[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]

HOW SECURE IS SENSITIVE COMMERCE DEPARTMENT DATA AND OPERATIONS? A REVIEW OF THE DEPARTMENT'S COMPUTER SECURITY POLICIES AND PRACTICES

HEARING before the SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS of the COMMITTEE ON ENERGY AND COMMERCE, HOUSE OF REPRESENTATIVES, ONE HUNDRED SEVENTH CONGRESS, FIRST SESSION

AUGUST 3, 2001

Serial No. 107-56

Printed for the use of the Committee on Energy and Commerce

Available via the World Wide Web: http://www.access.gpo.gov/congress/house

U.S. GOVERNMENT PRINTING OFFICE, 74-853, WASHINGTON : 2001

For Sale by the Superintendent of Documents, U.S. Government Printing Office. Internet: bookstore.gpr.gov. Phone: toll free (866) 512-1800; (202) 512-1800. Fax: (202) 512-2250. Mail: Stop SSOP, Washington, DC 20402-0001.

COMMITTEE ON ENERGY AND COMMERCE

W.J. ``BILLY'' TAUZIN, Louisiana, Chairman

MICHAEL BILIRAKIS, Florida
JOE BARTON, Texas
FRED UPTON, Michigan
CLIFF STEARNS, Florida
PAUL E. GILLMOR, Ohio
JAMES C. GREENWOOD, Pennsylvania
CHRISTOPHER COX, California
NATHAN DEAL, Georgia
STEVE LARGENT, Oklahoma
RICHARD BURR, North Carolina
ED WHITFIELD, Kentucky
GREG GANSKE, Iowa
CHARLIE NORWOOD, Georgia
BARBARA CUBIN, Wyoming
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
JOHN B. SHADEGG, Arizona
CHARLES ``CHIP'' PICKERING, Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
TOM DAVIS, Virginia
ED BRYANT, Tennessee
ROBERT L. EHRLICH, Jr., Maryland
STEVE BUYER, Indiana
GEORGE RADANOVICH, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska

JOHN D. DINGELL, Michigan
HENRY A. WAXMAN, California
EDWARD J. MARKEY, Massachusetts
RALPH M. HALL, Texas
RICK BOUCHER, Virginia
EDOLPHUS TOWNS, New York
FRANK PALLONE, Jr., New Jersey
SHERROD BROWN, Ohio
BART GORDON, Tennessee
PETER DEUTSCH, Florida
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
BART STUPAK, Michigan
ELIOT L. ENGEL, New York
TOM SAWYER, Ohio
ALBERT R. WYNN, Maryland
GENE GREEN, Texas
KAREN McCARTHY, Missouri
TED STRICKLAND, Ohio
DIANA DeGETTE, Colorado
THOMAS M. BARRETT, Wisconsin
BILL LUTHER, Minnesota
LOIS CAPPS, California
MICHAEL F. DOYLE, Pennsylvania
CHRISTOPHER JOHN, Louisiana
JANE HARMAN, California

David V. Marventano, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

Subcommittee on Oversight and Investigations

JAMES C. GREENWOOD, Pennsylvania, Chairman

MICHAEL BILIRAKIS, Florida
CLIFF STEARNS, Florida
PAUL E. GILLMOR, Ohio
STEVE LARGENT, Oklahoma
RICHARD BURR, North Carolina
ED WHITFIELD, Kentucky, Vice Chairman
CHARLES F. BASS, New Hampshire
W.J. ``BILLY'' TAUZIN, Louisiana (Ex Officio)

PETER DEUTSCH, Florida
BART STUPAK, Michigan
TED STRICKLAND, Ohio
DIANA DeGETTE, Colorado
CHRISTOPHER JOHN, Louisiana
BOBBY L. RUSH, Illinois
JOHN D. DINGELL, Michigan (Ex Officio)

C O N T E N T S

Testimony of:
Bodman, Hon. Samuel W., Deputy Secretary, accompanied by Thomas Pyke, Acting Chief Information Officer, U.S. Department of Commerce
Dacey, Robert F., Director, Information Security Issues, U.S. General Accounting Office
Frazier, Hon. Johnnie E., Inspector General, U.S. Department of Commerce

HOW SECURE IS SENSITIVE COMMERCE DEPARTMENT DATA AND OPERATIONS? A REVIEW OF THE DEPARTMENT'S COMPUTER SECURITY POLICIES AND PRACTICES

FRIDAY, AUGUST 3, 2001

House of Representatives, Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, Washington, DC.

The subcommittee met, pursuant to notice, at 9:30 a.m., in room 2123, Rayburn House Office Building, Hon. James C. Greenwood (chairman) presiding.

Members present: Representatives Greenwood, Burr, and Tauzin (ex officio).

Staff present: Tom Dilenge, majority counsel; Mark Paoletta, majority counsel; Will Carty, legislative clerk; and Peter Kielty, legislative clerk.

Mr. Greenwood. Good morning. The subcommittee will come to order. I apologize for starting a little late. It was a late night last night, and we are hoping some of the other members arrive, but we do not want to dishonor anyone's time. So we will start now.

We are here today to continue the committee's review of computer security, or lack thereof, as the case may be, at Federal agencies under our jurisdiction. Since 1998, this committee has reviewed computer security policies and practices at the Environmental Protection Agency, the Department of Energy, the Health Care Financing Administration, and today we will be focusing our attention on the Department of Commerce. Without exception, we have found significant security problems at each of these agencies, all of which either took or are taking prompt action to correct the deficiencies identified as a result of our oversight. Unfortunately, it appears that information security rarely becomes a priority within an agency until the white hot lights of public and congressional attention focus on that agency's specific flaws.
Today we will hear from information security experts at the General Accounting Office, who at this committee's request conducted an in-depth evaluation of the department's management and implementation of computer security at seven of its operating divisions, including the Bureau of Export Administration, the International Trade Administration, the Economics and Statistics Administration, and the Office of the Secretary. GAO's team of ethical hackers identified and exploited vulnerabilities in the computer systems of these divisions to gain virtually unlimited access to them internally, from within the department's network, and externally, from the Internet. Not only could these systems be accessed without authorization, but the information contained in them could be read, modified, or deleted at will, even with respect to the most sensitive systems and data files within these seven divisions. And with such access also comes the power to completely disrupt critical department operations.

It is no secret that of the systems reviewed and found to be vulnerable by GAO, many contain highly sensitive personal, financial, commercial, and national security related data and are critical to the department's overall mission. Included in this list are the export control licensing systems and the networks that are used by the International Trade Administration for communications with our foreign commerce outposts around the world.

The state of the department's security was truly deplorable. GAO found instances in which systems did not require passwords even for system administrator accounts. Other systems had easily guessed passwords, such as ``password.'' Certain passwords and password files were either unencrypted or not otherwise protected, permitting anyone on the network, authorized or unauthorized, to read and obtain even the most powerful account passwords. And six of the seven bureaus did not even limit the number of times an individual could try to log onto the system, allowing would-be hackers excessive opportunities to crack these poor password controls.

GAO also found that poor network security and configurations permitted GAO's experts to circumvent the limited security controls that were in place and thus to travel between and among the seven connected bureaus, essentially finding that the lowest common denominator among these bureaus set the security standard for the rest of them. Some of the bureaus did not even have firewalls in place to protect all of their sensitive internal systems from the Internet or, if they did, they were either so poorly implemented as to be largely ineffective or could be easily bypassed by alternative access routes. These failures place all of the connected bureaus at significant risk of intrusions.

Equally troubling, and despite advance notice of the GAO hacking attempts, the department's monitoring of cyber intrusions failed to detect the overwhelming majority of GAO's intrusion and scanning efforts, including the successful ones. In fact, GAO reports that its hackers gained access to one system only to find that a Russian hacker had been there before them without the department's apparent knowledge. And only two of the bureaus reviewed by GAO had formal intrusion detection systems in place. In short, the department simply has no idea of whether its sensitive systems are being or have been compromised, a totally unacceptable situation.

The reason for these failures, according to GAO, is the lack of an effective security management program at the department. Basic and longstanding Federal security requirements have essentially been ignored for years. Only 3 of the 94 sensitive systems reviewed by GAO had documented risk assessments, and only seven had current security plans, none of which have been approved yet by management. The department's computer security policies have not been updated since 1995, despite the tremendous growth of the Internet and the increased interconnectivity between Commerce bureaus and the outside world, and there are virtually no minimum security requirements for all Commerce computer systems, even, for example, on basic issues such as password lengths or characteristics.

In addition to GAO, we will hear today from the department's Inspector General, which also has done work in this area. A recent IG report essentially confirmed that the lack of effective security management found by GAO with respect to seven of the department's operating divisions was not unusual. Across the department, adequate risk assessments and security plans are the exception rather than the norm, with roughly 92 percent of the department's systems failing to comply with at least one of these Federal security requirements. The IG's financial control audits, which beginning this year contained a limited penetration test of computer security controls, also confirm that access control problems similar to those identified at the seven bureaus reviewed by GAO exist at many other Commerce bureaus as well, including the Census Bureau, NOAA, NIST, and others, posing threats from both internal and external sources.

How could this situation exist and for so long? The short answer is that until this committee started asking questions early last year, no one at the department was even seriously looking at these issues. Despite Federal requirements for independent reviews of security controls on major systems on a routine basis, GAO found that neither the department's Chief Information Officer nor six of the seven bureaus reviewed had conducted any such audits or oversight. Unfortunately, the situation is not at all unusual. Our cyber security reviews have consistently shown that this lack of real world testing of the effectiveness of security controls is one of the major problems facing not just the Commerce Department, but the Federal Government as a whole.

This lack of attention to cyber security is reflected by the lack of resources devoted to this purpose. At Commerce, for example, the department's Office of Information Technology Security, which is responsible for setting the department's computer security policies and conducting oversight to ensure compliance by these various bureaus, was a one-person operation until March 2000, when the Director of this office was given two interns to assist with these important functions. I am pleased to hear that Secretary Evans recently approved a redirection of additional personnel and funding for this office, which in addition to computer security is also responsible for the department's overall critical infrastructure protection efforts.

It certainly is time; indeed, it is well past time for the Commerce Department to start taking the security of its data systems seriously, much more so than it was under the previous administration. In the 21st Century effective computer security is as much a part and cost of doing business as having locks on the front door was during previous centuries. And we will continue our oversight in this area until Commerce and the other Federal agencies under our jurisdiction get this message loud and clear.

I want to welcome and thank our witnesses for testifying today on this important topic, and we'll now recognize the Ranking Member. Actually, I will now recognize the chairman of the full committee, Mr. Tauzin, for his opening statement.

[The prepared statement of Hon. James Greenwood follows:]

Prepared Statement of Hon. James Greenwood, Chairman, Subcommittee on Oversight and Investigations

We are here today to continue this Committee's review of computer security--or lack thereof as the case may be--at Federal agencies under our jurisdiction. Since 1998, this Committee has reviewed computer security policies and practices at the Environmental Protection Agency, the Department of Energy, the Health Care Financing Administration, and today we will be focusing our attention on the Department of Commerce. Without exception, we have found significant security problems at each of these agencies, all of which either took--or are taking--prompt action to correct the deficiencies identified as a result of our oversight. Unfortunately, it appears that information security rarely becomes a priority within an agency until the white-hot lights of public and congressional attention focus on that agency's specific flaws.

Today we will hear from information security experts at the General Accounting Office who, at this Committee's request, conducted an in-depth evaluation of the Department's management and implementation of computer security at seven of its operating divisions, including the Bureau of Export Administration, the International Trade Administration, the Economics and Statistics Administration, and the Office of the Secretary. GAO's team of ethical hackers identified and exploited vulnerabilities in the computer systems of these divisions to gain virtually unlimited access to them internally, from within the Department's network, and externally, from the Internet. Not only could these systems be accessed without authorization, but the information contained in them could be read, modified, or deleted at will--even with respect to the most sensitive systems and data files within these seven divisions. And with such access also comes the power to completely disrupt critical Department operations.
It is no secret that, of the systems reviewed and found to be vulnerable by GAO, many contain highly sensitive personal, financial, commercial, and national security-related data, and are critical to the Department's overall mission. Included in this list are the export control licensing systems and the networks that are used by the International Trade Administration for communications with our foreign Commerce outposts around the world.

The state of the Department's security was truly deplorable. GAO found instances in which systems did not require passwords, even for system administrator accounts. Other systems had easily guessed passwords, such as ``password.'' Certain passwords and password files were either unencrypted or not otherwise protected, permitting anyone on the network--authorized or unauthorized--to read and obtain even the most powerful account passwords. And six of the seven bureaus did not even limit the number of times an individual could try to log on to the system, allowing would-be hackers excessive opportunities to crack these poor password controls.

GAO also found that poor network security and configurations permitted GAO's experts to circumvent the limited security controls that were in place, and thus to travel between and among the seven connected bureaus--essentially finding that the lowest common denominator among these bureaus set the security standard for the rest of them. Some of the bureaus did not even have firewalls in place to protect all of their sensitive internal systems from the Internet--or, if they did, they were either so poorly implemented as to be largely ineffective, or could be easily bypassed via alternative access routes. These failures place all of the connected bureaus at significant risk of intrusions.

Equally troubling, and despite advance notice of the GAO hacking attempts, the Department's monitoring of cyber intrusions failed to detect the overwhelming majority of GAO's intrusion and scanning efforts, including the successful ones. In fact, GAO reports that its hackers gained access to one system, only to find that a Russian hacker had been there before them, without the Department's apparent knowledge. And only two of the bureaus reviewed by GAO had formal intrusion detection systems in place. In short, the Department simply has no idea of whether its sensitive systems are being or have been compromised--a totally unacceptable situation.

The reason for these failures, according to GAO, is the lack of an effective security management program at the Department. Basic and longstanding Federal security requirements have essentially been ignored for years. Only three of the 94 sensitive systems reviewed by GAO had documented risk assessments, and only seven had current security plans, none of which had been approved yet by management. The Department's computer security policies have not been updated since 1995, despite the tremendous growth of the Internet and the increased inter-connectivity between Commerce bureaus and the outside world. And there are virtually no minimum security requirements for all Commerce computer systems--even, for example, on basic issues such as password lengths or characteristics.

In addition to GAO, we will hear today from the Department's Inspector General, which also has done work in this area. A recent IG report essentially confirmed that the lack of effective security management found by GAO, with respect to seven of the Department's operating divisions, was not unusual. Across the Department, adequate risk assessments and security plans are the exception rather than the norm, with roughly 92% of the Department's systems failing to comply with at least one of these Federal security requirements. The IG's financial control audits, which, beginning this year, contained a limited penetration test of computer security controls, also confirm that access control problems similar to those identified at the seven bureaus reviewed by GAO exist at many other Commerce bureaus as well, including the Census Bureau, NOAA, NIST, and others, posing threats from both internal and external sources.

How could this situation exist, and for so long? The short answer is that, until this Committee started asking questions early last year, no one at the Department was even seriously looking at these issues. Despite Federal requirements for independent reviews of security controls on major systems on a routine basis, GAO found that neither the Department's chief information officer, nor six of the seven bureaus reviewed, had conducted any such audits or oversight. Unfortunately, this situation is not at all unusual. Our cyber security reviews have consistently shown that this lack of real-world testing of the effectiveness of security controls is one of the major problems facing not just the Commerce Department, but the Federal government as a whole.

This lack of attention to cyber security is reflected by the lack of resources devoted to this purpose. At Commerce, for example, the Department's Office of Information Technology Security--which is responsible for setting the Department's computer security policies and conducting oversight to ensure compliance by the various bureaus--was a one-person operation up until March 2000, when the director of this office was given two interns to assist with these important functions. I am pleased to hear that Secretary Evans recently approved a re-direction of additional personnel and funding for this office, which in addition to computer security is also responsible for the Department's overall critical infrastructure protection efforts.

It certainly is time--indeed, it is well past time--for the Commerce Department to start taking the security of its data systems seriously, much more so than it was under the previous Administration. In the 21st century, effective computer security is as much a part and cost of doing business as having locks on the front door was during previous centuries. And we will continue our oversight in this area until Commerce and the other Federal agencies under our jurisdiction get this message loud and clear.

I want to welcome and thank our witnesses for testifying today on this important topic, and will now recognize the Ranking Member for an opening statement.

Chairman Tauzin. Thank you, Mr. Chairman. And let me echo your comments regarding the need for Federal agencies to start devoting a great deal more attention and the resources necessary to secure the computer systems of our country from attacks or misuse by hackers.

I want to congratulate you, Jim, on the excellent work you have done as our O&I chairman this year, and this, of course, may be some of the most important work you do, even ranking with the important work you have done in tire safety this year to protect Americans.

Protecting the security of our systems is critical not only to the privacy of American citizens, who share information with these systems very often involuntarily, but they do not even have a chance to say, ``Please do not use it for something else,'' but it obviously has huge implications for the potential for someone to create some real mischief in some very sensitive data banks in this country. What we learned about the capability of hackers to move into, for example, CMS (Center for Medicaid/Medicare Services), the agency formerly known as HCFA (Health Care Financing Administration), and interfere with the provision of health care services and reimbursement, sensitive medical accounts, it is pretty frightening.
You know, there is one area where citizens are keenly aware of the privacy of their information and the sanctity of that privacy. It is in the health care area. I cannot tell you how appalled I was to learn that that information might be compromised and that the systems that my mother and so many other Americans depend upon for their health care might be ripped because somebody got in and managed it improperly and misused it. And so again, I want to stress how important it is. This subcommittee has been moving on this issue, and again, Mr. Chairman, I congratulate you.

The Commerce Department, which is the focus of our hearing today, the GAO and Inspector General audit findings are alarming. Hackers from GAO and the Inspector General's Office were able to have their way with the department's various computer systems, violating the integrity of the department's computer networks virtually at will. You know, if our government ethical hackers can get in, I guarantee you there are kids in Russia and Cal Tech, somewhere all over this world who can get in.

And while the findings are quite troubling, they don't surprise me based upon the committee's work on other agencies. When an administration, like the last administration, devotes so little time and attention to this particular matter, we are not surprised that these problems are so pervasive. It is clear to me that while the former President might have said that this was an area of importance, the administration simply failed constantly, consistently to make the protection of our Nation's critical cyber assets a true priority. There just was not enough attention paid to it. Somebody was asleep at the computer switch, and that is why I am pleased to see the new Secretary of Commerce is taking a very different approach.

He has instituted a new management structure with increased authority, responsibility, and accountability for the department's information officers, and he has allocated more resources to the security functions at the departmental level. And probably most importantly, the Secretary has made clear to his Under Secretaries that they will make computer security a priority as an integral part of their programmatic missions and will allocate additional resources as necessary to get the job done. Those are strong words. We have heard strong words before. So we want to make sure those strong words are translated today and hereafter into very strong action.

In this vein I'm very pleased to have the newly confirmed Deputy Secretary of the department here today, signifying, I think, the importance of this topic to the Secretary and the level at which these issues are now being handled by the department. That is very encouraging.

Let me just finish by emphasizing that good computer security is not a simple fix. We have learned that in this committee. It is sort of like the radar systems, you know. For every new radar system they manufacture for the police, the same company is manufacturing a radar detection system for consumers to put in their cars. And we know that the people who make the best security systems also know how to break them, and very often the people that are really good at this stuff figure it out on their own. And while it takes consistent and sustained leadership, particularly in the beginning, effective long-term information security programs require the implementation of sound processes and policies that can carry on absent or despite the particular personalities involved. I hope the Commerce Department and all of the Federal agencies of our country keep this principle in mind as they take the long overdue steps to improve the security of sensitive data when the American people have entrusted them or that they have entrusted us, rather, to protect.

When they give us their information, very often involuntarily, we have a sacred duty to protect their privacy and the integrity of that information, and we cannot look at it any less solemnly than that. Thank you, Mr. Chairman.

[The prepared statement of Hon. W.J. ``Billy'' Tauzin follows:]

Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee on Energy and Commerce

Thank you, Mr. Chairman, and I want to echo your comments regarding the need for all Federal agencies to start devoting the attention and resources necessary to secure their computer systems from attacks or misuse. The government must do more to protect the sensitive personal, financial, proprietary and national security-related data on its systems.

I also want to stress how valuable the work of this Subcommittee has been in moving the ball forward on these issues. There should be little doubt in anyone's mind that, absent the aggressive oversight of this Subcommittee, agencies such as EPA, DOE, HCFA (now known as CMS) and others would not have taken many of the actions that they recently have taken to improve the security of their sensitive data and systems. While none of them are yet perfected, and none will likely ever be perfected due to rapidly changing technology, keeping the pressure and the focus on these issues is critically important to our nation and to its citizens.

As for the Commerce Department--which is the focus of our hearing today--the GAO and Inspector General audit findings are alarming. Ethical hackers from GAO and the Inspector General's office were able to have their way with the Department's various computer systems--violating the integrity of the Department's computer networks virtually at will. While these findings are quite troubling, they don't surprise me at all, based on the Committee's work at other agencies. When an Administration, such as the Clinton Administration, devotes so little attention and resources to a particular matter, we shouldn't be surprised to find that such problems are so pervasive. It is clear to me that, despite what the former President might have said about the importance of computer security, his Administration failed to take actions to make the protection of our nation's critical cyber assets a true priority.

That is why I am so pleased to see that the new Secretary of Commerce is taking a different approach. He's instituted a new management structure--with increased authority, responsibility, and accountability for the Department's information officers. He's allocated more resources to these security functions at the Department level. And, probably most importantly, the Secretary has made clear to his Under Secretaries that they will make computer security a priority as an integral part of their programmatic missions, and will allocate additional resources as necessary to get the job done.

In this vein, we are pleased to have the newly-confirmed Deputy Secretary of the Department here today to testify, signaling the importance of this topic to the Secretary and the level at which these issues are now being handled within the Department.

Let me finish just by emphasizing that good computer security is not a simple fix. While it takes consistent and sustained leadership, particularly in the beginning, effective long-term information security programs require the implementation of sound processes and policies that can carry on absent, or despite, particular personalities. I hope the Commerce Department, and all Federal agencies, keep this principle in mind as they take these long-overdue steps to improve the security of the sensitive data which the American people have entrusted them to protect.

I thank the Chairman, and yield back the balance of my time.

Mr. Greenwood.
The Chair thanks the chairman for his comments and for his presence and for his assistance and cooperation and help with this investigation, and recognizes for an opening statement the gentleman from North Carolina, Mr. Burr. Mr. Burr. I thank the chairman and full committee chairman. Having finished a hectic legislative schedule this week, if we look a little tired, it is because we are, and this committee contributed greatly to major legislation in the form of a comprehensive energy package and a patient's bill of rights that some dreamed would never happen. But the issue that we are here to look at today is of interest to every member, Republican and Democrat. That is certainly not indicative of the participation that we have this morning. It is more indicative of the lack of sleep that all have had and their anxiousness to go home since the business is over. This subcommittee has looked at computer security issues at a number of government agencies. As troubling as many of the problems that those agencies were, and still are in many cases, I am especially troubled by some of the concerns raised by the General Accounting Office audit of seven Commerce bureaus. In particular, I am more than a little concerned about the security of the Bureau of Export Administration, which is responsible, among other things, for regulating the export of sensitive goods and technology, enforcing export controls, anti-boycott and public safety laws, cooperating with and assisting other countries on export control and strategic trade issues, assisting U.S. industry to comply with international arms control agreements, and monitoring the viability of the United States' defense industrial base. That mission statement came straight off BXA's Web site. 
I imagine most of us recognize those as some very serious responsibilities, and I imagine most of us will be equally disturbed by the fact that BXA has one of the worst computer security problems and is among the most susceptible to unauthorized access of the seven bureaus examined by GAO. I suspect, based on the track record, that it is not a stand out among the rest of the department's bureaus either. Apparently BXA had not tested its system since 1991 and had not conducted a risk assessment since 1994. Many of the problems GAO will discuss were also identified by the Commerce Inspector General in a 1999 report. Here we are today, August 2001. It must be Groundhog Day, starting at the same point with the same problems once again. Now, what this means is that the Commerce Department has apparently not made much progress adhering to PDD 63 issued in May 1998 that set up groups within the Federal Government to develop and implement plans that would protect government operated computer and communications infrastructure. The directive identified 12 areas critical to the functioning of this country. Commerce was designated as lead agency for information and communications security. Foreign affairs and national defense are also key elements of the directive, and it is my understanding that the export control system is considered, under PDD 63, critical. And I have the sneaking suspicion that GAO is about to tell this subcommittee that it was able to gain unauthorized access to administrative level BXA systems. That's not the only portion of the mission statement on the Web site. It also states that another of the bureau's missions is to promote Federal initiatives and public-private partnerships across industry sectors to protect the Nation's critical infrastructure. To protect the Nation's critical infrastructure. I think that one phrase justifies why we are here today, and I think why everybody takes it seriously. 
In closing, I will say to our friends from the Department of Commerce: you inherited this problem. The challenge is that you have inherited a problem you have to fix. I hope the next Congress with the next Commerce Department--hopefully they are the same people we have today in the next Commerce Department--but heaven forbid we ever have a situation where we come back up here to talk about this problem again because I believe that this committee is serious about making sure that we work as a partner to make sure that the problem of security within BXA, within Commerce, within all Federal agencies is eliminated as it relates to the access that we've seen. Mr. Chairman, once again, let me thank you, and yield back the balance of my time.

Mr. Greenwood. The Chair thanks the gentleman for his statement and welcomes our first two witnesses. They are the Honorable Johnnie E. Frazier, Inspector General, U.S. Department of Commerce, and Mr. Robert F. Dacey, Director of Information Security Systems at the U.S. General Accounting Office. You gentlemen are aware that the committee is holding an investigative hearing, and when doing so has had the practice of taking testimony under oath. Do you have any objections to testifying under oath?

Mr. Frazier. No, sir.

Mr. Greenwood. Seeing no such objections, the Chair then advises you that under the rules of the House and the rules of the committee you are entitled to be advised by counsel. Do you desire to be advised by counsel during your testimony today? Seeing a negative response, in that case if you would please rise and raise your right hands, I will swear you in. [Witnesses sworn.]

Mr. Greenwood. Thank you. You may be seated, and you are now under oath, and, Mr. Frazier, we will begin with you for your opening statement. Please proceed. Welcome.

TESTIMONY OF HON. JOHNNIE E. FRAZIER, INSPECTOR GENERAL, U.S. DEPARTMENT OF COMMERCE; AND ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY ISSUES, U.S. GENERAL ACCOUNTING OFFICE

Mr. Frazier. Thank you, Mr. Chairman. Mr. Chairman and members of the committee, I am very pleased to be here today to talk about the OIG's work as it relates to the Department of Commerce IT security. The detailed results of our work have been included in my long statement, which I would like to have submitted for the record, but I would like to take a few minutes right now just to talk about a few of the projects that we have been working on. Commerce, as you know, has many complex computer systems that provide essential services to the public and support critical mission activities, such as the Nation's weather services, care of the environment, promotion of trade, economic growth, and scientific research. As the department's systems have become more interconnected, vulnerabilities have also increased, thus increasing the need to continuously improve IT security measures. I cannot overemphasize the importance of IT security. Indeed, in our recent semi-annual reports to the Congress, we have identified strengthening department-wide security over information technology as one of the top ten management challenges facing the Department of Commerce. During the past year, we have engaged in various audit, inspection, evaluation, and investigation activities aimed at strengthening IT security Commerce-wide. We have coordinated with GAO and the CIO to ensure that we address the most important issues and avoid duplication of effort. In our resulting reports and briefings, we have made numerous observations and recommendations aimed at improving IT security. Let me briefly mention a few of our efforts. One recent evaluation which examined the Office of the CIO's oversight of the department's IT security program found that despite some progress in recent years, additional improvements are needed.
The department's IT security policy needs to be revised and expanded because it has not been updated to comply with significant revisions of OMB guidance, and it has not kept pace with recent trends in technology and related security threats. Additional IT security compliance procedures are needed because security for many of the department's systems has not been adequately planned. The security reviews have not been performed, and several of our agencies do not even have adequate awareness plans or training plans or even sufficient capabilities for responding to IT security incidents. Another one of our evaluations revealed that although the department made early strides in its critical infrastructure protection planning, important milestones had slipped. The inventory of critical assets needed to be reevaluated and vulnerability assessments, remediation plans, and budget justifications just simply had not been completed. A third evaluation identified privacy and security concerns raised by the department's use of Internet ``cookies'' and Web ``bugs'' on its Web sites. We have also identified security issues through our inspections of Commerce offices and activities, both domestically and overseas. Likewise our investigative work has identified and examined specific incidents or allegations involving IT security weaknesses, vulnerabilities, or threats. And finally, our systems security audits of departmental financial management systems are designed to identify IT security problems. These audits are performed by certified public accounting firms under contract with us and include security reviews of the department's financial management systems and related networks. The CPAs use the GAO Federal information system controls audit manual as their guidance. The fiscal year 2000 financial statement audits included review of general system controls at the department's seven data processing locations. 
We found weaknesses at all seven locations, including our observations that formal security plans either did not exist, were outdated, or were not approved for the major financial management systems and associated support systems. Moreover risk assessments needed to be completed and approved, and more security monitoring was clearly needed. In addition to the general system security control reviews, penetration testing was also performed at four of the seven locations to identify weaknesses in access controls. The penetration testing found open modems and ports that were accessible to potential hackers, readily accessible sensitive information on Web sites, and firewall configurations that could allow a hacker to introduce a virus. As for physical security, some computer rooms in sensitive work areas were not adequately secured. It is important at this point to note that the department and its operating units have reported progress on some of these weaknesses, and I should also note that we are aware that they are working to address others. But you should also note that we are in the process of performing our annual follow-up work to try and confirm many of these observations and reported accomplishments. We currently have other IT security reviews underway, including looking at some of the classified systems, looking at the background investigations behind some of the people who run these systems and a host of other projects. Finally, I am pleased to note that just last month my office entered into a memorandum of agreement with the department's Office of the CIO and the Office of Security to define our respective roles and responsibilities related to Commerce's IT security program. This agreement is intended to promote a partnership among the three offices to ensure improved coverage of IT security matters. 
In closing, it is clear to me that cooperative, continuous, and concerted efforts are needed by each of us, and I mean each of us, as we move to address IT security weaknesses. These same efforts are needed if we are to have any chance of at least staying one step ahead of hackers and others that see IT security as some sort of cat and mouse game. I am encouraged that the senior management of the department and its operating units increasingly recognize the need to take a proactive approach to do this. For example, the Secretary's recent directive increasing the authority of operating unit CIOs and making them a more integral part of the bureau management team is an important initiative. Likewise, the recent appointment of the Senior Advisor to the Secretary for Privacy should be instrumental in addressing such issues as ``cookies,'' Web ``bugs,'' and other security and privacy matters. Program officials are being strongly reminded that they, too, have key IT security responsibilities and need to work closely with operating CIOs and security officials to ensure a more effective security program. This concludes my statement, and I will gladly answer any questions.

[The prepared statement of Hon. Johnnie E. Frazier follows:]

Prepared Statement of Johnnie E. Frazier, Inspector General, U.S. Department of Commerce

Mr. Chairman and Members of the Committee, I am pleased to appear before you today to discuss the Office of Inspector General's (OIG) work and other activities related to the security and protection of the Department's critical information technology (IT) systems, programs, and activities. The Department of Commerce has numerous complex computer systems that provide essential services to the public and support critical mission activities, such as the nation's weather services, environmental stewardship, promotion of trade and economic growth, scientific research, and technological development.
As the Department's systems have become more interconnected, vulnerabilities have also increased, thus increasing the need to continuously improve IT security measures. Strong IT security measures are vital to (1) protecting the privacy of information, (2) safeguarding the integrity of computer systems and their networks, and (3) ensuring the availability of services to the American public and other users. I cannot emphasize too much how important these measures are. Indeed, in our recent Semiannual Reports to the Congress, we have identified ``Strengthening Department-wide Information Security'' as one of the top 10 management challenges facing the Department of Commerce because of that issue's: 1. Importance to the Department's mission and the nation's well-being, 2. Complexity and sizable expenditures, and 3. Need for significant management improvements. During the past year, we have engaged in a number of audit, inspection, evaluation, and other activities involving Commerce IT security matters--all aimed at strengthening IT security Commerce-wide. We have completed evaluations of the Department's efforts to implement its Critical Infrastructure Protection (CIP) plans. We also have assessed the Office of the Chief Information Officer's (CIO) IT security policy and the effectiveness of its oversight of the Department's IT security program. In addition, we have evaluated the use of persistent Internet ``cookies'' and ``web bugs'' on Commerce Internet sites. Furthermore, in support of the OIG's fiscal year 2000 financial statement audits, we have conducted security reviews of the Department's financial management systems and their related networks. Moreover, assessments of IT security policies and practices are often an integral part of the operational inspections we conduct of Commerce activities, units, and offices domestically and overseas. 
These inspections are intended to provide operating unit managers with useful, timely information about their operations, including IT security issues. IT security problems have also been identified through our investigative work. In addition, we have worked closely with many of the Department's key IT managers, top security personnel, and senior program officials in an effort to identify the most critical IT security issues and help craft corrective measures. Let me briefly summarize the results of some of our recent efforts.

EARLY PROGRESS MADE IN CRITICAL INFRASTRUCTURE PROTECTION, BUT PLANNING AND IMPLEMENTATION HAVE SLOWED

Last year, we evaluated the Department's CIP plan, identification of minimum essential infrastructure (MEI) assets, and vulnerability assessments of its cyber-based assets. MEI assets are the physical and cyber-based assets essential to the minimum operations of the economy and the government. Our evaluation found that although the Department had made initial progress by developing a Department-wide CIP plan, identifying critical infrastructure assets, and initiating vulnerability assessments, there were several areas that warranted management attention:

- The Department's CIP plan needed to be strengthened because several of its elements were outdated or missing, and important milestones had slipped. The asset inventory, vulnerability assessment framework, and budget estimates included in the plan were not current. The plan also did not include requirements for reviewing new assets to determine whether they should be included as MEI assets, periodically updating vulnerability assessments, or developing a system for responding to infrastructure attacks.

- The MEI asset inventory needed to be reevaluated because of limitations in data gathering. In most cases, asset managers were neither interviewed nor given adequate guidance before filling out complex questionnaires used to gather asset information, and the officials most knowledgeable about the assets were seldom interviewed because of logistical problems and limited resources. Establishing a reliable MEI inventory is important because it forms the basis for later activities, such as selecting the highest risk assets for vulnerability assessments and taking remedial actions.

- Vulnerability assessments, remediation plans, and budget justifications needed to be completed. Reportedly due to resource constraints, the Department had current vulnerability assessments for less than 10 percent of MEI assets and had not developed any remediation plans.

The CIO's office agreed with our findings and stated that the Department's focus would be on the broad spectrum of IT security, which emphasizes assets critical to the Department's mission and includes most cyber-based MEI assets. Short-term actions were identified to improve guidance to operating unit personnel involved in vulnerability assessments and increase their involvement in the MEI asset inventory, revise the MEI asset list, and evaluate new assets to determine whether they should be included as MEI assets.

ADDITIONAL FOCUS NEEDED ON IT SECURITY POLICY AND OVERSIGHT

The CIO is responsible for developing and implementing a departmental IT security program to ensure the confidentiality, integrity, and availability of information and IT resources. The CIO's responsibilities include developing policies, procedures, and directives for IT security and providing oversight of the IT security programs of the Department's operating units. We conducted an evaluation to assess the CIO's policies and the effectiveness of his oversight of the Department's IT security program.
Our review focused on the CIO's compliance with laws and regulations governing IT security and his actions in recent years to oversee the Department's IT security program. We found that although in the past IT security did not receive adequate attention, in more recent years, the CIO's office had expanded its focus on and increased the resources devoted to IT security. For example, the office conducted its first Department-wide assessment of IT security planning in 1999 and reviewed operating unit self-assessments in 2000, which resulted in increased compliance with security requirements. Nevertheless, policy and oversight need further improvements. Specifically:

- IT security policy needs to be revised and expanded. The Department's IT security policy is out of date because it was developed in 1993 and 1995, prior to a significant revision of OMB Circular A-130, which communicates policy on the security of federal automated information resources. The policy is also missing important components because it has not kept pace with recent trends in technology and related security threats. The Department's policy must be kept current and complete because the operating units use it as the foundation for their general and system-specific policies. We recommended that the CIO's office update and expand its IT security policy as soon as possible.

- Additional IT security compliance procedures are needed. Security for many of the Department's systems has not been adequately planned, and security reviews have not been performed. In addition, several operating units do not have adequate awareness and training programs or adequate capabilities for responding to IT security incidents. The Government Information Security Reform Act (GISRA) requires the CIO's office to conduct annual IT security evaluations in 2001 and 2002 similar to the self-assessments it monitored in 2000.
We recommended that the office commit to a program of reviews that extends beyond GISRA's 2-year review requirement. Moreover, the CIO's office should work with the Department's acquisition and budget managers to ensure that IT-related procurement specifications include security requirements, and that funds for meeting these requirements are included in operating unit budgets. During our evaluation of the Department's IT security policy, we provided the Department with a written analysis that identified weaknesses and deficiencies in the policy, and made recommendations for specific changes to bring the policy into compliance with applicable laws and regulations. The CIO's office agreed with all of our recommendations and cited a number of corrective actions it planned to take to implement them. Among other things, it agreed to revise, expand, and update the Department's IT security policy; continue its compliance review program beyond the 2-year period required by GISRA; and begin security reviews as soon as possible.

USE OF INTERNET ``COOKIES'' AND ``WEB BUGS'' RAISED PRIVACY AND SECURITY CONCERNS

We evaluated the use of persistent Internet cookies and web bugs by departmental Internet sites, as well as the adequacy of the privacy statements posted on the main web pages of the Department and its operating units. We conducted our evaluation in response to Public Law 106-554, the Consolidated Appropriations Act of 2001, which required the Inspector General of each agency to submit a report to the Congress disclosing any activity regarding the collection of information relating to any individual's access or viewing habits on the agency's Internet sites. Persistent Internet cookies are data stored on web users' hard drives that can identify users' computers and track their browsing habits. Web bugs are software code that can monitor who is reading a web page.
These technologies are capable of being employed in ways that could violate the privacy of individuals visiting the Department's web sites and can also pose security threats. Web bugs are considered security threats because they can perform malicious actions, including searching for the existence of specific information, such as financial information, on a user's hard drive, and downloading files from, or uploading files to, a user's computer. A web user would be unaware of the presence of web bugs without using detection software. Even if such software were used, the malicious actions performed by identified web bugs could go undetected. We found that most of the Department's Internet sites do not use either persistent cookies or web bugs. However, we did find several instances in which persistent cookies were being used without a compelling reason or the approval of the Secretary, as required by Department and OMB policy. We also found a number of web pages using web bugs. At the time we began our evaluation, the Department did not have a policy regulating web bug use, but it promptly developed and issued one when informed of the problem. Finally, we found that many of the operating units' privacy statements did not provide all of the information required by the Department's privacy policy. We recommended that the Department's CIO direct operating unit CIOs and senior management to implement a strategy to control the use of persistent cookies and web bugs and to certify annually that the operating unit is in compliance with the Department's applicable policies. We also recommended that the CIO direct operating unit CIOs and senior managers to revise their privacy policy statements to make them compliant with the Department's policy. The CIO's office agreed with our findings and worked with us to help ensure that the cookies we had identified were removed. 
The Secretary of Commerce's new Special Assistant for Privacy is working to remove all web bugs and develop a uniform privacy policy statement.

SYSTEMS SECURITY AUDITS OF DEPARTMENTAL FINANCIAL MANAGEMENT SYSTEMS REVEAL PROBLEMS

Our audits of Commerce operating units' financial statements, performed by certified public accounting (CPA) firms under contract with us, include security reviews of the Department's financial management systems and related networks that support the statements. Our CPA contractors use GAO's Federal Information System Controls Audit Manual (FISCAM) as a guide in performing these reviews. FISCAM provides guidance on assessing the reliability of computer-generated data that supports financial statements, including physical security and logical access controls designed to prevent or detect unauthorized access or intrusion into systems and networks. In 1999 we adopted a systems security review strategy that provides for full coverage of each financial management system and its related networks on a two-year basis. Every two years, a review addresses the six systems security areas identified in FISCAM: (1) entitywide security program planning and management, (2) access controls, (3) application software development and change control, (4) systems software, (5) segregation of duties, and (6) service continuity. In the alternate years, we routinely conduct penetration testing (in which someone playing the role of a hostile attacker tries to compromise systems security) and application-level testing. Review of the system environment for significant changes and follow-up on open recommendations occurs annually. The audits of operating units' individual fiscal year 2000 financial statements included reviews of the general system controls over the major financial management systems at the seven data processing locations.
In the reports on our audits of the Department's fiscal year 1999 and 2000 consolidated financial statements, we noted that these systems security reviews disclosed weaknesses in controls over major financial management systems at all seven locations that provide data processing support. Specifically, these reviews found that: 1. Entitywide security program planning and management needed improvement at all seven locations. This control is the foundation of an entity's security control structure and a reflection of senior management's commitment to addressing security risks. It is intended to ensure that security controls are adequate, consistently applied, and monitored, and that responsibilities are clear and properly implemented. 2. Access controls for both operating systems and the financial management systems needed strengthening at all seven locations, and monitoring of external and internal access to systems needed strengthening at five locations. These controls should limit or monitor access to computer resources to guard against unauthorized modification, loss, and disclosure. 3. Applications software development and change control needed improvement at four locations. These controls should help prevent the implementation of unauthorized programs or modifications to existing programs. 4. Systems software improvements were needed at four locations. Controls in this area should limit and monitor access to the important software programs that operate computer hardware. 5. Segregation of duties improvements were needed at five locations. Appropriate controls in this area include policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets. 6. To ensure service continuity, contingency plans needed to be prepared, updated, or improved at all seven locations. 
Appropriate controls in this area include procedures for continuing critical operations, without interruption and with prompt resumption of those operations, when unexpected events occur. Of particular note, among the weaknesses identified by the CPA firms in the area of entitywide security program planning and management, was the fact that formal comprehensive security plans either did not exist, were outdated, or were not approved for the major financial management systems and associated general support systems on which the applications were processed. In addition, risk assessments needed to be completed and approved, and security monitoring needed to be performed. At four locations, penetration testing was also performed on the network that supports the financial management systems to identify weaknesses in access controls. As part of the penetration testing, the CPA firms reviewed the adequacy of access controls, which include logical and physical controls. Logical access controls involve the use of computer hardware and software to prevent or detect unauthorized access, such as by hackers, to networks, systems, and sensitive files by requiring users to input user ID numbers, passwords, and other identifiers that are linked to predetermined access privileges. Physical controls involve keeping computers in locked rooms to limit physical access. The firms' penetration testing of logical controls found that in some cases:

- Open modems and ports were accessible to potential hackers.

- Sensitive information on websites was readily accessible.

- Sensitive active system services could allow unauthorized access, downloading of files, and gathering of information.

- Firewall configurations could allow a hacker to introduce a destructive virus.

In addition, physical access controls over networks and financial management systems needed strengthening.
For example, at one location, automated exterior locking systems had not been installed on doors to restrict access, and the key card lock for the data center's computer room was inappropriately placed on the inside of the door, rather than the outside. In addition, personnel did not consistently lock and secure their work areas. At another location, hardware that processed very sensitive information was located in an area accessible by numerous employees and contractors and was not segregated in an individually secure area. For fiscal year 2000, the CPA firms concluded that four operating units had system security weaknesses that rose to the level of ``reportable conditions.'' Taken together, these conditions, combined with the Department's lack of an integrated financial management system, constituted a material weakness in the audit of the consolidated financial statements. In our report on the audit of the consolidated statements, we recommended that the CIO's office continue to develop and implement a database for tracking and reporting on corrective actions planned and taken to address the outstanding general controls recommendations. We also recommended that the office review, monitor, and provide guidance to the reporting entities on their corrective actions planned and taken in response to our current and prior years' audit reports on general controls. We issued audit reports with recommendations to correct the control weaknesses identified at each of the seven data processing locations, and the operating units generally agreed with our recommendations. The Department and its operating units are required to provide us with audit action plans that address each of our recommendations. We have reviewed the plans submitted to date and concur with the actions taken or planned. Moreover, we are in the process of performing our annual follow-up of the adequacy of the corrective actions planned or taken. 
IT SECURITY ISSUES HAVE ALSO BEEN IDENTIFIED THROUGH OIG INSPECTIONS AND INVESTIGATIONS

We have also identified IT security issues through our inspections and investigative work. Our inspections unit, for example, conducted a 1999 assessment of the Bureau of Export Administration's (BXA) Export Control Automated Support System as part of a larger review of BXA's administration of the federal export licensing process for dual-use commodities. While we determined that most of the system's general and application controls were adequate, we found that BXA's IT security controls could be enhanced by improving database access controls, preparing a security plan, performing periodic security reviews, officially assigning the security duties to its security officer, providing all users with current security training, and restricting the number of BXA employees with file manager access. BXA management implemented some corrective actions immediately and agreed to take action on our other recommendations dealing with the IT security of its licensing system. We are also conducting a series of inspections of the National Weather Service's weather forecast offices (WFOs) that have identified a number of IT security issues that need to be addressed by local managers. Among other problems, we noted that one WFO we visited did not have a designated security officer, and office personnel did not follow the Weather Service's policy on IT security. We found other problems, which I cannot describe in detail in a public hearing, that highlight how vulnerable some systems can be without proper management attention. Fortunately, the Weather Service has greatly improved its IT security both locally and nationally since the start of our review. During the past nine months, we visited two other WFOs. Although we continued to identify some IT security problems, we have found that designated security officers have been named and are receiving necessary training on IT security.
More importantly, WFO personnel appear to better understand IT security concepts and requirements. IT security problems have also been identified through our investigative work. Through our OIG Hotline and other information channels, specific incidents or allegations involving IT security weaknesses, vulnerabilities, or threats have been brought to our attention and examined. For example:

- In one incident, a foreign hacker penetrated a network server and installed software without the knowledge of the system administrator. Had the software been activated, the server would have been prevented from performing its normal network services and would have been one of many computers simultaneously activated to overload a designated Internet site. As a result of the incident, the number of points of access to the network was reduced to a bare minimum, and existing monitoring software was activated.

- In another incident, a hacker caused extensive damage to an operating unit server, and it took more than 5 work days to repair the server and restore operations. Because the software on the server was destroyed, the system administrator was not able to determine how the attack had occurred. Security features were added when the software was restored, to reduce the risk of another shutdown.

- In a third incident, an after-hours contract cleaning employee used a computer that had not been properly secured to gain access to the Internet via a network system and view pornographic materials. Coordination with the contracting officer, property manager, and president of the contract company resulted in the employee's immediate removal from the facility contract and subsequent termination. In addition, the practice of routinely leaving the computer on overnight was discontinued.
ADDITIONAL OIG REVIEWS OF IT SECURITY MATTERS ARE EITHER UNDERWAY OR PLANNED

We are currently conducting IT security evaluations related to (1) the Economics and Statistics Administration's and the Census Bureau's preparation and release of the Advance Retail Sales Principal Economic Indicator, (2) the Department's classified information systems, and (3) the Department's IT security program and practices, as required by the Government Information Security Reform Act.

The objective of our security evaluation of the Advance Retail Sales indicator is to determine whether adequate internal controls and system safeguards are in place to prevent the unauthorized disclosure or use of the economic indicator data before its release to the public. We have found that employees dealing with the indicator do not always have appropriate background investigations and that their positions are not always assigned the appropriate level of risk as required by Title 5, Part 731, of the Code of Federal Regulations and OMB Circular A-130. In some instances, the Department's records did not identify the type of investigation done, if any, for personnel working on Principal Economic Indicators. We also noted a lack of guidance from the Office of Human Resources Management, as well as from the Office of Security, suggesting that the problems associated with assigning appropriate risk levels to positions and ensuring that background investigations are performed may exist throughout Commerce. We are conducting additional work to examine this issue.

Our review of the Department's classified information systems will assess the adequacy of its policies for protecting classified information and the effectiveness of its oversight of these systems.

The GISRA-mandated review is the annual evaluation of the Department's IT security program and practices. This evaluation will incorporate information from our security reviews, as well as results of related evaluations performed by operating units, GAO, and contractors.

We are also continuing our security reviews of Commerce's financial management systems and related networks as part of our fiscal year 2001 financial statements audits. These reviews will be in line with our IT security review strategy and will include penetration testing of the U.S. Patent and Trademark Office and FISCAM reviews for the other operating units.

The need for the OIG to provide oversight and evaluation of IT security will be increasingly critical in the coming years. Our independent evaluation of the Department's IT security program being performed under GISRA and our security reviews of the Department's financial management systems show that although the Department is giving greater attention to IT security, serious issues remain to be resolved. These issues appear to be the result of an earlier lack of attention to IT security, limited resources, and an environment in which the risks, threats, and vulnerabilities have continued to escalate in number and complexity. The weaknesses identified by GAO's recent network vulnerability analysis of the Department underscore our concerns.

In our independent GISRA evaluation for the next fiscal year, we plan to evaluate the effectiveness of operating unit IT security programs and to conduct security evaluations of specific general support systems and major applications. We will use the findings of our current GISRA evaluation and of GAO's security audit to assist us in identifying specific operating units, general support systems, and major applications to evaluate in the future.
COOPERATIVE EFFORTS NEEDED TO ADDRESS IT SECURITY WEAKNESSES

I am pleased to note that, just last month, my office entered into a memorandum of agreement with the Department's Office of the CIO and Office of Security to define our respective roles and responsibilities relating to the development, implementation, and management of the Commerce IT security program. This agreement is intended to promote a partnership among the three offices that both ensures complete coverage of IT security matters and prevents wasteful duplication of effort.

Under the agreement, the CIO's office has the basic responsibility for developing and implementing the Commerce-wide IT security program, which includes developing IT security policies and procedures, promoting IT security awareness and training, serving as the Department's critical infrastructure assurance officer, and convening a meeting of the incident response group when incidents or intrusions occur. Commerce's Office of Security has the primary responsibility for security for the Department's classified systems and, in conjunction with the Department of State, for IT security at Commerce overseas posts. My office is responsible for conducting investigations of IT incidents and intrusions, and for conducting reviews of the Department's IT security program and individual systems, including the annual independent evaluations of the program required by GISRA.

In closing, it is clear that cooperative, continuous, and concerted efforts are needed by each of us--and I mean each of us--if we are to address IT security weaknesses. These efforts are needed if we are to have any chance of staying at least one step ahead of the hackers and others that see IT security as some sort of cat-and-mouse game. I am confident that the senior management of the Department and its operating units increasingly recognize the need to take a proactive approach to do this. For example, the Secretary's recent directive increasing the authority of operating unit CIOs and making them a more integral part of the management team is an important initiative. Likewise, the recent appointment of a Senior Advisor to the Secretary for Privacy should be instrumental in addressing such issues as cookies, web bugs, and other security/privacy matters. And program officials are also being strongly reminded that they too have key IT security responsibilities and need to work closely with operating unit CIOs and security officials to ensure an effective security program.

We intend to continue our partnership with all of these managers by identifying weaknesses and potential vulnerabilities in IT security and by searching for ways to improve it. Through this relationship, I believe we can help strengthen IT security within the Department.

This concludes my statement. A list highlighting some of the reports we have issued that address IT security issues is included as an attachment. Mr. Chairman, I would be happy to answer any questions you or other members of the Committee might have.

Attachment

U.S. DEPARTMENT OF COMMERCE OFFICE OF INSPECTOR GENERAL

RECENT AUDIT, INSPECTION, AND EVALUATION REPORTS ON INFORMATION TECHNOLOGY SECURITY MATTERS

Evaluations

1--Office of the Chief Information Officer: Use of Internet ``Cookies'' and ``Web Bugs'' on Commerce Web Sites Raises Privacy and Security Concerns, OSE-14257, April 2001
2--Office of the Chief Information Officer: Additional Focus Needed on Information Technology Security Policy and Oversight, OSE-13573, March 2001
3--Office of the Chief Information Officer: Critical Infrastructure Protection: Early Strides Were Made, but Planning and Implementation Have Slowed, OSE-12680, August 2000
4--Bureau of the Census: Computer Security for Transmission of Sensitive Data Should Be Strengthened, OSE-10773, September 1998

Financial Statements Audits

[Note: These audits are performed annually; listed below are only the reports covering FY 2000. In addition, the reports on security reviews are not publicly available documents.]

5--Department of Commerce: Consolidated Financial Statements, FY 2000, FSD-12849-1, March 2001
6--National Institute of Standards and Technology, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12859-1, February 2001
7--Economic Development Administration, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12851-1, January 2001
8--Bureau of the Census, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12850-1, January 2001
9--National Technical Information Service, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12857-1, January 2001
10--Office of the Secretary, Follow-up Review of the General Controls Associated with the Office of Computer Services/Financial Accounting and Reporting System, FSD-12852-1, January 2001
11--International Trade Administration, Review of General and Application System Controls Associated with the Fiscal Year 2000 Financial Statements, FSD-12854-1, January 2001
12--National Oceanic and Atmospheric Administration, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12855-1, December 2000
13--United States Patent and Trademark Office, Improvements Needed in the General Controls Associated with Financial Management Systems, FSD-12858-1, December 2000

Inspections

14--National Oceanic and Atmospheric Administration: San Angelo Weather Forecast Office Performs Its Core Responsibilities Well, but Office Management and Regional Oversight Need Improvement, IPE-13531, June 2001
15--National Oceanic and Atmospheric Administration: Raleigh Weather Forecast Office Provides Valuable Services, but Needs Improved Management and Internal Controls, IPE-12661, September 2000
16--Bureau of Export Administration: Improvements Are Needed to Meet the Export Licensing Requirements of the 21st Century, IPE-11488, June 1999
17--Office of Security: Vulnerabilities in the Department's Classified Tracking System Need to Be Corrected, IPE-11630, March 1999

Mr. Greenwood. We thank you very much for your testimony, and we will be getting to questions shortly. Mr. Dacey.

TESTIMONY OF ROBERT F. DACEY

Mr. Dacey. Mr. Chairman and members of the committee, I am pleased to be here today to discuss our review of information security controls over unclassified systems at the Department of Commerce. As you requested, I will briefly summarize our written testimony.

At the seven Commerce operating units we reviewed, significant and pervasive computer security weaknesses place sensitive Commerce systems at serious risk. We demonstrated through commonly or readily available software and common techniques that individuals, both internal and external to Commerce, could gain unauthorized access to these systems and thereby read, copy, modify or delete sensitive financial, economic, personnel and confidential business data.
Moreover, intruders could disrupt the operations of mission critical systems, and due to poor incident detection capabilities, unauthorized system access may not be detected. As an illustration of these points, a recent media report announced the discovery of security vulnerabilities that allowed sensitive business information to be publicly accessed from a Commerce Web site, forcing the department to temporarily shut down a part of that site.

Our review identified vulnerabilities in four key areas.

First, controls intended to protect information systems and critical data from unauthorized access were ineffectively implemented, leaving systems highly susceptible to intrusions or disruptions. Specifically, management of user IDs and passwords, including those related to powerful system administration functions, was not effective. As you alluded to earlier, in many systems passwords were not required or were easy to guess. Also, bureau operating systems were not securely configured, including exposing excessive amounts of system information and allowing unnecessary or poorly configured system functions to exist. Further, none of the Commerce bureaus reviewed had effective external and internal network security controls. Our testing demonstrated that extensive unauthorized access to the department's networks and systems could be gained as a result of weakly configured external control devices, poorly controlled dial-up modems, and ineffective internal network controls.

Second, we found other significant weaknesses. Specifically, computer duties were not properly segregated to mitigate the risk of errors and fraud. Software changes were not adequately controlled to ensure that only authorized and tested programs were put in operation, and comprehensive and complete recovery plans were not developed to ensure the continuity of operations in the event of a service disruption.

Third, Commerce bureaus did not adequately prevent, detect, respond to, or report intrusions, providing little assurance that unauthorized attempts to gain access to its systems would be identified and appropriate actions taken in time to prevent or mitigate damage. For example, software updates to correct known vulnerabilities were not installed, tested bureaus were generally unable to detect our extensive intrusion activities, and in two instances when our activity was detected, Commerce employees inappropriately responded by launching attacks back against our systems. Moreover, these two incidents were not reported to the security managers of the various bureaus. Also, we identified evidence of hacker activity that Commerce had not previously detected on a system containing sensitive personnel information.

Fourth, and most important, Commerce does not have an effective, department-wide information security program, as Mr. Frazier earlier discussed, to proactively insure that sensitive data and critical operations are adequately protected. The lack of an effective security program is exacerbated by the highly interconnected nature of Commerce's systems. Key weaknesses existed in each of five critical areas.

First, there was lack of a strong, centralized management function to oversee and coordinate department-wide security activities.

Second, there was a widespread lack of risk assessment. For example, as of March 2001, of the bureaus' 94 sensitive systems we reviewed, 91 did not have documented risk assessments, 87 had no current security plans; and none were authorized for processing by Commerce management.

Third, there were significantly outdated and incomplete information security policies which did not reflect current Federal requirements in many important areas, had not been updated to reflect certain risks related to the Internet, and did not establish baseline security requirements for all systems.
Fourth, there was inadequately promoted security awareness and training. Although each of the bureaus had informal programs in place, none had documented computer security training procedures that meet Federal requirements to ensure that security risks and responsibilities are understood by all managers, users, and system administrators.

Fifth, there was a lack of an ongoing program to test and evaluate security controls. No oversight reviews of the bureaus' systems had been performed by either the staff of Commerce's information security program or six of the seven bureaus. There had been isolated tests at one bureau.

In a draft report to Commerce, we made recommendations, which are summarized in our written statement, to address these weaknesses. The Commerce Secretary's response stated that Commerce has developed and is currently implementing an action plan to correct the specific problems we identified.

Mr. Chairman, this concludes my statement. I would be happy to answer any questions that you or members of the committee may have.

[The prepared statement of Robert F. Dacey appears at the end of the hearing.]

Mr. Greenwood. I thank you, Mr. Dacey. And the full statements of both witnesses will be entered into the record.

Here is a question that I would like you each to respond to. Both of you used the term ``sensitive'' to describe the types of systems and the data at issue here. Can you be more specific with respect to the types of information that are susceptible to compromise and why it is that Congress and the American people should be concerned about these vulnerabilities?

Mr. Frazier. I will be happy to speak first. There are so many systems in the Department of Commerce that we view as sensitive. You can start with the Census Bureau, for example. The Census Bureau has lots of information that is protected by Title 13, and in fact, I have heard you speak to the concern about how the American public must come to trust and know that information that they share with us is going to be protected.

Mr. Greenwood. That was a huge issue in this whole last census exercise where so many Americans were reluctant to fill out long forms because of the fear of compromise in the integrity of the system. And, of course, we all assured them that that was not a problem.

Mr. Frazier. Yes. I should tell you that in 1998, in advance of the decennial census, we found an incredible vulnerability there, and we brought it to the attention of census managers, and that was handled as a red cover report for obvious reasons. The concern was that if that information got out, people would begin to question whether it was wise to send in information. It was just an oversight on the part of a security manager that we could not believe, something that we would think would be as obvious as this. I am not giving the details here for obvious reasons, but we were just amazed that something as basic as that could have that kind of potential consequence to the integrity of the system.

Mr. Greenwood. To interrupt you for a moment, is it conceivable that a hacker could go in through the Census Bureau to my Greenwood family long forms, Census form, and scan it and identify information as being responses that our family gave to the Census form?

Mr. Frazier. No. When we found this problem, fortunately it was before the decennial census. It was in doing the work we did for the dress rehearsal, and so we were able to plug that gap. Of course, once you brought that to the attention of the Department and Census officials, that was something that they were going to correct immediately. So that was not a problem there. But, again, I go back to tell you how something as important as that system would have been overlooked. You know, that was incomprehensible to us that that could be the case.

As we have gone in to look at the work at BXA, as you are aware, we have done quite a bit of work in BXA, and for many years, too many years, we have raised concerns about the adequacy of its ECASS system, which has the sensitive information on export controls, licensing requests. We have made recommendations----

Mr. Greenwood. Could you elaborate on why that is sensitive? What makes that particular information sensitive?

Mr. Frazier. Well, part of it is business proprietary from the standpoint if you are Company X and are getting ready to export radars to a certain country, you have to provide the department with certain information that they can use to assess your license request. In the process of doing that, that is information that you surely do not want your competitors to have. So that would be extremely sensitive.

Mr. Greenwood. You mentioned radar. I assume that could apply to other military equipment that is being exported, information that we would certainly not want some individuals or organizations to have ready access to, who might have an interest in intercepting that military equipment.

Mr. Frazier. As you know, Commerce handles what we call dual use items, which have both military and civilian uses, and so you are right on the money when you suggest that that is information that we would surely want to protect as much as we possibly can.

Mr. Greenwood. In fact, in the GAO report, it says sensitive data such as relating to national security, nuclear proliferation, missile technology, and chemical and biological warfare reside in the bureau system.

Mr. Frazier. Yes.

Mr. Greenwood. Mr. Dacey, would you like to elaborate on the same subject?

Mr. Dacey. Yes. Basically, in addition to the export license information we talked about, there is certain other information.
There is something called the safe harbor, which I alluded to in my oral statement, which is a method for filing to satisfy European Union privacy requirements, and by filing you demonstrate that you meet certain requirements and then can obtain certain personnel information and bring it back to your company. And that included information like revenue, you know, what companies are you doing business with, number of employees and such nature of information which was exposed as well.

There is, additionally, other information that the bureaus have on the personal side, and that would have to do with credit card information, for example the ESA subscription services. They collect credit card information. The bureau itself has data bases containing significant information on Commerce personnel, including various information, Social Security numbers, and that sort of thing. So there is a variety of information, including financial information, that is out there on the systems that are at Commerce.

Mr. Greenwood. And what about the ability to go through the Commerce Department systems? Is it conceivable that one could go through the Commerce Department's system and then thereby reach out to consulates, to our consulates around the world?

Mr. Dacey. One of the tests that we performed, we were able to--let me back up a minute. When we do our testing, our target or goal is to gain what we call administrative control of the systems we are looking at, and that means we could place ourselves in the position of system administrator and thereby do just about anything that we would want to do on that system, including reading files, copying files, deleting files, changing software, any number of things that a system administrator could do. We gained that level of access on several of Commerce's systems. Some of those allowed us to gain access to networks which went to the Foreign Commercial Service posts as well as the systems that contained some of this sensitive information.

Mr. Greenwood. And those consulates are, of course, in turn, interconnected to other sensitive agencies of the Federal Government so that it would seem to me to heighten the sensitive nature of this leak.

Mr. Dacey. We did not specifically look at the connectivity of those Commerce installations in foreign posts with other potential agencies, but that is an issue which might be explored in the future as another task.

Mr. Burr. Would the chairman yield?

Mr. Greenwood. Certainly.

Mr. Burr. What I understand your answer to be that you did not try to go outside of the Commerce system within the embassy?

Mr. Dacey. That is correct. We went to Commerce installations in the various foreign posts, and because that was the limit of our testing, we stopped at that point. We did not try.

Mr. Burr. If the focus at the embassies was to keep people out of their system, but not to limit their movement from within their system that they were in, had you tried you might have been able to go anywhere within the embassy system.

Mr. Dacey. It is hard to speculate where we could have gone, but if there was interconnectivity, we had significant rights on the system, Commerce's system. We just do not know what interconnectivity might exist.

Mr. Greenwood. The Chair's time has expired, and the chairman recognizes the chairman of the full committee for 5 minutes to inquire.

Chairman Tauzin. Thank you, Mr. Chairman. Mr. Dacey, I want to understand the concept of the weakness within the system, if you do not mind. In your testimony you state that the individuals both within and outside Commerce could compromise internal and external security controls to gain extensive unauthorized access. I want to know what you mean by ``extensive.'' Is that another term for what is called root access or total control of the systems?

Mr. Dacey. Right. That is what I was referring to as administrative level access on the networks. That is referred to as root access, and we were able to gain that level of access on several systems.

Chairman Tauzin. Now, you also state that the department was able to detect your extensive intrusion activities on only four occasions. How many intrusions should have been detected if they had had a good system in place?

Mr. Dacey. We attempted to scan over 1,000 system devices. So I do not say that they would detect all 1,000, but certainly we would have expected a significantly higher number of those attempts to be detected.

Chairman Tauzin. So you are saying 4 out of 1,000 were detected?

Mr. Dacey. Over 1,000.

Chairman Tauzin. Over 1,000?

Mr. Dacey. Yes.

Chairman Tauzin. What is that .4 of 1 percent, something like that were detected? So that in effect, if again my math is right, something like 99.6 percent of the intrusions were not detected.

Mr. Dacey. Something like that, yes.

Chairman Tauzin. That is purer than Ivory Snow. That is a huge number. It basically says that you could walk around undetected in cyberspace, in effect, within the department's data banks.

Mr. Dacey. Right. That is one of our concerns, as I said in my oral statement. There was actual hacker activity on one of the systems which we discovered, which Commerce was not previously aware of.

Chairman Tauzin. Can you give me a little more information about the fact that your auditors discovered the intrusion of a Russian hacker in the system? What exactly happened there? What was going on?

Mr. Dacey. We identified a server, a network server, and when we went in to start to explore it, we identified certain tools that were left behind by a hacker, and at that point in time we turned that over to the agency and suggested that they investigate the situation and resolve it and figure out what happened.

Chairman Tauzin. Well, did they find out what the Russian was up to?

Mr. Dacey. I believe, based on my recollection, the IG really followed up on the process afterward. I don't know if Mr. Frazier has any further information.

Chairman Tauzin. Could you tell us?

Mr. Frazier. Vladimir was his name.

Chairman Tauzin. Vladimir?

Mr. Frazier. Yes.

Chairman Tauzin. Good, old Vladimir. What was Vladimir doing in our data banks?

Mr. Frazier. We found out that he had hacked into a number of government systems.

Chairman Tauzin. Was he just having fun or was he up to mischief?

Mr. Frazier. Well, we could not determine that. He got into the system. He got into the systems at other agencies, and he did not do any major damage to our knowledge, but that is part of the problem. You do not know how long he had been there. You do not know what else he had----

Chairman Tauzin. Well, I mean, you detected only .4 of 1 percent. So he could have been all over the place, and if he did not drop a tool here or there, you may never know he was there.

Mr. Frazier. We would have never known he had been there.

Chairman Tauzin. So he could have been in a lot of other places that he did not leave his tracks, right?

Mr. Frazier. Yes. So what they will do is close that door.

Chairman Tauzin. That is right.

Mr. Frazier. But many other doors are left open.

Chairman Tauzin. Yes, let's talk about doors. One of the things you mentioned, Mr. Dacey, is the interconnectivity of the Commerce Department, the bureaus you reviewed. Interconnectivity is good, of course, in a sense because it allows all of the bureaus to share information and to relate to one another. It could be a problem if a hacker or Vladimir finds, excuse my expression, the weakest link in the system and through interconnection, he is everywhere, and then bye-bye, he is gone. Tell me about interconnectivity within the bureau, within the department, rather, among its bureaus.

Mr. Dacey. One of the issues is the interconnectivity between us. As you suggested, it is a good thing. It is used to communicate between the bureaus at Commerce.
One of the issues though is protecting those systems and that interconnectivity so that if someone gains unauthorized access to one bureau system, that there are measures to prevent them from going further once they are inside the network. What we found, in fact, was that some of the accesses that we obtained to some of the more sensitive information were actually through other bureaus that we----

Chairman Tauzin. So you actually did that. You found the weakest link, and then bingo, you had access to other information that you might not have directly been able to access, right?

Mr. Dacey. That is correct. When we identified these, again, our tests were not designed also to detect every vulnerability, but we found sufficient evidence to----

Chairman Tauzin. Well, I guess here is probably the most important question. Have you done enough testing to be able to advise the Commerce Department on how to seal those doors and how to protect against the Vladimirs of the world?

Mr. Dacey. We provided detailed out-briefings at the time that we performed our work in the field, and our understanding is that the agency has fixed some and is working on others, and that is consistent with their response to----

Chairman Tauzin. Was your testing complete?

Mr. Dacey. But that was what I was going to suggest, is that we do a limited amount of testing. We spent about, let's say on average, 2 weeks at each bureau, and we found sufficient vulnerabilities to support our conclusions. I would not aver that, in fact, we found all of the vulnerabilities. In fact, we did not find all of the vulnerabilities. One of the important steps that Commerce needs to take is really to develop an active testing program of their own and identify these vulnerabilities from a management viewpoint and fix them. We certainly did not find them all.

Chairman Tauzin. Mr. Chairman, one final thought, and I do not want to at all cast aspersions on either one of your operations because you do a very good job for us, but we heard from a lot of agencies that we are losing talented people, and they are reaching retirement age, and I assume that is true of your agency as well, that you are losing some of your best people. What we have learned in this area of the high tech commerce world is that some extraordinarily good people are the youngest people, and I just wonder, are you satisfied that within your ranks are, indeed, some of the brightest and most capable people who could be charged with determining whether we have left doors open and whether the systems are adequate or whether, in effect, we really know all the answers as to how inappropriate access can be obtained. I guess what I am asking you is: are we as bright within your agencies as the people out there, particularly the younger people who are coming up and know these kind of systems like the back of their hands? Are we as bright as they? And are we as capable as they in understanding what is possible when it comes to entries of access?

Mr. Frazier. Let me comment on that on a number of levels. First, I think that we recognize the need to go out and get new talent, if you will, to stay current with this. We are using contractors like never before because, as you point out, we cannot literally keep IT specialists. The private sector will hire them away very, very, very quickly. But at the same time, I am fortunate that I have an assistant IG for systems who I think is one of the best in government. She has brought a lot of people from the private sector, and we have been able to keep them. It is not easy, you know, but I think that that is something that we have worked very hard to do.

But I think that even more important is for managers to recognize that it is not just about the IT specialist or the security specialist.
It is about program officials taking responsibility for this. You know, you used the term ``weakest link,'' and it is exactly the word that describes the problem. I can put in the best system. I can hire the best people. I can get the best contractors, but then if I get an employee who decides that he or she is going to leave his system on overnight so that a cleaning person can access the system, as we found in one case, then it does not matter that I have hired the best and the brightest. So the goal here, I think, is to get managers in the Department of Commerce involved. That is why we are so impressed with the Secretary's recent memo that said to the Under Secretaries and others: This is your responsibility. When we issue our reports to the CIO or if I issue my report to the Director of Security, I am preaching to the choir at that point, but the reality is that I've got to turn around and talk to the people who run those systems, who do not understand, who do not see that information security is their responsibility. It is an awareness program. I have to tell you when you go in and you brief many senior officials and you start to talk about security reviews and doing quarterly reviews, their eyes kind of gloss over because it sounds so boring or that is ``not my responsibility.'' Quite the contrary, it is something that has not been taken seriously in the past, and until all of us, until everyone recognizes the role that they are charged with playing, I think that we are going to come back to you year in and year out with the same kinds of problems. That is my frustration. Chairman Tauzin. Very well said. Thank you, Mr. Chairman. Mr. Greenwood. I thank the chairman of the full committee for his participation and note that with his heavy schedule and six subcommittees to cover, it is impressive that he manages to come to each one of our hearings and spend the time. We appreciate it. The Chair recognizes the gentleman, Mr. Burr, to inquire. Mr. Burr. 
Thank you, Mr. Chairman. Mr. Dacey, I have seen a lot of folks behind you going like this. So I assume that they are part of the security analysis team, and let me thank them for their good work. But let me ask you a real important question. Are they the best that is out there?

I think we have a very good team actually, whether they are behind me or not.

Mr. Burr. And I am sure you do, and I thought of another way to ask it, and I could not think of it, but the likelihood is there is somebody out there that is going to be as good if not better.

Mr. Dacey. Our aggregate experience averages about 20 years per person on our staff doing this work at this point in time.

Mr. Burr. Well, then you may have the best.

Mr. Dacey. No, I do not profess we have the best. I do not think they would profess that, but we have some good folks here. The issues are in this whole environment that there are a lot of people who are out there that are finding these vulnerabilities and issues with systems that apparently have the time and abilities to go do that. We do not try to discover new ones. We just try to figure out if agencies have processes in place to find them and fix them, and that has been a challenge, and we have pursued that role to try to do that.

Mr. Burr. The question that I am trying to get answered: there are a host of folks in the world who have skills at least equal to the folks that conducted this review of the deficiencies and security at Commerce. Would that be safe to say?

Mr. Dacey. Yes.

Mr. Burr. So we have got an ever looming threat of people who want to get into these systems.
Now, I would assume that Commerce is probably linked to the Department of Energy, and if one could hack into Commerce, they might find their way at least to try to get into the Department of Energy, and if the Department of Energy had an area that might have a deficiency and they got into that, the Department of Energy is linked to the nuclear labs, and you follow the path I am going, that one could enter in Commerce and potentially end up in the Los Alamos system. Is that conceivable?

Mr. Dacey. We really did not look at that connectivity, but if, in fact----

Mr. Burr. If they were connected.

Mr. Dacey. And if it was not adequately controlled, yes, that is conceivable, but again, given the particular facts I do not know. We did not look at the interconnectivity of Commerce to other bureaus. So it is an issue, but I think it is one that has not been actively explored, and that is not just Commerce, but the interconnectivity between various bureaus. I mean there is some of that interconnectivity. When we do our work, we find connections to other bureaus routinely. We have not tested those because our work has typically been focused on the bureau that we have been looking at at that time.

Mr. Burr. And we know that employees of Commerce are paid by the United States Treasury. Therefore, there is probably a link to the Treasury, and because there is a link to the Treasury, the Treasury is probably linked to every other agency, and there might be a way to go that system and test numerous different agencies within the Federal Government.

Mr. Dacey. It depends on the connectivity and the controls. In some cases, for example, the information may, in fact, be just downloaded and pushed down to another entity. There may not be a live connection, and there are a lot of other things that go on. So I think though that that is an increasing risk because what we are seeing overall is more interconnectivity as time goes on. It is certainly convenient, and it saves time and cost.
At the same time, there need to be adequate controls in place to prevent someone from doing what you suggested.

Mr. Burr. And am I correct that a scenario like that could happen if you had one entry point that they could get into?

Mr. Dacey. In the situation, take Commerce, for example. As I said, some of our access to this sensitive data was obtained through other bureaus. So we were able to get in. Typically that is what we do. As I said before, we do not explore every conceivable opportunity to get into the systems because when we find one and gain the level of access we obtained----

Mr. Burr. You are completed.

Mr. Dacey. [continuing] we do not need to go further to do what we do. So there are definitely weakest link concepts that we talked about earlier that need to be protected against. I would also like to reiterate that most of our testing that we have done here is technical in nature. We have tools that are available to virtually anyone that can identify these types of vulnerabilities and tools to exploit them. What we have not done much of, one thing that the hacker community does, is something called social engineering, where they try to gain information like passwords and other information from employees, which is why employee awareness is very important as we talked about earlier. And so those are the issues. The weakest link might be someone answering a phone and saying, ``Yes, here is my password and user ID,'' and someone else using it to log onto the system, and if you get a little bit into the door, oftentimes you can get information, including network traffic, that has other passwords and escalate your privileges to the level we seek to obtain.

Mr. Frazier.
And, in fact, as part of our penetration testing for the financial statements, our CPAs did exactly that, called up, pretended to be the system administrator, told someone that they needed their password to get in, and the person gave it to them over the phone, and so we know that that has, in fact, happened. Your questions are right on the money. Those are the questions that the system administrators, that the program officials, and the security people should be asking every day. You should make the assumption that people are constantly trying to get into your system. And what is important is that you should make the assumption that they are trying to get into your system so that they can get into other parts of the Department of Commerce because you do not know what the interconnectivity is, and so until you do the extensive testing, which is seldom done at any agency, you have to make that assumption that this is happening on a continuous basis.

Mr. Burr. Let me ask you real directly, Mr. Frazier: do you know all the connectivity points?

Mr. Frazier. No. Right off the bat, no.

Mr. Burr. Is there anybody at the Commerce Department that does?

Mr. Frazier. And I would venture to say at this point, no.

Mr. Burr. So even if it was not a technical deficiency that we had, a simple password management problem might create access for somebody intending to enter the system and figure out where they can go.

Mr. Frazier. Yes.

Mr. Burr. Okay. Let me ask you real quickly. Your testimony seemed to rehash some of the issues covered in the 1999 report your office sent to then Secretary Daley. I believe, in fact, the report had your name on it, if I am correct.

Mr. Frazier. Yes, it did.

Mr. Burr. Why should we have confidence in your office's ability to ensure needed changes do take place, I guess, considering the fact that you have raised the issue? You have raised the issue. We know it has gone to the level of the Secretary, and we still have a problem.

Mr. Frazier.
It is an easy answer there. We identify the problems. We then report those problems to managers. We, as you know, report to the Congress also. We come to the Congress and tell them the same story. We send them our list of the top ten challenges. We sent that report up to the Hill. Unfortunately we have not been empowered with what I call the enforcement tool that says, ``You are going to put the resources into this area to develop it.'' If you use BXA, for example, you can go back 5 years and find out where the IG's Office--I was not the IG--recommended that that system be improved, that the system be updated. It identified many weaknesses as long ago as 5 years. In our 1999 report, we found a litany of problems, whereas we have checked recently and found out that about half of those issues have been addressed, but some of the most critical ones, the ones that say are you trying to see if people can penetrate your system, are you regularly developing the kinds of security plans that are required by the government rules and regulations, and the answer is still no. Now, we have not let that drop because we currently have an inspection team that is in there looking at the ECASS system again. And again we will take the message of our findings to the Congress, to the Secretary, and you hope that they will get the message. Again, I would go back and emphasize the program officials having the top responsibility for making sure that these are implemented. We have testified that in the case of BXA, that there should be additional funding to support the resources that were necessary to develop that system, and that's something that an IG usually does not do. We are usually trying to find ways to cut resources. But in that case, we went on record as saying, yes, we think that that system definitely needed to be upgraded. It needed additional support, and again, that's not an excuse. 
It says that this is the way it is in the sense that we do not have the authority, if you will, to go in and make somebody do anything. We can surely use the bully pulpit. That is why I am so pleased with this hearing today because it represents an opportunity for these issues to be aired. In fact, they should have long been done.

Mr. Burr. Well, we hope you will continue to speak very loudly on it and not wait for the invitations from us. I think you have gotten an administration that is very anxious to solve some of these problems. Both of you in your testimony, I think, alluded to one phrase that I found very interesting, excessive user privileges, and I remember when we were in the heat of the investigation at our nuclear labs. One of the problems that we found was the lack of different levels of security within the lab. We had adopted this policy in the early 1990's where rather than offend somebody, we sort of brought everybody in at the same status and never thought about the fact that that gave everybody the same type of access to the sensitive areas of a computer system, and that contributed to the potential nightmare that we saw. Does there exist a separation of individuals' levels of access that they can get in the Commerce system, or once you are in, you are in everything or you are only in a compartmentalized area?

Mr. Frazier. It is hard to generalize, but I can tell you examples where that has definitely been a problem in the Department of Commerce, without mentioning the bureau's name, where certain people who should have had the authority, for example, to only read information were inadvertently given the authority to not only read, but to alter the information. Now, that can have very dire consequences when you give 15 people access to a system that should not have access.
Now, what was equally troubling, of course, when we found this out, the second time what was of great concern to us, if they had done what I call the quarterly monitoring, if they had done the risk assessment, that is something that would have been identified, and again, managers too often think of this as just these requirements that really do not have any impact, and you cannot overemphasize that these are things that are put on the books for a very good reason. So the answer is yes.

Mr. Burr. Mr. Dacey?

Mr. Dacey. There are different levels of access that one can give to different systems. Our main target in our review is to try to get at the system administrator level of access, which is the one that should be fairly tightly controlled and limited to only a limited number of folks. So there is the ability to do that. What we found in Commerce though is not a regular review process, as was just discussed, to look at those and see if, in fact, they have been properly allocated to the right people. Additionally, we also found system administrator passwords and information in files in certain bureaus that would give us that ability. So even if we had not been given the direct access, we could have gained information that would have allowed us to log on or sign on at that level of access.

Mr. Burr. So that would sort of come under that header of password management problem?

Mr. Dacey. And how is it stored in the system.

Mr. Burr. I will ask one last question. The chairman has been very patient. Could we at least conclude that if an individual who had a password that allowed them the same access you were able to achieve as an administrator left the Department of Commerce, could we believe that their password would be canceled, altered, or are we convinced that they could not access the system when they left today?

Mr. Dacey. We did not specifically look at that at Commerce.
I know in other bureaus it is an issue of people revoking passwords on a timely basis, but I believe the IG has done some work in that area.

Mr. Frazier. Yes, there are cases where that does not happen. If you are in the private sector, my brother-in-law works for Cisco, and he points out that when you go in and tell them that you are going to leave, they change your password before you leave the room, terminating your access to the systems. We have people who have been out of the Department of Commerce for 3 years and who still we found have access to the system. That is unacceptable, absolutely unacceptable, you know.

Mr. Burr. I thank both of you. I yield back.

Mr. Greenwood. The Chair thanks the gentleman for his inquiry. The gentleman asked if you folks had the expertise. It is my observation that you do not need the smartest hackers in the world to get into a department who has a computer security system that is the cyberspace equivalent of the Keystone Cops. So I do not think you need to worry about what your capacity is.

Mr. Burr. Mr. Chair, could I say that I think Mr. Dacey has the smartest ones?

Mr. Greenwood. Both of you have also found in your respective audits a failure on the part of the Commerce bureaus to prepare risk assessments and security plans for their sensitive systems, including some that have been designated as critical to our national security. Is this just a paperwork problem, or should we be truly concerned about this lack of documented assessments and plans? Either gentleman.

Mr. Frazier. Well, see, I think that therein is part of the problem, is there are too many managers who perceive it as a paperwork exercise. This is just another checklist for us to go through. And I cannot overemphasize the importance of changing that thinking, establishing a different culture that says we need to do this, and it needs to be done on a regular basis. That is part of the problem, and again, I think I mentioned that.

Mr. Greenwood.
Let me ask this to both gentlemen. We have your official reports and so forth, but I also know that in some of these tests you gave advanced warning to the department that you were going to be doing this testing. I assume you had conversations with people in the department whose work you were examining and whose job--maybe you did not, but I would be interested in what those informal conversations were like. I mean, did people in the department say, ``Oh, God, you are going to look at our system, and I know you are going to find that it is awful and I am embarrassed,'' or, ``we are doing the best that we can, but we just are overworked. We will get to it?'' When you communicate with folks in the department whose job it is to set up these security systems, what kind of dialog is that? What has that been like?

Mr. Frazier. Well, when we do our penetration testing with the CPAs through the financial systems, we usually identify one bureau official who is sworn to secrecy and will work with us, but as I have pointed out, usually once you identify these problems, these are people who are in the systems business, who understand systems, and you are preaching to the choir. The message has to be conveyed to their supervisors, to the top officials to let them know that they have got to get the message out on a broader level. This is not just a problem for the accountants to worry about or the systems people to worry about or the security people to worry about. And traditionally that is what happens.

Mr. Greenwood. But I am talking about the people in the department whose job it has been to comply with the Federal law and to make sure that these systems are secure. When you communicate with them, have they said, ``Our hands are tied. We do not have the resources. We are not well trained enough. I do not have enough people?'' What do they say?

Mr. Frazier.
A number of things, but, in fact, I think that Bob alluded to the fact also that the department has agreed to implement the recommendations. We went back in preparation for this hearing and looked at the recommendations that we had issued, say, in the last 2 to 3 years in the areas of IT security, and almost without exception, I mean, let's say if there were 100 recommendations, there may have been 5 to 7 that the bureau said, ``We disagree with you on.'' So they give you the assurances that they are going to deal with this, and they send in what we call action plans to tell us how they propose to deal with it, but also, if you look at those audit action plans and inspection action plans, usually they raise questions about the limited resources that they have available to implement some of the recommendations. And then the other thing is that they, too, are faced with the problems of making sure that they have the talent to do this. Now, you take one bureau. I will not mention the name, that has plenty of resources, and they went out and hired a CPA firm to try and penetrate their system doing the exact same thing that we do or GAO would do, and any bureau can do that. In fact, most bureaus should have that as part of their risk management plan. So part of it does come down to resources, but, again, it comes down to a commitment.

Mr. Greenwood. But when they have complained about inadequacy of resources and they have asked for the resources, did you get a sense of how far up into the hierarchy? Did those requests go to the Secretary's level? Did the Secretary transmit those requests to the administration? Where was the weakest link, so to speak, in terms of the folks in the department or in the administration who failed to provide the resources?

Mr. Frazier.
I send all of my reports to the head of the bureaus, the Under Secretary level or the Assistant Secretary level, and any finding or observation that has IT security implications would have been sent to the department's CIO and to the department's Deputy Assistant Secretary for Security. So the report, the information has surely been made available.

Mr. Greenwood. And the problem, I think--correct me if I am wrong about this--but the CIO has a variety of responsibilities beyond. The security of the IT is a subset of the CIO's responsibilities; is that correct?

Mr. Frazier. Yes, that is correct.

Mr. Greenwood. Okay, and what were some of the other responsibilities of the CIO?

Mr. Frazier. One of the things I looked at, how long we have had IT security on our list of the top ten management challenges, and it has been about 1 1/2 years, and I asked my Assistant IG, ``Well, why didn't we have this on there earlier?'' Because we knew that there were problems. And she said, you know, a lot of times we forget that back in 1988 and 1989 most of us were preoccupied with the Y2K issues, which you know, we kind of forget. The concern was whether----

Mr. Greenwood. Do you mean 1988 or 1998?

Mr. Frazier. I am sorry. 1998.

Mr. Greenwood. Nobody was thinking about it in 1988.

Mr. Frazier. The concern was whether the systems were going to function literally, and so people were not worried about some of the details. And the other thing, if the truth be told, is these systems have become more sophisticated and more interconnected. This problem has grown, and I do not think that our interest and attention has kept up with the way that the system technology has grown, and so I think that that is part of the problem.

Mr. Greenwood. Mr. Dacey, do you have any other comments?

Mr. Dacey. No. I think it is a matter of emphasis. Some of the things that we have found is that for some of the bureau's security officers, it was a part-time duty.
They had other responsibilities even besides security management. They did not have a full-time security manager, even one in some bureaus. I think that is a major issue. In terms of thoughts, I know they had time to prepare, and I know in the process of doing our work things improved because they were aware we were there and we were certainly fixing issues. But when we raise these issues, they are generally not a big dispute, and generally the people we talk to appreciate the significance of the vulnerabilities that we highlight. So we do not have a lot of convincing to do. So the real issue is really focusing attention because I think if it was placed that they would be able to find the same kind of vulnerabilities that we find and use some of the same tools that we use to do that.

Mr. Greenwood. Mr. Frazier, in your financial control audits for fiscal year 2000, you looked at seven Commerce bureaus including NOAA, NIST, the Census Bureau, and others, and found that access control problems existed at all seven locations. Can you be more specific about what you mean by access controls?

Mr. Frazier. Well, we looked at the access controls at four of the seven, and what that means is that we were able to get into the system. I mentioned that we were able to get one individual system administrator to compromise his or her password. We also were able to get into the system in ways that we should not have been able to get into the system, and again, the CPAs use CyberCop and several other readily available software packages to try and do this penetration testing, and so it is not like they have some special techniques that need to be used, but in using what is readily available software, they were able to access these systems.

Mr. Greenwood. Do you believe that this represented a material weakness or a reportable condition under the relevant statutory authorities?

Mr. Frazier.
Well, they were reportable conditions, but of course, once you pull them together and we issued our consolidated reports for the Department of Commerce, we became concerned that it was a material weakness. Individually it may not have been a material weakness at the various bureaus, but again when pulled together and looked at together, it would be a material weakness.

Mr. Greenwood. Okay. A related question, again, for you, Mr. Frazier, and, Mr. Dacey, if you would like to comment, please do. GAO has testified that at the seven bureaus it reviewed, none of them had effective internal or external network security controls. It appears based on the body of IG audit work at other Commerce bureaus that there is nothing unique about these seven bureaus in this respect, and that in your opinion similar deficiencies either have been or would be found at virtually any Commerce bureau. Would that be a fair statement?

Mr. Frazier. Let me clarify one thing. GAO is looking at seven bureaus. We are looking at seven financial data centers. So we are talking about apples and oranges. There would be, for example, one financial data center, such as NOAA, and BXA would be the same one. So it is not the same seven. So when we talk about what we have found in problems at all of these seven locations, it is not the same seven. Okay?

Mr. Greenwood. But the problems are similar.

Mr. Frazier. The problems are definitely similar.

Mr. Greenwood. And there is no indication that anybody at the department level Commerce-wide had been creating security systems in other bureaus that would make the seven that you looked at unique.

Mr. Frazier. I'm sorry?

Mr. Greenwood. I am assuming that what you found in these seven bureaus and these seven centers, there is no reason for us to believe that they were unique. One would assume that----

Mr. Frazier. If you look at seven and you find----

Mr. Greenwood.
[continuing] the department as a whole allowed these weaknesses in these seven bureaus, there was nothing going on at the department at the topmost level that would have presented these weaknesses in other bureaus.

Mr. Frazier. Yes, I do not think so.

Mr. Greenwood. Mr. Dacey, any further comments?

Mr. Dacey. No. Just based upon a reading of some of the reports that the IG has issued, the nature of the vulnerabilities appeared to be similar.

Mr. Greenwood. Okay. We are about to hear from the new Deputy Secretary. Let me just ask you in his presence if you could make one recommendation, each of you gentlemen, what would be your most critical recommendation to the department?

Mr. Frazier. Well, I have had the pleasure of meeting with Deputy Secretary Bodman, and when we sat down at our first meeting, the first thing we talked about were the challenges facing the department. It was a lengthy meeting, and one of the things that I was encouraged about, as you know, he has an engineering background. He comes from the business sector. He comes out of the academic community, and it was very clear that he understands systems. But more to the point was getting the message out to the program officials to hold them responsible. I think often we look for very complicated fixes, and the point that I surely tried to convey to him, that part of this is an awareness program. And so there is a short memo that came out that said basically to the secretarial officers: you are now basically responsible for security in your agency. That will probably have a greater impact than putting an additional $2 million in every budget in the department. I mean if you begin to change that culture. So I am encouraged, is the word that I use, that I think he will bring a new dimension there.

Chairman Tauzin. Mr. Chairman.

Mr. Greenwood. The Chair recognizes the chairman.

Chairman Tauzin. Could I be recognized and strike the last word for a second?

Mr. Greenwood. The Chair yields to the gentleman.
Chairman Tauzin. I thank the gentleman. Mr. Chairman, I have to be at the White House in about 10 minutes for a cabinet meeting on global warming, and so I am going to have to leave right now, and I will not have a chance to visit with the witness from the Commerce Department, but I wanted to put on the record at this point my deep concern about the existence of ``cookies'' and Web ``bugs'' within the Commerce Department systems, and my concern that even now that the department is focusing on the existence of these ``cookies,'' that as the testimony indicates are there without a compelling reason and without the approval of the Secretary, that the department's CIO is now recommending a strategy to control the use of persistent ``cookies'' and Web ``bugs.'' My concern is that I think we ought to go further than that. My understanding of the policy of the government is that unless there is a very good reason for a ``cookie'' or a Web ``bug'' to exist on Federal sites, that we will have a very serious concern about Americans having to deal with these devices when they are sharing their information, as I said, involuntarily with the government. I can understand ``cookies'' and Web ``bugs'' on commercial sites that I enter voluntarily and choose to visit and do business with, but when American citizens are asked to involuntarily do their business with the government with the Internet only to find that we have permitted someone else, some other institution, perhaps not even a government institution, to be collecting that information for other purposes sometimes without the knowledge or consent of the citizens of this country, that raises grave concerns. When leader Dick Armey and I asked for a study by the GAO of the existence of security and privacy on Federal sites, we were appalled to find out; so was the Senate appalled to find out that there were so many ``bugs'' on the systems and so many ``cookies'' that were actually out there. We found one on an IRS site.
We found a ``cookie'' for a private enterprise concern in this country collecting information from citizens on an IRS site. Now, how abominable is that? It is bad enough having to deal with the IRS, but to think that the IRS is sharing our information with other people without our consent is outrageous. And so, Mr. Chairman, again, my apologies for having to leave because this is such a good hearing and it is such a serious focus of your oversight investigations work that I hate to leave it, but I want to leave it with this thought, and I hope the department witnesses are prepared to speak out forcefully about their intention about how they intend to deal with these ``bugs'' and this ``cookie'' problem. Americans ought not to have to be surprised to find out that private information is being shared by their own government with people they might not want to share it with. It is as simple as that.

Mr. Frazier. As you are aware, we did find 12 of them in the Commerce system, but to the department's credit, the Secretary has hired a special advisor for privacy. He has met with me and my systems people to ask about other particulars.

Chairman Tauzin. Well, you do not need an expert consultant to tell you that when we have got a Federal Trade Commission that is pounding on private companies in America to have good policies of disclosure to consumers about what they are gathering and how they are using that information, you do not need an expert to tell you there is something deadly wrong about the government doing it without consumers' permission, particularly when it is information, as I said, that we are sharing not necessarily of our own volition. And if consumers have questions about privacy in the commercial world, I can promise you their concerns rise to astronomical levels when it comes to information they are sharing with the government very often only because they have to.
So anything you can do to put a spotlight on this problem and anything the department can do to help us aggressively stop whoever it is in our government who thinks they have the right to do this without asking our consent as citizens of this country to allow others to come in and gather information about us without our consent, I hope you come down like a sledgehammer in your reports, and I hope the department comes down like a sledgehammer on any employee who thinks they have a right to do that without very important reasons that are well spelled out and well justified and approved at the top and with the disclosure to Congress of what is going on. And I thank you very much, Mr. Chairman.

Mr. Greenwood. I thank the chairman, again, for his participation and for his keen interest in this issue. And before I recognize Mr. Burr for inquiry, I had a question on the table, to which Mr. Frazier has responded, and before I go to Mr. Dacey, Mr. Frazier made reference to the memo dated July 27 from Donald Evans, the Secretary, on the high priority to information technology security. The Chair would, without objection, enter it and several other documents provided to us by the department for the official record. Mr. Dacey, if you would respond to the question about your No. 1 recommendation, then I would following that recognize the gentleman from North Carolina.

Mr. Dacey. I think it is important that a good foundation be established on which to build the future efforts to provide security at Commerce. There is currently an IT restructuring plan for IT overall, as well as a task force focused on computer security, and those groups are to provide recommendations and there are to be developed policies and procedures.
I think in doing so there is an excellent opportunity for the department to put together that strong foundation and support, and they should do so, including clarifying the roles and responsibilities of the various parties for security in the department, including the department-wide CIO, as well as the bureaus' CIOs. It is also important to provide accountability and make sure those people are accountable for providing security, and also in that process, address the resource issue to ensure that there are adequate resources put to bear to address the security issues. I think now is a critical time to do that, and it is important to proceed in that manner.

Mr. Greenwood. Thank you. Mr. Frazier, were you about to say something?

Mr. Frazier. No.

Mr. Greenwood. Okay. The Chair recognizes the gentleman from North Carolina.

Mr. Burr. Mr. Chairman, just for clarification if I could, Mr. Frazier, because in my last question you said that there had been instances where former employees' passwords stayed active in you said 3 years. Are there currently any former employees whose passwords are still active?

Mr. Frazier. I could not answer that, but I would make the assumption that the answer is yes because it is not something that I have monitored. If someone left yesterday, it is that kind of situation. The concern is that there is not a system in place that would check that with such regularity to make certain that it could not happen. You know, I could not say that it is, but I would be amazed that it is not.

Mr. Burr. Given your role, has a recommendation been made for a process to be set up to make sure that those passwords are eliminated? I mean, in the private sector they are eliminated as soon as you utter the words, ``I am leaving.''

Mr. Frazier. Yes.

Mr. Burr. I think one of you alluded to that.

Mr. Frazier. That is the recommendation that I would make.

Mr. Burr. It has been made or----

Mr. Frazier.
It has not been made, but it is interesting because I think I did not think of that until literally this morning. We raised the concern about people who had left, and we brought those to the attention, and we have a recommendation that says, on a bureau-by-bureau basis, that says when someone leaves, the password should be changed. And the question that I have to go to to look to see if we have elevated that to the CIO's office so that it could become a department-wide policy. It has been made at bureau level. Mr. Burr. I think you are going to get the answer. Mr. Frazier. Yes, it is at the bureau level as I have suggested. But it surely is one that should be made at the department level. Mr. Burr. I would hope before the end of the day that recommendation would be made. I thank you for the information. Thank you, Mr. Chairman. Mr. Greenwood. The Chair thanks the gentleman and wishes to thank both of the witnesses for your fine work, for your testimony, for your continued cooperation with this subcommittee. And allow me to thank both of your staff folks, those with you and those not with you, for the excellent service that they provide to the country. This is an issue that is in some ways obscure, but increasingly it becomes evident that this is so critical to our national security and to the confidentiality that our citizens demanded and have a right to, and so we thank you for your work and the work that you will do in the future. And we excuse you now. Mr. Dacey. Thank you. Mr. Frazier. Thank you. Mr. Greenwood. And call our next witness, who is the Honorable Samuel W. Bodman, Deputy Secretary for the Department of Commerce. He is accompanied by Mr. Thomas Pyke, the Acting Chief Information Officer. Welcome, Mr. Secretary. Welcome, Mr. Pyke. Thank you for being with us this morning. You are aware that the committee is holding an investigative hearing, and when doing so we have had the practice of taking testimony under oath. 
Do either of you have objection to testifying under oath? Seeing no objection, the Chair then advises you that under the rules of the House and the rules of the committee, you are entitled to be advised by counsel. Do you desire to be advised by counsel during your testimony? Mr. Bodman. No, sir. Mr. Greenwood. The gentlemen indicate negative in that case. If you would please rise and raise your right hand, I will swear you in. [Witnesses sworn.] Mr. Greenwood. So swearing, you are under oath, and you may now give your testimony, Mr. Bodman. Thank you, again, for being with us. TESTIMONY OF HON. SAMUEL W. BODMAN, DEPUTY SECRETARY, ACCOMPANIED BY THOMAS PYKE, ACTING CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF COMMERCE Mr. Bodman. Mr. Chairman, I appreciate the opportunity of being here. I have submitted my formal statement, and I will attempt to summarize it in the interest of time. I am accompanied today by Mr. Pyke, who is our Acting Chief Information Officer for the department. I will count on him for the answer to any technical questions that may come up, although he took on his role only recently. His background in security, I think, is notable--in particular, his having directed the National Institute of Standards and Technology's program for the development of governmentwide computer security standards and guidelines, which assignment he had prior to his becoming the CIO at NOAA. And then he was asked recently to take on the acting CIO job for the department as a whole. I can report to you that Secretary Evans and I are very concerned about the findings that have been reviewed this morning. I am as concerned as the committee, perhaps more so. I want to thank the committee, and I want to thank the GAO with sincerity, as well as the IG's Office for all of the hard work that they have done on this. I have had experience in my prior life of having managed IT security systems at both Fidelity and at Cabot Corporation, where I was previously employed. 
I appreciate the significance of this matter, and I hope that my previous experience will be of some value in dealing with these problems. Speaking for the Secretary and myself, we accept the findings of the GAO report, both specifically and as to their general causes. I do not have much more to say. The defense stipulates the evidence. We are here to assure you that we will work hard on dealing with these issues. You have alluded before to some of the actions that the Secretary has already taken to build a strong and effective IT security program. First, he has directed all of the Commerce agency heads to focus their personal attention on this matter. I think, as the Inspector General alluded to already, at least in the part of his discussion and testimony that I heard when I arrived, that this is really a matter of a general manager's responsibility, not the responsibility of the CIO. This is a general manager's job. It is my job. It is Secretary Evans' job, not Mr. Pyke's job. We hope to rely on him to help us get this done, but this is our responsibility, and frankly, I am embarrassed to be here in front of you to hear the nature of what we are dealing with. Mr. Greenwood. Mr. Bodman, how long have you been on the job? Mr. Bodman. Six days. Mr. Greenwood. You do not need to feel embarrassed yet. We will let you know. Mr. Bodman. I am sorry, sir, but that is just the nature of responsibility. We have it. It does not matter how long we have had it. We are here now, and it is our job. To be responsible for something that is in this great a difficulty is not something that I find a great deal of personal comfort in, however long I have been here. And I know I speak for the Secretary in this matter. He has ordered a department-wide IT restructuring plan. We referred to that. It features the department's Chief Information Officer. Mr. Pyke. 
This oversight function will ensure that appropriate action is taken at the agency level to implement new departmental IT policies. Mr. Bodman. In the past the departmental CIO apparently had relatively little management authority. We believe we have fixed that. In the past the policy seems to have stalled at times when it got to the agency heads, who had in their view more important matters. And I believe that the new priority the Secretary has given to IT security will be very helpful. The plan also gives each of our CIOs the authority to manage IT security, IT planning and operations, and IT capital investment review. This new approach is in sharp contrast to the old way of doing business, and as I said before, I think it will be helpful. Third, we have established an IT security task force chaired by Mr. Pyke that will work under my personal oversight. The task force will improve our IT security by developing a comprehensive department-wide plan. The task force is made up of individuals with a lot of expertise in this area, including people from NIST, which has had a governmentwide responsibility in this area in the past. We have also enlisted assistance from the National Security Agency, and we are grateful to the NSA that they have been forthcoming with personnel to be helpful to us in dealing with these matters. The new task force is already at work. They have met more than once, and they are working on a fast track to develop an effective security program for the department and to identify actions that we should take. We have already received some short-term recommendations, and these have been implemented. We are doing the best we can to get on top of the things that can be dealt with immediately and to bring these problems to a much higher level of consciousness among our managers. 
Furthermore, the program development task force will address the assessment of risks throughout the department and the means for providing security commensurate with those risks. They will provide a road map for updating our approach to security problems, develop an oversight process with compliance testing as a key component, and plan a department-wide IT security awareness training program. The task force is also addressing the specific issues that have been identified, including strengthening access controls. You have heard extensive discussion about that. We are working on it. The problem with this area involves more of a mind set--how everybody in the department feels about his or her responsibility for security. It is a challenge to deal with these matters because security is a personal responsibility, and it is something that is difficult at times. I would imagine that even the Congressman may find it difficult at times to change your password and make sure that it is updated. This is a natural, human problem. Certainly I find it a pain in the neck to have to change a password and then remember what my password is. Mr. Greenwood. It is impossible for me to do it. That is why I have a 15-year-old daughter to take care of that. Mr. Bodman. Well, you are way ahead of me, sir. In any event, it is something that we believe we can and will get started on, and it is that factor that makes it difficult to forecast exactly when we will be done. I guess the truth is we will never be done because this has got to be an ongoing effort. The Secretary and I are committed to supporting all of these efforts ourselves under the leadership of our agency heads and our CIOs, and we think that we will get there. And I want to thank you all for this opportunity of coming here and addressing this matter relatively early in my tenure. 
And I know I speak for the Secretary, since both of us have come from the private sector and have managed publicly owned companies, in saying that we recognize the kind of responsibility we have for the management of these systems and will do our best to get on top of these problems as quickly as we can. Thank you. [The prepared statement of Hon. Samuel W. Bodman follows:] Prepared Statement of Samuel W. Bodman, Deputy Secretary, U.S. Department of Commerce Good morning, Mr. Chairman. I appreciate this opportunity to discuss the Information Technology Security Audit of the Department of Commerce that was recently conducted by the General Accounting Office (GAO). Accompanying me today is Tom Pyke, Acting Chief Information Officer for the Department. Although Tom took on this role only recently, his information technology (IT) security experience includes directing the National Institute of Standards and Technology's (NIST's) program for the development of government-wide computer security standards and guidelines. Secretary Evans and I are very concerned about the findings of this GAO review because much of the work of the Department on behalf of our citizens depends on the quality and integrity of our data and IT systems. We thank the Committee and GAO for bringing this serious issue to the attention of the Department's new leadership. Having managed the IT security programs at Fidelity Investments and the Cabot Corporation, I appreciate the critical importance of IT security, and I trust that my management experience in this area will be of some value in meeting the challenges presented by the findings of the GAO review. Speaking for the Secretary and myself, we accept the findings of the GAO report, as to both the specific weaknesses identified in the audit and their underlying causes. 
To correct these security problems and prevent future incidents, Secretary Evans is acting to build a strong and effective Commerce IT Security Program and to correct the technical problems identified by the GAO audit. First, Secretary Evans has directed all Commerce agency heads to focus their personal attention on establishing IT security as a priority. Working in conjunction with their Chief Information Officers, they will allocate necessary resources to assure that the Department's data and IT systems are protected in order to avoid data loss, misuse, or unauthorized access, and to assure the integrity and availability of Commerce data. In this connection, the Secretary has also recently appointed a Senior Advisor for Privacy, another area important to overall IT security. Second, the Secretary has ordered the implementation of a Department-wide IT restructuring plan. The plan provides the Departmental Chief Information Officer (CIO) with the authority to guide individual agency CIOs as they address IT security problems. This oversight function ensures that appropriate action will be taken at the agency level to implement new Departmental IT policies. In the past, the Departmental CIO apparently had little management authority, and policy often stalled when it reached the agencies. I believe that the new priority given this matter by Secretary Evans and me, our agency heads and our CIOs will produce positive results. The plan also gives each of our CIOs the authority to manage IT security, IT planning and operations, and IT capital investment review. This new approach is in sharp contrast to the old way of doing business in which CIOs apparently were not key members of the Commerce management team. Third, Commerce has established an IT Security Task Force, which will work under my personal oversight. This Task Force will improve Commerce IT security by developing a comprehensive, Department-wide IT security program. 
The Task Force is made up of individuals with expertise in IT security management, including people from NIST, which has a critical Government-wide role in developing standards and guidelines for effective IT security programs. We also have enlisted the assistance of the National Security Agency. We appreciate NSA's willingness to share its institutional knowledge and leadership in this field as part of the Task Force. The new Task Force is already working on a fast track to develop an effective IT Security Program for the Department and to identify actions that Commerce should take quickly to bolster its IT security posture. These recommendations for short-term action will be made in the context of the Corrective Action Plans already developed by Commerce agencies in response to specific concerns identified in the GAO review. Furthermore, the program developed by the Task Force will address the assessment of risks throughout the Department and the means for providing security commensurate with those risks. The Task Force will provide a roadmap for updating the Department's IT security policies, develop an oversight process with compliance testing as a key component, and plan a Department-wide IT security awareness training program. The Task Force is also addressing specific issues, including strengthening access controls for the Department's IT systems, segregating assigned duties consistent with mitigating risk, and developing policies and procedures for authorizing, testing, reviewing and documenting software changes prior to implementation. Special attention is being given to network security, an area the GAO audit singled out in light of the Department's reliance on network connectivity to carry out its mission. The Task Force is designing recovery plans for the Department's sensitive systems; developing a Department-wide IT security incident detection and response process; and looking at other areas essential to a comprehensive Commerce IT Security Program. 
The Secretary and I are committed to supporting the efforts of the Commerce IT Security Task Force and to implementing its recommendations throughout the Department. Under the leadership of our agency heads and our CIOs, and guided by the efforts of this Task Force, we are confident that we are moving in the right direction, and that the Department's IT security program will be effective. Again, thank you for this opportunity to discuss the IT security initiatives underway at the Department of Commerce. Secretary Evans and I appreciate that effective IT security is vital to the Department's mission, and I am pleased that this important issue is among the first I have devoted my time and attention to after having been sworn in last week. I would be pleased to respond to any questions you may have. Mr. Greenwood. Thank you very much, Mr. Bodman. We are delighted to have you here. We are delighted to see the prompt response to an issue that this subcommittee thinks is crucial to our Nation's security, and we are very optimistic that in the short time you have been here you have recognized this problem, grappled with it, and are prepared, you as well as the Secretary, prepared to move the department in the right direction. Let me ask you a question. GAO notes in its testimony that IT management at the department has been very decentralized over the years, 14 different data centers, 20 independently managed E-mail systems, hundreds and possibly thousands of separate networks managed by individual bureaus or offices within bureaus and lots of different connections to the Internet, so much so that we are still not sure the department even knows about all of them. How would the reforms you have discussed this morning address what appears to be one of the fundamental problems preventing the department from implementing an effective security program? And, Mr. Pyke, if you would like to comment, you can do so as well. Mr. Bodman. 
Well, let me comment generally, and then I will ask Mr. Pyke to give you more factual information. First of all, I think that is an accurate statement. We have a very formidable task to bring to ground the management of the information systems that currently reside within the Commerce Department. The Commerce Department is difficult enough to manage because of the highly disparate nature of the various bureaus that reside therein. On top of that, we have a set of systems, most of which are interrelated, that have grown a bit like Topsy over the years and that do not use a common approach. And so we have had a department-wide effort to try to bring more common systems such that they can be managed in a more reasonable way, and that has been underway for some time. I will ask Mr. Pyke to speak to that. So we think that the competence and capability of this task force will enable us to start getting our arms around this issue, but I would be misrepresenting the facts if I were to tell you that we were going to be done in any short period of time. This is a long-time fix, and it will require our attention over many years, and we expect to put a program in place initially led by Mr. Pyke, and I hope led by him for many years, that will deal with it. Tom, do you want to speak to that? Mr. Greenwood. Let me insert another question, Mr. Pyke, that is related to that so that maybe you can answer both at the same time. And that is can you describe the number of Commerce personnel in these bureaus and at headquarters that are dedicated to computer security and their level of training and other job duties? So when you talk about what you are going to be able to do, also if you could tell us how well equipped you are in terms of person power. Mr. Pyke. Thank you, Mr. Chairman. 
The CIO management structure that has now been put into place and empowered by the Secretary and the Deputy Secretary, which includes the department level CIO and CIOs for each of the Commerce agencies, is now in the position to get on top of the extensive IT systems and networks that the department has. It is going to take a while to bring the necessary discipline in the area of IT security into the management of all of those systems and networks. It is important that at the departmental level we provide suitable guidance that is generic and strong guidance that provides a basis for the individual bureaus or agencies to get moving and to devote the necessary resources to IT security. As the Deputy Secretary said, the department's mission is broad, and the various agencies have diverse activities. And so it is important that each one of them have a CIO leader who I work very closely with, who is in a position to address the specific kinds of issues relative to IT security and IT management in general, on a continuing basis, that relate to that agency's mission and the kinds of systems they have. At the present time, we have a very small number of people at the department level devoted to IT security. We are increasing that number of people and the amount of contract support very substantially very fast. As was mentioned in earlier testimony, basically up until very recently we had a single person and a couple of assistants, and we are moving very fast now to bring on additional people and have already begun doing that. At the bureau level, some of the bureaus have a significant staff. At NOAA, for example, there are several people, about three government folks and several contractor folks who spend full-time on IT security, and there are dozens of others across the bureau that spend a lot of their time on IT security. 
One of the things we are going to be doing is to make sure that each of the bureaus has an appropriate number of individuals who devote their time to IT security and to managing the program and making sure all of the technical processes are in place. Mr. Greenwood. Let me ask you kind of an organizational chart question, a twofold question. First off, looking at your position, describe if you would all of your responsibilities to the extent that this computer security is a subset of your total duties. Do a similar explanation for us for the CIOs of the different bureaus, and then if you could explain to me, so I am interested in to what extent this is a subset of their duties, and explain to me what is changing, if anything, in terms of your ability to directly command, if you will, activities on the part of the CIOs at the various bureaus. Mr. Pyke. First, the general role of the CIO at the department level is to oversee all of the department's information technology activities, both its planning, development of policy at the departmental level, providing guidance relative to procedures, standards, and guidelines that need to be administered on a department-wide level, to monitor the compliance of the entire department, all of the bureaus with the policies, with the standards, with the guidelines. And with regard to IT security, that includes actually conducting compliance testing, including penetration testing of a kind similar to what both GAO and the Inspector General's Office have been doing, and in fact, that function we expect to be carried out also at the Bureau level. 
The planning functions of the CIO at the department level, as well as at the bureau level, include systematic review of proposals for new expenditures in IT, budget initiatives, review in terms of all the way from return on investment to consistency with our IT architecture, which guides our planning and guides our implementation of systems, to the plans for operating the systems and plans for implementing them, and nothing gets through our review without an IT security plan being an integral part of each proposal. We also carry out control reviews of ongoing information technology projects and programs across the department, and we are involved in evaluating after the fact how development efforts have gone and putting that information in the hands of the bureaus to build on. So at the department level it is policy, procedures, guidance, compliance testing. At the bureau level the CIOs also are responsible for any specialized policy guidance that is necessary, procedures that may be unique to the bureaus, with oversight of the operations of IT within each of those information technology computer systems and networks within each of the bureaus, and with making sure that the policies and procedures that are provided at the departmental level, and in part, provided on a Federal Government-wide level, are followed. We expect that the bureau CIOs will include compliance testing as part of their portfolio, too, and so what we will be doing at the departmental level will be to oversee them and, on a sampling basis, analogous to what the IG and what the GAO have been doing---- Mr. Greenwood. So it will be your responsibility to make sure the CIOs and the bureaus have the resources they need so that the buck will to some extent stop with you. If a bureau or CIO says, ``I am sorry that we are not doing the things that we should be doing. We do not have the resources,'' that is when they call you back, and then that is when Mr. Bodman decides whether he is embarrassed again. 
Mr. Pyke. Yes, except this time we have two things in place. No. 1, we have this strong directive from the top to the agency heads themselves to get on top of IT security and to put the necessary resources into it, and this should be a big help to each of the CIOs and provide their marching orders basically from the top. Second, you asked about the reporting relationship a moment ago. Each of the CIOs in the bureaus, each of those CIOs have a dual reporting responsibility. They report first to their agency head or the deputy head, and they also report to me. They also report to the Commerce CIO. And in fact, when it gets to the end of the year, I have a cut at their performance evaluation in collaboration with their line manager. So they receive guidance from the CIO. They receive direction from the CIO. They are evaluated, in part, in their performance through the CIO. And I'm in a position to help them get the resources they need. But the person in charge of the resources when it comes right down to it is their agency head, and the agency head has now received appropriate direction. Mr. Bodman. If I could add. Mr. Greenwood. Please, sir. Mr. Bodman. At the risk of contradiction, the buck stops at the Secretary. The buck stops with me, and it is our responsibility, and that is how every general manager must feel in order to make this work. And this system that has been put in place calls for this dual reporting that Mr. Pyke has referred to quite correctly, and it is the only way that I am aware of, at least from my prior experience, when you have a crucial staff function to have it work, whether it is financial reporting, whether it is safety management, whether it is environmental management. It has to be handled at the local basis with an empowered individual who works for the local management, but who is audited and advised by a central, capable person. That is Mr. Pyke. 
And we believe that that dual reporting and that dual responsibility will work, but make no mistake. The ultimate responsibility, sir, is ours. Mr. Greenwood. Very well. I appreciate that. I would like to ask about the broader question, Mr. Bodman, of critical infrastructure. This will be my last question, and just for your information, we are aware that you have a commitment at noon. Mr. Bodman. Thank you, sir. Mr. Greenwood. And we will get you out of here in about 15 minutes at the most. As I understand it, the department has assigned one person at the headquarters level to work on these critical issues with little or no support or funding to oversee the bureau's efforts to identify, assess, and then fix vulnerabilities in its critical systems. As you know, the IG issued a report last year on this topic which was critical of the lack of progress from the department's efforts to date. I want to read you some comments that were written by the department's CIO office in response to last year's IG audit of computer security policies and management. ``Given the lack of priority in funding by the Clinton administration in the area of critical infrastructure protection, we must disagree with the IG assertion that using information as security assessments scheduled to be performed on the department's critical infrastructure system would result in more systems being certified while realizing significant savings. In the event that the Bush administration raises the priority of critical infrastructure through the application of funding, we will take advantage of assessments gained through this avenue.'' What do you and the Secretary plan to do about this important issue, given that your department has so many systems and assets critical to our national and economic security and the health and safety of our citizens? Mr. Bodman. Well, I cannot speak to the views of the previous CIO. I have never met the gentleman. 
I can tell you that the approach that we have put in place that I have described will, in fact, deal with these issues. I do believe that these are crucial. I do believe that--I am not quite sure I understood the quote in its entirety, but I do believe that the efforts that we will put in will bear fruit. In my view this is not so much a matter of additional funding. We may find that we need additional funding, but this is more a matter of priority. This is more a matter of management. This is a matter of placing importance on this function at the proper level so that we can deal with it. That is what this is about. I do not think it is a matter principally of money, and so we can count heads. We can count dollars, and we may need additional heads and additional dollars, but this is more about the people understanding that this has to be dealt with. This is more a matter of the bureau heads of the bureau CIOs understanding that we will deal with this and that we are going to do it. Tom, do you want to add? Mr. Greenwood. The Chair recognizes the gentleman from North Carolina to inquire. Mr. Burr. Mr. Secretary, welcome. Mr. Pyke. Mr. Secretary, let me thank you for one thing. I have been on the oversight committee for 7 years. You are the first--my memory is not great. I do not know if I could remember my password--but you may be the first; I think you are the first person who has testified who has ever, one, taken responsibility regardless of how long they have been there and, two, not used funding as a reason why it could not be accomplished. So if you keep those two things in the right perspective, I have more confidence in any answer you can give me that we will make tremendous progress at closing some of the problems that we have got. Mr. Bodman. Thank you, sir. Mr. Burr. 
Let me ask you two fairly lengthy questions, and my purpose for doing it is that these might be areas that you have not looked at, and I would be remiss if I did not double check with both of you to ask on that short term list. Did password management make it on that list today? From the conversation I had with Mr. Frazier, is password management now on that very quick to do list? Mr. Bodman. Yes, it did. It sure did. Mr. Burr. Thank you. Mr. Bodman. Today it will be done. Mr. Burr. Let me discuss and focus on BXA for a minute, which is one of the more sensitive bureaus within the department and the subject of negative audits by both the IG and GAO. The IG issued a report in June 1999 regarding BXA's management of its computer system, particularly the ECASS system, which is the export control licensing system. At that time the IG found that BXA did not have a security plan for the system. The risk assessment was 5 years old, and BXA had not conducted a security review of this system since the last Bush administration, all of which had long been required under Federal law and under the policy directives. And let me say my understanding of ECASS, given the nature of the licensing process that goes on, is that other agencies with direct interest in that process would be electronically linked: Department of Defense, the State Department, possibly the intelligence community. I won't ask you to assess whether that system is air gapped in any way, but I would have some belief that it is probably not from some of the things that I have heard today. Therefore, I would think that it is very susceptible to a potential entry point that sends them into some of the most sensitive areas singularly through the ECASS system. In response to the department's pledge to undertake those efforts promptly, yet as I understand GAO found the same things with respect to the ECASS nearly 2 years later: still no security plan, no risk assessment, and no security review conducted. 
Do you know why these issues weren't addressed by now? And how can we be confident that the department will take seriously these issues in the future?

Mr. Bodman. First, I can tell you that we take it seriously. We take it so seriously that I am going to ask Mr. Pyke to give you a detailed answer rather than my trying to paraphrase what he told me before we walked in here.

Mr. Burr. Thank you.

Mr. Pyke. Mr. Burr, the problems with ECASS and the Bureau of Export Administration are being addressed, and they will be addressed even more intensively as we get the strengthened IT security program in place. As GAO conducted its audit, as they made specific findings of weaknesses, attempts were made on the spot, in a very short period of time, to correct those specific findings. The bureau has also prepared and put in place a corrective action plan that has attempted to address, either already in many cases, but certainly very quickly, all of the specific issues that GAO identified. As a part of the task force effort that we have now put in place at the department level, we are not only looking generically at computer security and all of the elements of a complete program, but we are looking at all of the specific findings of GAO and of the Inspector General over the last 2 to 3 years, to generalize on those, and to provide very quick advice and guidance to the bureaus, including the individuals in BXA responsible for ECASS. So all of the findings in each of the agencies can be responded to in a general sense by all of the bureaus. All of this is being applied toward ECASS, and I can assure you that attention is being given by the CIO in BXA and by us to the special concerns that have been expressed about ECASS, and some steps have already been made, as I say, some steps, and we will work with them to make sure that things are completely taken care of in an appropriate way and that adequate protection is in place relative to the risks that they are confronted with.

Mr. Burr.
I appreciate that answer, and I think you understand the sensitivity of where someone might venture if, in fact, the correct level of security does not exist within that system. Mr. Bodman, I note that NIST computer security personnel played a prominent role in your new task force, but I cannot help but be concerned about that, given that, despite its purported role as the government's expert on computer security, NIST itself fared rather poorly in the recent IG penetration test and was the subject of a repeat finding in 1999 and 2000 regarding the lack of security plans for its systems. In addition, the self-assessments that were performed by the bureaus last year revealed that NIST was just as bad as, if not worse than, most of the bureaus when it came to complying with the Federal guidelines on computer security, including those that NIST itself had crafted. Should we be concerned? If we were concerned before this hearing, should we be concerned after this hearing?

Mr. Bodman. That is not one I am going to burden Mr. Pyke with answering since at one point in his life he was responsible for the information operations at NIST.

Mr. Burr. That is why I directed the question to you.

Mr. Bodman. I think it is entirely consistent with what we have been saying. This is not a problem with technology. This is a problem with management. This is a problem with priority. And to the extent that this becomes a matter that the bureau manager feels a responsibility for, then it will be dealt with, and to the extent that it is not something that the bureau leadership feels responsible for, it will not be dealt with because it is not something that the human being naturally does. This is something that is easily ignored, just given the nature of the fact that we all like to do something. We all have our own jobs. The thing that gives me great pleasure each day is not worrying about my password management.
I have other things that I like to do that I am, I think, a little better at since I seem to have difficulty remembering the password from time to time. And so I think the fact that we are using the technical skills at NIST as a part of this is entirely understandable and bears no relationship to how that particular agency was evaluated with respect to the management of its information.

Mr. Burr. I thank you for that answer. As a member of this committee, my goal every year is the hope that I will not see the same witnesses on the same issue at any point in the future. That goal has not been fulfilled yet, but I have reason to believe that as it relates to the security issue and you being here, this might be the last time that we have this conversation, unless it is to report on the progress that you have made. I thank you.

Mr. Bodman. I thank you, sir.

Mr. Burr. Thank you, Mr. Chairman.

Mr. Greenwood. I thank the gentleman. And on that point, the report on progress, might we expect a report in 6 months from the department as to how you have responded to these issues?

Mr. Bodman. We would be happy to report, sir, whenever you wish.

Mr. Greenwood. Okay. We appreciate that. Again, thank you for your presence, for your testimony, for your good work. Welcome to Washington, and we look forward to working with you on a number of issues. Thank you again.

Mr. Bodman. Thank you very much.

Mr. Greenwood. This hearing is adjourned.

[Whereupon, at 11:45 a.m., the subcommittee was adjourned.]
[Additional material submitted for the record follows:]

[GRAPHIC] [TIFF OMITTED] T4853.001 through T4853.109 (109 pages of submitted material, reproduced in the printed hearing as images and not available in this text version)