[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]

COMPUTER SECURITY REPORT CARD
=======================================================================

HEARING
before the
SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, INFORMATION, AND TECHNOLOGY
of the
COMMITTEE ON GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 11, 2000
__________
Serial No. 106-260
__________
Printed for the use of the Committee on Government Reform

Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform

U.S. GOVERNMENT PRINTING OFFICE
74-495 WASHINGTON : 2001
_______________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: (202) 512-1800  Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON GOVERNMENT REFORM

DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York
CONSTANCE A. MORELLA, Maryland
CHRISTOPHER SHAYS, Connecticut
ILEANA ROS-LEHTINEN, Florida
JOHN M. McHUGH, New York
STEPHEN HORN, California
JOHN L. MICA, Florida
THOMAS M. DAVIS, Virginia
DAVID M. McINTOSH, Indiana
MARK E. SOUDER, Indiana
JOE SCARBOROUGH, Florida
STEVEN C. LaTOURETTE, Ohio
MARSHALL ``MARK'' SANFORD, South Carolina
BOB BARR, Georgia
DAN MILLER, Florida
ASA HUTCHINSON, Arkansas
LEE TERRY, Nebraska
JUDY BIGGERT, Illinois
GREG WALDEN, Oregon
DOUG OSE, California
PAUL RYAN, Wisconsin
HELEN CHENOWETH-HAGE, Idaho
DAVID VITTER, Louisiana

HENRY A. WAXMAN, California
TOM LANTOS, California
ROBERT E. WISE, Jr., West Virginia
MAJOR R. OWENS, New York
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
PATSY T. MINK, Hawaii
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, Washington, DC
CHAKA FATTAH, Pennsylvania
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
ROD R. BLAGOJEVICH, Illinois
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
JIM TURNER, Texas
THOMAS H. ALLEN, Maine
HAROLD E. FORD, Jr., Tennessee
JANICE D. SCHAKOWSKY, Illinois
------
BERNARD SANDERS, Vermont (Independent)

Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
James C. Wilson, Chief Counsel
Robert A. Briggs, Clerk
Phil Schiliro, Minority Staff Director
------

Subcommittee on Government Management, Information, and Technology

STEPHEN HORN, California, Chairman
JUDY BIGGERT, Illinois
THOMAS M. DAVIS, Virginia
GREG WALDEN, Oregon
DOUG OSE, California
PAUL RYAN, Wisconsin

JIM TURNER, Texas
PAUL E. KANJORSKI, Pennsylvania
MAJOR R. OWENS, New York
PATSY T. MINK, Hawaii
CAROLYN B. MALONEY, New York

Ex Officio
DAN BURTON, Indiana
HENRY A. WAXMAN, California

J. Russell George, Staff Director and Chief Counsel
Ben Ritt, Professional Staff Member
Bryan Sisk, Clerk
Trey Henderson, Minority Counsel

C O N T E N T S
----------

Hearing held on September 11, 2000

Statement of:
  Dyer, John R., Chief Information Officer, Social Security Administration
  Gilligan, John, Chief Information Officer, Department of Energy, cochair, security, privacy and critical infrastructure committee, Chief Information Officers Council
  Hobbs, Ira L., Deputy Chief Information Officer, Department of Agriculture
  Hugler, Edward, Deputy Assistant Secretary for Administration and Management, Department of Labor
  Singleton, Solveig, director of information studies for the CATO Institute
  Spotila, John T., Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget
  Tanner, Mark A., Information Resources Manager, Federal Bureau of Investigation, Department of Justice
  White, Daryl W., Chief Information Officer, Department of the Interior
  Willemssen, Joel, Director, Accounting and Information Management Division, U.S. General Accounting Office, accompanied by Robert Dayce, Director for Computer Security Issues, General Accounting Office

Letters, statements, etc., submitted for the record by:
  Dyer, John R., Chief Information Officer, Social Security Administration, prepared statement of
  Gilligan, John, Chief Information Officer, Department of Energy, cochair, security, privacy and critical infrastructure committee, Chief Information Officers Council, prepared statement of
  Hobbs, Ira L., Deputy Chief Information Officer, Department of Agriculture, prepared statement of
  Horn, Hon. Stephen, a Representative in Congress from the State of California:
    Letter dated July 27, 2000
    Prepared statement of
  Hugler, Edward, Deputy Assistant Secretary for Administration and Management, Department of Labor, prepared statement of
  Singleton, Solveig, director of information studies for the CATO Institute, prepared statement of
  Spotila, John T., Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget, prepared statement of
  Tanner, Mark A., Information Resources Manager, Federal Bureau of Investigation, Department of Justice, prepared statement of
  Turner, Hon. Jim, a Representative in Congress from the State of Texas, prepared statement of
  White, Daryl W., Chief Information Officer, Department of the Interior, prepared statement of
  Willemssen, Joel, Director, Accounting and Information Management Division, U.S. General Accounting Office, prepared statement of

COMPUTER SECURITY REPORT CARD
----------

MONDAY, SEPTEMBER 11, 2000

House of Representatives,
Subcommittee on Government Management, Information, and Technology,
Committee on Government Reform,
Washington, DC.

The subcommittee met, pursuant to notice, at 10 a.m., in room 2154, Rayburn House Office Building, Hon. Stephen Horn (chairman of the subcommittee) presiding.

Present: Representatives Horn and Turner.

Staff present: J. Russell George, staff director and chief counsel; Randy Kaplan, counsel; Ben Ritt, professional staff member; Bonnie Heald, director of communications; Bryan Sisk, clerk; Elizabeth Seong, staff assistant; George Fraser, intern; Michelle Ash and Trey Henderson, minority counsels; and Jean Gosa, minority assistant clerk.

Mr. Horn. The quorum being present, this hearing of the Subcommittee on Government Management, Information, and Technology will come to order. We're here today to discuss one of the Federal Government's most important and ongoing challenges, the security of government computers.

Computers and the Internet are revolutionizing the way we do business, conduct research and communicate with friends and associates. The benefits are enormous as vast amounts of information flow instantly from business to business and individual to individual, but widespread access to computers and the Internet also carries the significant risk that personal, financial or business information can fall into the hands of computer hackers or others with more malicious intent.

Similarly, as the Federal Government becomes increasingly dependent on computers and the Internet, the computer systems and the sensitivity of information they contain come under an increasing number of attacks. Unlike the year 2000 or Y2K computer challenge, this threat has no deadline.
Rather it is a day-to-day challenge created by an increasingly sophisticated technology. In order to guarantee the integrity of the Federal programs and to protect the personal privacy of all Americans, government leaders must focus their attention on the security of their vital computer systems.

Today the subcommittee is releasing its first report card on the status of the computer security at executive branch departments and agencies. These grades are based on self-reported evaluation of agency information, in addition to the results of audits conducted by the General Accounting Office and the various agency inspectors general. This is the first time such governmentwide information has ever been compiled.

As you can see, only two agencies have made progress toward protecting their computers against invasion. Although auditors found some significant weaknesses at the Social Security Administration and National Science Foundation, both agencies received Bs, the highest grade awarded. But the rest of the picture is very dismal. Overall the government earned an average grade of D minus.

More than one-quarter of the 24 major Federal agencies received a failing F: the Department of Labor, charged with maintaining vital employment statistics, an F; the Department of the Interior, which manages the Nation's public lands, an F; the Department of Health and Human Services that holds personal information on every citizen who receives Medicare, another F; Agriculture and Justice, the Small Business Administration, the Office of Personnel Management, the personnel office for the entire executive branch of the Federal Government, all Fs. Six other vital agencies nearly failed.
The Department of Defense, whose computers carry some of the Nation's most sensitive secrets, earned only a D plus for its computer security program; Veterans Affairs and Treasury, along with the Environmental Protection Agency, General Services Administration and National Aeronautics and Space Administration, more Ds.

Four other government agencies received grades of incomplete. These vital agencies oversee key elements of the Nation's infrastructure and emergency services. They are the Departments of Energy and Transportation, the Nuclear Regulatory Commission and the Federal Emergency Management Agency [FEMA]. These agencies could not receive a grade because there have been insufficient auditor resources and scrutiny to validate the agencies' self-evaluations.

Obviously there is a great deal of work ahead. Regardless of grade, each agency must recognize that the daily challenges to their computer systems will continue to grow in number and sophistication. They must take the necessary steps to mitigate those threats. There is no room for complacency, for the stakes are simply too high.

We have with us today witnesses representing six of the agencies that were graded. They will discuss their agency's progress and plans to develop acceptable computer security procedures. Mr. John Gilligan from the Department of Energy will also testify on behalf of the Chief Information Officers Council. In addition, we have the Honorable John Spotila from the Office of Management and Budget, which is charged with overseeing the agencies' computer security efforts; and Mr. Joel Willemssen from the General Accounting Office, which works for the legislative branch, headed by the Comptroller General of the United States. And I want to thank Comptroller General Walker and the staff for their excellent help in regard to the grades and everything else. I take the responsibility for the grades, but they sat for hours with us on making sure that we've been fair.
We have the ability, the government has the ability, to protect the integrity of the vital computer systems. As I look back, this is sort of where we were on Y2K in April 1996. There are a lot of Fs, a lot of Ds, but the executive branch came through on midnight January 1 where it counted, and I am confident that the executive branch will do the same thing this time.

We welcome all of our witnesses, and we look forward to their testimony. I now yield to the ranking member for an opening statement, the gentleman from Texas, Mr. Turner.

[The prepared statement of Hon. Stephen Horn follows:]

[GRAPHICS T4495.001 through T4495.020 (TIFF) omitted.]

Mr. Turner. Thank you, Mr. Chairman. As we all understand, our Federal agencies rely on computers and electronic data to perform functions that are essential to our national welfare and directly affect the lives of millions of Americans. This technology greatly benefits Federal operations through the speed and accessibility it provides, but it also creates vulnerability to attack. Individuals, organizations and virtually anyone today with a computer and a modem has the potential to interrupt and to eavesdrop on government operations around the world. Many experts are predicting that future wars will be in the form of cyberattacks and fought out over a computer grid rather than a battlefield.
I want to commend the chairman for his interest and his work on this important issue. Computer security is without a doubt one of the most critical and difficult technical challenges facing our government. Like Y2K, this subcommittee has an important oversight role in holding our Federal agencies accountable for implementing computer security efforts, and while I commend the chairman's efforts to reduce the task to a simple report card grade, I also realize that improving computer security is a very complicated, timely and costly process.

Additionally, I do understand that the subjective format of our grading system could in some cases unfairly portray the significant efforts an agency has made to take corrective actions. I realize that some agency computer systems are critical to national security, while others may not be. I also realize that this Congress has an obligation to provide adequate funding to agencies so that they might meet the requirement that we have imposed on them.

While I want to commend the agencies that are moving forward, it is clear that the Federal Government has a long way to go before an effective, comprehensive Federal computer security system is in place. It is my hope that as a result of these hearings, we will be closer to achieving our mutual goal. We want to make sure that the Federal managers have the tools and the funds in place to be accountable for the protection of agency infrastructures.

Again, I thank the chairman for calling this hearing. I appreciate the good work that the committee and the staff have done, and I look forward to hearing from each of our witnesses. Thank you, Mr. Chairman.

[The prepared statement of Hon. Jim Turner follows:]

[GRAPHICS T4495.021 and T4495.022 (TIFF) omitted.]

Mr. Horn. Well, we thank you, and I agree with you. We need to be talking to the authorizers and the appropriators to make sure that what is needed will be there.
So I imagine the next round we should have some improvement.

We will now start with the witnesses, and along the agenda the Honorable John Spotila is the Administrator, Office of Information and Regulatory Affairs, Office of Management and Budget, part of the President's Executive Office of the President, and he is speaking on behalf of OMB today. So, Mr. Spotila.

STATEMENT OF JOHN T. SPOTILA, ADMINISTRATOR, OFFICE OF INFORMATION AND REGULATORY AFFAIRS, OFFICE OF MANAGEMENT AND BUDGET

Mr. Spotila. Good morning, Mr. Chairman and members of the committee. Thank you for inviting me here to discuss OMB's efforts in the vital area of computer security.

OMB policies build on a statutory framework requiring that Federal agencies adopt a set of risk-based management controls for all Federal computer systems. The agencies must periodically review their security controls to ensure continued effectiveness. In an effort to identify strengths and weaknesses in agency security programs, OMB sought updated information from the agencies in June 1999 on their risk management processes.

We are now focusing on the security posture of 43 high-impact government programs where good security is particularly important. These programs include Medicare, Medicaid, the air traffic control system, Social Security and Student Aid. In late May of this year, we asked the agencies to send us specific information regarding the management, operational and technical controls in place for each application or general support system sustaining these programs.

Our preliminary findings are illuminating. We have made significant progress, but can still do better. Agencies are working to integrate security into their capital planning and investment control processes. We have made this a high priority. Many agencies have completed a security review of their systems and have updated their security plans within the last 2 years.
Many agencies develop and share their security plans with their partner organizations and other agencies. This promotes a comprehensive understanding of the interconnections prevalent in a shared risk environment. Due to their extensive Y2K work, most agencies have tested their continuity of operations plans within the last 2 years. Most agencies have provided users and system administrators with IT security training within the last year. Most agencies update their virus detection and elimination software on an ongoing basis and have successfully implemented processes to confirm the testing and installation of software patches in a timely manner. Nearly all agencies have documented incident handling procedures and have a formal incident response capability in place.

More agencies need to install firewalls at external entry points to exclude unauthorized users and within their networks to ensure that authorized users do not exceed authorization. Agencies can better protect the confidentiality of sensitive material through increased use of encryption for password files and personal information. Agencies should improve their intrusion detection capabilities and procedures. This should include increased involvement of agency privacy officers and legal counsel in reviewing the monitoring activities. More agencies should ensure that agency managers specifically authorize the processing of each new or updated system before actual operations begin. More agencies should have independent review of their security plans. We are working with the agencies on all of these areas.

The President, his chief of staff and the Director of OMB have all taken a personal interest in enhancing security for our interconnected systems. This has gone a long way to establish senior management support at the agencies.
In February, OMB issued important guidance to the agencies on incorporating security and privacy requirements in each of their fiscal year 2002 information technology budget submissions.

A well-known computer security expert, Robert Courtney, once said, ``Good security is the ultimate non-event.'' In that phrase, he summarized the difficulty of measuring effective security. We face a significant challenge. We must devise a method to assess security for the whole of government, its thousands of vastly diverse systems and millions of desktop computers. No other organization faces demands in this area that are as broad as those the government confronts.

Since last fall, OMB has worked with the CIO Council, NIST, GAO and the agencies to develop security performance measures against which agencies can assess their security programs. As you know, CIO Council and NIST representatives have met with your staff to discuss this effort. We have made great progress in a relatively short period of time, but, not surprisingly, there is more to be done. Even the private sector is struggling with this challenge.

Mr. Chairman, clearly you are focused on the need to assess agency security programs. While we appreciate your serious interest in security and your belief that grades will help the agencies improve their performance, we do have some concerns with this approach. We look forward to working closely with you to develop better ways of measuring progress in this area. We learned much from our collegial efforts with the committee, GAO and the agencies in developing good Y2K measurements. Ideally, we should work together to develop a similar workable set of measurements for assessing agency security programs. Measuring agency security effectiveness is at least as complex as the Y2K measurement effort.
We must assess programs and implementation at three different levels: the relatively uniform agency management or executive level; the expansive mix of individual programs where agency business operations take place; and at each of the thousands of government information systems that support actual agency program operations.

Cursory measurements can be misleading. A well-documented security program without the periodic evaluation of control effectiveness can give a false sense of security. A weak central organization can obscure highly effective component, program or system-level security. We must take a comprehensive approach to evaluating security if we are to generate meaningful results.

Our assessment approach begins with the premise that all agency programs and systems must include a continuing cycle of risk management, appropriate methods to evaluate and measure performance, and the ability to anticipate or quickly react to changes in the risk environment. We are putting great emphasis on agency self-assessment. This fall all agencies will use a NIST-prepared questionnaire that focuses on overall agency programs as well as on specific management, operational and technical controls applied to each system or group of systems. Assessing the effectiveness of the program and the individual controls, not simply their existence, is vital to achieving and maintaining adequate security. The NIST questionnaire will help agencies identify whether the program and controls are properly documented, implemented and continuously tested and reviewed. We can then determine a security level for an individual system, an agency or component, or an aggregated form, an entire agency.

Self-assessments improve security. They are less costly and can be performed more frequently than compliance inspections and audits. They can be performed by system users, thereby helping to promote buy-in and greater compliance. They promote openness and cooperation among all participants.
They can also give us good information on a timely basis.

In seeking to measure security effectiveness, we should not equate it to our Y2K experience. While Y2K was a complex management challenge, it was a relatively straightforward technical one, and we could measure progress toward a known event. Security challenges, on the other hand, are unpredictable, ongoing, ever-changing and multidimensional. Security threats often arise from malicious parties who probe for vulnerabilities and risks. These threats can strike at the confidentiality of our information, the integrity of our systems and data, and our ability to ensure that information in systems will be ready for use when needed. These threats are ever-changing and our approach to security must be equally dynamic.

While a general progress report at an agency level can be valuable when used in the proper context, it is but a snapshot taken at a point in time. It may or may not even be a clear picture. Because a security program comprises physical, personnel, technical and other controls, accurately assessing a program is an extremely complex undertaking. In our view, the differences between the two call for different responses. Just as we must resist the simplicity of a one-size-fits-all security program for the wide variety of agency systems, we must also avoid a one-size-fits-all approach to measuring successes and shortfalls.

If we are to improve the government's approach to information security, we need to work together. We very much appreciate the committee's interest in this important area and look forward to continuing our close cooperation with you. We value our partnership with you and hope that this hearing will mark a further strengthening of our joint efforts on behalf of the American people. Thank you.

Mr. Horn. We thank you. And in courtesy to the executive branch, we let you go beyond the 5-minute rule.

Mr. Spotila. Thank you.

[The prepared statement of Mr. Spotila follows:]

[GRAPHICS T4495.023 through T4495.036 (TIFF) omitted.]

Mr. Horn. I will say for all the other witnesses after Mr. Willemssen, who speaks for the General Accounting Office of the legislative branch, that we would like you to summarize, and we will bring the gavel down every 5 minutes now or we're not going to be out of here, and we want to be out of here by roughly 11:45. I know a number of you have commitments.

What I would like to put in the record at this point for the hearing record--and tell me if there's anything else that ought to go into it, or some of these are classified, just to redact them, as the saying goes--Presidential Directive 63; OMB-A130, the Budget Director Mr. Lew's guidance, to agencies; the appendix 3 and associated NIST--what was once the Bureau of Standards and Security--guidance. And I would like these simply as appendices to your testimony, and if there's a problem, work it out with staff.

Mr. Spotila. That's fine.
[The information referred to follows:]

[GRAPHICS T4495.037 through T4495.085 (TIFF) omitted.]

Mr. Horn. So we will now move to have the oath since I didn't begin it that way. If you will all stand.

[Witnesses sworn.]

Mr. Horn. The clerk will note all the witnesses affirmed.
And we now go to the agent of the Comptroller General of the United States, which is Joel Willemssen, Director, Accounting and Information Management Division, U.S. General Accounting Office. Mr. Willemssen.

STATEMENT OF JOEL WILLEMSSEN, DIRECTOR, ACCOUNTING AND INFORMATION MANAGEMENT DIVISION, U.S. GENERAL ACCOUNTING OFFICE, ACCOMPANIED BY ROBERT DAYCE, DIRECTOR FOR COMPUTER SECURITY ISSUES, GENERAL ACCOUNTING OFFICE

Mr. Willemssen. Thank you, Mr. Chairman, Ranking Member Turner. Thank you for inviting us to testify today. Accompanying me is Robert Dayce, GAO's Director for Computer Security Issues, and as requested I'll briefly summarize our statement.

Overall GAO and inspector general reviews done over the past year continue to show that Federal agencies have serious and widespread computer security weaknesses. Our analysis of recently issued GAO and inspector general reports revealed significant weaknesses at each of the 24 major Federal agencies. As displayed on the board, these weaknesses were reported in all six major areas of general computer security controls.

For example, in the area of security program management, weaknesses were identified at 21 agencies. Security program management is fundamental to the appropriate selection and effectiveness of the other categories of controls shown on the board. This area covers a range of activities related to understanding risks, selecting and implementing controls appropriate with risk levels, and ensuring the controls, once implemented, continue to operate effectively.

Another critical area where weaknesses have been found at each of the 24 agencies is access controls. Weak controls over access to sensitive data and systems make it possible for a person to inappropriately modify, destroy or disclose data or computer programs. For the other highlighted areas of security controls, we've also found significant weaknesses at most of the agencies in which audit work has been done.
I think it's noteworthy to point out that since our last analysis of issued reports in 1998, the scope of audit work performed has expanded to more fully cover all six major control areas at each agency. Not surprisingly, this has led to the identification of additional areas of weakness. However, this does not necessarily mean that security is getting worse, although it is clear that serious pervasive weaknesses persist.

These serious weaknesses present substantial risk to Federal operations, assets and confidentiality. Because virtually all Federal operations are supported by automated systems and electronic data, the risks are very high, and the breadth of the potential impact is very wide. The risks cover areas as diverse as taxpayer records, law enforcement, national defense, and a wide range of benefit programs.

While a number of factors have contributed to weak Federal information security, I want to emphasize that we believe the key underlying problem is ineffective security program management. With that in mind, we have issued two executive guides that discuss practices that leading organizations have employed to strengthen the effectiveness of their security programs.

In conclusion, the expanded body of audit evidence that has become available shows that important operations at every major Federal agency continue to be at risk as a result of weak controls. Reducing these risks will require agencies to implement fundamental improvements in managing computer security. Thank you, Mr. Chairman, and I would be pleased to address any questions that you may have.

Mr. Horn. Well, thank you very much. We will have the questions after all the witnesses have made their presentation.

[The prepared statement of Mr. Willemssen follows:]

[GRAPHICS T4495.086 through T4495.104 (TIFF) omitted.]

Mr. Horn. The next witness is John Gilligan, the Chief Information Officer for the Department of Energy, the cochair for Security, Privacy and Critical Infrastructure Committee of the Chief Information Officers Council. I will give you another minute besides the 5 because you're speaking for the Chief Information Officers Council. Mr. Gilligan, you've prepared a very thorough statement, but we can't obviously get over 25 pages into the record at this point, but it is in the record, but not having been spoken. So if Mr. Gilligan will proceed.

STATEMENT OF JOHN GILLIGAN, CHIEF INFORMATION OFFICER, DEPARTMENT OF ENERGY, COCHAIR, SECURITY, PRIVACY AND CRITICAL INFRASTRUCTURE COMMITTEE, CHIEF INFORMATION OFFICERS COUNCIL

Mr. Gilligan. Thank you, Chairman Horn and Ranking Member Turner. I want to thank you for the opportunity to appear before this subcommittee to address the very important issue of improving security of our Federal information systems. My remarks today will focus on my perspectives as cochair of the CIO Council's Security, Privacy and Critical Infrastructure Committee.

Federal CIOs share the concerns that have been expressed by Members of Congress, senior members in the administration, and the public, that we need to improve the security of our government information systems.
Federal CIOs take their responsibility to oversee agency efforts in cybersecurity very seriously. We share the frustration of members of this committee that progress in securing government systems has not been more rapid. Let me assure you that Federal CIOs are not asleep at the wheel. Rather, they are laboring hard to get a handle on one of the Nation's most complex technological and management problems.

Perhaps it is useful to put the difficulty of cybersecurity into perspective. I recall an exchange I had with a military four-star general a few years ago. We were discussing his frustration with the slow progress on an information technology project. This very successful commander with hundreds of thousands of troops under his command was clearly exasperated. He commented to me after we had discussed the project status, ``John, after all, this is not rocket science.'' As I later examined his comment, it became clear that he was right. The problem could not correctly be compared to rocket science where we have literally hundreds of years of experience, including a well-defined set of engineering principles. Due to the rapid pace of evolution of information technology, we are typically faced with applying information technology solutions that have been in existence for months or, at best, a few years. I submit that the situation is acute for cybersecurity. It is not rocket science. No, many aspects of cybersecurity are indeed much more difficult than rocket science.

When I addressed this committee in March of this year, I stated that the single biggest challenge that I saw for CIOs in cybersecurity was making line management aware that cybersecurity is not just a complex technological issue. At the core, cybersecurity is also a complex risk management issue. Another challenge that I see facing CIOs is helping line management answer the question, ``what is adequate security?'' Security experts tell us that no system is impenetrable if network access is provided.
However, the collective inexperience of government and industry in applying security to a range of functions including public Web sites, financial data bases, procurement-sensitive data, citizen benefits and corporate-sensitive or government-sensitive research, makes this a hard problem.

The primary focus of the CIO Council efforts in this area has been to help Federal organizations address the question of what is adequate security. The CIO Council has sponsored a Web-based repository for sharing best practices. This repository can be found at http://bsp.cio.gov. We have developed sample security policies for use by agencies in intrusion reporting and procuring security projects. We have worked to improve governmentwide processes for reporting security incidents and distributing warnings in a rapid fashion. An ongoing effort is to develop a set of benchmark security practices for electronic services. The Council has also sponsored a number of training and education forums addressing privacy and critical infrastructure protection. The CIO Council is also leading efforts to establish a governmentwide encryption infrastructure using public key technology called a public key infrastructure [PKI].

An additional CIO Council effort that is particularly relevant to today's hearing is the development of an Information Technology Security Assessment Framework. This effort was initiated about 10 months ago to provide a tool to help guide security efforts within Federal agencies. This framework has been developed largely with the leadership of the National Institute of Standards and Technology and built upon existing policy and guidance from the Office of Management and Budget, the General Accounting Office, and the National Institute of Standards and Technology. The framework provides a road map for Federal organizations to guide them in focusing and prioritizing their efforts to improve security.
For each of five levels in the framework, a set of activities is defined that should be undertaken to assure a sound and effective security program. The framework reinforces the importance of a solid foundation for an organization's security program and is based on sound policy, clearly defined management responsibility, and organizationwide coverage. The CIO Council has completed a final draft of version one of the Information Technology Security Assessment Framework and hopes to publish this version in October. Following the example of similar efforts by Carnegie Mellon University to develop security frameworks for software and other disciplines, we plan to continue to refine the framework over the upcoming months. With advice and input from GAO, we have started working on enhancements to the framework that would permit organizations to better assess the effectiveness of the security programs that have been documented and implemented.

The final area that I would like to address is the need for stronger funding support from Congress for a small set of cross-government security initiatives that serve as the foundation for governmentwide improvements in cybersecurity. The cochairs of the Security, Privacy and Critical Committee of the CIO Council recently sent a letter to all Members of Congress that highlighted our concern in this area. The letter points out that while there is almost $2 billion identified in the administration's fiscal year 2001 budget request for cybersecurity-related items, only a very small portion of this request totaling less than $50 million is requested for these essential governmentwide foundation programs. The efforts of this group include the Federal Computer Incident Response Capability [FEDCIRC], which is managed by GSA and provides alerts and warnings of virus attacks to all Federal agencies.
It has become clear to the CIO Council that these necessary foundation efforts to improve cybersecurity governmentwide are being hampered by a patchwork of funding and oversight structures in both the executive and legislative branches. We cannot hope to achieve robust governmentwide security without these programs. We urge the respective congressional committees who have jurisdiction over these efforts not to view them as politically driven projects, but as essential elements of a governmentwide foundation for cybersecurity. Moreover, we believe that a $50 million investment for these efforts is a very small investment in view of the great leverage that these efforts will provide. I would like to enter into the record a copy of the letter entitled ``Essential Programs for Ensuring Security of the Federal Cyber Infrastructure.''

Mr. Horn. Without objection, it will be in the record at this point in your testimony.

Mr. Gilligan. It is clear to Federal CIOs that the lack of a single integrated budget for cybersecurity items--these foundation cybersecurity items--keeps these efforts from getting the proper attention that they deserve and makes progress and governmentwide efforts more difficult. In similar fashion, the efforts of the CIO Council Security Committee and other CIO Council committees continue to be hampered by lack of effective methods to fund these cross-government initiatives that we undertake. The synergistic benefit and opportunity for savings across the government are enormous. However, due to the use of pass-the-hat funding approaches for the CIO Council, for example, funding for the best security practices efforts that was mentioned earlier had to be limited to $200,000 and was received 9 months into the fiscal year. We will not be able to continue to operate and expand this site or undertake other projects with operational demands without an adequate level of funding.
I would suggest that this committee, working with the administration, should examine ways to provide better methods to fund and manage cross-government initiatives in the information technology area. As a taxpayer, I am dismayed by the difficulty of funding these efforts which have the ability to yield tremendous efficiencies. It is an area where our executive and legislative branches are truly failing, unable to leverage the potential of information technology. In my written testimony, I've included descriptions of efforts within the Department of Energy to improve the security of our many security systems. In summary, let me again express my appreciation for the opportunity to share my views on the important subject and encourage the committee to continue to support the CIO Council-sponsored efforts, especially the Information Technology Security Assessment Framework. While our joint challenge to improve cybersecurity may be more difficult than building rockets, chief information officers are committed to rapidly improving the protection afforded to information systems managed by the Federal Government. This concludes my remarks. Thank you.

[The prepared statement of Mr. Gilligan follows:]

Mr. Horn.
Well, thank you very much. And I would hope that when there is some budget negotiations going on toward the end, that the President's list will include this, and we hope that the Speaker will include it. The next witness is John R. Dyer, the Chief Information Officer for the Social Security Administration. Mr. Dyer.

STATEMENT OF JOHN R. DYER, CHIEF INFORMATION OFFICER, SOCIAL SECURITY ADMINISTRATION

Mr. Dyer. Good morning, Mr. Chair, Mr. Turner. Thank you very much for inviting us to testify. We, too, as this committee, consider security to be an actual vital concern, particularly in this day as we move more into the systems world. At the onset let me emphasize that the Social Security Administration has always taken the responsibility to protect the privacy of personal information in agency files very seriously. The Social Security Board's first regulation published in 1937 dealt with the confidentiality of SSA records. For 65 years SSA has honored its commitment to the American people to maintain the confidentiality of the records in our possession. We understand in order to address privacy concerns, we need a strong computer security program in place. Today I would like to discuss where we are with computer security, what improvements we're making.

SSA approaches computer security on an entitywide basis. By doing so we address all aspects of the SSA enterprise. Overall the Chief Information Officer, who reports directly to the Commissioner and Deputy Commissioner, is responsible for information system security. In my role as CIO, I assure that our security initiatives are enterprisewide in scope. At the Deputy Commissioner level, Social Security's Chief Financial Officer assures that all new systems have the required financial controls to maintain sound stewardship over the moneys entrusted to our care. We have also placed our system security policy function with this Deputy Commissioner.
In order to meet the challenges of data security in today's highly technological environment, this agency has adopted an enterprisewide approach to system security, financial information, data integrity and prevention of fraud, waste and abuse. We have full-time staff devoted to system security stationed throughout the agency, in all regions and in the central office. We have established centers for security and integrity in each Social Security region. They provide day-to-day oversight control over our computer software. In addition, we have a Deputy Commissioner-level Office of Systems which supports the operating system, develops new software and the related controls, and, in general, assures that Social Security is taking advantage of the latest in effective systems technology.

SSA has been certifying its sensitive systems since the original OMB requirement was published in 1991. Our process requires Deputy Commissioners responsible for those systems to accredit them. SSA's planning and certification activity is now in full compliance with NIST 800-18 guidance. SSA sensitive systems include all programmatic systems needed to support programs administered by the agency as well as critical personnel functions. They also include the network and the system used to monitor Social Security's data center operations. As an independent agency we have our own inspector general who can focus his efforts on the agency needs and concerns. The IG is also very active working with other Federal, State and local law enforcement agencies to assure all avenues for investigation and prosecution are being pursued, especially for systems security-related issues. In summary, we have in place the right authorities, the right personnel, the right software controls to prevent penetration of our systems and to address systems security issues as they surface. As I mentioned, SSA has maintained an information security program for many years.
Key components, such as deploying new security technology, integrating security into the business process, and performing self-assessment of our security infrastructure, to name a few, describe the goals and objectives that will touch every SSA employee. Of particular importance this year are the activities related to the Presidential Decision Directive PDD-63 on cyberterrorism and infrastructure protection and continuity of operations. We have recently completed an evaluation of all critical SSA assets. I am pleased to note that SSA was one of the first agencies to do so. Originally, SSA was not a tier I agency, but given the importance of our ongoing monthly payments, we were elevated to this level by the Critical Infrastructure Assurance Office. As part of this effort we have completed an inventory of all critical assets and implemented an incident response process for computer incidents. We have also revised our physical security plans to assure our facilities are properly secured.

An independent auditor, Pricewaterhouse Coopers, has evaluated our security program over the last 4 years working with the IG. They have given us many recommendations to strengthen our security program, and we have implemented 77 percent of their recommendations. We are addressing the remainder at this time. Most of the ones that will take us to finish up over the next fiscal year are facility-related, and that's what takes a little bit of time. In addition, we have ongoing site reviews, corrective actions, and we also have another independent contractor, Deloitte and Touche, reviewing our systems and overall management. In the contingency area this year, we actually tested all of our sites at one time, which was an area of recommendation that Pricewaterhouse Coopers had recommended for us. And so we believe that when we get the next report from PwC, it will indicate that we have made substantial progress.
In terms of the new increasing technology, and as we're moving toward Internet, we are putting in place all the latest security features from firewalls to filters to head off specific attacks. So I would like to say in conclusion, Mr. Chairman, the Social Security Administration has a longstanding tradition of assuring the public that their personal records are secure. Both the Commissioner and the Deputy Commissioner give system security their highest priority. We all recognize this is not a one-time task to be accomplished, but rather it's an ongoing mission that we can never lose sight of. We know we cannot rest on past practice. We must be vigilant every way we can to assure that these records remain secure and that the public confidence in Social Security is maintained. I want to thank the committee for the opportunity to testify at this hearing, and I will be glad to answer any questions you might have.

Mr. Horn. Thank you very much, Mr. Dyer.

[The prepared statement of Mr. Dyer follows:]

Mr. Horn. As usual, Social Security is at the top of the heap even though it's a B. So we're used to you getting As under the Y2K situation, and we look forward to you keeping ahead of the pack, shall we say. Thank you very much for coming. Thanks to your colleagues that led to a B grade. We now go to Daryl W. White, the Chief Information Officer of the Department of the Interior, who has presented us with quite a full platter of documentation. We appreciate that. It's all in the record, and now you have 5 minutes to summarize it.

STATEMENT OF DARYL W. WHITE, CHIEF INFORMATION OFFICER, DEPARTMENT OF THE INTERIOR

Mr. White.
Good morning, Mr. Chairman and Mr. Turner. Thank you for the opportunity to appear before you today to discuss the status of computer security at the Department of the Interior. The Department of the Interior appreciates being afforded the opportunity to complete the recent computer security questionnaire. We are pleased to report that we are making substantive progress to improve our computer security posture. The Department of the Interior recognizes that computer security is of agencywide importance and is actively working to implement a well-structured program to protect our information assets. It is anticipated that the vast majority of issues identified in the questionnaire will be adequately addressed through implementations of our program. Let me summarize the steps that Interior has taken over the past 14 months to improve our computer security posture. During 1999, Interior performed extensive work in Y2K readiness for mission-critical systems and major data centers. As a result of Y2K preparation, policies and guidance for contingency planning and physical security were issued and several implemented. In September 1999, we acquired limited funding for contractor services to perform automated vulnerability scanning of our most critical systems. Based on the results of the scanning, remediation was performed where needed. January 2000, Interior accomplished priority filling of the Department Information Technology Security Manager position with a well-qualified and experienced individual. We were fortunate to have obtained Steve Schmidt from the State Department's Bureau of Diplomatic Security. Mr. Schmidt has brought a wealth of experience and practical knowledge to Interior. It is through his leadership and direction that we have seen a revitalizing of the Department IT Security Working Group. Also in January 2000, $175,000 was allocated for computer security program development. 
Funding was obtained through an internal competitive process whereby senior Department managers clearly chose computer security as a high priority issue in competition with other equally important issues. This funding was obligated to obtain contractor computer security services in program development and limited as-needed vulnerability scanning. February 2000, Interior was successful in including in the fiscal year 2001 President's budget request $175,000 for electronic data security. The House and Senate omitted this funding from their versions of the fiscal year 2001 appropriations bill. Interior continues to clarify the urgent need for the funding to the Appropriations Committee. In May 2000, the Departmental Information Technology Security Manager issued the Interior Information Technology Security Plan, fully specifying the National Institute of Standards and Technology [NIST], published generally accepted principles and practices for securing Federal computer systems. This plan provides the basis for ensuring a computer security program that meets or exceeds the minimum Federal requirements as required by public laws, Federal regulations and executive branch directions. July 2000, the Department issued agencywide budget guidance that further supported Office of Management and Budget instructions on incorporating computer security funding in all information technology projects. This guidance advised that computer security spending should average 5 percent of the total budget for information technology spending and placed a high priority on increasing resources for security. August 2000, a contract was awarded by the General Services Administration under the SafeGuard program to Science Applications International Corp. to provide computer security program development services to the Department. This is significant to our approach to computer security, and I wish to elaborate further. 
One of the primary means to improve IT security across the Department of the Interior is to establish proven structured and self-documenting methodologies for working through the security life-cycle process. I am pleased to report that realizing this goal has begun through the award of the mentioned contract. The associated statement of work divides the task into two phases. The first phase tasks will provide Interior with the technical and administrative assistance to put in place proven structured methodologies for information technology security development. The second phase will produce minimum requirements for risk mitigation in the form of policies for agencywide information technology security issues. From here we will develop technology and product-specific implementation guides. Dependent upon the availability of resources, we will then implement operating capabilities. In August 2000, an additional $240,000 was obtained for computer security program development. This funding will be used to accomplish the development and implementation of selected security practices. In closing, it must be noted that our ability to completely implement an adequate computer security program is strongly dependent upon the availability of necessary resources. This concludes my statement. I will be happy to respond to any questions that you or any members of the committee may have.

Mr. Horn. Well, we thank you very much, Mr. White.

[The prepared statement of Mr.
White follows:]

Mr. Horn. Our next presentation is from Edward Hugler, the Deputy Assistant Secretary for Administration and Management, Department of Labor.

STATEMENT OF EDWARD HUGLER, DEPUTY ASSISTANT SECRETARY FOR ADMINISTRATION AND MANAGEMENT, DEPARTMENT OF LABOR

Mr. Hugler. Thank you, Mr. Chairman and Ranking Member Turner. I will be brief, as you requested. We share your view that computer security is a high priority, a priority that the Department of Labor takes very seriously at the highest levels. Quite frankly, I am disappointed at the grade we received today, and in some small measure dismayed by it. Following a successful transition or the century date change, we have directed significant attention to enhancing our security program and strengthening our security perimeter to defend against its attack. While this surely is an ongoing and very complex task, I am pleased to report that we have made solid progress to date and are continuing to improve our ability to defend against cyber attacks. As we began the fiscal year, we had a number of security-related issues identified by our Office of the Inspector General in their audit of our financial statement.
The issues encompassed work to be done in six areas of Department-wide security program planning and management structure. The good news is, because computer security is a high priority, we had already identified areas that needed attention and had plans under way for corrective action. This proactive posture was acknowledged by the OIG in their audit findings. At this stage we have resolved all of the audit report issues at the departmental level and are working toward closing out the remaining issues with specific agency systems. In addition to dealing with immediate day-to-day issues, such as continued attempts to gain unauthorized access to our systems and responding to malicious codes such as the I Love You virus, we have invested substantial effort in planning ahead.

Led by the Department's Chief Information Officer, our strategy in this undertaking has been twofold: First, align our information technology investments with legislative mandates and other direction; and second, bring a departmental focus to our information technology investments where a unified approach and economies of scale are advantageous. Information technology approaches that are common across the Department, such as the implementation of a common architecture and needed improvements in the infrastructure, lend themselves to a common cross-cutting strategy. The use of a common strategy then enables us to effectively leverage the use of individuals' expertise and other scarce resources for the good of all at the Department of Labor. Utilizing this approach for fiscal year 2001, the Department identified three cross-cutting areas for investment, one of which is computer security. The computer security cross-cut represents approximately 18 percent of the Department's information technology cross-cutting investment portfolio for fiscal year 2001.
It includes plans to ensure that the information security policies, procedures and practices of the Department are adequate, as well as reflect the first step toward implementing a multiyear plan for protecting our critical infrastructure. Notably this will be a separate budget activity, and the funds will be administered by the Department's Chief Information Officer to ensure an organized, disciplined approach to implementing a stronger security program. Mr. Chairman, our plans for next year should not, however, overshadow what we've accomplished this year, 2000. I would like to submit a brief highlight of those accomplishments for the record, if I may.

Mr. Horn. Without objection, it will be in the record at this point.

Mr. Hugler. Thank you, Mr. Chairman. Mr. Chairman, we concur with the need to assess the overall state of the Federal Government's computer security environment, and we welcome the opportunity to work with you and the subcommittee to devise an instrument that will provide the flexibility necessary to accurately assess agencies' progress. We also recognize that work remains to be done at the Department of Labor to further improve our computer security. I share with you your confidence that we will come through as we did with the year 2000 challenge. I am confident as well that we have sound plans for making these improvements and the skill on hand to do so. However, the key to our success, as has been mentioned by other witnesses at the table this morning, will be making the necessary funding available. Thank you, Mr. Chairman. I appreciate the opportunity to be here, and I will be happy to take your questions.

Mr. Horn. Well, thank you very much.

[The prepared statement of Mr. Hugler follows:]

Mr. Horn. And our next presenter is Ira L. Hobbs, the Deputy Chief Information Officer for the Department of Agriculture. Mr. Hobbs.

STATEMENT OF IRA L.
HOBBS, DEPUTY CHIEF INFORMATION OFFICER, DEPARTMENT OF AGRICULTURE

Mr. Hobbs. Thank you, Mr. Chairman. Good morning, Mr. Chairman and Ranking Member Turner. I am pleased to appear before the committee this morning to update you on the status of the computer security program of the U.S. Department of Agriculture. With your permission, I will make a few brief comments and submit my written testimony for the record. USDA's programs touch the lives of every American every day. We manage a diverse portfolio of over 200 Federal programs throughout the Nation and the world at a cost of about $60 billion annually. The information we manage, which includes Federal payroll data, market-sensitive data, geographical data, information on food stamps and food safety, proprietary research data, is among USDA's greatest assets. The Department is committed to protecting its information assets as well as the privacy of its customers and its employees.

Audit reports conducted by both USDA's own Office of the Inspector General and the General Accounting Office have identified significant weaknesses in our overall computer security program, which we are working hard to correct. As an example, the Department is acquiring and installing necessary equipment to upgrade security at our highest priority Internet access points, and we are strengthening our intrusion detection capabilities. We are working diligently to correct all of the deficiencies that have been identified by the reports and hope to be able to give you a much more expanded impact in terms of the changes that we have made. Reports such as those cited above, as well as internal security reviews mandated by the Secretary of Agriculture in July 1999, made it clear that the Department requires an overall coordinated and corporate approach to cybersecurity if it is to succeed. The USDA agencies include some security funding in their respective budgets.
Departmental funding is critical to ensuring the creation of a standard security infrastructure, and departmental leadership is required to ensure that we have a comprehensive set of policies and guidelines. The Secretary's security review also resulted in a multiyear action plan to strengthen USDA's information security, which addresses program organization, staffing needs, policy and program operations, and security and telecommunications technical infrastructure. When fully enacted our plan will align USDA security practices with those of leading organizations. Our recent focus primarily has been upon building upon the competency and skill of our security staff. We are extremely fortunate working with the Secretary to establish the first Associate Chief Information Officer for Cybersecurity at the Department of Agriculture and able to select a senior level executive, Mr. William Hadesty, formerly with the Internal Revenue Service, as our first CIO for Cybersecurity. With the recent addition of Mr. Hadesty, we have already started to implement the priority actions in our action plan. The Congress provided a $500,000 budget increase for the Office of the Chief Information Officer for security in fiscal year 2000. With these funds and existing resources, we are assembling a well-qualified staff of security experts to lead the Department's efforts. Since joining with us in February 2000, the Associate CIO for Cybersecurity has carefully analyzed and made adjustments to our ongoing program. In addition, our most critical information resources, including the National Information Technology Center in Kansas City and the National Finance Center in New Orleans, have been or are now undergoing critical review. We recognize, though, that we still have a long way to go. The Office of the Chief Information Officer's fiscal year 2001 budget request included an increase in funding for cybersecurity of approximately $6.5 million. 
If enacted as requested, our security budget will provide the resources to complete the development of a USDA risk management program, continue to expand our cybersecurity office, increase our capacity to conduct onsite reviews, and provide training and hands-on assistance to augment the skills of our agency's security staff. Additionally our project plans call for a major effort in 2001 to further define requirements for a security architecture and begin its redesign and implementation. In fiscal year 2002, we will continue to develop and implement our USDA-wide computer security program. The information survivability program and the sensitive systems certification program we plan to establish will complete USDA's computer security umbrella. Mr. Chairman, we believe that fulfillment of our cybersecurity action plan will position the Department to comply with Federal computer security guidelines and best management practices. The reality is, though, that until our computer security program is fully funded, we will remain much too vulnerable. I appreciate the opportunity to speak to the committee. I look forward to being able to answer any questions you may have.

Mr. Horn. Thank you very much, Mr. Hobbs.

[The prepared statement of Mr. Hobbs follows:]

Mr. Horn. Our next presenter is Mark A. Tanner, Information Resources Manager, Federal Bureau of Investigation, Department of Justice. Mr. Tanner.

STATEMENT OF MARK A. TANNER, INFORMATION RESOURCES MANAGER, FEDERAL BUREAU OF INVESTIGATION, DEPARTMENT OF JUSTICE

Mr. Tanner. Good morning, Mr. Chairman, Mr. Turner and other members of the audience. I thank you for inviting us here to discuss computer security at the FBI.
The FBI shares your conviction that computer security is a vital concern. That concern is manifested in a variety of levels: First, the concern within the FBI as to how the FBI collects and handles sensitive personal information; the concern as a member of the U.S. intelligence community where there is a growing awareness and desire to achieve a collaborative sharing of intelligence information while at the same time securing highly sensitive and classified sources and techniques; the concern as a member of the law enforcement community often called upon to investigate, identify and apprehend those responsible for hacking into government systems and critical infrastructures of this Nation; and the concern as a Federal law enforcement agency called upon to investigate computer and computer-related crimes as diverse as a pedophile seeking to prey on a youngster, Internet fraud crimes which victimize all elements of our society, including persons and businesses, and those who would seek to enrich themselves by manipulating stock prices. The FBI's internal computer policies and practices present a somewhat unusual picture as far as Federal agencies are concerned. The FBI is, as I have stated, an agency charged with investigating many computer-related crimes and it is charged with the conduct of all counterintelligence activities in the United States. In addition, the FBI operates several systems on which State and local law enforcement agencies have come to rely as a necessity. As such, the FBI must operate both classified and unclassified systems, and many of those unclassified systems have strong requirements for the protection of personal data about American citizens as well as a need to maintain instant availability. 
In addition, the nature of some of these systems presents special requirements in that the data represents information gathered through a variety of methods, each requiring its own specialized method of handling and protecting the information. These methods include Federal grand jury subpoenas which are subject to the requirements of rule 6(e) of the Federal Rules of Criminal Procedure, material identified as Federal taxpayer information, and thus, subject to specialized handling and disclosure requirements, as well as many other specialized requirements. Of course, the specific requirements of classified information, such as that obtained as a result of title 50, the Foreign Intelligence Surveillance Act, activities or by other intelligence community agencies, must be respected. To accomplish these tasks, the FBI operates 35 general support systems and 12 major applications; 24 of the 35 general support systems are classified and 6 of the 12 major applications are classified. In other words, the FBI operates 30 national security systems. It should be noted that the vast majority of the FBI's classified systems are currently internal systems and thus do not have external connections to nonsecure or unclassified systems. The FBI's information systems security policy is codified in our Manual of Investigative Operations, section 35. A copy of this policy has previously been provided to this subcommittee. The policy is a compilation of requirements which are outlined in section 35-11 of this policy. In general, let me state that because of the variety of types of systems used by the FBI, our practice, where practical, involves using a hierarchical approach to any requirement from these sources based on the selective system's criticality and risks. This is to avoid any possible confusion as to whether or not a system should follow this or that set of rules and regulations. To choose any other course of action would be folly.
The FBI's policy is coordinated with the Information Systems Security Unit which is a part of our National Security Division. The security unit works closely with the Department of Justice entities which oversee classified and unclassified computer systems. In addition, they maintain a good working relationship with the national entities responsible for computer security policy, such as the NSTISSC and NIST and the Security Policy Board to ensure that the latest information is available. There are many challenges which face the FBI in today's computerized world. One of the biggest challenges involves the rapidly changing environment and the rapidly changing world in which we all live. New technologies are moving into the marketplace at a frenetic pace; old technologies are undergoing metamorphosis. Each of these new products presents particular problems and a careful and thoughtful analysis to ensure that the FBI continues to maintain a policy which recognizes the business needs of the computerized world and still providing meaningful security practice. The FBI is practicing a risk management approach in its certification and accreditation of all computer system security. As I previously noted, most systems are internal and not connected to nonsecure unclassified systems. This isolation provides some sense of comfort in that these systems are not connected to the outside and far less vulnerable to compromise and attack. In this manner, our approach has been to identify both systems which pose the largest risk in terms of their data and sensitivity of the data. These systems are approached before systems which play a lesser role in either their data or sensitivity. The FBI is currently engaged in a series of activities which will hopefully lead to the speedy completion of the certification and accreditations. Resources have been on loan from the Department of Justice as well as other intelligence community under the ICAP program.
The FBI has undertaken a--an effort to make system owners cognizant of system security requirements in their initial and life-cycle development of plans for systems, in that way ensuring that systems security is built into all systems and that the continuing costs are specifically identified as a separate line in each proposal. In conclusion, let me just reiterate that the FBI appreciates the interest of this subcommittee, indeed the interests of all parts of Congress in this area where we share your interests and concern. Our efforts will continue to ensure that all systems, including those of the FBI, meet the expectations of the American public to appropriately protect that information which must be protected. The FBI respects the trust placed in it by the American public and the Congress and will do the utmost to maintain that trust. Thank you.

[The prepared statement of Mr. Tanner follows:]

Mr. Horn. Well, thank you, Mr. Tanner. We appreciate very much what the FBI has done in tracking down a lot of these hackers, and some I believe are in Federal prison now. So we thank you for that effort, and I think you were very on top of the situation in the Philippines when that occurred. Our last presenter before questions is Solveig Singleton, Director of Information Studies for the CATO Institute. Am I correct to say the CATO Institute would be called a libertarian-based institute?

Ms. Singleton. Yes.

Mr. Horn. OK. Ms. Singleton, it's all yours for 5 minutes.

STATEMENT OF SOLVEIG SINGLETON, DIRECTOR OF INFORMATION STUDIES FOR THE CATO INSTITUTE

Ms. Singleton. Thank you, Mr. Chairman.
My testimony today is going to offer examples of some of the types of data bases maintained by Federal agencies and offer a big-picture perspective on the significance of any security problems within those data bases. With the power to command, powers of arrest, police, courts and armies, the government has powers that the private sector lacks. You can hang up on an annoying telemarketer but it's hard to hang up on the IRS. Recognizing that in the Constitution we have the fourth amendment which limits the means by which government may collect information and we also had the idea originally of a government of relatively limited powers, and inherently a government of more limited power has less need for hundreds and hundreds of data bases than a government of broader powers. Now, for better or for worse, we have drifted away from this concept of limited government, and there's a natural consequence. The amount of detailed information about private citizens in Federal files has grown by leaps and bounds. To underscore the importance of keeping this information secure, I will offer an overview of the types of information that are held by Federal agencies. Essentially, Federal agencies collect an enormous array of information. The Federal Government will inexorably record, obviously, your name, your address, your income, but also your race, details of how you spend your money, your employer, updated quarterly, whether you've asked for information from government agencies, student records, whether your banker thinks you've engaged in any suspicious activities like making an unusually large withdrawal or deposit, and finally, of course, a surprising number of agencies hold different types of medical records and not simply Health and Human Services. I am going to run down some of the departments that we looked at very quickly and offer a very small number of examples of the type of information that they hold. Let me start with the Commerce Department. 
One file maintained by this Department keeps individual and household statistical surveys which include individual's names, age, birth date, place of birth, sex, race, home business phone and address, family size and composition, patterns of product use, drug sensitivity data, medical, dental, and physical history and other information as they consider necessary. The Department of Education has the national student loan data system and, among other items, a registry of deaf-blind children nationwide. The Department of Energy maintains, among some very sensitive counterintelligence data bases, records of human radiation experiments. The Federal Bureau of Investigation, obviously, is home to the FBI central records system, alien address reports, witness security files and information on debt collection and parole records. The Department of Health and Human Services has massive quantities of medical record information, filling hundreds of data bases. Some of these data bases include the personal Medicaid data system and the national claims history billing and collection master records system. Next comes the Department of Housing and Urban Development. Now, this agency is perhaps best known among privacy advocates over the last few years, urging that residents of Federal housing agree to warrantless searches of their apartments in their lease agreements. This agency holds data such as single family research files, income certification evaluation data, and tenant eligibility verification files. The Department of Labor has a lot of data bases including a data base with information on applicant race and national origin, records from the workers' compensation system and records from the national longitudinal survey of youth, which is a longterm study of certain individuals as they grew up over the past few decades. 
Obviously the Social Security information collects information on lifetime earnings, as well as information related to insurance and health care and census data. What may be less well known is the extent to which they share and match information with Health and Human Services, the IRS, and other agencies. So, for example, one data base at the Social Security Administration is--matches Internal Revenue Service and Social Security Administration data with census survey data and records of Cuban and Indo-Chinese refugees. The Department of Treasury, last but not least, holds a financing data base which contains millions of reports of banking activities of privately named U.S. citizens. They have also got the national data base of new hires, which holds records of the income and employment of every working American, updated quarterly. Now, to sum up, I don't want to suggest that all this data is part of some kind of sinister plot and we should all go around wearing tinfoil hats on our head, nor do I want to denigrate the well-intentioned efforts that have been made to make many of these data bases more secure, but what I would like to point out is that the growth of these data bases makes security and the need for internal controls against unauthorized use by government employees a systemic problem rather than an occasional problem, and it generally--the growth of these data bases threatens to shift the balance of power between individuals and the Federal Government. So this really is a systemic issue and it will become more and more acute as we move away from a vision of limited government and want the government to be involved more and more in our day-to-day lives. Thank you.

[The prepared statement of Ms. Singleton follows:]

Mr. Horn. We thank you and now begin the questioning. What we'll do is alternate the questioning, 5 minutes for myself and 5 minutes for the ranking member and back and forth until we get the questions out of our system. I'm going to start with the Department of Agriculture. As I recall in your statement, Agriculture repelled 250 hacker attacks. Were any of these successful attacks, Mr. Hobbs, and if so what kind of damage was done?

Mr. Hobbs. In some instances, Mr. Chairman, the attacks were successful. They resulted in things like changes to Web pages. We report all of our intrusions. Some of them like changes to Web pages. We were able to identify where people had been able to access systems, but in no instance were there any major or significant damages done. In most instances we've taken the necessary steps to shut down what we consider to be backdoor ways that people were getting into the systems, and are trying to be more vigilant in our monitoring and tracking of those activities and those kinds of concerns.

Mr. Horn. On the Agriculture, you completed the security questionnaire and it states the Department doesn't really feel that the system accreditation is important. A lot of other agencies feel the system accreditation, where possible, is important. Why isn't accreditation that important to the Department of Agriculture?

Mr. Hobbs. I don't think that we said that it was not important. I believe that what we are doing is we have a prioritized program that we are working toward completion of, with systems accreditation being a part of that. So I don't think we said it was unimportant.
I think what we said is we have a prioritized effect--direction in terms of which we're trying to proceed, and that we're moving with deliberate speed in that sense of looking at all aspects and all phases of our security program.

Mr. Horn. Well let me ask Mr. Willemssen, on behalf of the General Accounting Office, as I understand, system accreditation is a formal management process to test and accept the adequacy of the system's security before putting it into operations. So how important is it to an agency's security computer programs that they're accredited; and could you explain that process and why most of the Departments are doing that where they can?

Mr. Willemssen. We believe system accreditation is especially critical, and it represents management's judgment that they have gone in, made an assessment of the risk of a particular system and the associated data; that given the risk associated with the system and data, appropriate controls have been put in place to fend off any attacks that may occur, and that management is therefore making a declaration that the appropriate controls are there to deflect or at least be aware of any such attacks that may happen. We think it's especially important. Most agencies agree. We do see at times differences in nomenclature. Some agencies may actually be doing something similar to accreditation but may call it something else.

Mr. Horn. Moving to the Department of Labor, Mr. Hugler, as I looked at the information, the computer security questionnaire indicated weaknesses in all six general control areas and the weaknesses were confirmed by the Inspector General's audit results. So I'm curious, what does the Department consider to be its most critical weaknesses?

Mr. Hugler. Well, Mr. Chairman, I think you're correct to state what the Inspector General found last year and they did find weaknesses in all six areas.
I think what's important to recognize is that we have now addressed all of those issues, and in fact the Inspector General's audit findings, as I recall, acknowledged that if we did two important things, one is put out the rules for the Department's computer security and put out the rules for the Department, in terms of systems development and life-cycle criterion rules, if we did those two things, that we would have addressed all six of the categories with which they found issues. We have done that and, more importantly I think, we have gone ahead aggressively with implementing those rules. And the example, I would cite to you, is our experience with the I-love-you virus. We have incident response procedures now in place at the Department. We had some 33,000 attacks from that virus. A small number of computers, 243 as I recall, were infected. I think the most--the best measure of our response, however, was the fact that we notified our employees of that virus and what to do with it 3 hours in advance of the official Federal notification. So I would commend your attention to that as an example of the kind of things we've been able to do over the last year. So really the OIG's findings from last year are just that, a year old, and we have improved dramatically since then.

Mr. Horn. And so you would say the corrective action for these has been completed?

Mr. Hugler. Yes, sir. At the Department level we have done that and I am very comfortable with that.

Mr. Horn. I now yield 5 minutes to the gentleman from Texas, Mr. Turner.

Mr. Turner. Thank you, Mr. Chairman. As I listen to each of you who come from your respective agencies, it causes me to come back to a comment Mr. Gilligan made about the importance of cross-government initiatives.
As many of you know, I have been an advocate of having a Federal CIO, a chief CIO for the Nation, someone who had the expertise, the competence, the leadership role, as well as the budgetary support necessary to be sure that we can have stronger cross-government initiatives in the area of information technology and certainly in the area of computer security. And I think I'd like to ask you, Mr. Gilligan, to expand upon your assessment of the need for these cross-government initiatives, and I would be interested in your insight on it, because not having nearly the expertise in the area that you do nor the experience in the area, I still am left, after hearing all this testimony, with the conviction that the area of information technology certainly provides the potential for the expenditure of vast sums of Federal dollars in a very inefficient way. And I would be interested in your comments on the idea of more emphasis on cross-governmental initiatives and what kind of leadership might be necessary to ensure that happens.

Mr. Gilligan. Mr. Turner, I'd be happy to comment. What I have found in my activities in the CIO Council is that the potential that you allude to for enormous sufficiencies as a result of cross-government IT efforts is there, but that potential is difficult to realize because our fundamental government structures in the executive branch and in the legislative branch tend to be stovepipe-oriented on particular agencies and particular missions, and in fact, what I have found is the most difficult efforts to get support for are cross-government initiatives. And relatively small sums of money that would have enormous benefits often fall through the cracks because there is no clear forum for advocacy. And individual committees, whether they be in the executive or the legislative branch, tend to be very narrowly focused on that portfolio to which they're assigned responsibility. In my testimony, I noted our best security practices effort.
This is an effort that is enormously compelling. The objective is to pull together best security practices from across the Federal Government, provide a Web repository where they can be accessed easily, and to share this wealth of experience that we have across the government. We have found that getting small sums, hundreds of thousands of dollars for this initiative, is very difficult, and it's not that the effort is not supported. It is supported. And when I talk to members in the administration and Members of Congress, it is supported. But the question is, ``who should pay for it and where should that funding come from?'' The Federal incident response capability, FedCIRC, which is our government's central point for disseminating information on viruses and patch updates, is funded through a set of committees. It is sponsored by Department of Defense, the FBI and GSA. We have found in the recent remarks that the report has not been strong, and again I don't think it's because the merits of this effort are not supported in general. It's that there is no central focus that helps bring this together and to help identify that these individual, relatively small dollar items in individual budgets, are in fact of far greater importance than their small dollars would indicate. And so I think as you suggest, this is an area where we desperately need to focus attention. I think not only in the security area will it help us improve security, but we can far better leverage the enormous resources that we do have in attacking a whole range of information technology issues.

Mr. Turner. Thank you. Mr. Spotila, I know you have worked in this area, and one of your duties at OMB is to try to be sure that we move toward the kind of things Mr. Gilligan is talking about. I know there is a Presidential directive that established two tiers of agencies.
It strikes me, and you might want to explain that a little bit, but it strikes me that it is certainly appropriate to acknowledge that the importance of computer security may vary from agency to agency, and that when we try to focus our resources, perhaps we should choose certain agencies over another. If we did that, we would expect to see different grades from the agencies because we would have made a choice regarding where to place the initial dollars to improve security. But describe for us a little bit that Presidential directive that established those first, those two tiers.

Mr. Spotila. Yes, Mr. Turner. First of all, let me just mention that OMB has been very supportive, as I've testified to the committee before, of these cross-cutting initiatives. We share Mr. Gilligan's belief that these are very important, that they would make a great deal of difference, and that they do need support. The President, in May 1998, put out a Presidential Decision Directive aimed at critical infrastructure protection. It was at that time that he designated Mr. Richard Clark as his adviser on counterterrorism. He's worked with the committee and has been very active. The Critical Infrastructure Assurance Office was then established. What we have tried to do in the administration is to prioritize in this area. I mentioned in my testimony that OMB's focus has been on the same 43 high-impact programs that we focused on during the Y2K effort. We have more than 26,000 systems in the government. If we're going to enhance our ability to serve the American people by promoting effective information security, we need to prioritize. We need to start with the areas that have the greatest impact, whether they be agency by agency, or, more accurately, within agencies, program by program, system by system.
The Critical Infrastructure Assurance Office has tried to zero in on those areas, those agencies, and those aspects within agencies that have the greatest importance and perhaps would be at risk the most. We've tried to work at OMB at focusing on the programs that we think have the greatest impact on the American people; as I'd mentioned, Medicare, Medicaid and the like. We think that we have to begin with the most important things. That's where we're going to have the most significant improvement and have the most significant benefit, which is not to say that we ignore all the other areas. We put out general guidance. We're working with the agencies. We're relying on the agencies to try to improve their efforts in this regard across the board. But in terms of White House attention, we're obviously starting with the things that matter the most.

Mr. Turner. Thank you.

Mr. Horn. Let me add to that the following. This is the last month of a fiscal year. This is the time Cabinet officers, deputy secretaries, assistant secretaries, all of them sit around and say, what can we do with the surplus we have in our budget? And having been in administration, I know exactly what they do, and this is the time, if they're serious about this, to reprogram some of that money into what everybody's saying, oh, we've got to have new money. That isn't the way we started with Y2K. We started when I urged a lot of the people to start reprogramming. When Dr. Raines came in as budget director, he said, You're absolutely right, and that's what I'm going to tell them. And he did, and that's how we got the job done. We also made sure Congress provided the money. But if they're serious in these various executive branch agencies, this is the time to get a few million here and there. And then besides that, let's just talk about a few simple steps such as policies requiring regular changing of passwords, safeguarding equipment, turning off computers. That doesn't cost a thing.
That just costs doing it, if any. And I guess I would ask, because energy has certainly been in the papers for the last 2 years on this, but I'd ask, is there in OMB the concern about policies to just get those basic areas done?

Mr. Spotila. Let me respond in a couple of respects. First of all, I agree with you, Mr. Chairman, that some agencies are going to have discretionary funds available this September. We would certainly hope that they would apply them to this area. I know that the various CIOs at this table and others around government are going to do all they can to try to impress that upon their agency heads. So I think that we do need to be serious; just as all of us need to be serious, the executive and the legislative branch, because this is a really important area. We have a lot of policy out there, even things that you mentioned about passwords, changing passwords and the like. The key is getting people to implement and follow the policy that may be out there. One of the things I emphasized in my testimony today and in my written testimony is that, in order to have effective security, it is essential that nonsecurity people buy in, that they participate, that they understand the significance and that they buy into it. Because we can have all the policies in the world and we can have all the centralized supervision in the world, but if that person at the desk doesn't follow it, it doesn't do any good. You know, we tell the story about having very complex passwords that people write on little yellow sticky notes and paste to their computer screen. You can't have effective security without cooperation at all levels, and it's a message that we're trying to impart throughout the government. I think it will be an ongoing challenge to continue to do that.

Mr. Horn. I thank you very much. Let me ask Mr. Dyer, who's got the B grade, the social security system, there is--apparently you're farther along than most other agencies now.
Do you have a best practices that others might implement and what are they?

Mr. Dyer. Mr. Chair, I think it's just like when we approached Y2K. Early on we saw it coming, and we institutionalized the process, the resources to deal with it. And we've done the same thing with security. It's part of our life cycle with our programs. Anytime we think about bringing up a new system, we look at the security aspects. Any modification to any system, we check the security all the way through and how it could roll over into other security systems. I pick up on what GAO said and what John Spotila said. The biggest challenge we're finding is managing it. You can have good procedures, policies, rules in place, but you constantly have to be working with your managers, your employees that they follow them, and that's where we've been putting a tremendous amount of our effort. We've had conferences across the country. We've set up centers so that we're able to make sure that we have people in place that are doing the dogging and checking it. We change passwords every month now. We found that it just didn't happen the way it should. So we have instituted it. We're going through. We found out that they change the passwords to something they could remember. We now have software to check to see if it's dates of birth or names of family members or whatnot so you can start to screen those things out. So, to me, it's a constant management challenge. You can do the systems, but you've got to be there, right there on top of it all the time.

Mr. Horn. In my 26 seconds remaining, Mr. Willemssen, anything you want to add to that as to what might be done that isn't being done?

Mr. Willemssen. One thing that I would add, Mr. Chairman--and it somewhat extending off of Mr. Spotila's comment--and that is, it's one thing for agencies to have the policies and procedures which I think in many cases they do. It's quite another to see whether the accompanying practices have actually been put in place.
That's been particularly the case when we and Inspectors General go out and we test whether these policies and procedures are actually being implemented. They often have not been. And that really is a key distinction, I think, often between what the agencies believe is going on and what may actually be happening, although I think clearly many of the agencies are on the road for improvement in that direction, also.

Mr. Horn. I now yield 5 minutes to the gentleman from Texas, Mr. Turner.

Mr. Turner. Thank you, Mr. Chairman. The designation of the Presidential directive--is it tier 1, tier 2, phase 1, phase 2, whatever it's called--I'm curious as to what kind of impact that has and how is that designation significant; and I'd like, Mr. Hugler, if you would, to comment on that because I know Department of Labor is a tier 2 designation.

Mr. Hugler. Yes, sir. Thank you, Mr. Turner. It is an important distinction, because it is important to recognize that some agencies handle more sensitive information and have more sensitive systems than others do. We certainly believe that our mission is important to American workers, but, frankly, we do not have critical information that directly implicates national security. So, as such, if we are going to prioritize funding and implementation priorities, I think it is appropriate for the Department of Labor to be a phase 2 agency or tier 2 agency. I think it's also important to note, though, that we take those responsibilities as a tier 2 agency as important and that we meet them and we are on target to meet all the milestones for which we are accountable.

Mr. Turner. Mr. Spotila, when you think about funding for these various agencies to be sure they move forward in the area of computer security, do you make budgetary recommendations based on this phase 1, phase 2 designation?

Mr. Spotila.
What we do in the first instance is to actually have the agencies themselves come to OMB with their own determinations as to what they'd like to accomplish and what they feel they need in the information security area. They do so within their overall budget submissions when they go through the OMB review process. With the guidance that OMB put out earlier this year, focusing on the next budget year, we've made it very clear that information security needs to be part of that agency initial analysis. It needs to be integrated within the entire area of information technology planning for budget purposes because we don't believe that doing it as an add-on is effective at all. Within the budget review process, obviously if an agency is a higher priority, if the need is greater, that will be recognized in the process. Very often, the budget issues turn more on whether or not the proposal has been well thought out, whether it is likely to be a good use of money and a good expenditure of money and one that is likely to contribute not only to increased security but the agency's performance of its mission. Those are the kinds of factors that OMB takes into account, just as later on the Congress will take that into account. And your comment earlier about the risk, that money could be wasted in this area, is also something that we take very seriously. You can't just fund a proposal because it sounds good or because the agency is an important agency or the area is an important area. You have to make certain that the proposal will work, that it will contribute something that will add value and will involve money well spent. And so this analysis is actually a very comprehensive and thorough one. We think in the next budget cycle we're going to get better submissions from the agencies. We've been working with the agencies directly one on one to get them to understand the change. 
We're expecting that in the IT area we are going to receive budget submissions that are better thought out and that will have better justifications.

Mr. Turner. Mr. Gilligan made a strong case for greater emphasis on cross-agency initiatives. What has OMB done to promote greater cross-agency efforts?

Mr. Spotila. We've actually been doing a variety of things. We've worked closely with the CIO Council, which I've chaired since last year until their DDM was confirmed. We've worked closely with John and his committee in that regard trying to identify areas. We've worked closely with Dick Clark and the Critical Infrastructure Assurance Office and the national security community and with others throughout OMB and the agencies trying to identify areas where crosscutting initiatives would help. John mentioned public infrastructure which would enable us to authenticate signatures. We think that's an important area. We know we need better intrusion detection capability. We think we need expert review teams that can get out onsite in the various agencies and help them not only assess security but try to improve their efforts in security. We think we need more efforts in the R&D area. We need scholarships for people to start learning this area so that the Federal Government can get the kind of personnel it needs with the kind of experience and educational background it needs to work in this area over the long term. So we have tried to identify areas of need, working closely with all these other parties, and then within the budget process we've actually given it a huge amount of support to try to help develop proposals that make sense, that will have credibility with the Congress, that will work once implemented. I think that the reality is we do start with a stovepipe approach. We all need to think outside of the box.
We need to make certain that, as we do crosscutting initiatives, that they work so that we can build up credibility and support for further efforts in the future. That's something we take very seriously, and I think that will be an ever-growing need in the future.

Mr. Turner. How many dollars have you expended on cross-agency initiatives and how many of them have been accomplished?

Mr. Spotila. Well, I think the reality is that in the past, as John has said, when there have been efforts like crosscutting initiatives, for example, support of the CIO Council and its efforts, we've done that by what John indicates is passing the hat. Under the Clinger-Cohen Act, we have some ability to do that, to have agencies contribute toward support of crosscutting measures. The President's budget, as I outlined in my testimony, not only includes an increase for computer security in general, but it highlights crosscutting initiatives that we think are very important. John mentioned that for $50 million an awful lot can be accomplished. I think the President's request is actually greater than that in this area because we're also focusing on research and development and on cyberscholarships and the like. Still, we're looking at a relatively small amount of money. $150 million would make a huge impact in this area. The key is to get it appropriated. And so when we talk about past crosscutting initiatives it's hard to track because we haven't had the kind of appropriations in large numbers that we're talking about here. We have used relatively small amounts of money to support the CIO Council and some other developmental areas along these lines. The GITS Board, for example, worked on the PKI--public key infrastructure--issue for some time. The Board has now been rolled into the CIO Council. We've identified a need to do much more of this going forward. I think the key now will be to see what happens in the appropriations process this fall.

Mr. Turner.
You've requested how many dollars for cross-agency initiatives?

Mr. Spotila. We have a list in my testimony that I can just mention, highlight real quickly.

Mr. Turner. Where would that be found?

Mr. Spotila. In my written testimony?

Mr. Turner. I mean in the budget itself. Is it appropriations in OMB? Is that where the money would reside currently?

Mr. Spotila. No. Actually, although these are crosscutting initiatives in the budget, they appear in the departmental submissions. So, for example, the Department of Commerce is seeking $5 million for NIST to establish an expert security review team that can then go to agencies, to a number of different agencies outside of Commerce. That's an example. When we talk about crosscutting initiatives, because of the nature of the appropriations process, it needs to appear in an individual agency's budget. Part of the difficulty is--not to single out Commerce--if that particular appropriations committee or subcommittee doesn't think it a priority, that an expert security review team at Commerce will be helping 25 other agencies, they might give it less support. That's where the difficulty comes in the budget process. So all of these so-called crosscutting initiatives still appear in individual agency budget submissions.

Mr. Turner. I think that's one of the things that I have concern about, that perhaps we need some central location, some leadership for this that would flow through our Federal CIOs to be sure that these things happen. Because I think what you're left with, even after you secure the appropriations agency by agency, you're still in the pass-the-hat mode, which I think is one of the problems that we perhaps face in the area that we are discussing. Thank you, Mr. Chairman. I know my time's expired.

Mr. Horn. Thank you. Let me follow up on that again. There's obviously a concern when you have these cross--the boundaries, if you will, initiatives.
Now, can--on reprogramming, you know, $5 million, that's chicken feed to any agency. They have got the--they can reprogram that. So you don't really need to worry too much. But you're right. If they're trying to help four or five other agencies, the appropriations and authorizers here might say, hey, not on my beat, put them somewhere else. So--but, hopefully, that's why OMB is there, to sort of help straighten it out. I am not going to embarrass any of the CIOs here, the chief information officers, but have the secretaries and heads of the agencies within the executive branch been responsive to the efforts to strengthen computer security? And I just--perhaps Mr. Gilligan on behalf of the CIO Council, Chief Information Council, do you get a feeling in those meetings that some of them just--these are not, obviously, here. They're other places. But do you get a feeling that they're not getting good backing from the top executives in the agency?

Mr. Gilligan. It's my clear sense that the senior executives across the agencies are getting the message. It's a complex issue, and I think the difficulty, as I addressed in my testimony, is understanding both that cybersecurity is important, and understanding what to do about it are two different things, and I think that's, in many cases, where agencies are stuck. It is not an issue that can be delegated down. It has to be undertaken and aggressive leadership has to be provided by senior management, as we found with Y2K. So I reiterate, I think the actions of the senior levels of the administration, and of this committee and others are going to be important in helping to get that message across. While there are complex technical issues that equate to rocket science, there is a foundation that must be built that is just good sound management practice that requires aggressive involvement at the senior levels.

Mr. Horn.
Let me move to another question, that when we had this discussion a few minutes ago on the libertarian suggestions, what message do the grades that we have given you send to the American people regarding the security of the citizens' personal information? Should we have a special category in that as to how that's dealt with in an agency and on those files that such as the census and others are the obvious one over in Commerce? Should we have a category as to how high in the agenda and hierarchy of things to be done that you first protect the information of the American citizen from getting out for people making use of those data and, therefore, perhaps as we've seen what's happened in credit card operations is some of these idiots take exactly the whole name and number and all the rest of it, and the result is that those poor souls can never get a loan again because somebody's running around the country with their credit card. Well, isn't that also true in some of the agencies here? What do you think, Mr. Spotila?

Mr. Spotila. Well, let me start by saying that we take very seriously the importance of preserving the confidentiality of information that the government holds. As we've been discussing throughout this morning, we recognize that, although a lot of progress has been made, we are not done. We cannot afford to be complacent because the challenge in this area is a dynamic one. The threat changes; new technology, new threats can appear. And so, on a day-by-day basis, we need to continue to do the best we can and to improve our efforts. Without getting into the grades themselves, we all agree here that there is room for improvement. I'm perhaps more sanguine in the sense that I think that the information that we're talking about here is not at great risk. I think the agencies are very careful about protecting that information, as John Dyer indicated at Social Security. They take it very seriously and realize the importance of it.
This is not to say that we're complacent. A new threat could emerge tomorrow that hasn't been anticipated, and a part of what you need in the security area is the ability to detect intrusions and to react to them and to correct problems when they surface. So I would say to the American people that we take security very seriously and that we all need to work together on behalf of the American people in this area.

Mr. Horn. Mr. Willemssen, you've looked at a lot of agencies over the years. What is your answer to that question and how worried should the American people be about this situation?

Mr. Willemssen. Well, I think--point one, Mr. Chairman, I think it's imperative to point out that absolute protection is not possible, and so we've got to look at this from a risk perspective. And in doing those risk assessments, the higher the sensitivity of systems and data, then the more rigid and tight the controls need to be, and agencies need to make that up-front judgment on how much risk for particular systems and data they're willing to accept and, given that acceptance of risk, then put in the appropriate controls. And I think in many cases we still have agencies who haven't done the in-depth risk assessments of systems and data in order to come to those judgments because not all systems and data are created equal. There has to be some judgments up front on what we absolutely have to protect as best as possible, again recognizing that there is no absolute as it pertains to protection but that we can narrow the margin significantly.

Mr. Horn. Ms. Singleton, would you like to get your licks in, shall we say?

Ms. Singleton. I'd like to offer one additional comment along those lines, which is to say that part of the problem that I think the American people might perceive with this system as a whole is that in the private sector if you leak a document--say you work in a law firm and you leak a document about a client.
The law firm stands a good chance of losing its client and you stand a good chance of losing your job. But there's a greater perception I think on the part of the American people--and partly it's correct that, in a Federal Government agency, if there's a leak or a mistake or an error, that there will be relatively lesser consequences for the agency as a whole and for the employee of that agency than there would be in the private sector. For example, if somebody in the agency does lose your file or give it to the wrong person, you still have to deal with that agency. You can't go to say another Department of Agriculture or another Department of Labor and find a, you know, better security practice there. So I think that also goes to the issue of some of the expense involved, is that it would be very helpful for the perception of the American people to have an understanding that if these policies are violated that there will be real consequences for the agency and for the employees involved.

Mr. Horn. Well, we thank you on that. I'm going to have a few closing words, and I want to thank the staff and tell you what we're doing tomorrow here. It's clear that a great deal of attention must be focused on this vital issue. There's a lot of computer security policy out there, but it isn't necessarily being followed by some agencies and others. And when we look at all of the State governments you've got another matter there in terms of privacy. What does it take, legislation? You can be assured if it does we will continue to monitor the government's progress in this area. This report card sets a baseline for the future oversight. It also is a wake-up call for Federal departments and agencies to begin taking the necessary steps to ensure that the sensitive information contained in the computers will be protected. Tomorrow at 10 a.m. the subcommittee will hold a related hearing to examine two proposals that would establish the position of a Federal chief information officer.
The gentleman from Texas has proposed that. Among other responsibilities, this governmentwide position would be responsible for the government's computer security efforts, and that's one approach, and that's in essence what we asked the President to do in the summer of 1997, was get somebody to put them in charge. Now, they didn't move for about a year, but when they did move that was exactly what was needed to get the coordination, somebody to be assistant to the President as Mr. Constant was when he was brought back into government, and he did a very fine job of pulling all the pieces together. Because I would ask, has the President brought this up at a Cabinet meeting? And, Mr. Spotila, I don't know if you know the answer to that, but in the Eisenhower administration, that thing would have been up there 10 years before. That's what Social Security was under the Y2K. They were on their own. There was no administration. They went through three of them in that period that didn't really face up to it until the bells were really ringing. So that's one of our concerns. But I think the next round we'll have a better feel for how accurately and diligently the agencies are doing it. I want to thank each of these witnesses today, and I want to thank the staff on both the minority and majority: J. Russell George, staff director, chief counsel of the subcommittee; Randy Kaplan, counsel; on my left, your right, Ben Ritt, professional staff member on loan from the GAO and the one that has had a lot of effort on putting this particular hearing together; Bonnie Heald, director of communications; Bryan Sisk, clerk; Elizabeth Seong, staff assistant; Earl Pierce, also a professional staff member; and George Fraser, intern. On Mr. Turner's side, Trey Henderson, minority counsel; and Jean Gosa, minority clerk. Court reporters, Colleen Lynch and Melinda Walker. 
May I say that we're now going to end this, and I know the media have wanted to have some questions, and those of you that would like to stay, please, gentlemen, and Ms. Singleton, you're welcome to stay. You're the experts in a lot of these, and I'm sure they'd like to ask you a few questions, but we won't do it in a formal hearing, and we--I don't know how the oath spreads over to a press conference, but we're in recess here. So--till tomorrow anyhow.

[Whereupon, at 11:50 a.m., the subcommittee was adjourned.]