[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]
OVERSIGHT OF THE STATE DEPARTMENT:
TECHNOLOGY MODERNIZATION AND COMPUTER SECURITY
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON
INTERNATIONAL RELATIONS
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
__________
JUNE 22, 2000
__________
Serial No. 106-171
__________
Printed for the use of the Committee on International Relations
Available via the World Wide Web: http://www.house.gov/international--relations
______
U.S. GOVERNMENT PRINTING OFFICE
68-288 CC WASHINGTON : 2000
COMMITTEE ON INTERNATIONAL RELATIONS
BENJAMIN A. GILMAN, New York, Chairman
WILLIAM F. GOODLING, Pennsylvania
JAMES A. LEACH, Iowa
HENRY J. HYDE, Illinois
DOUG BEREUTER, Nebraska
CHRISTOPHER H. SMITH, New Jersey
DAN BURTON, Indiana
ELTON GALLEGLY, California
ILEANA ROS-LEHTINEN, Florida
CASS BALLENGER, North Carolina
DANA ROHRABACHER, California
DONALD A. MANZULLO, Illinois
EDWARD R. ROYCE, California
PETER T. KING, New York
STEVE CHABOT, Ohio
MARSHALL "MARK" SANFORD, South Carolina
MATT SALMON, Arizona
AMO HOUGHTON, New York
TOM CAMPBELL, California
JOHN M. McHUGH, New York
KEVIN BRADY, Texas
RICHARD BURR, North Carolina
PAUL E. GILLMOR, Ohio
GEORGE RADANOVICH, California
JOHN COOKSEY, Louisiana
THOMAS G. TANCREDO, Colorado

SAM GEJDENSON, Connecticut
TOM LANTOS, California
HOWARD L. BERMAN, California
GARY L. ACKERMAN, New York
ENI F.H. FALEOMAVAEGA, American Samoa
MATTHEW G. MARTINEZ, California
DONALD M. PAYNE, New Jersey
ROBERT MENENDEZ, New Jersey
SHERROD BROWN, Ohio
CYNTHIA A. McKINNEY, Georgia
ALCEE L. HASTINGS, Florida
PAT DANNER, Missouri
EARL F. HILLIARD, Alabama
BRAD SHERMAN, California
ROBERT WEXLER, Florida
STEVEN R. ROTHMAN, New Jersey
JIM DAVIS, Florida
EARL POMEROY, North Dakota
WILLIAM D. DELAHUNT, Massachusetts
GREGORY W. MEEKS, New York
BARBARA LEE, California
JOSEPH CROWLEY, New York
JOSEPH M. HOEFFEL, Pennsylvania
Richard J. Garon, Chief of Staff
Kathleen Bertelsen Moazed, Democratic Chief of Staff
Kristin Gilley, Professional Staff Member
Marilyn C. Owen, Staff Associate
C O N T E N T S
----------
WITNESSES
Page
Fernando Burbano, Chief Information Officer, U.S. Department of State .......... 4
Jack L. Brock, Jr., Director of Government and Defense Systems, U.S. General Accounting Office .......... 6
Mark T. Maybury, Ph.D., Executive Director, Information Technology Division, The MITRE Corporation .......... 9
Wayne Rychak, Deputy Assistant Secretary for Diplomatic Security, U.S. Department of State .......... 17
APPENDIX
Prepared statements:
The Honorable Benjamin A. Gilman, a Representative in Congress from New York and Chairman, Committee on International Relations .......... 40
Fernando Burbano .......... 43
Jack L. Brock .......... 88
Mark T. Maybury, Ph.D. .......... 108
OVERSIGHT OF THE STATE DEPARTMENT: TECHNOLOGY MODERNIZATION AND
COMPUTER SECURITY
----------
THURSDAY, JUNE 22, 2000
House of Representatives,
Committee on International Relations,
Washington, DC.
The Committee met, pursuant to notice, at 10:12 a.m. in
room 2200, Rayburn House Office Building, Hon. Benjamin A.
Gilman (Chairman of the Committee) presiding.
Chairman Gilman. This meeting will come to order. I want to
thank our panelists for joining us this morning and thank our
colleagues for being here.
I am pleased to convene this hearing on Oversight of the
State Department, Technology, Modernization and Computer
Security. This is the fourth in a series of oversight hearings
that this Committee will conduct relating to the Overseas
Presence Advisory Panel, the OPAP.
We began these hearings back in February when we heard from
the panel's members. At that time, and today, I believe the
panel highlighted some very important issues. This Committee
supports many of the recommendations made as a basis of
maintaining a more effective and efficient State Department.
We are asking our panelists to provide the Committee with a
comprehensive review of the condition of the State Department's
information technology program, the safeguarding of its
information and prospects of developing a common platform to
facilitate communication among the agencies at posts. Along
with the efficiencies of high tech systems comes a breadth of
possible vulnerabilities. These systems demand continual
security evaluations and resources that should be dedicated to
this activity.
Personnel at the State Department must have the capacity to
communicate quickly and precisely with a variety of people. The
Overseas Presence Advisory Panel observed that the Department's
current infrastructure does not provide the means either to
acquire information from a full range of sources or to
disseminate it to a full range of audiences.
Inefficient information systems leave the Department
impotent in the conduct of foreign affairs. The Department and
other agencies sharing the overseas platform have taken steps
to bring their systems up to private sector standards, but much
more is needed to be successful on an interagency basis. Our
private sector panelist, Mr. Maybury, will address the problems
associated with that issue.
An overriding concern as modernization proceeds is to make
certain that appropriate, usable systems are procured and that
security elements are addressed up front. The taxpayer is
providing an enormous amount of money over time for the
worldwide upgrades, and this Committee needs to be assured that
the right decisions and cost effective procurements are being
made.
With recent cyber attacks against web sites in both Federal
and congressional computer systems, serious questions arise
about computer systems' vulnerabilities. Investigation of
hacker assaults revealed that the techniques used over the past
months were fundamentally very simple. In May 1998, GAO
reported that State's computer systems were very susceptible to
hackers and to unauthorized individuals.
Given the important data bases that the Department
possesses, it would be a disaster if hacker penetration were to
occur in the State Department; to name just a few, the passport
system, the visa system, class systems. If a hacker were to
succeed, it would have a devastating effect on the functioning
of these items, not to mention the effect on commerce. The
Department takes in an enormous amount of revenue per day on
the issuance of those items.
I believe that in creating a modern infrastructure,
utilizing a common platform and spending the nation's money
wisely are certainly critical elements on the road to
successful information technology management. We will find out
today if our State Department is on the right road or if they
have hit a dead end.
Now I would like to turn to our other colleagues, the Vice-
Chairman of our Committee, the gentleman from Nebraska, Mr.
Bereuter.
[The prepared statement of Chairman Gilman appears in the
appendix.]
Mr. Bereuter. Thank you, Mr. Chairman. I have no comment. I
look forward to the testimony.
Chairman Gilman. Judge Hastings.
Mr. Hastings. Mr. Chairman, I have no opening statement at
this time.
Chairman Gilman. Thank you.
Mr. Rohrabacher.
Mr. Rohrabacher. Just a very short statement for the
record. I am very concerned, Mr. Chairman, over reports that
the Chin Wa news agency, a Chinese agency that has ties to the
Communist Chinese government in Beijing--in fact, it is known
as having an intelligence connection with the government in
Beijing--has purchased a building in Arlington with the State
Department--at least with no protest from the State Department,
overlooking the Pentagon. This building is a 12 story building
that has very serious implications to electronic intelligence
operations, especially in relationship to a direct overview of
the Pentagon.
I understand the State Department had no objection to this,
raised no objections to the Chinese taking over this building,
and I just think that there is--I do not know if this panel is
the one who could explain it. Probably not, but for the record
I would like to say that this is very unsettling news.
It seems to me that somebody has got to have the
responsibility when things like this happen, and having an
intelligence arm of the Beijing government setting up a spy
nest, an electronic spy nest, you know, just in this position
overseeing the Pentagon is something that deserves our
attention. I thought I would put that on the record.
Chairman Gilman. Thank you very much, Mr. Rohrabacher. I
hope some panelists will comment on it as we proceed.
Today we welcome Mr. Fernando Burbano, the chief
information officer of the State Department. Mr. Burbano
assumed the position in May 1998, is responsible for the
Department's information technology policy and operations. He
oversees a budget of more than $500 million and the activities
of more than 2,000 employees who are engaged in information
management. He holds advanced degrees from the American
University and Syracuse University.
Our second witness, Mr. Jack Brock, is director of the
government wide and defense information systems in the issue
area at the General Accounting Office. He is responsible for
information management, evaluations and reviews of computer
security issues for several agencies, including State, and he
has testified several times on these issues.
The General Accounting Office [GAO] has developed guidance
for improving responses to computer security threats. Thank you
for putting our system back in operation. He holds advanced
degrees from the University of Texas and Harvard. Welcome.
Our third witness is Dr. Mark Maybury. Welcome, Mr.
Maybury, of is it MITRE Corporation?
Mr. Maybury. MITRE.
Chairman Gilman. MITRE Corporation. Dr. Maybury comes to us
highly recommended because of his experience in the field of
worldwide system upgrades. He is the director of MITRE's
information technology division responsible for the advanced
research and development of intelligence and defense systems
supporting several government agencies.
Dr. Maybury has taken a look at what it takes to build a
common platform, collaborative computing and knowledge
management within the foreign affairs community. He holds
several advanced degrees, including a Ph.D. from Cambridge in
artificial intelligence. We certainly appreciate his
willingness to come down from Massachusetts and educate us in
this highly technical field.
We appreciate all of our witnesses being here today, and we
ask you to proceed with a summary of your statements. Without
objection, your full statements will be made part of our
record.
I also want to welcome Mr. Wayne Rychak, a Deputy Assistant
Secretary in the Diplomatic Security Bureau at the State
Department. He is a member of the Senior Foreign Service, and
his positions with Diplomatic Security have included being
regional security officer in Islamabad and Pakistan.
Mr. Rychak is here to respond to questions regarding
information security.
Please proceed, Mr. Burbano.
STATEMENT OF FERNANDO BURBANO, CHIEF INFORMATION OFFICER, U.S.
DEPARTMENT OF STATE
Mr. Burbano. Thank you, Mr. Chairman. Good morning, Mr.
Chairman and distinguished Members of the Committee on
International Relations.
As the CIO for the State Department, I am pleased to report
significant progress managing the Department's information
technology resources. This morning I will focus on actions we
have taken to, first, strengthen our computer security; second,
improve the integrity and quality of our IT strategic planning,
our IT capital planning and our management of IT resources;
and, third, to achieve compliance with the Overseas Presence
Advisory Panel, OPAP, recommendations.
Since my testimony is limited to 5 minutes, I have provided
a more detailed written report for the record.
Computer security. In the past 2 years since I was
appointed CIO, the State Department has taken significant steps
in strengthening our computer security and the security of our
global communications networks. For example, we now have in
place a corporate information system security officer and
computer security incident response teams.
Our systems are protected with an extensive array of
electronic firewalls, intrusion detection systems and a
comprehensive anti-virus program. We increased system security
training, conducted extensive independent network penetration
testing and installed a web based geographic information system
to collect cyber threat information.
As additional examples of the Department's commitment to
computer security awareness, I have hosted the CIO Council
Security Awareness Day, Critical Infrastructure Protection Day
and a hacker briefing presented by an industry expert. All of
these are open to the entire Federal IT community.
With our improved security posture, we have successfully
withstood numerous cyber attacks such as those that have
damaged other agencies and private sector web sites. For
example, we were successful in defending against an attack
after the NATO bombing of the Chinese Embassy in Belgrade when
we were bombarded with over 10,000 messages an hour for several
weeks.
However, despite significant improvements in our cyber
security, we realize that the cyber underworld continues to
improve its weapons. We routinely assess our presence on the
internet, and so far we have been successful in adjusting our
protection measures to meet the continuing and ever changing
challenges.
I also established a security infrastructure working group
known as SIWG to proactively oversee our enterprise
infrastructure and coordinate an integrated, department wide
security response. The SIWG is chaired by the Deputy CIO for
Operations and has representation from Diplomatic Security and
other bureaus.
Let me briefly highlight our accomplishments in our IT
security over the last 2 years. We achieved 100 percent
completion of the 72 technical findings and the eight
management recommendations identified in the 1998 GAO computer
security audit. We achieved closure on Federal Managers
Financial Integrity Act, FMFIA, issues open since 1984.
We revised the foreign affairs manual to include security
related policies. We globally deployed a computer security
self-assessment software tool known as Kane Security Analyst.
We conducted vulnerability assessments on our classified,
sensitive but unclassified and internet networks.
In a joint effort with the NSA, we have begun a pilot
program using public key infrastructure to implement strong
identification and authentication processes. We are
implementing the risk management cycle as recommended in best
practices published by GAO and OMB and are implementing a
robust certification and accreditation program incorporating
the recently released national information assurance
certification and accreditation process known as NIACAP. My
written testimony describes these achievements in more detail.
Now turning to Overseas Presence Advisory Panel
recommendations, particularly the actions we have taken to
address the challenges to obtain interagency coordination and
cooperation and to insure quality and cost effective program
management. To insure that all foreign affairs agencies are
partners in developing solutions to the OPAP recommendations,
we have convened the OPAP interagency technology subcommittee.
This subcommittee, which I chair as the representative of the
lead agency, consists of the CIOs of the principal foreign
affairs agencies.
To date, the cooperation between all of the foreign affairs
agencies in developing solutions to the OPAP report
recommendations has been outstanding. This reflects the fact
that over the past 2 years, through the CIO Council and its
various subcommittees, the CIOs had already established strong
relationships and had worked collaboratively on issues of
common concern.
Specifically, we are progressing in our plans to deploy an
interoperable infrastructure accessible to all agencies to
improve communication and collaboration. Our OPAP architecture
approach emphasizes interagency connectivity and collaboration,
minimizing technical risk and leveraging internet and web
technologies.
The intent is to build a browser based environment such
that agencies need not change their architectures to connect to
and use the OPAP facilities, and a range of connection options
will be accommodated. To provide the right information to the
right people at the right time, we are designing a knowledge
management system to share information across agency
boundaries. Security of the infrastructure will be addressed
through the use of technologies such as public key
infrastructure, data encryption and use of firewalls.
In order to insure quality and cost effective program
management and avoid excessive cost overruns, we are following
a disciplined, standard project management methodology which we
have used successfully in our Y2K worldwide remediation
program, IT modernization program known as ALMA and the global
emergency radio deployment program. I should point out that
this methodology includes regular interagency project review
and approval points, such as control gates and check points,
and prototype and pilot tests and assessments.
Accordingly, in fiscal year 2001, conditional on the
availability of timely and adequate resources, we plan to
implement a pilot program at two posts to test the interagency
developed solutions to the OPAP unclassified technology
recommendations. Mexico and New Delhi are being considered as
the pilot posts. Our goals and the effective participation of
other Federal agencies are achievable only with your support in
providing us the resources to continue.
Turning to IT management and planning, the last section, in
the time remaining I will address our progress in responding to
the 1998 GAO report which raised issues about our modernization
program being at risk absent implementation of best practices.
We have made significant improvements in the management,
policy, planning and governance of our IT resources as we
demonstrated in our success at turning our Y2K program from an
F to an A, closing FMFIA issues and completing a large
scale, global IT modernization project.
Demonstrating the Department's compliance with the GAO's
management improvements recommendations, we have adopted an
enhanced capital planning process that involves all the key
stakeholders, including the CFO and other senior management,
Assistant Secretaries, to comply with the mandates of Clinger
Cohen and OMB Circular A-11;
Created the Configuration Control Board, whose role will be
expanded to further strengthen the interrelationship with the
capital planning process; established the enterprise IT
architecture that is modeled after guidance issued by the
Federal CIO Council; included output and outcome measures in
our IT tactical plan linking the relationship of those measures
to mission effectiveness and efficiency;
Instituted a disciplined life cycle management process
known as Managing State Projects to help insure a consistent
approach to all aspects of project management; and, last, we
continued to focus on well articulated goals that are presented
in our new IT strategic plan published in January of this year.
Mr. Chairman and distinguished Committee Members, I would
like to conclude my testimony here today by assuring you that
the State Department, including senior management, is committed
to confronting the continuing challenges, including those which
will cogently be addressed by GAO today.
We will work in partnership with your Committee, the GAO
and other agencies and other bureaus in the Department,
including Diplomatic Security, to provide exceptional IT
support to American diplomatic activities in the twenty-first
century.
Thank you, and I would be pleased to answer any questions.
[The prepared statement of Mr. Burbano appears in the
appendix.]
Chairman Gilman. Thank you, Mr. Burbano.
Mr. Brock, GAO.
STATEMENT OF JACK L. BROCK, JR., DIRECTOR OF GOVERNMENT AND
DEFENSE SYSTEMS, U.S. GENERAL ACCOUNTING OFFICE
Mr. Brock. Thank you, Mr. Chairman. Thank you very much for
inviting us here today.
We first met with your staff several months ago about the
Overseas Presence Advisory Panel [OPAP]. The main concern was
we do not want to have a hearing in 2 or 3 years and find out
that the Department has wasted $300 million or $400 million. We
want a return on investment. We want to make sure that the
goals and the objectives that were set out in the OPAP report
are in fact and that they are met efficiently.
I think a concern that the staff had was based on a couple
of GAO reports on the IT environment at the State Department
and on the poor computer security, this concern was well
founded. Could in fact the Department spend the money wisely?
Could in fact the Department bring about the common platform
that is needed to support OPAP?
Our work in computer security showed that the State
Department was highly vulnerable to both inside and outside
threats. We were able to pretty much walk around the
Department. There was generally a lack of oversight at the
management level.
Chairman Gilman. Let me interrupt. You say there is a lack
of oversight in management at State?
Mr. Brock. Oh, absolutely. Yes.
Chairman Gilman. Thank you. We are curious about that
because we are working on the possibility of creating a new
management office. Thank you.
Mr. Brock. The same thing on looking at major investments,
IT investments in the Department. There were a lack of
management controls and a lack of management processes.
Both of those reports were done in 1998, and since then the
Department has made impressive strides in establishing good
management processes that should allow them, if implemented
correctly, to control their investments, to control their
computer security. I am a firm believer that good results come
from good processes. If you do not have good processes, good
results may or may not follow, but they are pretty much
sporadic.
The Department has now laid a foundation for having a
better opportunity for achieving good results, and in fact when
we are looking at the OPAP project, which the early planning
stages are still underway, they in fact have a disciplined
process that they are following in determining what the
requirements of the platform will be, how much it should cost,
what sort of technology should be in place, etc. They are doing
a number of things that make sense, and they are pretty much on
target by the end of this fiscal year to have a detailed
implementation plan.
While the Department I believe is well situated to move
forward into a planning process, we believe they also face I
think reasonably significant challenges in moving forward. I
would like to just spend a few moments discussing those
challenges.
First of all, they have to work with eight or nine agencies
on this common platform, and that is difficult to do. I mean,
on paper they have the agencies in place. They all meet
together. They have regular meetings. Nevertheless, they have
different objectives. They have different needs, and in order
to optimize the common platform some of the individual needs of
various agencies might have to be suboptimized.
It is this process that is difficult to negotiate and
achieve. We think that it is likely that many agencies may want
to continue operating their own technology, particularly if
they have systems that were recently acquired or upgraded.
Second, no one agency by itself has the authority or the
ability to dictate a solution to insure the implementation of a
mutually developed solution. Third, although negotiations are
ongoing, details are still being worked out as to who will
manage and administer the new collaborative network.
These challenges are answerable. They are doable, but,
nevertheless, they are challenges that have to face the
Department. This really has nothing to do with the Department's
status now in terms of good information over technology, but I
think a challenge that any organization would face trying to
bring together eight other organizations.
The second challenge is on the matter of an architecture.
Right now the State Department has a level of architecture, but
it does not have a detailed architecture.
If I could just briefly describe an architecture in more
common terms, if you have a Rand McNally atlas and you open up
the front page and you see the map of the United States, it
shows the major interstates going from the east coast to the
west coast and from the Gulf of Mexico to Canada. Well, you
sort of know how to get there and where you are going, but it
is only until you turn to the detailed maps inside the atlas
that you really know the best route to take from state to state
to state.
I think right now the State Department has a pretty good
overview map, but they do not have those detailed maps that are
really necessary to dictate where the State Department wants to
go in terms of matching business solutions with technology. The
danger of not having an architecture in place is that sometimes
you in fact let technology dictate business needs, or you let
business needs dictate the wrong kind of technology, so you
really need to merge those two things.
The danger of continuing or the risk of continuing in the
OPAP project while the architecture is still underway is that
there is a risk that the eventual OPAP architecture could
influence the State Department's final architecture in a way
that may not be optimal. Now, this is a risk I think they are
aware of and something that they need to follow throughout the
development of both the architecture and the project.
The last challenge that the State Department faces is
computer security. This is a challenge that we found every
agency faces. Our recent reports have indicated that the 22
major Federal agencies all have significant computer security
problems. The findings that we had at State Department a couple
years ago, they are not unique to the State Department. They
are true everywhere on a government wide basis.
The State Department has implemented our recommendations.
They have changed their management structure. They are in a
better position to deal with these problems. One of the things
that they have done at our recommendation is to begin to do
vulnerability assessments at key places. These vulnerability
assessments continue to find problems.
I think a difference now is the State Department is finding
these problems, and they are fixing them, but I think it is
indicative that computer security is an ongoing concern. You
are going to have a new network, a new platform, new
opportunities for intrusion, and I think that the diligence and
the level of effort that the State Department will have to
exercise to this is going to be considerable, so that is a
significant challenge.
The advantage is that you have now as an oversight body and
in fact an advantage that is also shared by the State
Department and the other agencies that are participating in the
OPAP project is that the planning for this is just now
seriously getting underway, and you have many excellent
oversight opportunities over the coming year.
First of all, the State Department is developing a detailed
project plan, and they are going to be testing the concept at a
couple of pilot locations. This is a good opportunity to take a
look at the detailed project plan, to take a look at the
results of the pilot projects and say is this an investment
that is going to pay off? Does it show promise? Is it something
we want to pay for? Is it something that is showing results in
a couple of limited locations? Does it show promise?
Second, the development of a detailed project plan also
allows the performance measures to be developed so that in fact
you will be able to say OK, here is where you said you would
be. Here is where you are. What is the gap? What do we need to
do to close the gap? Are you still on target--and gives the
State Department, the other agencies, as well as you as an
oversight entity, an opportunity to take corrective actions.
The State Department is well positioned to develop a plan,
and I think that again this Committee is well positioned to use
this plan as a vehicle for monitoring the development of the
platform over the next couple of years.
Mr. Chairman, that concludes my statement.
[The prepared statement of Mr. Brock appears in the
appendix.]
Chairman Gilman. Thank you very much, Mr. Brock. You have
given us a lot of food for thought.
Mr. Maybury.
STATEMENT OF MARK T. MAYBURY, EXECUTIVE DIRECTOR, INFORMATION
TECHNOLOGY DIVISION, THE MITRE CORPORATION
Mr. Maybury. Thank you, Mr. Chairman, distinguished Members
of the Committee.
As executive director for the MITRE Corporation, I oversee
all collaboration computing activities at the corporation, and
for the past 5 years I have served and worked with the
Department of Defense very closely to develop a common
operating environment specifically responsible for the
collaboration and multimedia elements thereof.
I will summarize my prepared statement, but I have provided
a lot of details that I would like to make part of the formal
record.
Chairman Gilman. Without objection, it will be made part of
the record.
Please proceed.
Mr. Maybury. Thank you.
Just a comment on the requirements for, the impediments to,
the costs of and the lessons learned from using collaboration
computing in knowledge management and other activities across
the government. I have attempted to address each of these
issues in detail, but I would summarize my statements.
The first point I would like to make is that to create a
common operating platform for the Department of State and the
other agencies is a challenge, but it has great potential. By
common platform, I mean those infrastructure and applications
that are basic to long distance and cross agency collaboration,
things like directories, electronic mail, file sharing, desktop
video teleconferencing, skills or expert data bases and shared
applications.
I believe secure collaboration and knowledge management
solutions have promised to directly address some of the
fundamental problems outlined in the November, 1999, OPAP
report, including increased global complexity, dealing with
reduced overseas staffs, the need for increased global
engagement and influence.
For example, if we take a look at the intelligence
community and the Intelink, classified internet, which MITRE
helped engineer, it has become the primary method for
intelligence distribution throughout the intelligence
community.
Another example. In my written statement I detail how
collaborative technologies have fundamentally changed the way
the Air Force operates by creating virtual air operations
centers. Another example. The Navy and the Joint Forces have
been able to put Tomahawk cruise missiles on target faster and
more accurately during war.
At the MITRE Corporation, as I have also submitted in my
materials, there are several CIO magazine articles outlining
our internal internet which has been used to share knowledge
globally. These systems have improved the timeliness and
quality of operational processes. For example, in a major
exercise last year, the Air Force was able to improve their
efficiency of operations by 50 percent. With focused effort,
the foreign affairs community can enjoy these same benefits.
My second point is that the success of the common platform
for the Department of State will require both knowledge
management and collaboration technologies. I will not detail
these, but, in short, collaboration technologies are those that
allow people to share information across time in both different
times, as well as across different places.
For example, if you want to support a team working at a
different time and a different place, you could use electronic
mail, or if they are working at the same time, but in different
places, you could use technologies like instant messaging,
technologies like desktop video conferencing.
In contrast, knowledge management can be enabled by
collaboration, but it is distinct, and it refers to processes
that allow us to find experts, to map the knowledge in an
enterprise or across enterprises, to integrate knowledge and to
disseminate knowledge.
My third point. Because of the difficulty of predicting how
people and organizations will use collaboration tools and the
rapidly changing underlying communications, networking and
computing infrastructure, it is essential that the creation of
these systems be done in what is called an incremental spiral
acquisition process.
This is in contrast to the traditional waterfall approach
where development of a system follows a strict sequential
process from requirements to design to implementation to
testing and in contrast is more of an iterative process in
which these things are done in parallel.
Accordingly, the government needs to depart from its normal
lengthy purchasing process to build a little, test a little,
learn from mistakes and be willing to adapt to change. Planned
obsolescence is part of this process, and these systems can be
very costly. In fact, when you cost these systems you must look
at full life cycle costs to include the cost to acquire the
system, the cost to implement it, steady state costs, as well
as indirect costs, including intangibles such as down time and
user satisfaction.
Incidentally, I have included in these articles the cost
analysis that MITRE has utilized that was highlighted in the
February CIO article where we invested $7 million and were able
to show over $50 million in return on investment.
While a spiral development process does not guarantee an
inexpensive solution, it does minimize the risk that money will
be wasted. Success in creating a secure common platform for the
Department of State and other agencies requires clarity of
vision, buy in from the foreign affairs community, explicit and
measurable business outcomes, but flexibility in technology,
schedule, budget and specifications.
Mr. Chairman, I have a few more points. I do not know if
you would like me to stop or finish.
Chairman Gilman. Well, we are going to be called for a
vote. Why do we not dig into the questions, if you would?
Mr. Maybury. That is fine. Thank you.
[The prepared statement of Mr. Maybury appears in the
appendix.]
Chairman Gilman. I want to thank all of you for being
concise in your presentations.
We will continue right on through the vote with the
questioning. I am going to ask my colleagues if they would want
to go, and we will continue so we will not have a delay.
First of all, Mr. Burbano, last week Undersecretary Cohen
stated that various technology systems were still out of date,
even though the Department has replaced all of its Wang
systems. When can we expect the needed reorganization to be
achieved that is so sorely needed? Which systems are top
priority, and do we have the appropriations that are needed to
do what you are seeking?
Mr. Burbano. Mr. Chairman, the answer to that question I
think goes right to the heart. It is the funding. We do not
have the funding to completely overhaul the systems.
The majority of the unclassified systems have been
modernized. The classified system is where we still have a
lot----
Chairman Gilman. How much will be needed, Mr. Burbano?
Mr. Burbano. Approximately close to $200 million.
Chairman Gilman. I understood from my staff that there is
$500 million available for information technology. Is that fund
available to you?
Mr. Burbano. We are using it. I mean, it is not a fund that
is available for things we have not used it for. Believe me, we
are making use. Our budget is, you know, as stated earlier,
$500 million.
Chairman Gilman. So you are limited in the appropriations
available to you?
Mr. Burbano. Yes. Absolutely.
Chairman Gilman. And what is the shortage?
Mr. Burbano. For the classified systems, close to $200
million.
Chairman Gilman. You need another $200 million?
Mr. Burbano. Yes.
Chairman Gilman. Mr. Brock, your statement noted the State
Department networks remain highly vulnerable to exploitation of
unauthorized access. That is based on four computer security
evaluations of its unclassified networks.
What do these findings suggest for efforts to develop a
common platform? Both Mr. Brock and Mr. Burbano, has any
corrective action been taken? Have such risk assessments been
made on the classified system? I direct that to both of you.
Mr. Brock?
Mr. Brock. First, I do not think that it is unusual that
every time you do one of these vulnerability tests that you
continue to find holes. One of the reasons that we advocate a
continuing of vulnerability assessment is in fact to find holes
because they always creep up. If you are not constantly
vigilant, you will end up with a serious mess on your hands.
We did not go in and evaluate the repairs that the State
Department made. We did note that they did take corrective
action in the four reports that we examined. The fact that
reports, though, continue to show vulnerabilities, which again
I do not find particularly surprising, indicates that there is
still a need for constant vigilance.
The thing the Department has done differently since our
original report, though, is put in more centralized management
and in fact established a control. Before our initial report
they never did their own vulnerability studies. At least now
they have the capability of determining on their own where they
have weaknesses and then being able to take corrective action
on a more timely basis.
But again, that just points out that when you are putting
in a new platform, as I mentioned in my oral statement, that in
fact you are assuming a certain risk. You need to determine
what that risk is. You need to determine the appropriate
controls that should be in place to minimize that risk, and
those controls are going to cost you some money. That has to be
factored into the life cycle cost of the overall project.
Chairman Gilman. Mr. Brock, you noted that the panel
reported the condition of U.S. post submissions abroad as
unacceptable, and the panel found the facilities overseas had
deteriorated, human resource management practices are outdated
and inefficient, and there is no interagency mechanism to
coordinate overseas activities or manage their size and shape.
What is your recommendation to correct that?
Mr. Brock. Well, we did not specifically go over and
evaluate those conditions, so we have made a general assumption
based on other material that those conditions were reasonably
and accurately reported.
In fact, the process that the State Department is leading
now is supposed to address those conditions and make
improvements, which is one of the challenges that we mentioned.
In fact, to get all eight or nine agencies to agree to make
certain changes is going to be a difficult task.
Chairman Gilman. I am going to reserve my questions. Mr.
Bereuter has another engagement. I am going to pass the time to
Mr. Bereuter.
Mr. Bereuter [presiding]. Thank you, Mr. Chairman. I
appreciate that courtesy.
One of the difficulties for some of us is that you
gentlemen use terminology which is not always clear to us, and
I am sure we do the same, but, as I understand it, you are
preparing or are you updating information architecture, a plan
for information architecture for the State Department.
Is it an update would you say realistically, or is it the
first time you are comprehensively attempting to look at and
develop an architecture? Mr. Burbano.
Mr. Burbano. We have developed already, as in a written
testimony in April 1999. We put out our first high level, as
Mr. Brock stated. It is high level architecture that brings the
State Department into the modern age, and we are developing
right now the details of that IT architecture, so we came out
with the first published IT architecture.
There was a default one, you know, because you always
operate with one, but it was not necessarily a formally
published architecture prior to that one.
Mr. Bereuter. Mr. Burbano, you heard the analogy used by
Mr. Brock about the Rand McNally overall front page map, and he
suggested that what is lacking to some extent----
Mr. Burbano. Is the details.
Mr. Bereuter [continuing]. Are the details within that
overall framework.
You have a good framework in place, as I understand your
comment, Mr. Brock.
How far do you intend to go in Mexico City, and where is
the other pilot?
Mr. Burbano. New Delhi.
Mr. Bereuter. New Delhi. Are these picked because you think
that they will be good models for you to work with, to make an
assessment on?
Mr. Burbano. Yes. In fact, you know, those models were
picked with the whole interagency group; not just the IT
interagency group, but the interagency group for OPAP that is
overlooking the right sizing and the buildings/facilities and
the IT portion, the three groups underneath that. They are the
ones that decided along with the three groups underneath that
those were the best sites.
The reason they are the best sites is because of the
representation there from the other agencies, which is what you
want to do for the collaboration.
Mr. Bereuter. Now, what I am looking for is some
reassurance that the plan that you are developing or refining
for the information technology for the State Department will
survive changes in technology.
Mr. Burbano. Yes, it will, and that is one of the key
points. It is a refresh. We are doing that right now with our
very successful ALMA program, which is another logical
modernization program that we have that replaced all these
Wangs on the unclassified system. That was very successful.
We have a refresh program, which is part of our Managing
State Project management system that Mr. Brock spoke about that
has been successful, and that includes a refresh to make sure
we stay up to date. We are doing that right now with the ALMA
system, and we did that also with the very successful Y2K
system and also with the global overseas radio program.
Mr. Bereuter. Thank you very much.
Mr. Brock, I want to have some assurance that what is being
developed in fact will survive upgraded technological changes
that are brought to bear in terms of new equipment, new
software, things that perhaps we do not even anticipate at this
point.
I want to understand that this plan is going to be
survivable, that it will be credible, that it will reach beyond
the current technology and that we will not find ourselves
having to start all over picking up the pieces as a result of
changes in technology.
Do you have anything you can say to me about the plan as
being developed?
Mr. Brock. Well, I cannot offer you those assurances
because the plan is not complete, but what you have really done
is laid out a very basic expectation that is true of any
architecture. That is one of the very first things that you
need to do is to use this to provide some assurance that the
dollars you are going to be spending are in fact not going to
be wasted.
The disadvantage of not having an architecture is that
every investment that you make may or may not fit into the
overall structure, so you have incompatible systems. You have--
in other words, they do not talk to each other. You know, you
buy Macs one place and PCs another place, and you cannot
exchange software.
We have numerous examples of where a lack of a defined
architecture has caused agencies billions of dollars in wasted
money, so I think the answer to your question, and I apologize
for going on, is that right now I cannot provide you that
assurance. I can provide you an assurance that they do have a
high level architecture that makes sense.
They are developing the necessary artifacts, the individual
Rand McNally pieces, and those need to be examined as we go
through the process to see if in fact they will provide that
richness that you are asking for.
Mr. Bereuter. I will just make one more statement really
before I turn it over to Mr. Rohrabacher as I go to vote.
I understand how difficult--I think I understand in part
how difficult this interagency process might be to develop an
agreement as to what is appropriate in taking secondary levels
of benefits perhaps in order for the uniform effort to move
ahead.
I believe I understand that the intelligence community and
the State Department have just basically decided they cannot be
as compatible as the Congress had hoped they would be and that
there is something in an appropriation bill, in an intelligence
authorization bill, which suggests that that is the case, so I
hope perhaps you might be able to address that in your comments
for the record here. If I have given you enough information to
proceed, I am asking any of you after I leave.
Mr. Rohrabacher, are you ready to take over?
Mr. Rohrabacher [presiding]. Thank you.
Mr. Bereuter. Thank you.
Mr. Rohrabacher. Oh-oh. I am in charge now.
Doug, you left a question on the table?
Mr. Bereuter. If they care to address it.
Mr. Rohrabacher. Please feel free.
Mr. Maybury. Yes. I would like to address that. The
intelligence community is part of my IT subcommittee,
interagency subcommittee. John Dams, who is the IC CIO for all
the intelligence community, is a member, and he also has
representation in the other groups.
As far as I have seen directly, along with my other two
subgroups, there has been excellent cooperation. There is buy
in. The only statements that I have personally heard and also
my group leaders has been that, you know, you have to make sure
that we do not lower our security standards, which I totally
agree, and nobody has said that we are going to lower them.
In fact, the opposite. We are upping our security
requirements because we know that the internet, you know, has
holes like Swiss cheese, so we want to make sure that we
strengthen our security. We are doing that, as I stated in my
oral and written statements.
You know, we are going to be using industrial strength
firewalls, PKI, digital certificate and signatures and also
encryption, anti-viruses, every available tool that is out
there to properly do and transact business on the internet in a
secure manner.
As far as my relationships, and I am also a member, by the
way, of the intelligence community CIO Council. I sit on the
executive council. I work closely with John Dams, and as far as
I know the intelligence community is, you know, on board with
us. I have talked to John. As I mentioned, he is the
representative for the intelligence community, and he is on
board.
Mr. Rychak. May I add to that?
Mr. Rohrabacher. Yes. Sure.
Mr. Rychak. I think it is also important that we make the
distinction between our classified systems and the
interconnectivity, the proposal to interconnect classified, and
what is being done right now, and that is looking at our
unclassified systems and interconnecting with the other
agencies.
Certainly the classified interconnectivity is a goal, but
that is much longer term, and indeed there are some strong
opinions as to how that could be done securely in the long run
bringing in agencies that have very different backgrounds and
sensitivities as it relates to information. The effort, though,
that is ongoing right now deals with unclassified systems.
Mr. Maybury. If I could make a comment? Two comments. One
on the architecture point and one on the interoperability
point.
In my written statement with respect to the Department of
Defense, we have been working for the past 5 years with many
architectures, and I would strongly urge that there not be one
architecture; there be several architectures that are tightly
coupled.
Just as you would not use the same map for a pilot as you
would for somebody who is driving a truck as you would for
somebody who is walking through a historic district in a city,
you similarly will not use the same architecture in an
information system for people who have different tasks or who
are looking at different levels.
To be specific, it is important to have a functional
architecture, what you want to do with the system; a systems
architecture, what are the components, what are the
connections; and a technical architecture, that is one that
specifies the standards, if you will, the rules of the road
that show how these systems are going to work with one another.
If you only have one of those, you have an incomplete
architecture.
With respect to technical standards, I have included in my
written testimony the standards we use, which are international
standards. They are not government standards. They are
standards such as the International Telephony Union, such as
the Engineering Task Force. These are standards bodies that
build or, if you will, that specify the building codes to which
commercial tools are created.
It is essential that we have standards in interoperability
that comes from those because if we want to protect ourselves
from our investment and to insure interoperability in the
future, those kinds of, if you will, building codes will help
us do that.
Mr. Burbano. If I can, I would like to add a point to that
since the architecture is a very key point.
To show you how committed and a firm believer I am in the
architecture, we have actually gone beyond the Clinger Cohen
requirements for IT architecture. We have also developed a
business architecture and a security architecture, which will
be a requirement in the near future, which is not a requirement
right now, and we have those in draft. We are working with GAO
on that.
In terms of the collaboration, I would just like to say,
because that was an issue that was brought out also in an
earlier question. As I stated, because of Clinger Cohen I think
that the OPAP implementation is going to be a lot easier than
prior to Clinger Cohen because there is now a CIO Council, and
the CIOs of the top 24 and also the other 50 CIOs or so of the
small and medium agencies get together on a monthly/quarterly
basis.
That has produced a very strong collaboration that will
spill over and is spilling over to the OPAP. That would not
have existed prior to the Clinger Cohen, so I think we have
excellent collaboration.
Mr. Rohrabacher. Thank you very much.
The Chairman is back, but I will, with the Chairman's
permission, proceed with my 5 minutes.
Chairman Gilman [presiding]. Please. Please.
Mr. Rohrabacher. Which I have not had yet.
Chairman Gilman. By all means.
Mr. Rohrabacher. Let me just say, first of all, I stated
something for the record at the beginning, and I just want to
follow up on that 1 minute, but let me just say that from my
perspective it seems like we are starting this effort that you
are talking about really late in the game here. This is near
the end of this Administration, and all of a sudden we are
talking about security.
Quite frankly, Mr. Chairman, this Administration does not
have a very good track record in terms of security in the
operations of our Federal agencies. One need only look at the
ongoing crisis, for lack of a better word, surrounding Los
Alamos and what has been going on there for what appears to
have been going on for years and years and years. I realize you
folks are not responsible for that. Maybe you will have some
responsibility for that or parts of that. I do not know.
Then we hear stories about missing laptops. Now, where does
this missing--I mean, I understand there is at least one
missing laptop that dealt with top secret security information.
Where does that fit into what you are doing here?
STATEMENT OF WAYNE RYCHAK, DEPUTY ASSISTANT SECRETARY FOR
DIPLOMATIC SECURITY, U.S. DEPARTMENT OF STATE
Mr. Rychak. Sir, to answer your first question, security is
not a new issue. The comments that Mr. Brock made regarding the
improvements, and there have been substantial improvements
within the information and security program at the State
Department. Those have been occurring over the course of the
last 3 years.
When the GAO issued their report in the fall of 1998,
frankly it was a wake up call for many of us that are in the
operational side. We have focused great effort and attention in
enhancing processes, as Mr. Brock has pointed out; processes
such as security awareness training, vulnerability and risk
assessments, evaluations, audits, network monitoring.
Mr. Rohrabacher. Let me interrupt you for one moment.
Mr. Rychak. Yes.
Mr. Rohrabacher. And I respect all the procedural things
and the descriptions of the type of--I mean, you are going
through this in a systematic way and saying how can we make
things better in relationship to a GAO report.
It is difficult for me to understand how to instill a
security consciousness among professionals like we have at the
State Department who work for the government when we have an
administration that is claiming that America's most severe
potential enemy, America's worst potential enemy, is a
strategic partner.
I mean, for 2 years, for 3 years, we had the State
Department over here, of course, doing what they were told to
do because the President of the United States was making the
policy that the Communist Chinese should be referred to and the
operating words were strategic partner.
It is difficult for me, frankly, to sit and to listen to a
very serious discussion, which you are having here, about your
procedures when it is done under an umbrella of or an
atmosphere that is being created by an administration insisting
on calling our worst potential enemy a partner, and not only
just a partner, but a strategic partner.
Now, I am not going to ask you to attack the Administration
because you would not be diplomats if you did, but I just
wanted to note that for the record.
Let's go back. Let me go back to that first issue that I
raised in my opening statement. Here we have, and I think
rational people have to--I think rational people all along
understood that Communist China was not our strategic partner,
but was instead a potential enemy. I am not saying that they
are an enemy, but at least our worst potential adversary.
Here we have what almost everyone recognizes as our most
dangerous potential adversary buying a building right across
from the Pentagon with obvious electronic capability, spying
capabilities. Has there been any discussion? There was no
apparent objection from the State Department, which would have
had some say in this.
Have there been discussions with the Defense Department or
the CIA concerning this potential security problem?
Mr. Rychak. Sir, when you first raised this question you
surmised that there would probably be no one on this panel that
could directly answer, and you are correct.
I will tell you that the Department's Office of Foreign
Missions would be the entity that would normally deal with
these types of issues, any acquisitions by foreign governments
of property. I am sure that this office was involved.
I cannot speak of any of the details. I learned of this, as
you did, this morning on the news. We would have to get back to
you on your question.
Mr. Rohrabacher. But would it be the FBI would then be in
touch with the State Department, who would then do something
official in terms of looking into that to see if the charges
that this was an arm of Chinese intelligence and if it was to
make the appropriate moves to prevent this from happening?
Mr. Rychak. It is normally----
Mr. Rohrabacher. Is that the way it would work?
Mr. Rychak [continuing]. FBI, State Department and then the
intelligence community. It is normally a coordinated effort to
look at the potential hazards and threats that could be posed
by a foreign government's presence anywhere in the United
States.
Again, I cannot speak to any of the details, though, on
this particular issue.
Mr. Rohrabacher. And your role that we were talking about
earlier is that when the agencies get together and they want to
communicate via their computer system that you are just trying
to see now that the computer system--someone does not hack into
that or that that is a protected communications apparatus? Is
that right?
Mr. Rychak. Yes. Certainly one of my roles is to do what is
necessary to put into place a comprehensive and effective
security program to protect that information. Yes.
Mr. Maybury. If I could make a comment on that?
Mr. Rohrabacher. Sure. Go right ahead.
Mr. Maybury. With respect to there are a whole set of
vulnerabilities that I know the State Department is aware of
and they have been actively addressing via a variety of
mechanisms, such as access by unauthorized users, denial of
service and so on.
I think that it is important to note particularly when we
talk about distributed collaboration systems that there are new
classes of vulnerability that are inserted or potentially
there. In fact, we are actively working with, and I cannot
speak to this in this open session, but with government
agencies to develop new technologies to apply to essentially
protect some of these systems.
For example, one might want to have if you are
communicating instead of over a phone using a computer to
communicate, you may want to encrypt that kind of audio, for
example. These are new functions that will be made available in
the future, but we do not have them yet. There are new
vulnerabilities that we do not yet have protection for that we
need to either invest in or create.
Mr. Rohrabacher. Well, I am pleased to see that we have
some people who understand all of this computer. We were just
discussing this. Congressman Hastings and I were discussing
that we are not experts, unlike Ben, who understands all of the
new computer system and the new technology. We are very happy
that we have some real professionals who are involved in this,
and we thank you, Mr. Maybury, and you gentlemen for spending
your time and your professional expertise in this.
Just again for the record, I would like to say just again I
am not doing this to be political, Al, but I just think the
record of this Administration in this area has been--I worked
for the White House for 7 years, and I remember what it was
like, the atmosphere in the Reagan Administration concerning
security issues, and the record of this Administration when you
consider Los Alamos and some of these other things that we know
about has just been abysmal.
This Administration should hang its head in shame in terms
of the national security interests of our country in terms of
this area. I am pleased, however, at this part of the game and
that some professional attention is being spent in this area.
Thank you very much, Mr. Chairman.
Chairman Gilman. Thank you, Mr. Rohrabacher.
Judge Hastings.
Mr. Hastings. Mr. Chairman, thank you so very much. My dear
and good friend from California would not dare do anything
political, nor would I.
Under the circumstances, I remind him that when he worked
at the White House in the Reagan Administration a call on a
cell would have been from a jail. The IBM machine was
considered something forward thinking, and everybody thought
they had arrived. Indeed, most of what you were doing was using
dictating machines.
The problem that I have is that it seems that the
technology is overwhelming, and I see that as problematical for
not only our governmental agencies, but for all of us until we
reach whatever the optimum condition is that it is likely to
reach, and the way it is spiraling that is hard to envision
taking place at some point in the not too distant future.
I would like to ask two quick questions, and then I would
like to just, if I could, give you an overview of what I just
said with more specifics in mind.
Mr. Burbano or Mr. Rychak, has the Diplomatic
Telecommunications Services, which you know is an interagency
common platform for secure communications, been a wise and
effective investment from an electronic communications
perspective, and how crucial do you feel the continued
operation of DTS-PO as an interagency run common system to be
for the success of a common computer system? Either of you.
Mr. Burbano. OK. I will take first a first stab at it. DTS-
PO, which you are speaking to, I think is important, and I
think the collaboration among the agencies in the support of it
is important.
I think the problems have definitely been there due to not
the organization, but funding. Frankly, it has been severely
underfunded, and what has resulted, the biggest problem is the
lack of bandwidth to support the overseas community. That is
funds, so it is a funding problem, but we need to maintain the
organization, and it needs to be, you know, collaboration
between parent companies.
Mr. Hastings. All right. Thank you. Some years ago I had
the good experience of visiting Australia for the first time,
and I use this as just a metaphor, so to speak, for what I am
about to suggest or ask.
I did not know the fierce rivalry between Melbourne and
Sydney. Apparently at one point they disliked each other so
intensively that when they were building their rail systems,
they built them in a manner that when they came together they
did not fit.
I am curious from your perspective whether or not we are
involving enough people when we talk about collaborative
networks, collaborative technology, interagency connectivity,
and by that I meant this. I served in the judiciary, and we
always were last to get stuff that was needed, yet we were
involved in matters of security far beyond some of the things
that I see here in the legislative branch.
My concern is that at some point there has to be not just
for the State Department or the CIA or the FBI or the Defense
Department, but there has to be some collaboration with all of
them, including the legislative, executive and judicial
branches of our government, and calling upon experts from each
of those areas to work with the people that are developing it.
In other words, the State Department may fool around and
develop the best, and GAO may not have that. We have seen that
happen over and over again.
Do any of you have that concern, or if I am talking about
breadth as it pertains to security including all of government
is that too much to ask?
Mr. Brock. No, it is not. It gets back to a question Mr.
Rohrabacher was going into.
We have testified many times over the past year. The
government has overall very poor computer security. There is no
central leadership or management or limited central leadership
and management. Some of the things that you are talking about
such as the building overlooking the Pentagon going to threat
assessment, the United States is not well equipped to do threat
assessment. Information is not shared freely among agencies.
The ``I LOVE YOU'' virus, which the State Department was
internally successful at resisting, was not successfully
resisted by many other agencies. The National Infrastructure
Protection Agency at FBI did a very poor job of sharing
information on the virus and coming up with relevant
information.
Earlier this year, the President released the national plan
to protect the critical infrastructure. The key element of that
plan was to say that the government will be a model so that the
private sector will want to participate, and they acknowledge
in that that the government is not a model; that there is a
long way to go.
So the issues you are talking about are much broader than
the State Department.
Mr. Hastings. Right.
Mr. Brock. They do encompass other agencies, and they need
to be looked at as part of a whole cloth.
Mr. Hastings. Right. The other thing, Mr. Chairman, that I
raise, and this will be my final question on this round, has to
do with what I think is just good sense, and that is that, for
example, on the criminal side of matters totally unrelated to
the State Department.
When a 17-year-old hacker is discovered that is brilliant
and they take him to court, a lot of times they give him a
job--do you understand what I am saying--so they can decide to
use this kid. Now, that raises the question that I have.
I listened to you all this morning, and just generally
everyone that I have heard, from encryption all the way back
across to all of the agencies that I have been faced with in my
responsibilities as a policymaker, I have heard over and over
and over from extraordinarily competent individuals like
yourselves, and I do not mean that patronizingly. I do not know
what either of you make. I suspect from my point of view you
are underpaid by comparison to what happens in Silicon Valley
and other places.
I guess, Mr. Burbano, since you have the highest budget as
I heard the Chair announce, do you feel that in an effort to
accomplish just inside your agency the things that you need to
accomplish that you would--a special category of funding to
give to exceptional individuals to keep them on board or to
bring in bright people? Would that be helpful?
In other words, you have a GS whatever--I never have known;
GS-14, GS-15--when you need to be paying somebody $200,000 to
do what needs to be done. Am I off the mark here?
Mr. Burbano. No. No. You are right on target. In fact, one
of the things that I addressed besides computer security and
Y2K was the work force issue was a priority of mine, and that
was in fact what you were saying. Not only to recruit, but also
train and also retain----
Mr. Hastings. Retain.
Mr. Burbano [continuing]. IT workers in security and all
the other areas.
What we in fact have done as a first step--I call it a
first step because we need long term steps. We created the
first agency in the Federal Government to create both a
recruitment and retention allowance and bonus program, so for
recruitment we have up to 25 percent recruitment bonus, and
also we worked out with OPM so we can bring them in at higher
grades and steps than normal, so that is on the recruitment
end.
On the training, we have added up to around $4 million
extra to train our new employees, and to retain them we were
certainly the first agency to come up with what we call
retention allowance based on certifications like Microsoft,
Oracle, Cisco, and also on, you know, whether you have a
Bachelor's in Electronic Engineering or Master's in Computer
Science and so forth. You can get up to 15 percent in retention
pay, so we can keep those employees and not just bring them in
the pipeline.
We have done that. What still needs to be done, though, for
the long term is we are still working with the ceiling, so you
are very right. What we need to do, and the CIO Council and the
State Department is working with the CIO Council to try to
create a new IT pay scale across the whole Federal Government,
not just State Department, that will be competitive with
private industry.
The National Academy for Public Administration [NAPA], has
actually been chartered to do that study, which as you well
know was chartered by Congress and is independent of the
executive branch, is doing a study at the request of CIO
Council and working with the CIO Council and OPM to look at the
IT pay scale.
Mr. Hastings. Well, I thank you all, and I thank you, Mr.
Chairman.
Mr. Maybury. Could I add a comment to that if it were
useful? Just some facts for the record again in industry
perspective.
Seven out of the top ten fastest growth, according to the
Department of Labor statistics, job categories are information
technology job categories. Several years ago that was only
about two or three. The average annual attrition rate of IT
professionals in this country is roughly 14 1/2 percent.
Mr. Hastings. Would you say that again?
Mr. Maybury. Fourteen and a half percent is roughly the
average turnover rate nationally in terms of----
Mr. Rohrabacher. Per year?
Mr. Maybury. Per year. That means if you have 10 employees,
all right, 1.4 of them will leave every year.
Fifty thousand new graduates, both undergraduate and
graduates, according to Education's statistics, will graduate
every year. The annual growth rate in the IT industry is about
130,000 jobs added every year. So you do the math, and, yes,
there are the disciplines that people can come from, but there
are not that many. You do the math, and there is a huge
shortfall.
We have been tracking this actually very closely in Defense
obviously in the private sector, and I strongly concur with the
activities that State and others have been doing in this area,
and it will only get worse.
Mr. Hastings. Thank you very much.
Chairman Gilman. Thank you, Judge Hastings.
Gentlemen, I have a few questions. Mr. Rohrabacher, if you
have any additional questions.
Dr. Maybury.
Mr. Maybury. Yes, sir?
Chairman Gilman. Your statement addresses the
recommendation that State and the embassies have greater
internet access, acknowledging the expansion of the internet
can provide more pathways for intruders.
How does one balance the need for a safe and secure system
and yet greater access to the internet?
Mr. Maybury. Well, I think one needs to do a business case
analysis and to sort of have a managed approach to security.
One needs to understand the risks and the vulnerabilities
within those systems and then come up with a very specific
understanding of what the costs, either those that are
financial, national security or potential human life loss if it
is a rather serious set of information, and one has to measure
the associated reactions or preparations one can engage in to
respond to those.
In my testimony I give some specific examples of particular
approaches, some of which State has already employed, to
address those vulnerabilities.
Chairman Gilman. So what you are saying is you can make any
system secure. It is just how much you are willing to pay for
it. Is that right?
Mr. Maybury. Well, I want to be careful because, you know,
there is no absolute security. Security includes personnel
security, physical security, as well as electronic digital
security.
There are areas where we simply today do not have answers
because, as I mentioned before, there are new technologies, new
functions, including new vulnerabilities that are introduced
into the infrastructure every day.
What that means is if the risk is constantly changing, you
have to be vigilant. You have to have a process that
continually looks at those literally on a daily basis and comes
up with corrective technologies, procedures, policies to
address them.
Chairman Gilman. Mr. Brock, in examining security aspects
of all of this, is State Department doing something about
making security a priority amongst its personnel?
Mr. Brock. I think the State Department has made it a
priority, but I think, as Dr. Maybury was alluding to, it has
to be ongoing. It has to be constant.
If I could just add a bit to his response? Most of the
problems that we see on computer security when you are doing
the tradeoffs between security and how much you want to spend
is based on the absence of any sort of risk assessment; that
you should not establish controls until you know what your risk
is, and risk is a function of the threat and of the
vulnerability of the system. So if you had a system with very
limited threat and not very vulnerable, you do not need to
spend much on control.
Chairman Gilman. Who at State has the authority or the
oversight on risk assessment?
Mr. Brock. That would be Mr. Burbano.
Chairman Gilman. Mr. Burbano, is someone doing the risk
assessment?
Mr. Burbano. Yes. In fact, it is a joint effort with my
colleague, Wayne, in Diplomatic Security.
We have established a very strong program. As an example,
when I first came on board I worked with the Assistant
Secretary for Diplomatic Security to bring in the first outside
penetration testing, Lawrence Livermore, NR systems or
unclassified systems.
Since then we have done about three or four other
penetration tests on not only the unclassified, but the
sensitive but unclassified, classified systems. DS has done
those.
We also brought in Secure Computing Corporation to do
penetration tests prior to the Y2K rollover when it was
predicted there were going to be hundreds and thousands of
hackers out there. We did that in November.
We not only do the penetration vulnerable assessments and
the risk management, but, more importantly, we do the
remediations and make sure that whatever was found as holes
that they are plugged up. As was stated earlier, you are always
going to find holes, but we keep on plugging them. I feel we
have done an excellent job of that.
Not only have we done penetration tests, but we have also,
as Mr. Rychak has stated, we have done an excellent outreach
training program to make sure that the employees are cognizant
of that such as I stated earlier with the Security Awareness
Day, Critical Infrastructure Day, Hacker Day and individual
training sections.
You cannot log on to the internet without getting some DS
training. You have to be certified to get that training for the
internet in order to log on to our RICH internet access system.
We have implemented the intrusion detection boxes, anti-
viruses. You know, I can go on and on.
Chairman Gilman. I am trying to understand, gentlemen, the
division responsibility for computer security matters between
DS and the CIO shop. Can you explain the division and why it
makes sense?
Mr. Rychak, do you have any special concerns about the
splintering of responsibilities between the Diplomatic Security
office and the chief information officer?
Mr. Rychak. Sir, I would be happy to give you a background
as it relates to the split of responsibilities.
There are--there have been--overlapping authorities. The
Diplomatic Security Act, going back to 1985, vested the Bureau
of Diplomatic Security with a broad range of responsibilities.
The Clinger Cohen Act and other Acts vest the CIO also with a
broad range of security responsibilities as it relates to
information and computer systems.
Beginning about 2 years ago, the CIO's office and DS worked
to identify the strengths and the operational capabilities of
each of our organizations so that we could put together a clear
delineation of roles, of responsibilities.
Chairman Gilman. Are you satisfied with that delineation
today?
Mr. Rychak. The delineation I think is working well. Mr.
Burbano and I may have some differences in opinions ultimately
in perhaps who should be the senior lead authority, but let me
say that that decision has been made. Our Undersecretary for
Management has made the decision that the CIO is the lead
authority for that.
You are aware that the Secretary has proposed the creation
of an Undersecretary for Security in an effort to further
consolidate and establish senior level accountability for
security.
Computer security/information security I think will be
reviewed in that context, and I do not know how that will come
out, but I have to say that the system is working I think quite
well, and it is collegial. It has been a partnership
arrangement between the CIO and DS.
Chairman Gilman. Let me interrupt you a moment.
Mr. Rychak. Yes.
Chairman Gilman. Between the two of you, who is responsible
for the maintenance and computer security at the overseas posts
and at main State office? Can you tell us? Between the two
shops, how much money does State spend for security, and is
there money dedicated to security for the information
technology fund?
Mr. Rychak. I can speak for my side. For the programs that
DS administers, we are expending roughly $11.2 million this
fiscal year for computer security related programs, and that
deals with security awareness and training and vulnerability
assessments, intrusion detection capabilities, and this is a
program, frankly, we are very excited about that we are in the
process of implementing on a global perspective.
That is one piece of the puzzle. There are other programs
that the CIO and IRM administer, and I am sure Fernando would
like to address it, everything from virus protection to
implementing these policies, etc.
Mr. Burbano. Yes. I think one easy way at a high level to
differentiate DS and IRM is DS is involved in the development
of policy and also in the evaluations, assessments and so
forth. IRM is involved, the CIO, in the implementation of that
policy and so, I mean, that is one high level way of looking at
that.
Chairman Gilman. Are you pretty much both working
collaboratively in main State and overseas?
Mr. Burbano. Yes. Absolutely. I would like to reinforce
what Mr. Rychak said. We have an excellent relationship. We
work together. We created the matrix, and ever since we have
had that I think things have gone very smoothly, and in fact we
understand each other's areas, and we collaborate on all
decisions.
Chairman Gilman. Mr. Burbano, Mr. Brock's report at GAO
pointed out that computer security lacks a focal point within
State to oversee and to coordinate its security activities.
Do you have the expertise available in your shop to manage
the responsibility for computer security?
Mr. Burbano. Yes, and in fact I think that was May, 1998.
We are in 2000, and that has changed over the last year so that
is no longer--I think Mr. Brock stated that that in fact was
true when they did the assessment, but that was 2 years ago.
That is not----
Chairman Gilman. You have dedicated security----
Mr. Burbano. Yes. Absolutely.
Chairman Gilman [continuing]. Personnel.
Mr. Burbano. We have computer incident response teams just
like DS has that works around the clock, 7 by 24, in not only
monitoring, but also in----
Chairman Gilman. So it is not left up to non-professionals?
Mr. Burbano. No. No. These are computer security
specialists that are dedicated and trained in the field just
like DS. DS and IRM and the CIO both have computer security
staffs that are professionals.
Chairman Gilman. Mr. Burbano, I understand Diplomatic
Security sends out teams to audit security of computer systems
at the various posts overseas, and they produce reports and
recommendations.
Who is responsible for seeing that any recommendations are
carried out? Does Washington followup on those reports or
supply technical experts if a post requests assistance to make
a proper review?
Mr. Burbano. Yes. IRM is responsible, along with the post
and the bureaus, in implementing those changes because the
posts are underneath the bureaus. So it is a joint effort, but
the responsibility for implementing those recommendations do
fall to IRM and the bureaus and the posts, and we do implement
the changes.
We work very closely together on these teams. In fact, we
send out IRM computer security specialists along with DS on
some of these assessments.
Chairman Gilman. Mr. Brock, how would you characterize the
effectiveness and the improvements that State has made in their
computer security program today as compared to 2 years ago? Do
you have any plans to reexamine the Department's security
program?
Mr. Brock. We believe that the organizational changes that
have been made are very positive, and one of the key concerns
that we had was the bifurcation of computer security
responsibilities throughout the Department.
When we have gone out and done our best practices work,
even in highly decentralized organizations computer security
was centralized. I think it is appropriate in an organization
like State that you may have multiple entities carry out tasks,
but it is clear that one person or one organization needs to be
overall responsible, and that is something that we would like
to continue to examine within the State Department.
Chairman Gilman. Do you have any recommendations with
regard to that?
Mr. Brock. Well, at the present time, no. We currently are
engaged in a number of agency reviews, and we do not have a
request, if this is what you are moving toward. We have not had
a request to go back in and do a thorough computer security
review of the State Department.
Chairman Gilman. Mr. Rychak or Mr. Burbano, who is
responsible for investigating computer security violations, and
who resolves the intrusions or attacks in the Department? Who
conducts the followup?
Mr. Rychak. I can address that. The response to an incident
actually takes two different forms. DS has what is called a
CIRT, a computer incident response team. It is a 24 hour
operation of personnel, largely investigative, that would
respond from an investigative standpoint.
In sync with that, the CIO has a CERT, a computer emergency
response team, that deals with the operational issues relating
to mitigating any problems that would develop in our system.
Chairman Gilman. Are they able to react very promptly to
those?
Mr. Rychak. Yes. Actually, those teams work together and
often do it jointly.
Mr. Burbano. If I can add, during the Y2K rollover we had
our two teams sitting together in the same room sharing the
monitors, sharing the times and everything, and it worked
extremely well. We were not hacked during the Y2K rollover.
Chairman Gilman. Mr. Burbano, is computer security training
mandatory at State----
Mr. Burbano. Yes, it is mandatory.
Chairman Gilman [continuing]. For all State employees?
Mr. Burbano. For all State employees, and that is not just
recent. As I mentioned earlier, in order to connect to the RICH
internet access system you have to have DS, you know, training,
and you have to get certified first before you can log on.
Chairman Gilman. How long a period of training is there?
How extensive is it?
Mr. Burbano. We have various levels. Since DS does them, I
will let Wayne talk about it.
Mr. Rychak. Well, the internet training is a briefing that
would last maybe an hour, an hour and a half. It presumes that
the employee already has the background of security procedures
and requirements.
There is a new training program that was begun about 18
months ago that was the result of the GAO audit that I would
just like to comment on, and that was training for our
information systems security officers. We did not have a
program in place prior to 18 months ago to train the people who
worked on a day to day basis to ensure that computer security
policies were being carried out.
We did put that program into effect. We have trained
hundreds and hundreds of personnel. It has gotten excellent
reviews. We have more senior level training that also is
available to these personnel, and----
Chairman Gilman. Mr. Rychak, are you satisfied that all of
the important employees that use secure computers have been
properly trained now?
Mr. Rychak. No, I cannot say that I am completely
satisfied. You may recall that the Secretary of State announced
a directive following the discovery of the laptop computer that
it would be mandatory for all employees of the Department of
State, all cleared employees, to annually receive a briefing.
We are in the process of a very intensive effort to do just
that, and every day that goes by we have formal briefing
sessions that are ongoing in our auditoriums at the Department.
Chairman Gilman. How extensive has this program been, and
how many have been brought in at this point? What percentage of
the employees?
Mr. Rychak. Sir, I think we are somewhere in the
neighborhood of 8,000. Now, that is not addressing our overseas
operations, which are being done individually by our
professional regional security officers.
Chairman Gilman. So what percentage of people who should be
brought in have already been brought into your briefing
session?
Mr. Rychak. On the latest exercise since the Secretary's
directive, I would say we are probably at about 30 or 40
percent with the goal of completing this by the end of August
or first of September. In other words, 100 percent.
We are taking a roll and roster of everyone that receives
the briefings, and we will be able to identify anyone that has
not. It is again a firm directive of the Secretary that this be
done.
Chairman Gilman. Dr. Maybury and Mr. Brock, does the
Federal Government need a Federal chief information officer?
Mr. Brock. Yes. When the Clinger Cohen bill was first
introduced, it really established the framework for management
of information technology from the agencies. At that time we
testified that a national CIO was needed to in fact identify
both opportunities and challenges across government that needed
to be explored in a collegial manner, and we still support that
position.
Chairman Gilman. Have there been any steps undertaken to do
just that?
Mr. Brock. Yesterday I read an article that apparently both
Mr. Gore and Mr. Bush support a national CIO, and one of your
colleagues, Mr. Turner, has introduced legislation calling for
a national CIO.
Chairman Gilman. Mr. Burbano or Mr. Rychak, have you seen
any progress made with regard to that proposal?
Mr. Burbano. Other than what Mr. Brock just mentioned, no,
but I would like to say that my personal opinion is I agree
that one needs to be done, and I think one model could be right
across the river here.
In the State of Virginia, the Governor has created, you
know, a Secretary of Technology to look both within the state
government, but also outside for IT management. That is one
model you might want to take a look at.
Mr. Maybury. If I could suggest one other model would be a
cross agency CIO would be the intelligence community CIO, Mr.
John Dahms' office.
Chairman Gilman. Dr. Maybury points out that the success of
instituting a collaborative system requires clear objectives
that can drive change. Mr. Burbano, has the interagency working
group identified such objectives?
Mr. Burbano. At the high level, as Mr. Brock mentioned. We
are getting down to the detail level, but for right now it is
at the high level. Those were submitted in the written
testimony both for the IT common platform and the knowledge
management system. Some other detailed documents have been
delivered to GAO and the Committee.
Chairman Gilman. Dr. Maybury says one of the values of a
collaborative environment is it can reduce the number of
forward deployed personnel. That is, jobs can be done back
home.
Mr. Burbano, are you examining that kind of a prospect, and
do you think that technology will in fact allow for fewer
personnel to have to be stationed overseas, and would those
jobs be mostly administrative?
Mr. Burbano. The answer to the first part I would say is
that the right sizing committee is the committee that is
actually examining that. That is the right sizing committee.
My committee, the IT, will support that effort, but, you
know, will not be, you know, making the recommendations or the
decisions on actually, you know, reducing or shifting staff.
That is the right sizing committee.
Yes, IT will support the right sizing efforts fully and
can, but there are other issues other than technology when you
are trying to make decisions. Right sizing does not
automatically mean reduction of staff. It means shifting to,
you know, proper support where you need that staff.
Chairman Gilman. Dr. Maybury, the Committee is concerned
about the risks involved in developing an overseas common
information technology platform and whether State Department is
positioned to lead that kind of a project.
In your view, what can our Committee do to effectively
oversee that kind of a project as it enters development and
requires additional funding?
Mr. Maybury. Well, I think, Mr. Chairman, regular oversight
expectations have explicit objectives. I know in my testimony
that the organization that does this needs to have a set of key
characteristics that include excellence in acquisition, systems
engineering experience, technical expertise in not only
security, but in collaboration, knowledge management, cleared
staff, especially if we are talking about secure and unsecure
systems, domain knowledge of overseas activities, perhaps
personnel overseas.
That is another risk is do you have the IT talent or the
infrastructure overseas, and do you have a strong contractor
base or contractor oversight. I think having explicit plans,
these blueprints or these maps we talked about before, these
architectures, at various levels of detail and monitoring those
activities, monitoring the investments and looking for actual
outcomes, looking for specific measurable impact, business
outcomes, of the investments.
Chairman Gilman. Have you had an opportunity to discuss
those proposals with Mrs. Cohen, Assistant Secretary for
Management?
Mr. Maybury. No, sir, I have not.
Chairman Gilman. I hope you might take advantage of trying
to do just that so that she would have the benefit of your
thinking.
One last question before I call on Mr. Sherman. Mr.
Burbano, several U.S. Government agencies with global
operations are seeking funding for separate communications
systems. Different agencies want their own system.
What are we doing to persuade those agencies that a single
connected system designed on an interagency basis is probably
much more preferable?
Mr. Burbano. What we are doing is with the OPAP I think
that gets down to the heart of this because those agencies are
represented on the various OPAP committees. Also with the CIO
Council we have an interoperability committee that works with
the various CIOs of the various agencies, and then you have the
IC, intelligence community, as was just stated earlier by Dr.
Maybury, and I also sit on that, on the executive committee for
the intelligence CIO committee, so we are all sitting in each
others' committees and so we are well aware of all the things
that are going on.
I think OPAP is bringing to the forefront because the
President's mandate and OMB and also the congressional
leadership of wanting to implement OPAP that for the first time
we actually have more than just, you know, intentions, but we
actually have a mandate to implement these government wide
systems.
These are the same agencies that you are talking about, and
there is a lot of collaboration going on, and I think it is
beginning to take an effect. As we stated, first we are working
on the unclassified first in the first 18 months, and then
after that we work on the classified systems.
Chairman Gilman. Well, we hope you can convince all of
these competing agencies to work together. I think it is
extremely important.
Mr. Sherman.
Mr. Sherman. Thank you, Mr. Chairman.
I think we are all concerned with security of our
information. Some recent problems experienced by another
Federal department have highlighted that recently. I want to
commend the Chairman for holding these hearings, which I think
focus on information security, but I think others will ask
questions about our national security information, and I want
to focus my questions on the visa process.
This is a process that has flabbergasted me because I did
not think that governments could be this inefficient, and it
takes really bad computers and bad management to achieve some
of the problems that we have experienced in this area, and yet
my hope is that the information technology system as it gets
better will begin to solve some of those problems.
One of the many areas of problems are difficulties in
communicating via computer between the INS and the State
Department. Have those been worked out?
Mr. Burbano. I think we have worked some of them out,
especially during the Y2K rollover. We had to make sure the
systems, you know, communicated. There are other issues, and,
you know, those--Consular Affairs, CA. You know, if you got to
particulars I guess we could address them with Consular
Affairs.
Mr. Sherman. Well, I mean, first the Y2K thing. There are a
number of countries in the world that thought the whole Y2K
thing was a crock, invested nothing and tried to solve it and
did just fine.
We in Congress provided billions to try to improve our
computer systems and deal with Y2K. I am glad the sky did not
fall, but we paid an awful lot of money to keep the sky from
falling, and it did not fall elsewhere.
As to particular problems, when I hear from my district
that a fiance visa is taking 2 years in some places and 2 days
in other places and that the State Department will not
reallocate resources to be fair to Americans, one who decides
to marry a Filipino and another who decides to marry an
English woman, that is bad management.
When I am told that we do not have any records on whether a
particular visa officer by visa officer as to their success
rate--which visa officers are rejecting 30, 40, 50 percent of
the requests? Which visa officers are seeing overstays or
violations of U.S. immigration laws in 5 or 10 or 15 percent of
the visas they grant?
The problem with information technology is that you would
provide accountability and require good judgment or spotlight
bad judgment. When I have suggested various actions that would
privatize these decisions by allowing people to get bail bonds,
you know, we have the same--virtually an analogous issue on
whether somebody will overstay in the United States and
whether somebody will overstay their period of freedom before
their trial.
In the private area, in the domestic area, we have turned
to bail bondsmen who privatize that decision and put their
money where their mouth is. We refuse to do that in the State
area because total capricious power unaccountable through any
technology system seems to be the goal.
I have been told that this continues only because it does
not affect American citizens. Once the DMV in California was
about 10 percent as bad, and the whole state demanded that it
get better. It never reached these levels.
What information technology do we have with regard to how
long it takes from application to grant in visa matters in the
various consulates and embassies around the world? Do we have
that information?
Mr. Burbano. No, but I can get it for you because that is
in the Consular Affairs Office, in that bureau, and they have
that.
Mr. Sherman. Have you spent much time looking at their
information system?
Mr. Burbano. I would not say a tremendous amount of time
because I have been dealing with the security and all these
other elements, and they----
Mr. Sherman. I cannot tell you that it is more important
than national security, but----
Mr. Burbano. Right.
Mr. Sherman [continuing]. If you have some time, that is
where you ought to deploy it because it is a bad system, and
all the questions I have asked have come back, and just basic
questions we ought to have.
No accountability by person. The accountability works two
ways. What I am worried about is that every visa officer will
strangle our tourism industry if they feel oh, we will be held
accountable for how many overstays. We ought to hold visa
officers accountable for under grants and for excessive
rejections, but we cannot because we do not have a system that
will tell us.
I do not know if you have anybody on the panel who is
familiar with these issues. I see people shaking their heads.
Chairman Gilman. We do not have people here from Consular
Affairs. Do you have anything, Wayne?
Mr. Rychak. No.
Mr. Sherman. It surprises me to have a hearing on
information technology, to have a distinguished panel of four
and a back up group of several more and not to have anybody
familiar with information technology in this area, but that
shows that this is kind of a stepchild.
We recently did receive a report. It was produced at my
request. We have not been able to review it thoroughly, but it
provides averages that I know are false because I have talked
to people out in the field. When I complained that it took 2
years to unify an American family I was told gee, that is
standard. That is kind of what we do here in the Philippines.
Then I get a report that says the average is 20 days, 30 days.
I know it is not accurate.
I realize none of you have come prepared to talk about
these subjects. I hope that we would develop a visa system and
perhaps, Mr. Burbano, you could let me know whether we are on
the way----
Mr. Burbano. Yes. I would be happy to get back to you.
Mr. Sherman [continuing]. That would keep track of how long things last,
if things are lasting too long why, whether there have been
congressional inquiries and how those have been resolved.
I mean, I am dealing with a part of the State Department
where I have been told that congressional involvement is
detested and will also result in intentional delays, so this is
an area where we need a good information system and appreciate
your attention to it.
Mr. Burbano. Yes. We will get back to you.
Chairman Gilman. Thank you.
Mr. Sherman. Thank you, Mr. Chairman.
Chairman Gilman. Gentlemen? Dr. Cooksey? Gentlemen, I am
going to have to go to another meeting, and I am going to ask
Dr. Cooksey if he would lead further discussion in our
subcommittee.
I want to thank our panelists for your excellent testimony.
You have given us a great deal of food for thought of what we
arguably should be doing in our oversight capacity and even
suggested some legislation that we will take a good, hard look
at.
We wish you continued success in what you are doing. Thank
you very much.
Mr. Cooksey [presiding]. Thank you, Mr. Chairman.
It is great to be here. It is great to be here with people
of your educational background. There are too many politicians
in this city, and there are not enough scientists and computer
experts.
I do not have but about 35 questions. We should be through
by 5 or 6 o'clock. Dr. is it Maybury?
Mr. Maybury. Yes, sir.
Mr. Cooksey. Yes. We have been together in a committee, and
I forget which one. You have a Ph.D. in artificial intelligence
I understand. Is that correct?
Mr. Maybury. Yes, sir.
Mr. Cooksey. What do you think about Kaku's book, Visions?
Have you seen the book? He is a theoretical physics professor
in New York.
Mr. Maybury. I have not seen the book, sir.
Mr. Cooksey. It is really a good book, but he says we have
a ways to go in artificial intelligence and robots, but it is
fascinating some of the things that he proposes.
Mr. Maybury. I would agree with that statement.
Mr. Cooksey. Yes. He is very well documented. He talks
about who is doing the good research and who is doing the other
research.
Along those lines, what do you think about change in the
biometric system? I am a physician. I am an ophthalmologist.
Change the password system from whatever you use now to a
biometric system; for example, retinal patterns?
Mr. Maybury. In fact, actually I referred in my oral
testimony that there are a couple of technologies like
fingerprint detection, like biometrics that, of course, can
enhance security specifically for authentication. One could
think even if you wanted to go so far as DNA testing to
determine that you actually had the individual that you knew
was accessing the system.
I think authentication is an important area. I think that--
I am not a biometric expert, but certainly those technologies
have been used in secure facilities to control access.
Mr. Cooksey. And they work?
Mr. Maybury. Unfortunately, I cannot speak specifically to
the performance. Obviously there are both probably precision
and recall measures, technical measures, in terms of their
performance. Perhaps others can.
Mr. Rychak. Sir, I can address part of that.
Mr. Cooksey. Yes?
Mr. Rychak. There is a tremendous amount of research that
is going on in the whole biomedical/biometric area. I think
what you will find throughout the government and throughout the
private sector is that no one countermeasure by itself is
adequate, but used in combination and layered with other things
you do--you can end up with a high level of security.
We have a pilot program, for example, in the State
Department right now of looking at combining biometrics with
SMART card technology--you are probably familiar with SMART
card and its capability--and combining those two to allow
access into highly restricted areas to include highly
restricted information systems.
We really think that that probably is the future here, as
opposed to simply relying on a password that obviously can be
easily duplicated or in some cases found out about, you know.
Mr. Cooksey. The passwords that we have used since the
1970's.
I helped a company in Boston design electronic medical
records from ophthalmology. We have updated a lot of my
technology, but still some of the passwords are old. It is very
old technology.
Yes, Mr. Burbano?
Mr. Burbano. Yes. I wanted to add a comment. I agree. I
think the biometrics systems are excellent, but it is a
question of funding. That is the problem, you know. These
systems are----
Mr. Cooksey. Do you mean Congress will not give you enough
money?
Mr. Burbano. Well, that, but more importantly, the system,
wherever the money comes from. What I am saying is it is very
expensive compared to the password, so it is always a question
of funding, to be honest with you. I mean, I think there are
good systems, but you have to have the money to do them.
As Mr. Rychak said, you know, we look at other
alternatives. SMART card, you know, does not have the--
necessarily. Somebody else could pick up the SMART card, PIN
number or whatever, but you cannot pick up your eye, but it is
a lot cheaper than that system, so it is a question of funding.
Mr. Maybury. If I could say something? It is also obviously
a question of technology. We at MITRE Corporation and many
other companies have for years been using SMART cards with PINs
to control and to authenticate users.
In the future we can expect, among other things, for
example, video cameras to be built into laptops, for example,
so the opportunity to do facial ID, which is another area,
also, potentially retinal scans cheaply is something that
certainly, I cannot predict or give you a year, but it is
certainly going to be cheaper in the future than it is
presently.
Mr. Cooksey. Kaku says that computer chips will cost
between 1 and 5 cents apiece. He says they will be in the
drapes, and----
Mr. Maybury. Right.
Mr. Cooksey [continuing]. They will be able to sense
weather changes, body temperature changes.
Mr. Maybury. They will be built into your clothing.
Mr. Cooksey. Clothing. Right.
Mr. Maybury. Sure.
Mr. Cooksey. He also said that they will use DNA instead of
computer chips. That is a fascinating concept to think about.
There is research being done on that.
Mr. Maybury. Yes. In fact, we have some research on micro
electronics. DARPA has a large program and specifically atomic
level storage devices, computing devices and the like, so that
is actually----
Mr. Cooksey. That is an ongoing research.
Mr. Maybury [continuing]. A new wave of computing
technology.
Mr. Cooksey. Well, it is exciting to think about, and that
is the reason, that when you design an information system you
have to think about the future and be able to move to it.
Mr. Burbano, you had indicated in your testimony that your
systems are protected with intrusion detection systems, that
you will know if someone has intruded into the State Department
system.
Now, Mr. Brock said in his testimony that the State
Department's automated intrusion detection system does not
cover all of the domestic and overseas posts. Who is right?
Mr. Rychak, you get to referee.
Mr. Burbano. Actually, he is the one.
Mr. Rychak. I probably can answer it.
Mr. Burbano. Yes. He should answer it. I just wanted to
make an initial statement and then I will turn it over, and
that is that we are in the midst of implementing it so, I mean,
he is right. We are not finished implementing it.
Mr. Cooksey. Because your testimony basically--you
contradicted each other.
Mr. Burbano. No. I do not think so. It is a matter of
implementation.
Mr. Cooksey. You are not finished.
Mr. Burbano. I will let Mr. Rychak give you the status of
that.
Mr. Rychak. Yes. We started the intrusion network program
in December of this past year. Our goal is to have it completed
by the second quarter of next fiscal year. Essentially what it
encompasses is installing hardware/software on every system at
every embassy around the world to include our domestic
facilities.
As we speak, we have it in place at about 60 locations. The
majority of our domestic sensitive but unclassified systems
have coverage. Our financial centers overseas have coverage.
The majority of our posts in South America have coverage, and
we are systematically going through it in terms of the
implementation.
We do have a 24 hour by 7 monitoring operation that is
fully in place, but, as Fernando says, we are not there yet. We
are aggressively implementing this, but given the scope of what
we are trying to do it just takes time to do it right.
Mr. Burbano. Also the funding.
Mr. Rychak. And the funding, although the funding for the
first----
Mr. Cooksey. Another appropriations matter.
Mr. Rychak. Well, that is a good point because the funding
for the first phase is covered. In other words, we have enough
funding to continue the installation of the systems on our
unclassified but sensitive systems.
The second phase is to put identical protection for our
classified systems. That is important. It has not been as
critical in terms of our priority because the State
Department's classified systems were not as interconnected as
our unclassified systems. Frankly, we benefited from the fact
that we had and continue to have a fair amount of antiquated
technology out there.
The unclassified systems were becoming increasingly
vulnerable as we got into internet and as we became much more
interconnected, so that became our first priority.
Mr. Cooksey. Mr. Brock.
Mr. Brock. One of the issues that has come up at other
agencies where we have looked at automated intrusion protection
programs is, first of all, this technology is fairly new. It is
not very mature, and lots of advances are being made.
You get an incredible amount of information. In some
organizations it has literally overwhelmed the organization's
capability to do the analysis, and as a result we have gone
into some agencies where they made a good faith attempt
initially to handle the information coming in, but then
ultimately it began to stack up and pile up in back rooms and
was not looked at, so a tool that is turned on but not used is
pretty useless.
I think a challenge that the State Department has in
rolling this out is to make a decision or series of decisions
on what kind of information they really want and how are they
going to do the analysis because it is fairly people oriented.
Even though the tools are automated, a lot of the analysis is
not and does require trained personnel.
Mr. Cooksey. Needless to say, that is a potential problem.
Of course, you get into the issue of one big system that serves
all needs. The IRS did not do very well. I think they spent $3
billion or $4 billion and gave up. I think CSC has a contract
now to do the IRS' work.
Mr. Brock. Yes.
Mr. Cooksey. Another question. I understand that the
State--this is for you, Mr. Burbano. Does the State Department
use a bulk e-mail system whereby the e-mails are held up until
enough are collected, and then they are sent in bulk to reduce
cost?
Mr. Burbano. To reduce cost?
Mr. Cooksey. Do you do bulk mailing of e-mail? If I sent an
e-mail or let's say you sent an e-mail from Foggy Bottom to
Bangkok and then there are ten other people on your staff that
send e-mails there, are they all sent at one time in bulk, or
are they sent--do they each go individually?
Mr. Burbano. My understanding is that they go as they go.
They have to go through Washington for the most part, but, I
mean, they do not get bulked or anything.
Wayne, do you have anything to add to that?
Mr. Rychak. Yes. I am sorry. I cannot. I do not know.
Mr. Burbano. I can look into it, but, I mean, the e-mail
does not sit there. In fact, we have made a lot of improvements
in our e-mail system in the last 6 months not only for
security, but for speed-wise where we have actually improved
response time tremendously as a result of getting rid of a lot
of the overhead that these e-mail systems have by implementing
X.500, that type of technologies, directory type systems.
Mr. Cooksey. Well, today I would like to ask everyone who
is not here representing the PRC or Russia to stay and have all
the rest of you leave, but I am afraid we still would not know
who was here.
I just assume. Every time I come to one of these meetings,
I assume that there is someone here from some of our potential
adversaries that I hope will become allies, but, you know, that
is part of the intelligence game. They are here, and we have a
democracy.
Hopefully those countries will move to--until we have this
perfect world where we trust all of our former adversaries and
they trust us, intelligence is going to be necessary. We are
going to spy on them, and they will spy on us.
I just think it is absolutely mandatory that you maintain
your diligence in having security in the information systems
because people's lives are at stake, and there are people's
lives probably that have already been lost or compromised just
because of some less than perfect security measures in this
country.
You can look at what has been going on in New Mexico. I
think it is really terrible that that has happened. I am still
a clinical professor, and I got the feeling that there was an
attitude of these professors that were involved, that were
running that laboratory, that they were above having to go
through all the security measures, and that is part of the
reason things were lax.
I think that there was some reason to believe that there
was some active information gathering by some of our
adversaries, and yet we have to be diligent to make sure that
we have good countermeasures and make sure that they do not get
information.
I appreciate your coming. I think there are some real
professionals over at the State Department. I do not always
agree with the political decisions that are made there. The
biggest problem we have in this city is you have too many
career politicians that instead of voting first what is best
for the Nation and then their state and then their district,
they do what is best for their political career.
I feel that the people that are permanent in the State
Department do not make those decisions, and I think some of the
worst mistakes that have been made in Republican
administrations, and probably they are getting ready to gavel
me down. I am getting out of line. And in Democratic
administrations is because people do not have their priorities
right, and it causes problems.
I think that one of the most disgraceful things going on
right now is what is going on in Africa. This Administration
and this Congress have been so Euro-centered and so centered on
the Middle East. They have just totally ignored the fact that a
million people were killed in Rwanda and Burundi and Ethiopia
and Eritrea and Sierra Leone.
It is cowardice on the part of the executive branch and
callousness on the part of the legislative branch, which is my
party that is in control, and the net result is that a lot of
people have lost their lives that did not need to lose their
lives.
I hope you have courage of your convictions and continue to
function in a very professional manner. It will be better for
the nation, and what is better for our nation will be better
for the world.
Thank you.
[Whereupon, at 12:06 p.m. the Committee was adjourned.]
=======================================================================
A P P E N D I X
June 22, 2000
=======================================================================
[GRAPHIC] [TIFF OMITTED] T8288.001 through T8288.089