[House Hearing, 106 Congress] [From the U.S. Government Publishing Office] WEAKNESSES IN CLASSIFIED INFORMATION SECURITY CONTROLS AT DOE'S NUCLEAR WEAPON LABORATORIES ======================================================================= HEARING before the SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS of the COMMITTEE ON COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED SIXTH CONGRESS SECOND SESSION __________ JULY 11, 2000 __________ Serial No. 106-148 __________ Printed for the use of the Committee on Commerce __________ U.S. GOVERNMENT PRINTING OFFICE 67-110 WASHINGTON : 2000 COMMITTEE ON COMMERCE TOM BLILEY, Virginia, Chairman W.J. ``BILLY'' TAUZIN, Louisiana JOHN D. DINGELL, Michigan MICHAEL G. OXLEY, Ohio HENRY A. WAXMAN, California MICHAEL BILIRAKIS, Florida EDWARD J. MARKEY, Massachusetts JOE BARTON, Texas RALPH M. HALL, Texas FRED UPTON, Michigan RICK BOUCHER, Virginia CLIFF STEARNS, Florida EDOLPHUS TOWNS, New York PAUL E. GILLMOR, Ohio FRANK PALLONE, Jr., New Jersey Vice Chairman SHERROD BROWN, Ohio JAMES C. GREENWOOD, Pennsylvania BART GORDON, Tennessee CHRISTOPHER COX, California PETER DEUTSCH, Florida NATHAN DEAL, Georgia BOBBY L. RUSH, Illinois STEVE LARGENT, Oklahoma ANNA G. ESHOO, California RICHARD BURR, North Carolina RON KLINK, Pennsylvania BRIAN P. BILBRAY, California BART STUPAK, Michigan ED WHITFIELD, Kentucky ELIOT L. ENGEL, New York GREG GANSKE, Iowa TOM SAWYER, Ohio CHARLIE NORWOOD, Georgia ALBERT R. WYNN, Maryland TOM A. COBURN, Oklahoma GENE GREEN, Texas RICK LAZIO, New York KAREN McCARTHY, Missouri BARBARA CUBIN, Wyoming TED STRICKLAND, Ohio JAMES E. ROGAN, California DIANA DeGETTE, Colorado JOHN SHIMKUS, Illinois THOMAS M. BARRETT, Wisconsin HEATHER WILSON, New Mexico BILL LUTHER, Minnesota JOHN B. SHADEGG, Arizona LOIS CAPPS, California CHARLES W. ``CHIP'' PICKERING, Mississippi VITO FOSSELLA, New York ROY BLUNT, Missouri ED BRYANT, Tennessee ROBERT L. EHRLICH, Jr., Maryland James E. Derderian, Chief of Staff James D. Barnette, General Counsel Reid P.F. Stuntz, Minority Staff Director and Chief Counsel ______ Subcommittee on Oversight and Investigations FRED UPTON, Michigan, Chairman JOE BARTON, Texas RON KLINK, Pennsylvania CHRISTOPHER COX, California HENRY A. WAXMAN, California RICHARD BURR, North Carolina BART STUPAK, Michigan Vice Chairman GENE GREEN, Texas BRIAN P. BILBRAY, California KAREN McCARTHY, Missouri ED WHITFIELD, Kentucky TED STRICKLAND, Ohio GREG GANSKE, Iowa DIANA DeGETTE, Colorado ROY BLUNT, Missouri JOHN D. DINGELL, Michigan, ED BRYANT, Tennessee (Ex Officio) TOM BLILEY, Virginia, (Ex Officio) (ii) C O N T E N T S __________ Page Testimony of: Aftergood, Steven, Senior Research Analyst, Federation of American Scientists........................................ 169 Browne, John C., Director, Los Alamos National Laboratory.... 152 Glauthier, T.J., Deputy Secretary; accompanied by: General Eugene E. Habiger, Director, Office of Security and Emergency Operations; General John McBroom, Director, Office of Emergency Operations; and General Tom Gioconda, Deputy Administrator for Defense Programs, National Nuclear Security Administration, Department of Energy.............. 140 Podonsky, Glenn S., Director, Office of Independent Oversight and Performance Assurance, U.S. Department of Energy....... 16 Robinson, C. Paul, President and Laboratories Director, Sandia National Laboratories............................... 145 Tarter, C. Bruce, Director, Lawrence Livermore National Laboratory................................................. 164 Wells, Jim, Issue Area Director, Energy, Resources, and Sciences Issues, U.S. General Accounting Office, accompanied by William F. Fenzel........................... 11 Material submitted for the record by: Aftergood, Steven, Senior Research Analyst, Federation of American Scientists, letter dated August 1, 2000, to Hon. Fred Upton, enclosing response for the record.............. 215 General Accounting Office, response for the record........... 218 Robinson, C. Paul, President and Laboratories Director, Sandia National Laboratories, responses for the record..... 216 (iii) WEAKNESSES IN CLASSIFIED INFORMATION SECURITY CONTROLS AT DOE'S NUCLEAR WEAPON LABORATORIES ---------- TUESDAY, JULY 11, 2000 House of Representatives, Committee on Commerce, Subcommittee on Oversight and Investigations, Washington, DC. The subcommittee met, pursuant to notice, at 9:30 a.m., in room 2322, Rayburn House Office Building, Hon. Fred Upton (chairman) presiding. Members present: Representatives Upton, Cox, Burr, Bilbray, Ganske, Bryant, Stupak, Green, and DeGette. Also present: Representative Wilson. Staff present: Tom DiLenge, majority counsel; Yong Choe, legislative clerk; and Edith Holleman, minority counsel. Mr. Upton. Good morning, everyone. Today we will continue this subcommittee's focus on the security problems apparently still unresolved at DOE's nuclear weapon labs, as evidenced by the most recent security breach at Los Alamos involving some of the Nation's most sensitive nuclear weapons-related data. This data, containing hard drives utilized by DOE's Nuclear Emergency Search Team, or NEST, includes information on detection of and response to incidents involving improvised nuclear devices or other nuclear weapons in the United States or foreign stockpiles. Many of the shocking facts concerning this latest incident already have made their way into the public. We all know about how 26 individuals had unrestricted access to the vault containing these sensitive NEST hard drives and that they could take them at any time without creating any written record of their removal. But recent committee staff interviews of relevant Los Alamos officials have revealed that roughly half of these 26 people, including the vault custodian, were not members of the NEST team and did not have any, ``need to know'' the information contained on those hard drives. Thus, numerous individuals, without any legitimate reason to have access to this highly sensitive data, could have entered this vault at virtually any time and taken these hard drives without anyone knowing. Instead of ``need to know,'' we had a system of ``want to know.'' We also have recently learned that Los Alamos failed to change the combination on the vault as required when there are changes to the authorization access list. In fact, the last time the vault combination had been changed was in 1996, despite changes in the list of authorized personnel since that time. Thus, individuals beyond those 26 whose involvement in these programs had already ended continued to have access or could have continued to have access to the vault. These particular deficiencies reflect poorly on Los Alamos, and there is no doubt that there was substantial confusion at the lab about who was supposed to be doing what when it came to security of classified assets used by NEST. Part of this confusion stems from the fact that line managers believed the lab program officials were in charge, while the program officials thought the opposite. But part of this confusion also arises from the unique situation of these DOE-led swat teams like NEST. We have learned that DOE headquarters essentially picked the NEST management team at Los Alamos, which in effect reports to DOE on operational issues, while reporting through the lab management structure on administrative issues.While this arrangement probably makes sense, it requires close coordination and communication to make it work, and we now know the price of such failure. The greater problem, however, goes beyond this particular team to the overall system in which it operates. As our first panel today will explain, DOE essentially has set a low threshold of security requirements for its labs to follow, leaving them substantial discretion and flexibility on how they implement actual security practices. The result--as both Mr. Podonsky's and this committee's oversight have discovered--is that the effectiveness of security practices at the labs varies greatly, both within and among the labs, even for very similar types of information. And because of the lack of clear and tough requirements, the built- in system of laboratory and DOE security oversight is destined to failure, since virtually any state of affairs could be considered to be technically in compliance with DOE orders. Thus, while DOE may want to blame the labs whenever something goes wrong in security, it seems clear that the real fault lies much closer to home. The saddest fact is that the most recent national security threat posed by these missing hard drives might have been avoided had numerous expert recommendations to the administration been implemented in a more timely fashion. As far back as 1994, DOE and the Department of Defense were engaged in discussions to increase controls on the more sensitive nuclear weapons information that the two agencies share, such as the data on these hard drives, but no consensus was ever reached. In February 1996, a draft report commissioned by Secretary of Energy O'Leary recommended that higher security fences be established for similar categories of data, but DOE failed to issue a formal proposal to DOD until December of last year, and it seems that Defense will not lightly accept such recommendations anyway, for its own reasons. And two 1999 recommendations, one from the labs themselves and another from the President's Foreign Intelligence Advisory Board, urged DOE to tighten control requirements for such data, apparently to no avail. Nothing prevented DOE from tightening controls on its own material while in its possession, even if DOD opted not to go along. Indeed, it is now doing so in response to the latest crisis. Yet instead of tightening controls on our most sensitive secrets years ago, DOE moved in the exact opposite direction. In January 1998, DOE eliminated controls on Top Secret data, much as DOE had reduced controls on lower level classified matter back in 1992. Today's hearing hopefully will allow us to have an honest discussion of what is and what is not required by DOE orders and what is and what is not being done by the labs to properly control access to our Nation's most sensitive nuclear information, and what more should be done to remedy this situation. I echo Chairman Bliley's call today for a more centralized Federal role in security affairs at our nuclear weapons labs. Let's leave the science to the scientists, but let's make security the responsibility of Federal security experts over whom we have direct and personal accountability. I yield to the acting ranking member of this subcommittee, from the great State of Michigan, Mr. Stupak. Mr. Stupak. Thank you, Mr. Chairman, and thank you for holding this hearing. Last time this subcommittee had the opportunity to ask questions about the missing hard drives at the Los Alamos National Lab, the Department of Energy witnesses had few answers to give this subcommittee. Today we know the hard drives have been found. Although the investigation is not complete, the FBI and the DOE do not believe the missing hard drives were the result of espionage. Rather, their loss resulted from sloppy handling and potentially criminal attempt to cover up the cause of their loss. The chain of events that led to the discovery of the missing hard drives has been well publicized. The Los Alamos lab took 3 weeks to inform the DOE of the missing hard drives when it was required to do so within 8 hours. The procedures at Los Alamos for handling the secret nuclear weapons information was completely inappropriate. While all three of the labs have inadequate procedures for handling this material in place, Los Alamos allowed more people greater access with fewer controls than either Sandia or Livermore. You know, Mr. Chairman, the McDonald's restaurant employees check the cleanliness of their bathrooms and keep better records of their maintenance than Los Alamos does of its nuclear weapons data. As a result of the loss of these drives, I and other members of this subcommittee wrote Secretary Richardson asking him to terminate the contract with the University of California, because it has been unable to perform its security functions in accordance with its contract with the Department of Energy and its responsibility to the American people. Time and time again, the labs have asked us to excuse their mistakes, overlook their failures and trust them to properly handle sensitive materials they are entrusted with. I don't know about you, Mr. Chairman, but I am all out of trust. Although I was a State police officer for many years, I am certainly not a nuclear security expert. Yet, when I analyzed the proposed improvements to the proposed tracking and inventory procedures at Los Alamos, I am left scratching my head. Los Alamos will institute a new bar coding system that will allow these sensitive documents to be inventoried, but it will not allow the lab to track who has the information. What is the use of bar coding the information if you can't track who is removing it and who has it? As I mentioned in the earlier testimony and before this last subcommittee meeting, the Menominee Public Library has the ability to use its bar coding system to make sure when a book leaves the library. The coding system will also tell you who has the book, who removed the book. Why can't Los Alamos do the same? I am starting to believe that DOE should award the contract to Menominee Public Library. Mr. Chairman, I don't believe the labs have produced any evidence to assure me that they are suddenly going to take their security function seriously. Rather than complain about budget cuts or other concerns, the labs need to require their people to do their job and protect our Nation's nuclear weapons data. McDonald's and the library keep track of their employees and property for a lot less than Los Alamos. I believe it is time for common sense and action, not more excuses. I yield back the balance of my time, Mr. Chairman. Mr. Upton. Thank you. Mr. Burr. Mr. Burr. Thank you, Mr. Chairman. Once again, this subcommittee is meeting to examine security problems at the Department of Energy in our Nation's nuclear weapon laboratories. Needless to say, I am disappointed to be here. I had hoped that the work of this subcommittee, the Cox Commission, the President's Foreign Intelligence Advisory Board, and others over the course of the last year would have prompted DOE to take action. Unfortunately, that's not the case. While Secretary Richardson has taken some steps to improve physical security at the labs, it appears as though DOE has ignored, until recently, recommendations suggesting basic changes in the way the agency does business. Once again, we are forced to bring the Department and the labs to Congress to figure out why these incidents continue to occur. No one is suggesting that we will be able to prevent all security lapses or stop every spy, but we can certainly take steps to make it as difficult as possible for them to occur in the first place. Over the last year, a number of recommendations have been made and a number of recommendations have been ignored. Last summer, for example, Senator Rudman made some very specific recommendations: establish clear chains of authority; implement effective personnel security programs; reinstitute comprehensive classified document control systems; and conduct a comprehensive classification review. Once again, recommendations made and recommendations apparently and unfortunately ignored. We know they were ignored because Mr. Podonsky's recent review of Lawrence Livermore and Sandia contained similar recommendations. Secretary Richardson has apparently determined that responsibility for security belongs with the labs. If it were only that simple. I have been among the most critical of the labs' management practices, but it is clear that Secretary Richardson's arguments ring hollow. The Department has a responsibility to see that its security policies are clear and leave no room for confusion. Its policies are anything but clear and confusion reigns. The Podonsky review indicates that the labs have generally implemented standard DOE policy. The labs do indeed bear some responsibility for security failures that occur on their watch, but clearly the policies in place at DOE deserve equal attention. Despite Secretary Richardson's protest to the contrary, there is simply no clear guidance from DOE on security issues, period. Nowhere is that lack of guidance more readily apparent that than in the NEST program. This little known element of DOE is one of the most important tools in our national security apparatus. The lack of accountability and absence of clear lines of authority in this program are extremely disturbing. The lab directors and DOE managers seem to be consistently at odds over who is responsible for the program. This program is too important for disputes over who is accountable. Someone is. And this member, for one, intends to find out who. I also have to express my disappointment with General Habiger, General McBroom, and General Gioconda. Gentlemen, I have the utmost respect for the long years of service and sacrifice you have given to your country. Perhaps better than any others, you understand the threats posed to our Nation by nuclear weapons and the damage that could be caused to our national security should such sensitive information fall into the wrong hands. That's why we ask you to continue your service to your Nation at the Department of Energy. We hope that your backgrounds and knowledge of security issues will serve to strengthen what has historically been weak security programs. Somehow, some way, you have lost that focus. Perhaps the culture of disregard for security at DOE is actually so pervasive that it consumes all who attempt to run, but we expect you to fight against that culture. You are all take- action types. But why haven't we? When you recognize a problem, you should take the steps to correct it. That's how you became generals in the first place. You were brought in to DOE to continue that approach and to pass on your security-conscience attitudes to the rest of that Department. Gentlemen, we expect a great deal from you. We want you to succeed. The Department has a long way to go to improve its security programs and we will continue to turn to you for the answers. This member, and I expect this entire subcommittee, stands ready and able to do whatever the request is. With that, I yield back, Mr. Chairman. Mr. Upton. Thank you. Mr. Bilbray. Mr. Bilbray. Yes, Mr. Chairman. Mr. Chairman, I would like to echo my colleague from Michigan, the acting ranking member, and I want to--mostly because he is here--I want to praise him--or because he is not here, I want to praise him. The fact is is that I think that he articulated the issue that this is not a partisan issue, it is an American issue. I for one am very, very concerned that we handle this in a very nonpartisan way. I want to ask my colleagues on the Republican side to remember that the implementation of whatever correction we have will probably be executed by another administration in another year, and sadly looking at the next--until the end of the year, of basically just trying to cover ourselves until that set time. I also want to point out to my Democratic colleagues that defending a status quo, either be it from a previous administration or this administration, doesn't solve the problem and doesn't avoid future risks. Mr. Chairman, the 7-Eleven stores in America can tell you who picked up lip balm at their counter 3 months ago. They can give you that type of inventory control because they use very simple technologies: time delayed video surveillance. There is almost no company in America that I know of, and especially in my district with all the high-tech work, that do not have what appears to be a much superior security, not just system but mindset, than what we have seen to have been exposed with our laboratories. Now, Mr. Chairman, I want to say that I don't know, speaking to generals, about what is going on in the Army or the Air Force, but as somebody who worked around nuclear facilities and nuclear crafts in the United States Navy as a contract worker, I know the security that the United States Navy puts to its nuclear secrets and its nuclear information. And as a worker, firsthand exposure to this, I tell you I am almost to the point of saying, why can the United States Navy be able to secure its secrets and its information about its ships that are sitting in the middle of a 2 million population and all at once watch our laboratories misplace information that's as critical as we have seen in the last year? I just think that we have got to recognize, though, that it is not just the systems's breakdown that we have witnessed in the last few years, and I would ask my colleagues and the witnesses to address the issue of the mindset that has infected this agency, the mindset which appears to be that this is a campus environment that is not the precious treasure of information that is owned by the people of the United States, and only the people of the United States. It is not the personal property of the laboratory, of the university system, or of the world. It is the taxpayers of the United States who developed this information. It is their right and their right only to be able to use it as they see fit. Mr. Chairman, I appreciate the chance to be here today. I think this is a very important challenge, and I think it is a challenge to all of us in Congress to be able to understand that we need to find answers and we need to implement responses. If my 15- and 14-year-old children had lost their disks and said, ``Well, we are lucky, dad, nobody stole them, I just misplaced them,'' as a parent I would be more outraged at the fact that my children did not take care of what was their responsibility, even more than thinking that they allowed somebody to steal it. I don't think we should celebrate the fact that they were lost. I think that we should be frustrated and terrified that they were lost. And I yield back, Mr. Chairman. Mr. Upton. Thank you. Mr. Green. Mr. Green. Thank you, Mr. Chairman. I am glad to follow my San Diego colleague, and I agree that this is a bipartisan issue and it is a national security concern that should be bipartisan or nonpartisan. I know not only do we need these continued hearings, but we need to follow up with the appropriations necessary with the Department of Energy. And also as testimony in our earlier hearings showed, we need to follow up to make sure the money is spent for the security issues. Like all the members of the committee, and I think all of Congress, we have become increasingly concerned about security controls at DOE and the weapons--nuclear weapon laboratories and the disappearance and the reappearance of the sensitive hard drives, and I believe improvements are necessary. And whether it is changing the contract or maybe bringing someone else in to make sure, I know we benefit from the campus-like attitude that we have at both Los Alamos and the other facility, but we also need to make sure that that campus-like attitude is not to the detriment of the national security of our Nation. I know it is a concern we have, but the testimony we have had for a number of hearings is that this is not a current problem. Sure, we have it now and we hear the problems, but it is a recurring problem over the last number of years and in different administrations. So I don't want it to be just a Secretary Richardson problem. It is a national problem that spans both Republican and Democrat, but we need to solve it. That's why, Mr. Chairman, I thank you for having these hearings and to keep the follow-up. We need to make sure that we don't have these hearings a year and a half from now and find out something else was misplaced, whether it is the easiest thing of putting security cameras in sensitive areas, but again there are lots of solutions that could be done and hopefully DOE and the administration will do it on their watch and not wait until the next watch. Thank you, Mr. Chairman. Mr. Upton. Thank you. Dr. Ganske. Mr. Ganske. Mr. Chairman, in March 1999, following the Cox Commission report findings, the three lab directors wrote to the DOE Under Secretary, urging that formal accountability requirements for Secret and Top Secret restricted weapons data be reinstituted, ``as quickly as possible.'' The Redmond report, issued shortly thereafter, contained a similar recommendation, but DOE did not take any apparent action to address these recommendations prior to this latest security incident. A couple of weeks ago this committee meet in secret, received a briefing on this problem, and what I will say--it has been reported in the press--and that is that the information on those disk drives were pretty important. I was astounded at that briefing at the lack of commonsense security arrangements, to say the least. So I think there are some things that we need to determine in this hearing. For instance, why does there seem to be such a big difference between DOE minimum security requirements and commonsense security controls, as outlined so well by Mr. Stupak already? Why has DOE failed, since 1996, to act on repeated recommendations to impose tighter controls on its most sensitive nuclear weapons information? And why did DOE in 1998 actually move in the other direction by eliminating controls for Top Secret data? Those are all very important questions for us to determine today in this hearing. And I thank you, Mr. Chairman, for calling this hearing. Mr. Upton. Thank you. I would just note for the record that for those members that are not here, we will leave the record open for opening statements and I would make a unanimous consent request that all members of this subcommittee will have an opportunity to submit their opening statements as part of the record. Without objection. [Additional statements submitted for the record follow:] Prepared Statement of Hon. Ed Bryant, a Representative in Congress from the State of Tennessee Thank you Mr. Chairman: I appreciate your holding this very timely hearing, and I want to welcome our distinguished panels. In May of last year, the nation was shocked to learn that a suspected Chinese spy had been repeatedly transferring top-secret computer files at the Los Alamos National Laboratory from a classified system for over 10 years before he was finally arrested. These computer files contained classified programs used to develop, build, test and simulate several generations of nuclear weapons. According to the Los Angeles Times, the loss of this information represents ``a staggering blow to U.S. national security.'' A little over a month after learning of this security breach, the full Commerce Committee held a hearing on Department of Energy security lapses. During this hearing, the chairman of the President's Foreign Intelligence Advisory Board, former Senator Warren Rudman, reported that his commission had found evidence of serious security failings, including: foreign scientists visiting labs without proper background checks and monitoring; classified computer systems and networks with innumerable vulnerabilities; and instances where secure areas were left unsecured for years. In the wake of this report, Secretary of Energy Bill Richardson stated that ``I can assure the American people that the nuclear secrets are now safe.'' Less than a year later, however, news agencies began reporting that two computer hard drives containing sensitive information about U.S., Russian, and other nuclear weapons was missing. The information on these disks is used by the Nuclear Emergency Safety Team (NEST) to respond to terrorist activities or accidents involving nuclear weapons. Investigations into the disappearance of these hard drives have revealed that security was so lapse that the 26 NEST members were able to enter the vault where these devices were stored without ever having to sign in or sign out. NEST team members were also able to remove and return sensitive nuclear information without filing any type of report. Although the hard drives were recovered a few weeks ago, during a recent Senate hearing it was revealed that the information on these drives could have been copied in such a way that we may never know if this information has been given to other countries. The Department of Energy has just recently announced plans to tighten security by replacing combination locks with more sophisticated palm scanning locks, and possibly installing video surveillance systems. While this is encouraging, it is a little like closing the barn door after the horses have decided to leave. The real question, isn't what can the Department do to tighten security, but why wasn't this done before our nation's nuclear secrets were compromised. I look forward to hearing today's testimony but I want the folks from DOE to listen carefully. I do not want to hear what has become a seemingly boiler plate answer that ``yes, mistakes were made and we are fixing the problems.'' I have heard that too many times before and without fail another security breech has closely followed such supposedly reassuring statements. I believe it is time for a more frank discussion, I'm owed it, this Committee is owed it and most importantly, the American people are owed it. I thank the chair and yield back the balance of my time. ______ Prepared Statement of Hon. Tom Bliley, Chairman, Committee on Commerce Thank you, Mr. Chairman. Today we continue our long-running effort to get to the bottom of DOE's security problems. The latest incident involving the disappearance, and now mysterious re-appearance, of two highly sensitive hard drives used by Los Alamos's nuclear emergency search team has already been the subject of numerous press reports and Congressional hearings, including one by this Subcommittee several weeks ago when the story first broke. But today's hearing will go beyond this single incident, to expose a security system that has deep flaws--a system that has failed to keep up with the changing security threats we face, and the ability of technology to both hurt and help our security posture. Based on the Committee's oversight work in this area, last Fall I became increasingly concerned about how DOE and its labs were controlling access to their highly sensitive information, such as that found on these missing hard drives. I instructed Committee staff to work with the General Accounting Office to set up a review, and we reached agreement on a scope of work in March of this year. Little did we know, at that time, how timely this work would become. GAO is with us today to lay out its findings from the first portion of its review--a survey of what DOE does, and quite surprisingly does not, actually require of its labs when it comes to controlling classified data, and how these requirements have been weakened over time. While DOE's requirements don't tell the whole story--the labs often do more than is required--they are, nonetheless, an important part of why we're in the trouble we're in today. As DOE's own internal inspectors will tell us today, DOE's minimal, and terribly vague, security orders create a situation in which inconsistency and ineffectiveness can, and often do, reign supreme. Indeed, what both of these recent GAO and DOE independent reviews confirm is something that this Committee has been exposing for years-- that the labs can be in total compliance with DOE security requirements and still have poor security practices. And we don't have to look any further than the latest Los Alamos security breach for an example. Yes, it appears that Los Alamos violated at least some DOE requirements, and swift punishment should follow. But the facts that have most of Congress and the American public up in arms--the lack of any record of who enters these sensitive vaults and removes classified data--do not amount to violations of DOE orders. In fact, as GAO and DOE experts will tell us today, the Department does not now have, and never has had, such specific requirements for even highly sensitive data. The suggestion by some that changes in controls in the early 1990s did away with such common-sense requirements is thus simply not true, and should not be used as an excuse for the pitiful current state of affairs. Los Alamos and the other nuclear weapon labs certainly can be faulted for following such minimal requirements and not using better local judgment in protecting highly sensitive assets. But it also must be noted that, in many cases--particularly at Sandia--the labs imposed greater controls than required by DOE, and fought efforts by DOE Headquarters to weaken them. And when the Cox Commission raised concerns last Spring about Chinese espionage at the labs, the lab directors urged DOE to tighten requirements for control of nuclear weapons data ``as quickly as possible''--a recommendation that either fell on deaf ears or through the bureaucratic cracks, as similar expert recommendations had since 1996. I firmly believe that, at the end of the day, responsibility for setting and enforcing proper security controls on this Nation's most sensitive nuclear secrets must be borne by the Federal government. The current system--which allows DOE to blame its contractors, and its contractors to return the favor--will never truly achieve effective security. The new National Nuclear Security Administration, designed by Congress to streamline the chain of command and enhance accountability for security, so far has done neither. Despite a proliferation of ``generals'' within DOE--as evidenced by our witnesses today--we don't have any greater accountability. Indeed, all of these generals will tell us that they didn't know about, and weren't responsible for, the poor state of security affairs at Los Alamos with respect to these missing hard drives, and similarly sensitive materials scattered throughout these weapon labs. We need to put this nuclear agency's security chief firmly in charge of both security policies and practices at our weapons labs--and hold him personally accountable for future failures. And the days of relying on Federal contractors to establish security practices must end. Finally, let me urge caution against any reactive effort by either DOE or the Congress to try to impose a one-size-fits all approach to information security at DOE, or to return to out-dated notions of information ``accountability.'' As we will see today, the pre-1992 controls, if they had been left in place, would not have prevented this latest incident at Los Alamos, nor would they have made our job of detection and investigation significantly easier. Manual, paperwork- intensive controls do little to catch those intent on avoiding them. So the answer is not to return to the old rules, but to develop new ones that take into account the different risks that increases in technology and the use of electronic media pose to our nuclear security. At the same time, we also must embrace the benefits of today's technology, which allows us to better control and track our most sensitive data in a more effective and less costly manner-- technology being used today by private industries ranging from high- tech powerhouses to our local grocery stores. While these technologies surely are not the theft-proof panacea some might suggest, they do provide a good starting point. I look forward to this debate, and thank you Mr. Chairman for holding today's hearing. ______ Prepared Statement of Hon. Diana DeGette, a Representative in Congress from the State of Colorado Thank you Mr. Chairman. I plan to make my remarks brief so that we may more quickly hear from our witnesses. I would like to thank our witnesses for coming today, I look forward to hearing from you. Unfortunately, I have another hearing that conflicts with this one so I will probably have to step out from time to time. As you know, we had a rather timely hearing on this subject roughly a month ago, just a day after it was revealed that computer hard drives containing sensitive nuclear defense information were missing from Los Alamos National Laboratory. I know that some of our witnesses, along with Secretary Richardson, have been working hard over the past month to ensure we know what happened to the material these disks contained, and to ensure that this kind of inexcusable security lapse does not happen again in the future. I recognize that you may not have much new information, or at least information appropriate for an open hearing, but I do look forward to an update on the progress of the investigation. On June 15, 2000, I joined five of my colleagues in sending a letter to Secretary Richardson. Our letter requested that the Secretary revoke the University of California's contract to manage and operate Los Alamos National Laboratory because repeated security violations represent a breach of contract. We obviously did not make this request lightly. We all recognize the tremendous intellectual value the University brings to our national defense and research programs. The problem is that the University does not seem to be able to effectively manage the contract, which directs them to provide security and comply with Department of Energy security rules and procedures. The University has an outstanding reputation and has great intellectual assets, this does not mean it has the capacity to operate an effective security program. I do not hold the University singularly responsible. The Department of Energy bears some blame. It is the Department's responsibility to oversee the contract and provide that proper security guidance, rules, and enforcement authority exists. It certainly appears that the Department has never mastered these functions. We should all agree that this is not a partisan issue. These problems go back years through both Democratic and Republican Administrations. I understand that the Department is now considering issuing a security contract. Unfortunately, adding yet another contractor into the mix is not likely to solve the problems we are here to discuss today. I am not very confident that a new contractor whose role may be relegated to providing technical assistance on security matters to laboratory management is going to remedy our security problems. I thank you Mr. Chairman for calling this hearing. I yield back the balance of my time. ______ Prepared Statement of Hon. John D. Dingell, a Representative in Congress from the State of Michigan Thank you, Mr. Chairman for holding this hearing, and for the bipartisan staff work that led up to it. Security at DOE weapons laboratories is a longstanding and stubborn problem. For example, last year, after the downloading of nuclear weapons information by a weapons scientist from classified computers at the Los Alamos National Laboratory, the Rudman panel concluded that the Department of Energy ``and the weapons laboratories have a deeply rooted culture of low regard for and, at time, hostility to security issues, which has continually frustrated the efforts of its internal and external critics, notably the GAO [General Accounting Office] and the House Energy and Commerce Committee.'' But even the recommended changes in structure--even if fully implemented could not guarantee security. According to Senator Rudman, ``[T]he most powerful guarantor of security at the nation's weapons laboratories will not be laws, regulations, or management charts. It will be the attitudes and behavior of the men and women who are responsible for the operation of the labs every day.'' Those attitudes ranged, according to the panel, from ``half-hearted, grudging accommodation'' to ``smug disregard.'' Secretary Richardson took many steps to correct deficiencies. Most significantly, the Department hardened its security and greatly expanded the counter-intelligence operation. I wish that I could say the same about the laboratories. Upon the order of Secretary Richardson, the laboratories had a two-day security training stand-down last year, but apparently it was not sufficient to change the culture. In many ways, the loss of the hard drives at Los Alamos reflected that ingrained culture even more than the Wen Ho Lee incident did. It involved not one person, but many who knew that they were violating DOE's security directives when they did not report the missing disks. Someone--deliberately or otherwise--removed the hard drives from their secure location. Many, many other people tried to cover up the loss. But why shouldn't they? No one was disciplined for the weak cyber security last year. Why would anyone be punished now? The University of California will tell us today of its ``integrated security and safeguards management'' system which will instill security awareness in every employee. Perhaps it would have prevented the latest incident. But it is still not operational. Mr. Chairman, the chronic security problems at Los Alamos led me and five other Democrats on this Committee last month to call for the removal of the University of California as the contractor at Los Alamos. Only when contractors understand that there are real consequences to pay for security breaches will they make necessary changes. Mr. Upton. This morning, for our first panel, we have Mr. Jim Wells, Issue Area Director for Energy Resources and Science Issues of the U.S. General Accounting Office. Welcome, and you will be accompanied by Mr. Fenzel. We also have Mr. Glenn Podonsky, a familiar face to members of this subcommittee, Director of the Office of Independent Oversight and Performance Assurance at the Department of Energy. As you gentlemen know, we have had a longstanding tradition of taking testimony under oath. Do you have any objection to that? Mr. Podonsky. No. Mr. Wells. No. Mr. Fenzel. No. Mr. Upton. The committee rules also allow you to have counsel help represent you. Do you wish to have counsel? Mr. Podonsky. No. Mr. Wells. No. Mr. Fenzel. No. Mr. Upton. If you would stand and raise your right hand. [Witnesses sworn.] Mr. Upton. Thank you. You are now under oath. Mr. Wells, we will start with you and I would note we would like you to keep your remarks to about 5 minutes and your entire statement is now part of the record. Mr. Wells. TESTIMONY OF JIM WELLS, ISSUE AREA DIRECTOR, ENERGY, RESOURCES, AND SCIENCES ISSUES, U.S. GENERAL ACCOUNTING OFFICE, ACCOMPANIED BY WILLIAM F. FENZEL; AND GLENN S. PODONSKY, DIRECTOR, OFFICE OF INDEPENDENT OVERSIGHT AND PERFORMANCE ASSURANCE, U.S. DEPARTMENT OF ENERGY Mr. Wells. Thank you, Mr. Chairman, members of the subcommittee. Once again, GAO is here to present information-- -- Mr. Upton. If you would just pull the mike just a little closer so the folks in the back can hear. Terrific. Thank you. Mr. Wells. Once again, GAO is here to present information regarding a lapse in security at the Department of Energy. Accompanying me today is William Farrell Fenzel, our assistant director, who over the years has done a lot of the security work in the Department of Energy. At your request several weeks ago, we received a letter asking for an audit investigation of accountability of classified material controls that were in existence at the Department of Energy. That audit has begun and it is still ongoing. During our work, you asked us today to appear before this committee to discuss the answers to two questions. The first question was, what are the minimum DOE requirements imposed on classified material by the contractors who do the work for the Department of Energy? And the second question was, are document sign-in and sign-out sheets required? We have this information. It is shown in pages 4 and 5 of my written statement, but I will also refer to the charts on my left-hand side. What I would like to do is quickly just highlight those charts that deal with Secret and Top Secret requirements to show you how basic accountability requirements have changed over the last 12 years. I want to turn your attention now to the Secret chart. These are changes in the minimum requirements for controlling secret documents. What you see on the left-hand side are typical accountability document requirements, things like frequency of inventories. These are the types of things that were required under DOE, things like unique identification numbers, putting a number on a document so that you know whether that document is present or not; things like approval for reproduction so before one can make a copy of a classified document, one must go back to the originator of the document, and seek permission and document that an extra copy has been made. As you can see by that chart, most of those requirements were dropped and discontinued in 1992. If I could refer you to the second chart, which talks about some of the changes in the minimum requirements for controlling Top Secret documents, once again on the left-hand side you will see typical accountability-type controls. What I would like to point out for Top Secret documents, in terms of DOE minimum requirements, is that some of these requirements have been reduced not once but twice. Looking at frequency of inventories, as you can see, required every 6 months in 1988. That was changed to annually in 1995, and in 1998 the requirement for inventories was discontinued. Looking at items like a Top Secret control officer and end- of-day verification, we are talking about a requirement that did exist at one time for a custodian, a person that would know who had what document and where, and at the end of each day would verify and certify that the Department of Energy had control over where that particular document was. And last, let me answer that question in terms of whether there are required sign-in and sign-out sheets. Based on our audit team's discussion with agency officials, we have spent hours combing hundreds of pages of DOE orders and current security manuals and cannot find any requirement, minimum requirement, for sign-in and sign-out sheets. The bottom line, Mr. Chairman, clearly what you see represented on those charts document that the requirements have gone down, or as Mr. Bilbray talked about, the threshold has been lowered. This is what we found to date. We still need to look at what is being done in terms of the actual practices; even why these changes are being made and what impacts, if any, exist out there when we finish our audit for this committee. Mr. Chairman, I am going to stop here. I probably have a couple more minutes but I am going to stop here because I think we have much more to do and a lot more answers to come up with. We do, however, share the concern of the committee about document accountability and, like you, we too look forward to hearing the answers of the witnesses that follow this panel. Mr. Chairman, thank you. We will be glad to respond to any questions you may have. [The prepared statement of Jim Wells follows:] Prepared Statement of Jim Wells, Director, Energy, Resources, and Science Issues, Resources, Community, and Economic Development Division, GAO Mr. Chairman and Members of the Subcommittee: We are pleased to be here today to provide information on the Department of Energy's (DOE) requirements for protecting and controlling classified documents. DOE's requirements are designed to protect classified documents from their inception to their destruction. At the Subcommittee's request, we have begun an evaluation, which is still underway, of DOE's classified matter protection and control program. During the past few weeks, we briefed your staff on DOE's requirements for controlling classified documents. At your request, we are testifying today on changes in DOE's requirements since 1988, when complete accountability was required for Secret and Top Secret documents. You also asked us to testify on the extent to which sign-out sheets have been required to provide a record of who removed a classified document from storage and when it was removed. I would like to emphasize that the requirements we address today are DOE's minimum requirements. The contractors who operate DOE's facilities may require additional controls and procedures to protect and control classified documents. We are providing information on the requirements for controlling both Secret and Top Secret documents in protected areas. Protected areas have physical barriers and also have controlled access. Secret and Top Secret documents stored outside of these areas require additional protective measures. In summary, DOE has numerous procedures designed to protect classified documents. The requirements vary depending on the type of document being protected and the nature of the protection provided where the document is stored. We found that many requirements for protecting and controlling Secret and Top Secret documents stored in protected areas were discontinued in the 1990s. For example, the requirement to inventory Secret documents every 3 years was discontinued in 1992 with other controls over Secret documents. In regard to Top Secret documents, many requirements, such as a Top Secret Control Officer, were eliminated in 1998. Background DOE is responsible for administering a security program that protects classified documents from loss or theft. DOE's memoranda, orders, and manuals set forth the requirements for protecting and controlling classified documents at DOE facilities. DOE's strategy for protecting classified documents involves a ``graded protection'' system. Under such a system, the level of protection for a classified document is commensurate with the threat to the document, the vulnerability of the document, the value of the document, and the level of risk to the document that DOE is willing to accept. Not all items are protected to the same degree; furthermore, locations on a DOE site may be protected differently. Protection is provided by various means, such as physically protecting classified documents with guards, buildings, vaults, and locks; limiting access to classified documents to personnel with proper security clearances and a legitimate need to have the information; and the processes and procedures known as classified matter protection and control. DOE's classified matter protection and control program has included a wide variety of requirements. These requirements have included conducting inventories of classified documents and maintaining an accountability record for each classified document. The accountability record can include a description of the document, date, classification level and category. DOE has also required that each classified document be assigned a unique identification number--to allow the identification and tracking of the document--and a copy and series designation--to provide information on how many copies exist. Additionally, DOE has required the use of receipts for internal and external distribution to provide a record of dissemination of a classified document within a facility and outside a facility, respectively. Finally, DOE has required certain procedures for maintaining receipts and destruction records and obtaining approval for the reproduction of a classified document. Other requirements could also be used, such as maintaining a sign-out sheet to provide a record of who removed a classified document from storage and when it was removed. DOE has also required additional controls for Top Secret documents. These have included assigning a Top Secret Control Officer, who has ultimate responsibility for Top Secret documents; conducting a verification to certify that all Top Secret documents have been returned to storage at the end of each work day; and maintaining a Top Secret access record that lists all persons who are authorized access to Top Secret documents. Changes to DOE's Requirements Over the Past 12 Years In general, over the past 12 years, many requirements for Secret and Top Secret classified matter protection and control have been discontinued. Specifically, requirements for maintaining records and receipting and reproducing classified documents were discontinued. According to DOE classified matter protection and control officials, these changes were implemented to promote governmentwide uniformity among contractors and to account for technological changes, such as computers, copiers, and faxes, in the processing and storage of classified information. In our ongoing evaluation, we will be looking at how other agencies protect and control classified documents. The following tables show the requirements, or lack of requirements, for certain classified matter protection and control procedures. Several points in time were selected to demonstrate the changes in requirements from 1988 to 1998. The 1988 requirements are used as a baseline because, in that year, DOE required accountability procedures and receipting and reproduction requirements that applied to all Secret and Top Secret documents. The requirements for Secret documents for 1992 are shown because in that year DOE modified accountability requirements for Secret documents. The 1992 requirements for protecting and controlling Secret documents have not changed. Table 1 shows that many requirements for controlling Secret documents that were required in 1988 were discontinued in 1992. Among those discontinued were DOE's requirement to conduct inventories, maintain an accountability record, assign a unique identification number and copy and series to each Secret document, use receipts for the dissemination of Secret documents within a facility, and obtain approval from the document's originator before reproducing a Secret document. The requirements for retaining receipts and destruction documentation did not change. DOE has not and does not require a sign- out sheet for Secret documents. Table 1: Changes in Minimum Requirements for Controlling Secret Documents ------------------------------------------------------------------------ Control requirement 1988 1992 ------------------------------------------------------------------------ Frequency of inventories........ Every 3 years..... Requirement discontinued Accountability record........... Required.......... Requirement discontinued Unique identification number.... Required.......... Requirement discontinued Copy and series designation..... Required.......... Requirement discontinued Receipts for internal Required.......... Requirement distribution. discontinued Receipts for external Required.......... Required distribution. Retention of receipts........... 2 years........... 2 years Retention of destruction records 2 years........... 2 years Approval for reproduction....... Required.......... Requirement discontinued Sign-out sheets................. Not specified..... Not specified ------------------------------------------------------------------------ Source: Prepared by GAO on the basis of DOE documents. Table 2 shows DOE's requirements for safeguarding Top Secret documents in 1995 and 1998 in addition to the 1988 baseline requirements. The requirements in 1995 are included because DOE revised its classified matter protection and control manual, changing several inventory and accountability requirements. DOE decreased the frequency of inventories from semiannually to annually. DOE had also discontinued the requirements for assigning a copy and series designation to each document and the requirement for verifying that all Top Secret documents had been returned to storage at the end of the work day. DOE's minimum requirements for 1998 are included because DOE again revised its classified matter protection and control manual to eliminate additional accountability requirements for Top Secret documents. In 1998, DOE eliminated requirements for performing annual inventories, maintaining an accountability record, assigning a unique identification number to each document, assigning a Control Officer, maintaining an access record, using receipts for the dissemination of Top Secret documents within a facility, and obtaining approval before reproducing a document. The requirements for using receipts for dissemination of Top Secret documents to recipients outside the facility and retaining receipts and destruction documentation did not change. DOE has not and does not require a sign-out sheet for Top Secret documents. The 1998 requirements for protecting and controlling Top Secret documents have not changed. Table 2: Changes in Minimum Requirements for Controlling Top Secret Documents ---------------------------------------------------------------------------------------------------------------- Control requirements 1988 1995 1998 ---------------------------------------------------------------------------------------------------------------- Frequency of inventories............. Every 6 months......... Annually............... Requirement discontinued Accountability record................ Required............... Required............... Requirement discontinued Unique identification number......... Required............... Required............... Requirement discontinued Copy and series designation.......... Required............... Requirement No change from 1995 discontinued. Top Secret Control Officer........... Required............... Required............... Requirement discontinued End-of-day verification.............. Required............... Requirement No change from 1995 discontinued. Access record........................ Required............... Required............... Requirement discontinued Receipts for internal distribution... Required............... Required............... Requirement discontinued Receipts for external distribution... Required............... Required............... Required Retention of receipts................ 5 years................ 5 years................ 5 years Retention of destruction records..... 5 years................ 5 years................ 5 years Approval for reproduction............ Required............... Required............... Requirement discontinued Sign-out sheets...................... Not specified.......... Not specified.......... Not specified ---------------------------------------------------------------------------------------------------------------- Source: Prepared by GAO on the basis of DOE documents. While we were asked to discuss document protection and control within DOE protected areas, it should be noted that Secret and Top Secret documents stored outside of these areas require additional protective measures. In addition, these requirements have not been discontinued for some specific types of Secret and Top Secret classified documents. These include classified documents related to special access programs, cryptographic information, and NATO classified information. I would like to reiterate that the requirements we address today are DOE's minimum requirements. The contractors who operate DOE's facilities may require additional controls and procedures to protect and control classified documents. In addition, as you know, we have recently begun our work for the Subcommittee related to accountability for classified documents and will be doing further work on these issues. We discussed the information related to classified matter protection and control requirements with DOE's Office of Safeguards and Security and Office of Independent Oversight and Performance Assurance officials, who agreed with its factual accuracy. Mr. Chairman, this concludes our formal statement. We would be happy to respond to any questions that you or Members of the Subcommittee may have. Contact and Acknowledgements For future contacts regarding this testimony, please contact Jim Wells at (202) 512-3841. Individuals making key contributions to this testimony include William F. Fenzel, Kenneth E. Lightner, Jr., and Ilene M. Pollack. Mr. Upton. Thank you. Mr. Podonsky. TESTIMONY OF GLENN S. PODONSKY Mr. Podonsky. Thank you, Mr. Chairman. I appreciate the opportunity to appear before this subcommittee to discuss classified information security controls at DOE's nuclear weapon laboratories. As you all are aware, my office provides the Secretary of Energy with an independent view of the effectiveness of departmental policies, programs and procedures in the areas of safeguards and security, emergency management and cyber security. At the outset of my statement, I believe it is particularly important to inform this committee about some significant aspects of DOE's current administrative requirements for protecting classified information and how those requirements came about. Ten years ago, DOE required a formal accountability system for all Secret and Top Secret information. Each document or item was accounted for from origination to destruction, and each was identified by unique number, page count, and various other specific markings. A chain of custody was maintained throughout the item's life. Additionally, periodic inventories were required to ensure that all documents or items were present and or accounted for. In 1991, DOE began modifying its requirements for classified matter accountability. This action was in response to a governmentwide initiative that originated from a 1990 National Security Council assessment, intended to establish a single security program that could be applied to both industry and government. Consequently, in February 1991, DOE modified its policy to eliminate the requirement to account for Secret-level national security information, which was not directly related to nuclear weapon information. In May 1992, DOE again modified its requirements based on the provisions of part 2001 of Title 32 of the Code of Federal Regulation; this time eliminating formal accountability requirements for Secret RD; that is, nuclear weapons-related information. In January 1998, under the authority of Executive Order 12958 dated April 1995, DOE eliminated security accountability requirements for all Top Secret information stored in secure areas. With these modifications, current DOE policy only requires sites to formally account for certain types of documents, such as sensitive compartmented information, foreign government information, some sensitive nuclear weapons use control information, and special access program information. These reductions of accountability requirements were part of a general trend toward reduction in security that occurred in the early to mid-1990's. During that period, DOE initiatives were aimed at reducing security costs, declassifying information and increasing openness at DOE sites. That general trend included DOE's encouragement for sites to reduce security costs through such actions as downsizing protective forces, downgrading clearances and eliminating or consolidating security areas, all elements of the overall program for protection of classified information. However, as we have seen, security requirements subject to a wide range of interpretations do not enhance the security posture of our entire government. In response to the 1999 allegations of espionage at Los Alamos, Secretary Richardson took some extensive and unprecedented actions. Security within DOE, and particularly at the three national weapons labs, received high-level management attention. Secretary Richardson directed the implementation of an extensive set of cyber security enhancements; strengthened DOE security management organization through functional reorganizations, in addition to personnel and expertise; elevated the oversight function to be a direct report to his office; implemented a polygraph program and issued a zero tolerance policy for security violations. At the same time, the Headquarters Office of Defense Programs published a ``goal post'' document that established expectations for near-term improvements that would enable each site to achieve a satisfactory security program. Under these initiatives, DOE sites took aggressive action and strengthened their security programs and practices in several areas, including cyber security, control of foreign nationals and storage of classified weapon components. However, since these efforts were initiated within the DOE, they did not address the governmentwide policy problems associated with the control of Secret and Top Secret classified information. DOE is unique in that it possesses and is responsible for safeguarding certain types of information that no other agency possesses; specifically, information categorized as restricted data that deals with nuclear weapons design, manufacture and testing, and includes information about disabling or enabling nuclear weapons. Such information merits a higher degree of protection than any types of classified information. Consequently, at the direction of Secretary Richardson, DOE is currently evaluating and/or implementing four departmental- wide recommendations: First, reinstitute requirements for a formal accountability system for Top Secret and Secret weapons data. Second, establish a clear and comprehensive graded approach for information protection and issue appropriate implementing guidance. This approach should include practical guidelines for determining relative importance of information, provide more sensitive information and greater amount of protection. Third, clarify the need-to-know policy in order to better limit access to information. Fourth, continue efforts to expand the human reliability programs to include personnel with access to the most sensitive nuclear secrets. When the Secretary was informed in June of this year of the security incident at Los Alamos involving missing classified hard drives, he demanded to get to the bottom of the situation and once again he took a number of aggressive steps to increase the control and protection of particularly sensitive weapons- related data. The Secretary directed immediate implementation of several recommendations. Other recommended changes, including the four I specifically mentioned, should be incorporated--and these should be incorporated into DOE orders as soon as possible. Additionally, he directed my office to make an immediate assessment on an expedited basis of the adequacy of security procedures and administrative controls for such information at Los Alamos, Livermore, and Sandia National Laboratories. We completed reviews of Livermore and Sandia and we will conduct a similar review at Los Alamos after the FBI has completed its criminal investigation surrounding the classified hard drives. This concludes my comments. Thank you, Mr. Chairman. [The prepared statement of Glenn S. Podonsky follows:] Prepared Statement of Glenn S. Podonsky, Director, Office of Independent Oversight and Performance Assurance, U.S. Department of Energy Thank you Mr. Chairman. I appreciate the opportunity to appear before this subcommittee to discuss classified information security controls at DOE's nuclear weapons laboratories. As you are aware, my office provides the Secretary of Energy with an independent view of the effectiveness of departmental policies, programs, and procedures in the areas of safeguards and security, emergency management, and cyber security. At the outset of my statement, I believe it is particularly important to inform you about some significant aspects of DOE's current administrative requirements for protecting classified information and how those requirements came about. Historical Summary Ten years ago, DOE required a formal accountability system for all Secret and Top Secret information. Each document or item was accounted for from origination to destruction, and each was identified by a unique number, page count, and various other specific markings. A chain of custody was maintained throughout the item's life. Additionally, periodic inventories were required to ensure that all documents or items were present or accounted for. In early 1991 DOE began modifying its requirements for classified matter accountability. This action was in response to a government-wide initiative that had as its foundation a 1990 National Security Council assessment intended to establish a single efficient national industrial security program that could be applied to both industry and government. Consequently, in February 1991 DOE modified its policy to eliminate the requirement to account for Secret level information that was categorized as National Security Information--that is, information that could impact national security but was not directly related to nuclear weapons design or nuclear material production. In May 1992, DOE again modified its requirements based on the provisions of Part 2001 of Title 32 of the Code of Federal Regulations, this time eliminating formal accountability requirements for Secret Restricted Data--that is, nuclear weapons-related information. In January 1998, under the authority of Executive Order 12958 of April 1995, DOE eliminated accountability requirements for all Top Secret information. With these modifications, current DOE policy only requires sites to individually account for certain types of documents, such as sensitive compartmented information, foreign government information, some sensitive (nuclear weapons) use control information, and some special access program information. These reductions of accountability requirements were part of a general trend toward reduction in security that occurred in the early to mid 1990s, partly as the result of the end of the cold war. During that period DOE initiatives were aimed at reducing security costs, declassifying information, and increasing ``openness'' at DOE sites to promote interactions with local communities and with industry. That general trend included DOE's encouragement for sites to reduce security costs through such actions as downsizing protective forces, downgrading clearances, and eliminating or consolidating security areas, all elements of the overall program for protecting classified information. In response to the 1999 allegations of espionage at Los Alamos, Secretary Richardson took some extensive and unprecedented actions. Security within DOE, and particularly at the three national weapons laboratories, received high-level management attention. Secretary Richardson directed the implementation of an extensive set of cyber security enhancements, strengthened DOE's security management organization through functional reorganization and addition of personnel and expertise, elevated the oversight function to a direct report to his office, implemented a polygraph program, and issued a zero tolerance policy for security violations. At the same time, the Headquarters Office of Defense Programs published a ``goal post'' document that established expectations for near-term improvements that would enable each site to achieve a satisfactory security program. Under these initiatives, DOE sites took aggressive action and strengthened their security programs and practices in several areas, including cyber security, control of foreign national visitors, and storage of classified weapons components. However, since these efforts were initiated within DOE, they did not address the government-wide policy deficiencies associated with the control of Secret and Top Secret classified information. Minimal security requirements that are subject to a wide range of interpretations for the purpose of implementation do not, as we have seen, enhance the security posture of our government. Recommendations DOE is unique in that it possesses and is responsible for safeguarding certain types of information that no other agencies possess--specifically, information categorized as Restricted Data that deals with nuclear weapons design, manufacture, and testing, and includes information about disabling or enabling nuclear weapons. Such information merits a higher degree of protection than other types of classified information (categorized as National Security Information). Consequently, at the direction of Secretary Richardson, DOE is currently evaluating and/or implementing four Department-wide recommendations:First, re-institute requirements for a formal accountability system for certain types of information (i.e., Top Secret and Secret Weapons-Related Data). Second, establish a clear and comprehensive graded approach for information protection and issue appropriate implementing guidance. This approach should include practical guidelines for determining relative importance of information; provide more sensitive information greater protection, and apply recent enhanced requirements for vaults to other storage containers. Third, clarify the need-to-know policy. In order to better limit access to information, DOE needs to determine prudent measures for identifying specific need-to-know for access to information and establish expectations for partitioning information stored in large repositories. Fourth, continue efforts to expand the human reliability programs. DOE's human reliability program, which includes drug testing and regular medical evaluations and ensuring that personnel who handle nuclear weapons and special nuclear material are reliable and fit for duty, should be expanded to include personnel with access to the most sensitive nuclear secrets. When the Secretary was informed in June 2000 of the security incident at Los Alamos involving missing classified hard drives, he demanded to get to the bottom of the situation and, once again, he took a number of aggressive steps to increase the control and protection of particularly sensitive weapons-related data. The Secretary directed immediate implementation of several recommendations. Other recommended changes, including the four I specifically mentioned, should be incorporated into DOE orders as soon as possible to ensure that they are institutionalized and become part of a permanent policy base. Additionally, he directed my office to make an immediate assessment, on an expedited basis, of the adequacy of security procedures and administrative controls for such information at Los Alamos, Lawrence Livermore, and Sandia National Laboratories. We completed reviews of Lawrence Livermore and Sandia, and we will conduct a similar review at Los Alamos after the FBI has completed its criminal investigation surrounding the classified hard drives. That concludes my comments. Thank you, Mr. Chairman. Mr. Upton. Thank you both. Mr. Wells, as I read your testimony back in Michigan, I came back last night after being back for the July 4 break, I was, I have to say, a little astounded at looking at the charts that you shared here and were part of your testimony, and I know that we are going to be asking Mr. Glauthier questions about some of this. But did you get any response back from DOE in terms of how they could change some of these requirements in the past years? I mean, I look at myself back home and actually I do a fair amount of the grocery shopping. There is one store there called Myers, and they now have checkout lines where there is no cashier. You verify it yourself. It is scanned yourself. They have an absolute record in terms of the inventory of the store, and for those that hadn't done it before, I think there is one person for every four or five lanes going out. When I look at no sign-out sheets, unique identification numbers requirement discontinued, I mean just a whole series of things, it is rather amazing when I see these changes that in my view have weakened our security, particularly with security lapses. I know a number of members went out to look at the labs. At least from my perspective, I was very impressed with the physical security, the swat teams that are out, ready to defend against the mission impossible days that we saw on TV a number of years ago. But it was the cyber security, the Wen Ho Lee case, other things, that trouble us the most. By discontinuing a number of things that were once in place, it seems that we have provided perhaps an open invitation to losing documents as we saw with the two hard drives. What is your comment with regard to that? What reaction do you have? Mr. Wells. Regarding my reaction, when the committee inquired about GAO coming forth in a week or 2 to testify on what they had found so far, my audit team presented the results that you see on that chart, I did not believe them. I was somewhat concerned that I wanted the audit team to go back and verify and double-check. I found, like yourself, that I was astounded. Given the problems that we are now seeing across the complex, it is unclear to us what objective was trying to be achieved when these requirements were reduced. We have not been able to document why some of these changes have occurred yet. Quite frankly, we asked for documentation for 1992, for instance, in the security Secret area, why all of those accountability-type requirements were dropped, and the Department supplied us with a single one-page memorandum that basically acknowledged that accountability requirements are being modified. Nowhere on this single sheet of paper is there any discussion of why these requirements were being dropped. So as of this moment, we still don't have a good handle on the why part. Mr. Upton. You know, one of the concerns that I saw with your testimony, and with particularly these two missing hard drives, I mean as we learned what was on those hard drives, I can't imagine a more important document that was missing. For the life of me, I don't understand why it was classified as Secret versus Top Secret. I will get to that a little bit later. And Top Secret obviously ought to have a higher classification in terms of its tracking and its whereabouts. Do you have any idea why the Top Secret control officer, which you mentioned in your testimony, was dropped? Mr. Wells. No, sir, I don't have a good answer for you yet. Mr. Upton. Mr. Podonsky, do you have a reaction to those first two questions, these charts and the Top Security control officer? Mr. Podonsky. Well, we can confirm that what the GAO is reporting is an accurate portrayal in terms of the requirements. But I think part of what we have found over the years, and we have a long history in 1991, 1992, 1993, 1994, regarding concerns about the policy, is that this was a clear national initiative back in 1990; and there is a long stream of documentation that outlines how this came about, starting with President Bush's request of the National Security Council to prepare a review of how to consolidate into a single security program an industrial requirement that the government could align itself to. It finally resulted in a National Industrial Security Program Manual that came out in 1995 that lays out this. Why the Department elected over the years to continue to change its requirements, that's not clear. I would have to yield to the policy arm of the Department. Mr. Upton. I know we are going to have a couple of rounds so I am going to try to stick to the 5 minutes. Mr. Stupak. Mr. Stupak. Thank you, Mr. Chairman. Mr. Wells, I am looking at page 3 of your testimony. You are talking about DOE's requirements over the past 12 years. It starts off, and in the first paragraph, middle of the paragraph, it reads, According to DOE classified matter protection and control officials, these changes were implemented to promote governmentwide uniformity among contractors and to account for technological changes such as computers, copiers, and faxes in the processing and storage of classified information. In our ongoing evaluation, we will be looking at how other agencies protect and control classified documents.'' So these changes that have occurred over the last 12 years was to make everybody--contractors, the government, DOE, the labs--all get on the same page? Am I reading that right? Mr. Wells. That's correct. We are talking about CIA, Department of Defense. Mr. Stupak. National security? Mr. Wells. National security agencies. Mr. Stupak. So that started back in about 1988? Mr. Wells. It was begun then; yes, sir. Mr. Stupak. When you go to make everybody on the same page, isn't that when, really, breaches of security start to break down; or start to occur, I should say? Mr. Wells. Clearly, from what we understand, much of the discussion that occurred in terms of whether that would work or not was centered on unique requirements that may exist in individual agencies under different circumstances. There were many people that did not agree with that initiative for uniformity. That's what we understand. Mr. Stupak. Well, do you agree with this need for uniformity amongst contractors and government and private industry and DOE and NSA? Should they all be on the same page, or should there be different degrees of security as you move forward within government or within industry, depending on the weapon or the research you are doing? Mr. Wells. I agree that GAO as an audit team will go in and continue to look at the reasons why the requirements may or may not need to be different throughout the agencies, but clearly we shouldn't lose sight of the objective of all security protection is to prevent the loss and prevent the compromising of material. And what we are currently seeing, the existing uniformity of regulations are not achieving that objective. So we may have a situation where we need to look at some unique requirements, particularly as regards to our nuclear weapons. Mr. Stupak. Okay. But in answer to my question, do you agree that they all should be on the same page or should it be different? Mr. Wells. I am unable to agree or disagree until we have had a further chance to further investigate. Mr. Stupak. I thought GAO's job was to evaluate this situation and to give us some recommendation to give this committee and others, oversight, as to how we should approach these things? Mr. Wells. Absolutely. We have an ongoing audit and investigation. We have been in it about 3 weeks. That work is continuing and we hope to have that work finished for the full committee and this subcommittee shortly. Mr. Stupak. But over the last 3 weeks, obviously you have done more--other audits; because going back to 1976, I think Mr. Dingell started the first letters, and periodically every 2 years he was on GAO to do an investigation, to do an audit because things weren't working right with the secrecy of our top secrets in this country. Mr. Wells. Clearly, GAO has a history of 20 years of oversight in classified security matters and each and every time we have gone in and looked, there have been problems. Each and every time we have heard corrective action being promised by the Department of Energy. When we have looked at some of these, we have found that the implementation has not been as successful and problems seem to be recurring. Mr. Stupak. When you would look at it and you would see problems recurring over the last 20 years, you would make your recommendations and go back and see it was never done? Mr. Wells. We have made 50 recommendations in the last 20 years. I had my team count up the number of recommendations that have been reported. Mr. Stupak. You have had 50. How many of them were carried out? Mr. Fenzel. I can answer that. In almost all cases with our recommendation, what DOE does is agree with the recommendations, take corrective action; but then what happens is things start to change and the implementation of the recommendation falls through and the problem resurfaces. Case in point with the classified documents: We issued a report in 1991 that pointed out missing classified documents. At Lawrence Livermore over 10,000 documents were missing. At other facilities at DOE, hundreds of documents were missing. DOE agreed, said they had a problem with controlling classified documents and were going to institute tighter controls. A year after that is when they began reducing the requirements for Secret. So the history is they take corrective action, but then in the implementation that corrective action usually falls down in many cases. Mr. Stupak. So we hear your recommendations; we agree with those recommendations; we begin to implement it, but the wheels come off the cart halfway through? Mr. Fenzel. A year, 2 years down the road, a lot of security issues are cyclical in this fashion. Mr. Stupak. How long--if anyone knows, how long has the longest Secretary of Energy ever been in the position? It seems to be like a resolving door there with Secretaries of Energy. Mr. Fenzel. A lot of them. The tenure of the Secretary of Energy--we did some work on that about 2 years ago. I can't comment on the present Secretary's tenure, but on average it is usually less than 2 years. Mr. Stupak. Less than 2 years? Mr. Fenzel. Right. Mr. Stupak. So there really is no accountability or responsibility going on when we have a revolving door at the top, is there? Mr. Fenzel. I think that hinders any type of security. Mr. Stupak. Thanks. Mr. Upton. Mr. Burr. Mr. Burr. Mr. Fenzel, after doing your assessment for the GAO, can you sum up in a couple of sentences not what you found, but what you felt like after you finished? Mr. Fenzel. You mean this present assessment? Mr. Burr. Yes, sir. Mr. Fenzel. Our work is still ongoing. And I can verify that when our boss, Mr. Wells, did get these tables, he didn't believe us at first. So in a way, we had to convince him that this was the situation. As for my reaction, I was more concerned on the Top Secret situation and the decreases in requirements there. I would like to put a caveat on that. These are the minimum requirements of DOE. The laboratories can do a lot more, and I think what you will probably hear is that there are other things they are doing beyond the minimum controls. My problem is that these are the minimum controls and while there are more controls out there right now, they are not necessarily going to be followed 1 year from now, 2 years from now, 5 years from now, and that eventually if these minimum controls are kept in place, somebody, somewhere, is going to follow these minimum controls and that's---- Mr. Burr. Let me read you something from Mr. Podonsky's review. It is found on page 17. It says--it is talking about various DOE elements and individuals that advocated reestablishment of formal accountability systems for Top Secret documents and Secret weapons data. Most noticeably, March 1999, the director of the three nuclear weapons laboratories sent a joint recommendation to the DOE Under Secretary and the DOE Director of the Office of Counterintelligence in which they advocated that DOE reinstate accountability for documents that contained Secret restricted data and Top Secret restricted data. Would it surprise you that the lab directors were on record in March 1999 saying we want to reinstitute this? Mr. Fenzel. Well, that doesn't surprise me. Mr. Burr. It doesn't surprise you, does it? Mr. Fenzel. No. Mr. Burr. Let me ask you, Mr. Podonsky--let me just read the conclusion of that paragraph: They indicated that without formal accountability, counterintelligence reviews are much more difficult because it is not feasible to determine specifically who had had access to certain design information. They also cite the Cox Commission report as a basis for reinstating formal accountability. I mean, is that an accurate depiction in your report of the lab directors and their requests? Mr. Podonsky. As far as we know, everything that we put in our report is valid. Mr. Burr. Is it not difficult to turn around and blame the lab managers if they have been out there formally requesting reinstituting some of the accountability methods? I am not saying that you are accusing them, but there certainly are some. Mr. Podonsky. Congressman Burr, as you have heard me state, we have been in this Department--I have been in the Department for 16 years, and we have been writing on a lot of these issues for as many years as I have been here. So clearly there is a frustration that there is a tendency in the Federal Government that there is always fingerpointing as to who is responsible. And clearly in our collective opinion, from an oversight, laboratories have the responsibility and so does DOE. There is a shared responsibility here. As our colleagues from GAO have pointed out, is the requirements don't say that you can't go above what those--what the standard is. You can raise the bar. In some cases the labs have done that. Mr. Burr. They in fact have, and I think you point out very clearly in your report, and let me just read on page 6: The current national requirements for controlling classified matter are not as stringent and clear as needed in light of DOE's particularly sensitive nuclear weapons-related information. Improvements in policy are needed to further enhance security at DOE sites. And then on page 10: In many cases in the past, independent oversight had determined that sites were complying with the established requirements but that the security interests were not provided sufficient protection because the applicable DOE policies are not sufficiently clear or comprehensive. I guess I would ask of you, given that they had exceeded where they thought they understood it in the other areas, how much of a problem was the fact that the guidelines were unclear or that improvements in the policy were needed? Mr. Podonsky. We believe that clearly there can be more granularity to the DOE requirements so people understand, without exception, what the requirements are meant to be. However, we also believe that there is--while you can have good policies, it is also the implementation of those policies. So there are two sides to this: How are the policies being implemented? And are the policies really clear? Mr. Burr. I am going to respect the chairman's time. Mr. Upton. You better. Mr. Burr. It is not too difficult to understand if a lab director says we didn't know something was our responsibility. There are some things that are unclear relative to the guidelines where one might understand how they came to that conclusion; is that accurate? Mr. Podonsky. I think in some areas you can say that, but mostly I would harken back to there needs to be a core value of security applied, just like safety. It is everybody's responsibility, and the fact that people have a clearance, they have accepted a certain responsibility, and that means accountability as well. Mr. Burr. I think the lab directors will agree with you, as would these members. I yield back, Mr. Chairman. Mr. Upton. Dr. Ganske. Mr. Ganske. I would like to go to this chart for a few minutes. Some things I think are self-explanatory. Frequency of inventories in 1988, every 6 months; in 1995, annually; and then 1998, requirement discontinued. Accountability record required in 1988 and 1995, and then discontinued. Unique identification number, I think probably everyone understands. What does the Top Secret control officer do or did? Mr. Wells. A Top Secret control officer was basically performing custodial duties and was ultimately charged with the responsibility for Top Secret documents. He was the accountable guy. He was the one that said, I know where this document is; I know where it is stored; I know who had it, and I know when it was put back. That was the basic thrust of that position responsibility. Mr. Ganske. And that---- Mr. Wells. Top Secret. Mr. Ganske. [continuing] control officer was able to do that because he or she had end-of-the-day verification? Mr. Wells. He had a responsibility to certify at the end of each day. Mr. Ganske. Had an access record? Mr. Wells. Who was entitled to look at a document or check a document out. Mr. Ganske. And there were receipts for internal distribution? Mr. Wells. That's correct. Mr. Ganske. But those things were discontinued in 1998? Mr. Wells. 1992---- Mr. Ganske. Some were discontinued in 1995? Mr. Wells. Yes, Top Secret, some in 1995. Mr. Ganske. And some in 1998? Mr. Wells. Yes, some in 1998. Mr. Ganske. Then we have here, approval for reproduction, copying documents, in 1988, required; 1995, required; in 1998, requirement discontinued. Mr. Wells. Discontinued, that's correct. Mr. Ganske. Where was this copy machine that the disk drives were found behind? Where was that located? Mr. Wells. We don't know that. We are basically waiting for the investigative team to get through. We understand it might-- well, do you know? Mr. Podonsky. No, we have not been into the area of X division since the investigation started. Mr. Ganske. Doesn't it strike you gentlemen as sort of unusual that we have a copy machine there, we don't have any method to determine who is checking out this stuff or copying it, taking copies wherever? Not very good security, is it? Mr. Wells. It does not appear to be. Even if you were an originator of the document, the intent was to ensure that your document--you became aware of how many of those documents were out there and who had them. Even that's been lost. Mr. Ganske. All right. Well, we had a bunch of changes here in 1995, and then in 1998. The Secretary of Energy back in 1995 was Hazel O'Leary. Did she give--did she sign off on these changes? Do you know whether she did or did not? Mr. Wells. The 1995 date was to correspond with the revision of DOE's security manual. So whichever office secretary signed the security manual in 1995, which again was updated and there were additional changes in 1998, it was put out under a DOE cover and was signed by some top official in the Department of Energy. I don't have those documents with me. Mr. Ganske. So I mean, it could have been an Under Secretary? Mr. Wells. Yes, that's correct. Mr. Fenzel. It could have. Mr. Ganske. Should not something of this importance also be reviewed by the Secretary? Would any of you care to answer that? Mr. Podonsky. From my experience in the Department, up until this Secretary, and with the exception of Admiral Watkins in the 1990 period, we did not have a Secretary that really focused on security in the Department. Mr. Ganske. Okay. Well, 1998, I believe the Secretary was Mr. Pena. Is that correct? Mr. Wells. Yes. Mr. Ganske. Okay. So we had a whole bunch of requirements discontinued in 1998. Am I to assume that Mr. Pena did not sign off on these, or do you know? Mr. Podonsky. I don't know. Mr. Wells. I do not know. Mr. Ganske. Would it be your recommendation that when we are dealing with changes in security requirements that the Secretary take a personal interest and review these before this becomes Department policy? Mr. Wells. Absolutely. I think if anything, from a lessons learned standpoint of the many years we have looked at these problems, it continues to concern us--and I used the word ``mindset'' that was mentioned earlier--about the lack of attention and perhaps lack of a priority that's been placed on some of these security matters. Mr. Ganske. One last question, Mr. Chairman. Now, you mentioned an Executive Order, I believe, in your testimony, that was for changes. When was that Executive Order issued? Was it 1995, 1998? Mr. Podonsky. There is an April 1995 Executive Order entitled Classified National Security Information, and that was April 17, 1995, that was issued. Mr. Ganske. Okay. Now that's signed by the President, right? Mr. Podonsky. Correct. Mr. Ganske. The President should receive, you know, a recommendation, I would think, from the Secretary of the Department of Energy before he would sign an Executive Order like this. Would that be your impression? Mr. Podonsky. I would imagine that would be the case. Mr. Ganske. Do we know whether that happened or not? Mr. Podonsky. We have not seen any paper trail to that effect. Mr. Ganske. Are you looking for that, for this committee to try to find out how to improve this situation in the future? Mr. Podonsky. We issued an interim report, as you probably are aware, and when we continue on with the Los Alamos piece we will complete the whole package and one of the things that we have is we are trying to put together the entire trail from 1990, from the original President Bush direction on the National Security Council to present, as to how this whole thing evolved. Mr. Ganske. Is it your current recommendation that these discontinued requirements be reinstituted? Mr. Podonsky. That's our recommendation to the Secretary. Mr. Ganske. Has that--what has happened since your recommendation? Mr. Podonsky. The Secretary's response to our report was to immediately turn to the policy folks and tell them that they need to take a look at implementing this right away. Mr. Ganske. Just to take a look, not to do it? Mr. Podonsky. They need to take a look at what the implications are going to be, so consequently they are--and I think the second panel can probably testify to more current what they are doing with those recommendations. Mr. Ganske. Since we have lost the disk drives there has not been a reinstitution of these requirements to date? Mr. Podonsky. No, there was guidance put out and requirements put out by the Secretary on June 19 and further followed up by General Habiger on June 23. So they did start tightening up right now. Mr. Ganske. Thank you, Mr. Chairman. Mr. Upton. Mr. Bryant. Mr. Bryant. Thank you, Mr. Chairman. You may have already stated this but I would ask unanimous consent to put my statement in the record. Mr. Upton. It has been done. Mr. Bryant. Thank you. I thank the panel for being here and the second panel. I apologize for not being here on time and probably leaving early also because we do have conflicting committees, and we have to go back and forth between these. Mr. Podonsky, you may have--I know we have been talking about this already around this subject, but you note in your report the absence of specific requirements, the Department of Energy sites often decide to implement only the minimum requirements because of cost concerns. Can you elaborate on this point and indicate whether you are aware of instances in which DOE or the sites have refused to fund proposed control requirements beyond this minimum standard? Mr. Podonsky. I realize in our report we talk about minimum standards, and perhaps it is the complexity of the English language but what we have found is that the--while the standards that are out there are needing of clarity that if implemented properly we think that they are good standards, they need to be raised to be--account for what they call the graded approach so that different types of information can be afforded the protection commensurate with that sensitivity of the information that we are talking about. But we have seen over the years that if left to open interpretation of what the requirements are, then we are basically, as an agency, leaving potential vulnerabilities as to whether enough is enough or when you have too much security applied. So our recommendation to the Secretary and to General Habiger is that we recommend that they revisit and reinstitute an accountability system similar to what we had back in the early--the early 1990's and late 1980's. That's not to say that we don't want the Department to take into accountability the technology that can be used today, but clearly accountability of some of our most sensitive information needs to be reinstated. Mr. Bryant. I think I agree with you. I notice that you mentioned specifically problems with lack of specificity and clarity in DOE orders, and then combined with the system I would say minimum requirements and couple that with the cost reimbursement nature of DOE's contracts with labs, this all seems to work together in effect to create a race to the bottom, so to speak, on the security issues. Again, Mr. Podonsky, could you address this need-to-know issue and what more needs to be done by the Department of Energy and the labs in this area? Mr. Podonsky. Need to know is an old standing requirement of a lot of government agencies dealing with sensitive information, and our position with the Department is that the need to know needs to have some additional clarity to it for individuals that have the responsibility. Say for a program manager in a vault, if that custodian or program manager needs to be able to determine who has access to that vault, need to know needs to be established, but rather than just limit it to the individual accountability and saying, okay, you are the manager, you determine what need to know is, we think there needs to be a little higher degree of granularity as to what the Department expects. For example, and this is just an example, if somebody has daily access to information, they probably have a need to know, but if they only have occasional need for that information perhaps they don't have a regular need to know. So that needs to be discussed further with the policy group in the Department of Energy, but we feel that need to know over the past couple of years has been left to pretty much the interpretation of the individuals that are executing that. And while they have the ultimate responsibility to execute that, we also think there needs to be clear guidance from the Department. Mr. Bryant. Do you--and my last question to you, are you satisfied with the Department's response to your recent recommendations on tightening controls on classified matter? Mr. Podonsky. We believe that the initial steps that the Secretary and General Habiger are taking are, in fact, in the right direction and we are going to be closely monitoring that. We would like to see a continued evolution of that. Mr. Bryant. Thank you. Mr. Upton. Thank you. Mrs. Wilson, though not a member of the subcommittee but a member of the full committee, you have been allowed to participate in other subcommittee hearings, I need to ask unanimous consent. Do you desire that? Mrs. Wilson. Yes, Mr. Chairman. Mr. Upton. I would make a request, a unanimous consent request, that you may ask questions as part of this hearing today. Any objection? Mr. Stupak. No objection. Mr. Upton. Thank you. Mrs. Wilson, you are recognized for 5 minutes. Mrs. Wilson. Thank you, Mr. Chairman. I am interested in this question of policy and compliance with policy, and I note from the records from up here that General Habiger testified last month before the House Armed Services Committee that the national labs were in full compliance with DOE security policies. I believe that was before the most recent incident at Los Alamos. And then we have a significant change in security policies on June 19. And subsequently some very specific changes to what the minimum requirements are on everything from data bases to vault security to whether things are classified properly and how to--how to encrypt data and so on and so forth. Mr. Podonsky, is it your view as well that Los Alamos and Sandia and Lawrence Livermore were in compliance with the security policies at the time General Habiger testified to that? Mr. Podonsky. As exemplified by our most recent review that the Secretary directed at Livermore and Sandia and Los Alamos, the answer is, yes, we found that they were in compliance with the DOE, what we call the minimum requirements that the DOE has. Los Alamos we still need to go back up to, but we haven't finished that because of the FBI investigation. However, before you came in I also made a statement that you can be in compliance but it is also more--equally as important is how those requirements are being implemented. It's the practice that's also important. We can tighten up all of these requirements, and I hope that we do. I believe we will. But that still doesn't take into accountability the individual error that either is deliberate or by sloppy practice. It is the human factor. These people that are cleared to have access to this information, have a need to work with information, and as long as they have that need to work with that information there is always going to be the reliance on the individual. That is something that you can never have an absolute. Your question is, are they in compliance? Yes, as far as we can tell, they are in compliance. Mrs. Wilson. But it was the Department of Energy's view that the standards needed revision following that incident. I guess what I am getting at is, they were in compliance with the standards before this happened. There has been a significant revision of standards by the Department of Energy after it happened. So really this is a question of what our security policy is in the Department of Energy, isn't it? Mr. Podonsky. And I would defer that to the second panel for General Habiger, but over the years, as I also made a statement earlier, we have been encouraging the Department to, instead of going down the path from 1990 to where we are today of decreasing requirements but go back to the path that Secretary Richardson and General Habiger are now taking the Department in increasing the requirements. Mrs. Wilson. Since when? Mr. Podonsky. Since 1991. Mrs. Wilson. But we have seen the decline through 1998. I mean, since when have you been encouraging things to go back in the other direction? Mr. Podonsky. We have correspondence to the policy group of this Department from 1991, 1992, 1993, 1994, and again up until this past year a lot of what we were reporting on was not necessarily heeded. Mrs. Wilson. In other words, you were ignored when you said we needed to have higher standards? Mr. Podonsky. I did not want to say that, but yes. Mrs. Wilson. Thank you, Mr. Chairman. Mr. Upton. Thank you. We will start a second round. Mr. Podonsky, I know that you have not been allowed to go back to Los Alamos while the FBI is conducting the investigation. Have you visited the other two labs? Mr. Podonsky. Yes, we have. Mr. Upton. What is your reaction as to trying to make sure that something like what happened at Los Alamos doesn't happen at one of the other two labs? Have they tightened up their security? Have they made some changes that would prevent something like the missing disks, the hard drives from happening again? Mr. Podonsky. Yes, sir. We believe that the other two laboratories that we reviewed in a very short period of time have tightened up their security, and we don't believe-- especially with the further initiative that the Secretary directed on June 1, we don't believe that that is likely to happen. But, again, nothing is an absolute. Mr. Upton. Now, one of the chart lines, and I touched on this a little bit earlier, the Top Secret control officer is not a requirement. Do any of the three labs actually have a Top Secret control officer? Mr. Podonsky. At Sandia they are controlling TS and they have been controlling TS, Top Secret, and to a lesser extent at Livermore. Whether or not they have a Top Secret control officer, I don't know. I would have to find out. Mr. Upton. Okay. I want to read just a couple of comments from the redacted version of the GAO report and get your--from the Podonsky report, and get the reaction by both of you. DOE policies make no real distinction between documents and electronic media with respect to storage and control. Most of the requirements in DOE orders were written before the advances in cyber technology and were primarily developed with paper documents in mind. There has been little revision of the orders or manual that reflect technology advances, and it goes on and says in some instances large vaults containing many types of information that had no additional partitioning such that anyone with access to the vault would have access to any of the information therein with no explicit provisions for need to know, and a couple of pages later it says although there are some differences the minimum protection requirements for Top Secret are not significantly more stringent than those for Secret or Confidential. Isn't that the bottom line problem that we had at Los Alamos? Mr. Podonsky? Mr. Podonsky. Yes, sir, it is. Mr. Upton. Do you believe that there--and Mr. Wells, do you have a comment in that regard, too? Mr. Wells. Clearly, you cannot think of fax machines, you cannot think of e-mails and then turn around and look at DOE's security manual, which clearly strikes you as being old fashioned and out of date. Mr. Upton. Have any of you seen any evidence that DOE's orders even acknowledge the dramatic changes that were under way with this information change in technology during that last number of years? Mr. Wells. No, we have not. Mr. Upton. Mr. Podonsky? Mr. Podonsky. We have seen anecdotal evidence that there are changes taken about as we inspect the cyber security. Mr. Upton. What did your teams observe with respect to how the other two labs were handling NEST material and other similar assets and what do you attribute those differences to? Mr. Podonsky. We did not go into great detail into the investigation into NEST because of the FBI desire to expand the scope of their investigation to include all NEST activities, but what we did look at, we did find that there was good procedures--that they were following the DOE procedures that were established. Mr. Upton. At some point--I mean, I don't know at what point the FBI will allow you back in, but are you planning to-- -- Mr. Podonsky. Yes, sir, we are not only planning to go back to Los Alamos, we are also going to do a specific inspection of the entire NEST operation of all the locations that the DOE has. Mr. Upton. Do you expect that to happen in the next couple of weeks before the summer is out? What is your timetable? Mr. Podonsky. We expect to go back to Los Alamos at the time that we can go back in when the investigation is complete. In terms of the NEST inspection, we plan to do that before the fall. Mr. Upton. Had the hard drives been designated as Top Secret versus Secret, do you think they would have been missing? Mr. Podonsky. I don't have the information on what the particulars are in the investigation and whether they would have been missing or not. Mr. Upton. Mr. Wells? Mr. Wells. While I could not speculate, clearly looking at the two charts many of those document control requirements, whether it be Secret or Top Secret, are not a requirement. So one could speculate that they perhaps might still be missing. Mr. Upton. Thank you. Mr. Stupak. Mr. Stupak. Thank you, Mr. Chairman. When I asked questions earlier, we sort of established that these minimum controls were not only in DOE but NSA, CIA, private contractors, correct? Mr. Wells. We were told that the changes that were initiated in 1992, 1995 and 1998 were in response to trying to get uniformity across the government, yes. Mr. Stupak. Sure. So the breaches we have had here in security in Top Secret could have happened in any one of these agencies, departments, even from private government--I mean private contractors, correct? Mr. Wells. We understand that the chart was prepared for only looking at and assessing the DOE orders. We, the GAO audit team, had not looked at the other DOD-type orders or requirements to confirm that they are similar. Mr. Stupak. Okay. Mr. Podonsky, it could have happened somewhere else other than DOE? Mr. Podonsky. We believe that to be the case, irrespective of what the chart shows. Mr. Stupak. In fact, the Walker spy case did not involve DOE but that was one where they made copies of classified documents on copy machines and gave them away because we had these so-called minimum standards, correct? Mr. Podonsky. I believe that to be the case. Mr. Stupak. You are nodding your head yes, but you have to give something verbal so we can record it. Mr. Podonsky. Sure. Mr. Stupak. I know when I shake my head, it rattles once in awhile. Mr. Podonsky. Mine doesn't rattle, sir. Mr. Stupak. But the minimum controls, that would also apply to University of California and the labs, correct? Mr. Podonsky. Correct. Mr. Stupak. Even though the director of DOE may be--a Secretary may only be there less than 2 years, these contracts are 5 years so even if there is a change in Secretary, the contract still must be fulfilled by the labs to these minimum standards, correct? Mr. Podonsky. Correct. Mr. Stupak. Regardless of what the minimum controls are, I would hope that the labs don't feel that even though we have these minimum controls that does not give them a right to lose documents or to lose hard drives, things like that; correct? Mr. Podonsky. Correct. Mr. Stupak. And I would hope that if you are doing a contract, whether it is with the government or private industry, you would always try to perform to the maximum potential of a contract and not the minimum levels of a contract; correct? Mr. Podonsky. Correct. Mr. Stupak. All right. Mr. Podonsky, in your testimony you indicated that Secretary Richardson has put in four things, and I summarized them briefly as accountability, graded approach, need to know limited access and human liability. That is just when I was taking my notes there. You have indicated that the graded approach to protecting classified material should be implemented. Under this approach, some Top Secret documents would have more restrictions than others. In the next panel, Mr. Aftergood is probably going to testify about the higher fences initiative. Are you familiar with this, the higher fences initiative? Mr. Podonsky. I am vaguely familiar with the initiative. Mr. Stupak. Is this a similar concept to the graded approach? Mr. Podonsky. I believe it is. Mr. Stupak. Could you explain a little bit more clearly to me what you mean by this graded approach? Mr. Podonsky. The Department has in place and has had for some time now the concept of graded approach, which means that the sites have to protect documents according to the type of information that's there. So, in other words, not all secrets that we hold in this country should be afforded the same type of protection. So the graded approach is meant to allow folks--allow the people that have to be accountable for the maintaining of these sensitive or classified documents at a higher level. Mr. Stupak. So the graded approach is not just the site specific but also what happens internally within that site? Mr. Podonsky. Yes. Mr. Stupak. Okay. Thank you. Higher fences, if I remember correctly, was one of the recommendations of Secretary O'Leary's Interagency Fundamental Classification Review submitted in 1996. Since the Department of Defense shares much of this information, DOE has been negotiating, and I understand unsuccessfully, with the Department of Defense since 1997 over what should be included. But the whole effort appears to be dead at this point because DOD says it costs too much and has operational impact. Can DOE implement the graded approach when DOD refuses to have the same level of security for the same documents if we are talking about these minimum requirements and graded approach? Can you apply it? Mr. Podonsky. General Habiger would be more equipped to answer that but I will answer that from our perspective, and irrespective of what DOD is willing to do or not do, I think this agency should take the initiative and raise the bar on its own requirements. Mr. Stupak. Okay. Thank you, Mr. Chairman. I will yield back. Mr. Upton. Thank you. Mr. Burr. Mr. Burr. Thank you, Mr. Chairman. Mr. Chairman, I referred to a letter earlier from the lab directors to Secretary Moniz at the Department of Energy on 3-1-99. I would ask unanimous consent that that be entered into the record. Mr. Upton. Without objection. [The information referred to follows:] [GRAPHIC] [TIFF OMITTED] T7110.001 Mr. Burr. Mr. Podonsky, you referred earlier to the fact that Secretary Richardson had implemented a number of new security policies, some recent, some last year, when the first incident at Los Alamos took place. One of them was the polygraph. Has anybody been polygraphed? Mr. Podonsky. Yes, sir. I can tell you personally that almost my entire office has been polygraphed. Mr. Burr. Your office, the investigators have been polygraphed. From the standpoint of the original scope of who was to be polygraphed, individuals at the labs, has that taken place? Mr. Podonsky. I believe it has, and again I would defer to the second panel for the specific numbers. Mr. Burr. I will be sure to cover it with them. Let me go back to your report and again read from page 6. ``Secretary Richardson has again taken prompt and aggressive action to address residual weaknesses that have become apparent in the course of security incidents. On June 19, 2000, the Secretary issued directions to enhance classified matter protection. For example, he specifically required nuclear weapons laboratories to immediately implement measures for better control entry and egress to vaults, including mandating that logs be kept.'' I take it that was a directive from the Secretary that you are referring to? Mr. Podonsky. Yes, sir. Mr. Burr. Let me ask you, if the labs were responsible for security, why would it need a secretarial mandate or referral to address specifically those vaults? Mr. Podonsky. Well, because since there was no requirement prior to that. Mr. Burr. But there was a request prior to that, correct? Mr. Podonsky. I am not following the request. Mr. Burr. Did you find at any time that any of the labs had tried to upgrade the security to their vaults? Mr. Podonsky. There were anecdotal examples that the teams have found that they were upgrading at Sandia and to a lesser extent to Livermore. Mr. Burr. In one case, if I remember, at Sandia, it was met by the Albuquerque office with ``we won't pay for the upgrade in security.'' Mr. Podonsky. I am not familiar with that. Mr. Burr. We will get into that later. Let me again go to your report on page 14. ``The recent independent oversight review concluded that the laboratories had addressed identified weaknesses,'' parenthesis, ``including long-standing weaknesses with classified parts, met DOE's expectations defined in the goals posted in the goal post memorandum and generally met current DOE requirements.'' Now we are talking about moving the security totally outside of these contractors and possibly renegotiating a contract with contractors where security is done by a third party, I take for granted, is the initiative. Let me just ask you, honestly, will this work if that's all we do? Mr. Podonsky. I guess, Congressman, to get to the heart of the answer to your question, I would say that no matter what we put in place, in this Department or any other agency, it goes back down to whether people are going to be held accountable for violating practices, how those practices are put into place. If you go to a third level contractor, I can only give you a personal opinion, and my personal opinion is it is dependent on the management of that contract and how people are held accountable for that contract. We have seen a variety of examples of contracts in the Department. Some work better than others. A lot of it is driven by the individual at the top. Mr. Burr. Have you ever done an evaluation or study of the Albuquerque office as related to their involvement in the security at the two labs they are responsible for? Mr. Podonsky. Yes, sir, we have. Mr. Burr. And what was your finding, if you could just summarize that? Mr. Podonsky. Dependent on who the field office manager was at the time which is responsible for the Albuquerque operation, we found varying degrees of effectiveness from the Albuquerque office. Mr. Burr. Is it safe to say that Albuquerque was fully aware of the intricacies of the NEST program? Mr. Podonsky. I don't know. Mr. Burr. Would they have been fully aware of the security requirements that the labs instituted at the vaults? Mr. Podonsky. They should be, because they are required to do an annual survey of the lab. Mr. Burr. Is it safe to believe that Albuquerque DOE office knew that that particular vault had shared resources in it? Mr. Podonsky. I would assume that since the Albuquerque office, as I said, does the annual survey of its sites that they should have known what was contained in that vault. Mr. Burr. Have you ever found anything that would suggest that the Albuquerque office had concerns about the security procedures in place at Los Alamos, specifically that vault? Mr. Podonsky. Not specifically that vault. Mr. Burr. NEST program? Mr. Podonsky. I have not been made aware of that. Mr. Burr. Is it safe to assume that Albuquerque knew that at least in Los Alamos, and I believe true in all of the--in Sandia as well, and I am sure I will be corrected later, knew that no logs were required for access to those vaults? Mr. Podonsky. I think there seems to be--I think it is safe to assume that they knew that, but I also think that it is clear from our going through the requirements that it is not clear throughout the Department and the security community of the Department as to what all the requirements are, because a lot of the requirements have not been memorialized in policies. A lot of them go back to memorandum, and that's why one of the recommendations in our report was to also memorialize these requirements into DOE orders. Mr. Burr. If the chairman would allow me one last question, is it safe for this committee to assume that the security directives to these labs would be filtered from DOE headquarters to the DOE field office and then to the labs or is security a process that takes place only between headquarters and the labs themselves? Mr. Podonsky. It is supposed to work that they go--that it goes through the lines. So General--the policy arm under General Habiger would promulgate the policy and it would be implemented by the new NNSA, General Gordon, and he in turn would pass it down to the labs through the Albuquerque field office. Mr. Burr. I thank you for that. I yield back, Mr. Chairman. Mr. Upton. Ms. DeGette. Ms. DeGette. Thank you, Mr. Chairman. I apologize for my tardiness. I know Mr. Green and I at least, probably a few other members, are also downstairs at the YNY hearing. So thank you. And I hope I don't repeat anything, but thanks for having this hearing because I know a number of us at the last hearing thought it would be important to have this and I appreciate it. I think we should keep doing it until we hammer this thing out. Mr. Podonsky, my first question, I guess, is that I was reading Dr. Browne's testimony and he says that almost all of Secretary Richardson's directives have now been instituted. You have been at the labs quite often in the last year. How many of these changes have you seen that have actually been instituted? Mr. Podonsky. Most recently at Los Alamos we were not allowed to come--prior to your attendance, I talked about the fact that the FBI investigation was still ongoing. Ms. DeGette. Right. Mr. Podonsky. But for the most part what we have seen at Sandia and Livermore, in the last month, is that most all of the Secretary's initiatives have been, if not started, they are well underway. Ms. DeGette. Do you know when they were started? Mr. Podonsky. No. I would have to go point by point to see which ones, but while we were at the site and--both sites, Sandia and Livermore, last month, when the Secretary's memo came out they immediately started initiating corrective action. Ms. DeGette. So that was last month? Mr. Podonsky. June 19. Ms. DeGette. And what about before June 19, do you know how many had been instituted? Mr. Podonsky. Everything that we have seen, when the Secretary first created our office to go out last--starting last May, everything that we saw promulgated from headquarters was at some stage being implemented. Ms. DeGette. What about the integrated safeguards and security management system that's supposed to raise employees' security awareness levels? Have you looked at the implementation of that in any of the labs? Mr. Podonsky. We, before we were doing security, we looked at integrated safety--integrated safety management and the concept has resonated well enough throughout the Department that I know General Gordon and General Habiger have been talking about having the same concept of integrated security management. Ms. DeGette. Right. Mr. Podonsky. It is still in the conceptual form. There is a lot of acceptance to that, but it has not been implemented. Ms. DeGette. Do you know if there is a timeframe for implementation? Because I thought the standards had been agreed upon and that they were starting to implement it. Mr. Podonsky. I would have to defer to the second panel. Ms. DeGette. Okay. So you don't know? Mr. Podonsky. No. Ms. DeGette. The Rudman Report concludes that to have safe and successful security management systems mean that the security staff have a voice in every management decision and a voice equal to that of the program people. Is that model in the new management system that you know of? Mr. Podonsky. I am not aware of what it is comprised of. Ms. DeGette. So you don't even know anything about the system? Mr. Podonsky. Not in its present state. Ms. DeGette. Okay. Who would know about that? Mr. Podonsky. I think perhaps General Habiger or General Gioconda or perhaps even the lab directors might be able to address that. Ms. DeGette. Mr. Wells, do you know anything about this system? Mr. Wells. At the request of this committee, we have been on the job a couple of weeks and we bought our airline tickets and we are heading out. Ms. DeGette. So you haven't even---- Mr. Wells. We will look at it. Ms. DeGette. All right. Okay. Now, Mr. Podonsky, back to you, over the years DOE has significantly relaxed its inventory controls over Secret and Top Secret documents in order to be consistent in the way that the Defense Department and other agencies handle this classified material. As I looked at your testimony before I came in today, this change did not originate in the DOE but at the National Security Council in 1990. Can you explain why there had to be one industrial security standard? Where did the push for that come from? Mr. Podonsky. All I can tell you from my reading of the documents and my staff's reading of the documents was that President Bush asked the National Security Council to prepare a comprehensive review to explore the development of a single industrial security program and determine whether there could be cost-benefits of aligning the private sector with the government. It was in an effort, as far as we could tell, for both the cost savings and also to bring--to bring into control whether or not we protected all secrets and to, what we talked about, have a graded approach where those more sensitive documents or information were protected at the same standard. Ms. DeGette. And I assume that some of that push or at least there was support from the industry, from the outside contractors who had to comply with various different standards; would that be accurate? Mr. Podonsky. I would conclude that that would be the case. Ms. DeGette. Do you think here today that industrial security is as tight as national security should be? Is there accountability, do you think, for the most secret documents? Mr. Podonsky. Not for--when you look at the Department of Energy, the Department of Energy is unique in the type of information it has. So while we believe that there can be a more even playing field for industrial security for some of our resources, the most sensitive documents that are contained, and information contained in the Department, need to have a much higher standard. Ms. DeGette. Now, what about documents that have been given up decades ago by the Defense Department? Where is the accountability for those? Do you know? Mr. Podonsky. I have no idea. Ms. DeGette. Now, last September you wrote a memo to General Habiger telling him that the biggest security threat was from the active insider. [The information referred to follows:] [GRAPHIC] [TIFF OMITTED] T7110.002 [GRAPHIC] [TIFF OMITTED] T7110.003 Ms. DeGette. You said there were not adequate steps to deal with the active insider, and I know this is a concern that a lot of people on this panel and other places have. What steps did you have in mind? Mr. Podonsky. Well, as General Habiger actually has already begun to take this--you are talking about the human reliability program, and what I can say in open session here is that they have already taken steps to combine some programs to further enhance the reliance on the human reliability program. When you talk about threats in security, you talk about an external threat and you talk about an internal threat. An external threat is protected against various things such as barriers, a security force, fences, alarms, sensors. When you talk about internal, you talk about access controls, clearances. And as we have talked about before your arrival, one of the things that's vitally important to take into consideration is while there is never going to be an absolute there is going to be a reliance on the individual responsible for maintaining their security responsibilities. A lot of these people that we are talking about, where there are violations, are actually creators of the information that we are talking about. So there is intellectual property that one needs to take into consideration as well. Our comment---- Ms. DeGette. Yes, but, you know, the guy who invented Coca- Cola was subject to company security policies that he not reveal that formula even though he thought of it. Mr. Podonsky. And for the most part, I believe that--I don't have the statistics but I would believe you would find that for the most part the Department has been--has a pretty good track record in terms of the individuals, now that notwithstanding the aberrations that we have seen over the last 14 months. Ms. DeGette. Yes, but just to finish up, the problem is when you had the aberrations over the last 14 months that can undermine our national security network. Mr. Podonsky. And that---- Ms. DeGette. You have to set up a system, as you say, both external and internal, that's going to eliminate, as much as possible, chances for problems, because even one problem can be devastating. Mr. Podonsky. Correct, and that's why we wrote the letter to General Habiger to encourage them to take another look at their controls against the insider. Ms. DeGette. Thank you, Mr. Chairman. Mr. Upton. Dr. Ganske. Mr. Ganske. I have here Executive Order 12958, dated April 17, 1995, signed by President Clinton. It deals with the classified national security information. [The information referred to follows:] [GRAPHIC] [TIFF OMITTED] T7110.004 [GRAPHIC] [TIFF OMITTED] T7110.005 [GRAPHIC] [TIFF OMITTED] T7110.006 [GRAPHIC] [TIFF OMITTED] T7110.007 [GRAPHIC] [TIFF OMITTED] T7110.008 [GRAPHIC] [TIFF OMITTED] T7110.009 [GRAPHIC] [TIFF OMITTED] T7110.010 [GRAPHIC] [TIFF OMITTED] T7110.011 [GRAPHIC] [TIFF OMITTED] T7110.012 [GRAPHIC] [TIFF OMITTED] T7110.013 [GRAPHIC] [TIFF OMITTED] T7110.014 [GRAPHIC] [TIFF OMITTED] T7110.015 [GRAPHIC] [TIFF OMITTED] T7110.016 [GRAPHIC] [TIFF OMITTED] T7110.017 [GRAPHIC] [TIFF OMITTED] T7110.018 [GRAPHIC] [TIFF OMITTED] T7110.019 [GRAPHIC] [TIFF OMITTED] T7110.020 [GRAPHIC] [TIFF OMITTED] T7110.021 [GRAPHIC] [TIFF OMITTED] T7110.022 [GRAPHIC] [TIFF OMITTED] T7110.023 [GRAPHIC] [TIFF OMITTED] T7110.024 [GRAPHIC] [TIFF OMITTED] T7110.025 [GRAPHIC] [TIFF OMITTED] T7110.026 [GRAPHIC] [TIFF OMITTED] T7110.027 [GRAPHIC] [TIFF OMITTED] T7110.028 [GRAPHIC] [TIFF OMITTED] T7110.029 Mr. Ganske. Now on page 3, there is something that bothers me a little bit because it says, for classification under section 1.3, that if there is any significant doubt about the appropriate level of classification it shall be classified at the lower level. That bothers me a little bit. But as I have briefly perused this, you know, the closest I can come to the order for these changes that occurred with the requirements discontinued for various types of security arrangements, is on page 18, in which it says, each agency head shall establish and maintain a system of accounting for special access programs consistent with directives issued pursuant to this order. My question to you gentlemen is: No. 1, are you familiar with this Executive Order? And No. 2, am I missing something in this Executive Order? I do not see in this Executive Order specifics for discontinuance of, let's say, approval for reproduction. I don't see specifics for discontinuance of Top Secret control officers. This is a much more general document. Am I correct in reading this document? Mr. Podonsky. Yes, you are. Mr. Wells. Yes, you are. Mr. Fenzel. Yes. Mr. Ganske. Okay. Well, I am getting kind of frustrated because I am trying to figure out who is responsible for these changes. Now this is a generalized Executive Order, so these types of specifics aren't in this Executive Order. Who specifically directed that, for instance, the approval for reproduction of documents, which was required in 1995, would be discontinued? Can you gentlemen tell me that? Mr. Fenzel. My guess is DOE is responsible because in 1998 there was a---- Mr. Ganske. Well, who in DOE gave that order and where is the paper order for that? Mr. Fenzel. I don't know who signed. I don't know who signed. We can go back and look at the order, who actually signed it. Mr. Ganske. Would you please provide the committee with that information? Mr. Fenzel. We can provide that. [The following was received for the record:] Signers of DOE Orders DOE-5635.1A: Control of Classified Documents and Information, 2-12-88 Signer: Lawrence F. Davenport, Assistant Secretary, Management and Administration Action: Initiated 100 percent inventory. Accountability over secret and top secret documents Jan. 30, 1992, Memo: Change in Requirements for the Inventory of Classified Matter Signer: Edward J. McCallum, Director, Office of Safeguards and Security, Office of Security Affairs Action: Periodic inventories of classified matter below top secret will no longer be required when matter is maintained within a DOE- approved limited or exclusion area. May 15, 1992, Memo: Accountability Requirements for Secret Documents Signer: George L. McFadden, Director Office of Security Affairs Action: Secret matter is removed from accountability if it is confined to a limited or exclusion area. DOE 5635.1A Chg 1, Control of Classified Documents and Information, 6- 14-93 Signer: Linda Sye, Acting Assistant Secretary for Human Resources and Administration Action: Defines accountable matter as top secret matter and secret that is maintained outside of limited or exclusion areas. DOE M 471.2-1A: Manual for Classified Matter Protection and Control, 1- 9-98 Signer: Archer L. Durham, Assistant Secretary for Human Resources and Administration Action: Defines accountable matter as top secret or secret mater stored outside of a limited area (or higher). Mr. Ganske. We need to find out who that individual is and we then need to ask that individual in a hearing who did he talk to about that. I want to find out similar information, who was the individual in the Department of Energy that, for instance, discontinued the requirement on copy and series designation? Who changed the requirement on the Top Secret control officer, because then we need to ask that individual who did he talk to? Did he talk to the Secretary of the Department of Energy about that? Did the Secretary of Energy at that time talk to the President about that? Look, I am getting tired of having these hearings and not finding out who is responsible for this. You can't blame it on this Executive Order except in the generalized sense that it loosened--it allowed a loosening of these, but this Executive Order, as I read it, doesn't deal with this type of specifics. So, gentlemen, I am asking you to provide to this committee, within the next week or 2, the information, the paperwork, from the Department of Energy on the specific memos that went out to these laboratories saying that these requirements which were in place in 1995 could be discontinued. Can you give our committee that kind of information? Mr. Wells. Yes, sir. Mr. Fenzel. We should be able to. Mr. Ganske. Is it there? Do you know if that information is available? Mr. Podonsky. I can't speak for GAO but, yes, we do believe that there is a paper trail and we are still--we are still gathering that now for the Secretary. Mr. Ganske. How long will it take you to provide this committee with that information? Mr. Podonsky. We can do it within the week. Mr. Ganske. I thank you very much and that's all the questions I have. Mr. Stupak. Could you provide us a copy of the Executive Order you are speaking of? Mr. Ganske. Sure. Mr. Stupak. Thanks. Mr. Ganske. Thanks. Mr. Upton. Mr. Bilbray. Mr. Bilbray. Thank you, Mr. Chairman. I guess my question will go to the Department of Energy, and I apologize if I seem to be approaching this from a simpleton approach. Right now we have an individual supervising a log system for access to the vault; is that what we have now? Mr. Podonsky. Yes. Mr. Bilbray. We reinstituted the log system? Mr. Podonsky. Yes, General Habiger did reinstitute that under the Secretary's direction. Mr. Bilbray. The log system is supervised by an individual who specifically checks identification and supervises the sign- in and sign-out process? Mr. Podonsky. That's what we understand. We have not gone back out to inspect to make sure that that is how it is being implemented. Mr. Bilbray. How long ago did we implement this? Mr. Podonsky. June 23. Mr. Bilbray. So we assumed it has been but in the last couple of weeks you haven't--no one has checked to make sure it is operating the way it was directed? Mr. Podonsky. No. Our oversight folks have not done that. Perhaps the policy group in the next panel could tell you whether they have actually done that. Mr. Bilbray. Okay. Do we have any electronic inventory tracking system on these documents? Mr. Podonsky. I am not aware that that is the case right now. Mr. Bilbray. Okay. Do we have any video surveillance systems on these documents or on the environs for access and egress? Mr. Podonsky. At some locations we might. I don't know across the board. Mr. Bilbray. Okay. So it seems like right now we are sort of operating under a 1941 model of a piece of paper, people sign in by a security person and sign out; basically a system that would have been right at home to our fathers during World War II and our mothers during World War II? Mr. Podonsky. And again, Congressman, there may be other pieces that are currently in place but the currency of my teams, we came back off the road on June 23. Mr. Bilbray. Okay. This change in the 1995--or the changes we have seen over the last few years, why were these changes made? Mr. Podonsky. I don't have a good answer for you because we asked the same questions. Mr. Bilbray. I will tell you something. What I am concerned about is that we can change systems, we can go through procedures. What I am really worried about is the institutional mindset of why were these changes made and who made them? What were they thinking? Is this an attitude that now that the so- called cold war is over that now don't worry about it? Was it sloppiness or was there a real intention on the fact that this is no longer--national security or national secrets are no longer a high priority? I think the biggest question is not the institutional--I mean, not the structural system but the institutional mindset. Like I said before, I am really worried that this is being perceived as being a huge responsibility. Mr. Wells, are we going to be looking at developing an internal system within our own government structure? Are we going to be looking at bringing the private sector into some called-for proposals to see how we can upgrade this and make it a system that's more compatible with this millennium rather than 1941? Mr. Wells. Cyber technology is here today. We need to catch up quick in terms of what the requirements are. Mr. Bilbray. You know, I mean I know right now from maybe because San Diego is a high tech center that--I mean I have got companies that use a strip about the size of a hair on every one of their documents and anywhere that document moves anywhere in the building they know exactly when and where it was there. I am just wondering how are we going to gain access to what the private sector has been using for over a decade and use it for our most precious secrets? Is there any vehicle being considered to be able to go out and draw on these resources and have them participate in the development of the new upgraded security mode? Mr. Wells. Certainly I don't have an answer for you today but we will certainly pose that question to our audit teams and try to find out if there is something out there that would be applicable to be used under these circumstances. [The following was received for the record:] We are exploring that question as part of our ongoing work. Mr. Bilbray. I just hope those of us in government take advantage of this knowledge. And the way to do it is not to go out for bid, don't say what you want and how much it is going to cost but go out for proposals and say bring us the best packages you guys can develop so that you see exactly what's out there. I think the call for proposal is the only responsible way to go, but this is one member's opinion. Thank you very much, Mr. Chairman, and I yield back. Mr. Upton. Mr. Cox. Mr. Cox. Thank you, Mr. Chairman. I thank our panel for being with us. Two weeks ago, Congress received a report of the Redmond panel. Paul Redmond, of course, is well-known to you. He is one of America's leading counterintelligence experts and was the head of counterintelligence at the Central Intelligence Agency until recently. Have you all read this Redmond Report, the unclassified or the classified version? Mr. Podonsky. No, I have not. Mr. Wells. No, I have not. Mr. Fenzel. No, I have not. Mr. Cox. I would like to ask you some questions about it and so I will share it with you as part of the question so you at least have the relevant portion to which to respond. Mr. Stupak. Mr. Cox, I am sorry to interrupt, but do you plan on putting that in the record then so we all have it? Mr. Cox. Yes, we ought to add it to the record of this committee. It has already been put on the Union Calendar and introduced in the Committee of the Whole House. Mr. Stupak. Okay. None of us have it here. Mr. Cox. In fact, this is the House print of it. It is a House document and that is, of course, only the unclassified version of the report. It is dated as entered into the record of the House June 21, 2000. But if the chairman agrees---- Mr. Upton. Without objection it will be made a part of the record here. [The information referred to follows:] [GRAPHIC] [TIFF OMITTED] T7110.030 [GRAPHIC] [TIFF OMITTED] T7110.031 [GRAPHIC] [TIFF OMITTED] T7110.032 [GRAPHIC] [TIFF OMITTED] T7110.033 [GRAPHIC] [TIFF OMITTED] T7110.034 [GRAPHIC] [TIFF OMITTED] T7110.035 [GRAPHIC] [TIFF OMITTED] T7110.036 [GRAPHIC] [TIFF OMITTED] T7110.037 [GRAPHIC] [TIFF OMITTED] T7110.038 [GRAPHIC] [TIFF OMITTED] T7110.039 [GRAPHIC] [TIFF OMITTED] T7110.040 [GRAPHIC] [TIFF OMITTED] T7110.041 [GRAPHIC] [TIFF OMITTED] T7110.042 [GRAPHIC] [TIFF OMITTED] T7110.043 [GRAPHIC] [TIFF OMITTED] T7110.044 [GRAPHIC] [TIFF OMITTED] T7110.045 [GRAPHIC] [TIFF OMITTED] T7110.046 [GRAPHIC] [TIFF OMITTED] T7110.047 Mr. Cox. It will also be included in the record of this committee, as well it should be because it is precisely the same topic and a great deal of work went into the preparation of this report. The Redmond Report finds two areas of greatest shortcoming. The first is gaining employee acceptance of the polygraph program and the second is counterintelligence awareness training. With respect to the polygraph program, this is as of 2 weeks ago, the report states, the Department of Energy has failed to gain even a modicum of acceptance of the polygraph program in the laboratories. With respect to counterintelligence, it states, the Department of Energy's efforts to improve CI awareness training have failed dismally. Mr. Podonsky, do you share that evaluation? Mr. Podonsky. I have no information to conclude that that is accurate. The information that I have is that there has been polygraphs being administered at the national labs, as well as other organizations such as my own and General Habiger's. But whether or not the counterintelligence program is effective or being accepted or whether the polygraphs are being accepted, I have no information. Mr. Cox. The reason that the Redmond Report is concerned with the lack of acceptance of polygraphs at the laboratories is the lack of implementation. Can you tell us how many people at Los Alamos, how many people at Livermore, how many people at Sandia, have been polygraphed? Mr. Podonsky. I can only ask you to defer that question to the second panel. Mr. Cox. Do you have a rough idea? Mr. Podonsky. Just ballpark numbers which I wouldn't want to quote because they are fourth party. Mr. Cox. Well, the answer is not very many and we can go into that with the next panel, but this program of polygraphing sensitive employees in the most sensitive nuclear weapons security positions is incipient. It is barely beginning and there has been a great deal of temporizing and, according to the Redmond Report, worse than that in putting the program into place. Let me share with you more of what he has to say and what the panel has to say. First, the panel notes that Congress has mandated these polygraphs and also the President of the United States in President Decision Directive 61, which was issued in February 1998. So even a few months before the Congress created the Select Committee that issued its report on counterintelligence and security at the national weapons laboratories, the President of the United States had issued a direct order to the Secretary of Energy to implement polygraphing at the national laboratories. That polygraphing, until very recently, had not even commenced and now it has barely commenced. The Redmond Report further states with respect to this that Department of Energy headquarters personnel have made little effort to consider the views of senior laboratory managers and have not involved them in the planning process for determining who will be polygraphed. I can say that the chairman of this subcommittee, Mr. Burr and myself found this also to be true on our field visits to the labs as members of this subcommittee. The Department of Energy headquarters' efforts to meet with the laboratory employees to explain the polygraph program have been ineffective, if not counterproductive. To make matters even worse, DOE headquarters, by vacillating and changing the policy over time, appeared inconsistent, and I am sure where the opposite is essential, to instill confidence in the program parameters and professionalism. And the authors of this report saw the same thing that the subcommittee members did when they went to visits the labs. The scientists are wearing buttons that say ``Just say no to polygraphs.'' Now these, of course, are employees of the University of California, contractors to the Department of Energy, in cleared positions. Why is it that there is a direct order from the President of the United States that this program go forward, a direct legislative mandate from Congress and we can have a report in June of 2000 that tells us that the Department of Energy not only isn't doing it properly but is getting in the way? Mr. Podonsky. Congressman, I am not about to sit here and give you answers to information I know nothing about. I would only, again, defer to those who have been involved, Ed Kern and General Habiger. Mr. Cox. Mr. Wells, do you care to comment? Mr. Wells. Mr. Cox, to my knowledge we don't have any ongoing work involving that issue. Mr. Cox. Do you, Mr. Podonsky, think that polygraphing is an important part of security at the labs, and counterintelligence? Mr. Podonsky. I can only give you my personal opinion in doing oversight in this Department for quite some time and I think if polygraphs are administered in a reasonable fashion, that it can be--it can be employed to be useful. That's a personal opinion. Mr. Cox. Okay. Are you aware that at the labs, one of the complaints of the scientists was that President Clinton had issued an Executive Order that had exempted from polygraphs political appointees and Schedule C appointees? Mr. Podonsky. I wasn't aware of that, no, sir. Mr. Cox. The, I think, diplomatic statement in the Redmond panel about the ineffective, if not counterproductive, efforts of DOE headquarters in meeting with the scientists refers to the sensitivity sessions that have been held about polygraphs that have really made the problems worse in full public view. I will say, if the chairman will permit, that when we have scientists at the labs responsible for very sensitive military secrets and we entrust them with this responsibility we also have to entrust them with enough information so that they can understand why they are being asked to change their behavior. And there is more information being shared in court these days with Federal judges than is being shared with our scientists. We have got to, as this report states, deal much more effectively with that problem. And the rest of these things that we are talking about here today, it seems to me, are symptomatic virtually so of this underlying problem. The counterintelligence issues, I don't know whether my time has expired and I can come back to this. Mr. Upton. Your time has expired some time ago, but you can get more. I will allow you to have another round. Mr. Cox. I think we ought to do that because the counterintelligence issue, which the Redmond panel raises, is equally important. I thank the chairman. Mr. Upton. And I might ask if we could retrieve temporarily your copy of the Redmond Report so we can make copies for the minority as well. Mr. Cox. Sure. Mr. Upton. Temporarily. We will get the copies back to you. Thank you. Mrs. Wilson. Mrs. Wilson. Thank you, Mr. Chairman. Mr. Podonsky, I may be asking a question that Mr. Burr may have covered before I came, but I would like to hear your answer to it. In your report, you refer to a request--which I believe is on page 19 of your redacted report--that early last year the weapons labs proposed to Under Secretary Moniz, that tighter controls be reinstituted for certain sensitive matter, including things like hard drives. Do you know what happened to that recommendation? Mr. Podonsky. At the time of our special review out at Sandia, the staff at Sandia provided that fax to us. That was the first time that we had seen it, and specifically we don't know what happened after that was sent to Washington. Mrs. Wilson. You say at the time of your review at Sandia. Which review would that be? Mr. Podonsky. Over Father's Day, the June 19 timeframe. Mrs. Wilson. So that was after the problem at Los Alamos? Mr. Podonsky. Yes, ma'am. Mrs. Wilson. So you had no knowledge of a recommendation to tighten security procedures before that? Mr. Podonsky. We had no knowledge of this memorandum or fax from the laboratory directors. Mrs. Wilson. Would it be unusual for you to be excluded from the staffing of that kind of recommendation? Mr. Podonsky. No, not unusual at all. Mrs. Wilson. Who in the Department of Energy would be involved in the staffing of that kind of recommendation? I am assuming that, you know, you can't expect the deputy to be seeing everything. What organization would that normally be routed to? Mr. Podonsky. That would be routed to the line responsibility, so that would be perhaps General Gioconda's organization, as well as the policy group for security, which would be under General Habiger. Mrs. Wilson. Are you familiar with a program called ISecM that was instituted last year with respect to cyber security? Mr. Podonsky. My cyber security people are very familiar with that. Mrs. Wilson. As I understand it, it was a response to the Wen Ho Lee incident, to try to deal with the insider security problem. Do you know what the cost estimate was to implement ISecM? Mr. Podonsky. No, ma'am, I do not. Mrs. Wilson. Who in the Department of Energy would have that information? Mr. Podonsky. If I'm not mistaken, that originated out of the defense organization program so perhaps General Gioconda might have that information. Mrs. Wilson. Thank you, Mr. Chairman. I yield my time. Mr. Upton. Thank you. For those members wishing another round of questions, I am going to pass and yield to Mr. Burr. Do you have additional questions? Mr. Burr. I do. I thank the chairman. Let me follow up with where Ms. Wilson was. If I understood you correctly, you have the responsibilities for independent oversight? Mr. Podonsky. Yes, sir. Mr. Burr. You said that it is not unusual for you to be excluded from requests about security upgrades from the laboratories? Mr. Podonsky. That's correct. And--I am sorry. Mr. Burr. No, I am somewhat baffled by that as to how you could be excluded from the--given that you are responsible to do evaluations. I mean, we have had you do numerous ones, or DOE certainly has--that a document like that and a request from the directors of these labs might not have been supplied for you, as you evaluated what the current and--for your own recommendations, what they felt. That's accurate? Mr. Podonsky. That is accurate. I really--we don't find that terribly unusual from the standpoint of we do not manage any of the sites. We do not have responsibility that the line has, so I would not expect that we would be exposed to a lot of decisions that are made in the security arena that involve either policy, upgrades---- Mr. Burr. But it is clearly helpful to committees like this that are trying to look at the process that your report include, this is a deficiency; the directors of these labs have made a recommendation. I can't imagine that the Department of Energy would let you go through a review process and not make available anything that they felt was pertinent, or anything that was pertinent; but it is not unusual? Mr. Podonsky. No, and I would agree with your--with your statement that if--we should be exposed to a lot of the background of how decisions arise, but as those decisions are underway I don't find that to be unusual. Mr. Burr. Let me read some of Mr. Browne's testimony because we won't have an opportunity to have you back up, and just get some comments on it. ``There are a number of special programs at Los Alamos in which line managers have little or no access to ensure that laboratory safety and security rules are met.'' ``Prior to this incident, it was not clear to our line management and security people whether or not they had the necessary authority to accept responsibility for the detailed security procedures of these programs.'' They are referring to SAP and--nonSAP and nonSCI programs. Is that inconsistent or consistent with your findings? Mr. Podonsky. From our past inspections, that is not consistent. We have found that the folks that in last year's inspection that we interviewed and looked at their programs, that they seemed to understand what their responsibilities were. Mr. Burr. He goes on as it relates to the NEST program: ``The NEST program has been operated as a closely held need-to- know program but not a formal special access program. Los Alamos has made a good faith effort to participate in this program, as we understood the guidance of the program sponsors in DOE. Oversight of NEST by our security division was limited. Not all aspects of the NEST security plan were reviewed and approved by laboratory managers for compliance with DOE rules or for best security practices. Even if NEST was treated as closely held need-to-know programs, it was subject to DOE policy for handling SRD and that policy was in place at the laboratory.'' Can you comment on that statement by Mr. Browne? Mr. Podonsky. We believe that security at a site is the responsibility of the site and it is a shared responsibility with the DOE headquarters and the line organization. Specifically on NEST, we do know, as I mentioned, that we are going to do an inspection of all the NEST activities. We have not inspected the entire NEST activities since 1992, but looking at NEST as a program, we do know that there has been-- prior to this past year and a half, there has been some confusion as to where the responsibilities and accountability for NEST lie. Mr. Burr. Clarified in a memo several weeks ago by one of the Under Secretaries to the labs; am I correct? Mr. Podonsky. Yes, sir. Mr. Burr. So clearly everybody knew there was a lack of understanding, or there wouldn't have been a need for a memo; safe to say? Mr. Podonsky. Yes. Mr. Burr. Since this was a DOD project, was DOD involved in the security requirements for the NEST program? Mr. Podonsky. I am not conversant on that. I would defer that to General Boomer--or I would say General McBroom. Mr. Burr. Let me just say, Mr. Chairman, that it is my understanding from staff that the committee did make an invitation of DOD to participate in this hearing. They did not accept our invitation. I am sorry that they didn't because I would hope that anybody who had relevant information would be willing to come in. One last question, if I could, from the standpoint of the individual in charge of independent oversight and the extensive work that you have done in the labs, do you have any recommendations to this subcommittee and to the three directors of those labs that are in our audience and here testifying after you, about the dual use of vaults in the future and if you have any specific comments about the dual use of the vault that NEST equipment kits were kept in? Mr. Podonsky. I would say that, Congressman, we addressed that with our recommendations for a closer look at the need-to- know policy, but for a general statement I would say, as--I would like to iterate the point I said earlier, is that the fingerpointing needs to cease between the lab and the Department, as well as the legislative arm and the executive branch, and we need to get on with fixing our national security interests. Mr. Burr. I agree with you totally. I hope I am--I hope I understand correctly what took place in that vault facility. I think even a layman would agree that if you have got two separate projects in there, and you have got individuals who are approved for one and not approved for the other and vice versa, all with the ability to go in alone, that you have got a potential breach. It doesn't mean that one will happen, but you have got the opportunity for a breach of that information to happen. As a security expert, would you agree with that? Mr. Podonsky. Yes, sir. Mr. Burr. So it is probably a policy that we ought to look at very seriously in the future about the dual use of a secure facility? Mr. Podonsky. Yes, sir. Mr. Burr. Okay. I thank all of our witnesses, and I yield back. Mr. Upton. Thank you. Mr. Cox. Mr. Cox. Thank you. Before I leave the subject of polygraphs, I note that in the Interim Report to the Secretary of Energy on the Control of Classified Weapons Data at the National Weapons Laboratories--which I believe, Mr. Podonsky, you have provided? Mr. Podonsky. Yes, sir. [The information referred to follows:] [GRAPHIC] [TIFF OMITTED] T7110.048 [GRAPHIC] [TIFF OMITTED] T7110.049 [GRAPHIC] [TIFF OMITTED] T7110.050 [GRAPHIC] [TIFF OMITTED] T7110.051 [GRAPHIC] [TIFF OMITTED] T7110.052 [GRAPHIC] [TIFF OMITTED] T7110.053 [GRAPHIC] [TIFF OMITTED] T7110.054 [GRAPHIC] [TIFF OMITTED] T7110.055 [GRAPHIC] [TIFF OMITTED] T7110.056 [GRAPHIC] [TIFF OMITTED] T7110.057 [GRAPHIC] [TIFF OMITTED] T7110.058 [GRAPHIC] [TIFF OMITTED] T7110.059 [GRAPHIC] [TIFF OMITTED] T7110.060 [GRAPHIC] [TIFF OMITTED] T7110.061 [GRAPHIC] [TIFF OMITTED] T7110.062 [GRAPHIC] [TIFF OMITTED] T7110.063 [GRAPHIC] [TIFF OMITTED] T7110.064 [GRAPHIC] [TIFF OMITTED] T7110.065 [GRAPHIC] [TIFF OMITTED] T7110.066 [GRAPHIC] [TIFF OMITTED] T7110.067 [GRAPHIC] [TIFF OMITTED] T7110.068 [GRAPHIC] [TIFF OMITTED] T7110.069 [GRAPHIC] [TIFF OMITTED] T7110.070 [GRAPHIC] [TIFF OMITTED] T7110.071 [GRAPHIC] [TIFF OMITTED] T7110.072 [GRAPHIC] [TIFF OMITTED] T7110.073 [GRAPHIC] [TIFF OMITTED] T7110.074 [GRAPHIC] [TIFF OMITTED] T7110.075 [GRAPHIC] [TIFF OMITTED] T7110.076 [GRAPHIC] [TIFF OMITTED] T7110.077 [GRAPHIC] [TIFF OMITTED] T7110.078 [GRAPHIC] [TIFF OMITTED] T7110.079 [GRAPHIC] [TIFF OMITTED] T7110.080 [GRAPHIC] [TIFF OMITTED] T7110.081 [GRAPHIC] [TIFF OMITTED] T7110.082 [GRAPHIC] [TIFF OMITTED] T7110.083 [GRAPHIC] [TIFF OMITTED] T7110.084 [GRAPHIC] [TIFF OMITTED] T7110.085 [GRAPHIC] [TIFF OMITTED] T7110.086 [GRAPHIC] [TIFF OMITTED] T7110.087 [GRAPHIC] [TIFF OMITTED] T7110.088 Mr. Cox. You have recommended that the human reliability program should be reevaluated to make sure that it is providing assurance of an individual's trustworthiness, and you specifically mentioned polygraphs for that purpose. I take it it is your view that polygraphs are an integral part of the security function that you are trying independently to evaluate? Mr. Podonsky. As I answered in the last round of questions, yes, sir, we do believe that if it is applied in a reasonable way, that it can, in fact, be a way to enhance security. Mr. Cox. Are you troubled by the fact that it has taken so many years to get started? Mr. Podonsky. There are many things in the Department that trouble me, but this one in particular we haven't really focused on. Mr. Cox. I wonder whether I ought to address my questions next about changing the results of security surveys to GAO or to you, Mr. Podonsky? Mr. Podonsky. I am not familiar with how much GAO is cognizant of the survey program. Mr. Cox. Well, the Inspector General's report, of course, dated May 30, 2000, tells us that Department of Energy management changed ratings for the 1998 and 1999 surveys at Los Alamos without providing a documented rationale for the changes; that they did not fully address concerns about a compromise of force-on-force exercise; that they destroyed work papers contrary to policy. And I wonder, Mr. Wells, whether you have any thoughts on that? Mr. Wells. Whether it be the survey program, whether it be reducing the minimum requirements that we have testified here today about, given the problems that seem to surface weekly or monthly regarding security lapses, one just clearly comes to the conclusion it is unclear what objective they are trying to achieve when they put forth reductions in surveys and reductions in oversight and reductions in accountability controls. Mr. Cox. Now this same Department of Energy office in Albuquerque comes in for criticism in the Redmond Report for its frustration of counterintelligence programs. Specifically, I am reading now from the Redmond Report: ``The Department of Energy Operational Field offices at Albuquerque and Oakland continue to refuse to share relevant information from employee personnel files under their control with the Department of Energy counterintelligence or the lab counterintelligence components. The team,'' that is, the Redmond team, ``learned that Department of Energy counterintelligence is not even informed by these three offices''--by DOE offices with the records, with the files--``when an employee loses his or her security clearance.'' So counterintelligence can't even find out, because DOE husbands the information and refuses to share it with counterintelligence when an employee loses a security clearance for cause. Mr. Podonsky, what can we do about this? Mr. Podonsky. Well, the first thing I would suggest is that I would--I would want to know whether Ed Curran, the director of the Counterintelligence Office, is familiar with this and if he was, then I would expect Ed Curran and his oversight program of counterintelligence to remedy this in consultation with the rest of the Department that has responsibility over those areas. Mr. Cox. Are you comfortable with the compartmentalization of CI from security? Mr. Podonsky. This is an initiative that the Secretary created, and the answer is so far we have been working very closely with Ed Curran's organization, counterintelligence, as well as with General Habiger's security organization. So the answer is we have no reason not to be comfortable with it. Mr. Cox. Do you know what the views of lab management are? We will have a chance to ask them directly in the next panel, but do you know what the lab's view is on this? Mr. Podonsky. Other than not necessarily liking Podonsky's oversight organization, no, sir, I don't know what their views are. Mr. Cox. I ask the question because, for example, with respect to human reliability, it is awfully difficult to separate out the expertise that is required for CI from the expertise that's required for security. Let me read just another passage from this report, the Redmond Report: ``It has been the sad experience in many espionage cases that only after the spy is uncovered does it become clear that a plethora of counterintelligence indicators concerning various facets of the individual's life, performance, and behavior have been known in different places by different individuals but never effectively collated or holistically evaluated. The Department of Energy must ensure that the CI officers at the laboratories are part of a formal system set up locally to ensure that all relevant CI and security data information is collected, assembled, and analyzed by means that are not solely dependent on personal relationships''--and on and on. It is often difficult, it would seem to me, to arbitrarily characterize a bit of information as security information but not CI, or as counterintelligence information but not security. If you have an unreliable person in the building, that's a security issue; it is also a CI issue, isn't it? Mr. Podonsky. Yes, sir, and I think that you will find that both the Office of Security Operations and the Counterintelligence work hand in glove, as we also try to ascertain how they are proceeding in some of their operations. In years gone by, Congressman, the counterintelligence, the intelligence and the security organizations were all contained in the Defense Programs Office and they worked the same way. The difference now is that they all have separate direct reports to the Secretary. So that we have Secretarial attention on these matters. Mr. Cox. I would conclude by observing that Congress created the NNSA, the National Nuclear Security Administration, with a view to centralizing authority over all of these concerns, so there would be a single chain of command, a single line of direction. And we first faced the two-hatting exercise where the Secretary of Energy and the White House decided that they were going to frustrate the intent of Congress and not let the NNSA do its job. We also had a long political delay in getting it started, and only when there was this latest public embarrassment with the hard drives could we even confirm General Gordon as the first Administrator. So now, a year after passing the legislation, we have it in place but we have all of these efforts to keep power, bureaucratic power and turf in DOE and not let NNSA be the independent agency that it must be to do its job. I hope that with the experience under our belt, with all of the months and years that are being consumed with people saying that they are doing their jobs but not actually accomplishing it, we can finally see the value of doing this properly, having the NNSA and General Gordon be in charge. There is one other aspect of the Redmond Report that I think deserves mentioning, and it is the disconnection that this report finds between DOE's glowing reports on its own accomplishments of the initiatives that it has put in place and so on and what actually has been done. What this report says is that whenever an initiative is started or if an order is promulgated, then DOE takes credit for doing it; whereas most of this is unfinished business. It is a useful remark for the report, and I just wonder whether, Mr. Wells or Mr. Fenzel, you have any comment on that point? Mr. Wells. We would agree--and I think we used almost those exact same words earlier in response to a question--that our 20 years' and 50 recommendations' worth of effort in oversight clearly pointed out that they are quick to take action for corrective action, but the implementation isn't necessarily always completed nor is success fully achieved, and the next thing we know the problem recurs. Mr. Cox. Well, Mr. Chairman, I thank you for your indulgence. Mr. Podonsky, I thank you for your efforts in this area; Mr. Wells and Mr. Fenzel as well. It is vitally important that we not make this a fingerpointing exercise and that we get on with it, but there are big changes that have to be made if we are going to get on with it. While no one means to be critical or fingerpoint, if you have months and months and years and years of inactivity or inadequate response to these challenges, then call it what you will, somebody has to raise hell about it. Mr. Upton. Thank you. I think that that leads us to the conclusion of Panel I. Thank you very much for being with us this morning. You are now formally excused. Thank you. Thank you for your time and your reports. We will now go to Panel II, that includes the Honorable T. J. Glauthier, Deputy Secretary from the Department of Energy; who is accompanied by General Eugene Habiger, the Director of the Office of Security and Emergency Operations; General John McBroom, Director of the Office of Emergency Operations, and also accompanied by General Tom Gioconda, Deputy Administrator for Defense Programs at the National Nuclear Security Administration; also Dr. Paul Robinson, President and Laboratory Director of Sandia; Dr. John Browne, Director of Los Alamos; and Dr. Bruce Tarter, Director of Lawrence Livermore National Lab; as well as Mr. Steven Aftergood, Senior Research Analyst from the Federation of American Scientists. It will just take a moment to get the names placed correctly. As you all know, we have a longstanding tradition of taking testimony under oath. Do any of you gentlemen have objection to that? If not, you are also, under committee rules, allowed to be represented by counsel. Any objection to that? Do any of you desire counsel? [Witnesses sworn.] Mr. Upton. Thank you very much. You are now under oath, and we will start with Mr. Glauthier. TESTIMONY OF HON. T.J. GLAUTHIER, DEPUTY SECRETARY; ACCOMPANIED BY: GENERAL EUGENE E. HABIGER, DIRECTOR, OFFICE OF SECURITY AND EMERGENCY OPERATIONS; GENERAL JOHN McBROOM, DIRECTOR, OFFICE OF EMERGENCY OPERATIONS; AND BRIGADIER GENERAL TOM GIOCONDA, ACTING DEPUTY ADMINISTRATOR FOR DEFENSE PROGRAMS, NATIONAL NUCLEAR SECURITY ADMINISTRATION, DEPARTMENT OF ENERGY; C. PAUL ROBINSON, PRESIDENT AND LABORATORIES DIRECTOR, SANDIA NATIONAL LABORATORIES; JOHN C. BROWNE, DIRECTOR, LOS ALAMOS NATIONAL LABORATORY; C. BRUCE TARTER, DIRECTOR, LAWRENCE LIVERMORE NATIONAL LABORATORY; AND STEVEN AFTERGOOD, SENIOR RESEARCH ANALYST, FEDERATION OF AMERICAN SCIENTISTS Mr. Glauthier. Thank you, Mr. Chairman. Thank you for this opportunity to appear today to provide an update on the security situation at the Department of Energy's weapons laboratories. I will be brief. My overall testimony has been submitted in writing. I would like to reiterate Secretary Richardson's statement in reference to the missing Los Alamos hard drives. That is, that the Energy Department security procedures were not followed, and since coming to the Department the Secretary has emphasized security issues. We are outraged at what has taken place in this particular incident. Now, as much as can be discussed, I would like to give a brief update on the current FBI criminal investigation. A grand jury has been convened to examine issues related to the case. It has been determined by the FBI that these are the authentic disk drives. Based upon the investigation by the FBI, there is no evidence of espionage. It can be assured that personnel will be held accountable and disciplinary action will result from this incident, but the Department will not take action until all the facts are established. During the last 2 years that Bill Richardson has been Secretary, security has been a top priority and the security-- and the Secretary has gone to extreme lengths to improve the agency security and counterintelligence profile. Through his leadership, we have implemented over 50 major security and counterintelligence initiatives. For example, the Secretary has established the Office of Independent Oversight which is headed by Mr. Podonsky that you just heard from, and he is reporting directly to the Secretary. The purpose of that office is to focus on implementation and to give an independent oversight on the practices that are actually being carried out at our various sites. A lot has been made in the last 2 hours about changes that have occurred in the practices at the facilities. I am sure we will talk more about that. I would comment that the changes that were made over the last decade were changes to introduce more flexibility into the individual practices, the actions that are taken. There was no change in that timeframe on the responsibility for protecting secure information, and I think that is important to recognize that all the individuals at our facilities, all the contractors, all the Federal employees, maintained the same responsibility for protecting secure information throughout this whole timeframe. And the over 120,000 Federal and contractor employees of the Department of Energy have an outstanding record. Unfortunately, it only takes a few individuals to cause a serious problem which is, of course, what we have seen. We have implemented additional security procedures in light of the recent incident at Los Alamos, and I would like to just mention a couple of those; things that in some cases changed the kinds of items you were talking about on the earlier chart, and in other cases are new and additional actions, such as encrypting selected classified electronic media, enhancing verification procedures, including log-in and log-out requirements for vault and vault-type room access; staffing all open vaults and vault-type rooms; increasing security measures for certain classified encyclopedic data bases; conducting immediate inventory of all Nuclear Emergency Search Team, or NEST, data; and placing serial numbers and identification codes on sensitive materials. Additionally, as you probably noticed, the Secretary has informed the University of California that its contract for managing the Department's national weapons laboratories must be restructured in order to bring in a separate organization to be responsible for security procedures and some other facility operations. Under Secretary John Gordon will oversee the negotiations and work with the university to identify new mechanisms and procedures to address the serious security shortcomings. It is expected that he will have his recommendations to the Secretary by September 5. The last action that I want to highlight is the assignment that former Senator Howard Baker and former Congressman Lee Hamilton have accepted. Jointly they will conduct a thorough investigation and assessment into the circumstances surrounding the incident at Los Alamos. Their expected assessment, separate from the FBI investigation, will provide recommendations for necessary corrective actions. In summary, the Department of Energy has a significant responsibility for the American people regarding our overall nuclear security. We are responsible for sustaining America's nuclear deterrent, the cornerstone of our national defense, and for securing nuclear weapons materials and know-how at home and abroad. We must ensure our security measures are stringent, but also that they do not stifle the science that allows us to have that deterrent and that underpins our national security decades into the future. I know I can speak for my colleagues at the labs and throughout the Department in reiterating our commitment to carrying out this mission in a safe, secure and sensitive manner. I think General Habiger would like to make a couple of comments, and then Dr. Browne, the director of Los Alamos, in particular wants to comment on these. [The prepared statement of Hon. T.J. Glauthier follows:] Prepared Statement of Hon. T.J. Glauthier, Deputy Secretary of Energy Thank you for this opportunity to appear before you today to provide an update on security at the Department of Energy's weapon laboratories. To begin, at the end of June the Secretary Bill Richardson informed the University of California (UC) that its contract for managing the department's national weapons laboratories must be restructured in order to make much-needed improvements to security and other facility operations. We have begun negotiations with the University to bring into their operations specific security and management expertise to implement these improvements. Although the Secretary recognizes UC's unparalleled scientific reputation and its contribution to the scientific vitality of the laboratories, he is sharply critical of their failure to bring the same degree of expertise to the management of security and facility operations. Secretary Richardson has asked Under Secretary John Gordon to oversee this and to work with the University to identify new mechanisms and procedures to address the serious security shortcomings of the University of California at the weapons laboratories. It is expected that General Gordon will make his recommendations to the Secretary by September 5. situation update I would like to reiterate Secretary Richardson's statement in reference to the missing Los Alamos hard-drives, that the Energy Department security procedures were not followed. Since coming to the Department, the Secretary has emphasized security issues. We are outraged at what has taken place. There are no excuses. Now, as much as can be discussed, I would like to give a brief update on the current FBI criminal investigation. A grand jury has been convened to examine issues related to the case. The FBI is still looking at the two hard drives found on June 16 at the Los Alamos National Lab. The Secretary has been speaking with FBI Director Louis Freeh throughout the investigation. It has been determined by the FBI that these are the authentic disk drives. Based upon the investigation by the FBI, there is no evidence of espionage. The Bureau continues to treat the area where the hard drives were found as a crime scene. Over the last several weeks, the FBI and Energy Department investigation has focused on a handful of X-Division employees, who have offered conflicting statements to investigators. I can also tell you that, according to its latest findings, the FBI's working theory puts the loss of the drives at the tail end of March of this year. This time-line would be further refined as the investigation continues. This information helps clarify some details surrounding this case. Prior to this incident, the Secretary's directive required the Department to be notified of any such problem within eight hours of their discovery. That is his policy. Instead, the University of California neglected to inform the Department until three weeks after the initial discovery. As you know, the Department immediately brought in the FBI, informed the President, advised others in the Administration with a need to know, and shared what we knew with the relevant Congressional committees. It can be assured that personnel will be held accountable and disciplinary action will result from this incident. But the Department will not take action until all the facts are established. latest security actions During the last two years, security has been a top priority, and the Secretary has gone to extreme lengths to improve this agency's security and counterintelligence profile. Through his leadership we have implemented more than 21 major security initiatives and have completed 36 recommendations in the Counterintelligence Implementation Plan. However, when the recent breach came to our attention, we immediately implemented an elevated slate of security procedures to be followed in our sensitive divisions. I reviewed a number of enhanced security protection measures directed by General Eugene Habiger, Director of Security and Emergency Operations, and who is with me. These new steps will effect immediately. They include: Encrypting selected classified electronic media; Enhancing verification procedures for vault and vault-type room access; Manning all open vaults and vault-type rooms; Evaluating existing vault and vault-type room procedures; Increasing security measures for certain classified encyclopedic databases; and, Conducting an immediate inventory of all Nuclear Emergency Search Team (NEST) and Accident Response Group (ARG) assets. These steps are in addition to measures the lab has put in place: Placing serial numbers/identification on sensitive materials; Changing combinations to vaults; and Reviewing vault access policy, including a vault ``stand- down'' to ensure procedures are followed. NEST Next I would like to give a description of the Department's Nuclear Emergency Search Team, familiarly known as NEST, and the policies and procedures in which it operates. NEST is one of seven major Department of Energy Emergency Response assets tasked with responding to nuclear incidents or accidents. NEST members are dedicated volunteers who, when called, form a highly skilled force specially trained to deal with all types of nuclear and radiological emergencies. The concept of the response teams and how the program runs on a daily basis may provide some valuable insight. Ordinarily, the Department has no standing teams formed. The all-volunteer personnel who would comprise these teams are working their normal jobs within the lab/site structure. An example of this concept would be a volunteer fire department in which a member's full time occupation is working in the local school system. That person only becomes a responder when the siren goes off; up until then he or she is a school teacher. Similarly at the Department, when an event such as a training exercise, or an actual emergency occurs, the Secretary, through the Director of Security and Emergency Operations ``stands-up'' a response team. Until that time, most personnel are working full time on the laboratories' scientific and technical missions. Once a team is formed, the operational responsibility shifts from the laboratory to the Department's headquarters chain of command. The administrative responsibility continues with the laboratories. For example, the Director of Emergency Management cannot fire or suspend a University of California team member, however, the ultimate administrative responsibility continues with the laboratory's director. Training deployments or real world events, such as the World Trade Organization meeting in Seattle,Washington or the 50th NATO Summit in Washington, DC, present unique and difficult challenges in moving and securing the classified equipment on the road. Sometimes the teams work in US cities and other times they find themselves in overseas locations. RECENT REPORTS Now I would like to take this opportunity to address recent reports criticizing the Department's security. We have recently reviewed the Inspector General's report entitled ``Inspection of Allegations Relating to the Albuquerque Operations Office Security Survey Process and the Security Operations' Self- Assessments at Los Alamos National Laboratory.'' We are concerned about these results, particularly with respect to the reported changes to the 1998 and 1999 surveys without providing a documented rationale for the changes. We note however, that making such ratings decisions always involves a degree of objective judgment. However, we are more concerned with the reported destruction of work papers regarding the survey ratings at the Albuquerque Operations Office, and reports that thirty percent of the laboratory security staff felt pressured to ``mitigate'' security self-assessments and other related allegations. We are reviewing the report carefully and are not ruling out changes to existing procedures regarding our security surveys and self-assessments. We also are reviewing the role and actions of the personnel involved in these particular surveys and assessments, and stand ready to hold personnel fully accountable for any improper actions taken, if our review indicates that to be the case. I will now discuss the responsibilities of the Department's Counterintelligence (CI) Program inspections. This program was directed by Presidential Decision Directive No. 61, which directed the establishment of a CI Program at Energy, and the inspections of the CI Programs in the laboratories, sites and operations offices. These inspections assess program performance in seven topical areas, which include subjects such as investigations, training, analysis and management. The inspections also evaluate the degree to which the programs are in compliance with the measures identified by the CI Implementation Plan. The CI Programs of the three national laboratories were inspected in August, September and October of 1999. As the Committee knows, the CI Program at Lawrence Livermore received a satisfactory rating. The CI Programs at Los Alamos and Sandia, however, received a marginal and an unsatisfactory rating, respectively. Many of the problems stemmed from the newness of these CI Programs and the personnel involved. Shortfalls identified by the inspections were responded to in corrective action plans developed by the programs; progress on the corrective actions was tracked by Office of Counterintelligence management. The Office of Counterintelligence reinspected the Los Alamos and Sandia CI Programs in April of this year. These special inspections focused on the problem areas that were identified during the initial Inspections. In both cases, the inspections found that the corrective actions had been completed and both programs received satisfactory ratings. The Lawrence Livermore CI Program will be reinspected in September. Next, I would like to make a few comments on the recently publicized General Accounting Office (GAO) report on the Department's foreign travelers. The Department agrees with the GAO that travelers to nonsensitive countries may also encounter incidents similar to those experienced by sensitive country travelers and that any Department employee traveling overseas could be an intelligence target. It is true that the initial focus of the CI Program has been on Departmental employees working in classified programs who have sensitive country contact. However, our CI Program does not focus only on those employees and programs. The Department's Counterintelligence Program collects information of any kind or any location that may show a foreign intelligence presence. Moreover, all employees and contractors are required to receive an annual CI awareness briefing that instructs on the methods and capabilities of foreign intelligence services. During these briefings, employees are instructed to inform their CI officers of anything they observe that may be an indicator of intelligence activity. In short, our relatively new CI Program, which truly only got underway after Secretary Richardson arrived to the Department in late 1998, leaves the Department far better prepared to protect its personnel and programs overseas than ever before. Our defensive CI Program now can be said to be one of the best in government, and it will continue to improve. The fact that the report cites a number of overseas incidents is not an indicator of CI Program deficiencies; rather, the existence of these incident reports demonstrates that Energy's CI Program is getting the information it needs to build a good defense to these ongoing hostile intelligence activities. Moreover, as a result of the incident reporting the CI Program is getting, we believe we are steadily improving our ability to get the message to our employees on how they can protect themselves during overseas travel. LARGER PICTURE The Department of Energy has a greater charge from the American people. Our overall nuclear security. It is a task far more complex than can be described by me or debated to a satisfying conclusion here today. We are responsible for: Sustaining America's nuclear deterrent--the cornerstone of our national defense; and Securing nuclear weapons materials and know-how--at home and abroad. The Department has taken its security responsibility very seriously. The challenges of the Department of Energy have crossed decades and administrations. Ultimately, security will always also be an individual responsibility, and must rely on the dedication, loyalty, and patriotism of our weapons scientists. And these people must be accountable like anybody else. Individuals are, indeed, fallible, and no amount of policy--no amount of legislation--will protect us from irresponsibility and human failings. We must remember that a successful security policy is one that results in the detection of security violations. The worst security violations are the ones that go undetected. We will continue to keep you and other key Congressional committees informed of further developments immediately as they become available. Thank you for this opportunity to appear before you today to provide an update on security at the Department of Energy's weapon laboratories. Mr. Upton. General Habiger. Mr. Habiger. Mr. Chairman, thank you. I just want to clarify three things. First, I am a little disappointed at our colleagues from the General Accounting Office in terms of the chart that they put up there, in terms of what you saw was characterized as Department of Energy. What you saw in that chart is across the government in every respect. That's point No. 1. Point No. 2, and I think it is equally important, is if you--if he had included time lines, you would have clearly seen that we didn't get credit for dragging our feet like we normally do. We lagged the rest of government for some very, very good reasons. Point No. 3, sir, Ms. DeGette raised the point about human reliability program and a letter from Podonsky to Habiger. Mr. Chairman, I asked for Glenn's input because I had only been in the job 6 weeks and I saw we had two human reliability programs at the Department of Energy. It didn't make sense; two different rice bowls. It has taken awhile, but we are in the final stages of putting out a strengthened single human reliability program. But to characterize questions to Glenn as to whether or not I accepted his inputs, I am the one that asked for those inputs. Thank you, sir. Mr. Upton. Thank you. Dr. Robinson. TESTIMONY OF C. PAUL ROBINSON Mr. Robinson. Thank you very much, Mr. Chairman. It is a pleasure to again be with you. I did prepare a formal written statement for the record, and with your permission---- Mr. Upton. All the statements will be made a part of the record. Mr. Robinson. Good. I will summarize and move to your questions. Several of you, in fact, visited our laboratories to sample the security environment. You saw for yourselves the physical security measures, the personnel security measures both to enter or egress from one of our facilities. We discussed the challenges which cyber security is placing before us and some of the measures we are taking to counter that threat. Most of you know the unique missions of Sandia National Laboratories: U.S. nuclear weapons, related areas of nuclear intelligence and nonproliferation. You may not be aware of our mission responsibilities in security research and development, both for nuclear weapons storage and transport, and computer security technologies. We carry these functions out for not only the Department of Energy but for other high-security agencies as well. Because of these core responsibilities, we believe we should and can be held to a higher standard for security, and I believe the record will show that we are meeting that higher standard. Now, this is certainly not an area to ever be boastful. Security is something that does require eternal vigilance. I will try to explain, and I think I try to discuss in my testimony, the complexity that accompanies security. Most importantly, at its heart, security requires the care and devoted effort of the people who perform the classified work. There is always the danger of a mental lapse, a mental lapse which could cause great harm. Besides trying to design in approaches of defense and depth into all of our security practices and procedures, which could allow for that inevitable human error that will occur, we must also involve our people, those who carry out the classified work in the design of the best practices. I believe their understanding, their faithfulness, their care in fulfilling these duties as holders of our important secrets is an essential part of the formula for success. In my testimony, I would like--I do describe security management at Sandia; our unique role within emergency response functions, our controls to protect classified material, both documents and electronic media. We have made more stringent controls on vaults and vault-like rooms. Finally, in that wonderful clarity that's hindsight, I do discuss some of the weaknesses, both in document accountability and in classification, or rather declassification. I think these are areas where we can all agree we need to make improvements. Let me close with the statement that I said in my formal text. I have been in classified work, associated with nuclear weapons, for just over 32 years. I can validate Secretary Richardson's remark several weeks ago that indeed he has done more to focus on and improve security than any prior Secretary. Doubtless, that is true, but I believe we are all culpable. Indeed, across the government, standards were lowered after the end of the cold war, in classification and accountability for classified documents and levels of background investigation to obtain clearance to work at our laboratories. Also, we have been facing in more recent years a growing threat of cyber security which is real and it is challenging. What is the road back? I think we need to use the opportunity you have provided us in the creation of the NNSA to streamline responsibilities and accountabilities, to clear out the bureaucracy that often confuses this line and paralyzes actions by both Department Secretaries as well as laboratory directors. I want to assure you, we did not lose our concern for security. We are a unique enterprise, conducted on behalf of the Nation. We can and we will strengthen the protections to once again win your respect to manage nuclear weapon affairs with confidence. Thank you very much. [The prepared statement of C. Paul Robinson follows:] Prepared Statement of C. Paul Robinson, Director, Sandia National Laboratories INTRODUCTION Mr. Chairman and distinguished members of the committee, thank you for the opportunity to testify today. I am Paul Robinson, director of Sandia National Laboratories. Sandia National Laboratories is managed and operated for the U.S. Department of Energy by Sandia Corporation, a subsidiary of the Lockheed Martin Corporation. Sandia National Laboratories is a multiprogram laboratory of the National Nuclear Security Administration (NNSA). We share responsibility for the design and stewardship of nuclear weapons with Los Alamos and Lawrence Livermore National Laboratories. Sandia's job is the design, development, and certification of nearly all of the non- nuclear subsystems of nuclear weapons. Our responsibilities include arming, fuzing, and firing systems; safety, security, and use-control systems; engineering support for production and dismantlement of nuclear weapons; and surveillance and support of weapons in stockpile. We perform substantial work in programs closely related to nuclear weapons, such as nuclear intelligence, nonproliferation, and treaty verification technologies. As a multiprogram national laboratory, Sandia also performs research and development for DOE's energy offices, as well as work for other agencies when our unique capabilities can make significant contributions. SECURITY AND BUREAUCRACY I appreciate your invitation to make a statement today addressing the topic, ``Weaknesses in Classified Information Security Controls at DOE's Nuclear Weapon Laboratories.'' Secretary Richardson said in testimony before the Senate Armed Services Committee on June 21 that he has done more to improve security during his two years in office than had been accomplished in the previous twenty years by his predecessors. I have been active in the DOE/AEC community for all my career, and I can vouch for his claim. Yet, for all the well-motivated actions and strong leadership that has been so evident, I cannot say that our important restricted data and national security information are more secure than ever before. My hesitancy derives from a surfeit of complications that surround security. The Secretary and the laboratory directors share the same desire for effective security performance; we are not at odds. But I believe we are both stymied by the bureaucratic sclerosis of the agency. From below, the laboratories are frustrated with a maze of conflicting rules and directives from various offices of the Department, together with team after team of inspectors that descend upon us. From above, the Secretary has resorted to managing the security problems by issuing directives from his own office, rather than relying on the agency's internal mechanisms to generate and implement reforms. This game of catch-up between the top of the agency and those who must implement the directives, with far too little communication on the chances for success or the unforeseen consequences of new policies, has been a problem in almost all areas of support for DOE missions--in environment, safety, and health issues, in business practices, and in security. The President's Foreign Intelligence Advisory Board (PFIAB) appreciated the magnitude of this problem. Their report, ``Science at Its Best; Security at Its Worst,'' issued last year, referred to DOE as a ``big, byzantine, and bewildering bureaucracy.'' In regard to security performance, the PFIAB found that ``multiple chains of command and standards of performance negated accountability, resulting in pervasive inefficiency, confusion, and mistrust'' (page I). It concluded that ``real and lasting security and counterintelligence reform at the weapons labs is simply unworkable within DOE's current structure and culture'' (page 46). The PFIAB's recommendations, of course, were the impetus for the legislation creating the semi- autonomous National Nuclear Security Administration within the Department of Energy. It is my belief that the circumstances in DOE are not the fault of any individuals, certainly not the people who are in charge or occupy key positions in the Department of Energy today. As the President's Foreign Intelligence Advisory Board found, the single most identifiable factor that led to the current state of affairs was the relentless growth of bureaucracy. My definition of bureaucracy is when well- meaning, capable people find it difficult to accomplish their mission responsibilities because of multiple lines of authority and bureaucratic hurdles that must be overcome. I believe the National Nuclear Security Administration is our last best hope for fixing our security problems in a systematic way. By ``fixing'' I mean creating a security culture across the complex (federal workers and contractors) that achieves teamwork and mutual commitment to the goals of security. As things stand now, there is little sense of collaborative work toward a shared goal in security. Security in DOE is a ``house divided''--those who make the rules, and those who must follow them. There is little discussion with the field by those who write guidance and policy. The people who really know the technologies that can be helpful have little input. It is, as has been said before, a ``dysfunctional'' relationship. The new administrator of the NNSA, General John A. Gordon, has quite a challenge before him. But as qualified and as competent as he is, he will not succeed unless he has full authority and free rein to redesign the structure of the nuclear complex from the ground up. I know that the laboratory directors and the federal managers of the NNSA will fully support him in this undertaking. SANDIA HAS A POSITIVE SECURITY CULTURE An erroneous perception has arisen that the laboratories have a culture of indifference or even contempt for security. I can tell you that this perception is grossly inaccurate for Sandia National Laboratories, and I believe it is inaccurate for the other NNSA laboratories as well. Certainly we have had challenges and problems in various aspects of security performance, but I take issue with the belief that we have an ingrained or widespread ``attitude problem'' toward security at Sandia. Sandia's laboratory culture was shaped by its industrial heritage, which began in 1949 under the management of AT&T Bell Laboratories and continued after 1993 with Lockheed Martin Corporation. Our industrial roots gave us a strong cultural commitment to security. Industrial laboratories are very conscious of the need to keep proprietary information secure. As I enumerated in previous testimony to this committee, Sandia has a long history of originating and implementing innovations that have improved security without direction from DOE (see Questions for the Record for my testimony to this subcommittee on October 26, 1999). And we also have a history--as I will illustrate later in my statement--of challenging policy changes mandated from above that would weaken our protections and controls on classified materials. In June 1999, the Secretary of Energy called for a stand-down of operations at the Defense Programs laboratories to conduct an intensive two-day session of security training. Contrary to reports that laboratory staff were resistant to this training, our staff participated with great interest and with a positive attitude. We had 93 percent staff participation during the stand-down, and we achieved the full 100 percent shortly thereafter. (The seven percent difference consisted of people on previously scheduled vacations or essential business travel, illness absences, and critical job functions such as security and medical staffing.) The thoughtful dialog and suggestions offered by employees during the security sessions clearly demonstrated a laboratory culture of positive concern and advocacy for effective security. I was not at all surprised that the inspectors from the DOE Office of Independent Oversight and Performance Assurance remarked on the positive and cooperative attitude among Sandia managers with whom they worked during the 1999 inspection of Sandia National Laboratories. I frequently get similar comments from other audit and inspection teams. Sandia has a culture of respect for security, and people notice it. At the close-out meeting of the most recent visit of the DOE Oversight and Performance Assurance Team in June, it was encouraging to receive informal verbal feedback from the inspectors to the effect that Sandia is currently meeting all requirements and is above and beyond minimal requirements in many areas. The team commented that they found it refreshing to see a sense of ownership for security at the manager level. They also remarked that Sandia's custodians of classified matter are well-versed in their responsibilities; they know what to do and are doing it well. SECURITY MANAGEMENT AT SANDIA Sandia has implemented an Integrated Safeguards and Security Management System (ISSMS) for all its security responsibilities. As the name implies, the goal of Integrated Safeguards and Security Management is to incorporate responsibility for security into the daily work of every employee. We can't just bring in security experts and give them the job of inspecting-out the defects; every single person bears responsibility to build-in and maintain sound security measures. This is a necessary attribute of a stable security culture. ISSMS establishes clear and unambiguous lines of authority and responsibility for ensuring that secure operations are established and maintained at all organizational levels. Authority and responsibility for security at Sandia National Laboratories begins with me and flows via my deputy laboratory director to the line vice presidents that report to her. Sandia's Chief Security Officer coordinates the enabling resources that support the line executives in their security responsibilities. ISSMS ensures that personnel possess the training, knowledge, and abilities necessary to discharge their security responsibilities. It also provides a way to allocate resources efficiently to address security and operational needs. Our ISSMS methodology stresses the need to identify applicable security standards and requirements before work is performed. Administrative and engineering controls to prevent and mitigate security risks are tailored to the work being performed and are designed into work processes. While we make use of a ``fresh-set-of- eyes'' in examining security practices and draw on the knowledge and experience of security professionals, we gain the involvement and creativity of those actually carrying out the work in developing security procedures that make sense in the workplace. SANDIA'S PARTICIPATION WITH THE NNSA'S NUCLEAR EMERGENCY SEARCH TEAM (NEST) The National Nuclear Security Administration plays a vitally important support role in combating acts of nuclear terrorism through its Nuclear Emergency Search Team (NEST). NEST provides the FBI with technical assistance in response to terrorist use or threat of use of a nuclear or radiological device in the United States. NEST also supports the State Department in a similar role overseas. Another team, the Accident Response Group (ARG), has the different mission of providing technical support in response to accidents involving U.S. nuclear weapons while they are either in the custody of DOE or the military services. The highly selective force that makes up the cadre of deployment personnel for NEST and ARG are mostly from the nuclear weapons laboratories. To be on the NEST team, an individual must be approved by both line and program management, have certain essential technical skills, pass a physical examination, and take additional training. My experience is that NEST members are conscientious and dedicated individuals with a high sense of duty. NEST personnel volunteer for a mission which, if not successful, could have severe consequences for the nation and be fatal for the team. Sandia National Laboratories contributes a number of team members to the NEST. Sandia does not possess any NEST computer media similar to that reported as missing by the Los Alamos group. Sandia's role in NEST is different from that of Los Alamos and Lawrence Livermore, focusing largely on the non-nuclear electronic subsystems of warheads and bombs as well as methods for calculating the consequences of dispersal events and methods for containment. Sandia does maintain some classified computer media and lap-tops under the ARG program. This information is significantly different from the NEST media at Los Alamos. This classified material has all been accounted for. Furthermore, within the last three weeks, we instituted stricter controls for these items, including a two-person rule and formal sign-in/sign-out procedures. CLASSIFIED MATERIAL PROTECTION AND CONTROL Sandia employees and contractors who handle classified matter are required to protect and control classified material from unauthorized, casual, and deliberate access. This requirement is one of the first things a new-hire is briefed on when he or she joins Sandia National Laboratories, and we continue to educate our personnel on the procedures that implement this policy throughout their careers through annual refresher training courses. The core principles that we teach our employees regarding access to classified material are contained in Sandia's Safeguards and Security Guide, which is readily available as a reference on our internal network. Access to classified matter requires a job-related need-to- know, as determined by an individual's manager, as well as a proper security clearance. As you know, Secretary Richardson distributed a memorandum on June 19, 2000, directing the implementation of certain enhanced protection measures at the NNSA laboratories. I welcome the emphasis on accountability that the memorandum so clearly communicates. Sandia took immediate steps to implement or commence work on the enhancement measures that are the responsibility of the laboratories, and we will cooperate with the NNSA offices responsible for implementing other measures in their purview. Controls for Vault Access Sandia has explicit rules governing the storage of classified matter. Briefly, classified material must be stored in vaults or vault- type rooms (or in a military-style igloo similar to a vault-type room), or in key- or combination-lock containers approved by the General Services Administration and located in a locked and alarmed building. Sandia National Laboratories manages 166 vaults or vault-type rooms that store classified matter (documents or material)--114 at our New Mexico location and 52 at our California site. In compliance with Secretary Richardson's memorandum of June 19, 2000 (received late on June 20), Sandia modified operating procedures for all vault access on June 21. We modified our log sheets to record the entrance and exit of all personnel. We also required that access/ egress points for vaults be under continuous, positive control by personnel authorized for access to that specific vault. Or, for vault- type rooms (large vaults in which a number of people work) we required that the vault be occupied and that access by authorized personnel be controlled by an electronic system. In the absence of these controls, the vault must be in a locked and alarmed state. Controls over Electronic Media On June 15, 2000, Sandia's chief information officer initiated a lab-wide survey of removable classified electronic storage media. The objective of this survey was to determine that removable media are accounted for (to the extent possible in the absence of formal document accountability) and are properly stored. The survey found that all holdings were accounted for, except for two relatively minor issues which were immediately communicated to DOE via the Department's incident reporting system. The first issue involved a set of unclassified commercial software program disks that were treated as classified. The inquiry is still active, but has concluded that those disks contained no classified information. The other issue (reported on June 30) involves a single 3\1/2\ inch, 1.44-megabyte diskette that has not yet been located. An inquiry is currently underway in accordance with DOE procedures. Significant overall improvements in the cyber-security of the nuclear weapons complex have been accomplished at substantial cost in 1999 and 2000. However, many potential vulnerabilities continue to present formidable challenges to computer security. There are no easy solutions. Although encrypted removable media or media-less computing may have their places in a defensive system (and I believe they do), there are many ways for a sophisticated adversary to extract information in today's modern electronic environment. Removable media, email, hot mail, ftp file transfer, http file transfer, port-enabled file transfers, laptops, modems, network sniffers, video-monitor-to-VCR converters, faxes, mail, copiers, two-way pagers, telephones, cell- phones, and computer trash are all potentially exploitable. Cyber- security is certainly the most formidable security challenge facing DOE and the federal government as a whole. Because of the magnitude of the cyber-security challenge, a systems approach across the entire NNSA complex is required. I am very pleased that emergency supplemental funding for cyber-security upgrades has been approved by Congress as part of the FY2001 Military Construction Appropriations Bill. The funding is badly needed to combat cyber threats and vulnerabilities in a coordinated fashion throughout the nuclear weapons complex. WEAKNESSES IN THE DOCUMENT ACCOUNTABILITY PROGRAM Prior to 1991, DOE practiced full document accountability for all Secret data under its control. Document accountability was a formal system for inventorying and recording access to classified documents over the lifetime of the document, from creation to destruction. The system was analogous to--although much more rigorous than--the common library check-out system that was aptly cited by a member of this committee. In February 1991, DOE modified its accountability rules to drop the requirement for formal document accountability over Secret National Security Information and ``non-weapon Secret Restricted Data.'' (Restricted Data is a category of protected information created by the Atomic Energy Act that includes ``data concerning the manufacture or utilization of atomic weapons, the production of fissionable material, or the use of fissionable material in the production of power.'') In May 1992, DOE extended its Modified Accountability Program to include weapon-related Secret Restricted Data. DOE notified the laboratories that accountability requirements were being modified for all categories of Secret data for organizations that had met certain requirements, including having completed a 100 percent inventory and reconciliation of controlled documents in accordance with DOE Order 5635.1A. The Modified Accountability Program was instituted by DOE to accommodate the National Industrial Security Program, which was intended to standardize security requirements among all federal agencies. It should be noted that prior to the Modified Accountability Program, DOE protected Secret Restricted Data with the same level of protection employed by the Department of Defense for Top Secret. The modified accountability program eliminated the requirements for unique document numbers and maintenance of accountability records for documents, inventories, destruction certificates, written authorizations to reproduce, and some internal receipting. Other security procedures not explicitly changed by the modified accountability program were unaffected. Unfortunately, with the change in accountability, DOE lost the ability to track who was accessing which secret documents, a feature that had been a useful tool for counterintelligence analysis. While this change clearly saved money and made sense in the broader context of consistency across all federal agencies, it reduced our ability to quickly detect the absence of a document, and it eliminated our capability to formally monitor the access to secret classified matter. This statement applies to documents and information in printed form as well as to electronic media. The laboratory directors were never comfortable with the change to Modified Document Accountability. At Sandia, we originally told DOE that we intended not to implement the Modified Accountability Program. In response, DOE told us that costs for full accountability would no longer be reimbursable under the operating contract. Sandia complied with DOE's requirement, but we left open local options for higher levels of accountability. In January 1998, DOE moved to eliminate full document accountability for Top Secret Restricted Data as well (and for other categories of Top Secret information). As part of this change, DOE eliminated the ``Top Secret Control Officer'' positions at the laboratories. I am proud to say that staff at Sandia had better sense and continued to protect Top Secret data with full document accountability--a decision that I have fully endorsed. Sandia National Laboratories has consistently maintained full accountability for all Top Secret data under its control. And in fact, we have also maintained document accountability over selected sets of Secret data that we felt merited ongoing accountability. These examples demonstrate the culture of respect for security that exists at our laboratory. Rather than resisting efforts to improve security (as has been charged by some critics of the laboratories), the record shows that we are more likely to resist efforts to weaken it. On March 1, 1999--following a conference call of the three nuclear weapon laboratory directors with Under Secretary Ernest Moniz on the topic of Secret and Top Secret accountability--I faxed a request on behalf of the directors to the Under Secretary in which we recommended that the former controls over document accountability be reinstated as quickly as possible. We requested that the Under Secretary and the Department's counterintelligence official evaluate the feasibility of promptly reinstating full document accountability. This request was submitted to the Department's security bureaucracy, and to our knowledge it has never emerged. I have twice brought the modified accountability problem to the attention of Congress in testimony: in my statement to the Senate Committee on Energy and Natural Resources on May 5, 1999, and to this very subcommittee on October 26, 1999. In my judgment, we can no longer afford to wait for official reinstatement of the full document accountability policy. The security and counterintelligence benefits afforded by formal accountability decisively outweigh the costs. Moreover, formal document accountability will help protect conscientious employees from the indignity of criminal suspicion similar to what some employees had to endure in the recent Los Alamos incident. Therefore, I have decided that Sandia National Laboratories will re-implement formal document accountability for Secret Restricted Data under its control at the earliest feasible date. I have directed Sandia's Chief Security Officer to develop an implementation plan for this change. WEAKNESSES IN THE CLASSIFICATION PROGRAM In parallel with the changes in document accountability introduced by the Department of Energy in the middle 1990s, changes were also made to DOE's classification program that, in my view, introduced systemic weaknesses. A Fundamental Classification Policy Review was recommended by a Classification Policy Study in July 1992. Based on that recommendation, Secretary Hazel O'Leary committed DOE to review all classification policies and related technical guidance, and then to revise classification guidance to reflect changes in policy. DOE's Fundamental Classification Policy Review was initiated in March 1995, and was a major component of Secretary O'Leary's Openness Initiative. In April 1995, the President issued Executive Order 12958, ``Classified National Security Information.'' This directive modified some of the existing rules concerning classification, but it introduced significant new provisions requiring agencies to perform large-scale reviews of material for potential declassification. However, the order explicitly exempted Restricted Data (RD), which is governed by the classification provisions of the Atomic Energy Act. Even though Executive Order 12958 excluded Atomic Energy Act Restricted Data, the directive dramatically influenced DOE's thinking toward classification and declassification of RD during its Fundamental Classification Policy Review. The review concluded in July 1996 with recommendations for regulatory changes that substantially applied the provisions of Executive Order 12958 to Atomic Energy Act Restricted Data. The new regulations (10CFR1045) required large-scale periodic and systematic reviews of RD documents for declassification ``based on the degree of public and researcher interest and likelihood of declassification upon review.'' The declassification regulations, while well-intentioned, required a level of effort by the Department that it was not equipped to handle. As a result, the primary emphasis and deployment of manpower in the classification organization at DOE changed from effective administration of classification responsibilities to effective management of the declassification efforts. The organization even changed its name from ``Office of Classification'' to ``Office of Declassification.'' It should be noted that some federal agencies used the process of ``bulk declassification'' as a mechanism to meet the requirements of Executive Order 12958. This practice often resulted in inappropriate information being released into the public domain without document-by- document review. The negative impact of these actions is still being felt today throughout the federal government. It has become evident in the last few years that DOE's classification program is in crisis. As a profession, the classification field has become needlessly complex and arcane. The federal government's classification rules evolved over several decades and from different agencies, and they are rife with inconsistencies and legalistic complexities. The system is poorly indexed and coordinated. DOE classification officers rely on a body of some eight hundred sources of classification guidance for DOE source material alone; and they must be familiar with hundreds of other sources that govern the classification of National Security Information from other agencies. Classification professionals in the DOE community--and they are all technical-degreed personnel--often must use their subjective good judgment to resolve conflicting or unclear guidance. To their credit, the DOE Office of Declassification embarked on a ``Guidance Flattening Initiative'' two years ago which should go a long way toward simplifying classification guidance and reducing conflicts. It would also be helpful if the classification community could define subsets of need-to-know categories to help us in administering the need-to-know principle. However, the classification community in DOE is disproportionately assigned to the management of the declassification effort, with a need to devote more effort to the efficient and effective management of the classification program. IMPACT OF SECURITY ON THE WORK ENVIRONMENT As a laboratory director, I am responsible for maintaining in top condition the infrastructure and human talent of one of the nation's foremost laboratories supporting vitally important national security objectives. I am worried about our pool of human talent to carry out this mission. Clearly, the NNSA laboratories need to continue their focus on enhancing security. But if security enhancements are implemented in a way that creates an atmosphere of mistrust, or generates unnecessary procedural burdens, or is perceived to be discriminatory against some groups, or dictates prescriptions that technical people have no input to, then the talent pool at the laboratories will begin to suffer. Even without the security issues that the laboratories face today, we would still be having a tough time attracting and retaining talent in an economy that offers very attractive opportunities to technical graduates. Frankly, we are beginning to have a serious multidisciplinary staff retention issue. Poorly thought-out security and human reliability programs will only make that situation worse. Rather, the NNSA must strive to create conditions that make security a natural way of doing one's job. We need user-friendly work environments that incorporate robust security features in a way that achieves maximum protection for secrets with minimal obstruction of productive activity. I am certain that the best solutions will be system solutions that begin by focusing on specific work activities and move outward from there to establish rules--as opposed to those that begin with rules, directives, and policies that originate at a great distance from the workplace. Robust and lasting security can only be achieved through the cooperative efforts of the laboratories, their M&O contractors, and NNSA management, with the firm but supportive oversight of Congress. Mr. Upton. Thank you very much. The second bells are just about ready to ring, so we are now going to adjourn until 1 o'clock, and we will start with Dr. Browne when we come back. Thank you. [Brief recess.] Mr. Upton. Thank you, everyone, for being prompt and coming back. Dr. Robinson, thank you for your testimony. Dr. Browne, welcome. STATEMENT OF JOHN C. BROWNE Mr. Browne. Mr. Chairman, members of the committee, thank you. It has been 6 weeks since I first found out about these missing hard drives. That was on June 1 of this year, and my anger and frustration has increased over these 6 weeks because we have not been able to understand how this incident occurred or, in fact, what led to even the missing hard drives being found on June 16. Their finding really gives me no comfort, and we certainly did not celebrate. We were pleased that we had control back of the hard drives, but we were not pleased because we did not understand the circumstances. I would like to clear up something for the record. It has been stated that the University of California did not notify the Department of Energy for over 3 weeks. It is true that some employees at the laboratories kept that information from my management team. But when we found out, we immediately and promptly notified the Department of Energy. As a matter of fact it was less than 2 hours between the time I was informed and the formal notification of the Department of Energy. I would like to start out by saying that there are no excuses that I can give you for this hard drive incident, and I certainly did not want to come here and point fingers between myself and the Department of Energy. When we look at this, there may be some contributing factors. Again, none of them really are excuses, but they are contributing factors. One is, I do think that we have to look at the adequacy of both DOE laboratory procedures and practices, both to prevent and detect this type of incident. I think we have to determine whether our human reliability programs are adequate. And did we have the appropriate oversight of a closely held need-to-know program like NEST, and fundamentally, did we have the right formality of operations in the NEST program. Let me say that I am accountable for the actions at Los Alamos National Laboratory, and I take those responsibilities very seriously. We have taken significant corrective actions since the finding of the hard drives being missing, and I will take disciplinary action once the FBI case has been concluded, I have been precluded from further internal investigations by the FBI. I believe we must return Secret RD and Top Secret to accountability and tracking. There is a cost and a time factor involved. I think we should review our human reliability programs to make sure we have the right people and we have the right program in place. Science is essential to do our mission. We will fail without science. But it is not sufficient. If we have indifference or carelessness on the part of any of our people, regardless of their scientific or technical accomplishments, we cannot allow that to occur and to affect national security. I think the challenge facing General Gordon and the NNSA is to reinforce the security culture while maintaining science at its best. And I think he should be given the opportunity to do that, and we certainly will support him in that. Let me make just a few points. We have discussed a lot this morning, the 1990 period of security deemphasis. I will not go into any more of that. I think it has been covered pretty clearly. I would like to point out that before this committee last year, I think all three laboratories testified to the point that we felt L Clearances and the use of L Clearance as a default clearance was a mistake and that we would prefer to have Q Clearances at our site. And I think we still feel the same way. Also the color of badges. We brought that up saying that we thought a single-colored badge really hurt our ability to maintain security environment at our laboratory. The Department has returned to a colored-badge system that we think is very effective now. When I became director about 2\1/2\ years ago, I started a lot of security enhancements. I have increased the budget that we spend on security by 50 percent in the last 3 years. We have made improvements in cyber security, counterintelligence, and since the hard drives incident, we have been logging people in and out of vaults since about June 12. We now have our computer media, the high-density type of media, whether they are hard drives or Zip drives or any of that type, we have 66,000 of those bar-coded, and they are able to be tracked. We are waiting for guidance from the Department of Energy on how best to put in place a tracking system that is consistent across the entire Department of Energy so that we do not have incompatibilities between various sites. Let me mention something that Mr. Podonsky brought up this morning, which I think is a very important issue about the role of UC in the laboratory and the Department of Energy. I know my time is up, but if it is okay, I would like to make this point. It is a shared and joint upon responsibility. There is no doubt that the University of California signed a contract with the Department of Energy, which assigns responsibility for security to the university, and that as an officer of the university, they delegate that responsibility to me as laboratory director. And I accept that responsibility. The Department shares, I believe, in our accomplishment of that, because they do set rules. They do evaluate our performance, and they also provide the resources. And I think it is important for the committee to realize that there are no separate resources provided for security. The security dollars come out of the programs directly. Which means there always has to be a prioritization between safety, security, programmatic. And it is a balancing act that both the labs and the DOE have to maintain. With that, I will stop and be happy to answer any questions that you might have. The last statement I guess I would like to conclude with is I would hope this committee does not judge all 8,000 Los Alamos employees by the acts of a few individuals. Our people are really dedicated to national security. I would like to tell you today that they are hurt and angry. They feel let down by their other employees. People are really angry. I get lots of e-mail from laboratory employees who have been pretty outspoken about this latest incident in the wake of the one a year ago. I believe that science and security can coexist. I think it is critical to our Nation's defense, and I believe that we need to move on from this incident; learn from it, but not throw out the good things that we have and are doing for our country. Thank you. [The prepared statement of John C. Browne follows:] Prepared Statement of John C. Browne, Director, Los Alamos National Laboratory INTRODUCTION Mr. Chairman and members, thank you for the opportunity to discuss the security environment within which the Laboratory operated when the recent serious security incident occurred. When I first heard about this incident my reaction was probably the same as yours--how could this happen at Los Alamos after all the events of last year? I am angry and frustrated. The fact that the hard drives with classified information were found on June 16 by one of our people does not diminish accountability or responsibility to address the root causes. We made many significant improvements to security in the last year, with a strong emphasis on cyber security. We enhanced our security awareness training for our employees and subcontractors. Nevertheless, this incident still occurred at our Laboratory, leaving us to ask what more needs to be done. Although there are no excuses for this incident, there may be some contributing factors. The issues I have identified so far involve the adequacy of required DOE and Laboratory security procedures, human reliability in following procedures, and the oversight and acceptance of responsibility for security in special programs. Key Messages I have these key messages to emphasize today: We are accountable. Corrective actions have been taken; more are underway; disciplinary actions will be taken, subject to the immediate requirements of the ongoing criminal investigation. There is a need to return to more formal accountability for handling of Secret Restricted Data materials. Increased accountability will enhance the sense of personal responsibility, and reduce the opportunity for and consequences from human error. Human reliability programs need to be evaluated to ensure that people with access to the most sensitive information are included and that the program is effective. Outstanding science is essential to achieve our mission--we will fail without it--but it is not sufficient. Indifference or carelessness toward security, regardless of an individual's or an organization's accomplishments, will not be allowed to compromise our nation's interests. The National Nuclear Security Administration has a major challenge to reinforce the security culture while retaining science at its best in the National Laboratories, and they should be given the opportunity to do so. SCIENCE AND SECURITY Criticism of the National Laboratories recently has taken the form that security is in direct conflict with an elite scientific culture because security emphasizes keeping information from people while science flourishes in an open environment. I reject the notion that science and security are incompatible. The tension that exists between the characteristics of security and science has been and can continue to be managed effectively. The most sensitive information in our custody--information about the design and operation of our country's nuclear arsenal--has been developed by the very scientists who are responsible for assuring that it is securely managed. More than any others, these scientists understand the information entrusted to them and appreciate the risks involved should it end up in the wrong hands. They have devoted their careers to public service in the national interest. They have demonstrated since the early days of the nuclear weapons program their ability to accomplish outstanding science and to simultaneously satisfy the requirements of effective security. For over 50 years, our nation has been well served by the relationship between the University of California and the Department of Energy and its predecessor agencies. It is one of the longest lasting and most productive partnerships between a state entity and the federal government in our history. The University has provided an outstanding workforce to help the government solve some of its most challenging national defense problems. The challenge today and in the coming decade to ensure the safety and reliability of the US nuclear deterrent without nuclear testing is as great as any faced in our history. The University's role is as important now as ever. Security management is a responsibility assigned to the Laboratory by the DOE through the management and oversight contract with the University of California. I would like to emphasize that as Laboratory Director, I am an officer of the University of California. In that role I represent the University and carry out the responsibilities assigned to it. I take that responsibility very seriously. The DOE sets the security rules within which we work. DOE evaluates our security performance through a series of programmatic and independent audits. DOE provides the financial resources to implement the security systems that are required. If resources do not match requirements, DOE sets the priorities. The University's obligations in all aspects of contract performance were made more explicit in the performance-based contract starting in October of 1993. This arrangement, which became a federal norm in that time frame, was to have clearly defined the contractor's accountability by establishing quantitative performance goals. However, in the last implementation of this process to the security function, the previously agreed-to criteria were dropped and our performance was judged solely by the outcome of the final 1999 DOE ``go green'' audit. This left our evaluation dependent on the auditors' criteria rather than a set of pre-established performance standards and metrics covering the major areas of security. The University has greatly enhanced its ability to provide oversight by adding a dedicated laboratory management office in 1993 that provides an interface with the DOE on contractual issues. The UC Board of Regents has had a standing Laboratory Oversight Committee that regularly interacts with the Laboratory directors. The University of California President also has a Committee on the National Laboratories that is composed of individuals who previously served in senior positions in industry, government and academia. Recently the University of California Office of the President (UCOP) appointed a security advisory panel chaired by Adm. Tom Brooks and hired a former military security officer as UC security director for contractor oversight on these matters. The UCOP and Admiral Brooks have assembled an outstanding panel of security experts that has begun to evaluate security practices across a broad spectrum at the two UC weapons labs. This panel has not been in existence long enough to have an impact on our security performance. Committees and offices by themselves do not ensure security, but they do demonstrate the University's commitment to improvements in this area. The Department of Energy announced on June 30 that it will begin working with the University of California to explore ways in which security expertise can be brought into the UC and the Laboratory to achieve improvements in security. UC and the Lab welcome the study and will fully cooperate with the Department. Although the UC contract might be restructured to provide external security expertise, the day- to-day responsibility for handling classified information will still rest on the shoulders of the scientists and engineers at the Laboratory. There are important lessons from our recent improvements in safety. Safety and security are line responsibilities. Additional expertise from outside can be very helpful, but it must reinforce line responsibility. This is where the day-to-day work occurs. SECURITY DE-EMPHASIS FROM 1990-98 To understand the current situation in security it helps to review the changes that have occurred in the nuclear weapons program over the last 10-12 years. After the end of the Cold War, the budgets for the nuclear weapons laboratories dropped rapidly. There was considerable pressure from the DOE and the Congress to reduce overhead costs, and this included security. Security funding dropped to a new low, especially for physical security. Policies changed as well as funding. Individual accountability for classified documents was done away with as a cost saving measure across the government. Secret Restricted Data document accountability was dropped as federal policy in 1992 and by 1993 after some debate Los Alamos ended this practice. In 1997, Top Secret Restricted Data document accountability was dropped as a federal requirement by DOE and other agencies. For Top Secret material and Sigma 14 and 15 weapons data we have continued to require more accountability and control than has been required by DOE. There were other changes as well. Significant amounts of information were declassified. The name of the DOE Office of Classification was changed to the Office of Declassification. A policy of openness was promoted that aimed to make more information available to the public, especially information related to the safety and environmental impacts of nuclear activities. A significant change of practices was instituted in the 1994-95 time frame when we were instructed to reduce the number of Q-cleared personnel (Top Secret) by downgrading many of our employees' clearances to L (Secret). The result was many more people with lower level clearance in our secure work areas. Not long after that, distinctive colors for Q-cleared versus L-cleared badges were dropped, which made the identification of the security access of individuals much more difficult. While none of the above changes can be shown to have a direct bearing on the hard-drive incident, they were part of the atmosphere that was created after the end of the cold war. A few years after these budget reductions and policy changes occurred, we began having difficulty earning satisfactory ratings in security reviews and audits by the DOE. In addition, information technology was expanding at an incredible rate. Reinvestment in security began to occur, but too slowly to address the new environment. I faced this condition when I became Director of Los Alamos in November of 1997. I began to increase our overhead funding of security to make the changes mentioned elsewhere in this testimony. We have made significant progress. We still have further progress that needs to be made, and we are dedicated to doing that. SECURITY ENHANCEMENTS SINCE 1998 In early 1998, I provided greater emphasis on security and environment, safety, and health by creating a Deputy Laboratory Director position that would concentrate on operations, including security and safety. Previously, a single deputy director had oversight of all operational, business, and outreach functions. In April 1998 I formed a separate Security Division, reporting to my operations deputy, with a former Air Force security officer specializing in nuclear security at the head. Consequently, a greatly improved Site Safeguards and Security Plan was developed and approved by DOE--our first since 1994. In a similar manner, I created a new Counter-Intelligence office, headed by a former FBI CI expert and reporting to the operations deputy but with full access to me. In response to last year's criticism of cyber security at the defense national laboratories (Los Alamos, Livermore, and Sandia), these laboratories and DOE developed a Tri-Lab Information Security Plan in April 1999. The Laboratory is implementing this plan, and to ensure continued coordination of these improvement efforts, I formed a senior Information Security (INFOSEC) Policy Board, headed by my principal deputy. In addition, a formal technical program was created to lead our technical efforts to identify and develop solutions to present and projected computer security challenges. This program interacts directly with the INFOSEC Policy Board to ensure tight communications regarding Laboratory objectives, priorities, and oversight. The Security and Safeguards (S) Division is represented on the INFOSEC Policy Board to ensure compliance with the security regulations and guidance issued by DOE Safeguards and Security organizations. Cyber security upgrades in the past year include Strict site and cyber access for foreign nationals. Network separation with firewalls between Laboratory unclassified administrative computing and public information computers--an additional layering beyond complete isolation of the classified computing network completed six years ago. Eliminated except in very special cases authorized use of any computer for both classified and unclassified computing (dual- use computers eliminated). Actions After The Hard-Drive Incident As soon as the hard-drive incident was reported to me on June 1, I initiated all actions that were required, prudent to limit further damage, or appropriate to facilitate further inquiry. Those actions include temporarily eliminating SRD access for members of the NEST team who had unescorted access to the vault in question until we had a better understanding of the FBI investigation. Some of the actions taken in June have become continuing policy, such as: Logging of all vault entries and exits, with positive identification. Reduced access lists for vaults and Limited Access Control Areas (LACAs). Placed barcodes on all portable high-density computer storage media with Secret Restricted Data (SRD: secret nuclear weapons data) to facilitate inventory. Initiated a review of all nuclear weapons programs to ensure that they have security plans consistent with DOE and Laboratory policy. These activities addressed immediate concerns, but we recognize that more may be required. We are working with the DOE to identify and implement additional measures that address root causes. Last year I established a Lab-wide goal of ``Zero Safeguards and Security Violations.'' Upgrades in personnel practices to ensure suitability of staff for critical national security jobs includes intensified security awareness training, enforced by automatic rejection of personnel at entry badge readers if their training is overdue, and implementation of the DOE's counterintelligence polygraph program. To reinforce the message of low tolerance for serious violations, strong sanctions are being taken by line managers for serious or deliberate security infractions. Since I have become Director, I have found it necessary to terminate 3 employees and suspend 4 others for serious security infractions and violations. For lesser infractions, sanctions such as salary reductions and reassignment to less responsible jobs have been applied. I have also empowered my managers to pull the Laboratory badges of non-UC subcontractor workers in their organizations who had the privilege of site access but failed to follow our procedures. This action also has been taken a number of times recently for visitors who did not comply with security procedures. After the investigations are complete in the hard-drive incident, appropriate personnel actions will be taken. It is not fair to our thousands of conscientious employees to tolerate the deliberate, careless or indifferent acts of a few individuals. Oversight The quality of the Laboratory's security program is monitored through regular self-assessments and DOE evaluations. UC had also added detailed oversight through its new security office and panel that reports to the UC President's Council. In the last few years we have made substantial investments to provide a stronger security environment. The improved status of our whole security posture was validated by the DOE's Office of Independent Oversight and Performance Assurance (OIOPA) at the end of 1999 with a rating of ``Satisfactory,'' the highest of their three rating levels, following a year of preliminary visits and final audits. The GAO followup report, ``Improvements Needed in DOE's Safeguards and Security Oversight'' (February 2000) primarily addressed needed integration of oversight findings and followup records in DOE's methods. In this regard, the GAO report also calls out as a noteworthy practice that Los Alamos maintains its own database with ``virtually every known security problem at the laboratory'' as a method to track findings and corrective actions--although improvements were recommended in root cause and risk/benefit analyses. The DOE Inspector General investigated security inspection ratings at Los Alamos for 1998 and 1999 and in May wrote the Summary Report on Inspection of Allegations Relating to the Albuquerque Operations Office Security Survey Process and the Security Operations' Self Assessment at Los Alamos National Laboratory. Most of the report is related to DOE ALO. I will not comment on those findings. The portion of the IG report dealing with LANL self-assessments in 1998 and 1999 alleges that a) all self-assessments were not completed by LANL as required; and b) ratings on some self-assessments were manipulated by LANL management to make the Lab look better than the facts would have indicated. Self-assessments are a valuable internal tool to senior management because they allow us to determine where we need improvements. The DOE OIOPA audit reviewed our self-assessment function after the IG visit to LANL and found that the LANL self-assessment program was operating and communicating the results to management effectively. Manipulating self- assessments as alleged would be counterproductive to our goals of having an effective security. Self assessment findings have no direct impact on DOE's annual evaluation of our security performance. If the DOE IG will share more information on those allegations with me, I will investigate further. It is correct that we did not complete as many self-assessments as we had planned. We went beyond the DOE requirement for self-assessments and set a ``stretch goal'' that we missed. However, I would like to point out the Laboratory's security program was reviewed 16 times in 1999 alone. The DOE-IG report is the only audit for which we objected to the findings, and our objections were only because the findings could not be validated. Current Regulatory System The regulatory system for security, like safety, is complex and multilayered. At the top level public laws provide general principles and objectives. Next, the DOE has established a layer of rules in the Code of Federal Regulations and then has a layer of requirements in their Orders system. The Orders system has many thousands of pages of orders, manuals, and guides that are under constant revision. Requirements can be modified in real time by DOE direction. One of the contract roles for the University of California is to help, with the DOE and the Labs, review regulations as they are developed and to maintain a list of applicable requirements. INTEGRATED SAFEGUARDS & SECURITY MANAGEMENT (ISSM) To deal with this complex environment we are taking the same approach to security that we took with safety. It is called Integrated Safeguards and Security Management (ISSM) and uses a simple five-step approach that every employee can understand. We are writing plain language ``Laboratory Implementation Requirements'' (LIRs) that capture all the government requirements in a form that allows the employees to understand what they must do in a given circumstance. Many requirements are common sense and we must continue to work toward a simple system that is easily understood but is difficult to circumvent. Ultimately, security depends on individual performance. This is not unlike the individual's responsibility for safety. With the general security objectives in mind, the logic of the rules can be followed. Following the rules offers the worker protection when some failure occurs. More importantly, we have found that formality of operations encourages work habits that prevent failures. To reinforce these expectations, I have directed all employees to participate in mandatory security awareness training, and review their security responsibilities with their next level of supervision. We have the experience from implementing Integrated Safety Management (ISM) over the last three years that self-reporting is an important tool for performance improvement. Self-reporting is defeated in a climate of fear. We must maintain the support of the employees for self-reporting while carrying out our responsibilities for management oversight of the lab. Over the last five years, we have averaged around 40 security ``occurrences'' per year. Most of these were self-reported and were administrative security infractions that had no or minimal impact on loss of control of information. Those that were serious were dealt with swiftly. It is important that we retain honest internal reporting and self-evaluation, if we are to improve our performance in security. I would be suspicious if only a few security occurrences or safety incidents were reported in an organization of 8,000 employees. Our goal of zero security violations can only be met by honest reporting and by addressing root causes. CLASSIFIED MATERIAL PROTECTION AND CONTROL Security implementation includes providing secure work and storage places for classified material, controlling the movement of that material, and qualifying personnel to ensure trustworthiness, and regular training. Physical Security The Laboratory has several layers of physical security, providing graded protection and defense in depth around classified materials. The outermost layer is the Laboratory site boundary, which encompasses DOE property. Inside this boundary, all persons are subject to DOE rules including following guard force directions. Vehicles and personal belongings are subject to search. A professional protective force with approximately 400 armed guards enforces these rules and site security. The next layer is the security fence. Unescorted access to the Administration Building security area (which incorporates X-Division's principal work space) is through portals using a Q- or L-cleared (secret--national security information [NSI]) badge plus identification either by a guard from the badge photo or by means of the badge plus a hand-geometry biometric reader. About 8000 people have badge access to the Administration Building. Other Q-cleared buildings have similar measures. X-Division's principal workspace is located within a Limited Access Control Area (LACA) inside the Administration Building. The LACA is an additional layer of security that we use to identify and authorize a group of people doing related work inside a more general security area. Unescorted LACA access, through another badge reader, was allowed to about 1300 Q-cleared people who required emergency access or who routinely work in or with X-Division, usually involving Secret Restricted Data--secret nuclear weapons data. (Once inside the LACA, personal recognition provides a strong deterrent to unauthorized access.) The access list for the LACA badge readers has been pruned to 600 people. Another higher-level security environment can be provided by a Sensitive Compartmented Information Facility (SCIF). These areas can be multi-office work areas, like a LACA, but with more extensive access control features specified in federal standards. SCIFs are normally used for intelligence work or for Special Access Programs (SAPs). The next layer of physical security in classified workspaces is provided by personal control or secure storage of the classified materials. When not in the possession of an authorized user, classified material must be in approved storage. Approved non-work-hours storage can be a safe in an office, a vault, or a vault-type room meeting standards specific to each kind of system, its security environment, and the classification level of the material inside. The DOE standards cover the storage device location, construction, and door locks. For a vault, a GSA-approved standard lock and intrusion detection alarms are required. Los Alamos vaults have always been equipped with GSA approved locks and intrusion alarms that meet DOE standards. Until June, workday practices for control of classified material were met by various means allowed by the DOE requirements. For some vaults, including the vault in question, a number of Q-cleared persons were authorized for unescorted access. No entry logging process was required by DOE or the Laboratory or routinely in place when the vault was attended. After the hard-drive incident, we immediately instituted a vault access-logging requirement that subsequently became DOE policy per Secretary Richardson's June 19 memo. We are now meeting that requirement for all of our 96 vaults on site. Since 1994, we have had 19 DOE inspections that covered vault operations. These resulted in two findings. One finding is closed and the other, involving a technical issue regarding alarm testing, has a corrective action plan. Neither of these two findings addressed the issues surrounding this incident. DOE is planning to review vault operations across the complex and establish upgraded standards on a very fast track. We have already reviewed the security practices at all 96 vaults at LANL. We welcome the DOE review. Information Security Information security is provided by physical security as described above and by controlling the movement of the information. The rules for controlling computer media have evolved to be somewhat different than for hard copy on durable media such as paper and film because the expansion of digital storage capacity challenges the traditional concept of ``document.'' Some hard drives in personal computers can hold more than the equivalent of a million pages of text. The increase in the amount of material that can be compromised and the speed with which it can be transmitted as digital capabilities increase is a government-wide problem that must be broadly addressed. Many of our cyber security improvements of the past year were aimed at this problem and we continue to deploy technology to address what may be the most volatile security issue we face. In 1992 when SRD accountability changes occurred, DOE was not prepared to give guidance for the secure handling of computer based information. The technology was changing so rapidly it was difficult for anyone to keep up. The computer technology moved faster than security technology or policy. We needed clearer overall guidance in order to follow priorities on expenditures. This all occurred in an environment when great pressure was being applied to reduce overhead accounts. In such an environment, it was essential that we follow DOE policy and expenditure guidance. As said earlier, government-wide policy from 1992 ended the requirement to maintain an auditable inventory of Secret Restricted Data material. This is often referred to as the ``end of accountability,'' but of course, everyone is still responsible for the classified documents in one's possession. The Laboratory follows DOE policy for accountability of SRD material. Positive inventory control for all of the approximately 6 million classified items now in the Laboratory's possession raises the issue of cost vs. benefit that caused the downgrading of requirements eight years ago. We estimate that the effort to reinstate an inventory listing of all SRD items would be at least $60M. Maintenance of the accountability system plus periodic inventories would cost on the order of $25M per year. An inventory system can help reinforce careful work habits as well as providing more positive document control. The cost and difficulties could be reduced by a graded implementation. For example, the first focus could be on inventorying portable high-density digital storage devices. We have now completed that task. Sigma categories can be used to prioritize items for inventory. Security and subject matter experts should be involved in detailing standards. It would be costly and ineffective for the Laboratory to attempt to create its own inventory system without DOE guidance. Any system must be DOE-wide to be effective. The magnitude of such an effort will raise issues of costs and benefits. DOE will need to establish priorities for resources. Prior to this incident there was no government requirement to protect a compendium of secret information beyond the requirement that applies to the highest level of classification of any item in the compendium. This is regardless of the volume of information. Immediately following the hard-drive incident, I directed that portable high-density digital storage devices with SRD must be put under inventory control. For this purpose, bar-coding on some 65,000 such devices is essentially complete. As announced in June, the DOE will institutionalize the inventory control requirement for selected compendia of secret information on high-density media. We strongly endorse the development of such a plan. There is no formal DOE or Laboratory requirement associated with transfer of SRD ownership within a Q-cleared security area. In particular, the previous owner is not required to retain a record of change of ownership, so in a sense, everybody owns it--and therefore nobody does. The opportunity to lose track of ownership is high in multi-user vaults if there is no formal accountability. This may have been a contributing factor in the hard-drive incident. Prior to the 1992 changes, the originator of a document had to record any copies made, number the copies, and the tracking system retained a record of all copies and their owners. We recommend re-establishment of rules for tracking SRD (and higher) document ownership. Transport of SRD outside of a security area requires physical security measures, but without inventory controls, there is no unique identifier to track removal, transport, and arrival of the item. Document accountability is important when documents are transferred between owners and transported outside of the security perimeter. Tracking document transfers and movements would be enabled by and should be part of a revitalized accountability system. With modern technology, there is an opportunity to develop centralized electronic repositories with a high degree of security, tracking, and access control. This would, however, create a security vulnerability by concentrating information. Security measures would have to be very high for such a system, but may be the best approach for a cost-effective document control system. The digital age has created new problems for information security and may also provide means to help that should be further considered. Encryption of classified information could be an important augmentation to other security measures. Secretary Richardson directed that encryption be utilized in protection of large quantities of SRD. A limited set of software encryption tools are available now, but are likely to improve rapidly in coming years. We plan to utilize these developments in concert with DOE. Personnel In my opening comments I identified human reliability as one of my core concerns. This concern is widespread in security management. A recent DoD study 1 ``Insider Threat Mitigation'' identified maliciousness, disdain for security procedures, carelessness, and ignorance as four kinds of insider behavior that can generate security incidents. Our system attempts to minimize these behaviors by thorough selection, training, mentoring, and re-evaluation of personnel, but needs to be strengthened. --------------------------------------------------------------------------- \1\ DoD Insider Threat Mitigation: Final Report of the Insider Threat Integrated Process Team, available by subscription from http:// www.insidedefense.com/ --------------------------------------------------------------------------- Access to various levels and kinds of classified material can be authorized to persons with corresponding clearance levels and need-to- know. Clearances are provided through the federal departments for their own personnel and contractors. Although periodic reinvestigations check external risk factors such as indebtedness for cleared personnel, it may be necessary to strengthen personnel requalification through a better human reliability program. The 1995 DOE policy to make L (Secret) the default clearance level instead of Q (Top Secret) introduces many less-scrutinized people within our security perimeter. We recommend that only Q-cleared personnel have routine access within our security areas. This would require a much higher quota of new Q clearances. Personnel develop sound security work habits through initial training, work experience in a supportive environment, and refresher training. This is the normal process at my Laboratory. I know these people and I know their work style. It is not an atmosphere of widespread disdain for security. However, to ensure that current requirements are clearly understood, we conduct required periodic security retraining and hold occasional special events for security awareness. The basic retraining program has a number of elements and is largely computer-based on the Lab's internal web, to ensure currency and standardization. The retraining system is highly automated, including reminders emailed to the individuals and their administrative offices, and automatic rejection of personnel at security area badge readers if their training has lapsed. We have conducted a number of special events for security awareness that consist of presentations by respected security experts and use of professionally-prepared training materials. This follows a pattern developed by Integrated Safety Management that has been well-accepted by the workforce. We had very good employee feedback from these sessions. I have directed that security awareness training be conducted this summer for all employees. This will be an occasion for presentation of the Integrated Safeguards and Security Management System to the whole workforce. Additional security training will be focused on areas of need; for example, last week we conducted a security immersion day for NEST. I am particularly concerned about the apparent human failure involved in this incident. Losing or misplacing secret information is a serious matter but does not necessarily expose the individuals involved to severe disciplinary action if promptly reported. The rules are intended to accommodate a certain level of inadvertent security infractions through self-reporting. Through prompt reporting it can sometimes be established that the material was never left unprotected, and if not, then its movement can reconstructed and perhaps the material can be found. With prompt action the consequent damage to national security can be more effectively determined and limited. We will have to ensure that our security awareness training strongly re- emphasizes the reporting requirement to our employees. DOE has several special personnel programs, such as the Personnel Security Assurance Program (PSAP) and the Performance Assurance Program (PAP), to assure fitness for particular duties. For example, personnel handling nuclear weapons are evaluated for psychological stability and drug abuse. It is important that an expanded human reliability program be wisely employed to help us determine if we have risks with people in our most sensitive programs. The DoD report cited above reaches a similar conclusion. Access to Programs There are rules specifying access privileges to information in various categories according to the clearances held by a person. Beyond a Q-clearance, which enables access with need-to-know (NTK) to SRD and Top Secret material, there are Special Access Programs (SAPs) and Sensitive Compartmented Information (SCI) access. SCI information is often intelligence-related and compartmentalization helps protect sources and methods as well as highly sensitive information. Access to a SAP or SCI program can be granted only by a designated government program manager. Los Alamos works in many SAPs and SCI programs with the DOE and other federal sponsors. A DOE rulebook dictates the formal steps required for in these relationships to ensure that roles and responsibilities are documented. There are a number of special programs (non-SAP, non-SCI) at Los Alamos into which line managers have had little or no access to ensure that Laboratory safety and security rules are met. Prior to this incident it was not clear to our line management and security people whether or not they had the necessary authority to accept responsibility for the detailed security procedures of these programs. By their very nature, sponsors try to limit the number of people who have access to such programs. It is important that the line management maintain oversight of the security and safety of all such activities with assistance from security experts. NEST SECURITY The NEST program has been operated as a closely held need-to-know program but not a formal Special Access Program. Los Alamos has made a good faith effort to participate in this program as we understood the guidance of the program sponsors in DOE. Oversight of NEST by our Security Division was limited. Not all aspects of the NEST security plan were reviewed and approved by laboratory managers for compliance with DOE rules or for best security practices. Even if NEST was treated as a closely held need-to-know program, it was subject to DOE policy for handling SRD, and that policy was in place at the Laboratory. We have been asked by the FBI not to interview the current Los Alamos NEST team, so we cannot report on any security audits that the team may have conducted. I also do not have the results of any security audits of NEST that DOE may have conducted. However, our preliminary review of NEST operations prior to the FBI being engaged indicates to us that the program operated using normal SRD security measures, although additional factors may be uncovered by the present FBI or future investigations and could cause us to modify this judgment. The vault where the X Division NEST toolkit was stored was subject to normal inspections by our Security Division. Since there was no accountable matter in the vault, inspections were related to physical security and spot-checks on document markings. Adequate equipment, procedures, training, and personnel qualifications were in place to enable secure handling of NEST items. Execution of security oversight is less clear. Our discussions with DOE have revealed that some personnel at DOE did not have the same understanding as LANL personnel of how NEST program security was to be administered. Elimination of such misunderstanding is a mutual responsibility of the DOE and the Laboratory. We believed in good faith that this program was indeed considered special in a very real sense, i.e., a ``close-hold'' program. There was a list of the people allowed access to the information. Deployment details were very closely held. We are addressing this issue with DOE and are working together to eliminate the ambiguity that we have discovered. In fact, the Deputy NNSA Administrator for Defense Programs sent me a letter on June 16 clarifying that we are responsible for the security of all programs unless directed to the contrary. There are a number of other closely held need-to-know programs that have some of the characteristics of the NEST program. On the basis of the NNSA letter we are undertaking a comprehensive review of their security. I believe that NEST and other closely-held need-to-know programs should have a level of formality that includes, at a minimum, a security plan reviewed and approved by DOE and laboratory management delineating roles and responsibilities for security for all participants, strict accountability and tracking control for all SRD ( and higher) information and equipment, regular security/counter- intelligence training and certification, and regular audits. Such measures would not necessarily have prevented the hard-drive incident , but would have made it easier to detect someone violating security. SUMMARY OF CURRENT ACTIVITY It is critically important for national security that our recent security incident be analyzed, the lessons learned, and corrective actions taken. At the local level, many changes already have been implemented and many are planned or under consideration. At the national level, actions are underway that provide an enhanced focus on security, especially for computer media. I will summarize recommendations and actions underway. First, the National Nuclear Security Administration will provide a new setting for our nuclear weapons programs, including a strong focus on security management. It is important that the NNSA and its new leader, Gen. John Gordon, be given the opportunity to create a new management team and processes that will ensure we accomplish our mission with effective security for these times. I am also very pleased that the Administration has created the Hamilton-Baker panel to review the hard-drive incident. I believe that these two distinguished public servants will provide a thorough and thoughtful analysis and recommendations. We are implementing upgrades to current security practices to address some of the underlying factors that may have contributed to the recent security incident. I have explained most of these in context above. In summary: Upgraded access control measures now in place include positive identification and logging of persons for vault entries by the vault custodian during work hours and through the central alarm system manned 24 hours per day by our guard force. In addition, if a vault custodian leaves his/her station, the vault must now be locked and alarmed. Entry to Limited Access Control Areas is also under review to improve controls. We are implementing inventory control of portable high-density data storage devices with Secret Restricted Data. Device bar- coding for this purpose is nearly complete. Development of requirements are underway with the DOE for reinstating inventory control of SRD information. We are also considering how to reduce the volume of secret information held in distributed storage, to facilitate inventory control, yet not lose the valuable information from the past. Encryption will be evaluated and incorporated as DOE guidance is received. This will preserve the secrecy of information regardless of control of the physical media. In our security awareness training, we will emphasize the importance of continuing self-reporting. We must ensure that our security practices do not discourage this. We are considering how to provide a graded approach to personnel evaluations according to their access to the most sensitive information. It may be necessary to include PSAP-like features in evaluating fitness for duty for some positions. CONCLUDING REMARKS If we made all these significant improvements in security over the past year, why didn't it prevent the latest security incident? It appears that there are a number of contributing factors, none of which can be or should be used as an excuse. Policies, procedures, and security systems are all necessary to make it difficult for someone to compromise our nation's secrets, but also to make it easier to detect someone who tries to do so. Such measures will not be able to wholly prevent inadvertent or intentional human error. There are additional improvements we can make. We will follow DOE guidance when it is received. To initiate further changes without that guidance usually leads to backing up and starting over, which wastes scarce resources. We have worked very hard and invested many resources in physical and cyber protection, but nonetheless we have suffered severely damaging incidents. Many people have stated that security, due to its inherent desire to keep information closed, is totally incompatible with science, whose fundamental premise is openness. There is no doubt that there is a tension between these two objectives--but it has been managed at Los Alamos and elsewhere for many years. It requires great diligence and continual improvements to deal with changing situations. It must be managed because science is too important to the future of our nation's security. Science creates the ideas that strengthen our national defense. Science created the information on the hard drives. We look forward to the leadership of the NNSA to help us strengthen our security environment while preserving science at its best. Although we incorporated all existing DOE policies in our requirements and had highly qualified workers involved, it appears a failure to execute required duties occurred, possibly from deliberate human action or omission of action. Security is not just the rules and the systems. We must engage the hearts and minds of the people. I reject the conclusion that this latest incident is typical of our workforce. Our people are dedicated to national security. Many have spent a large fraction of their lives contributing to our most important national problems. At the same time, we must insist that arrogance, carelessness and indifference to security not be an excuse for inadequate protection of our nation's secrets, regardless of the scientific accomplishments of the individual or the organization. Our goal is zero security violations. We are accountable and committed to make the needed changes to improve our security. We can have science at its best and security at its best. Our nation needs both and should demand no less. Mr. Upton. Thank you. Dr. Tarter. STATEMENT OF C. BRUCE TARTER Mr. Tarter. I will try to be very brief also. Let me first reinforce and reaffirm what I think Dr. Browne has just said, that security, and I think it also restates something I think Mr. Podonsky said several times this morning, both in its testimony and in answer to questions. Security on our site is our site's responsibility, and responding to basically the set of Department of Energy requirements. It is not some third party. It is not somebody else. It is mine as the leader of the site. It is the responsibility of the employees on the site. And that is ours to do in response to DOE requirements. And I think you pointed out occasionally that comes into some degree of conflict of knowing exactly how to implement those, but that is the way the system works. There aren't magical silver bullets in the sky that you invoke to make it happen. We have to do it onsite in response to the DOE regulations and what will now become the NNSA part of those regulations. I think, as I said to the committee last year, we have, I think, done well in many aspects of security. I think there are two that I think are still very much works in progress. And I think the committee has covered one this morning very, very thoroughly, but let me mention the two I think--one that has come out of the hearing and one which several committee members have alluded to. And as I was listening to all the testimony this morning, I was struck again and again about details of vault access, details of document control. A whole variety of different things. And you do not want to go back to one thing. But whatever the set of events that created the set of actions taken in the early 1990's, which basically took accountability of documents out--off the table, I think almost everything else in dealing with the inside treatment of information has flowed from that. And in agreement, I think with Dr. Robinson and Dr. Browne, and I believe the Department, I think we do need to return to a system of full accountability for the documents inside the system. It is not as simple as just saying it. It is a major task. The interface with other agencies is complex. Contrary to some testimony, the Department of Defense does not have as close a security system in those documents as we had before the 1990's period. But I think we need to do that. The second thing--and I think Congressman Cox has made this point on a number of occasions, I think when you visited this you saw this, too--that technology has outstripped, in many cases, what I would call your intuition, and our intuition, about how to treat--how to protect great masses of concentrated information of high value. And I think that is something which is still a work in progress. I think all of us appreciate the supplemental money which has been, I think, added to help us this year now to work on that problem. But this is not a simple problem, because taking all of the documents we have, we can still put them in very small concentrations, and I think we need a different way of treating that information. Let me close by simply stating that I think there are two other comments. I think as with the other laboratories, in spite of the change in document control, we continue to treat Top Secret information differently. We have had that under almost a complete control, and I am confident that that information has been handled well over this period of time. Second, one of the first things that I did after I was informed of the Los Alamos incident was go through our NEST procedures. I would be happy to do that for the committee, but we found everything was where it was supposed to be. And I went through our procedures, and I believe they were quite adequate. But I would agree that I believe there should be a formality of operations complex-wide because as I learned, most of our particular NEST regulations were ones that were done by our own site. I think they were good ones, but I think it should be done uniformly across this system. Thank you very much. [The prepared statement of C. Bruce Tarter follows:] Prepared Statement of C. Bruce Tarter, Director, Lawrence Livermore National Laboratory, University of California OPENING REMARKS Mr. Chairman and members of the Committee, I am the Director of the Lawrence Livermore National Laboratory (LLNL). Our Laboratory was founded in 1952 as a nuclear weapons laboratory, and national security continues to be our central mission. The specific events that prompted these hearings are most regrettable. However, I welcome the opportunity to report to you the progress we are making to increase security at our Laboratory. My statements before this Committee during the past year provide a record of the many specific actions we have taken in this area. And, in January 2000, our Laboratory was visited by three members of the Subcommittee--Chairman Upton, Vice Chairman Burr, and Representative Cox--to see our security measures first hand and to discuss issues with senior managers as well as working nuclear weapons specialists in their workplace. We were very grateful for that opportunity. These prior interactions and my testimony today focus on three points: Progress. In December 1999, Livermore's security programs received an overall Satisfactory (Green) rating from DOE's Office of Independent Oversight and Performance Assurance. Since the Los Alamos incident, we have been expeditiously implementing enhanced protection measures--those directed by DOE Secretary Richardson and those taken on our own initiative. Commitment. Our national security mission and safeguards and security are inextricably linked, and we take both obligations very seriously. I am ultimately accountable for the Laboratory's performance and have made very clear to all employees, who have been specially trained in security measures, their individual and collective responsibilities. Challenges. An extensive security and counterintelligence infrastructure is in place. However, we continually have to adjust to new security threats and challenges, and those arising from rapid changes in information technologies warrant particular attention and investment. improvements to increase confidence in security A Satisfactory (Green) Security Performance Rating. Throughout 1999, we worked expeditiously to address all issues that arose in self- evaluations or resulted from the May 1999 inspection by the DOE Office of Independent Oversight and Performance Assurance. In particular, we took steps this past year to upgrade each leg of our security triad-- physical security, cyber security, and personnel security (including counterintelligence). Actions included steps to improve: The protection of Special Nuclear Materials (SNM), by executing an action plan to analyze, document, performance test, and enhance the Laboratory's comprehensive protection strategy. We also made numerous physical and procedural upgrades and increased the size of our Special Response Team. Procedures for Materials Control and Accountability, by demonstrating the ability to consistently meet SNM measurement and inventory requirements and resolve inventory differences in a timely manner. The physical security and protection of classified matter, by addressing performance issues in several of our vault-type rooms (VTR), upgrading classified parts storage areas, replacing non-GSA-approved repositories, and installing additional barriers to segregate L-cleared employees from Q- clearance-only areas. Cyber security, by implementing scheduled steps in a Nine Point Action Plan to better protect both unclassified and classified computer systems. For example, the installation of a firewall between the open and restricted portions of the unclassified network has increased protection against outsider threats. For the classified system, which is not connected to the outside world except through NSA-approved encryption, steps were taken to protect against ``insider'' threats: ensured physical incompatibility of removable media between classified and unclassified systems, logged access to centralized weapons data bases, rigorous new procedures for the transfer of unclassified data from classified computers, and additional internal firewalls to enforce stringent need-to-know separations. Counterintelligence, by adding staff to a Counterintelligence Program at Livermore that was established in 1986 and has been well integrated into the U.S. counterintelligence community for many years. Polygraph testing of identified classes of employees has also begun and we are committed to completing the necessary testing. Employee security awareness and training, through a comprehensive security awareness program that exceeds DOE mandatory requirements. In addition, all Laboratory staff participated in two two-day stand-downs of activity in 1999 for intensive training and to review their individual and collective responsibilities. As an outgrowth of these efforts, we received an overall Satisfactory (Green) rating from the Office of Independent Oversight and Performance Assurance in their Follow-up Inspection in December 1999. We continue to make upgrades to strengthen all aspects of security, address identified issues--such as those that arose because of the Los Alamos incident--and deal with any perceived weaknesses. LLNL Actions Following the Los Alamos Incident. Lawrence Livermore personnel also support emergency response activities such as the Nuclear Emergency Search Team (NEST). In conjunction with this responsibility, the Laboratory has classified hard drives and computers that are taken to the field to complete assignments as requested by DOE. Livermore officials were made aware of the security incident at Los Alamos as soon as their top management was informed. We conducted our own, parallel review at Livermore to assure that our emergency- response assets had not been compromised. All NEST data stored at the Laboratory was and is accounted for. Beyond NEST, the incident raised broader issues about access to vaults and portable, highly-concentrated collections of sensitive data at Livermore. A working group was immediately chartered to review the Laboratory's classified data holdings, identify the locations of especially sensitive and portable collections of high concentrations of data, and recommend appropriate procedures to provide additional protection. This review has been completed and found that we were compliant with DOE requirements. Nonetheless, enhanced chain-of-custody controls and access procedures have been implemented at the identified locations. Access control to vaults and vault-type rooms (VTR) at the Laboratory is managed in accordance with current DOE requirements. An access control list is maintained for each, and an area custodian uses the list to determine who may enter without an escort. We are upgrading our vault-access verification procedures in accordance with the Enhanced Protection Measures directed by DOE Secretary Richardson on 19 June 2000. In addition, the Laboratory has instituted a working group to address the effectiveness of our vault and VTR operations and management. They are in the process of identifying additional protection measures beyond those required by DOE that can further enhance security. A Review of Classified Matter Protection and Control Procedures. Following the Los Alamos incident, the DOE Office of Independent Oversight and Performance Assurance conducted a review of the effectiveness of Classified Matter Protection and Control (CMPC) procedures at the Laboratory. The review focused on the protection of the most sensitive classified assets--weapons design information and use control information--within the Defense and Nuclear Technologies Directorate and Top Secret information. Key aspects of protection, including information generation, storage, marking, destruction, and control of access, were examined. Particular attention was devoted to the role of Laboratory management in ensuring that DOE policies related to control of classified matter are established and implemented. The review was conducted from June 19 through June 21, 2000, and the results--as summarized in the draft report--were satisfactory. Particular mention is made of strong management attention to issues, including a proactive approach to emerging needs to enhance protection, attention to training programs, inclusion of security considerations in personnel performance evaluations, and pursuit of an enhanced security self-assessment program. AN INSTITUTIONAL COMMITMENT TO SECURITY Security and Science. Security and science are both central to Livermore's purpose and its operations. They are tightly coupled in our programmatic activities, and we are deeply committed to both. Through the Stockpile Stewardship Program, we further national security by applying advances in science and technology to maintain the nation's nuclear stockpile in the absence of nuclear testing. With less than 2% of the world's research and development being conducted at DOE national laboratories, many of the scientific advances that we adapt and apply to national security problems are made elsewhere. Hence, we interact with the broad science and technology community to be cognizant of major advances and to acquire needed special expertise. We also engage foreign nationals as part of our national security mission through participation in international efforts to prevent the spread of nuclear weapons, materials, and know-how. Accomplishing our mission depends critically on these external interactions, and we must manage them in a way that protects sensitive information. It is a challenge, but not the ``clash of cultures'' that is so often portrayed. Since the Laboratory's founding, both security and science have been central to our ``culture.'' The staff at Livermore take great pride in their scientific and technical accomplishments. They are also attracted to the Laboratory and are motivated by the opportunity to serve the nation. Few groups of people in the world are more painfully aware than Livermore employees what the loss of nuclear weapons secrets means to the security of the nation. Few groups are more concerned about the impact of the diffusion of information on proliferation. Few have been more at the forefront of initiatives to limit the spread of weapons of mass destruction and to develop capabilities to prepare the nation to deal with the threat of their use. Security is not just our business, it is part of the way we operate, but so are outside technical interactions. Security and science are not incompatible objectives, but they require threat awareness, proper training, and vigilance. Security Awareness and Training. As I have said, I am ultimately accountable for the Laboratory's security performance, and our success depends on the vigilance of everyone--from senior managers to individual employees. Increased vigilance is evidenced by a three-fold reduction in the number of security infractions that have occurred over the past year. All Livermore workers are aware of the ``zero tolerance'' policy for security violations that place nuclear secrets at risk. They rely on a comprehensive Safeguards and Security Awareness Program at the Laboratory to understand their responsibilities, proper procedures, and best practices. In addition to a series of DOE mandatory briefings--many of which are annual requirements--the Laboratory offers nearly a dozen additional programs, some of which train people for specialized security responsibilities. Each year, all employees are required to complete security refresher training, and those that do not or fail the follow-on test have their clearance suspended or lose it. As an example of training, regardless of previous assignment, employees joining the Defense and Nuclear Technologies Directorate are required to be thoroughly instructed as to their responsibility for protecting classified matter as well as specific procedures used within the program to generate, use, store, transmit, and destroy classified material. Significant additional training is required for classified- document administrative specialists and custodians. Laboratory-Wide Implementation of Security into Day-to-Day Activities. Our institutional commitment to security is reflected in the way that we centralize authority for key functions while distributing responsibilities for execution. For example, we established in 1991 a Classified Document Project Office (CDPO) to provide Laboratory-wide programmatic direction and oversight of classified document protection and control. Interfacing with all levels of Laboratory management, the CDPO ensures development of protection and control procedures, develops and implements training activities, performs self-assessments, and manages the Livermore Administrative Document System (LADS). LADS is a centralized computer system that provides modified accountability (tracking access to material rather than specific pieces of paper) for all classified documents at the Laboratory except those that are in Special Access Programs or are in Sensitive Compartmented Information Facilities, which have additional restrictive controls. In the area of cyber security, the Laboratory has a Chief Information Officer (CIO). The CIO leads a Laboratory-wide Computer Security Council that reviews the Computer Security Program and approves computer security policies. Program products include policies and guidelines that locally implement DOE's Computer and Telecommunications Security Orders, templates to assist the development of system-specific security plans, and checklists and testing guidelines to support certification of classified computer systems. In addition, an individual in each directorate serves as the central point of contact for cyber security. These Directorate Cyber Security Officers, who meet regularly with the Computer Security Program, oversee and ensure uniformity of Cyber and Telecommunications Security implementation. This system of Cyber Security Officers has been in place for the last six years. University of California Actions to Enhance Security. As the Laboratory has developed and continues to develop plans for and implemented changes to enhance confidence in security, we depend on outside review to help surface the best ideas and provide quality assurance. We have benefited considerably from the efforts of the University of California Office of the President. In addition to hiring a security expert, retired Air Force Colonel Terry Owens, to serve as UC Director for Safeguards and Security, the University formed a Laboratory Security Panel of the UC President's Council. It was able to attract highly respected counterintelligence and security experts to participate. The panel, chaired by retired Rear Admiral Thomas A. Brooks III, is helping us to identify potential security weaknesses and develop improvements. Just last April the panel conducted a high-level review of our computer security program. The University's commitment to work with the DOE to improve security at the two laboratories is further demonstrated by the specific actions UC has taken since the Los Alamos incident. In addition, since early this year, UC and representatives from the laboratories have been pursuing an initiative to develop and implement an Integrated Safeguards and Security Management System (ISSM) at both Livermore and Los Alamos national laboratories. This system, when in operation, will fully integrate security awareness, the principles of sound security practices, and the needed tools into the day-to-day performance of individuals and institutional activities. CHALLENGES IN THE CONTROL OF CLASSIFIED INFORMATION Accountability of Classified Materials. Accountability requirements for classified restricted data documents go back to the days of the Atomic Energy Commission. At first, these requirements included tracking and keeping precise inventory of specific pieces of paper by document and copy number. As copying machines multiplied the number of documents and copies, the inventory requirement was dropped in the late 1970's and then reinstated in the late 1980's. With changing missions and decreasing budgets, DOE aligned with the requirements of the NISPOM (National Industrial Security Program Operating Manual) and moved away from full accountability in 1992. Basically, it was concluded total accountability does not necessarily translate into total control and effective protection of the material in an age of copying machines and FAX machines. An unfortunate consequence of the change is that it created an overall environment in which the formality of handling classified information has been reduced. In some areas--the handling of Top Secret documents and Sigma 14 and 15 weapons data--Livermore has continued to follow more stringent than DOE-required control procedures. Greater accountability and control of such materials system-wide may be warranted. Major concerns also arise because of the revolutionary changes that have occurred in information technologies. Accountability of pieces of paper is a far different issue than accountability of hard drives that can hold Gigabytes of data, roughly a thousand times more than the main memory of the Cray-1 computer, the Laboratory's most capable machine in the late 1970s. As recent events make it very clear, we need to enhance controls over and the accountability of portable, highly-concentrated collections of sensitive data. We are taking steps to do so. The Need for Investments. Security upgrades do not come without cost. For example, at Livermore, resources devoted to our Computer Security Program increased from $1.3 million two years ago to $18.4 million this year. To implement the cyber security upgrades that we are expected to complete over the coming year without seriously eroding programmatic work, additional funds--beyond what was in the President's budget request--are needed. This is a DOE Defense Programs complex-wide issue that merits serious attention. Adequate funding must be complemented by a consistent set of policies and thoroughly vetted planning to make certain that costs and benefits are carefully weighed as we deliberate about new directives and revised procedures. CLOSING REMARKS I appreciate the opportunity to address the Committee on our efforts to increase security at our Laboratory and to enhance the control of classified information based on the painful lessons learned from the recent security incident at Los Alamos. As I have stressed, secure operations are vitally important to Livermore--they underpin all our research and development activities and protect some of our nation's most closely held secrets. We continue to upgrade physical security, cyber security, and our counterintelligence program to strengthen these areas, address new threats and concerns, and deal with any perceived weaknesses. Our efforts are made more challenging by rapid changes in information technologies and would benefit from an infusion of new investments--particularly directed at cyber security. Mr. Upton. Mr. Aftergood. STATEMENT OF STEVEN AFTERGOOD Mr. Aftergood. Thank you, Mr. Chairman. Thank you for holding this hearing. We have been talking not about security as much as about the rules for security. And I think that is an important distinction that has gotten lost. GAO presented a list of rules that have been modified over the past 10 years in the direction of relaxing security. They did not ask whether those rules, in their prior form, had actually been implemented. I provide some evidence in my written statement that such rules were not implemented, in particular, annual inventories and others. A deeper question is whether the rules were tighter or not and whether they were implemented or not? Was security better or not? An investigation done in 1990 found that there were over 5,000 Secret restricted data documents that were missing and unaccounted for. It is at least a logical possibility that security is better today, not worse, than it was 10 years ago. And because we have been focusing on the rules and not the reality of security, we are missing that important possibility. Let me just skip very quickly. Dr. Robinson mentioned a few words critical of the declassification program of the 1990's. I would like to suggest to you that declassification is not a problem, but it is part of the solution. It is how we take this vast mass of classified information and turn it into a tractable management problem. We are always adding stuff to the mountain of classified material. It is important that we have an orderly process to remove information control. Congressman Cox spoke about the polygraph tests, the scientists wearing buttons. I would suggest to you that the scientists are well within their rights. Polygraph has not been proven as a useful device for employee screening. There is some data that the polygraph is useful for incident-specific investigations. In other words, to investigate a particular security violation. There is no documentation to support polygraph testing for employee screening. You may recall that Secretary of State George Schulz famously threatened to resign during the Reagan administration rather than undergo polygraph testing. It wasn't because he was a scientist or indifferent to national security, but because the polygraph is a problematic and dubious technology. Last, I would just like to stress the point about balance. Balance is not a word that has been mentioned much today, I think until Dr. Browne mentioned it. It is a mistake, I believe, to look at security in isolation. Security is part of a larger picture. The larger picture is the health and vitality of our national laboratories. And whenever we think about changes to security, we should ask at least two questions: What would those changes cost financially, and more important, what will their impact be on the viability of the laboratories? You know, the Department of Defense has research laboratories also, and we do not hear any complaints about security there. The problem is we do not hear anything good about them either. Army General William Odom, many of you know I am sure, has actually called for the DOD research labs to be abolished. He said they haven't invented anything of value for years and years. That should not be our goal for the DOE national laboratories. Security is an important part of the picture, but it is only a part. And we should always think about the larger picture. Thank you very much. [The prepared statement of Steven Aftergood follows:] Prepared Statement of Steven Aftergood, Senior Research Analyst, Federation of American Scientists My name is Steven Aftergood and I am a senior research analyst at the Federation of American Scientists (FAS), which was founded in 1945 (as the Federation of Atomic Scientists) by Manhattan Project scientists at Los Alamos. FAS performs policy research and advocacy on a range of national security policy issues, with an emphasis on nuclear arms control. I direct the FAS Project on Government Secrecy, which studies government secrecy and information security policies, and generally advocates a reduction in the scope of the national security classification system. As required by Committee rules, I hereby state that neither I nor FAS has received any federal grants or contracts that are relevant to the subject of this hearing during the current fiscal year or the two preceding fiscal years. BALANCING COMPETING INTERESTS The basic conundrum for information security policy is how to balance security with other competing interests such as cost and mission performance. Security is ``too good'' if it precludes or significantly interferes with achievement of program goals. And since funding resources are finite, there are practical limits to security in any case. It is necessary to accept the fact that there can be no absolute security. The best one can aim for is to manage the security risks, keeping them to a reasonable minimum, while optimizing mission performance and limiting costs. The proper balance is not obvious, because it depends on multiple considerations, including threat level, resource availability, and other factors, all of which may change over time. In practice, a different balance has been proposed at different times over the last decade. Some benchmarks of shifting security policy positions, as they apply to document ``accountability'' and classification, follow. a. The 1990 Freeze Report: Thousands of Unaccounted-For Secret Documents In 1990, DOE conducted a major review of security policy, which raised many of the same issues of accountability for classified documents that have recently surfaced. The Report of the Secretary's Safeguards and Security Task Force, chaired by Major General James F. Freeze, USA(ret.), noted that DOE document accountability requirements had come and gone and come again: Historically, the Department had not required Secret document inventories except for weapons data, and the Task Force was advised that requirement had been dropped ``in the early 1970's for cost benefit reasons.'' However, weaknesses in the accountability for Secret documents were identified by a Classified Document Control Action Team in late 1986. Therefore, the requirement to conduct an ``initial inventory'' of Secret documents was included [for both Department elements and contractors] . . . This new Secret document inventory requirement was not fully implemented. Even so, a partial inventory revealed that thousands of Secret documents were accounted for: Failure to complete the required complex-wide 100% inventory of Secret documents on a timely basis has resulted in an unsatisfactory condition . . . The estimated number of Secret documents throughout the complex was 6,165,969. The number of documents inventories at that time [October 1989] totaled 3,299,936, and there were 5,716 unreconciled or unaccounted for documents. Interestingly, control of Top Secret documents was found to be satisfactory. No Top Secret documents were unaccounted for.\1\ --------------------------------------------------------------------------- \1\ Report of the Secretary's Safeguards and Security Task Force (the ``Freeze Report''), December 1990, pp. 17, 70-71, emphasis added. --------------------------------------------------------------------------- b. National Industrial Security Program Eliminates Secret Accountability The National Industrial Security Program arose in response to President Bush's National Security Review 25 (4 April 1990). It was an attempt to develop uniform security policies for government contractors in the interests of cost efficiency. As President Bush put it: ``The development of a single, coherent and integrated industrial security program should be explored to determine the extent of cost savings for industry and government while improving protection of our national security interests.'' In the early post-cold war days, cost savings were given higher priority than improved protection, and requirements for Secret document accountability at contractor facilities were soon dispensed with. (Secret document accountability within most government agencies had been abandoned decades earlier.) A DOE security official articulated DOE's opposition to document accountability at a 1993 meeting of the NISP steering committee:\2\ --------------------------------------------------------------------------- \2\ Minutes of the NISP Steering Committee Meeting of 20 July 1993 (unpublished). --------------------------------------------------------------------------- Ed McCallum, DOE, advised that DOE does not concur with retention of SECRET accountability, stating that it is very expensive to account for SECRET when such a security requirement can so easily be circumvented. Moreover, Ed stated that in his opinion, such a security requirement dictates that an inspector spends a good portion of their time in an inspection ``chasing paper,'' rather than concentrating on the real security vulnerabilities at the facility. The Central Intelligence Agency representative at the meeting also expressed opposition to accountability for Secret documents. The Defense Department favored accountability, but ``with a more liberalized approach to the administrative methodology employed by the contractor.'' Ultimately, a requirement for Secret accountability was eliminated government-wide by the National Industrial Security Program Operating Manual, published in 1995. c. The Higher Fences Initiative: Increased Classification for the Most Sensitive Information In 1993, then-Energy Secretary Hazel O'Leary established a ``Fundamental Classification Policy Review'' (FCPR), a comprehensive review of all DOE classification policies that was intended ``to determine which information must continue to be protected and which no longer requires protection and should be made available to the public.'' It was endorsed by Congress in the conference report on the FY 1994 Energy and Water Appropriations Act. This was the first comprehensive review of DOE classification in fifty years, and was conducted by government scientists from DOE and DoD. To my knowledge, no other government agency has undertaken a comparable review of its own classification policies. Along with numerous recommendations for declassification, the Review also include a call for increased classification of 137 categories of certain highly sensitive nuclear weapons information.\3\ This recommendation became known as the Higher Fences Initiative, since it envisioned higher, Top Secret security ``fences'' around a small, select subset of very sensitive information. [It may be noted that any such upgrade to Top Secret would entail document accountability for the affected information, among other increased protections.] --------------------------------------------------------------------------- \3\ Report of the Fundamental Classification Policy Review Group, Dr. Albert Narath, Chair, unclassified version, December 1997, page 26. An initial draft report was published for public comment on February 1, 1996. --------------------------------------------------------------------------- Contrary to some erroneous news reports, the recommendations of the FCPR were accepted by Secretary O'Leary and formed the basis for ongoing negotiations with the Department of Defense beginning in 1997. However, the proposal to upgrade certain Secret information to Top Secret was rebuffed by DoD for cost reasons, even after DOE had significantly shortened the recommended list of 137 topics. DoD explained its opposition to Higher Fences in a 1999 letter:\4\ --------------------------------------------------------------------------- \4\ Letter to General Eugene E. Habiger, Director, Office of Security and Emergency Operations, U.S. Department of Energy, from Hans Mark, DDRE and Arthur Money, ASD(C3I), Office of the Secretary of Defense, December 17, 1999. --------------------------------------------------------------------------- Even working with this significantly shortened list, we anticipate that the costs of implementing such a program would be substantial. They would extend to such requirements as the upgrade of clearances with Single-Scope Background Investigations, the establishment or addition of TOP SECRET storage facilities at government and contractor facilities, the sanitization of SECRET-level computers and computer networks where this information currently resides and institution of new TS-level capabilities, etc . . . In addition to purely financial considerations, the DoD is concerned that there may also be operational costs. For example, the ability to respond to urgent stockpile problems may be inhibited if it should happen that the necessary responders are not cleared at the appropriate level . . . This DoD assessment provides a vivid illustration of how security professionals may balance the competing interests of security, cost, and ease of operational use in different ways. Neither DOE nor DoD is obviously wrong, nor is either agency clearly derelict or oblivious to security. They have simply reached different, and conflicting, professional judgments. (It should be noted in passing that DOE's Secret-Restricted Data [SRD] category is comparable in some respects to ``ordinary'' [i.e. non-Restricted Data] Top Secret elsewhere in the government. So, for example, the ``Q'' clearance required for access to SRD is approximately as rigorous as the Top Secret clearance. For that reason, DOE relies heavily on SRD and has rarely used the classification category ``Top Secret Restricted Data,'' which entails security measures beyond those required for ordinary Top Secret elsewhere in the government. The 1990 Freeze Report found that there were no more than 3,451 Top Secret documents throughout the entire DOE complex, a comparatively minuscule number.) DECLASSIFICATION AS A SECURITY MEASURE Neither the declassification measures nor the classification upgrades recommended by the Fundamental Classification Policy Review have been fully implemented by the Department of Energy. Both aspects of the Higher Fences Initiative deserve continued consideration. Since the need for increased protection may seem obvious at the moment, I would like to stress the equal importance of relaxing protection in areas of lower sensitivity, i.e. declassification. There is a tendency among some to believe that greater secrecy translates directly into greater security, and that declassification means increased vulnerability. This is not so. Declassification is an indispensable component of a rational information security program. Removing information that is obsolete or no longer sensitive from security controls through declassification keeps security focused where it is most needed. It also preserves the credibility of classification, which can otherwise become simply a bureaucratic habit, instead of a vital instrument of national security. Any information security reform program that does not provide for appropriate declassification is incomplete. NUCLEAR SECRECY IN PERSPECTIVE The Department of Energy should make every reasonable effort to ensure the protection of sensitive nuclear weapons information. But no more than a reasonable effort. The limits of what information security can achieve should be understood by everyone concerned so that responsible security policies can be formulated and implemented. In the first place, it should be obvious that information is only one ingredient in nuclear proliferation, and it is not the most important one. No nation or sub-national group can use classified information to build a bomb unless it also has access to sufficient quantities of suitable nuclear material, and an engineering and manufacturing infrastructure to produce the bomb. But if it has the latter two items--the nuclear material and the engineering capacity-- then it can dispense with classified information. Thus, ``Access to classified information is not necessary for a potential proliferator to construct a nuclear weapon,'' according to a 1995 report of the National Academy of Sciences.\5\ This is partly due to the fact that much information about nuclear weapons design has been declassified since 1945, and partly due to the fact that such information, classified or not, can be independently replicated. --------------------------------------------------------------------------- \5\ ``A Review of the Department of Energy Classification Policy and Practice,'' National Academy Press, 1995, p. 19. --------------------------------------------------------------------------- Fundamentally, it is not within the power of any classification system or any information security policy to prevent the proliferation of nuclear weapons. The most that classification of scientific or technological information can generally accomplish is to delay the independent achievement of any particular scientific discovery or technological feat. But discovery or duplication cannot be prevented. Thus, according to a DOE report, ``The considerable progress of Iraq toward becoming a nuclear power was largely independent of U.S. classification policy.'' \6\ --------------------------------------------------------------------------- \6\ ``Classification Policy Study,'' prepared for the Department of Energy by Meridian Corporation, July 4, 1992, p. 35. --------------------------------------------------------------------------- Finally, everyone should understand that the number of nuclear weapons secrets is diminishing and will, in time, approach zero. The ``economics'' of nuclear secrecy favor disclosure, not continued secrecy: Secrets that took hundreds of person-years and billions of dollars to invent can be disclosed by a single individual and disseminated around the world in an instant at no cost--whether through official declassification, independent discovery, foreign disclosure, espionage, malice, dissent, or error. In short, it is far easier to disclose nuclear secrets than to create them. And unlike the secrets of diplomacy or intelligence, nuclear secrets are not replenished on a daily basis. There aren't many fundamentally new ones being created. As a result, we must anticipate that, whether in five years or twenty-five years, there will be no appreciable nuclear secrets left to protect. Some would say we are there already. CONCLUSION: ENDS AND MEANS Information security is a means to a larger end, and is not an end in itself. The frustration generated by recurring security failures at the weapons labs tends to obscure this distinction. So, for example, a proposal recently offered in the Senate would ``short-circuit'' the necessary balancing of security, costs, and mission performance discussed above by simply declaring that ``the protection of sensitive and classified information'' should be ``the highest priority of the National Nuclear Security Administration.'' \7\ But in the real world, the NNSA must have higher priorities than protecting information. Sometimes, one or more of its mission priorities--including the promotion of international nuclear reactor safety and nonproliferation, for example--will require the sharing or disclosure of classified information, not its protection. --------------------------------------------------------------------------- \7\ ``Implementation of Security Reforms at the Department of Energy,'' a sense of the Senate resolution introduced by Senators Kyl and Domenici, June 21, 2000, Congressional Record, pp. S5573-4. --------------------------------------------------------------------------- The biggest risk of all concerns the institutional health of the DOE national laboratories. Whether one is committed to stockpile stewardship, to deep cuts in the U.S. nuclear arsenal, or to dismantlement and eventual abolition of nuclear weapons, the availability of a cadre of skilled nuclear weapons professionals is a prerequisite for the foreseeable future. These professionals are becoming an endangered species, and the laboratories are becoming a deeply unattractive place to work. Whatever the defects of current security policy, and whatever reforms are ultimately determined to be necessary, the viability of the national laboratories is an even larger and more important issue. The labs should not be sacrificed in the name of an unachievable absolute security. Mr. Upton. Thank you very much as well. We will now proceed to rounds of questions like we did with the first panel of 5 minutes for each member. Lab directors, Drs. Robinson, Browne and Tarter, what authority did you have as individuals in terms of overseeing the NEST security at your particular labs? Dr. Robinson? We will start and go in order. Do you have a direct chain-of-command link in overseeing in terms of what they did in security? Mr. Robinson. Certainly all the activities conducted on my site, I am directly responsible for including the security and the operations. When the NEST team is deployed to the field, they must operate under the rules of the particular site. We, thank God, have mostly deployed them for exercises at other sites, rather than actual threat conditions. They operate under the site rules at that site under those conditions. Mr. Upton. Dr. Browne? Mr. Browne. My answer would be very similar. I am responsible for all activities at the laboratory. I think in the case of this particular NEST program at our laboratory, I did uncover some issues that I believe could have contributed to the particular incident. One of those was that in looking at the security plans that were in place, they are pretty explicit that people are supposed to take care of the information, according to DOE Secret restricted data rules. What was missing for me personally was that there was no cross-cutting NEST security plan. There were pieces of security plans. There was computer security plans, et cetera. There was no signature on those computer security plans or other security plans of any line manager of my laboratory. That is not typical of how we would run a program. Someone in line management who is responsible for the people, the facilities, would be in the chain of command for ensuring that the practices of the activities of the people were being actually followed. So I think that may have been a shortfall. Mr. Upton. You did not know about those shortcomings until it was discovered that the two hard drives were missing? Mr. Browne. That is correct. Mr. Upton. Dr. Tarter. Mr. Tarter. Again, a very similar answer on our site. I am responsible. We are responsible for the security process. I think our NEST program people had a set of procedures, both for having personnel within the program, for having them vetted for the program, for having the spectacular security things that we implemented on the site. On-site, of course, they are under the direction and the rules of whatever site they do their work within. Mr. Upton. Can you also tell me the differences in functions, if there are any, between the NEST teams at each particular lab? Mr. Robinson. Let me go first. I think ours are the most unique. Sandia's responsibility concentrates on the arming devices, the electronics and how one might overcome those, rather than the nuclear design. Consequently, we had no analogous cores for NEST in any of our vaults. Mr. Browne. We have several functions in the NEST program. One is a group of people who are very good at measuring radiation so that one can detect the presence of nuclear devices and determine what might be there. There are also some people who are good about analyzing how one might--not disarm but disable a device. And the third party is the device assessment team. That was the team that was involved in the X Division incident in the loss of the hard drives. Those are the people that one would turn to to evaluate if you found an unknown object in the field--what it was. Mr. Tarter. Essentially identical with Los Alamos. Mr. Upton. General McBroom, what type of relationship did you have in establishing the security of the NEST team? And specifically, why--you know, again, I mentioned this in the first panel, I would--it would seem to me that there is no data--there is no data more important than what was on those hard drives that were missing and how in the world could it possibly be classified as Secret versus Top Secret? Mr. McBroom. Yes, sir, I not do classification, although I am going to take a course in it so that I can do it in the future. I would like to make those calls. We are looking at an equipment guide that we are going to put out pretty soon, which will classify all the equipment which we deal with in NEST. But I really can't address the equipment on the hard drive. Those are classified at the site and primarily with the scientists and with the security people. Mr. Upton. And to answer the second part of the question, what type of oversight did you have working with the lab directors to try and ensure---- Mr. McBroom. Oversight at the lab is lab daily business. They may have 40 different programs or 50 different programs going on there. They can't have 50 different people trying to manage everything. There is a comprehensive lab program that manages all equipment, all security; they do the training, they do everything at the lab. Now, when they deploy to the field, then we provide some oversight, but they still use the procedures from the site. Mr. Upton. So did you feel removed then from the security aspect of the material that they use? Mr. McBroom. Well, to some degree, because my focus is emergency management. My title is director of emergency operations, so what I do is handle an emergency. In handling that emergency, I look at security, safety, all of these things as normal course of business. But that is not my focus. I am more worried right now about Los Alamos floods than I am anything else. Mr. Upton. How about their fire? Mr. McBroom. I was worried about that when it happened, sir. Now it's all burned up and it is not going to be a problem. Mr. Upton. Mr. Stupak. Mr. Stupak. Well, it will be a problem with flooding because of the pollution that is there, and it is going to affect the river and the streams and everything else around there, correct. Mr. McBroom. It could be a big problem. I am heading out there next week. Mr. Stupak. General Habiger, you indicated that you were going to provide a time line. You had those minimum controls up there and you said you wanted to show how DOE developed though time lines, you could provide a time line? Mr. Habiger. That was my request of GAO. If GAO were to go look across the government, you would see that we lagged the rest of the government. Mr. Stupak. By ``rest of the government,'' NSA, CIA? Labs? Mr. Habiger. State, Defense, yes, sir. Mr. Stupak. Because we are all under this one national security standard that came up in 1988, 1990 I think it was implemented? Mr. Habiger. Yes, sir. Mr. Stupak. So that was the impetus for these minimum controls? Mr. Habiger. Yes. Mr. Stupak. Regardless--I will direct this to the lab directors--regardless of what minimum controls at the labs may be under, there is no reason to lose documents or hard drives, is there? That does not fall under some minimum control saying that it is okay to lose these; right? Mr. Robinson. Of course not. Mr. Stupak. Okay. So we can't blame these time lines or minimum controls for what happened? Mr. Browne. Correct. Mr. Stupak. Were the labs--excuse me, the University of California, were they involved in this one national security standard? Do any of you gentlemen know that? Mr. Browne. In setting the standards? Not to my knowledge, I don't believe they were involved at all. Mr. Stupak. Okay. Dr. Browne, how long is a contract usually? Mr. Browne. It is a 5-year contract. Mr. Stupak. So the earlier testimony about the Secretary, average lifetime of a Department of Energy Secretary being less than 2 years, that wouldn't impact your contract in any way, would it? Mr. Browne. Well, the contractual relationship is usually handled by more than just the Secretary. There are people in the Department who have the continuity between various contracts. Mr. Stupak. So the change in Secretary really doesn't affect the continuity of that? Mr. Browne. Not directly. It can, I guess, depending on the Secretary's personal interest. Mr. Stupak. And the University of California, if my memory serves me right, has had these contracts for the last 50 years; correct? Mr. Browne. That is correct. 47 years at Los Alamos. Mr. Tarter. 48 years. Mr. Browne. 57 at Los Alamos. Excuse me. Mr. Stupak. In those contracts it talks about security, do they not? Mr. Browne. The most recent contracts that I have looked at which date back to 1992, it is explicitly called out in the contract. Mr. Stupak. For security? Mr. Browne. That's correct. Mr. Stupak. So if there's been a problem with security, we can't blame DOE, we can't blame U of C, we have security responsibilities that we all have to adhere to; correct? Mr. Browne. That's my opinion. We all must share responsibility for security. Mr. Stupak. Well, in the short time that I have been on this subcommittee now, 6 years, it seems like we are always back here talking about security at labs. So we just can't blame DOE, the labs have to share some responsibility here too. Mr. Browne. Absolutely. Mr. Stupak. Okay. And if the hard drives were missing at the end of March, it would appear that they were not lost in the confusion of the fire then at Los Alamos. Mr. Browne. That's correct. I don't think you can blame this incident on the fire. Mr. Stupak. Okay. Mr. Glauthier, in June, I and six other members of this subcommittee asked the Secretary to terminate the contract with the University of California for the Los Alamos Laboratory because of its repeated security and other violations, and, frankly, its refusal to take responsibility for or to fix the problems. This contract has never been up for bid. I think we have established today it's 47, 48 years. But from your testimony it sounds like the Department is going to make some cosmetic changes and let UC continue on. Am I reading it properly? Mr. Glauthier. No, we believe that this is a significant change. The current contract at Los Alamos I think is 57 years, the director said. And what we are going to do now is a change. For the first time, we are going to have another firm be responsible for the security and probably some of the other industrial-type practices at the site. I do want to be clear, though, that that is not to relieve the university or any of the laboratory employees from their responsibility to also take the proper care of secure information, classified information and materials and the like. But the practices of who is inspecting the vaults, who is actually being sure that the procedures are being carried out properly---- Mr. Stupak. But if you are going to have a separate firm or separate entity be involved with security operations, which UC does not control or is responsible for, it sounds like it's just really another disaster waiting to happen. How is this new firm, entity, going to really carry out the mandates of the Department or what Secretary Richardson wants and what GAO pointed out? It seems like there is an atmosphere within these labs that just doesn't do it. How is another entity going to fix that? Mr. Glauthier. Well, the atmosphere is necessary to deal with no matter how security is done. What we are talking about with this firm is some organization to actually have a targeted responsibility to see that the requirements are sensible, appropriate ones at the site, follow through, make sure they are being implemented. We talked earlier about implementation. We need to see that they are actually being carried out. There are several models and the Secretary---- Mr. Stupak. Who is going to carry them out, this new firm or UC? Mr. Glauthier. The responsibility for actually performing security is going to be one that individual scientists will have to have. For example---- Mr. Stupak. So University of California, then? Mr. Glauthier. If the scientist has got a classified document, that person is responsible for putting it in the right place at the end of the day or transporting it in a proper way. Mr. Stupak. If I am a scientist and I work for UC and I am responsible for this document and I am responsible for it and I am there, and this other firm or entity comes in and tells me to do something different, who would I look to then as the scientist? Am I supposed to listen to the so-called new security entity who I have no contractual relationship with, who I can say buzz off because you have nothing to do with my evaluation, or do I listen to UC? Mr. Glauthier. First of all, we are not sure whether there will be a contractual relationship or not. That is part of what Under Secretary Gordon will be looking at over the next several months, whether this ought to be a subcontract to the university, a joint venture, or separate contracts. All of those models are on the table. But the management of the university at the laboratory will be responsible for seeing that all of its employees are carrying out procedures. They have the line responsibility to make sure it's all being managed properly. Mr. Stupak. Have you discussed this with Dr. Browne? Mr. Glauthier. Yes, we have. Mr. Stupak. Any comment on it? This other entity? Mr. Browne. My opinion is that whatever mechanism the Department of Energy comes up with, we are still going to ultimately be responsible because we not only have the information, we create the information. The scientists are creating the information that winds up on the hard drives or pieces of paper. So we can't get away from that individual personal responsibility at the working level or at the management level. Mr. Stupak. Thank you. Thanks for letting me go over, Mr. Chairman. Mr. Upton. Mr. Burr. Mr. Burr. To both the generals, do you both agree with what the Secretary just said about a decision at the labs to break out security separately and negotiate a new contract with the labs that would allow you to put a security entity in place to be in charge of security? General Gioconda? Mr. Gioconda. Sir, I am the staff officer that is assigned by the Secretary to come up with the range of recommendations. Mr. Burr. Is this your recommendation? Mr. Gioconda. The range of options to choose--yes, sir. Mr. Burr. It is? General Habiger, are you in agreement with it? Mr. Habiger. Sir, I will defer to see what General Gordon comes up with, sir. Mr. Burr. I will take that as a very hesitant answer. Mr. Habiger. It is. Mr. Burr. I appreciate it, then. I appreciate the honesty. Because I am sitting here as a member, and the last thing I want to do is try to make some decision as to what the proper security is for Los Alamos or for Livermore or for Sandia. And for some of the people that come in here and testify, I feel like I have been there as many times as they have, once. And the last thing you need is input from me. But we have had an opportunity over the last several years to see the problem in its totality. And one of the problems is the right and the left hand never see each other. One of the problems is that the line of communication--and I think Mr. Robinson said it very well in his testimony--just does not exist to the degree it has to for something as sensitive as national security. And for that reason, I am flustered, for the lack of a better word right now, to believe that we can just go out and renegotiate a contract, bring in a new entity, call this a security program and without fundamental changes in the line of communication, both with the labs, the new security company, walk away and feel good and believe that anything is different. One of the problems I am convinced today, right or wrong, it was believed that there were areas that the labs weren't responsible or did not think they were responsible for as it related to special programs, because I can't believe that there wouldn't have been stricter things in place if they thought it was their decision. And I think they have expressed, through faxes and through conference calls, hesitancy with the deterioration of some of the security methods. So it sounds great, Mr. Secretary, but I don't think it can work without a significant fundamental change to the operation, both on the labs' part and the security part. And if we can accomplish that, I am not yet convinced that they can't continue to supply the appropriate security, and we have eliminated another layer that might further blur the problem down the road. It is a personal observation, and I wait with some degree of anxiousness to watch how, in fact, this is structured. Mr. Secretary, on March 1, 1999, these three directors had a conference call with Secretary Moniz, and they faxed to him a recommendation to reinstate the formal accountability. Do you know what happened to that recommendation? Mr. Glauthier. I am not clear exactly what happened. I understand that that was written up after a meeting at which some of those topics were discussed. Mr. Burr. I believe it was a conference call between the three directors, am I correct, to any of the directors? Mr. Robinson. That was my memory, yes. Mr. Glauthier. When I discussed it with the Under Secretary yesterday, he did not have a recollection of the specific memo and the like. It's clearly a topic that was discussed at some level, and it was at a time when security issues were very prominent last year, as you recall. The Secretary and the Department took a lot of action on various fronts. We had, as I indicated in the testimony, about 50 different security and counterintelligence measures that were implemented as a result of last year's event. So I think that this must have been a part of the overall pattern. But it came in just before I arrived and I am not sure exactly what happened to it. Mr. Burr. Let me just read the last paragraph. I don't think I read it when I entered it into the record. And I assume that it got there, and maybe somebody can tell me whether it was acknowledged: ``The directors of all three of the DOE nuclear weapons design laboratories are in agreement that the former controls should be reinstated as quickly as possible. This recommendation is presented to the Under Secretary and counterintelligence officials for their evaluation of what, if any, problems might result from prompt reinstatement of the previous policy.'' Let me ask General Habiger--I think you have been there the longest--next. Did you have any recollection of this? Or was it ever mentioned to you? Mr. Habiger. No, sir. The first I was made aware of that was approximately 2 weeks ago. Mr. Burr. I hope all of you can understand how that makes us feel as we try to wade through this. There were some pretty good signs from our lab directors, we do not think we are doing the right thing, that seem to not only have been discarded by the individuals that were given those, they can't even be uncovered now except for the process that we are going through. I know that we will have another round, and I thank the chairman and I yield back. Mr. Upton. Thank you. Mr. Cox. Mr. Cox. Thank you. I just want to register--I'm sorry Mr. Stupak has left--my strong agreement with my colleague from Michigan. He is absolutely right. The Department of Energy used private security at foreign launches--the Department of Defense, I should say, used private security at foreign launches, and it was a failure. And one of the recommendations of Congress was to make sure that we take that responsibility on as the U.S. Government. The U.S. Government is responsible for the national security. It must not be privatized. And the notion that we are going to, because we necessarily use academics when we are trying to contract for science, that we are going to contract now additionally for security ought to be unacceptable on its face. That is why Congress created the NNSA. Congress created the NNSA so that there would be a clear line of authority virtually independent of all the rest of the bureaucracy at the Department of Energy, and it would have exclusive responsibility at the national labs over intelligence and counterintelligence, for example. But I am hearing here today another endorsement of blurred lines of authority, and I wonder whether you could, Mr. Glauthier, explain why it is that Congress should look favorably upon bringing in additional private contractors to be a new layer of authority in providing security direction for the national laboratories? Mr. Glauthier. Certainly, Congressman. First of all, we agree very much with the need for line accountability and for clearing up what has been, in many cases, a blurred sense of responsibility, of staff versus line responsibilities in the Department. We want very much to see the NNSA responsibility carried out very directly from Under Secretary Gordon to Defense Programs, to the field offices, to the laboratories, and have that accountability apply to missions and security and safety and all the other functions there. Having said that, we also see in the past that the experience of the laboratories has not always been outstanding in some areas that are not the science areas. Science is clearly their forte. It is the strongest area. But security, construction management, some other things that are not as closely allied to the academic areas, for the University of California labs at least, have not been as outstanding. And it is those areas we are looking to try to strengthen. We might do it through a joint venture with the university and another firm. I have talked with the provost and the management of the university about different models. They feel very strongly that they ought to have some continued responsibility. Mr. Cox. What the laboratories are telling us is that they are creating the information--and I think we are misusing the term ``responsibility'' here, because--or at least we are using it in multiple senses. Obviously, lab employees, scientists and others, are responsible for the information they handle. They are responsible in that sense. But it should be equally obvious that every employee cannot be equally responsible for establishing the rules. And that ought to be the responsibility of someone who clearly has authority to implement those rules. And when the rules aren't followed, there ought to be clear accountability, which we have been lacking every time we have had an oversight hearing when something goes wrong. And every group that has looked at this, the Select Committee that I chaired, was one in a long stream that extended earlier and went beyond that, all said the same thing. Everybody that has looked at this has said that the lines of authority are not clear, and that is why the Congress created the NNSA. Now, earlier when we had a report from the Office of Independent Oversight and Performance Assurance, we heard from the head of that office that he does not know much about polygraphing; he does not know much about counterintelligence, and so on. The compartmentalization of this and the blurring of lines of authority is incongruous with the real world. If you take now a private contractor and slide them in between the Department of Energy, the NNSA, the lab management, and so on, I cannot imagine how that does not make matters worse. Obviously, they are going to be setting the rules--or are they not going to be setting the rules? What are they going to be doing? Mr. Glauthier. Their focus will largely be on implementation. They will set some of the specific practices for how to actually live up to the standards. Mr. Cox. So when they are setting specific practices, do the labs report to them? Mr. Glauthier. Well, I think, for example, what kind of a log should there be in the vault? Mr. Cox. Let me ask a more specific question. How does this private contractor relate to the NNSA? Does it work for the NNSA? Mr. Glauthier. Yes. Mr. Cox. All right. And does it work for the lab or above the lab? Mr. Glauthier. Well, that is part of what General Gordon is supposed to decide this summer with the university. Should it work directly for the NNSA in parallel with the University of California contract or---- Mr. Cox. What is the advantage of not making these people employees of the U.S. Government and the NNSA? What is the advantage of having it be privatized? Mr. Glauthier. Well, they are it is already not employees of the Federal Government. They are now the University of California employees, in the case of those two laboratories. Mr. Cox. The function you are talking about creating does not presently exist. You are talking about going out presumably to the private sector and sliding it in. So it is not fair to say that presently it exists when it isn't created yet. The NNSA does not yet exist. Even though the Congress passed the law a year ago, the administration has so dragged its feet that we have had nothing. And of course, the politics in the Senate as well, the minority in the Senate held up the confirmation of the administrator, as you know. Now we are finally getting it off the ground and it is just a matter of weeks now. With the NNSA just now getting up and running, why would we not want to have the NNSA perform the functions that Congress just gave it in statute? Those very functions you are talking are about the statutory functions of the NNSA. Mr. Glauthier. And we do intend for the NNSA be responsible for carrying this out. The way they perform most of their functions is through contractors at the various facilities. So it will be natural for them to use a contractor in some mode. The question is in what mode? What's the right way? Should it be through the university or in parallel to it? Those are things I think they need to---- Mr. Burr. Will the gentleman from California yield for a clarification? Do you also envision that the field offices would be in charge of the evaluations for the security company as well, the DOE field offices? Mr. Glauthier. The field office, in their role as administering the contracts, would continue to do that. We have, as you saw this morning also, an Independent Office of Security Oversight headed by Glenn Podonsky. We would expect that office to also provide oversight and evaluation of these activities. Mr. Burr. I thank the gentleman for yielding. Mr. Cox. Well, I think we are headed off in the forest here. I think it is going to get much worse if you do this. Mr. Upton. Ms. Wilson. Mrs. Wilson. Thank you, Mr. Chairman. I would like to pick up this same line of questioning here, and I am glad that there are some members of the DOE at this table who are skeptical about this proposed new arrangement, because I think it exacerbates the very problem that we are identifying here, and it sounds pretty dysfunctional to me. I have to always put things in a little bit simpler terms, I am afraid. At our house we have some rules. You have to close the front door when you come in and out. You are supposed to keep the lid on the jug of milk. You are supposed to close the refrigerator door and push in your chair after you get up from the table. We repeat those rules. We try to be clear about those rules. We train to those rules. And there are consequences if you do not follow those rules. But what I hear you saying with this new contract here is that you are going to bring somebody in and post the rules on the refrigerator, and then you are going to come in and check and see if people have done what they are supposed to do. But I am no longer in charge of training and controlling and repeating and consequences and all those things. That may be a little simple, but that is kind of the way I see this new security contractor. And I wonder if perhaps, since I noticed, Paul, you referred to, in your testimony, the importance of integration, and since you are not the direct guy who is immediately affected by this possibility of a new contract, if this kind of thing were imposed on the other labs, would it work? Mr. Robinson. I am worried about anything that splits the authority and responsibility. As I said in my written testimony, I believe the preferred direction is to try and streamline authority, responsibility, and accountability. Only if you do that do you have a chance of knowing who is responsible and being able to take action. I also am a believer with a little bit of experience over time that when you have that clean line of responsibility, people, in fact, grow to deserve it instead of shrinking from it if the lines are blurred. Mrs. Wilson. Thank you. I want to change the subject a little bit, because I have some questions about the NEST chain of command. And I wonder if maybe General McBroom, you are the person to ask this. Can you describe the chain of command for the NEST and who is responsible for what? Mr. McBroom. There is normally--we pay for a couple of people in each site. The number varies. Most of them we pay them, I think, seven full-time salaries at Los Alamos, but that includes the secretary, and we have a small contingent there that works primarily on NEST operations, and then we will have another couple hundred people that do not. Normally, there is a designated point of contact at each site that we deal with from the staff that deals directly with the NEST team. So that chain of command would go from myself to my program manager at the staff, right down to that program manager at the site. Mrs. Wilson. The University of California said in a letter on June 20, and Dr. Browne also mentioned it in his testimony, that line managers at labs had little or no access to ensure that lab safety and security rules are met for these close-hold programs. Is that--do you agree with that? Mr. McBroom. I think that there was nothing preventing them from doing that. I think that there was some confusion at the site. I would go that far. But I mean, there is nothing--I went back to the--I have been there for 9 months now. I went back to the two previous directors and talked to both of them and they both said no, definitely we've never said that people can't look at it, that it shouldn't be looked at or anything like that. Mrs. Wilson. But there was confusion as to who was responsible? Mr. McBroom. I think there was some confusion there. I hope--I sent something out the first week of June moving the control to Albuquerque Operations. Because the operation, when I got there, was done with the headquarters deploying with the teams. And I thought that kind of confused the mission, the oversight mission and the--and what we were really supposed to be doing at the headquarters. Mrs. Wilson. General, when was the last time the Department of Energy did a program-wide security audit or assessment of the NEST program? Mr. McBroom. I have no idea. I am a force employer. I am not a security person. That is a security question. Mrs. Wilson. Who would be responsible within DOE? You talk about this is a team drawn from people from all over the country, all different responsibilities; they end up in some airport somewhere. Who within DOE is responsible for this whole thing? Mr. McBroom. When they are on the road? Mrs. Wilson. No--well, for the program. Who runs the program? Mr. McBroom. I run the program. I am responsible for the team when they are on the road. When they leave that lab, I have operational control. I do not have administrative control. Administrative control, disciplinary action, firing, things like this, remains with the lab. Just like when they are on the road, they follow lab procedures. My people are out there to focus on the emergency and to help the scientists do their job. At the same time, we look at security and safety just from a standpoint of doing the way the headquarters said we should do it. Mrs. Wilson. Dr. Browne, did your folks feel as though they had the authority to do security audits of the NEST team? Mr. Browne. Well, I think you hit one of the points that the General referred to about some concerns at our laboratory. Our program manager, who I am no longer allowed to talk to because of the FBI investigation, but what I can talk to you about is that he wore a couple of different hats. He wore a hat inside the laboratory where he reported to our management for organizing and coordinating the program inside the laboratory, and he also wore a hat for the Department where he was responsible for activities at Livermore and Sandia. He made some comments to our security people that they were not allowed to look at the NEST operational security because that was his function. And my opinion is that there was a lack of formality of operations that would have clearly defined the roles and responsibilities of people at Los Alamos for this program. I think it's missing. You know, I'll share some of the blame for that. I think we should have caught that. But, in fact, I believe it was missing. There was no line manager that had his or her signature on that plan, the security plan. Mrs. Wilson. One final question, Mr. Chairman, if I may. This memorandum from the lab directors concerning increasing level of security from March, I understand the Under Secretary has no recollection of receiving this. And I can understand that. All of us up here get about 5,000 letters a month. But in our office, we do have a process for identifying, by number, each incoming letter. Does the Under Secretary have a similar system? Mr. Glauthier. We do have that kind of tracking system, and my understanding yesterday, when I discussed this in our office, was that this was never actually submitted to us in the mail or in the normal transmittal system. It was faxed to his office and, thereby, avoided the regular process. It wasn't captured in the regular tracking system. Mrs. Wilson. Let me make sure I understand. The Under Secretary's correspondence management system, you have checked it and you can find no reference to this memo? Mr. Glauthier. That was what I was told yesterday, that's right. Mrs. Wilson. Thank you, Mr. Chairman. Mr. Upton. Thank you. I want to go back to a question that was I focussing on when my time expired a little bit early. Mr. Glauthier, who is the individual or the department that is actually responsible for the classification in terms of security with regard to the material at the labs? Mr. Glauthier. The classification responsibility? Mr. Upton. Who determines whether it is Secret or Top Secret? Mr. Glauthier. I think it is actually at the laboratories themselves, the people who develop the material. No? Mr. Upton. Dr. Tarter? Mr. Browne. There is a classification guide that is developed by the Department that the laboratories provide technical input to. Mr. Glauthier. But the actual decision on a particular document using the guide I thought was actually done at the lab. The guide itself is developed by the Security Office. Mr. Upton. So who would have been responsible? For example, these hard disks--the hard drives that were missing, who actually determined that it was Secret versus Top Secret? Mr. Habiger. We have---- Mr. Upton. Whose chain of command? Mr. Habiger. Chain of command would go from the program office to the laboratory. I have a group of people, who are subject matter experts, develop classification guides. Those guides are then sent to the field offices, the laboratories, and the program offices. Mr. Upton. So are you saying are the directors--ultimately, as they are in charge of the security of the entire lab site, are the three lab directors, these particular NEST tapes that the NEST team lost, is it--was it Dr. Browne's responsibility that they were Secret versus Top Secret? Mr. Habiger. It would be classifiers at the laboratory. Mr. Upton. Who did they report to? I mean, ultimately to Dr. Browne and up, or did they go back to General McBroom or who? Mr. Browne. Mr. Chairman, let's see if I can explain this. Each piece of information on the hard drive by itself was secret RD and would have been classified as such if it were a piece of paper or on an electronic medium. Mr. Upton. Right. Mr. Browne. The compendium, I think, is the issue here, the large amount of information. There was no guidance in existence about how we treat large encyclopedic data bases at a higher level. I would like to mention that I just found out, after I read--after I wrote my testimony, that we did submit in September 1999 to the Department a letter requesting that these hard drives be encrypted. One of the difficulties is that the software for encrypting information, until recently, and I believe General Habiger can point out in more specificity, that it did not exist. So even though we made a request in September, it was not possible to accommodate it. Mr. Upton. Although I am told that, at least at Livermore, some portions of the hard drives have, in fact, been encrypted and at least for a number of months, is that not true? Mr. Tarter. What we did, we used a nonNSA-approved encryption technique because, as Dr. Browne said, there was not an NSA-approved encryption. It was our decision that--we call it--some encryption was better than no encryption. Mr. Upton. Did you share that information with the other labs, or did the NEST teams--was it actually a part of the NEST team that did that? Mr. Tarter. It was part of the NEST team that did that. Mr. Upton. And did they not share that information with the NEST teams at the other two sites? Mr. Tarter. They did, and I have the--you know, we can go into more detail if you wish. I have the head of the NEST team here. I think we had those discussions, and I think in the absence of an official NEST policy and since ours was not approved in the NSA sense, I think it became local option. Mr. Upton. General McBroom, were you aware of that at all? Mr. McBroom. No, sir. Mr. Upton. So you have really wiped your hands clean altogether of the security at the site of the material, is that right? Your role is really just the operations; the phone rings and then out the door and then you have them under charge; is that right? Mr. McBroom. Yes, sir. I am the force employer. They provide a head, two arms, two legs, and a 20-pound brain with a piece of equipment. I employ those people out there. I watch to make sure, while they are in my charge, what they do when they are at that site, but primarily they still come under those rules. Mr. Upton. Dr. Tarter, your answer again as to whether that information was shared between the three teams, it just wasn't done; or was it? Mr. Tarter. We did--we had those discussions with Los Alamos. We said what we were going to do, and I think they chose, in the absence of either an approved status for the encryption technique we were using or formal guidance, to continue with the local option. Mr. Upton. Did you talk to DOE about what you were doing? Was DOE aware? Mr. Tarter. Apparently yes. Again, if you wish, you could swear in the head of our NEST team for a more precise---- Mr. Upton. We might just do that. Just get that--is that individual here, behind you? Mr. Tarter. He retired a week ago but, yes, he is here. Mr. Upton. Just come up and identify yourself for the record. Mr. Tarter. This is Dr. Alan Mode. Mr. Upton. Just remain standing there for just a second. [Witness sworn.] Mr. Upton. You are now under oath. If you would just describe the set of circumstances behind this. I know my time has expired, and I will yield to Mr. Stupak. Mr. Mode. It is, as Dr. Tarter has described, the request and information had been discussed within the NEST community. There was not an approved encryption technique available at the time. DOE had made that request some time ago for an approval from--NSA-approved encryption technique. It was purely a local option. We--our people just felt a little more comfortable. We also recognized that it was not an approved encryption technique, and in one sense you could argue that we were, in fact, acting outside of our bounds by imposing an encryption technique that had not been approved. We encrypted the Livermore portions of the information. We did not encrypt the Los Alamos portions. Again, with their knowledge and---- Mr. Upton. How long did it take to encrypt the information? Mr. Mode. I am sorry. I don't know. We used--in open hearing, I won't say exactly how we did it, but not an extended period of time. Mr. Habiger. Mr. Chairman, if I could point out that NSA, National Security Agency, certified encryption on June 19 and we were the first ones in the government to buy it. Mr. Upton. Right. I understand that, but I think this actually took place--nonNSA-approved happened, what, September last year, thereabout? Mr. Mode. Approximately January 1999. Mr. Upton. January 1999? Mr. Mode. Yes. Mr. Upton. So literally a year and a half it took. Okay. Mr. Stupak. Mr. Stupak. Thank you, Mr. Chairman. Dr. Browne, you said something that bugs me a little bit. You said that you are responsible for the information that would go on the hard drive that--whatever segment it is--and there are many Top Secret segments on this hard drive. Mr. Browne. Secret. Secret RD. Mr. Stupak. Okay. Secret? Mr. Browne. Correct. Mr. Stupak. So in, say, year one, there might be a thousand pieces of Secret on that hard drive? Mr. Browne. It is less than that, but let's say many. Mr. Stupak. But then you said you weren't responsible for the encyclopedia of the information on it there. Mr. Browne. No. I said there is no DOE guidance that tells anyone that once you have accumulated any amount of information, that you should classify it at a higher level. Mr. Stupak. But do you really need a guideline to figure this out? Mr. Browne. We don't have the authority---- Mr. Stupak. I mean, if you have one piece of information that's so important, now you have all kinds of pieces on there, I think that hard drive just becomes more valuable. I don't think I need a government guideline to tell me not to drop it behind the copier. Mr. Browne. Well, I don't disagree with that, but we don't have the authority to classify something Top Secret or not. Mr. Stupak. But you have the authority to provide security and control---- Mr. Browne. Correct. Mr. Stupak. [continuing] for this? Mr. Browne. Absolutely. Mr. Stupak. Because I guess my concern--and is it your testimony that you did not believe you were responsible for security over the NEST team and the information under their control? Mr. Browne. No. I believed I was. My comment was that our security people were told by our NEST program manager that they did not have the right to come in and look at the NEST program operations; that it was a closely held need-to-know program. A limited number of people had access to that program and access lists, and so they were--they were told that they were not to look at this program. Mr. Stupak. Who do the security people work for? Mr. Browne. They work for me. They did not bring that to my attention. Mr. Stupak. So even the people under your control who are doing security, plus your scientists, they don't agree who can look at what and who has control over what? Mr. Browne. That's an issue, and I brought that up with them since I found out about this. Mr. Stupak. So now the proposal is to put another entity out here, yet to be hired, to even have more arguments on who is controlling and who has the authority? Mr. Browne. No. General Gioconda sent me a very excellent letter, I believe it was June 16, saying if there is any confusion about any program, you have the authority to investigate it unless you are directed not to investigate it. I have used that letter now to look into a series of programs that are very similar to NEST. Mr. Stupak. When did you get that letter? Maybe I was out of the room and I had to make a phone call. Mr. Gioconda. I happen to have a copy. [The information referred to follows:] [GRAPHIC] [TIFF OMITTED] T7110.089 Mr. Stupak. How long ago--when was that written? Mr. Gioconda. Well, sir, I sent that letter on June 16 because I was surprised, too. John brought it to my attention. Let me read it to you. Mr. Stupak. Okay. Mr. Gioconda. It says, ``This memorandum is to reconfirm the responsibility of the Nation's nuclear weapons laboratories for assuring that proper security procedures are followed in ALL''--all capitalized--''activities performed on laboratory property or under laboratory auspices. No program can be exempt from such oversight without written approval from me or my superiors.'' Mr. Stupak. That was because labs were saying that they didn't have responsibility here? Mr. Gioconda. They were--as Dr. Browne described, apparently the program manager said stay away from my program. No, he did not have the authority to do that. Mr. Stupak. Well, this is really sort of the same argument that we have been hearing since about 1976 when Mr. Dingell first brought this to our attention. And if you go through this, this responsibility, this lack of accountability, we have had these concerns brought up in 1976, 1982, 1988, 1992, 1997, 1998, 1999 and now again in 2000. We always get these assurances things will be different. Now we have a letter saying they have to be different, but they never really are. And I guess that's the frustration we see on this side of the dais. Mr. Glauthier. Congressman, may I comment? Mr. Stupak. Sure. Mr. Glauthier. One of the changes that Secretary Richardson made in April of last year was a reorganization to make explicit staff versus line responsibilities, and at that time we actually had iscovered that the head of Defense Programs claimed he had no responsibility for security; it was somebody else's responsibility. We made it very clear that that responsibility is a line responsibility, and implementation and accountability for security flows right through the whole organization, but that has been a problem over the years. Mr. Stupak. Sure, but that was last year. And now it seems like we don't get this thing really cleared up now until this June 16 letter here from the General. Mr. Glauthier. I think what you are hearing is one specific area. These NEST programs were a point of confusion at one of the laboratories. I believe, you know, the vast majority of the people understood the responsibility was in fact much clearer, and this was just to clear that one piece up. Mr. Stupak. But it really should be clear that the NEST program manager is a lab employee, right? Mr. Glauthier. Absolutely. Mr. Stupak. I was really interested, Dr. Tarter, you mentioned your own little local option that you put on the hard drives, the encryption? Mr. Tarter. Yes. Mr. Stupak. That's just something that you thought was necessary? Mr. Tarter. It seemed good practice. Mr. Stupak. And security is part of your responsibility, right? Mr. Tarter. Right. Mr. Stupak. Thanks. Mr. Upton. Mr. Burr. Mr. Burr. We have spent a lot of time on the 3-1-99 fax, whether it came or didn't come. Let me just share with you, Mr. Secretary, and this is out of the Redmond report: ``Comprehensive classified document control system--document controls for the most sensitive data of the weapons lab should be reinstituted by the agency director. The program should be constantly monitored by a centralized agency authority to ensure compliance''--basically what the three directors said. So if you didn't get it in March, in June you certainly got the same message from Senator Rudman; and still today, a year later, we don't have that policy back in place, or if we do it's a recent one. And, General Gioconda, I want to commend you for recognizing there might have been a lack of communication on the labs' understanding of their jurisdiction and where it did or did not stop, and your quick response to get a memo out that says, no, here is where it extends to; because I think that's the type of thing we have got to clear up, some of the misunderstandings that exist, if we are going to move forward at all, and I think that the directors, though they may not always be in agreement, I think they are appreciative of clarification. Mr. Gioconda. Sir, I have only been in an acting capacity since August of 1999. I am a history major, so I went back and read all of the history that you have read. It really boils down to--and I just want to say--because I got the impression that when I gave you a ``yes sir,'' that I am supportive of the decision to go and look at options and how to make this situation better, that somehow was a problem. I would wait until you see what Under Secretary Gordon comes out with on 5 September, regarding negotiations with the University of California before you make your judgment about whether this can work, because this decision will be made within the NNSA process. General Gordon is my boss. I am the Acting Deputy Administrator to him for Defense Programs. But it really boils down to four things. When I took over and told everybody here at the table that it is, one, you have to stay focused on the mission, and we have to be very clear to do that. Really, the mission is safe, secure, and reliable nuclear weapons. It isn't harder than that. And if we do anything to damage that, I am concerned about any security, any arrangement we have. That's important. Mr. Burr. So you feel confident--I may not be here and you may not be here, but there will be someone on this subcommittee, if it doesn't work, who asks the question why did they do this and why didn't they have more vision than that? Mr. Gioconda. Yes, sir. Mr. Burr. I am not prejudging it. I am raising what I think are legitimate questions but, more importantly, legitimate concerns based upon my interpretation of the history that I have read and certainly what I have seen firsthand for the last 5\1/2\ years since I have been here as it relates to the relationship between the agency and these labs. Mr. Gioconda. Sir, if I may, two more things. Mr. Burr. You may. Mr. Gioconda. Accountability and responsibility has to be in this environment. I agree with you, as the staff officer that's going to put some of the ideas together, that if you remove accountability and responsibility from individual scientists who create a lot of this data, this won't work. And then the third thing I will tell you is the chain of command. The chain of command has to be followed in this organization, and that's a lot of what happened back in April when they made sure that the line is involved. That's why I am at this table. I am responsible for this incident. Defense Programs is responsible down to the weakest link in its program. We have got to get that across to everybody in Defense Programs, and if you walk around the complex, sir, as I know you have, 99 percent of them know that. Mr. Burr. Well, one of the questions that I had earlier was from--and I can't lay my fingers on it right now, but it was basically the fact that many of the Secretary's initiatives of late, this last round, were not decisions that were based upon conversations with the directors of the labs. And it may have come from Mr. Robinson's testimony, that this was a--this was a somebody makes the rules and somebody else lives by them. This is not a shared process of adults that get together to try to figure out how to make it work the most effectively and the most securely that we can. And I would tell you, that's an important part of the process and any criticism of how we reach that, I would hope that you and others would take it hard and that we would find inclusion in the process. I have just a couple of--I know my time is already out, but I have to finish this before I go because I have got a meeting. Let me just ask one of the directors, do all scientists sign a commitment to take a polygraph if the need ever arises? Mr. Robinson. They do not. Mr. Burr. They do not. But my understanding, and correct me if I am wrong, NEST members have signed an agreement for a polygraph, if needed? Mr. Robinson. They have not. Mr. Tarter. No, they have not. Mr. Mode. No. Mr. Robinson. What is the case--and let me first go to non- DOE programs where polygraphs have been employed for a decade. If a scientist were going to be assigned to that compartment, they had to then agree to take a polygraph or they could not go into the information in that compartment, but it is not a general thing throughout the laboratory. So it is program- specific, compartment-specific for polygraphs. Over the course at our laboratory, about 220 people were polygraphed as a part of those programs. Under DOE programs, we identified just above 200 people who are members of the compartments that were just made--that polygraphs were just made mandatory. Taking some of the people who had been polygraphed within the previous 5 years, so you didn't have to do them again, our number came down to 171 people. We have polygraphed 46 of those as of a week ago, so I suspect the number is well above 56 at the present time. Some of the members of our NEST team, when faced with the question of a polygraph to continue as members of NEST, chose to opt out and resign from this responsibility. Mr. Burr. So it is not a requirement of NEST now? Mr. Robinson. It is a requirement now. Mr. Browne. I don't think so. Mr. Tarter. No. Mr. Robinson. No? Mr. Burr. Just to express my own frustration, somewhere in--since the latest problem at Los Alamos, somewhere in the conversations, whether it is with labs or whether it is with DOE, I was led to believe that it was standard protocol that every member of the NEST team signed a waiver that said I will be polygraphed if you ever need it. So we can even be mistaken up here, based upon the information that we hear. I hope that if there is a policy on that, somebody would let us know. Mr. Robinson. I have got a clarification from my own folks. Those who are in certain roles within the program have to be, but not all members of NEST have to be polygraphed if they are a part of what is called the PSAP program, Personal Security Assurance Program. Mr. Burr. I would say to Mr. Aftergood, if those people have signed a pre-waiver on a polygraph, I would not expect to see them with a badge on in the facility saying no polygraphs. And you are right, they do have a right to. They also have a choice of where they work. One last thing, Mr. Robinson. You said in your testimony-- and if this is not something we can get into, then certainly feel free to tell me, we will follow up in another way. In your testimony it said, talking about controls on electronic media, said the other issue--talking about two things that you have found as you have gone back and looked at your system--reported on June 30 involved a single 3\1/2\ inch 1.44 megabyte disk that had not been yet located. Inquiry is currently underway in accordance with DOE's procedures. Is that still the case? Have we still got something that's missing? Mr. Robinson. It is unaccounted for at the present time. Mr. Burr. And is that of a nature that we should be concerned? Mr. Robinson. It is always a concern if you have anything that's a secret item that is accountable. I might point out that only because that work group, which is our largest holder of classified information in the weapons engineering department, never took off the accountability system for Secret or Top Secret information, that we in fact know that it is missing; but the content of what is on the disk we know, and it is not of the same magnitude as other things. It is very high-level information. There is no detailed information. There are no figures. Mr. Burr. Well, we are relieved with that. And just for the purposes of my colleagues, I want to point out two things in Mr. Browne's testimony. The first one was, ``since 1994 we have had 19 DOE inspections that cover vault operations. These resulted in two findings.'' One finding that's closed, involving a technical issue regarding alarm testing, and has corrective action. Neither of the two findings address the issues surrounding this incident. And later on in--or earlier in your testimony, I would like to point out, ``the laboratory security programs were reviewed 16 times in 1999 alone.'' I say this for the purpose of everybody here. This is not a question of whether we have investigated, whether we have had enough inspections. I truly think that if we asked Mr. Podonsky to go back six more times to every facility, he would very politely do it. He would come in with a very detailed analysis. Folks, until we all care, until we decide that we are going to make the fundamental changes that have to be made and that I believe the people that we have got in place are capable and willing to make, we are not going to solve the problem. No matter what we come up with in the way of new inspections, no matter what we come up with in breaking the security entity out separately, if you are not willing to make the structural changes and to require the accountability, then you have got to be prepared to keep coming back to this subcommittee. Mr. Chairman, I yield back. Mr. Upton. Thank you. Mr. Cox. Mr. Cox. Thank you. Mr. Glauthier, earlier, not in this round but in the previous round, Mr. Burr asked a question. And then perhaps Mr. Burr can help me. Mr. Burr, as you leave, you and Mr. Glauthier had an exchange about the field offices and the relationship potentially to these new privatized security people we are thinking about hiring. Do you remember what your question was and what the answer was? Mr. Burr. My question was, did the Secretary envision that the field offices would be in charge of the evaluations of this new security entity, just like they are currently responsible for the evaluation of the contractors of the labs, both for their administrative and their security performance? Mr. Cox. And my recollection, Mr. Glauthier, is that you answered yes. Mr. Glauthier. Yes, that's right. Mr. Cox. Now, I don't know whether you have read the House Armed Services Committee Report dated February 2000 on the proposed DOE implementation plan of Title 32? Mr. Glauthier. No. Mr. Cox. Which sharply criticizes the maintenance of pre- Title 32 reporting relationships and specifically focuses on the role that the field offices have played. Let me just read a portion of it. ``The panel notes with concern that the plan''--this is the Department of Energy's plan--``explicitly sustains current reporting relationships between the NNSA contractors''--and these new contractors would fall, of course, into this category--``field offices, and headquarters staff. Thus, NNSA contractors will report to the Deputy Administrator for Defense Programs through the field offices rather than directly to the Deputy Administrator. Several studies have found that this arrangement has generated redundant and confusing lines of authority in the past. Despite strong criticism in the President's Foreign Intelligence Advisory Board and other reports, no changes in the field office reporting structure are contemplated. Furthermore, section 3214 of Title 32 states''--that's the law--``that the NNSA facility should report to the Deputy Administrator.'' Now I have just read while we were sitting here, the whole Title 32 again to make sure I understood the law. Why is it that you are violating the law? Mr. Glauthier. My recollection of the law, I don't have it in front of me, is that it permits us to use a field structure in the line organization if we wish. Mr. Cox. Is the field structure part of the NNSA? Mr. Glauthier. Yes. Mr. Cox. Are the people who work in the field offices NNSA employees and not employees of the Department of Energy? Mr. Glauthier. They are both. NNSA is a part of the Department of Energy. Mr. Cox. Are they people who are hired exclusively by the Administrator of NNSA? Mr. Glauthier. It depends on the field office. The Albuquerque---- Mr. Cox. Well, no, the law doesn't say that. The law says that except for certain named positions in the statute, it is the role of the Administrator to hire and fire people within the Administration, and furthermore the Administrator is given the statutory authority to set policies within the NNSA that are different from the policies and procedures in the Department of Energy, and only the Secretary of Energy himself can reverse those. Mr. Glauthier. Or the Deputy Secretary, if he is given that responsibility by the Secretary; that's correct. And in fact, the Secretary has the authority under the law to set policies that will apply to the NNSA as well. Mr. Cox. So why are we using these structures from the old system before the creation of NNSA? Mr. Glauthier. The field offices are part of a line organization, and that's where the contracting is done. They have processing of vouchers. Mr. Cox. I know that's how it used to work, but what about the new statute? Mr. Glauthier. The new statute doesn't require that we change that. It is up to the NNSA administrator, as you indicate, how that structure is going to be carried out and the implementation plans---- Mr. Cox. Well, now, General Gioconda used to be an employee of the Department of Energy and now is a--is that correct, General? Mr. Gioconda. I am not the best example to use, sir. I am a detailee from DOD to DOE. Mr. Cox. But you had a DOE function before? Mr. Gioconda. Yes, sir. Mr. Cox. Now you have an NNSA function? Mr. Gioconda. Yes, sir. Mr. Cox. So your relationship to the Department of Energy is semiautonomous. Mr. Gioconda. Yes. Mr. Cox. In other words, the authority of the people who work at the Department of Energy over you can be exercised only through the Secretary himself or, if the Secretary is incapacitated or otherwise unavailable, by other statutory authority through his deputy, but acting qua Secretary because the statute is very explicit about that, and not in any other way. Is it your understanding that the same can be said for every employee in, say, the Albuquerque field office? Mr. Gioconda. Sir, in Albuquerque they are all in the NNSA. That is clear. Mr. Cox. And then the DOE exercises no authority over that field office? Mr. Gioconda. No, sir. The business functions are connected to DOE. They do have authority over the business functions that are connected to DOE. Mr. Cox. That sounds awfully confusing. Which is which? How do we know? Mr. Glauthier. May I? Congressman, may I respond? Mr. Cox. Well, the---- Mr. Glauthier. The policies---- Mr. Cox. I just want to remind you why I am concerned about this, because in questioning an earlier panel I read this portion of the report of 2 weeks ago from the Redmond panel, chaired by the former head of counterintelligence at the Central Intelligence Agency. He said the DOE operational field offices at Albuquerque and Oakland continue to refuse to share relevant information from employee personnel files under their control with DOE CI, counterintelligence, or laboratory counterintelligence components. The Department of Energy counterintelligence is not even informed by these three offices when an employee loses his or her security clearance. That's a mess. Now, if NNSA is in charge of these people, then I want to call NNSA on the carpet for this performance. If DOE is responsible, then I want to call DOE on the carpet for this performance. But the truth is, as we sit here in this hearing we don't know. Whose responsibility is it? Whose responsibility is that failure, NNSA or DOE? Mr. Habiger. Mr. Cox, if I may, sir, that is very dated information and is no longer applicable. Mr. Cox. Well, it is 2 weeks old. Mr. Habiger. Well, the report may be 2 weeks old, sir, but the assertions have been corrected some time ago. Mr. Cox. Were those assertions relevant to a time period prior to the enactment of Title 32? Mr. Glauthier. Before the implementation of it. Mr. Cox. Well, I understand you didn't obey the law for a very long time. And I am quite serious about this, because starting with the President of the United States own signing statement, there was a direct effort, documented by the Congressional Research Service, to subvert the statute. But I wonder whether or not this situation--independent of who shot John in this circumstance--obviously nobody is willing to own up to responsibility for this. But let me ask this question: Who is responsible for any defalcation today at the field offices? Would it be DOE? Would it be NNSA? Or is the answer, it depends? Mr. Glauthier. If it is a practice that they should be carrying out, the policy is in place and they are not doing what they are supposed to be doing, there is an NNSA responsibility; their line accountability to NNSA. On the specific information sharing of those personnel files, I would be willing to go back and get the specifics. I don't have those at this point. [The information referred to was not received at time of printing.] Mr. Cox. Is there any aspect of the performance of the field offices for which DOE is responsible and not NNSA? Mr. Glauthier. Only in establishing some of the policies. There may be Department-wide policies on procurement, for example, that are issued to the NNSA and then implemented through the NNSA. Mr. Cox. Obviously that's not how the statute is supposed to work. The NNSA has ample authority to do its own procurement. Mr. Glauthier. But the statute also provides for the Secretary to determine policies that would be applicable to the NNSA. Mr. Cox. Well, I think the answer, plainly, which you have just given, is it depends on whether it is one or another kind of function at that field office. And sometimes presumably the very same people working in the Albuquerque or Oakland field offices we are describing here would be responsible to headquarters DOE, and other times they would be responsible to the NNSA. And what we are now talking about doing is sliding in a new contractor that will have the same questions about who it reports to, because it is going to be reporting to somehow this field office which is itself a hybrid of DOE and NNSA, exactly what the statute was meant to prevent. I think if I were out at the labs, I would not know who in the hell I am supposed to report to, and this is making it worse, not better. Mr. Glauthier. One point we are clear on is no one in the NNSA can take direction from people who are not in NNSA. We do understand that and have tried to implement it that way. Mr. Cox. Well, I think the chairman is being--perhaps I have more time. Do I have time further? Mr. Upton. I stopped the clock. If you want to ask another question, you may. Mr. Cox. The chairman is being generous. I do hope that we will recognize that there is a Presidential election in a few months, that whether it is a Gore administration or a Bush administration, if past transitions are any guide, most of the people in the Presidential appointment positions, not for terms of years, will be changed and so this ought not to be viewed as a turf battle. It shouldn't be about somebody in Congress taking away my power. We are not trying to take away the power of any individuals. This is not a threat to Bill Richardson. This is a question about whether or not there can be an independent agency with only rare reporting relationships through the Secretary himself in charge of this function. And this administration, the Clinton-Gore administration, has fought it every step of the way, and I think it is doing a great disservice to our national security. Mr. Upton. Mr. Bilbray. Mr. Bilbray. Thank you, Mr. Chairman. I am going to ask one open question and would ask anybody to answer it as truthfully as possible. Can this Member of Congress assure his constituency, or, more important, assure his children that the security and the problems we have articulated here in this hearing, both structural and institutional, will be corrected before January of next year? Will the next administration have to solve this problem or will we have it corrected before January 1? Is anybody here willing to say that we think we will have it all taken care of by January 1; it will be wrapped up? Mr. Glauthier. I will be the first one to try to respond to you. I simply can't give an absolute answer, I think, to anything. One of our experiences over the years has been that that has always been a mistake. We are working our hardest to try to deal with the institutional and structural issues, as you have put it, and our hope is to have those in place, to have the NNSA elements in implementation, and then to have the continuing problem of, of course, the human element being something we always will have to deal with. But our hope is to be as far along that path as possible. Mr. Bilbray. Well, Mr. Chairman, I just want to say in closing that I grew up in a family where my father was a damage control officer who was at Bikini, at Eniwetok, who studied nuclear arms--was involved in the nuclear arms development in a peripheral manner as a warrant officer. And I darn well believe that we all have a responsibility to make sure that his grandchildren do not have the technology he helped develop turned against those children, and I certainly hope that we can take care of this before we expect a new administration will have to take care of the problems of the past. I yield back, Mr. Chairman. Mr. Upton. Mrs. Wilson. Mrs. Wilson. Thank you, Mr. Chairman. Just to follow-up on what Congressman Burr was talking about a little bit, and what I asked as well about this issue of the facts. I don't want to belabor the point too much, but as you well know, representing Albuquerque, New Mexico, we have quite a bit of correspondence with the Department of Energy. And I asked my staff to go back and check, and everything that we send, whether by letter or by snail mail or by fax, gets a registration number and that registration number comes back as a reference on the reply. And so without being too difficult about this at first, I would ask the chairman if he would request from the Department of Energy, copies of records of all items entered into DOE correspondence management systems for the week surrounding March 1, 1999, and also for a record of the fax receipts for March 1, 1999, for what I believe is Under Secretary Moniz's fax number, which is 586-7210. Mr. Upton. Without objection, Mr. Glauthier, if you can provide that for us? Mr. Glauthier. Yes, we will be happy to provide it. Normally, this would be logged in, so you are correct to expect that the system should have captured it. [The information referred to was not received at time of printing.] Mrs. Wilson. Dr. Robinson, there are some statements in your testimony which I found very interesting in light of your 32-year perspective of security. You talk a little bit about changes to the classification system that introduced systemic weaknesses in DOE's security system. I wonder if you could elaborate on that a little bit. Mr. Robinson. I wonder if you would let me have 1 minute to comment on the question of the fax. In addition to the lab directors expressing our views in March of last year, as I say on page 9 in my testimony, I twice brought up in congressional testimony, once to this committee, exactly the same content that is the conclusion of this fax. So it has been something that has been a botherment to not only the three of us but to most of the folks who work in the laboratories; that all of this material, Secret, Restricted data as well as Top Secret, must be accountable. The classification has taken on some serious problems in the decade of the 1990's. There was an order to declassify a larger amount of material and to speed up the declassification. In particular, within the Department of Defense, a lot of documents were declassified by category rather than someone looking at the document to see if there are paragraphs within the document that should not be released. Unfortunately, in that process, some things went into the open that should not have gone into the open; and when we learned of it, we have been trying to pull it back. The one unique thing about Restricted data, the Atomic Energy Commission controlled information, is it never has a time line associated with it, that it's declassified after X years, as is the practice in Department of Defense and most other parts of the government, Department of State, et cetera. If the information could lead to the building of a nuclear weapon, as Mr. Bilbray suggests, to threaten our children, we would like to keep that information as bottled up as we possibly can in perpetuity. So I considered it a fairly serious breach in the 1990's of declassification that led to some information going out. I believe that was not the intent of the people who did the higher fences initiative. It was to still keep anything that could make a functioning nuclear weapon more possible to keep it classified, to keep it restricted from distribution. Mr. Cox. Would the gentlewoman yield for just a moment for a point of clarification? Dr. Robinson, I think I understood you to say that the material at the labs is classified under the Atomic Energy Act. Mr. Robinson. Correct. Mr. Cox. Is it the case that it is never classified under the Executive Order 12958? Mr. Robinson. No. Some of the information in other programs than nuclear weapons that we work on and contribute to fall under that Executive Order and we carry out and use the stamps of declassify after 12 years, declassify after 25 years; but not information that could lead to a functioning nuclear weapon. Mrs. Wilson. With respect to that, I understand that the lab directors resisted a lot of the changes that happened in the 1990's with respect to security and material control and so on. Were you ever told by the Department of Energy that if you didn't reduce your security controls you wouldn't be compensated for the cost? Mr. Robinson. There is such a statement from the Albuquerque Operations Office, that this would not be cost reimbursable. I must tell you it was at that point not an issue of whether we were reimbursed or not. It is a question of national security. Mrs. Wilson. So as a contractor, in this case not University of California but I would assume either AT&T or Lockheed Martin, you were told that you couldn't have a higher standard anymore; is that right? Or if you had a higher standard, it would come out of the hide of the contractor? Mr. Upton. Can I inquire about the date of that? Mr. Robinson. I am quoting from a memorandum of June 19, 2000--whoops. Is this an attachment to it? Oh, the attachment is June 29, 1992, and it says--the question is: May sites continue to account for all secret documents on a voluntary basis? And the answer given by the Department was: Sites may continue to account for documents that do not require accountability under paragraph 2 but it must be at no cost to DOE. Costs associated with document accountability will be calculated only for documents that must be accounted for. Mrs. Wilson. Mr. Chairman, I would like to ask if we could add that document to the record, if possible? Mr. Robinson. Sure. Mr. Upton. Yes. [The information referred to follows:] [GRAPHIC] [TIFF OMITTED] T7110.090 [GRAPHIC] [TIFF OMITTED] T7110.091 [GRAPHIC] [TIFF OMITTED] T7110.092 [GRAPHIC] [TIFF OMITTED] T7110.093 [GRAPHIC] [TIFF OMITTED] T7110.094 [GRAPHIC] [TIFF OMITTED] T7110.095 [GRAPHIC] [TIFF OMITTED] T7110.096 [GRAPHIC] [TIFF OMITTED] T7110.097 [GRAPHIC] [TIFF OMITTED] T7110.098 [GRAPHIC] [TIFF OMITTED] T7110.099 [GRAPHIC] [TIFF OMITTED] T7110.100 Mrs. Wilson. So basically you were told by DOE Albuquerque that you could have a higher standard if you wanted to but it was going to be at no cost to the government? Mr. Robinson. Correct. Mrs. Wilson. Thank you, Mr. Chairman. Mr. Upton. Thank you. I just have one further question and then a comment. We are expecting a vote in the next 5 or 10 minutes. Mr. Glauthier, I know you have a meeting downtown as well, and I will let other members ask if they have additional questions. Dr. Browne, the list of new controls that you mentioned in your testimony, you did not include procedures to ensure that those who remove materials from vaults check out such documents or disks. And I just wondered why you did not include that type of reform. And I am wondering, maybe from General Habiger, in terms of why that was not required in his June 23 list of new security directives. Dr. Browne? Mr. Browne. With respect to the NEST program, we have had that vault closed as part of the FBI investigation and have done a full inventory of all the NEST equipment. So that program is sort of an off-limits program right now. With respect to all the other information, until we reestablish tracking ability for the documents, we don't have a mechanism to find where the information goes. We have started down that path with the computer storage media that I mentioned earlier, the 66,000 devices. So we can track those, but we are not in a position to track everything that comes out of a vault unless it is done by hand; you know, the name of the person, et cetera. We have not done that. Mr. Upton. Do you expect to have some type of tracking, whether it be a bar code or something of that nature? Mr. Browne. That's what we had before, and the mechanism for transfer of documents between one individual and another one required a tracking of the bar code and the copy number, and so one had a record of when it left and went somewhere else. Mr. Upton. And are you on the path to encrypt some of this data as well? Mr. Browne. That's correct. That's part of the Department's---- Mr. Upton. On both Top Secret and Secret data material? Mr. Browne. That's correct. Mr. Habiger. Mr. Chairman, the big problem we have with encryption is that we have one certified software package that is only good for Windows NT. The Department of Energy had many, many operating systems. The vendor tells us it could be up to a year before we are able to have other operating systems covered. Mr. Upton. General McBroom, what has happened to this particular NEST team while the investigation is going on? Are they in limbo? Have they gone back to their other functions? Mr. McBroom. Well, sir, that's really a lab question. I haven't been allowed out there or to see them. I am going out there next week. I can tell you in talking to Dr. Browne, they have been through a lot, sir. Personally and professionally it has been very hard on them. We are going to have to really stroke some of these people because--and I think Dr. Browne had a very, very valid point. Ninety-nine percent of these people are just really neat United States American citizens. Mr. Upton. You need to find that 1 percent. Mr. McBroom. Yes, sir, I have to find them in a hurry. Mr. Gioconda. Sir, also for the record to understand, the NEST team are a group of volunteers. They volunteer to be in this program. They are not assigned to this particular program. They step up to be assigned. I think that it is important to understand that when you go through a situation like this, and we have talked about this often, what are we going to have on Monday morning. Will that person volunteer after going through this? And we are all very, very concerned about that. Mr. Browne. Mr. Chairman, may I add a comment to that? Mr. Upton. Yes. Mr. Browne. What we did with our NEST team was essentially had the entire team stand down to go through in great detail their security procedures for the entire team, not just the device assessment team that I mentioned but the entire team, because we wanted them to update all of their security procedures and to assure themselves, not just assure us but assure themselves that they had the best practices in place. They have just completed that and they are back at work. We have some compensatory measures in place because of the FBI investigation that's going on, but I feel very comfortable that we are doing the right thing by allowing the NEST team members back to work. Mr. Upton. Mr. Glauthier, I know you mentioned at the very beginning of your testimony sort of the update in terms of where we were with regard to the investigation. I am certainly not a police officer or a detective, as my colleague Mr. Stupak was with the Michigan State Police. But are we getting close to the end of this? I mean, I know that a number of folks, in fact, were polygraphed. It has been almost a month since those began. Where are we in terms of the end of this investigation so we can put things back together? Mr. Glauthier. I think it is all right to mention here that one of the delays has been that the lawyers for these individuals felt they needed to get clearances in order to properly deal with their clients and to deal with these issues. Those clearances were granted last week. It took some time for them to submit the paperwork to us. We turned it around in a matter of few days. Mr. Upton. But they were polygraphed almost from the beginning, right? June 15 or so? Mr. Glauthier. The individuals were, but the lawyers representing those individuals needed to get clearances, they said, in order to proceed with the case. So some of the investigation has been on hold. Now, those clearances have been in place for a matter of a few days at least and I understand that the FBI and the U.S. Attorney out there are proceeding. Our hope is that this will---- Mr. Upton. Do you expect some charges to be brought within this month, July? Mr. Glauthier. You would have to ask the FBI and the U.S. Attorney's Office. I can't comment on that. Mr. Upton. Okay. Let me just say this, as part of my conclusion. As Chairman of this subcommittee, we have had more hearings on security at our energy labs than on any other topic--Medicare fraud, anything else--maybe, I would guess, 12 to 15 hearings in the last year and a half. At the suggestion of the lab directors last year, for a number of us that had not ever been to one of these labs and really not been to the West Coast much, I know that we did take your suggestion. We visited the labs, and I have to say that for me, I could not have been more impressed with the physical security of those labs; the drills that the teams did, all the different things that were shown to us over those couple of days, Mr. Cox, myself, Mr. Burr and Mrs. Wilson and some of our staff that went out. It seems as though we have focused on--we have gone from one thing to the next.The hearings last year followed along the lines of the Q clearances and the access to some of our secret material by folks that really should not have been in those areas. Changes were made. One of the things that we focused quite a bit on in our visit last January was looking at the cyber security details and to make sure that there were air locks and a whole number of different things that would prevent someone from hacking in and getting access to that material. I just hope that as we have looked now at this GAO report, that again it sort of goes back to the basics, logging in material; I mean, what we can do at a Meyers, a Thrifty Acres, or maybe a Safeway here in the Washington area type of thing, a library logging in material using the tools that we have, encryption and others, to make sure that, in fact, that material--you know, if we find that 1 percent that, in fact, may be out there that, in fact we can prevent that individual or individuals from leaking or selling that information someplace else, let alone misplacing it, I mean that to me is fundamental. We--as Chairman of this subcommittee, and I know I speak for every member of this subcommittee--we have got to have accountability by all of you to make sure that the system works. We are tired of the blame game. We would rather be focusing on other things than this. But these really are the crown jewels. And whether it is a culture, whether it is just mistake after mistake, we need to get to the bottom of this and we need to get it resolved. We don't necessarily need another level of bureaucracy. We want results and we want to know that when the lights get turned off, that that material is safe and cannot get into the hands of the wrong people. Virtually every one of you, with the exception of Mr. Aftergood, are Federal employees; particularly General McBroom and others, you need to take every effort. We are prepared as a Congress to fund whatever it takes to make sure that these secrets remain just that. Now you have a tremendous responsibility. The American public has entrusted you and we want to make sure it works. I would just hope that as we follow up on this hearing today that, in fact, we won't see further miscues. Mr. Glauthier, your comment earlier about taking the pledge--I think it was by Mr. Bilbray--by January 1, Secretary Richardson did that. You might have offered him some different advice last year when he assured us in fact that those things would not take place. We want your word to be good and we want the fire doors to be closed so that this does not happen again. As we look at further GAO reports and other things that may come our way, we want to hear from you first and see what suggestions you might have that we might help you do a better job to make sure that, in fact, that fire door remains closed. Mr. Cox, I don't know if you want to make a closing statement, Mrs. Wilson, but I yield to you if you would like to do that. Mr. Cox. I thank you, and I just want to thank every member of our panel. These are difficult topics and they are made more difficult by the fact that there have been so many things that everybody wishes hadn't happened go on over the last few years. My greatest concern is the seeming consistency of the bureaucratic problems, notwithstanding all of the renewed vigor to attack them at this time and to get it right. When the House of Representatives nearly unanimously created this select committee that I chaired, it was 4 months after the President had issued PDD 61, and then we went through a whole year on our select committee and had more public impact with that, and then we had damage assessment by the CIA which confirmed what our select committee had found. We had the President's Foreign Intelligence Advisory Board complain about security and counterintelligence at the laboratories and about DOE mismanagement. We had recommendations for reform. And yet it was not until March of this year that one of the key elements of the President's directive to the Secretary of Energy, polygraphing, was even begun to be implemented. It was not really until these hard drives turned up missing that people in sensitive positions in that connection were subjected to polygraphs. I think that it is a fair thing to argue, particularly for scientists who are technically minded, to argue about the relative merits and demerits of polygraphs. They are well equipped to do so. But once the President of the United States orders it done, it oughtn't take the bureaucracy so many years to begin it. The same holds with the creation of the NNSA. The NNSA was created in direct response to recommendations from all the outside groups that have looked at it and the bureaucracy has been fighting it because of turf. Now we are talking about new creative ways to restructure the bureaucracy, all of them compounding the prolix nature of the Department of Energy's relationship to the labs, and I am very sorry for that. I hope that one of these days they will listen to the advice and follow the legislation. I thank the chairman. Mr. Upton. Thank you. Mrs. Wilson, do you have a closing comment? Mrs. Wilson. Thank you, Mr. Chairman. I wanted to thank you again for allowing me to sit in and participate in this hearing. I think I walk away with kind of a reconfirmation that the problems relating to security in the nuclear weapons complex are systemic. They relate more to policy and the implementation of that policy than they do to isolated acts by individuals. And I look forward to General Gordon taking the reigns and being able to look at the complex systematically over a long period of time to ensure its continued health for the country, and I think that's the right direction to go in. And I thank the chairman again. Mr. Upton. Again, I thank all members for participating. I would note for the record that there are a number of subcommittees meeting during these hours. We do look forward to hearing from General Gordon probably this fall, once Congress returns from the August break. Again we thank you for your testimony. We look forward to working with you. This hearing is now adjourned. [Whereupon, at 2:55 p.m., the subcommittee was adjourned.] [Additional material submitted for the record follows:] Federation of American Scientists August 1, 2000 Hon. Fred Upton, Chairman Subcommittee on Oversight and Investigations Committee on Commerce U.S. House of Representatives 2125 Rayburn House Office Building Washington, DC 20515-6115 Dear Mr. Chairman: Attached please find my answers to the questions for the record from the July 11, 2000 hearing on weaknesses in classified information security control's at DOE's nuclear weapons laboratories. Thank you for the opportunity to present my views to the Subcommittee. Sincerely, Steven Aftergood Senior Research Analyst Questions for Steven Aftergood Q. In your testimony, you quoted a National Academy of Sciences report which states that ``access to classified information is not necessary for a potential proliferator to construct a nuclear weapon.'' The Academy said that access to nuclear material and an engineering and manufacturing infrastructure to build a bomb are most important. Iraq became a nuclear power without stealing our secrets, as did India. Was the Cox Commission and the Congress in error last year when they placed so much emphasis on the alleged theft of our technology for China's weapons advances? A. The espionage threat from China and other nations is certainly a legitimate and necessary subject of inquiry. But I believe the Cox Committee and Congress erred by failing to place the espionage threat in proper perspective. The People's Republic of China has possessed thermonuclear weapons since 1964 and has a mature nuclear weapons manufacturing capacity. Yet today, fifteen years after China's alleged theft of W-88 warhead design information described by the Cox Committee, there has been no ``apparent modernization of their deployed strategic force or any new nuclear weapons development,'' according to the CIA's Jeremiah panel. Espionage, if it occurred, evidently did little to alter the threat facing the United States. Instead of clarifying the issues, the continuing emphasis on Chinese nuclear espionage has led to a serious distortion of public perceptions. Senator Bob Kerrey said last year that the Cox Committee report ``has left the impression that China is a bigger threat to the United States in terms of nuclear weapons than Russia is. Nothing can be further from the truth.'' But a Time-CNN public opinion poll found that 46 percent of Americans consider China a serious threat, compared to 24 percent who hold that view of Russia. Finally, the preoccupation with espionage has incurred serious damage to the nuclear weapons laboratories where morale a,'Id recruitment have fallen precipitously. This is a potentially far more serious blow to national security than any espionage that may have taken place. Q. What do you see as the solution to these embarrassing security breaches at DOE? A. There is no solution. That is to say, it is impossible to guarantee that security breaches will not occur in the future. Again, it is important to keep these matters in perspective. There can be no absolute security. There is no national security agency in the U.S. government that has not been deeply penetrated by a foreign intelligence service at one time or another. Meanwhile, minor security infractions are literally a daily occurrence. It is easier to say what is not the solution. I do not believe that Congress should legislate specific security requirements (such as document accountability, polygraph screening, etc.) because such system-wide requirements can have unintended consequences and may need to be modified to meet local needs and circumstances. On the other hand, it would be appropriate to identify an official at each facility who is responsible for security at that facility. While I believe it was absurd to suggest that the Secretary of Energy should be accountable for the fact that a particular classified item at Los Alamos was missing, it would be entirely sensible to assign responsibility for such cases to a particular official at every laboratory. That official should have the flexibility and discretion to tighten or relax baseline security requirements, as appropriate, and then should be held responsible for overall security performance. I would only add, as I stated in my testimony, that security should not be permitted to significantly erode the quality of the labs. If it were necessary to choose, I would prefer second-rate security at a first-rate laboratory to first-rate security at a second-rate laboratory. Q. What will it take to implement the ``higher fences'' initiative? A. The ``higher fences'' concept of focusing security resources on the most sensitive information makes obvious, intuitive sense. But like any change to established practices in a bureaucracy, it faces resistance that will require high-level leadership to overcome. DOE officials now refer to the adoption of a ``graded approach'' to security, involving stronger protection for more sensitive materials, The ``graded approach'' seems to be similar to the ``higher fences'' initiative except that it omits declassification. This is a mistake, in my opinion. Proper declassification is an essential component of an information security classification system. The system will not function properly, and will eventually break down, if there is no reliable mechanism for removing controls on information that no longer warrants protection. For this reason, I believe that the DOE Fundamental Classification Policy Review group (which last reported in 1997) should be reconvened at perhaps 5-year intervals to identify which categories of information should be newly declassified and which categories, if any, should receive increased protection. I also believe that Congress should increase support for declassification review. Congress should clearly communicate to DOE the expectation that while sensitive information must be properly classified, information that is no longer sensitive should be efficiently removed from classification controls. ______ Answers to Questions for the Record of Dr. C. Paul Robinson, Director, Sandia National Laboratories Question: The Committee understands that Sandia played a big role in the Higher Fences initiative. Can you describe your lab's involvement and why you believe DOE has not reached closure on this issue after four years of trying? Did Sandia object to DOE's initial proposal on higher fences, and if so, why? Did Sandia object to reclassifying these sensitive categories as Top Secret, and if so, why? What value would there be in re-classifying these sensitive topics as Top Secret, as proposed by DOE, if DOE didn't require additional controls for Top Secret, as evidenced by its January 1998 decision to eliminate such controls? Response: Sandia National Laboratories was a major participant and contributor in the Higher Fences Initiative beginning with the Fundamental Classification Policy Review, which began its work in May 1995. Secretary O'Leary appointed Dr. Albert Narath, the director of Sandia, to be chairman of the review group. (It should be noted that Dr. Narath left Sandia in August 1995 to accept a position with the Lockheed Martin Corporation. He continued to chair the review team while in his new position.) The Fundamental Classification Policy Review Group consisted of about 50 experts from the DOE community and other agencies, including several individuals from Sandia. The review team issued a final report in January 1997. Sandia National Laboratories also played a major role on the second of two Higher Fences working groups. A first working group had been formed at DOE headquarters shortly after the Fundamental Classification Policy Review issued its report, but the results of this first effort were deemed inadequate by many reviewers in the field and at headquarters. The considerable criticism of the first working group's proposal prompted the DOE Office of Declassification to charter a second Higher Fences Working Group in July 1998 to resolve the issues identified in the critiques. The DOE Office of Declassification appointed the classification officer at Sandia National Laboratories to lead this group of classification experts from the field and DOE. Sandia National Laboratories fully supported (and continues to support) the initial Higher Fences recommendation of the Fundamental Classification Policy Review Group (January 1997). However, Sandia and other DOE elements in the field and at headquarters had several criticisms of the work of the first Higher Fences Working Group, which issued a memorandum for comment in March 1998. That report received a largely negative response. A major concern shared by Sandia and the other nuclear weapon laboratories was that DOE had recently removed (in January 1998) the longstanding requirement for formal document accountability of Top Secret Restricted Data. To classification professionals in the field, it seemed inconsistent to propose to reclassify certain information to Top Secret while at the same time weakening the accountability controls on Top Secret. Thus, reclassification on the Higher Fences criteria would be a paper exercise resulting in no significant increase in protection within the DOE community. In May 1998, the DOE Technical Evaluation Panel submitted its concerns on the initial Higher Fences guidance in a memorandum to the director of the DOE Office of Security Affairs. The Technical Evaluation Panel is a committee of weapon designers that provides consultation for the DOE classification community, and it was chaired at that time by a Sandia weapon program manager. The panel's basic criticism of the initial Higher Fences guidance was that the lack of consistency in the level of protection provided for Top Secret Restricted Data by the various DOE orders governing security of documents and computer systems undermined the initiative. The panel predicted that these inconsistencies, together with the failure to address the costs of implementation, would result in failure of the Higher Fences Initiative. The second Higher Fences Working Group issued an unclassified draft report to the DOE Office of Declassification in February 1999, followed by a full, classified report in April. The report filled in some of the detail that would be required for implementation and added much-needed rigor to the sensitivity criteria for reclassification. This work provided a foundation for moving forward with the Higher Fences Initiative within the Department's decision structure, and eventually to DoD. DOE issued a final report for implementing the Higher Fences recommendation in October 1999. At that point, considerable disagreement still existed both within the Department and in the field concerning how Higher Fences should be implemented, although the concept and intent of the Higher Fences Initiative were generally accepted. The most significant issues of concern were: 1. DOE's decision in January 1998 to remove the requirement for formal document accountability for Top Secret Restricted Data; 2. The lack of consistent guidance within DOE on handling paper and electronic forms of Top Secret; 3. The lack of implementation guidance and associated funding for segregating new Top Secret and handling existing Top Secret; 4. The lack of funding to upgrade Secret-level computer networks to Top Secret networks, which was estimated to run $20 to $30 million per site. Notwithstanding these concerns, the DOE leadership decided to press forward with implementation. In October 1999, the Assistant Secretary for Defense Programs and the Director of the Office of Security and Emergency Operations sent a letter to the Nuclear Weapons Council (a joint DoD/DOE coordinating group of senior officials) requesting the assistance of the Council in encouraging DoD to participate in a joint working group to develop an implementation plan for Higher Fences. Buy- in by DoD was essential because much Secret Restricted Data that would be reclassified to Top Secret under the Higher Fences plan was in the custody of DoD. In December 1999, DOE received a response from the Office of the Secretary of Defense (signed by the director of Defense Research and Engineering and by the Assistant Secretary for Command, Control, Communications, and Intelligence) in which DoD declined to participate in an interagency working group for the Higher Fences Initiative. The letter cited increased costs, operational difficulties, and DoD's belief that such information is adequately protected at the Secret level. The letter also indicated that DoD would review the Higher Fences recommendations from a cost-benefit perspective so that the initiative could receive serious consideration. At this time, I am unaware that DoD has completed its review. However, the evident lack of serious interest by DoD is the principal reason for the failure of the Higher Fences Initiative to continue to move forward toward implementation. ______ General Accounting Office Responses to Questions For the Record Q. Was the 1992 change in DOE Secret-level accountability controls mandated by Executive Order or government-wide changes that occurred in that year, as DOE has suggested in article in the Washington Post, or was DOE free to set its own policies in this regard? A. The 1992 change in DOE Secret-level accountability controls was not mandated by Executive Order or any government-wide requirements as far as we can determine. The Executive Order in force at the time--EO 12356, dated April 2, 1982, and its implementing directive-allowed heads of agencies to set policies for accountability for Secret-level documents. Therefore, DOE could set its own policies within this framework. Q. This same article also states that, in January 1993, just two weeks before the end of the Bush Administration, an executive order extended these new relaxed rules to government contractors, such as Los Alamos. Is that an inaccurate statement based on your research? What did the Executive Order actually do? Please provide a copy of the Executive Order for the record. A. The statement ``in January 1993, just two weeks before the end of the Bush Administration, an executive order extended these new relaxed rules to government contractors, such as Los Alamos'' is inaccurate. Executive Order 12829, dated January 6, 1993, created a National Industrial Security Program to establish a single, integrated, cohesive program to protect classified information that is released to contractors, licensees, and grantees of the United States Government. While the Program was created to promote uniformity, the Executive Order did not specify that accountability requirements were to be relaxed. Q. To your knowledge, was there any government-wide decision made to reduce controls on Secret data prior to 1995? A. Our audit work concentrated on DOE actions in accountability for Secret documents. As such we did not examine what other government agencies were doing to control Secret data. We will examine this issue as part of our ongoing work in the area. [GRAPHIC] [TIFF OMITTED] T7110.101 [GRAPHIC] [TIFF OMITTED] T7110.102 [GRAPHIC] [TIFF OMITTED] T7110.103 [GRAPHIC] [TIFF OMITTED] T7110.104 [GRAPHIC] [TIFF OMITTED] T7110.105