testing
guidelines to support certification of classified computer systems. In
addition, an individual in each directorate serves as the central point
of contact for cyber security. These Directorate Cyber Security
Officers, who meet regularly with the Computer Security Program,
oversee and ensure uniformity of Cyber and Telecommunications Security
implementation. This system of Cyber Security Officers has been in
place for the last six years.
University of California Actions to Enhance Security. As the
Laboratory has developed and continues to develop plans for and
implemented changes to enhance confidence in security, we depend on
outside review to help surface the best ideas and provide quality
assurance. We have benefited considerably from the efforts of the
University of California Office of the President. In addition to hiring
a security expert, retired Air Force Colonel Terry Owens, to serve as
UC Director for Safeguards and Security, the University formed a
Laboratory Security Panel of the UC President's Council. It was able to
attract highly respected counterintelligence and security experts to
participate. The panel, chaired by retired Rear Admiral Thomas A.
Brooks III, is helping us to identify potential security weaknesses and
develop improvements. Just last April the panel conducted a high-level
review of our computer security program.
The University's commitment to work with the DOE to improve
security at the two laboratories is further demonstrated by the
specific actions UC has taken since the Los Alamos incident. In
addition, since early this year, UC and representatives from the
laboratories have been pursuing an initiative to develop and implement
an Integrated Safeguards and Security Management System (ISSM) at both
Livermore and Los Alamos national laboratories. This system, when in
operation, will fully integrate security awareness, the principles of
sound security practices, and the needed tools into the day-to-day
performance of individuals and institutional activities.
CHALLENGES IN THE CONTROL OF CLASSIFIED INFORMATION
Accountability of Classified Materials. Accountability requirements
for classified restricted data documents go back to the days of the
Atomic Energy Commission. At first, these requirements included
tracking and keeping precise inventory of specific pieces of paper by
document and copy number. As copying machines multiplied the number of
documents and copies, the inventory requirement was dropped in the late
1970's and then reinstated in the late 1980's. With changing missions
and decreasing budgets, DOE aligned with the requirements of the NISPOM
(National Industrial Security Program Operating Manual) and moved away
from full accountability in 1992. Basically, it was concluded total
accountability does not necessarily translate into total control and
effective protection of the material in an age of copying machines and
FAX machines. An unfortunate consequence of the change is that it
created an overall environment in which the formality of handling
classified information has been reduced.
In some areas--the handling of Top Secret documents and Sigma 14
and 15 weapons data--Livermore has continued to follow more stringent
than DOE-required control procedures. Greater accountability and
control of such materials system-wide may be warranted. Major concerns
also arise because of the revolutionary changes that have occurred in
information technologies. Accountability of pieces of paper is a far
different issue than accountability of hard drives that can hold
Gigabytes of data, roughly a thousand times more than the main memory
of the Cray-1 computer, the Laboratory's most capable machine in the
late 1970s. As recent events make it very clear, we need to enhance
controls over and the accountability of portable, highly-concentrated
collections of sensitive data. We are taking steps to do so.
The Need for Investments. Security upgrades do not come without
cost. For example, at Livermore, resources devoted to our Computer
Security Program increased from $1.3 million two years ago to $18.4
million this year. To implement the cyber security upgrades that we are
expected to complete over the coming year without seriously eroding
programmatic work, additional funds--beyond what was in the President's
budget request--are needed. This is a DOE Defense Programs complex-wide
issue that merits serious attention. Adequate funding must be
complemented by a consistent set of policies and thoroughly vetted
planning to make certain that costs and benefits are carefully weighed
as we deliberate about new directives and revised procedures.
CLOSING REMARKS
I appreciate the opportunity to address the Committee on our
efforts to increase security at our Laboratory and to enhance the
control of classified information based on the painful lessons learned
from the recent security incident at Los Alamos. As I have stressed,
secure operations are vitally important to Livermore--they underpin all
our research and development activities and protect some of our
nation's most closely held secrets. We continue to upgrade physical
security, cyber security, and our counterintelligence program to
strengthen these areas, address new threats and concerns, and deal with
any perceived weaknesses. Our efforts are made more challenging by
rapid changes in information technologies and would benefit from an
infusion of new investments--particularly directed at cyber security.
Mr. Upton. Mr. Aftergood.
STATEMENT OF STEVEN AFTERGOOD
Mr. Aftergood. Thank you, Mr. Chairman. Thank you for
holding this hearing. We have been talking not about security
as much as about the rules for security. And I think that is an
important distinction that has gotten lost.
GAO presented a list of rules that have been modified over
the past 10 years in the direction of relaxing security. They
did not ask whether those rules, in their prior form, had
actually been implemented. I provide some evidence in my
written statement that such rules were not implemented, in
particular, annual inventories and others.
A deeper question is whether the rules were tighter or not
and whether they were implemented or not? Was security better
or not? An investigation done in 1990 found that there were
over 5,000 Secret restricted data documents that were missing
and unaccounted for. It is at least a logical possibility that
security is better today, not worse, than it was 10 years ago.
And because we have been focusing on the rules and not the
reality of security, we are missing that important possibility.
Let me just skip very quickly. Dr. Robinson mentioned a few
words critical of the declassification program of the 1990's. I
would like to suggest to you that declassification is not a
problem, but it is part of the solution. It is how we take this
vast mass of classified information and turn it into a
tractable management problem. We are always adding stuff to the
mountain of classified material. It is important that we have
an orderly process to remove information control.
Congressman Cox spoke about the polygraph tests, the
scientists wearing buttons. I would suggest to you that the
scientists are well within their rights. Polygraph has not been
proven as a useful device for employee screening. There is some
data that the polygraph is useful for incident-specific
investigations. In other words, to investigate a particular
security violation. There is no documentation to support
polygraph testing for employee screening.
You may recall that Secretary of State George Schulz
famously threatened to resign during the Reagan administration
rather than undergo polygraph testing. It wasn't because he was
a scientist or indifferent to national security, but because
the polygraph is a problematic and dubious technology.
Last, I would just like to stress the point about balance.
Balance is not a word that has been mentioned much today, I
think until Dr. Browne mentioned it. It is a mistake, I
believe, to look at security in isolation. Security is part of
a larger picture. The larger picture is the health and vitality
of our national laboratories. And whenever we think about
changes to security, we should ask at least two questions: What
would those changes cost financially, and more important, what
will their impact be on the viability of the laboratories?
You know, the Department of Defense has research
laboratories also, and we do not hear any complaints about
security there. The problem is we do not hear anything good
about them either. Army General William Odom, many of you know
I am sure, has actually called for the DOD research labs to be
abolished. He said they haven't invented anything of value for
years and years. That should not be our goal for the DOE
national laboratories. Security is an important part of the
picture, but it is only a part. And we should always think
about the larger picture. Thank you very much.
[The prepared statement of Steven Aftergood follows:]
Prepared Statement of Steven Aftergood, Senior Research Analyst,
Federation of American Scientists
My name is Steven Aftergood and I am a senior research analyst at
the Federation of American Scientists (FAS), which was founded in 1945
(as the Federation of Atomic Scientists) by Manhattan Project
scientists at Los Alamos. FAS performs policy research and advocacy on
a range of national security policy issues, with an emphasis on nuclear
arms control. I direct the FAS Project on Government Secrecy, which
studies government secrecy and information security policies, and
generally advocates a reduction in the scope of the national security
classification system. As required by Committee rules, I hereby state
that neither I nor FAS has received any federal grants or contracts
that are relevant to the subject of this hearing during the current
fiscal year or the two preceding fiscal years.
BALANCING COMPETING INTERESTS
The basic conundrum for information security policy is how to
balance security with other competing interests such as cost and
mission performance. Security is ``too good'' if it precludes or
significantly interferes with achievement of program goals. And since
funding resources are finite, there are practical limits to security in
any case.
It is necessary to accept the fact that there can be no absolute
security. The best one can aim for is to manage the security risks,
keeping them to a reasonable minimum, while optimizing mission
performance and limiting costs.
The proper balance is not obvious, because it depends on multiple
considerations, including threat level, resource availability, and
other factors, all of which may change over time. In practice, a
different balance has been proposed at different times over the last
decade. Some benchmarks of shifting security policy positions, as they
apply to document ``accountability'' and classification, follow.
a. The 1990 Freeze Report: Thousands of Unaccounted-For Secret
Documents
In 1990, DOE conducted a major review of security policy, which
raised many of the same issues of accountability for classified
documents that have recently surfaced. The Report of the Secretary's
Safeguards and Security Task Force, chaired by Major General James F.
Freeze, USA(ret.), noted that DOE document accountability requirements
had come and gone and come again:
Historically, the Department had not required Secret document
inventories except for weapons data, and the Task Force was
advised that requirement had been dropped ``in the early 1970's
for cost benefit reasons.'' However, weaknesses in the
accountability for Secret documents were identified by a
Classified Document Control Action Team in late 1986.
Therefore, the requirement to conduct an ``initial inventory''
of Secret documents was included [for both Department elements
and contractors] . . .
This new Secret document inventory requirement was not fully
implemented. Even so, a partial inventory revealed that thousands of
Secret documents were accounted for:
Failure to complete the required complex-wide 100% inventory
of Secret documents on a timely basis has resulted in an
unsatisfactory condition . . . The estimated number of Secret
documents throughout the complex was 6,165,969. The number of
documents inventories at that time [October 1989] totaled
3,299,936, and there were 5,716 unreconciled or unaccounted for
documents.
Interestingly, control of Top Secret documents was found to be
satisfactory. No Top Secret documents were unaccounted for.\1\
---------------------------------------------------------------------------
\1\ Report of the Secretary's Safeguards and Security Task Force
(the ``Freeze Report''), December 1990, pp. 17, 70-71, emphasis added.
---------------------------------------------------------------------------
b. National Industrial Security Program Eliminates Secret
Accountability
The National Industrial Security Program arose in response to
President Bush's National Security Review 25 (4 April 1990). It was an
attempt to develop uniform security policies for government contractors
in the interests of cost efficiency. As President Bush put it: ``The
development of a single, coherent and integrated industrial security
program should be explored to determine the extent of cost savings for
industry and government while improving protection of our national
security interests.''
In the early post-cold war days, cost savings were given higher
priority than improved protection, and requirements for Secret document
accountability at contractor facilities were soon dispensed with.
(Secret document accountability within most government agencies had
been abandoned decades earlier.)
A DOE security official articulated DOE's opposition to document
accountability at a 1993 meeting of the NISP steering committee:\2\
---------------------------------------------------------------------------
\2\ Minutes of the NISP Steering Committee Meeting of 20 July 1993
(unpublished).
---------------------------------------------------------------------------
Ed McCallum, DOE, advised that DOE does not concur with
retention of SECRET accountability, stating that it is very
expensive to account for SECRET when such a security
requirement can so easily be circumvented. Moreover, Ed stated
that in his opinion, such a security requirement dictates that
an inspector spends a good portion of their time in an
inspection ``chasing paper,'' rather than concentrating on the
real security vulnerabilities at the facility.
The Central Intelligence Agency representative at the meeting also
expressed opposition to accountability for Secret documents. The
Defense Department favored accountability, but ``with a more
liberalized approach to the administrative methodology employed by the
contractor.'' Ultimately, a requirement for Secret accountability was
eliminated government-wide by the National Industrial Security Program
Operating Manual, published in 1995.
c. The Higher Fences Initiative: Increased Classification for the Most
Sensitive Information
In 1993, then-Energy Secretary Hazel O'Leary established a
``Fundamental Classification Policy Review'' (FCPR), a comprehensive
review of all DOE classification policies that was intended ``to
determine which information must continue to be protected and which no
longer requires protection and should be made available to the
public.'' It was endorsed by Congress in the conference report on the
FY 1994 Energy and Water Appropriations Act. This was the first
comprehensive review of DOE classification in fifty years, and was
conducted by government scientists from DOE and DoD. To my knowledge,
no other government agency has undertaken a comparable review of its
own classification policies.
Along with numerous recommendations for declassification, the
Review also include a call for increased classification of 137
categories of certain highly sensitive nuclear weapons information.\3\
This recommendation became known as the Higher Fences Initiative, since
it envisioned higher, Top Secret security ``fences'' around a small,
select subset of very sensitive information. [It may be noted that any
such upgrade to Top Secret would entail document accountability for the
affected information, among other increased protections.]
---------------------------------------------------------------------------
\3\ Report of the Fundamental Classification Policy Review Group,
Dr. Albert Narath, Chair, unclassified version, December 1997, page 26.
An initial draft report was published for public comment on February 1,
1996.
---------------------------------------------------------------------------
Contrary to some erroneous news reports, the recommendations of the
FCPR were accepted by Secretary O'Leary and formed the basis for
ongoing negotiations with the Department of Defense beginning in 1997.
However, the proposal to upgrade certain Secret information to Top
Secret was rebuffed by DoD for cost reasons, even after DOE had
significantly shortened the recommended list of 137 topics. DoD
explained its opposition to Higher Fences in a 1999 letter:\4\
---------------------------------------------------------------------------
\4\ Letter to General Eugene E. Habiger, Director, Office of
Security and Emergency Operations, U.S. Department of Energy, from Hans
Mark, DDRE and Arthur Money, ASD(C3I), Office of the Secretary of
Defense, December 17, 1999.
---------------------------------------------------------------------------
Even working with this significantly shortened list, we
anticipate that the costs of implementing such a program would
be substantial. They would extend to such requirements as the
upgrade of clearances with Single-Scope Background
Investigations, the establishment or addition of TOP SECRET
storage facilities at government and contractor facilities, the
sanitization of SECRET-level computers and computer networks
where this information currently resides and institution of new
TS-level capabilities, etc . . .
In addition to purely financial considerations, the DoD is
concerned that there may also be operational costs. For
example, the ability to respond to urgent stockpile problems
may be inhibited if it should happen that the necessary
responders are not cleared at the appropriate level . . .
This DoD assessment provides a vivid illustration of how security
professionals may balance the competing interests of security, cost,
and ease of operational use in different ways. Neither DOE nor DoD is
obviously wrong, nor is either agency clearly derelict or oblivious to
security. They have simply reached different, and conflicting,
professional judgments.
(It should be noted in passing that DOE's Secret-Restricted Data
[SRD] category is comparable in some respects to ``ordinary'' [i.e.
non-Restricted Data] Top Secret elsewhere in the government. So, for
example, the ``Q'' clearance required for access to SRD is
approximately as rigorous as the Top Secret clearance. For that reason,
DOE relies heavily on SRD and has rarely used the classification
category ``Top Secret Restricted Data,'' which entails security
measures beyond those required for ordinary Top Secret elsewhere in the
government. The 1990 Freeze Report found that there were no more than
3,451 Top Secret documents throughout the entire DOE complex, a
comparatively minuscule number.)
DECLASSIFICATION AS A SECURITY MEASURE
Neither the declassification measures nor the classification
upgrades recommended by the Fundamental Classification Policy Review
have been fully implemented by the Department of Energy. Both aspects
of the Higher Fences Initiative deserve continued consideration.
Since the need for increased protection may seem obvious at the
moment, I would like to stress the equal importance of relaxing
protection in areas of lower sensitivity, i.e. declassification.
There is a tendency among some to believe that greater secrecy
translates directly into greater security, and that declassification
means increased vulnerability. This is not so.
Declassification is an indispensable component of a rational
information security program. Removing information that is obsolete or
no longer sensitive from security controls through declassification
keeps security focused where it is most needed. It also preserves the
credibility of classification, which can otherwise become simply a
bureaucratic habit, instead of a vital instrument of national security.
Any information security reform program that does not provide for
appropriate declassification is incomplete.
NUCLEAR SECRECY IN PERSPECTIVE
The Department of Energy should make every reasonable effort to
ensure the protection of sensitive nuclear weapons information. But no
more than a reasonable effort. The limits of what information security
can achieve should be understood by everyone concerned so that
responsible security policies can be formulated and implemented.
In the first place, it should be obvious that information is only
one ingredient in nuclear proliferation, and it is not the most
important one. No nation or sub-national group can use classified
information to build a bomb unless it also has access to sufficient
quantities of suitable nuclear material, and an engineering and
manufacturing infrastructure to produce the bomb. But if it has the
latter two items--the nuclear material and the engineering capacity--
then it can dispense with classified information.
Thus, ``Access to classified information is not necessary for a
potential proliferator to construct a nuclear weapon,'' according to a
1995 report of the National Academy of Sciences.\5\ This is partly due
to the fact that much information about nuclear weapons design has been
declassified since 1945, and partly due to the fact that such
information, classified or not, can be independently replicated.
---------------------------------------------------------------------------
\5\ ``A Review of the Department of Energy Classification Policy
and Practice,'' National Academy Press, 1995, p. 19.
---------------------------------------------------------------------------
Fundamentally, it is not within the power of any classification
system or any information security policy to prevent the proliferation
of nuclear weapons. The most that classification of scientific or
technological information can generally accomplish is to delay the
independent achievement of any particular scientific discovery or
technological feat. But discovery or duplication cannot be prevented.
Thus, according to a DOE report, ``The considerable progress of
Iraq toward becoming a nuclear power was largely independent of U.S.
classification policy.'' \6\
---------------------------------------------------------------------------
\6\ ``Classification Policy Study,'' prepared for the Department of
Energy by Meridian Corporation, July 4, 1992, p. 35.
---------------------------------------------------------------------------
Finally, everyone should understand that the number of nuclear
weapons secrets is diminishing and will, in time, approach zero. The
``economics'' of nuclear secrecy favor disclosure, not continued
secrecy: Secrets that took hundreds of person-years and billions of
dollars to invent can be disclosed by a single individual and
disseminated around the world in an instant at no cost--whether through
official declassification, independent discovery, foreign disclosure,
espionage, malice, dissent, or error. In short, it is far easier to
disclose nuclear secrets than to create them. And unlike the secrets of
diplomacy or intelligence, nuclear secrets are not replenished on a
daily basis. There aren't many fundamentally new ones being created. As
a result, we must anticipate that, whether in five years or twenty-five
years, there will be no appreciable nuclear secrets left to protect.
Some would say we are there already.
CONCLUSION: ENDS AND MEANS
Information security is a means to a larger end, and is not an end
in itself. The frustration generated by recurring security failures at
the weapons labs tends to obscure this distinction. So, for example, a
proposal recently offered in the Senate would ``short-circuit'' the
necessary balancing of security, costs, and mission performance
discussed above by simply declaring that ``the protection of sensitive
and classified information'' should be ``the highest priority of the
National Nuclear Security Administration.'' \7\ But in the real world,
the NNSA must have higher priorities than protecting information.
Sometimes, one or more of its mission priorities--including the
promotion of international nuclear reactor safety and nonproliferation,
for example--will require the sharing or disclosure of classified
information, not its protection.
---------------------------------------------------------------------------
\7\ ``Implementation of Security Reforms at the Department of
Energy,'' a sense of the Senate resolution introduced by Senators Kyl
and Domenici, June 21, 2000, Congressional Record, pp. S5573-4.
---------------------------------------------------------------------------
The biggest risk of all concerns the institutional health of the
DOE national laboratories. Whether one is committed to stockpile
stewardship, to deep cuts in the U.S. nuclear arsenal, or to
dismantlement and eventual abolition of nuclear weapons, the
availability of a cadre of skilled nuclear weapons professionals is a
prerequisite for the foreseeable future. These professionals are
becoming an endangered species, and the laboratories are becoming a
deeply unattractive place to work.
Whatever the defects of current security policy, and whatever
reforms are ultimately determined to be necessary, the viability of the
national laboratories is an even larger and more important issue. The
labs should not be sacrificed in the name of an unachievable absolute
security.
Mr. Upton. Thank you very much as well.
We will now proceed to rounds of questions like we did with
the first panel of 5 minutes for each member.
Lab directors, Drs. Robinson, Browne and Tarter, what
authority did you have as individuals in terms of overseeing
the NEST security at your particular labs?
Dr. Robinson? We will start and go in order. Do you have a
direct chain-of-command link in overseeing in terms of what
they did in security?
Mr. Robinson. Certainly all the activities conducted on my
site, I am directly responsible for including the security and
the operations.
When the NEST team is deployed to the field, they must
operate under the rules of the particular site. We, thank God,
have mostly deployed them for exercises at other sites, rather
than actual threat conditions. They operate under the site
rules at that site under those conditions.
Mr. Upton. Dr. Browne?
Mr. Browne. My answer would be very similar. I am
responsible for all activities at the laboratory. I think in
the case of this particular NEST program at our laboratory, I
did uncover some issues that I believe could have contributed
to the particular incident. One of those was that in looking at
the security plans that were in place, they are pretty explicit
that people are supposed to take care of the information,
according to DOE Secret restricted data rules.
What was missing for me personally was that there was no
cross-cutting NEST security plan. There were pieces of security
plans. There was computer security plans, et cetera. There was
no signature on those computer security plans or other security
plans of any line manager of my laboratory. That is not typical
of how we would run a program. Someone in line management who
is responsible for the people, the facilities, would be in the
chain of command for ensuring that the practices of the
activities of the people were being actually followed. So I
think that may have been a shortfall.
Mr. Upton. You did not know about those shortcomings until
it was discovered that the two hard drives were missing?
Mr. Browne. That is correct.
Mr. Upton. Dr. Tarter.
Mr. Tarter. Again, a very similar answer on our site. I am
responsible. We are responsible for the security process. I
think our NEST program people had a set of procedures, both for
having personnel within the program, for having them vetted for
the program, for having the spectacular security things that we
implemented on the site. On-site, of course, they are under the
direction and the rules of whatever site they do their work
within.
Mr. Upton. Can you also tell me the differences in
functions, if there are any, between the NEST teams at each
particular lab?
Mr. Robinson. Let me go first. I think ours are the most
unique. Sandia's responsibility concentrates on the arming
devices, the electronics and how one might overcome those,
rather than the nuclear design. Consequently, we had no
analogous cores for NEST in any of our vaults.
Mr. Browne. We have several functions in the NEST program.
One is a group of people who are very good at measuring
radiation so that one can detect the presence of nuclear
devices and determine what might be there. There are also some
people who are good about analyzing how one might--not disarm
but disable a device. And the third party is the device
assessment team. That was the team that was involved in the X
Division incident in the loss of the hard drives.
Those are the people that one would turn to to evaluate if
you found an unknown object in the field--what it was.
Mr. Tarter. Essentially identical with Los Alamos.
Mr. Upton. General McBroom, what type of relationship did
you have in establishing the security of the NEST team? And
specifically, why--you know, again, I mentioned this in the
first panel, I would--it would seem to me that there is no
data--there is no data more important than what was on those
hard drives that were missing and how in the world could it
possibly be classified as Secret versus Top Secret?
Mr. McBroom. Yes, sir, I not do classification, although I
am going to take a course in it so that I can do it in the
future. I would like to make those calls. We are looking at an
equipment guide that we are going to put out pretty soon, which
will classify all the equipment which we deal with in NEST. But
I really can't address the equipment on the hard drive. Those
are classified at the site and primarily with the scientists
and with the security people.
Mr. Upton. And to answer the second part of the question,
what type of oversight did you have working with the lab
directors to try and ensure----
Mr. McBroom. Oversight at the lab is lab daily business.
They may have 40 different programs or 50 different programs
going on there. They can't have 50 different people trying to
manage everything. There is a comprehensive lab program that
manages all equipment, all security; they do the training, they
do everything at the lab. Now, when they deploy to the field,
then we provide some oversight, but they still use the
procedures from the site.
Mr. Upton. So did you feel removed then from the security
aspect of the material that they use?
Mr. McBroom. Well, to some degree, because my focus is
emergency management. My title is director of emergency
operations, so what I do is handle an emergency. In handling
that emergency, I look at security, safety, all of these things
as normal course of business. But that is not my focus. I am
more worried right now about Los Alamos floods than I am
anything else.
Mr. Upton. How about their fire?
Mr. McBroom. I was worried about that when it happened,
sir. Now it's all burned up and it is not going to be a
problem.
Mr. Upton. Mr. Stupak.
Mr. Stupak. Well, it will be a problem with flooding
because of the pollution that is there, and it is going to
affect the river and the streams and everything else around
there, correct.
Mr. McBroom. It could be a big problem. I am heading out
there next week.
Mr. Stupak. General Habiger, you indicated that you were
going to provide a time line. You had those minimum controls up
there and you said you wanted to show how DOE developed though
time lines, you could provide a time line?
Mr. Habiger. That was my request of GAO. If GAO were to go
look across the government, you would see that we lagged the
rest of the government.
Mr. Stupak. By ``rest of the government,'' NSA, CIA? Labs?
Mr. Habiger. State, Defense, yes, sir.
Mr. Stupak. Because we are all under this one national
security standard that came up in 1988, 1990 I think it was
implemented?
Mr. Habiger. Yes, sir.
Mr. Stupak. So that was the impetus for these minimum
controls?
Mr. Habiger. Yes.
Mr. Stupak. Regardless--I will direct this to the lab
directors--regardless of what minimum controls at the labs may
be under, there is no reason to lose documents or hard drives,
is there? That does not fall under some minimum control saying
that it is okay to lose these; right?
Mr. Robinson. Of course not.
Mr. Stupak. Okay. So we can't blame these time lines or
minimum controls for what happened?
Mr. Browne. Correct.
Mr. Stupak. Were the labs--excuse me, the University of
California, were they involved in this one national security
standard? Do any of you gentlemen know that?
Mr. Browne. In setting the standards? Not to my knowledge,
I don't believe they were involved at all.
Mr. Stupak. Okay.
Dr. Browne, how long is a contract usually?
Mr. Browne. It is a 5-year contract.
Mr. Stupak. So the earlier testimony about the Secretary,
average lifetime of a Department of Energy Secretary being less
than 2 years, that wouldn't impact your contract in any way,
would it?
Mr. Browne. Well, the contractual relationship is usually
handled by more than just the Secretary. There are people in
the Department who have the continuity between various
contracts.
Mr. Stupak. So the change in Secretary really doesn't
affect the continuity of that?
Mr. Browne. Not directly. It can, I guess, depending on the
Secretary's personal interest.
Mr. Stupak. And the University of California, if my memory
serves me right, has had these contracts for the last 50 years;
correct?
Mr. Browne. That is correct. 47 years at Los Alamos.
Mr. Tarter. 48 years.
Mr. Browne. 57 at Los Alamos. Excuse me.
Mr. Stupak. In those contracts it talks about security, do
they not?
Mr. Browne. The most recent contracts that I have looked at
which date back to 1992, it is explicitly called out in the
contract.
Mr. Stupak. For security?
Mr. Browne. That's correct.
Mr. Stupak. So if there's been a problem with security, we
can't blame DOE, we can't blame U of C, we have security
responsibilities that we all have to adhere to; correct?
Mr. Browne. That's my opinion. We all must share
responsibility for security.
Mr. Stupak. Well, in the short time that I have been on
this subcommittee now, 6 years, it seems like we are always
back here talking about security at labs. So we just can't
blame DOE, the labs have to share some responsibility here too.
Mr. Browne. Absolutely.
Mr. Stupak. Okay. And if the hard drives were missing at
the end of March, it would appear that they were not lost in
the confusion of the fire then at Los Alamos.
Mr. Browne. That's correct. I don't think you can blame
this incident on the fire.
Mr. Stupak. Okay. Mr. Glauthier, in June, I and six other
members of this subcommittee asked the Secretary to terminate
the contract with the University of California for the Los
Alamos Laboratory because of its repeated security and other
violations, and, frankly, its refusal to take responsibility
for or to fix the problems. This contract has never been up for
bid. I think we have established today it's 47, 48 years. But
from your testimony it sounds like the Department is going to
make some cosmetic changes and let UC continue on. Am I reading
it properly?
Mr. Glauthier. No, we believe that this is a significant
change. The current contract at Los Alamos I think is 57 years,
the director said. And what we are going to do now is a change.
For the first time, we are going to have another firm be
responsible for the security and probably some of the other
industrial-type practices at the site.
I do want to be clear, though, that that is not to relieve
the university or any of the laboratory employees from their
responsibility to also take the proper care of secure
information, classified information and materials and the like.
But the practices of who is inspecting the vaults, who is
actually being sure that the procedures are being carried out
properly----
Mr. Stupak. But if you are going to have a separate firm or
separate entity be involved with security operations, which UC
does not control or is responsible for, it sounds like it's
just really another disaster waiting to happen. How is this new
firm, entity, going to really carry out the mandates of the
Department or what Secretary Richardson wants and what GAO
pointed out? It seems like there is an atmosphere within these
labs that just doesn't do it. How is another entity going to
fix that?
Mr. Glauthier. Well, the atmosphere is necessary to deal
with no matter how security is done. What we are talking about
with this firm is some organization to actually have a targeted
responsibility to see that the requirements are sensible,
appropriate ones at the site, follow through, make sure they
are being implemented. We talked earlier about implementation.
We need to see that they are actually being carried out. There
are several models and the Secretary----
Mr. Stupak. Who is going to carry them out, this new firm
or UC?
Mr. Glauthier. The responsibility for actually performing
security is going to be one that individual scientists will
have to have. For example----
Mr. Stupak. So University of California, then?
Mr. Glauthier. If the scientist has got a classified
document, that person is responsible for putting it in the
right place at the end of the day or transporting it in a
proper way.
Mr. Stupak. If I am a scientist and I work for UC and I am
responsible for this document and I am responsible for it and I
am there, and this other firm or entity comes in and tells me
to do something different, who would I look to then as the
scientist? Am I supposed to listen to the so-called new
security entity who I have no contractual relationship with,
who I can say buzz off because you have nothing to do with my
evaluation, or do I listen to UC?
Mr. Glauthier. First of all, we are not sure whether there
will be a contractual relationship or not. That is part of what
Under Secretary Gordon will be looking at over the next several
months, whether this ought to be a subcontract to the
university, a joint venture, or separate contracts. All of
those models are on the table. But the management of the
university at the laboratory will be responsible for seeing
that all of its employees are carrying out procedures. They
have the line responsibility to make sure it's all being
managed properly.
Mr. Stupak. Have you discussed this with Dr. Browne?
Mr. Glauthier. Yes, we have.
Mr. Stupak. Any comment on it? This other entity?
Mr. Browne. My opinion is that whatever mechanism the
Department of Energy comes up with, we are still going to
ultimately be responsible because we not only have the
information, we create the information. The scientists are
creating the information that winds up on the hard drives or
pieces of paper. So we can't get away from that individual
personal responsibility at the working level or at the
management level.
Mr. Stupak. Thank you. Thanks for letting me go over, Mr.
Chairman.
Mr. Upton. Mr. Burr.
Mr. Burr. To both the generals, do you both agree with what
the Secretary just said about a decision at the labs to break
out security separately and negotiate a new contract with the
labs that would allow you to put a security entity in place to
be in charge of security?
General Gioconda?
Mr. Gioconda. Sir, I am the staff officer that is assigned
by the Secretary to come up with the range of recommendations.
Mr. Burr. Is this your recommendation?
Mr. Gioconda. The range of options to choose--yes, sir.
Mr. Burr. It is?
General Habiger, are you in agreement with it?
Mr. Habiger. Sir, I will defer to see what General Gordon
comes up with, sir.
Mr. Burr. I will take that as a very hesitant answer.
Mr. Habiger. It is.
Mr. Burr. I appreciate it, then. I appreciate the honesty.
Because I am sitting here as a member, and the last thing I
want to do is try to make some decision as to what the proper
security is for Los Alamos or for Livermore or for Sandia. And
for some of the people that come in here and testify, I feel
like I have been there as many times as they have, once. And
the last thing you need is input from me.
But we have had an opportunity over the last several years
to see the problem in its totality. And one of the problems is
the right and the left hand never see each other. One of the
problems is that the line of communication--and I think Mr.
Robinson said it very well in his testimony--just does not
exist to the degree it has to for something as sensitive as
national security. And for that reason, I am flustered, for the
lack of a better word right now, to believe that we can just go
out and renegotiate a contract, bring in a new entity, call
this a security program and without fundamental changes in the
line of communication, both with the labs, the new security
company, walk away and feel good and believe that anything is
different.
One of the problems I am convinced today, right or wrong,
it was believed that there were areas that the labs weren't
responsible or did not think they were responsible for as it
related to special programs, because I can't believe that there
wouldn't have been stricter things in place if they thought it
was their decision. And I think they have expressed, through
faxes and through conference calls, hesitancy with the
deterioration of some of the security methods.
So it sounds great, Mr. Secretary, but I don't think it can
work without a significant fundamental change to the operation,
both on the labs' part and the security part. And if we can
accomplish that, I am not yet convinced that they can't
continue to supply the appropriate security, and we have
eliminated another layer that might further blur the problem
down the road. It is a personal observation, and I wait with
some degree of anxiousness to watch how, in fact, this is
structured.
Mr. Secretary, on March 1, 1999, these three directors had
a conference call with Secretary Moniz, and they faxed to him a
recommendation to reinstate the formal accountability. Do you
know what happened to that recommendation?
Mr. Glauthier. I am not clear exactly what happened. I
understand that that was written up after a meeting at which
some of those topics were discussed.
Mr. Burr. I believe it was a conference call between the
three directors, am I correct, to any of the directors?
Mr. Robinson. That was my memory, yes.
Mr. Glauthier. When I discussed it with the Under Secretary
yesterday, he did not have a recollection of the specific memo
and the like. It's clearly a topic that was discussed at some
level, and it was at a time when security issues were very
prominent last year, as you recall. The Secretary and the
Department took a lot of action on various fronts. We had, as I
indicated in the testimony, about 50 different security and
counterintelligence measures that were implemented as a result
of last year's event. So I think that this must have been a
part of the overall pattern. But it came in just before I
arrived and I am not sure exactly what happened to it.
Mr. Burr. Let me just read the last paragraph. I don't
think I read it when I entered it into the record. And I assume
that it got there, and maybe somebody can tell me whether it
was acknowledged: ``The directors of all three of the DOE
nuclear weapons design laboratories are in agreement that the
former controls should be reinstated as quickly as possible.
This recommendation is presented to the Under Secretary and
counterintelligence officials for their evaluation of what, if
any, problems might result from prompt reinstatement of the
previous policy.''
Let me ask General Habiger--I think you have been there the
longest--next. Did you have any recollection of this? Or was it
ever mentioned to you?
Mr. Habiger. No, sir. The first I was made aware of that
was approximately 2 weeks ago.
Mr. Burr. I hope all of you can understand how that makes
us feel as we try to wade through this. There were some pretty
good signs from our lab directors, we do not think we are doing
the right thing, that seem to not only have been discarded by
the individuals that were given those, they can't even be
uncovered now except for the process that we are going through.
I know that we will have another round, and I thank the
chairman and I yield back.
Mr. Upton. Thank you.
Mr. Cox.
Mr. Cox. Thank you. I just want to register--I'm sorry Mr.
Stupak has left--my strong agreement with my colleague from
Michigan. He is absolutely right. The Department of Energy used
private security at foreign launches--the Department of
Defense, I should say, used private security at foreign
launches, and it was a failure. And one of the recommendations
of Congress was to make sure that we take that responsibility
on as the U.S. Government. The U.S. Government is responsible
for the national security. It must not be privatized. And the
notion that we are going to, because we necessarily use
academics when we are trying to contract for science, that we
are going to contract now additionally for security ought to be
unacceptable on its face.
That is why Congress created the NNSA. Congress created the
NNSA so that there would be a clear line of authority virtually
independent of all the rest of the bureaucracy at the
Department of Energy, and it would have exclusive
responsibility at the national labs over intelligence and
counterintelligence, for example.
But I am hearing here today another endorsement of blurred
lines of authority, and I wonder whether you could, Mr.
Glauthier, explain why it is that Congress should look
favorably upon bringing in additional private contractors to be
a new layer of authority in providing security direction for
the national laboratories?
Mr. Glauthier. Certainly, Congressman. First of all, we
agree very much with the need for line accountability and for
clearing up what has been, in many cases, a blurred sense of
responsibility, of staff versus line responsibilities in the
Department. We want very much to see the NNSA responsibility
carried out very directly from Under Secretary Gordon to
Defense Programs, to the field offices, to the laboratories,
and have that accountability apply to missions and security and
safety and all the other functions there.
Having said that, we also see in the past that the
experience of the laboratories has not always been outstanding
in some areas that are not the science areas. Science is
clearly their forte. It is the strongest area. But security,
construction management, some other things that are not as
closely allied to the academic areas, for the University of
California labs at least, have not been as outstanding. And it
is those areas we are looking to try to strengthen. We might do
it through a joint venture with the university and another
firm. I have talked with the provost and the management of the
university about different models. They feel very strongly that
they ought to have some continued responsibility.
Mr. Cox. What the laboratories are telling us is that they
are creating the information--and I think we are misusing the
term ``responsibility'' here, because--or at least we are using
it in multiple senses. Obviously, lab employees, scientists and
others, are responsible for the information they handle. They
are responsible in that sense. But it should be equally obvious
that every employee cannot be equally responsible for
establishing the rules. And that ought to be the responsibility
of someone who clearly has authority to implement those rules.
And when the rules aren't followed, there ought to be clear
accountability, which we have been lacking every time we have
had an oversight hearing when something goes wrong.
And every group that has looked at this, the Select
Committee that I chaired, was one in a long stream that
extended earlier and went beyond that, all said the same thing.
Everybody that has looked at this has said that the lines of
authority are not clear, and that is why the Congress created
the NNSA.
Now, earlier when we had a report from the Office of
Independent Oversight and Performance Assurance, we heard from
the head of that office that he does not know much about
polygraphing; he does not know much about counterintelligence,
and so on. The compartmentalization of this and the blurring of
lines of authority is incongruous with the real world.
If you take now a private contractor and slide them in
between the Department of Energy, the NNSA, the lab management,
and so on, I cannot imagine how that does not make matters
worse.
Obviously, they are going to be setting the rules--or are
they not going to be setting the rules? What are they going to
be doing?
Mr. Glauthier. Their focus will largely be on
implementation. They will set some of the specific practices
for how to actually live up to the standards.
Mr. Cox. So when they are setting specific practices, do
the labs report to them?
Mr. Glauthier. Well, I think, for example, what kind of a
log should there be in the vault?
Mr. Cox. Let me ask a more specific question. How does this
private contractor relate to the NNSA? Does it work for the
NNSA?
Mr. Glauthier. Yes.
Mr. Cox. All right. And does it work for the lab or above
the lab?
Mr. Glauthier. Well, that is part of what General Gordon is
supposed to decide this summer with the university. Should it
work directly for the NNSA in parallel with the University of
California contract or----
Mr. Cox. What is the advantage of not making these people
employees of the U.S. Government and the NNSA? What is the
advantage of having it be privatized?
Mr. Glauthier. Well, they are it is already not employees
of the Federal Government. They are now the University of
California employees, in the case of those two laboratories.
Mr. Cox. The function you are talking about creating does
not presently exist. You are talking about going out presumably
to the private sector and sliding it in. So it is not fair to
say that presently it exists when it isn't created yet. The
NNSA does not yet exist. Even though the Congress passed the
law a year ago, the administration has so dragged its feet that
we have had nothing. And of course, the politics in the Senate
as well, the minority in the Senate held up the confirmation of
the administrator, as you know. Now we are finally getting it
off the ground and it is just a matter of weeks now. With the
NNSA just now getting up and running, why would we not want to
have the NNSA perform the functions that Congress just gave it
in statute? Those very functions you are talking are about the
statutory functions of the NNSA.
Mr. Glauthier. And we do intend for the NNSA be responsible
for carrying this out. The way they perform most of their
functions is through contractors at the various facilities. So
it will be natural for them to use a contractor in some mode.
The question is in what mode? What's the right way? Should it
be through the university or in parallel to it? Those are
things I think they need to----
Mr. Burr. Will the gentleman from California yield for a
clarification? Do you also envision that the field offices
would be in charge of the evaluations for the security company
as well, the DOE field offices?
Mr. Glauthier. The field office, in their role as
administering the contracts, would continue to do that. We
have, as you saw this morning also, an Independent Office of
Security Oversight headed by Glenn Podonsky. We would expect
that office to also provide oversight and evaluation of these
activities.
Mr. Burr. I thank the gentleman for yielding.
Mr. Cox. Well, I think we are headed off in the forest
here. I think it is going to get much worse if you do this.
Mr. Upton. Ms. Wilson.
Mrs. Wilson. Thank you, Mr. Chairman. I would like to pick
up this same line of questioning here, and I am glad that there
are some members of the DOE at this table who are skeptical
about this proposed new arrangement, because I think it
exacerbates the very problem that we are identifying here, and
it sounds pretty dysfunctional to me.
I have to always put things in a little bit simpler terms,
I am afraid. At our house we have some rules. You have to close
the front door when you come in and out. You are supposed to
keep the lid on the jug of milk. You are supposed to close the
refrigerator door and push in your chair after you get up from
the table. We repeat those rules. We try to be clear about
those rules. We train to those rules. And there are
consequences if you do not follow those rules.
But what I hear you saying with this new contract here is
that you are going to bring somebody in and post the rules on
the refrigerator, and then you are going to come in and check
and see if people have done what they are supposed to do. But I
am no longer in charge of training and controlling and
repeating and consequences and all those things. That may be a
little simple, but that is kind of the way I see this new
security contractor.
And I wonder if perhaps, since I noticed, Paul, you
referred to, in your testimony, the importance of integration,
and since you are not the direct guy who is immediately
affected by this possibility of a new contract, if this kind of
thing were imposed on the other labs, would it work?
Mr. Robinson. I am worried about anything that splits the
authority and responsibility. As I said in my written
testimony, I believe the preferred direction is to try and
streamline authority, responsibility, and accountability. Only
if you do that do you have a chance of knowing who is
responsible and being able to take action.
I also am a believer with a little bit of experience over
time that when you have that clean line of responsibility,
people, in fact, grow to deserve it instead of shrinking from
it if the lines are blurred.
Mrs. Wilson. Thank you. I want to change the subject a
little bit, because I have some questions about the NEST chain
of command. And I wonder if maybe General McBroom, you are the
person to ask this. Can you describe the chain of command for
the NEST and who is responsible for what?
Mr. McBroom. There is normally--we pay for a couple of
people in each site. The number varies. Most of them we pay
them, I think, seven full-time salaries at Los Alamos, but that
includes the secretary, and we have a small contingent there
that works primarily on NEST operations, and then we will have
another couple hundred people that do not. Normally, there is a
designated point of contact at each site that we deal with from
the staff that deals directly with the NEST team. So that chain
of command would go from myself to my program manager at the
staff, right down to that program manager at the site.
Mrs. Wilson. The University of California said in a letter
on June 20, and Dr. Browne also mentioned it in his testimony,
that line managers at labs had little or no access to ensure
that lab safety and security rules are met for these close-hold
programs. Is that--do you agree with that?
Mr. McBroom. I think that there was nothing preventing them
from doing that. I think that there was some confusion at the
site. I would go that far. But I mean, there is nothing--I went
back to the--I have been there for 9 months now. I went back to
the two previous directors and talked to both of them and they
both said no, definitely we've never said that people can't
look at it, that it shouldn't be looked at or anything like
that.
Mrs. Wilson. But there was confusion as to who was
responsible?
Mr. McBroom. I think there was some confusion there. I
hope--I sent something out the first week of June moving the
control to Albuquerque Operations. Because the operation, when
I got there, was done with the headquarters deploying with the
teams. And I thought that kind of confused the mission, the
oversight mission and the--and what we were really supposed to
be doing at the headquarters.
Mrs. Wilson. General, when was the last time the Department
of Energy did a program-wide security audit or assessment of
the NEST program?
Mr. McBroom. I have no idea. I am a force employer. I am
not a security person. That is a security question.
Mrs. Wilson. Who would be responsible within DOE? You talk
about this is a team drawn from people from all over the
country, all different responsibilities; they end up in some
airport somewhere. Who within DOE is responsible for this whole
thing?
Mr. McBroom. When they are on the road?
Mrs. Wilson. No--well, for the program. Who runs the
program?
Mr. McBroom. I run the program. I am responsible for the
team when they are on the road. When they leave that lab, I
have operational control. I do not have administrative control.
Administrative control, disciplinary action, firing, things
like this, remains with the lab. Just like when they are on the
road, they follow lab procedures. My people are out there to
focus on the emergency and to help the scientists do their job.
At the same time, we look at security and safety just from
a standpoint of doing the way the headquarters said we should
do it.
Mrs. Wilson. Dr. Browne, did your folks feel as though they
had the authority to do security audits of the NEST team?
Mr. Browne. Well, I think you hit one of the points that
the General referred to about some concerns at our laboratory.
Our program manager, who I am no longer allowed to talk to
because of the FBI investigation, but what I can talk to you
about is that he wore a couple of different hats. He wore a hat
inside the laboratory where he reported to our management for
organizing and coordinating the program inside the laboratory,
and he also wore a hat for the Department where he was
responsible for activities at Livermore and Sandia.
He made some comments to our security people that they were
not allowed to look at the NEST operational security because
that was his function. And my opinion is that there was a lack
of formality of operations that would have clearly defined the
roles and responsibilities of people at Los Alamos for this
program. I think it's missing. You know, I'll share some of the
blame for that. I think we should have caught that. But, in
fact, I believe it was missing. There was no line manager that
had his or her signature on that plan, the security plan.
Mrs. Wilson. One final question, Mr. Chairman, if I may.
This memorandum from the lab directors concerning increasing
level of security from March, I understand the Under Secretary
has no recollection of receiving this. And I can understand
that. All of us up here get about 5,000 letters a month. But in
our office, we do have a process for identifying, by number,
each incoming letter. Does the Under Secretary have a similar
system?
Mr. Glauthier. We do have that kind of tracking system, and
my understanding yesterday, when I discussed this in our
office, was that this was never actually submitted to us in the
mail or in the normal transmittal system. It was faxed to his
office and, thereby, avoided the regular process. It wasn't
captured in the regular tracking system.
Mrs. Wilson. Let me make sure I understand. The Under
Secretary's correspondence management system, you have checked
it and you can find no reference to this memo?
Mr. Glauthier. That was what I was told yesterday, that's
right.
Mrs. Wilson. Thank you, Mr. Chairman.
Mr. Upton. Thank you. I want to go back to a question that
was I focussing on when my time expired a little bit early.
Mr. Glauthier, who is the individual or the department that
is actually responsible for the classification in terms of
security with regard to the material at the labs?
Mr. Glauthier. The classification responsibility?
Mr. Upton. Who determines whether it is Secret or Top
Secret?
Mr. Glauthier. I think it is actually at the laboratories
themselves, the people who develop the material. No?
Mr. Upton. Dr. Tarter?
Mr. Browne. There is a classification guide that is
developed by the Department that the laboratories provide
technical input to.
Mr. Glauthier. But the actual decision on a particular
document using the guide I thought was actually done at the
lab. The guide itself is developed by the Security Office.
Mr. Upton. So who would have been responsible? For example,
these hard disks--the hard drives that were missing, who
actually determined that it was Secret versus Top Secret?
Mr. Habiger. We have----
Mr. Upton. Whose chain of command?
Mr. Habiger. Chain of command would go from the program
office to the laboratory. I have a group of people, who are
subject matter experts, develop classification guides. Those
guides are then sent to the field offices, the laboratories,
and the program offices.
Mr. Upton. So are you saying are the directors--ultimately,
as they are in charge of the security of the entire lab site,
are the three lab directors, these particular NEST tapes that
the NEST team lost, is it--was it Dr. Browne's responsibility
that they were Secret versus Top Secret?
Mr. Habiger. It would be classifiers at the laboratory.
Mr. Upton. Who did they report to? I mean, ultimately to
Dr. Browne and up, or did they go back to General McBroom or
who?
Mr. Browne. Mr. Chairman, let's see if I can explain this.
Each piece of information on the hard drive by itself was
secret RD and would have been classified as such if it were a
piece of paper or on an electronic medium.
Mr. Upton. Right.
Mr. Browne. The compendium, I think, is the issue here, the
large amount of information. There was no guidance in existence
about how we treat large encyclopedic data bases at a higher
level.
I would like to mention that I just found out, after I
read--after I wrote my testimony, that we did submit in
September 1999 to the Department a letter requesting that these
hard drives be encrypted. One of the difficulties is that the
software for encrypting information, until recently, and I
believe General Habiger can point out in more specificity, that
it did not exist. So even though we made a request in
September, it was not possible to accommodate it.
Mr. Upton. Although I am told that, at least at Livermore,
some portions of the hard drives have, in fact, been encrypted
and at least for a number of months, is that not true?
Mr. Tarter. What we did, we used a nonNSA-approved
encryption technique because, as Dr. Browne said, there was not
an NSA-approved encryption. It was our decision that--we call
it--some encryption was better than no encryption.
Mr. Upton. Did you share that information with the other
labs, or did the NEST teams--was it actually a part of the NEST
team that did that?
Mr. Tarter. It was part of the NEST team that did that.
Mr. Upton. And did they not share that information with the
NEST teams at the other two sites?
Mr. Tarter. They did, and I have the--you know, we can go
into more detail if you wish. I have the head of the NEST team
here. I think we had those discussions, and I think in the
absence of an official NEST policy and since ours was not
approved in the NSA sense, I think it became local option.
Mr. Upton. General McBroom, were you aware of that at all?
Mr. McBroom. No, sir.
Mr. Upton. So you have really wiped your hands clean
altogether of the security at the site of the material, is that
right? Your role is really just the operations; the phone rings
and then out the door and then you have them under charge; is
that right?
Mr. McBroom. Yes, sir. I am the force employer. They
provide a head, two arms, two legs, and a 20-pound brain with a
piece of equipment. I employ those people out there. I watch to
make sure, while they are in my charge, what they do when they
are at that site, but primarily they still come under those
rules.
Mr. Upton. Dr. Tarter, your answer again as to whether that
information was shared between the three teams, it just wasn't
done; or was it?
Mr. Tarter. We did--we had those discussions with Los
Alamos. We said what we were going to do, and I think they
chose, in the absence of either an approved status for the
encryption technique we were using or formal guidance, to
continue with the local option.
Mr. Upton. Did you talk to DOE about what you were doing?
Was DOE aware?
Mr. Tarter. Apparently yes. Again, if you wish, you could
swear in the head of our NEST team for a more precise----
Mr. Upton. We might just do that. Just get that--is that
individual here, behind you?
Mr. Tarter. He retired a week ago but, yes, he is here.
Mr. Upton. Just come up and identify yourself for the
record.
Mr. Tarter. This is Dr. Alan Mode.
Mr. Upton. Just remain standing there for just a second.
[Witness sworn.]
Mr. Upton. You are now under oath.
If you would just describe the set of circumstances behind
this. I know my time has expired, and I will yield to Mr.
Stupak.
Mr. Mode. It is, as Dr. Tarter has described, the request
and information had been discussed within the NEST community.
There was not an approved encryption technique available at the
time. DOE had made that request some time ago for an approval
from--NSA-approved encryption technique. It was purely a local
option. We--our people just felt a little more comfortable. We
also recognized that it was not an approved encryption
technique, and in one sense you could argue that we were, in
fact, acting outside of our bounds by imposing an encryption
technique that had not been approved.
We encrypted the Livermore portions of the information. We
did not encrypt the Los Alamos portions. Again, with their
knowledge and----
Mr. Upton. How long did it take to encrypt the information?
Mr. Mode. I am sorry. I don't know. We used--in open
hearing, I won't say exactly how we did it, but not an extended
period of time.
Mr. Habiger. Mr. Chairman, if I could point out that NSA,
National Security Agency, certified encryption on June 19 and
we were the first ones in the government to buy it.
Mr. Upton. Right. I understand that, but I think this
actually took place--nonNSA-approved happened, what, September
last year, thereabout?
Mr. Mode. Approximately January 1999.
Mr. Upton. January 1999?
Mr. Mode. Yes.
Mr. Upton. So literally a year and a half it took.
Okay. Mr. Stupak.
Mr. Stupak. Thank you, Mr. Chairman.
Dr. Browne, you said something that bugs me a little bit.
You said that you are responsible for the information that
would go on the hard drive that--whatever segment it is--and
there are many Top Secret segments on this hard drive.
Mr. Browne. Secret. Secret RD.
Mr. Stupak. Okay. Secret?
Mr. Browne. Correct.
Mr. Stupak. So in, say, year one, there might be a thousand
pieces of Secret on that hard drive?
Mr. Browne. It is less than that, but let's say many.
Mr. Stupak. But then you said you weren't responsible for
the encyclopedia of the information on it there.
Mr. Browne. No. I said there is no DOE guidance that tells
anyone that once you have accumulated any amount of
information, that you should classify it at a higher level.
Mr. Stupak. But do you really need a guideline to figure
this out?
Mr. Browne. We don't have the authority----
Mr. Stupak. I mean, if you have one piece of information
that's so important, now you have all kinds of pieces on there,
I think that hard drive just becomes more valuable. I don't
think I need a government guideline to tell me not to drop it
behind the copier.
Mr. Browne. Well, I don't disagree with that, but we don't
have the authority to classify something Top Secret or not.
Mr. Stupak. But you have the authority to provide security
and control----
Mr. Browne. Correct.
Mr. Stupak. [continuing] for this?
Mr. Browne. Absolutely.
Mr. Stupak. Because I guess my concern--and is it your
testimony that you did not believe you were responsible for
security over the NEST team and the information under their
control?
Mr. Browne. No. I believed I was. My comment was that our
security people were told by our NEST program manager that they
did not have the right to come in and look at the NEST program
operations; that it was a closely held need-to-know program. A
limited number of people had access to that program and access
lists, and so they were--they were told that they were not to
look at this program.
Mr. Stupak. Who do the security people work for?
Mr. Browne. They work for me. They did not bring that to my
attention.
Mr. Stupak. So even the people under your control who are
doing security, plus your scientists, they don't agree who can
look at what and who has control over what?
Mr. Browne. That's an issue, and I brought that up with
them since I found out about this.
Mr. Stupak. So now the proposal is to put another entity
out here, yet to be hired, to even have more arguments on who
is controlling and who has the authority?
Mr. Browne. No. General Gioconda sent me a very excellent
letter, I believe it was June 16, saying if there is any
confusion about any program, you have the authority to
investigate it unless you are directed not to investigate it.
I have used that letter now to look into a series of
programs that are very similar to NEST.
Mr. Stupak. When did you get that letter? Maybe I was out
of the room and I had to make a phone call.
Mr. Gioconda. I happen to have a copy.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T7110.089
Mr. Stupak. How long ago--when was that written?
Mr. Gioconda. Well, sir, I sent that letter on June 16
because I was surprised, too. John brought it to my attention.
Let me read it to you.
Mr. Stupak. Okay.
Mr. Gioconda. It says, ``This memorandum is to reconfirm
the responsibility of the Nation's nuclear weapons laboratories
for assuring that proper security procedures are followed in
ALL''--all capitalized--''activities performed on laboratory
property or under laboratory auspices. No program can be exempt
from such oversight without written approval from me or my
superiors.''
Mr. Stupak. That was because labs were saying that they
didn't have responsibility here?
Mr. Gioconda. They were--as Dr. Browne described,
apparently the program manager said stay away from my program.
No, he did not have the authority to do that.
Mr. Stupak. Well, this is really sort of the same argument
that we have been hearing since about 1976 when Mr. Dingell
first brought this to our attention. And if you go through
this, this responsibility, this lack of accountability, we have
had these concerns brought up in 1976, 1982, 1988, 1992, 1997,
1998, 1999 and now again in 2000. We always get these
assurances things will be different. Now we have a letter
saying they have to be different, but they never really are.
And I guess that's the frustration we see on this side of the
dais.
Mr. Glauthier. Congressman, may I comment?
Mr. Stupak. Sure.
Mr. Glauthier. One of the changes that Secretary Richardson
made in April of last year was a reorganization to make
explicit staff versus line responsibilities, and at that time
we actually had iscovered that the head of Defense Programs
claimed he had no responsibility for security; it was somebody
else's responsibility.
We made it very clear that that responsibility is a line
responsibility, and implementation and accountability for
security flows right through the whole organization, but that
has been a problem over the years.
Mr. Stupak. Sure, but that was last year. And now it seems
like we don't get this thing really cleared up now until this
June 16 letter here from the General.
Mr. Glauthier. I think what you are hearing is one specific
area. These NEST programs were a point of confusion at one of
the laboratories. I believe, you know, the vast majority of the
people understood the responsibility was in fact much clearer,
and this was just to clear that one piece up.
Mr. Stupak. But it really should be clear that the NEST
program manager is a lab employee, right?
Mr. Glauthier. Absolutely.
Mr. Stupak. I was really interested, Dr. Tarter, you
mentioned your own little local option that you put on the hard
drives, the encryption?
Mr. Tarter. Yes.
Mr. Stupak. That's just something that you thought was
necessary?
Mr. Tarter. It seemed good practice.
Mr. Stupak. And security is part of your responsibility,
right?
Mr. Tarter. Right.
Mr. Stupak. Thanks.
Mr. Upton. Mr. Burr.
Mr. Burr. We have spent a lot of time on the 3-1-99 fax,
whether it came or didn't come. Let me just share with you, Mr.
Secretary, and this is out of the Redmond report:
``Comprehensive classified document control system--document
controls for the most sensitive data of the weapons lab should
be reinstituted by the agency director. The program should be
constantly monitored by a centralized agency authority to
ensure compliance''--basically what the three directors said.
So if you didn't get it in March, in June you certainly got
the same message from Senator Rudman; and still today, a year
later, we don't have that policy back in place, or if we do
it's a recent one.
And, General Gioconda, I want to commend you for
recognizing there might have been a lack of communication on
the labs' understanding of their jurisdiction and where it did
or did not stop, and your quick response to get a memo out that
says, no, here is where it extends to; because I think that's
the type of thing we have got to clear up, some of the
misunderstandings that exist, if we are going to move forward
at all, and I think that the directors, though they may not
always be in agreement, I think they are appreciative of
clarification.
Mr. Gioconda. Sir, I have only been in an acting capacity
since August of 1999. I am a history major, so I went back and
read all of the history that you have read. It really boils
down to--and I just want to say--because I got the impression
that when I gave you a ``yes sir,'' that I am supportive of the
decision to go and look at options and how to make this
situation better, that somehow was a problem. I would wait
until you see what Under Secretary Gordon comes out with on 5
September, regarding negotiations with the University of
California before you make your judgment about whether this can
work, because this decision will be made within the NNSA
process.
General Gordon is my boss. I am the Acting Deputy
Administrator to him for Defense Programs.
But it really boils down to four things. When I took over
and told everybody here at the table that it is, one, you have
to stay focused on the mission, and we have to be very clear to
do that. Really, the mission is safe, secure, and reliable
nuclear weapons. It isn't harder than that. And if we do
anything to damage that, I am concerned about any security, any
arrangement we have. That's important.
Mr. Burr. So you feel confident--I may not be here and you
may not be here, but there will be someone on this
subcommittee, if it doesn't work, who asks the question why did
they do this and why didn't they have more vision than that?
Mr. Gioconda. Yes, sir.
Mr. Burr. I am not prejudging it. I am raising what I think
are legitimate questions but, more importantly, legitimate
concerns based upon my interpretation of the history that I
have read and certainly what I have seen firsthand for the last
5\1/2\ years since I have been here as it relates to the
relationship between the agency and these labs.
Mr. Gioconda. Sir, if I may, two more things.
Mr. Burr. You may.
Mr. Gioconda. Accountability and responsibility has to be
in this environment. I agree with you, as the staff officer
that's going to put some of the ideas together, that if you
remove accountability and responsibility from individual
scientists who create a lot of this data, this won't work.
And then the third thing I will tell you is the chain of
command. The chain of command has to be followed in this
organization, and that's a lot of what happened back in April
when they made sure that the line is involved.
That's why I am at this table. I am responsible for this
incident. Defense Programs is responsible down to the weakest
link in its program. We have got to get that across to
everybody in Defense Programs, and if you walk around the
complex, sir, as I know you have, 99 percent of them know that.
Mr. Burr. Well, one of the questions that I had earlier was
from--and I can't lay my fingers on it right now, but it was
basically the fact that many of the Secretary's initiatives of
late, this last round, were not decisions that were based upon
conversations with the directors of the labs. And it may have
come from Mr. Robinson's testimony, that this was a--this was a
somebody makes the rules and somebody else lives by them. This
is not a shared process of adults that get together to try to
figure out how to make it work the most effectively and the
most securely that we can. And I would tell you, that's an
important part of the process and any criticism of how we reach
that, I would hope that you and others would take it hard and
that we would find inclusion in the process.
I have just a couple of--I know my time is already out, but
I have to finish this before I go because I have got a meeting.
Let me just ask one of the directors, do all scientists
sign a commitment to take a polygraph if the need ever arises?
Mr. Robinson. They do not.
Mr. Burr. They do not. But my understanding, and correct me
if I am wrong, NEST members have signed an agreement for a
polygraph, if needed?
Mr. Robinson. They have not.
Mr. Tarter. No, they have not.
Mr. Mode. No.
Mr. Robinson. What is the case--and let me first go to non-
DOE programs where polygraphs have been employed for a decade.
If a scientist were going to be assigned to that compartment,
they had to then agree to take a polygraph or they could not go
into the information in that compartment, but it is not a
general thing throughout the laboratory. So it is program-
specific, compartment-specific for polygraphs.
Over the course at our laboratory, about 220 people were
polygraphed as a part of those programs.
Under DOE programs, we identified just above 200 people who
are members of the compartments that were just made--that
polygraphs were just made mandatory. Taking some of the people
who had been polygraphed within the previous 5 years, so you
didn't have to do them again, our number came down to 171
people. We have polygraphed 46 of those as of a week ago, so I
suspect the number is well above 56 at the present time.
Some of the members of our NEST team, when faced with the
question of a polygraph to continue as members of NEST, chose
to opt out and resign from this responsibility.
Mr. Burr. So it is not a requirement of NEST now?
Mr. Robinson. It is a requirement now.
Mr. Browne. I don't think so.
Mr. Tarter. No.
Mr. Robinson. No?
Mr. Burr. Just to express my own frustration, somewhere
in--since the latest problem at Los Alamos, somewhere in the
conversations, whether it is with labs or whether it is with
DOE, I was led to believe that it was standard protocol that
every member of the NEST team signed a waiver that said I will
be polygraphed if you ever need it. So we can even be mistaken
up here, based upon the information that we hear.
I hope that if there is a policy on that, somebody would
let us know.
Mr. Robinson. I have got a clarification from my own folks.
Those who are in certain roles within the program have to be,
but not all members of NEST have to be polygraphed if they are
a part of what is called the PSAP program, Personal Security
Assurance Program.
Mr. Burr. I would say to Mr. Aftergood, if those people
have signed a pre-waiver on a polygraph, I would not expect to
see them with a badge on in the facility saying no polygraphs.
And you are right, they do have a right to. They also have
a choice of where they work.
One last thing, Mr. Robinson. You said in your testimony--
and if this is not something we can get into, then certainly
feel free to tell me, we will follow up in another way. In your
testimony it said, talking about controls on electronic media,
said the other issue--talking about two things that you have
found as you have gone back and looked at your system--reported
on June 30 involved a single 3\1/2\ inch 1.44 megabyte disk
that had not been yet located. Inquiry is currently underway in
accordance with DOE's procedures.
Is that still the case? Have we still got something that's
missing?
Mr. Robinson. It is unaccounted for at the present time.
Mr. Burr. And is that of a nature that we should be
concerned?
Mr. Robinson. It is always a concern if you have anything
that's a secret item that is accountable.
I might point out that only because that work group, which
is our largest holder of classified information in the weapons
engineering department, never took off the accountability
system for Secret or Top Secret information, that we in fact
know that it is missing; but the content of what is on the disk
we know, and it is not of the same magnitude as other things.
It is very high-level information. There is no detailed
information. There are no figures.
Mr. Burr. Well, we are relieved with that. And just for the
purposes of my colleagues, I want to point out two things in
Mr. Browne's testimony. The first one was, ``since 1994 we have
had 19 DOE inspections that cover vault operations. These
resulted in two findings.'' One finding that's closed,
involving a technical issue regarding alarm testing, and has
corrective action. Neither of the two findings address the
issues surrounding this incident.
And later on in--or earlier in your testimony, I would like
to point out, ``the laboratory security programs were reviewed
16 times in 1999 alone.''
I say this for the purpose of everybody here. This is not a
question of whether we have investigated, whether we have had
enough inspections. I truly think that if we asked Mr. Podonsky
to go back six more times to every facility, he would very
politely do it. He would come in with a very detailed analysis.
Folks, until we all care, until we decide that we are going
to make the fundamental changes that have to be made and that I
believe the people that we have got in place are capable and
willing to make, we are not going to solve the problem. No
matter what we come up with in the way of new inspections, no
matter what we come up with in breaking the security entity out
separately, if you are not willing to make the structural
changes and to require the accountability, then you have got to
be prepared to keep coming back to this subcommittee.
Mr. Chairman, I yield back.
Mr. Upton. Thank you.
Mr. Cox.
Mr. Cox. Thank you. Mr. Glauthier, earlier, not in this
round but in the previous round, Mr. Burr asked a question. And
then perhaps Mr. Burr can help me. Mr. Burr, as you leave, you
and Mr. Glauthier had an exchange about the field offices and
the relationship potentially to these new privatized security
people we are thinking about hiring. Do you remember what your
question was and what the answer was?
Mr. Burr. My question was, did the Secretary envision that
the field offices would be in charge of the evaluations of this
new security entity, just like they are currently responsible
for the evaluation of the contractors of the labs, both for
their administrative and their security performance?
Mr. Cox. And my recollection, Mr. Glauthier, is that you
answered yes.
Mr. Glauthier. Yes, that's right.
Mr. Cox. Now, I don't know whether you have read the House
Armed Services Committee Report dated February 2000 on the
proposed DOE implementation plan of Title 32?
Mr. Glauthier. No.
Mr. Cox. Which sharply criticizes the maintenance of pre-
Title 32 reporting relationships and specifically focuses on
the role that the field offices have played.
Let me just read a portion of it. ``The panel notes with
concern that the plan''--this is the Department of Energy's
plan--``explicitly sustains current reporting relationships
between the NNSA contractors''--and these new contractors would
fall, of course, into this category--``field offices, and
headquarters staff. Thus, NNSA contractors will report to the
Deputy Administrator for Defense Programs through the field
offices rather than directly to the Deputy Administrator.
Several studies have found that this arrangement has generated
redundant and confusing lines of authority in the past. Despite
strong criticism in the President's Foreign Intelligence
Advisory Board and other reports, no changes in the field
office reporting structure are contemplated. Furthermore,
section 3214 of Title 32 states''--that's the law--``that the
NNSA facility should report to the Deputy Administrator.''
Now I have just read while we were sitting here, the whole
Title 32 again to make sure I understood the law. Why is it
that you are violating the law?
Mr. Glauthier. My recollection of the law, I don't have it
in front of me, is that it permits us to use a field structure
in the line organization if we wish.
Mr. Cox. Is the field structure part of the NNSA?
Mr. Glauthier. Yes.
Mr. Cox. Are the people who work in the field offices NNSA
employees and not employees of the Department of Energy?
Mr. Glauthier. They are both. NNSA is a part of the
Department of Energy.
Mr. Cox. Are they people who are hired exclusively by the
Administrator of NNSA?
Mr. Glauthier. It depends on the field office. The
Albuquerque----
Mr. Cox. Well, no, the law doesn't say that. The law says
that except for certain named positions in the statute, it is
the role of the Administrator to hire and fire people within
the Administration, and furthermore the Administrator is given
the statutory authority to set policies within the NNSA that
are different from the policies and procedures in the
Department of Energy, and only the Secretary of Energy himself
can reverse those.
Mr. Glauthier. Or the Deputy Secretary, if he is given that
responsibility by the Secretary; that's correct. And in fact,
the Secretary has the authority under the law to set policies
that will apply to the NNSA as well.
Mr. Cox. So why are we using these structures from the old
system before the creation of NNSA?
Mr. Glauthier. The field offices are part of a line
organization, and that's where the contracting is done. They
have processing of vouchers.
Mr. Cox. I know that's how it used to work, but what about
the new statute?
Mr. Glauthier. The new statute doesn't require that we
change that. It is up to the NNSA administrator, as you
indicate, how that structure is going to be carried out and the
implementation plans----
Mr. Cox. Well, now, General Gioconda used to be an employee
of the Department of Energy and now is a--is that correct,
General?
Mr. Gioconda. I am not the best example to use, sir. I am a
detailee from DOD to DOE.
Mr. Cox. But you had a DOE function before?
Mr. Gioconda. Yes, sir.
Mr. Cox. Now you have an NNSA function?
Mr. Gioconda. Yes, sir.
Mr. Cox. So your relationship to the Department of Energy
is semiautonomous.
Mr. Gioconda. Yes.
Mr. Cox. In other words, the authority of the people who
work at the Department of Energy over you can be exercised only
through the Secretary himself or, if the Secretary is
incapacitated or otherwise unavailable, by other statutory
authority through his deputy, but acting qua Secretary because
the statute is very explicit about that, and not in any other
way. Is it your understanding that the same can be said for
every employee in, say, the Albuquerque field office?
Mr. Gioconda. Sir, in Albuquerque they are all in the NNSA.
That is clear.
Mr. Cox. And then the DOE exercises no authority over that
field office?
Mr. Gioconda. No, sir. The business functions are connected
to DOE. They do have authority over the business functions that
are connected to DOE.
Mr. Cox. That sounds awfully confusing. Which is which? How
do we know?
Mr. Glauthier. May I? Congressman, may I respond?
Mr. Cox. Well, the----
Mr. Glauthier. The policies----
Mr. Cox. I just want to remind you why I am concerned about
this, because in questioning an earlier panel I read this
portion of the report of 2 weeks ago from the Redmond panel,
chaired by the former head of counterintelligence at the
Central Intelligence Agency.
He said the DOE operational field offices at Albuquerque
and Oakland continue to refuse to share relevant information
from employee personnel files under their control with DOE CI,
counterintelligence, or laboratory counterintelligence
components. The Department of Energy counterintelligence is not
even informed by these three offices when an employee loses his
or her security clearance.
That's a mess.
Now, if NNSA is in charge of these people, then I want to
call NNSA on the carpet for this performance. If DOE is
responsible, then I want to call DOE on the carpet for this
performance.
But the truth is, as we sit here in this hearing we don't
know. Whose responsibility is it? Whose responsibility is that
failure, NNSA or DOE?
Mr. Habiger. Mr. Cox, if I may, sir, that is very dated
information and is no longer applicable.
Mr. Cox. Well, it is 2 weeks old.
Mr. Habiger. Well, the report may be 2 weeks old, sir, but
the assertions have been corrected some time ago.
Mr. Cox. Were those assertions relevant to a time period
prior to the enactment of Title 32?
Mr. Glauthier. Before the implementation of it.
Mr. Cox. Well, I understand you didn't obey the law for a
very long time. And I am quite serious about this, because
starting with the President of the United States own signing
statement, there was a direct effort, documented by the
Congressional Research Service, to subvert the statute. But I
wonder whether or not this situation--independent of who shot
John in this circumstance--obviously nobody is willing to own
up to responsibility for this. But let me ask this question:
Who is responsible for any defalcation today at the field
offices? Would it be DOE? Would it be NNSA? Or is the answer,
it depends?
Mr. Glauthier. If it is a practice that they should be
carrying out, the policy is in place and they are not doing
what they are supposed to be doing, there is an NNSA
responsibility; their line accountability to NNSA. On the
specific information sharing of those personnel files, I would
be willing to go back and get the specifics. I don't have those
at this point.
[The information referred to was not received at time of
printing.]
Mr. Cox. Is there any aspect of the performance of the
field offices for which DOE is responsible and not NNSA?
Mr. Glauthier. Only in establishing some of the policies.
There may be Department-wide policies on procurement, for
example, that are issued to the NNSA and then implemented
through the NNSA.
Mr. Cox. Obviously that's not how the statute is supposed
to work. The NNSA has ample authority to do its own
procurement.
Mr. Glauthier. But the statute also provides for the
Secretary to determine policies that would be applicable to the
NNSA.
Mr. Cox. Well, I think the answer, plainly, which you have
just given, is it depends on whether it is one or another kind
of function at that field office. And sometimes presumably the
very same people working in the Albuquerque or Oakland field
offices we are describing here would be responsible to
headquarters DOE, and other times they would be responsible to
the NNSA. And what we are now talking about doing is sliding in
a new contractor that will have the same questions about who it
reports to, because it is going to be reporting to somehow this
field office which is itself a hybrid of DOE and NNSA, exactly
what the statute was meant to prevent.
I think if I were out at the labs, I would not know who in
the hell I am supposed to report to, and this is making it
worse, not better.
Mr. Glauthier. One point we are clear on is no one in the
NNSA can take direction from people who are not in NNSA. We do
understand that and have tried to implement it that way.
Mr. Cox. Well, I think the chairman is being--perhaps I
have more time. Do I have time further?
Mr. Upton. I stopped the clock. If you want to ask another
question, you may.
Mr. Cox. The chairman is being generous. I do hope that we
will recognize that there is a Presidential election in a few
months, that whether it is a Gore administration or a Bush
administration, if past transitions are any guide, most of the
people in the Presidential appointment positions, not for terms
of years, will be changed and so this ought not to be viewed as
a turf battle. It shouldn't be about somebody in Congress
taking away my power. We are not trying to take away the power
of any individuals.
This is not a threat to Bill Richardson. This is a question
about whether or not there can be an independent agency with
only rare reporting relationships through the Secretary himself
in charge of this function. And this administration, the
Clinton-Gore administration, has fought it every step of the
way, and I think it is doing a great disservice to our national
security.
Mr. Upton. Mr. Bilbray.
Mr. Bilbray. Thank you, Mr. Chairman.
I am going to ask one open question and would ask anybody
to answer it as truthfully as possible. Can this Member of
Congress assure his constituency, or, more important, assure
his children that the security and the problems we have
articulated here in this hearing, both structural and
institutional, will be corrected before January of next year?
Will the next administration have to solve this problem or
will we have it corrected before January 1? Is anybody here
willing to say that we think we will have it all taken care of
by January 1; it will be wrapped up?
Mr. Glauthier. I will be the first one to try to respond to
you. I simply can't give an absolute answer, I think, to
anything. One of our experiences over the years has been that
that has always been a mistake. We are working our hardest to
try to deal with the institutional and structural issues, as
you have put it, and our hope is to have those in place, to
have the NNSA elements in implementation, and then to have the
continuing problem of, of course, the human element being
something we always will have to deal with. But our hope is to
be as far along that path as possible.
Mr. Bilbray. Well, Mr. Chairman, I just want to say in
closing that I grew up in a family where my father was a damage
control officer who was at Bikini, at Eniwetok, who studied
nuclear arms--was involved in the nuclear arms development in a
peripheral manner as a warrant officer. And I darn well believe
that we all have a responsibility to make sure that his
grandchildren do not have the technology he helped develop
turned against those children, and I certainly hope that we can
take care of this before we expect a new administration will
have to take care of the problems of the past.
I yield back, Mr. Chairman.
Mr. Upton. Mrs. Wilson.
Mrs. Wilson. Thank you, Mr. Chairman.
Just to follow-up on what Congressman Burr was talking
about a little bit, and what I asked as well about this issue
of the facts. I don't want to belabor the point too much, but
as you well know, representing Albuquerque, New Mexico, we have
quite a bit of correspondence with the Department of Energy.
And I asked my staff to go back and check, and everything that
we send, whether by letter or by snail mail or by fax, gets a
registration number and that registration number comes back as
a reference on the reply.
And so without being too difficult about this at first, I
would ask the chairman if he would request from the Department
of Energy, copies of records of all items entered into DOE
correspondence management systems for the week surrounding
March 1, 1999, and also for a record of the fax receipts for
March 1, 1999, for what I believe is Under Secretary Moniz's
fax number, which is 586-7210.
Mr. Upton. Without objection, Mr. Glauthier, if you can
provide that for us?
Mr. Glauthier. Yes, we will be happy to provide it.
Normally, this would be logged in, so you are correct to expect
that the system should have captured it.
[The information referred to was not received at time of
printing.]
Mrs. Wilson. Dr. Robinson, there are some statements in
your testimony which I found very interesting in light of your
32-year perspective of security. You talk a little bit about
changes to the classification system that introduced systemic
weaknesses in DOE's security system. I wonder if you could
elaborate on that a little bit.
Mr. Robinson. I wonder if you would let me have 1 minute to
comment on the question of the fax. In addition to the lab
directors expressing our views in March of last year, as I say
on page 9 in my testimony, I twice brought up in congressional
testimony, once to this committee, exactly the same content
that is the conclusion of this fax. So it has been something
that has been a botherment to not only the three of us but to
most of the folks who work in the laboratories; that all of
this material, Secret, Restricted data as well as Top Secret,
must be accountable.
The classification has taken on some serious problems in
the decade of the 1990's. There was an order to declassify a
larger amount of material and to speed up the declassification.
In particular, within the Department of Defense, a lot of
documents were declassified by category rather than someone
looking at the document to see if there are paragraphs within
the document that should not be released.
Unfortunately, in that process, some things went into the
open that should not have gone into the open; and when we
learned of it, we have been trying to pull it back.
The one unique thing about Restricted data, the Atomic
Energy Commission controlled information, is it never has a
time line associated with it, that it's declassified after X
years, as is the practice in Department of Defense and most
other parts of the government, Department of State, et cetera.
If the information could lead to the building of a nuclear
weapon, as Mr. Bilbray suggests, to threaten our children, we
would like to keep that information as bottled up as we
possibly can in perpetuity.
So I considered it a fairly serious breach in the 1990's of
declassification that led to some information going out.
I believe that was not the intent of the people who did the
higher fences initiative. It was to still keep anything that
could make a functioning nuclear weapon more possible to keep
it classified, to keep it restricted from distribution.
Mr. Cox. Would the gentlewoman yield for just a moment for
a point of clarification?
Dr. Robinson, I think I understood you to say that the
material at the labs is classified under the Atomic Energy Act.
Mr. Robinson. Correct.
Mr. Cox. Is it the case that it is never classified under
the Executive Order 12958?
Mr. Robinson. No. Some of the information in other programs
than nuclear weapons that we work on and contribute to fall
under that Executive Order and we carry out and use the stamps
of declassify after 12 years, declassify after 25 years; but
not information that could lead to a functioning nuclear
weapon.
Mrs. Wilson. With respect to that, I understand that the
lab directors resisted a lot of the changes that happened in
the 1990's with respect to security and material control and so
on. Were you ever told by the Department of Energy that if you
didn't reduce your security controls you wouldn't be
compensated for the cost?
Mr. Robinson. There is such a statement from the
Albuquerque Operations Office, that this would not be cost
reimbursable. I must tell you it was at that point not an issue
of whether we were reimbursed or not. It is a question of
national security.
Mrs. Wilson. So as a contractor, in this case not
University of California but I would assume either AT&T or
Lockheed Martin, you were told that you couldn't have a higher
standard anymore; is that right? Or if you had a higher
standard, it would come out of the hide of the contractor?
Mr. Upton. Can I inquire about the date of that?
Mr. Robinson. I am quoting from a memorandum of June 19,
2000--whoops. Is this an attachment to it?
Oh, the attachment is June 29, 1992, and it says--the
question is: May sites continue to account for all secret
documents on a voluntary basis?
And the answer given by the Department was: Sites may
continue to account for documents that do not require
accountability under paragraph 2 but it must be at no cost to
DOE. Costs associated with document accountability will be
calculated only for documents that must be accounted for.
Mrs. Wilson. Mr. Chairman, I would like to ask if we could
add that document to the record, if possible?
Mr. Robinson. Sure.
Mr. Upton. Yes.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T7110.090
[GRAPHIC] [TIFF OMITTED] T7110.091
[GRAPHIC] [TIFF OMITTED] T7110.092
[GRAPHIC] [TIFF OMITTED] T7110.093
[GRAPHIC] [TIFF OMITTED] T7110.094
[GRAPHIC] [TIFF OMITTED] T7110.095
[GRAPHIC] [TIFF OMITTED] T7110.096
[GRAPHIC] [TIFF OMITTED] T7110.097
[GRAPHIC] [TIFF OMITTED] T7110.098
[GRAPHIC] [TIFF OMITTED] T7110.099
[GRAPHIC] [TIFF OMITTED] T7110.100
Mrs. Wilson. So basically you were told by DOE Albuquerque
that you could have a higher standard if you wanted to but it
was going to be at no cost to the government?
Mr. Robinson. Correct.
Mrs. Wilson. Thank you, Mr. Chairman.
Mr. Upton. Thank you. I just have one further question and
then a comment. We are expecting a vote in the next 5 or 10
minutes. Mr. Glauthier, I know you have a meeting downtown as
well, and I will let other members ask if they have additional
questions.
Dr. Browne, the list of new controls that you mentioned in
your testimony, you did not include procedures to ensure that
those who remove materials from vaults check out such documents
or disks. And I just wondered why you did not include that type
of reform. And I am wondering, maybe from General Habiger, in
terms of why that was not required in his June 23 list of new
security directives. Dr. Browne?
Mr. Browne. With respect to the NEST program, we have had
that vault closed as part of the FBI investigation and have
done a full inventory of all the NEST equipment.
So that program is sort of an off-limits program right now.
With respect to all the other information, until we
reestablish tracking ability for the documents, we don't have a
mechanism to find where the information goes. We have started
down that path with the computer storage media that I mentioned
earlier, the 66,000 devices. So we can track those, but we are
not in a position to track everything that comes out of a vault
unless it is done by hand; you know, the name of the person, et
cetera. We have not done that.
Mr. Upton. Do you expect to have some type of tracking,
whether it be a bar code or something of that nature?
Mr. Browne. That's what we had before, and the mechanism
for transfer of documents between one individual and another
one required a tracking of the bar code and the copy number,
and so one had a record of when it left and went somewhere
else.
Mr. Upton. And are you on the path to encrypt some of this
data as well?
Mr. Browne. That's correct. That's part of the
Department's----
Mr. Upton. On both Top Secret and Secret data material?
Mr. Browne. That's correct.
Mr. Habiger. Mr. Chairman, the big problem we have with
encryption is that we have one certified software package that
is only good for Windows NT. The Department of Energy had many,
many operating systems. The vendor tells us it could be up to a
year before we are able to have other operating systems
covered.
Mr. Upton. General McBroom, what has happened to this
particular NEST team while the investigation is going on? Are
they in limbo? Have they gone back to their other functions?
Mr. McBroom. Well, sir, that's really a lab question. I
haven't been allowed out there or to see them. I am going out
there next week. I can tell you in talking to Dr. Browne, they
have been through a lot, sir. Personally and professionally it
has been very hard on them.
We are going to have to really stroke some of these people
because--and I think Dr. Browne had a very, very valid point.
Ninety-nine percent of these people are just really neat United
States American citizens.
Mr. Upton. You need to find that 1 percent.
Mr. McBroom. Yes, sir, I have to find them in a hurry.
Mr. Gioconda. Sir, also for the record to understand, the
NEST team are a group of volunteers. They volunteer to be in
this program. They are not assigned to this particular program.
They step up to be assigned. I think that it is important to
understand that when you go through a situation like this, and
we have talked about this often, what are we going to have on
Monday morning. Will that person volunteer after going through
this? And we are all very, very concerned about that.
Mr. Browne. Mr. Chairman, may I add a comment to that?
Mr. Upton. Yes.
Mr. Browne. What we did with our NEST team was essentially
had the entire team stand down to go through in great detail
their security procedures for the entire team, not just the
device assessment team that I mentioned but the entire team,
because we wanted them to update all of their security
procedures and to assure themselves, not just assure us but
assure themselves that they had the best practices in place.
They have just completed that and they are back at work.
We have some compensatory measures in place because of the
FBI investigation that's going on, but I feel very comfortable
that we are doing the right thing by allowing the NEST team
members back to work.
Mr. Upton. Mr. Glauthier, I know you mentioned at the very
beginning of your testimony sort of the update in terms of
where we were with regard to the investigation. I am certainly
not a police officer or a detective, as my colleague Mr. Stupak
was with the Michigan State Police. But are we getting close to
the end of this? I mean, I know that a number of folks, in
fact, were polygraphed. It has been almost a month since those
began. Where are we in terms of the end of this investigation
so we can put things back together?
Mr. Glauthier. I think it is all right to mention here that
one of the delays has been that the lawyers for these
individuals felt they needed to get clearances in order to
properly deal with their clients and to deal with these issues.
Those clearances were granted last week. It took some time for
them to submit the paperwork to us. We turned it around in a
matter of few days.
Mr. Upton. But they were polygraphed almost from the
beginning, right? June 15 or so?
Mr. Glauthier. The individuals were, but the lawyers
representing those individuals needed to get clearances, they
said, in order to proceed with the case. So some of the
investigation has been on hold. Now, those clearances have been
in place for a matter of a few days at least and I understand
that the FBI and the U.S. Attorney out there are proceeding.
Our hope is that this will----
Mr. Upton. Do you expect some charges to be brought within
this month, July?
Mr. Glauthier. You would have to ask the FBI and the U.S.
Attorney's Office. I can't comment on that.
Mr. Upton. Okay. Let me just say this, as part of my
conclusion. As Chairman of this subcommittee, we have had more
hearings on security at our energy labs than on any other
topic--Medicare fraud, anything else--maybe, I would guess, 12
to 15 hearings in the last year and a half.
At the suggestion of the lab directors last year, for a
number of us that had not ever been to one of these labs and
really not been to the West Coast much, I know that we did take
your suggestion. We visited the labs, and I have to say that
for me, I could not have been more impressed with the physical
security of those labs; the drills that the teams did, all the
different things that were shown to us over those couple of
days, Mr. Cox, myself, Mr. Burr and Mrs. Wilson and some of our
staff that went out.
It seems as though we have focused on--we have gone from
one thing to the next.The hearings last year followed along the
lines of the Q clearances and the access to some of our secret
material by folks that really should not have been in those
areas. Changes were made.
One of the things that we focused quite a bit on in our
visit last January was looking at the cyber security details
and to make sure that there were air locks and a whole number
of different things that would prevent someone from hacking in
and getting access to that material.
I just hope that as we have looked now at this GAO report,
that again it sort of goes back to the basics, logging in
material; I mean, what we can do at a Meyers, a Thrifty Acres,
or maybe a Safeway here in the Washington area type of thing, a
library logging in material using the tools that we have,
encryption and others, to make sure that, in fact, that
material--you know, if we find that 1 percent that, in fact,
may be out there that, in fact we can prevent that individual
or individuals from leaking or selling that information
someplace else, let alone misplacing it, I mean that to me is
fundamental.
We--as Chairman of this subcommittee, and I know I speak
for every member of this subcommittee--we have got to have
accountability by all of you to make sure that the system
works. We are tired of the blame game. We would rather be
focusing on other things than this. But these really are the
crown jewels. And whether it is a culture, whether it is just
mistake after mistake, we need to get to the bottom of this and
we need to get it resolved. We don't necessarily need another
level of bureaucracy. We want results and we want to know that
when the lights get turned off, that that material is safe and
cannot get into the hands of the wrong people.
Virtually every one of you, with the exception of Mr.
Aftergood, are Federal employees; particularly General McBroom
and others, you need to take every effort. We are prepared as a
Congress to fund whatever it takes to make sure that these
secrets remain just that. Now you have a tremendous
responsibility. The American public has entrusted you and we
want to make sure it works. I would just hope that as we follow
up on this hearing today that, in fact, we won't see further
miscues.
Mr. Glauthier, your comment earlier about taking the
pledge--I think it was by Mr. Bilbray--by January 1, Secretary
Richardson did that. You might have offered him some different
advice last year when he assured us in fact that those things
would not take place. We want your word to be good and we want
the fire doors to be closed so that this does not happen again.
As we look at further GAO reports and other things that may
come our way, we want to hear from you first and see what
suggestions you might have that we might help you do a better
job to make sure that, in fact, that fire door remains closed.
Mr. Cox, I don't know if you want to make a closing
statement, Mrs. Wilson, but I yield to you if you would like to
do that.
Mr. Cox. I thank you, and I just want to thank every member
of our panel. These are difficult topics and they are made more
difficult by the fact that there have been so many things that
everybody wishes hadn't happened go on over the last few years.
My greatest concern is the seeming consistency of the
bureaucratic problems, notwithstanding all of the renewed vigor
to attack them at this time and to get it right.
When the House of Representatives nearly unanimously
created this select committee that I chaired, it was 4 months
after the President had issued PDD 61, and then we went through
a whole year on our select committee and had more public impact
with that, and then we had damage assessment by the CIA which
confirmed what our select committee had found. We had the
President's Foreign Intelligence Advisory Board complain about
security and counterintelligence at the laboratories and about
DOE mismanagement. We had recommendations for reform. And yet
it was not until March of this year that one of the key
elements of the President's directive to the Secretary of
Energy, polygraphing, was even begun to be implemented.
It was not really until these hard drives turned up missing
that people in sensitive positions in that connection were
subjected to polygraphs. I think that it is a fair thing to
argue, particularly for scientists who are technically minded,
to argue about the relative merits and demerits of polygraphs.
They are well equipped to do so. But once the President of the
United States orders it done, it oughtn't take the bureaucracy
so many years to begin it.
The same holds with the creation of the NNSA. The NNSA was
created in direct response to recommendations from all the
outside groups that have looked at it and the bureaucracy has
been fighting it because of turf. Now we are talking about new
creative ways to restructure the bureaucracy, all of them
compounding the prolix nature of the Department of Energy's
relationship to the labs, and I am very sorry for that. I hope
that one of these days they will listen to the advice and
follow the legislation.
I thank the chairman.
Mr. Upton. Thank you. Mrs. Wilson, do you have a closing
comment?
Mrs. Wilson. Thank you, Mr. Chairman. I wanted to thank you
again for allowing me to sit in and participate in this
hearing. I think I walk away with kind of a reconfirmation that
the problems relating to security in the nuclear weapons
complex are systemic. They relate more to policy and the
implementation of that policy than they do to isolated acts by
individuals. And I look forward to General Gordon taking the
reigns and being able to look at the complex systematically
over a long period of time to ensure its continued health for
the country, and I think that's the right direction to go in.
And I thank the chairman again.
Mr. Upton. Again, I thank all members for participating. I
would note for the record that there are a number of
subcommittees meeting during these hours. We do look forward to
hearing from General Gordon probably this fall, once Congress
returns from the August break. Again we thank you for your
testimony. We look forward to working with you. This hearing is
now adjourned.
[Whereupon, at 2:55 p.m., the subcommittee was adjourned.]
[Additional material submitted for the record follows:]
Federation of American Scientists
August 1, 2000
Hon. Fred Upton, Chairman
Subcommittee on Oversight and Investigations
Committee on Commerce
U.S. House of Representatives
2125 Rayburn House Office Building
Washington, DC 20515-6115
Dear Mr. Chairman: Attached please find my answers to the questions
for the record from the July 11, 2000 hearing on weaknesses in
classified information security control's at DOE's nuclear weapons
laboratories.
Thank you for the opportunity to present my views to the
Subcommittee.
Sincerely,
Steven Aftergood
Senior Research Analyst
Questions for Steven Aftergood
Q. In your testimony, you quoted a National Academy of Sciences
report which states that ``access to classified information is not
necessary for a potential proliferator to construct a nuclear weapon.''
The Academy said that access to nuclear material and an engineering and
manufacturing infrastructure to build a bomb are most important. Iraq
became a nuclear power without stealing our secrets, as did India. Was
the Cox Commission and the Congress in error last year when they placed
so much emphasis on the alleged theft of our technology for China's
weapons advances?
A. The espionage threat from China and other nations is certainly a
legitimate and necessary subject of inquiry. But I believe the Cox
Committee and Congress erred by failing to place the espionage threat
in proper perspective.
The People's Republic of China has possessed thermonuclear weapons
since 1964 and has a mature nuclear weapons manufacturing capacity. Yet
today, fifteen years after China's alleged theft of W-88 warhead design
information described by the Cox Committee, there has been no
``apparent modernization of their deployed strategic force or any new
nuclear weapons development,'' according to the CIA's Jeremiah panel.
Espionage, if it occurred, evidently did little to alter the threat
facing the United States.
Instead of clarifying the issues, the continuing emphasis on
Chinese nuclear espionage has led to a serious distortion of public
perceptions. Senator Bob Kerrey said last year that the Cox Committee
report ``has left the impression that China is a bigger threat to the
United States in terms of nuclear weapons than Russia is. Nothing can
be further from the truth.'' But a Time-CNN public opinion poll found
that 46 percent of Americans consider China a serious threat, compared
to 24 percent who hold that view of Russia.
Finally, the preoccupation with espionage has incurred serious
damage to the nuclear weapons laboratories where morale a,'Id
recruitment have fallen precipitously. This is a potentially far more
serious blow to national security than any espionage that may have
taken place.
Q. What do you see as the solution to these embarrassing security
breaches at DOE?
A. There is no solution. That is to say, it is impossible to
guarantee that security breaches will not occur in the future.
Again, it is important to keep these matters in perspective. There
can be no absolute security. There is no national security agency in
the U.S. government that has not been deeply penetrated by a foreign
intelligence service at one time or another. Meanwhile, minor security
infractions are literally a daily occurrence.
It is easier to say what is not the solution. I do not believe that
Congress should legislate specific security requirements (such as
document accountability, polygraph screening, etc.) because such
system-wide requirements can have unintended consequences and may need
to be modified to meet local needs and circumstances.
On the other hand, it would be appropriate to identify an official
at each facility who is responsible for security at that facility.
While I believe it was absurd to suggest that the Secretary of Energy
should be accountable for the fact that a particular classified item at
Los Alamos was missing, it would be entirely sensible to assign
responsibility for such cases to a particular official at every
laboratory. That official should have the flexibility and discretion to
tighten or relax baseline security requirements, as appropriate, and
then should be held responsible for overall security performance.
I would only add, as I stated in my testimony, that security should
not be permitted to significantly erode the quality of the labs. If it
were necessary to choose, I would prefer second-rate security at a
first-rate laboratory to first-rate security at a second-rate
laboratory.
Q. What will it take to implement the ``higher fences'' initiative?
A. The ``higher fences'' concept of focusing security resources on
the most sensitive information makes obvious, intuitive sense. But like
any change to established practices in a bureaucracy, it faces
resistance that will require high-level leadership to overcome.
DOE officials now refer to the adoption of a ``graded approach'' to
security, involving stronger protection for more sensitive materials,
The ``graded approach'' seems to be similar to the ``higher fences''
initiative except that it omits declassification.
This is a mistake, in my opinion. Proper declassification is an
essential component of an information security classification system.
The system will not function properly, and will eventually break down,
if there is no reliable mechanism for removing controls on information
that no longer warrants protection.
For this reason, I believe that the DOE Fundamental Classification
Policy Review group (which last reported in 1997) should be reconvened
at perhaps 5-year intervals to identify which categories of information
should be newly declassified and which categories, if any, should
receive increased protection.
I also believe that Congress should increase support for
declassification review. Congress should clearly communicate to DOE the
expectation that while sensitive information must be properly
classified, information that is no longer sensitive should be
efficiently removed from classification controls.
______
Answers to Questions for the Record of Dr. C. Paul Robinson, Director,
Sandia National Laboratories
Question: The Committee understands that Sandia played a big role
in the Higher Fences initiative. Can you describe your lab's
involvement and why you believe DOE has not reached closure on this
issue after four years of trying?
Did Sandia object to DOE's initial proposal on higher fences, and
if so, why?
Did Sandia object to reclassifying these sensitive categories as
Top Secret, and if so, why? What value would there be in re-classifying
these sensitive topics as Top Secret, as proposed by DOE, if DOE didn't
require additional controls for Top Secret, as evidenced by its January
1998 decision to eliminate such controls?
Response: Sandia National Laboratories was a major participant and
contributor in the Higher Fences Initiative beginning with the
Fundamental Classification Policy Review, which began its work in May
1995. Secretary O'Leary appointed Dr. Albert Narath, the director of
Sandia, to be chairman of the review group. (It should be noted that
Dr. Narath left Sandia in August 1995 to accept a position with the
Lockheed Martin Corporation. He continued to chair the review team
while in his new position.) The Fundamental Classification Policy
Review Group consisted of about 50 experts from the DOE community and
other agencies, including several individuals from Sandia. The review
team issued a final report in January 1997.
Sandia National Laboratories also played a major role on the second
of two Higher Fences working groups. A first working group had been
formed at DOE headquarters shortly after the Fundamental Classification
Policy Review issued its report, but the results of this first effort
were deemed inadequate by many reviewers in the field and at
headquarters. The considerable criticism of the first working group's
proposal prompted the DOE Office of Declassification to charter a
second Higher Fences Working Group in July 1998 to resolve the issues
identified in the critiques. The DOE Office of Declassification
appointed the classification officer at Sandia National Laboratories to
lead this group of classification experts from the field and DOE.
Sandia National Laboratories fully supported (and continues to
support) the initial Higher Fences recommendation of the Fundamental
Classification Policy Review Group (January 1997). However, Sandia and
other DOE elements in the field and at headquarters had several
criticisms of the work of the first Higher Fences Working Group, which
issued a memorandum for comment in March 1998. That report received a
largely negative response. A major concern shared by Sandia and the
other nuclear weapon laboratories was that DOE had recently removed (in
January 1998) the longstanding requirement for formal document
accountability of Top Secret Restricted Data. To classification
professionals in the field, it seemed inconsistent to propose to
reclassify certain information to Top Secret while at the same time
weakening the accountability controls on Top Secret. Thus,
reclassification on the Higher Fences criteria would be a paper
exercise resulting in no significant increase in protection within the
DOE community.
In May 1998, the DOE Technical Evaluation Panel submitted its
concerns on the initial Higher Fences guidance in a memorandum to the
director of the DOE Office of Security Affairs. The Technical
Evaluation Panel is a committee of weapon designers that provides
consultation for the DOE classification community, and it was chaired
at that time by a Sandia weapon program manager. The panel's basic
criticism of the initial Higher Fences guidance was that the lack of
consistency in the level of protection provided for Top Secret
Restricted Data by the various DOE orders governing security of
documents and computer systems undermined the initiative. The panel
predicted that these inconsistencies, together with the failure to
address the costs of implementation, would result in failure of the
Higher Fences Initiative.
The second Higher Fences Working Group issued an unclassified draft
report to the DOE Office of Declassification in February 1999, followed
by a full, classified report in April. The report filled in some of the
detail that would be required for implementation and added much-needed
rigor to the sensitivity criteria for reclassification. This work
provided a foundation for moving forward with the Higher Fences
Initiative within the Department's decision structure, and eventually
to DoD.
DOE issued a final report for implementing the Higher Fences
recommendation in October 1999. At that point, considerable
disagreement still existed both within the Department and in the field
concerning how Higher Fences should be implemented, although the
concept and intent of the Higher Fences Initiative were generally
accepted. The most significant issues of concern were:
1. DOE's decision in January 1998 to remove the requirement for formal
document accountability for Top Secret Restricted Data;
2. The lack of consistent guidance within DOE on handling paper and
electronic forms of Top Secret;
3. The lack of implementation guidance and associated funding for
segregating new Top Secret and handling existing Top Secret;
4. The lack of funding to upgrade Secret-level computer networks to Top
Secret networks, which was estimated to run $20 to $30 million
per site.
Notwithstanding these concerns, the DOE leadership decided to press
forward with implementation. In October 1999, the Assistant Secretary
for Defense Programs and the Director of the Office of Security and
Emergency Operations sent a letter to the Nuclear Weapons Council (a
joint DoD/DOE coordinating group of senior officials) requesting the
assistance of the Council in encouraging DoD to participate in a joint
working group to develop an implementation plan for Higher Fences. Buy-
in by DoD was essential because much Secret Restricted Data that would
be reclassified to Top Secret under the Higher Fences plan was in the
custody of DoD.
In December 1999, DOE received a response from the Office of the
Secretary of Defense (signed by the director of Defense Research and
Engineering and by the Assistant Secretary for Command, Control,
Communications, and Intelligence) in which DoD declined to participate
in an interagency working group for the Higher Fences Initiative. The
letter cited increased costs, operational difficulties, and DoD's
belief that such information is adequately protected at the Secret
level. The letter also indicated that DoD would review the Higher
Fences recommendations from a cost-benefit perspective so that the
initiative could receive serious consideration. At this time, I am
unaware that DoD has completed its review. However, the evident lack of
serious interest by DoD is the principal reason for the failure of the
Higher Fences Initiative to continue to move forward toward
implementation.
______
General Accounting Office Responses to Questions For the Record
Q. Was the 1992 change in DOE Secret-level accountability controls
mandated by Executive Order or government-wide changes that occurred in
that year, as DOE has suggested in article in the Washington Post, or
was DOE free to set its own policies in this regard?
A. The 1992 change in DOE Secret-level accountability controls was
not mandated by Executive Order or any government-wide requirements as
far as we can determine. The Executive Order in force at the time--EO
12356, dated April 2, 1982, and its implementing directive-allowed
heads of agencies to set policies for accountability for Secret-level
documents. Therefore, DOE could set its own policies within this
framework.
Q. This same article also states that, in January 1993, just two
weeks before the end of the Bush Administration, an executive order
extended these new relaxed rules to government contractors, such as Los
Alamos. Is that an inaccurate statement based on your research? What
did the Executive Order actually do? Please provide a copy of the
Executive Order for the record.
A. The statement ``in January 1993, just two weeks before the end
of the Bush Administration, an executive order extended these new
relaxed rules to government contractors, such as Los Alamos'' is
inaccurate. Executive Order 12829, dated January 6, 1993, created a
National Industrial Security Program to establish a single, integrated,
cohesive program to protect classified information that is released to
contractors, licensees, and grantees of the United States Government.
While the Program was created to promote uniformity, the Executive
Order did not specify that accountability requirements were to be
relaxed.
Q. To your knowledge, was there any government-wide decision made
to reduce controls on Secret data prior to 1995?
A. Our audit work concentrated on DOE actions in accountability for
Secret documents. As such we did not examine what other government
agencies were doing to control Secret data. We will examine this issue
as part of our ongoing work in the area.
[GRAPHIC] [TIFF OMITTED] T7110.101
[GRAPHIC] [TIFF OMITTED] T7110.102
[GRAPHIC] [TIFF OMITTED] T7110.103
[GRAPHIC] [TIFF OMITTED] T7110.104
[GRAPHIC] [TIFF OMITTED] T7110.105
�