[House Hearing, 112 Congress] [From the U.S. Government Publishing Office] THE DEPARTMENT OF HOMELAND SECURITY: AN ASSESSMENT OF THE DEPARTMENT AND A ROADMAP FOR ITS FUTURE ======================================================================= HEARING before the COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED TWELFTH CONGRESS SECOND SESSION __________ SEPTEMBER 20, 2012 __________ Serial No. 112-119 __________ Printed for the use of the Committee on Homeland Security [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Available via the World Wide Web: http://www.gpo.gov/fdsys/ _____ U.S. GOVERNMENT PRINTING OFFICE 81-128 PDF WASHINGTON : 2013 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON HOMELAND SECURITY Peter T. King, New York, Chairman Lamar Smith, Texas Bennie G. Thompson, Mississippi Daniel E. Lungren, California Loretta Sanchez, California Mike Rogers, Alabama Sheila Jackson Lee, Texas Michael T. McCaul, Texas Henry Cuellar, Texas Gus M. Bilirakis, Florida Yvette D. Clarke, New York Paul C. Broun, Georgia Laura Richardson, California Candice S. Miller, Michigan Danny K. Davis, Illinois Tim Walberg, Michigan Brian Higgins, New York Chip Cravaack, Minnesota Cedric L. Richmond, Louisiana Joe Walsh, Illinois Hansen Clarke, Michigan Patrick Meehan, Pennsylvania William R. Keating, Massachusetts Ben Quayle, Arizona Kathleen C. Hochul, New York Scott Rigell, Virginia Janice Hahn, California Billy Long, Missouri Ron Barber, Arizona Jeff Duncan, South Carolina Tom Marino, Pennsylvania Blake Farenthold, Texas Robert L. Turner, New York Michael J. Russell, Staff Director/Chief Counsel Kerry Ann Watkins, Senior Policy Director Michael S. Twinchek, Chief Clerk I. Lanier Avant, Minority Staff Director C O N T E N T S ---------- Page Statements The Honorable Peter T. King, a Representative in Congress From the State of New York, and Chairman, Committee on Homeland Security....................................................... 1 The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security.............................................. 3 Witnesses Mr. Richard L. Skinner, Former Inspector General, Department of Homeland Security: Oral Statement................................................. 5 Prepared Statement............................................. 7 Mr. Stewart A. Baker, Former Assistant Secretary for Policy, Department of Homeland Security: Oral Statement................................................. 14 Prepared Statement............................................. 15 Mr. Frank J. Cilluffo, Former Principal Advisory to Governor Tom Ridge, White House Office of Homeland Security: Oral Statement................................................. 20 Prepared Statement............................................. 22 Mr. David C. Maurer, Director, Homeland Security and Justice, Government Accountability Office: Oral Statement................................................. 30 Prepared Statement............................................. 32 Appendix Questions From Chairman Peter T. King for Richard L. Skinner..... 63 Questions From Chairman Peter T. King for Stewart A. Baker....... 64 Questions From Chairman Peter T. King for Frank J. Cilluffo...... 64 Questions From Chairman Peter T. King for David C. Maurer........ 65 THE DEPARTMENT OF HOMELAND SECURITY: AN ASSESSMENT OF THE DEPARTMENT AND A ROADMAP FOR ITS FUTURE ---------- Thursday, September 20, 2012 U.S. House of Representatives, Committee on Homeland Security, Washington, DC. The committee met, pursuant to call, at 10:07 a.m., in Room 311, Cannon House Office Building, Hon. Peter T. King [Chairman of the committee] presiding. Present: Representatives King, Lungren, Rogers, McCaul, Bilirakis, Miller, Walberg, Marino, Turner, Thompson, Jackson Lee, Cuellar, Richardson, Richmond, Clarke of Michigan, and Hahn. Chairman King. Okay. Good morning. The Committee on Homeland Security will come to order. The Ranking Member has been delayed, but he will be here. His staff has suggested that we start the hearing, since our witnesses are here. The committee is meeting today to examine the current state of the Department of Homeland Security--oh, the Ranking Member is here, thank you--and the solution to the future. I will now recognize myself for an opening statement. I want to thank each of the witnesses for being here today. I believe all of you have testified here before. Mr. Baker has done double duty, also, by being in the Department testifying and now coming back. He is also a noted author. Again, it is great to have all of you here today. This, I think we always try to keep this committee as bipartisan as possible. But I would say that today's hearing will probably be the essence of bipartisanship because everyone on the committee wants the Department to succeed. All of us believe that progress has been made. There are questions, of course, of where more progress can be made where there are still deficiencies. Each of you is an expert on the issues so we really look forward to your testimony. I know since September 11 we had four Islamist attacks or attempted attacks within the United States. In addition to that, there have been dozens of disrupted terrorist attacks against the homeland. Just in the last 2 years alone we have had a series of them, including bomb plots against the Capitol Building. There was a young man arrested in Chicago last week. So this is an on-going threat against the United States. I think the fact that none of these attacks has succeeded is at least partially due to the efforts of the Department of Homeland Security and also how it fits into the overall counterterrorism matrix that has been established since September 11. Now, the current unrest in the Middle East involving radicals and affiliates of al-Qaeda further underscores how threats from that part of the world impact our counterterrorism efforts to prevent weapons of mass destruction from getting into the hands of those who want to kill Americans in the homeland. Now, during the 112th Congress, this committee has examined a series of issues. Obviously, there was a lot of publicity and notoriety, or interest, in the hearings we had on the issue of radicalization in the Muslim-American community, steps to address the issue. But we also had a series of other hearings, including cybersecurity, hardening our critical infrastructure, protecting chemical facilities. The operations of TSA, Chairman Rogers has been especially active on that. That is an area of particular concern to us on both sides of the aisle as far as making the TSA more efficient and also more effective. Also, what it can do to, again, improve its image. Not in the sense of image, but in gaining the confidence of the American people, which it has not been able to do. Also, we have looked into issues regarding reforms to the Department--in its management, improve employee morale, cut red tape, save taxpayer dollars. Also emergency communications, the effective administration of Homeland Security grants, reduce our vulnerability to attacks on the homeland using IEDs such as the Times Square car bomb. Also the whole issue of border security along the land and maritime borders. We look forward to building on this oversight. But this hearing today, and your testimony, can, I believe, help guide us in the right direction and provide a more coherent framework for us. As we consider the road map for DHS, some of the questions we have is: How can the Department use scarce taxpayer dollars? Because unlike after 9/11, when basically the money that was felt was needed was given, the fact is that we do face budget restraints. I believe, in too many cases there has been too much money cut from the Department of Homeland Security. Whether I like it or not or the Ranking Member likes it or not, for the foreseeable future that is the reality that DHS is going to have to face. Even if the cuts are not as severe in the future as they have been over the last several years, it is going to be a very, very tight, tight budget no matter what. So how can the Department use the taxpayers' dollars more wisely? How effective are the Department's efforts to counter violent extremism? To what extent is DHS able to work with our allies overseas? To what extent have they become a player in the intelligence community, both here and overseas? Also, just what recommendations that you believe the Department should make to strengthen the overall homeland security of the United States. Now, there has been progress made in a lot of areas. I am sure you are going to touch on that, and all sides can agree that there has been progress made. Certainly involving FEMA, involving strategic and operational plans, allocating funding based on risk, raising public awareness about the importance of reporting suspicious activity. Yet there is so much more work to be done as far as integrating management functions, strengthening information technology and financial management, improving contracting and acquisition practices and controls, ultimately establishing a biometric exit screening system, securing the border using objective measures, enforcing penalties against immigration violators, exercising authority to secure chemical facilities, developing a risk-based approach to screening airline passengers, strategically managing risks and assessing program performance. Also, I think one thing we all agree on is that Congress has to undertake its own reform. If we are going to be able to effectively oversee the Department of Homeland Security, we can't have this number of committees and subcommittees-- depending on what number you want to use, it is in the eighties or nineties, it is more than 100 of committees, subcommittees-- commissions, boards that the Department has to report to, often giving the same testimony, just to a different set of Members of Congress; some of whom are just interesting in getting their spot on the evening news on a committee that has, at best, tangential association with the Department of Homeland Security. So that is really our burden and not yours. But any testimony you could give us to strengthen our case for both sides of the aisle would be greatly appreciated. So I want to thank all of you for being in here today. I look forward to your testimony. This will be, I assume, the last full committee hearing of the year; certainly until after the recess. I want to thank the Ranking Member. We haven't always agreed, but I believe we have been able to work in a collegial way. I say, that is all Members on the committee. Considering the divisions that there have been in Congress over the past 2 years, while maybe everything isn't perfect on this committee I think we can say we have done, I think, as well if not better than almost any other committee in Congress in trying to find ways to work together. So with that softball approach, I am recognizing the Ranking Member, the distinguished gentleman from Mississippi, for his opening statement. Mr. Thompson. Thank you very much, Chairman King. I do agree with you on your last statement. We, I think, have set the bar for a lot of other committees on our ability to work. I look forward to continuing to work with you on that. But there are differences, and I think from time to time those differences are reflected. But the greatness of this country is that people who differ can still come together for the common good. We do that. Again, thank you for holding this hearing. In March 2003 the Federal Government stood up the Department of Homeland Security in response to the separate 2001 terrorist attack. Today, the Department of Homeland Security is the third-largest agency in the Federal Government, employing about 220,000 people and operating both domestically and internationally. Prior to the September 2001, the United States used various approaches to handle catastrophic dangers, including National Guard involvement, law enforcement, and emergency management. But the events of 2001 forced us to begin a process aimed at the development of a cohesive homeland security policy. Over the last 10 years, the concept of homeland security has evolved and expanded. While the need to address terrorism remains central to our understanding of homeland security, we now understand that homeland security must include other catastrophic incidents. We must remain concerned about the risks that may threaten the lives of our people. But we cannot fail to recognize those things that may threaten the strength of our democracy, the vitality of our economy, as well as the continuation of public and private- sector activities that impact our daily lives. From critical infrastructure protection to cybersecurity, the evolution and expansion of our understanding of homeland security has required us to ask the Department about risk assessment, strategic development, and operational priorities. From my vantage point, the ability to come to grips with these questions of risk strategy and operations has formed a core of the Department's struggles as well as form the basis for its successes. So as we begin to discuss the Department's road map to the future, we must acknowledge that its presence on GAO's high-risk list remains a continuing cause for concern. The importance of the Department's high-risk designation, and its ability to implement its plans to resolve the transformation and integration issues that continue to hamper its development into a cohesive organizational unit, cannot be understated. For several years, I have noted the need to strengthen the ability of the under secretary for management to require and enforce uniform administrative practices and procedures through each component. It seems to me that the lack of power in the management office will continue to permit ineffective and inconsistent practices in procurement and personnel throughout the components. We see the results of these inconsistencies each time we learn about wasted money. We read about the fallout of these inconsistent practices every year when a Department ends up near the bottom of OPM's annual survey of employee satisfaction. So as we consider the road map forward, let us be sure to consider how the Department can achieve the mission, and improve its internal operations. The biggest challenge, however, is whether Congress will fully fund Homeland Security efforts as opposed to slashing the Homeland Security budget as proposed by the Majority. While the threat to homeland security has not diminished, the Department of Homeland Security has been required to do more with less. The fiscal 2012 Homeland Security appropriations short-changed homeland security from border security to aviation security, science, and technology. In particular, the management directorate and the budget environment for fiscal year 2013 has not changed. In fact, it may have worsened. I would like to also say at this point that Congress hasn't been really helpful in some of these situations because we have not, when I was chair--and now Chairman King, since he is back--been able to convince our leadership that a consolidated jurisdiction for the Department of Homeland Security would be in the best interests of this country. I think we still agree on that, right? Chairman King. Absolutely. Mr. Thompson. Okay. Just checking. So I want to make sure that everybody understands that as long as jurisdiction is split the Department is tasked with responding to over 100 committees and subcommittees on this Hill. That is just too much. So I look forward to hearing from our witnesses on these and other issues as we discuss the path forward for the Department. I yield back the balance of my time. Chairman King. I thank the Ranking Member for his statement and for yielding back. Also emphasize again that we stand as one on the whole issue of jurisdictional consolidation. It makes absolutely no sense, the current situation; absolutely none whatsoever. As I mentioned before, we are pleased to have a distinguished panel of witnesses before us today on this vital topic. It is, again, a privilege to have you here today once again. Let me begin with Mr. Richard Skinner, who was the first Senate-confirmed inspector general of the Department of Homeland Security. He served in that capacity from 2008 to early 2011. He has held managerial positions in various agencies throughout the Federal Government, including FEMA, the Department of Agriculture, the Department of Justice, the Department of Commerce and the State Department. In 1998, he received the President's meritorious executive rank award for superior accomplishment in management programs of the United States Government. I would just say, as Chairman and as former Ranking Member, your testimony before our committee has always been extremely helpful. I think we would agree, totally nonpartisan and in the best interests of the country. With that, the gentleman's recognized for 5 minutes. Mr. Thompson. If the gentleman will yield, we agree on that, too. [Laughter.] STATEMENT OF RICHARD L. SKINNER, FORMER INSPECTOR GENERAL, DEPARTMENT OF HOMELAND SECURITY Mr. Skinner. Well, thank you very much and good morning, Chairman King and Ranking Member Thompson. It is good to see everyone again. It is truly an honor to be here today, and I really thank you very much for this opportunity. Since its inception in 2003, the Department has worked to accomplish the largest reorganization of the Federal Government in more than a half a century. This task has presented many challenges. While it is making progress, the Department still has much to do to be a cohesive, efficient, and effective organization. Today, I would like to talk about four often-overlooked management support functions that constitute the platform upon which the Department's programs must operate and are critical to the successful accomplishment of the Department's mission. That is financial management, IT management, acquisition management, and grants management. Concerning financial management, in 2011 the Department was again unable to obtain an opinion on its financial statements. Numerous material internal control weaknesses were again reported. Although it has reduced the number of material weaknesses and has received a qualified audit opinion on its consolidated balance sheet and custodial activity, it is unlikely this progress will continue unless the Department modernizes its financial systems. Due to 2012 budget reductions--and also it looks like in 2013, as well--recent modernization initiatives have been on hold indefinitely. It is not clear now when the Department will resume its modernization strategy, nor is it clear whether these initiatives, if and when they are ever implemented, will ensure that financial management systems can generate reliable, useful, timely information for day-to-day decision-making. In the interim, the Department must continue to use archaic, unreliable systems to manage its financial resources. Also, the Department and its components are still struggling to upgrade and integrate their respective IT infrastructures. According to recent OIG reports as recent as this past July, program and field offices continue to develop information technology systems independently of the CIO, and have been slow to adopt the Department's standard information technology development approach. As a result, critical systems are not integrated, do not meet user requirements, and do not provide the information technology capabilities that agency personnel and its external partners both in the Federal Government as well as the State and local levels need to carry out critical infrastructures in a timely, effective, and efficient manner. With regard to acquisition management, Secretary Napolitano and her executive team have demonstrated a genuine commitment to improve the Department's acquisition management function. However, much work remains to be done. Most notably, the Department needs to identify and acquire the resources needed to fulfill its acquisition management responsibilities. The urgency and complexity of the Department's mission will continue to demand rapid pursuit of major investments in high- risk, complex acquisition programs. To effectively manage these large-dollar procurements, the Department will need a sustained commitment, increased resources, and smarter processes to administer and oversee the contractors' work. Finally, since its inception the Department has distributed over $18 billion through the Homeland Security Grant Program. Yet, according to an OIG report released earlier this year, the Department does not have a system in place to determine the extent that these funds enhance the State's capabilities to prevent, deter, respond to, and recover from terrorist attacks, major disasters, and other emergencies. Consequently, the Department has been awarding Homeland Security Grant funds to States each year for on-going programs without knowing the accomplishments from prior years' fundings or the extent to which additional funds are needed to achieve desired results. Strategic planning, performance measurement, and oversight are essential management controls to ensure that grant funds are used for their intended purpose and that enhancements in preparedness capabilities are being achieved. Otherwise, it is impossible to determine whether annual investments are actually improving our Nation's homeland security posture. In today's economic climate, it is critical that the Department concentrate its limited resources on those threats that pose the greatest threat to the country. In summary, it is evident that the Department's senior officials are well aware of these challenges and are attempting to remedy them. Yet they have actually made headway, Mr. Chairman, as you pointed out. The question is, however: Does the Department have the resolve and wherewithal to sustain those efforts? The ability of the Department to do so is fragile, not only because of the early stage of development of those efforts, but also because of the Government's budget constraints and the current lack of resources to implement planned corrective actions. In today's environment of large Government deficits and pending budget cuts, the new challenge will be to sustain the progress already made and, at the same time, continue to make necessary improvements. Unless the Department and Congress stay focused on these challenges, it will be harder than ever to facilitate solutions to strengthen the Department's critical management support functions and, ultimately, to ensure the success of the Homeland Security mission. Mr. Chairman, this concludes my prepared statement. I will be happy to answer any questions the committee may have. [The prepared statement of Mr. Skinner follows:] Prepared Statement of Richard L. Skinner September 20, 2012 Good afternoon, Chairman Rogers, Ranking Member Thompson, and Members of the committee. It is truly an honor to be here today to discuss what the Department of Homeland Security needs to do in the years ahead to become a more efficient organization. I thank you for this opportunity. Since its inception in 2003, the Department has worked to accomplish the largest reorganization of the Federal Government in more than half a century. This task, creating the third-largest Cabinet agency with the missions of protecting the country against another terrorist attack, responding to threats and hazards, ensuring safe and secure borders, welcoming lawful immigrants and visitors, and promoting the free flow of commerce, has presented many challenges. While the Department has made progress over the past 9 years, it still has much to do to establish a cohesive, efficient, and effective organization. The OIG's latest major management challenges report, dated November 10, 2011, continues to address a broad range of issues, including both program and administrative challenges. In total, the OIG identified nine categories of challenges: Financial Management, Information Technology Management, Acquisition Management, Grants Management, Emergency Management, Infrastructure Protection, Border Security, Transportation Security, and Trade Operations and Security. These are essentially the same management challenges that the the OIG reported as early as 2005. Today, I would like to talk about four of those management challenges:Financial management, Information technology management, Acquisition management, and Grants management. These management support functions constitute the platform upon which the Department's programs must operate and are critical to the successful accomplishment of the Department's mission. Some of these challenges were inherited by the Department from the legacy agencies. Nevertheless, the complexity and urgency of the Department's mission have hampered its efforts to make sustainable progress in implementing corrective actions. Senior officials at the Department recognize the significance of these challenges and understand that addressing them will take a sustained and focused effort. They have, in fact, taken actions over the past several years to implement, transform, and strengthen the Department's management support functions; albeit, in my opinion, at a snail's pace. financial management Financial management has been and continues to be a major management challenge for the Department since its creation in 2003. In fiscal year 2011, the Department was again unable to obtain an opinion on its financial statements, and numerous material internal control weaknesses were again reported. These weaknesses, due to their materiality, are impediments to obtaining a clean opinion and providing positive assurance over internal controls at the Department level. The Department has made progress from its early days, however. It has reduced the number of material weaknesses in internal controls from 18 to 5. It also received a qualified audit opinion on its consolidated balance sheet and custodial activity for the first time in fiscal year 2011. Unfortunately, unless the Department modernizes its financial systems, it is unlikely this progress will continue. The Department twice unsuccessfully attempted to implement an integrated Department-wide financial management system, wasting millions of dollars. In 2007, the Department ended its first attempt, the Electronically Managing Enterprise Resources for Government Effectiveness and Efficiency system after determining it would not provide the expected functionality and performance. In 2011, the Department decided to change its strategy for financial system modernization. Rather than implement a Department-wide integrated financial management system solution, the Department decided to take a decentralized approach to financial management systems modernization at the component level. Specifically, the Department reported in its December 2011 strategy that it plans to replace financial management systems at three components it has identified as most in need, e.g., FEMA, USCG, and ICE. However, due to fiscal year 2012 budget reductions, these initiatives have been put on hold indefinitely. It is now not clear when the Department will resume its modernization strategy, nor is it clear whether this new, decentralized approach, if and whenever it is implemented, will ensure that components' financial management systems can generate reliable, useful, timely information for day-to-day decision making; enhance the Department's ability to comprehensively view financial information across the Department; and comply with related Federal requirements at the Department and its components. In the interim, the Department must continue to use archaic, unreliable systems to manage it financial resources, which is unfortunate, particularly in this day and age of budget austerity and the public demand for increased fiscal transparency and accountability. information technology management According to recent OIG and GAO reports, DHS and its components are still struggling to upgrade or transition their respective IT infrastructures, both locally and enterprise-wide. Integrating the IT systems, networks, and capabilities of the various legacy agencies to form a single infrastructure for effective communications and information exchange remains one of the Department's biggest challenges. For example, on October 20, 2011, the Assistant IG for Emergency Management Oversight, Matt Jadacki, testified that FEMA's existing information technology systems do not effectively support disaster response activities. FEMA has not completed its efforts to establish an enterprise architecture, and its IT strategic plan was not comprehensive enough to coordinate and prioritize its modernization initiatives and IT projects. The plan did not include clearly-defined goals and objectives, nor did it address program office IT strategic goals. Without these critical elements, FEMA is challenged to establish an effective approach to modernize its information technology infrastructure and systems. According to Mr. Jadacki, there is not an adequate understanding of existing information technology resources and needs throughout the agency. Specifically, FEMA's Office of the Chief Information Officer (CIO) does not have a complete, documented inventory of systems to support disasters. Further, program and field offices continue to develop information technology systems independently of the CIO and have been slow to adopt the agency's standard information technology development approach. As a result, systems are not integrated, do not meet user requirements, and do not provide the information technology capabilities agency personnel and its external partners need to carry out disaster response and recovery operations in a timely, effective, and efficient manner. Furthermore, according to a report issued recently by GAO, FEMA does not have an effective system to manage flood insurance and claims data, although it invested roughly 7 years and $40 million on a new system whose development has been halted because it did not meet users' needs. Most recently, on June 29, 2012, the Assistant IG for Information Technology Audits, Frank Deffer, reported that the information technology environment and the aging IT infrastructure within CBP does not fully support CBP's mission needs. According to Mr. Deffer, interoperability and functionality of the technology infrastructure have not been sufficient to support CBP mission activities fully. As a result, CBP employees have created workarounds or employed alternative solutions, which may hinder CBP's ability to accomplish its mission and ensure officer safety. Similar problems also have been reported at the Coast Guard, Citizen and Immigration Services, Immigration and Customs Enforcement, and Secret Service. Technical and cost barriers, aging infrastructure that is difficult to support, outdated IT strategic plans to guide investment decisions, and stove-piped system development have impeded the Department's efforts to modernize and integrate its IT systems, networks, and capabilities. Information Sharing The Homeland Security Act of 2002 makes coordination of homeland security communication with State and local government authorities, the private sector, and the public a key Department responsibility. However, due to time pressures, the Department did not complete a number of the steps essential to effective planning and implementation of the Homeland Security Information Network (HSIN)--the ``sensitive but unclassified'' system it instituted to help carry out this mission. For example, the HSIN and the Homeland Security State and Local Community of Interest systems, both developed by DHS, are not integrated. As a result, users must maintain separate accounts, and information cannot easily be shared across the systems. State and local fusion center personnel expressed concern that there were too many Federal information sharing systems that were not integrated. As such, effective sharing of the counter-terrorist and emergency management information critical to ensuring homeland security remains an on-going challenge for the Department. Resources, legislative constraints, privacy, and cultural challenges--often beyond the control of the Department--pose obstacles to the success of the Department's information-sharing initiatives. On a broader scale, the Department is also challenged with incorporating data mining into its overall strategy for sharing information to help detect and prevent terrorism. Data mining aids agents, investigators, and analysts in the discovery of patterns and relationships from vast quantities of data. The Homeland Security Act authorizes the Department to use data mining and tools to access, receive, and analyze information. However, the Department's data mining activities consist of various stove-piped activities that use limited data mining features. For example, CBP performs matching to target high-risk cargo. The Secret Service automates the evaluation of counterfeit documents. TSA collects tactical information on suspicious activities. ICE detects and links anomalies indicative of criminal activity to discover relationships. Without Department-wide planning, coordination, and direction, the potential for integrating advanced data mining functionality and capabilities to address homeland security issues remains untapped. acquisition management DHS has taken notable action to implement, transform, and strengthen its acquisition management capabilities. During my tenure as the IG of the Department, the Secretary and Deputy Secretary of Homeland Security, and other senior officials demonstrated a genuine commitment to improve the Department's acquisition management function. In its December 2011 strategy for high-risk management, the Department presented detailed plans to address a number of acquisition management challenges. However, much work remains to fully implement these plans and address these challenges. Most notably, the Department needs to identify and acquire the resources needed to implement its acquisition policies. OIG and GAO audits over the past 9 years have identified problems related to acquisition oversight, cost growth, and schedule delays, resulting in performance problems and mission delays, as illustrated by the problems the Department experienced with the Coast Guard's Deepwater program, CBP's SBINet program, FEMA's flood map modernization program, and the CFO's financial systems consolidation initiatives. Each of these efforts failed to meet capability, benefit, cost, and schedule expectations. For example, in June 2010 my former office reported that over half of the programs we reviewed awarded contracts to initiate acquisition activities without component or Department approval of documents essential to planning acquisitions, such as mission need statements outlining the specific functional capabilities required to accomplish DHS' mission and objectives; operational requirements; and acquisition program baselines. Additionally, the OIG reported that only a small number of DHS' major acquisitions had validated cost estimates. The urgency and complexity of the Department's mission will continue to demand rapid pursuit of major investment programs. Between fiscal years 2003 and 2010, the Department spent about 40 percent of its budget through contracts. Although that figure may have decreased over the past 2 years, the Department will continue to rely heavily on contractors to accomplish its multifaceted mission and will continue to pursue high-risk, complex acquisition programs. The Department must have an infrastructure in place that enables it to effectively oversee the complex and large-dollar procurements critically important to achieving its mission. Both the OIG and the GAO have reported that the Office of the Chief Procurement Officer needs more staff and authority to carry out its general oversight responsibilities. The GAO recommended that the Department provide the Office of the Chief Procurement Officer sufficient resources and enforcement authority to enable effective, Department-wide oversight of acquisition policies and procedures. The OIG made a similar recommendation. Common Themes in Audits of Department Contracts Over the past several years, the OIG and GAO conducted numerous audits of individual Department contracts, such as TSA's information technology services, CBP's SBInet program, the Coast Guard's Deepwater program, and FEMA contracting. Common themes and risks emerged from these audits, primarily poor planning, the dominant influence of expediency, poorly-defined requirements, and inadequate oversight that contributed to ineffective or inefficient results and increased costs. To ensure that its acquisition programs are successful, the Department must lay the foundation to oversee and assess contractor performance, and control costs and schedules. This requires a sustained commitment, increased resources, and smarter processes to administer and oversee the contractors' work. FEMA Procurements The Assistant IG for Emergency Management Oversight, Matt Jadacki, testified on October 20, 2011 that FEMA has developed and strengthened acquisition management policies and processes, but it continues to face challenges. For example, weak internal controls have resulted in multi- million dollar contracts with vague and questionable requirements and no performance measures. Agency employees responsible for managing and monitoring the contractors do not always receive written guidance or training on how to evaluate contractor performance or certify billing invoices. Continued improvements are needed in FEMA's oversight of contracts. During my tenure as the IG, my office issued several reports recommending improvements to FEMA's acquisition processes. Those recommendations have resulted in policies and procedures on contract closeout, transferring contract files from one contracting officer to another, and labeling and organizing contract files so all contract actions are properly documented. In fiscal year 2010, FEMA deployed Disaster Assistance Employees to accelerate contract closeout efforts for the Disaster Relief Fund, de- obligating $1.2 billion. These contract closeout efforts continue annually and are in direct response to an OIG recommendation. I was pleased to learn that FEMA has created Disaster Acquisition Response Teams, whose focus on contract administration and oversight of large disaster contracts is much needed. My office also reported FEMA's need for an overarching sourcing strategy. Headquarters, regional, and local FEMA representatives were ordering goods without communicating with their counterparts at other locations. This resulted in goods ordered that were not needed, purchased from the wrong source, or at the wrong time. My former office recommended that FEMA adopt the single-point ordering concept, to coordinate all sourcing decisions through the Logistics Section. As a result of this recommendation, FEMA piloted the single-point ordering concept during its response to Hurricane Irene. Strategic Sourcing The Department can improve management of its strategic sourcing. In March 2011, the OIG reported that the Department did not have a logistics process in place to facilitate strategic sourcing of detection equipment. Strategic sourcing would require that management standardize equipment purchases for explosive, metal, and radiation detection equipment; identify common mission requirements among components; and develop standard data elements for managing the inventory accounts of detection equipment. Improving its management of detection equipment will offer the Department opportunities to streamline the acquisition process and improve efficiencies. Acquisition Workforce DHS made progress in the recruitment and retention of a workforce capable of managing a complex acquisition program. At the time of my retirement on March 1, 2011 the number of procurement staff had more than doubled since 2005. In addition, participation in the Acquisition Professional Career Program, which seeks to develop acquisition leaders, increased 62 percent from 2008 to 2010. Nevertheless, DHS continues to face workforce challenges across the Department. For example, according to GAO, the Coast Guard reduced its acquisition workforce vacancies from approximately 20 percent to 13 percent, and had filled 832 of its 951 acquisition positions as of November 2010. Although acquisition workforce vacancies have decreased, program managers have on-going concerns about staffing program offices. Also, according to its August 2010 human-capital staffing study, program managers reported concerns with staffing adequacy in program management and technical areas. To make up for shortfalls in hiring systems engineers and other acquisition workforce positions for its major programs, the Coast Guard must use contractors. Likewise, according to the OIG's Major Management Challenges report, dated November 2011, acquisition staff turnover in FEMA has exacerbated file maintenance problems and resulted in multimillion- dollar contracts not being managed effectively or consistently. One of FEMA's challenges is hiring experienced contracting officers to work disaster operations. The majority of FEMA staff at a disaster site work on an on-call, intermittent basis, and, oftentimes, they lack the training and experience to manage large disaster response and recovery contracts. FEMA also has made great strides in improving its contracting officer's technical representative (COTR) cadre. FEMA has designated staff to oversee the COTR program; developed a tiered system which ties training requirements to dollar values of contracts a COTR can monitor; and established an intranet site containing tools for COTR use. However, many trained COTRs have never been assigned a contract and are unsure of their ability to be effective. And, although they represent the contracting officer, the COTRs' appraisals are completed by their supervisors in the program offices for which they work, rather than the applicable contracting officer, thus leading to divided loyalties. Finally, the Department has not fully planned for or acquired the workforce needed to implement its acquisition oversight policies. According to a GAO report issued in February 2011, the Department needs to continue its efforts to: (1) Identify and acquire resources needed to achieve key actions and outcomes; (2) implement a program to independently monitor and validate corrective measures; and (3) show measurable, sustainable progress in implementing corrective actions and achieving key outcomes. The Department needs to demonstrate sustained progress in all of these areas to strengthen and integrate the acquisition management functions throughout the Department. Knowledge Management and Information Systems According to the OIG's annual Major Management Challenges report, the Department has made progress in deploying an enterprise acquisition information system and tracking key acquisition data. The Department's acquisition reporting system of record, known as nPRS (next-Generation Periodic Reporting System), tracks components' major acquisition investments. It also has capabilities to store key acquisition documents, earned value management information, and risk identification. Component personnel are responsible for entering and updating information, which includes cost, budget, performance, and schedule data. However, components did not complete and report all key information in nPRS. The OIG reported that only 7 of 17 programs (41%) reported Acquisition Program Baseline required milestones. These milestones establish the acquisition cost, schedule, and performance values. Only 13 (76%) programs reviewed contained required key documentation such as mission needs statements, acquisition plans, operational requirements documents, and integrated logistics support plans. In addition, the Department reported in its December 2011 strategy for high-risk management that senior executives are not confident enough in the data to use the Department's Decision Support Tool which was developed to help make acquisition decisions, address problems meeting cost or schedule goals, and prepare for program review meetings. Although the Department continues to make progress in improving its acquisition management, it remains a significant challenge, in part because of the magnitude of the number, dollar value, and complexity of its acquisition activity. grants management Disaster Grants Management FEMA oversees billions of dollars in disaster grant funds each year, and, due to the environment under which these funds are administered, they are highly vulnerable to fraud, waste, and abuse. To illustrate, during fiscal years 2010 and 2011, the OIG's audits of 105 disaster grants identified $365 million in questionable cost and funds that could be put to better use. The extent of the fraud, waste, and abuse that the OIG uncovers year after year in the disaster relief program, for the past 20 years, is unacceptable, and it needs to be vigorously addressed. Yet FEMA still has not developed a robust program to curtail fraud, waste, and abuse within its disaster relief programs. Preparedness Grants Management During fiscal years 2002 through 2011, FEMA distributed over $18 billion through the Homeland Security Grant Program. According to an OIG report released this past July, FEMA does not have a system in place to determine the extent that Homeland Security Grant Program funds enhanced the States' capabilities to prevent, deter, respond to, and recover from terrorist attacks, major disasters, and other emergencies. Also, FEMA does not require States to report progress in achieving milestones as part of the annual application process. As a result, when annual application investment justifications for individual continuing projects are being reviewed, FEMA does not know whether prior year milestones for the projects have been completed. FEMA also does not know the amount of funding required to achieve needed preparedness and response capabilities. Furthermore, according to the OIG's annual Major Management Challenges report, dated November 2011, FEMA continues to face challenges in mitigating redundancy and duplication among preparedness grant programs, including barriers at the legislative, departmental, and State levels. The preparedness grant application process is ineffective because FEMA does not compare and coordinate grant applications across preparedness programs. Since grant programs may have overlapping goals or activities, FEMA risks funding potentially duplicative or redundant projects. Public Law 110-53, Implementing Recommendations of the 9/11 Commission Act of 2007, required the OIG to audit individual States' management of State Homeland Security Program and Urban Areas Security Initiatives grants and annually submit to Congress a report summarizing the results of these audits. In the audits completed to date, the OIG concluded that the States have generally done an efficient and effective job of administering the grant management program requirements, distributing grant funds, and ensuring that all the available funds were used. However, on March 20, 2012, the assistant inspector general for audits testified that FEMA needs to make improvements in strategic management, performance measurement, and oversight. According to Ms. Richards, FEMA needs to improve its guidance on strategic plans for State Homeland Security Grants. While current guidance for State Homeland Security strategic plans encourages revisions every 2 years, the language is such that it does not require revisions to be made--it is just strongly encouraged. Consequently, many States have outdated strategic plans, and many do not have Homeland Security strategic plans with goals and objectives that are specific, measurable, achievable, results-oriented, and time-limited. Without some form of measurable goal or objective, or a mechanism to objectively gather results- oriented data, States have no assurance of the level of effectiveness of their preparedness and response capabilities. Also, States are less capable of determining progress toward goals and objectives when making funding and management decisions. The OIG reported deficiencies in strategic planning in 15 of the 20 State audits completed as of March 2012. In regard to performance measurement, Ms. Richards said that FEMA needs to improve its guidance on establishing metrics and measuring performance. The OIG continues to report that many States have not received proper guidance and, consequently, have not adequately documented or tracked their progress and performance. Providing guidance on the appropriate metrics and requiring those metrics to be documented would provide the States with tools to help them understand the effectiveness of each grant program. FEMA also needs to strengthen its guidance on reporting progress in achieving milestones as part of the States' annual program justifications. Because of insufficient information on milestones and program accomplishments, FEMA has been annually awarding Homeland Security Grant Program funds to States for on-going programs without knowing the accomplishments from prior years' funding or the extent to which additional funds are needed to achieve desired capabilities. Tracking accomplishments and milestones are critical elements in making prudent management decisions because of the evolving, dynamic changes that can occur between years or during a grant's period of performance. OIG audits reported problems with performance measurement in 19 of 20 State audits completed as of March 2012. Finally, Ms. Richards said that FEMA needs to improve its oversight to ensure the States are meeting their reporting obligations in a timely manner to ensure FEMA has the information it needs to make program decisions and oversee program achievements. Further, FEMA needs to improve its oversight to ensure that States are complying with Federal regulations in regard to procurements and safeguarding of assets acquired with Federal funds. In its annual audits of the State Homeland Security Program, the OIG repeatedly found weaknesses in the States' oversight of grant activities. Those weaknesses include inaccuracies and untimely submissions of financial status reports; untimely allocation and obligation of grant funds; and not following Federal procurement, property, and inventory requirements. Delays in the submission of Financial Status Reports hampers FEMA's ability to effectively and efficiently monitor program expenditures and prevents the State from drawing down funds in a timely manner, ultimately affecting the effectiveness of the program. Strategic planning, performance measurement, and oversight are important management controls for FEMA to ensure that Federal funds are used for their intended purpose and that enhancements in preparedness capabilities are being achieved. Without a bona fide performance measurement system, it is impossible to determine whether annual investments are actually improving our Nation's homeland security posture. Furthermore, without clear, meaningful performance standards, FEMA lacks the tools necessary to make informed funding decisions. In today's economic climate, it is critical that FEMA concentrate its limited resources on those threats that pose the greatest risk to the country. While some aspects of the Department's management support challenges were inherited from the Department's legacy agencies, the complexity and urgency of the Department's mission has oftentimes exacerbated the Department's ability to address them in a disciplined and effective manner. It is evident that the Department's senior officials are well aware of these challenges and are attempting to remedy them, and they have actually made some headway. The question is, however: Does the Department have the resolve and wherewithal to sustain those efforts? The ability of the Department to do so is fragile, not only because of the early stage of development that the initiatives are in, but also because of the Government's budget constraints and the current lack of resources to implement planned corrective actions. In today's environment of large Government deficits and pending budget cuts, the new challenge will be to sustain the progress already made and at the same time continue to make the necessary improvements that are critical to the success of the Department's management functions. Unless the Department and Congress stay focused on these challenges, it will be harder than ever to facilitate solutions to strengthen the Department's management support functions and, ultimately, its homeland security mission. Mr. Chairman, this concludes my prepared statement. I will be pleased to answer any questions you or the Members may have. Chairman King. Thank you very much, Mr. Skinner, for your testimony. Our next witness, Stewart Baker, is a partner in the law office of Steptoe & Johnson here in Washington, DC. I first met Mr. Baker when he was the first assistant secretary for policy at the Department of Homeland Security. In that role, he led a staff of 250 people and was responsible for the Department-wide policy analysis as well as the Department's affairs, strategic planning, and relationships with law enforcement and public advisory committees. Other than that, he had nothing to do. It was a 48-hour-a- day job, and Secretary Baker did an outstanding job. He was named the top lawyer in international security by Washingtonian magazine in 2011, and is an exceptionally distinguished attorney and public servant. I am privileged to recognize Secretary Baker for 5 minutes. STATEMENT OF STEWART A. BAKER, FORMER ASSISTANT SECRETARY FOR POLICY, DEPARTMENT OF HOMELAND SECURITY Mr. Baker. Thank you, Chairman King, Ranking Member Thompson. It is a pleasure to be back here. I have almost recovered from my time in Government. You have seen my prepared testimony. What I thought I would do is just touch on three areas where the Department has big challenges, and actually challenge myself to give the Department a grade. So I will give the Department a grade on these things. On the question of unity, coordination, making the Department work as a whole, I think a C-minus is the best the Department can get. It gets that because we have had three strong Secretaries in a row who will not be denied when they are paying attention, the components, the Department act more or less as a whole. But the spotlight of Secretarial attention is not the only place that coordination has to take place. Outside that spotlight, we are not seeing the coordination that is necessary. Probably more important in times of tough budgets than any other because we can no longer afford duplication of effort or initiatives that may meet a particular component's priorities but don't fit into the overall National priorities that the Secretary is setting. I think Ranking Member Thompson pointed out how important it is that we have a cohesive Department. I couldn't agree more, and we are not there and not even close. As I think the Chairman pointed out, having 100 oversight committees means there is one committee in each body that actually wants a single policy to come out of the Department. Everybody else sees that the Secretary and the Secretary's priorities as potentially getting in the way of their ability to oversee some component of the Department. So having reform of jurisdiction is absolutely essential if you are going to get that grade above a gentleman's C-minus. Let me turn to something where I think the story is very good, in contrast, and where I would give the Department an A. That is in carrying out the vision of the Homeland Security Act, of thinking seriously about keeping terrorists from crossing our borders. That used to be spread among three or four different agencies, and none of them thought that was their most important mission. Putting all of those authorities in one place has led to a transformation of the way we think about border security. The way we have transformed that is in getting more data about the people who are coming across the border--whether it is the ESTA or PNR or the overseas interviews that Customs and Border Protection does, or for the first time--we actually know whether the people who are coming from other countries are criminals or not, something we never knew. None of that would have happened because all of it came with a privacy resistance, an international resistance that three Secretaries in a row have stood up to, to build a much clearer sense of who is coming across our borders so we focus our attention on the riskiest travelers. Chairman King, you mentioned all of the domestic attacks, many of them thwarted. What is little covered--although I think this committee knows it quite well--is that in practically every one of those CBP, thanks to its data programs, knew something about, and contributed to the thwarting of, those attacks, or the apprehension of the attackers. That is a complete change from where we were when the Homeland Security Act was passed. Finally, let me turn to someplace where I would give the Department, I guess, a B-plus for defending its turf but a D- plus for actually making us safer. That is in cyber. We are not safer than we were when the Homeland Security Act was passed. Things have gotten worse there. We need to be doing much more. I believe that more regulatory authority is necessary. Certainly the Department needs a better relationship with NSA than they have today. But I think even without taking on the regulatory issue, there are ways to work with the private sector to build a better information-sharing system than we currently have without having to go back and change some of the privacy laws that have made it hard to do that. By opening up the resources of the private sector to actually fund more investigations. I won't dwell on that, but I think the Department, if they are serious about this, can make a big difference in cyber. But they are going to need to improve their workforce substantially. Thank you. [The prepared statement of Mr. Baker follows:] Prepared Statement of Stewart A. Baker September 20, 2012 Thank you, Chairman King, Ranking Member Thompson, and distinguished Members of the committee, for this opportunity to testify on the state of the Department of Homeland Security. This is a timely hearing. We are approaching the tenth anniversary of the Homeland Security Act that created the Department. It's time to ask what the Department has done well, where it has failed, and how it can do better in the future. where dhs still falls short I will cut to the chase. The Department's biggest unmet challenge is making sure that its components are working together to the same goal. This was a central objective of the Homeland Security Act. It combined many agencies into a single Department so that all of them would use their authorities cooperatively in the fight against terrorists. That may seem obvious, but this is Washington, and doing the obvious is not easy. The coordination efforts of a 10-year-old Department do not always impress component agencies that can trace their origins to the founding of the Republic. The good news of the last 10 years is that the Department has had three Secretaries who had no doubt about who was running the Department and who insisted on the cooperation of all parts of the Department to implement their highest priorities. The bad news is that, in my view, these accomplishments owe more to the Secretaries' personalities than to the institutions they have built. In general, the offices that support the Secretary, from the various management offices to the office of policy, have not created a framework that can coordinate the big, proud components of DHS on issues that are outside the spotlight of Secretarial attention. The need to strengthen those institutions is especially pressing now. We face a possible change of leadership at DHS no matter who wins the next election. And the Department faces a difficult budget outlook. Even in a time of record deficits, DHS's budget has hit a ceiling. There is almost no prospect of overall budget increases in the future, and cuts are likely. Budget decisions simply must be based on how each component's expenditures fit the Department's highest priorities. The Department will have to identify redundancies and may have to eliminate programs with powerful constituencies. If that is not done on the basis of a careful, institutionalized review of the Department's overall strategy, we will not use the scarce dollars that remain in a way that best protects the country. That would be a tragedy. three case studies That, of course, is a very general evaluation. Let me be more specific about several important DHS initiatives. 1. Data-based security screening One of the Department's unquestionable successes is the way it has unified the Government's screening and enforcement on the border, something that was once a side business for three or four departments with other priorities. DHS realized early that it couldn't spend even 5 minutes with every traveler who was crossing the border. Instead, it had to concentrate on the riskiest travelers, and to do that it needed more information about travelers, as far in advance as possible. As with so much at the Department, this has been a bipartisan priority; Secretary Napolitano has preserved and improved many data programs launched under earlier Secretaries. And DHS's data programs have contributed to the identification and apprehension of several travelers seeking to commit acts of terror on U.S. soil in recent years. This initiative has been a great success--one that could not have been achieved without the Department. The use of travel reservation (``PNR'') data to screen travelers has come under constant attack on bogus privacy grounds from the European Union, which has torn up its earlier agreement to honor the program every time a new Secretary has been sworn in. Every time, the new Secretary has insisted on maintaining the program. The Department has also gone on the offensive to get other important data about travelers. Before the Department was created, remarkably, our border inspectors had no way to know whether travelers from other countries had been convicted even of the most serious crimes. Now, thanks to the leverage of the Visa Waiver Program, every participating country other than Japan has a ``PCSC'' agreement with the United States, that will provide access to travelers' criminal records. The Department has also implemented ESTA, a ``reservation'' system that allows the Department to screen VWP travelers for potential risk before they begin their trips. The Department has further expanded available information by launching Global Entry, which speeds clearance at the border for travelers who have been vetted in advance. Going forward, it will have background information on frequent travelers from a number of foreign partners, including the Netherlands, South Korea, Germany, Australia, and Brazil. As a result, DHS can focus more resources on riskier travelers. Finally, DHS has begun gathering more data in foreign airports, successfully posting U.S. Government officers there to interview and in some cases to pre-clear travelers, a security enhancement that benefits both the individual traveler and the host government. These data programs have improved the efficiency of border screening while also speeding most travelers across the border more quickly. Despite the hostility of privacy campaigners, the programs have proved themselves. There have been no known abuses of the data. This is a success that could only have been achieved by a unified Department. It is a success that DHS can be proud of. That does not mean that it is perfect. In my view, our international negotiation strategy needs a coherent plan, with priorities, to make sure we get the most important information about the riskiest travelers at least cost to the United States. I also fear that our last PNR agreement accepted too many of Europe's limitations on PNR while surrendering too many protections for the program. And I'm disappointed that we have not persuaded Japan to supply information about the yakuza, or professional criminals, who may be traveling to the United States. But these are tactical criticisms of a program that is a great strategic victory. Indeed, it is a victory that is paying dividends in airports around the country. Everyone likes to criticize TSA, and one of the most valid criticisms is that it treats all of us like suspected terrorists. What's less known is that this treatment was more or less mandated by privacy campaigners, who persuaded Congress that TSA could not be trusted with the same travel reservation data that our border officials use every day. Lacking any information about travelers, TSA had no choice but to treat them all alike. Now that the use of data for screening at the border has proven itself, the dam is beginning to break for TSA as well. TSA now has access to each traveler's name, gender, and date of birth. Increasingly, it also knows about the traveler's travel history, based on the voluntary provision of frequent flier data. It has shown how this data allows risk-based variations in screening, using date of birth to reduce screening hassles for children under 12 and seniors over 75. And overseas, in response to the Christmas day bomb attempt, CBP and TSA are combining forces to do data-based screening of passengers on U.S.-bound foreign flights. Finally, TSA is using Global Entry and other data to create a known traveler screening process for domestic flights. This is all great progress, though more is needed. In the next 5 years, TSA should expand its use of data-based screening further, expediting travel for the great majority while demonstrating that it can be trusted with personal data. Because of past privacy limitations, it is likely that TSA will need Congressional assistance to achieve this goal. 2. cybersecurity Sometimes it's easier to persuade the team to give you the ball than to actually run with it. That is DHS's problem in cybersecurity right now. DHS seems to have successfully fended off the many agencies and committees that wanted to seize parts of its cybersecurity mission. Whether DHS can carry out the mission, though, remains uncertain. Although the Homeland Security Act clearly gave DHS authority over civilian cybersecurity issues, it did not give DHS the kind of trained personnel it needed. Finding talented cyberwarriors is a challenge even for private-sector firms. Attracting them to the Department has been doubly difficult, especially with a hiring process that in my experience was largely dysfunctional. The Department's biggest challenge is hiring and maintaining a cybersecurity staff that can earn the respect of private cybersecurity experts. With the exception of a handful of officials, DHS has not yet built a cadre of employees who can match their counterparts at NSA or Goldman Sachs. This is critical. If DHS fails in personnel, it will likely fail in the rest of its cybersecurity-related activities. There are other challenges for DHS in cybersecurity. They include: Building a better relationship with NSA.--The outlines of a working relationship with NSA are obvious. DHS should provide policy guidance based in law and prudence for any cybersecurity mission affecting the civilian sector, but it must rely heavily on NSA's technical and operational expertise. This fundamental truth has been obscured by personalities, mistrust, and impatience on both sides. It's got to end, especially in the face of adversaries who must find the squabbling email messages especially amusing because they are reading them in real time. Gaining authority to insist on serious private-sector security measures.--DHS has plenty of legislative authority to cajole and convene the private sector in the name of cybersecurity. It's been doing that for 10 years. The private sector has paid only limited attention. In part that's because DHS had only modest technical expertise to offer, but it's largely because few industries felt a need to demonstrate to DHS that they were taking its concerns seriously. That is one reason that DHS needs at least some authority to demand that industry respond to the cybersecurity threat, especially where it poses risks to civilian life that are not adequately recognized by the market. I fully recognize that cybersecurity measures do not lend themselves to traditional command-and- control regulation, and that information technology is a major driver for economic growth. That's a reason to be cautious about how Government approaches the private sector. But it's not a reason for Government to ignore the risk of a cybersecurity meltdown. It's worth remembering that, for a couple of decades, we were told that the financial derivatives trade was too complex for traditional Government regulation and a major driver of economic growth, and that the private sector could do a better job of internalizing risk than any Government regulator. We should not wait for the cybersecurity equivalent of the financial meltdown to give DHS a larger role in cybersecurity standards. Sometimes the businessmen arguing against regulation are wrong--so wrong that they end up hurting their own industries. I believe that this is true of those who oppose even the lightest form of cybersecurity standards. Most of the soft quasi-regulatory provisions that business groups rejected in talks with the Senate will likely be incorporated into an Executive Order that they will have little ability to influence. Even worse from their point of view, the pressure for legislation is likely to continue--and will become irresistible if we suffer a serious infrastructure failure as a result of hacking. In that event, the cybersecurity legislation that Congress adopts will have to go beyond the Executive Order and into the territory of much tougher regulation. By failing to adopt more limited legislation now, Congress is sowing the seeds for more aggressive regulation in the future. Moving beyond the fight over ``regulation''.--That said, DHS cannot wait for a National consensus on its regulatory role. There are many other steps that DHS could take to improve cybersecurity without touching the regulatory third rail. Let me outline a few of them here: Information-sharing.--It should be obvious why the targets of cyber attacks need to share information. We can greatly reduce the effectiveness of those attacks if we use the experience of others to bolster our own defenses. As soon as one victim discovers a new command-and-control server, or a new piece of malware, or a new email address sending poisoned files, that information can be used by other companies and agencies to block similar attacks on their networks. This is not information sharing of the ``let's sit around a table and talk'' variety. It must be automated and must occur at the speed of light, not at the speed of lawyers or bureaucrats. I supported CISPA, which would have set aside two poorly-conceived and aging privacy laws that made it hard to implement such sharing. I still do. But if CISPA is going to be blocked for a time by privacy objections, as seems likely, we need to ask a different question: Can the automated information-sharing system that we need be built without rewriting those aging privacy laws? I believe that it can; we simply need a more creative and determined approach to the law. Administration lawyers, who have taken an unnecessarily rigid view of existing law, should be sent back to find ways to build automated information sharing under existing law. Emphasize attribution.--We will never defend our way out of the cybersecurity crisis. I know of no other crime where the risk of apprehension is so low, and where we simply try to build thicker and thicker defenses to protect ourselves. The obvious alternative is to identify the attackers and to find ways to punish them. But many information security experts have grown skeptical of this alternative. As they point out, retribution depends on attribution, and attribution is difficult; attackers can hop from country to country and from server to server to protect their identities. That skepticism is outmoded, however. Investigators no longer need to trace each hop the hackers take. Instead, they can find other ways to compromise and then identify the attackers, either by penetrating hacker networks directly or by observing their behavior on compromised systems and finding behavioral patterns that uniquely identify the attackers. It is harder and harder for anyone to function in cyberspace without dropping bits of identifying data here and there. If our security is inherently flawed, so too is the security of our attackers. This means that it is realistic to put attribution at the center of our response to cyberattacks. We should take the offense, surrounding and breaking into hacker networks to gather information about what they're stealing and who they're giving it to. That kind of information will help us prosecute criminals and embarrass state-sponsored attackers. It will also allow us to tell the victim of an intrusion with some precision who is in his network, what they want, and how to stop them. DHS's intelligence analysis arm should be issuing more such reports and fewer bland generalities about terrorism risks for local law enforcement agencies. Use DHS law enforcement authorities more effectively.--Law enforcement agencies have a vital role to play in cybersecurity--even when the prospect of actually arresting the attacker is remote. Law enforcement agencies have investigative authorities, including search warrants and wiretaps, that can help identify attackers. Those authorities should be used strategically to aid in the overall attribution effort. The best way to achieve that goal is for DHS's cybersecurity office to be fully coordinated with law enforcement agencies that have criminal investigative authorities. By pooling information, authorities, and resources, these agencies should pursue a common strategy--one that identifies the bad guys, first to disable their attacks and eventually to bring them to justice. Coordination between DHS and the FBI may have its challenges, but today it seems that there is only modest coordination even between DHS's cybersecurity office and its own cybercrime investigators. Certainly I have seen no sign that ICE and Secret Service investigations are prioritized strategically based on guidance from the DHS cybersecurity office. The result is wasted opportunities and wasted resources. Instead, ICE and Secret Service cybercrime investigators should be detached to a task force ran by the cybersecurity office as a way of dramatizing the need for an all-of-DHS approach to the problem. Law enforcement authorities create a second opportunity that we are not fully exploiting. Increasingly, it is law enforcement that tells businesses they have been compromised. But usually the first question from businesses is one best directed towards the cyber defenders rather than the cyber cops: ``What can we do to get the attacker out?'' This is a ``teachable moment,'' when all of DHS's cyberdefense and industry-outreach capabilities should be engaged, talking to the compromised company about the nature of the intruder, his likely goals and tactics, and how to defeat them. Currently, however, DHS's cybersecurity office and its cybercrime investigators do not present themselves as a unified team when visiting the victims of attacks. Better coordination within the Department would pay dividends and provide a model for coordination across Department lines. Recruit private-sector resources to the fight.--In my private practice, I advise a fair number of companies who are fighting on-going intrusions at a cost of $50 or $100 thousand a week. The money they are spending is going almost entirely to defensive measures. At the end of the process, they may succeed in getting the intruder out of their system. But the next week, the same intruder may get another employee to click on a poisoned link and the whole process will begin again. It's a treadmill. Like me, these companies see only one way off the treadmill: To track the attackers, figure out who the attackers are and where they're selling the information, and then sanction the attackers and their customers. When private companies' cybersecurity executives were surveyed recently, ``more than half thought their companies would be well served by the ability to `strike back' against their attackers.'' W. Fallon, Winning Cyber Battles Without Fighting, Time (Aug, 27, 2012). And the FBI's top cybersecurity lawyer just this week called our current strategy a ``failed approach'' and urged that the Government enable hacking victims ``to detect who's penetrating their systems and to take more aggressive action to defend themselves.'' Washington Post (Sep. 17, 2012). He's right. But under Federal law, there are grave doubts about how far a company can go in hacking the hackers. I happen to think that some of those doubts are not well-founded, but only a very brave company would ignore them. Now, there's no doubt that U.S. intelligence and law enforcement agencies have the authority to conduct such an operation, but by and large they don't. Complaining to them about even a state-sponsored intrusion is like complaining to the D.C. police that someone stole your bicycle. You might get a visit from the police; you might get their sympathy; you might even get advice on how to protect your next bicycle. What you won't get is a serious investigation. There are just too many crimes that have a higher priority. In my view, that's a mistake. The Department, drawing on the resources of the entire Government, should do some full-bore criminal and intelligence investigations of private-sector intrusions, especially those that appear to be state-sponsored. We can identify the attackers, and we can make them pay. But if we want do that at scale, we have to let the victims participate in, and pay for, investigations that the Government will never have the resources to pursue. Too many Government officials have viewed such private countermeasures as a kind of vigilante lynch mob justice. That just shows a lack of imagination. In the real world, if someone stops making payments on a car loan but keeps the car, the lender doesn't call the police; he hires a repo man. In the real world, if your child is kidnapped, and the police aren't making it a priority, you hire a private investigator. And, if I remember correctly the westerns I watched growing up, if a gang robs the town bank and the sheriff finds himself outnumbered, he deputizes a posse of citizens to help him track the robbers down. Not one of those solutions is the equivalent of a lynch mob or of vigilante justice. Every one allows the victim to supplement law enforcement while preserving social control and oversight. DHS could probably experiment with that solution tomorrow if it chose, as could the FBI. Its law enforcement agencies often have probable cause for a search warrant or even a wiretap order aimed at cyber intruders. I know of no legal barrier to obtaining such an order, then relying on a private contractor paid by the victims to actually carry out the search or the tap, as long as that happens under Government supervision. (The Antideficiency Act, which arguably prohibits the Government from accepting free services, has more holes than my last pair of hiking socks, including exceptions for protection of property in emergencies and for gifts that also benefit the donor.) If systematic looting of America's commercial secrets truly is a crisis, and I believe that it is, why have we not already unleashed the creativity and resources of the private sector that attackers are victimizing? Mr. Chairman, that concludes my prepared testimony. I will be pleased to answer any questions the committee may have. Chairman King. Thank you, Secretary Baker. Our next witness, Frank Cilluffo, is associate vice president at George Washington University, where he directs the Homeland Security Policy Institute. I have had the privilege of being out there. You know, it is accurate to say that Mr. Cilluffo was present at the creation. Shortly after the 9/11 attacks, Mr. Cilluffo was appointed by the President to the Office of Homeland Security, and served as the principle advisor to Governor Tom Ridge. Prior to his White House appointment, Mr. Cilluffo served in policy positions at the Center for Strategic and International Studies. His work has been widely published in academic, law, business, and policy journals, as well as magazines and newspapers around the world. Without giving away too much, I can tell you often, before we prepare our committee agenda or look into topics we are going to cover, we look at what you have been saying on it lately. We certainly appreciate your wisdom and input. With that, Mr. Cilluffo, I am privileged to recognize you for 5 minutes. STATEMENT OF FRANK J. CILLUFFO, FORMER PRINCIPAL ADVISORY TO GOVERNOR TOM RIDGE, WHITE HOUSE OFFICE OF HOMELAND SECURITY Mr. Cilluffo. Thank you, Mr. Chairman. Thank you for the opportunity to appear before you today. Mr. Thompson, good to see you again, as well. Let me also, before jumping in--and I was asked to talk on the threat-related issues--thank you for your leadership in this committee. I mean, you really have taken on the hard issues facing this country. I think you have tackled them head-on. Not an easy set of issues. I will be very brief, not my strong suit as I have never had an unspoken thought. But what I thought I would do is touch on some of the counterterrorism issues that we see and the current terrorism threat, as well as some of the cyber challenges where I am very much in agreement with Stewart's prognosis. Firstly, as the recent terrorist attack in Benghazi clearly demonstrated, as well as unrest not only the Middle East, in North Africa, but also in Southeast Asia, there is no time to be lulled into a sense of complacency. A set of issues that I think a lot of people have been. Yes, we have had a number of successful counterterrorism events of late. Most notably, the successful strike against Osama bin-Laden, Anwar al-Awlaki, Ilyas Kashmiri, probably the most dangerous unknown terrorist out there. But by no means does this mean that ding-dong, the witch is dead. Unfortunately, what we have seen is the threat metastasize. It has morphed. Today, it comes in various shapes, sizes, flavors, and forms, ranging from al-Qaeda senior leadership, still operating out of the Fatah as well as its affiliates, most notably al-Qaeda in the Arabian Peninsula; home to probably the world's most dangerous bomb maker, in Ibrahim al- Asiri, to al-Qaeda and the Islamic Maghreb, which is growing leaps and bounds not only across the Maghreb but also throughout the Sahel, as well as like-minded jihadi organizations in the African continent as a whole. Ansar al-Dine in Mali, you are seeing Mauritania being taken over by Islamist groups, all the way through to the Horn of Africa, with Al Shabaab in Somalia. So the prognosis is not very good. Actually, if you have seen the way it has spread, I am not sure that some of our traditional counterterrorism instruments are the most appropriate right now. Moreover, the reason you have seen some success in the Fatah is because we have--think of it as--suppressive fire. It is based on our successful counterterrorism initiatives. If we ease off that gas pedal, don't think that that vacuum isn't going to be instantaneously filled not only by al-Qaeda, but other like-minded individuals. Bottom line here is, is the more time they are looking over their shoulder the less time they are plotting, training, and executing attacks. So I just warn the Congress to be able to support some of our counterterrorism measures. African continent, I can get into that in greater depth later. But you literally are seeing swaths; the entire Maghreb, northwest Africa, all the way through from Mauritania to the Horn of Africa, in Somalia. These are areas where you are seeing Jihadi groups take advantage of under- and un-governed spaces. Why any of these regions? Because they are un-governed spaces. I would also note that you have seen the homegrown threat in the United States. This is not an insignificant set of issues. We have had 58 cases, 58 plots, that have been prevented since 9/11. Some of those very significant. In New York City, for example, Naji Bolazazi. That was a very significant plot. That was blinking red as red could be red. Faisal Shahzad, also a very significant plot. So as much as we can lean forward and support our State and local law enforcement authorities, I think we need to be able to do so very quickly on cyber. I think it is fair to say that our cyber community is where homeland and counterterrorism community was shortly after 9/11. We have a lot to do. Long on nouns, short on verbs. We have been talking about it, but we are not actually addressing some of the most significant issues. To rack and stack the threat, you have got countries that are integrating computer network attack and computer network exploit into their warfighting capabilities. Russia, China, at the top of the list. But also, you have countries like North Korea, Iran, who are increasingly becoming a terrorist threat. Their proxies, Hezbollah, are of great concern. What they lack in capability they more than make up for in intent. In the cyber domain, you can buy capabilities. Intent and cash can take you a long way, something I think we need to be thinking about. Finally, in terms of recommendations--and I will be very quick here--one policy recommendation. The biggest, biggest missing dimension of our counterterrorism statecraft thus far, in my eyes, has been, ``It is the ideology.'' To paraphrase Bill Clinton, it is not, ``the economy, stupid,'' but, in this case, ``the ideology, stupid.'' We have got to get a comprehensive approach that exposes the hypocrisy of the jihadists and ultimately helps facilitate it fall under its own weight. Think of negative political campaigning. We need to do more in this respect. We also need to start focusing on the victims, not only the perpetrators. Ultimately, to me, this is where we have an awful lot we should and can do beyond the traditional battlefields. Second, a structural one. That Department of Homeland Security, I would argue, needs an office of net assessment; someone who is not fettered by day-to-day intelligence needs, not fettered by day- to-day policy needs, but has the ability to step back, think big, ask the what-ifs, look for the game-changers. That doesn't currently exist because everyone is running out of their inboxes daily. A very tactical one, NPPD as well as intelligence and analysis at DHS. I think they have a very unique thing that they can bring to the counterterrorism fight. That is, coming up with new intelligence products that are very oriented around critical infrastructures. No one else in the intelligence community has that capability. We need to make that a reality. Information sharing, we have got to move at least the CISPA bill that Mr. Rogers and others had proposed, if you ask me. Is it enough? Probably not. But at the very least, we need to move on those measures. Finally, in the cyber domain we are never going to firewall our way out of the problem. At the end of the day, the initiative stands with the offender, on the offense. So we have got to clearly articulate a cyber deterrent strategy, one that is actor-specific. Because right now, we are lumping China and Russia with a kid operating out of his basement, drinking a lot of Jolt Cola or whatever they drink nowadays. But at the end of the day we need to get to the point where we can actually have a clearly articulated cyber deterrent strategy, and one that we are willing to act when red lines are crossed. Thank you, Mr. Chairman. [The prepared statement of Mr. Cilluffo follows:] Statement of Frank J. Cilluffo September 20, 2012 Chairman King, Ranking Member Thompson, and distinguished Members of the committee, thank you for the opportunity to testify before you today. Throughout your tenure as Chairman of this committee, Congressman King, you have consistently taken on the hard issues facing our country, and have committed to addressing them. Thank you for your leadership. Turning to the timing and subject of today's hearing both are well-selected. As recent events from the Middle East and North Africa through to Southeast Asia regrettably illustrate, violent extremism continues to thrive. With the United States and its interests still in the cross-hairs of jihadi and Islamist militants across the globe, the present moment is sadly opportune to assess the activities of the Department of Homeland Security (DHS) and give careful consideration to a roadmap for its future. Despite significant progress, especially on the counterterrorism front, the existing and projected threat climate is such that continued vigilance and a robust as well as proactive posture is needed--not only at DHS but throughout Government, at all levels, and supported by approaches that effectively integrate the private sector and the efforts of individual citizens too. the threat ecosystem of today and tomorrow: challenges for dhs and beyond Al-Qaeda (AQ) has been a shrewd practitioner of the art of stoking, piggybacking upon, and exploiting local grievances in order to further AQ's own goals and objectives and the broader global jihad. In a military context, this is referred to as tactical, operational, and strategic ``swarming''; and it has clearly been adopted by others as well, as recent incidents around the globe have unfortunately demonstrated. Usama bin Laden may be dead, but the toxic ideology that he left behind lives on, and the narrative that it informs continues to resonate powerfully in certain quarters. Today perhaps the most significant locus of his legacy and methods is in Africa; though Pakistan's Federally Administered Tribal Areas, better known as FATA, remain a combustible region, one where it would be imprudent to ease up on U.S. pressure against militants.\1\ --------------------------------------------------------------------------- \1\ U.S. military actions, including the use of drones, have had significant operational effects on al-Qaeda (and associated entities) by disrupting foreign fighter pipelines to the region, activities of key facilitators, and training camps. Think of it as suppressive fire. The more time al-Qaeda and associated entities spend looking over their shoulders, the less time they have to train, plot, and execute terrorist attacks. And with al-Qaeda senior leaders on their back heels, now is the time to exploit this unique window of counterterrorism opportunity by maintaining the operational tempo to consolidate these gains. --------------------------------------------------------------------------- In Africa, al-Qaeda in the Arabian Peninsula (AQAP), al-Qaeda in the Islamic Maghreb (AQIM), Al Shabab (Somalia), Ansar al-Dine (Mali), Boko Haram (Nigeria), and their ilk persist in sowing discord and violence in a cross-continental swath ranging from east to west, leaving not even Timbuktu untouched. Indeed, even Yemen, the subject of significant counterterror efforts on the part of the United States (and others), remains home to AQAP and to one of the world's most dangerous bomb-makers, Ibrahim al-Asiri. Notwithstanding U.S. and allied counterterrorism efforts that have yielded a good measure of success, these terror affiliates remain committed to carrying forward the mantle of bin Laden, and to exploiting both ungoverned and under-governed spaces. The latter tactic pre-dated the Arab Spring, but evidenced reinforcement and magnification thereafter. The tragic violence of recent days, beginning in Benghazi and directed against U.S. personnel and interests (and those of allies), may come to further prove this point, though key facts remain under investigation. As observed in a report on Mauritania published earlier this year by the Carnegie Endowment for International Peace, Africa is a hot spot because of the confluence of multiple factors, including poverty, corruption, and weak governance. The ensuing void left in countries like Mauritania, where state infrastructure like the education system is weak, offers an opening to ``mahadras'' (religious schools) propagating violent ideologies, which in turn spur the growth of militancy. The outlook for the Continent is not entirely bleak however; as the study points out, ``there is a high level of distrust between black Africans and AQIM, a movement led and dominated by Arabs''--which portends a recruitment challenge for al-Qaeda forces in the area, at least in the longer term.\2\ The outcome is not predetermined, though, as AQ was able to surmount and ingrain itself into the tribal populations indigenous to the FATA by pursuing a concerted strategy of marrying into these clans. Whether a similar or other course might further pave the way for inroads into African countries remains to be seen and merits continued U.S. vigilance, as well as that of our allies. --------------------------------------------------------------------------- \2\ Anouar Boukhars, The Drivers of Insecurity in Mauritania Carnegie Paper (April 2012) http://carnegieendowment.org/2012/04/30/ drivers-of-insecurity-in-mauritania#. --------------------------------------------------------------------------- The various terrorist organizations cited above are exhibiting, moreover, an increasing willingness to reach out and partner with one another, as well as with others, who may be able to help build their indigenous capacities and further their particular goals. The twin phenomena of violent extremism and cross-group cooperation of such forces is assuredly not limited to Africa, and extends to the veritable witch's brew of forces that ranges from Iraq, Pakistan, and the Caucasus, to Mali, Nigeria, and Somalia--where militants linked to al- Qaeda tried to kill the country's new President just last week in a double suicide/homicide blast. Pakistan is especially complex, and dangerous. Groups that were once regionally focused now subscribe ever- more to al-Qaeda's goals and the broader global jihad. This toxic blend includes the Haqqani network,\3\ Laskhar-e-Taiba (LeT), Tehrik-i- Taliban Pakistan, Harkat-ul-Jihad al-Islami (HuJI), Jaish-e-Mohammed, and the Islamic Movement of Uzbekistan; all of which cooperate with al- Qaeda on a tactical and sometimes strategic basis, linked by an affinity for militant Islamist ideology--with United States, Indian, Israeli, and Western targets increasingly in their cross-hairs. Historically, collaborative efforts among such groups were primarily linked to covert logistical support, including the provision of money, safe havens, and arms, as well as the movement back and forth of key personnel from one entity to another. --------------------------------------------------------------------------- \3\ Recently designated a Foreign Terrorist Organization by the Department of State (a too-long delayed move, though one rightly supported by the Chairman of this Committee). http:// translations.state.gov/st/english/article/2012/09/ 20120907135632.html#axzz26kbUie00; see also Frank J. Cilluffo, ``U.S.- India Counterterrorism Cooperation: Deepening the Partnership'' Hearing before the House of Representatives Committee on Foreign Affairs, Subcommittee on Terrorism, Non-proliferation and Trade (September 14, 2011) http://www.gwumc.edu/hspi/policy/testimony9.13.11_cilluffo.pdf. --------------------------------------------------------------------------- Not so today, where the relationships between terrorist groups are becoming more overt and strategic in nature. As events on the ground in Syria demonstrate, there will be no shortage of opportunities for foreign fighters who wish to travel to jihadi conflict zones. Consider also Africa, where the head of U.S. Africa Command General Carter Ham has stated that ``the linkages between AQIM and Boko Haram are probably the most worrisome in terms of the indications we have that they are likely sharing funds, training and explosive materials that can be quite dangerous.''\4\ So too closer to home, where the Commander of U.S. Southern Command General Douglas M. Fraser has observed a similar type of convergence (based on convenience) between terrorist and criminal organizations in the Tri-Border area of Argentina, Brazil, and Paraguay.\5\ Within the Continental United States, furthermore, the New York City Police Department has expanded its decade-plus focus on core al-Qaeda, affiliates, and the homegrown threat (inspired by AQ), to include Iran and Hezbollah--as part of NYPD's continuing efforts to build a robust and independent counterterror posture for the City of New York.\6\ In turn, the Los Angeles Police Department recently elevated the government of Iran and its proxies (notably Hezbollah) to a Tier I threat.\7\ This last development is particularly concerning given Iran's on-going drive to achieve nuclear weapons capability, and the statement this month of Lebanese Hezbollah leader Sayyed Hassan Nasrallah to the effect that there will be no distinction drawn between Israel and the United States in terms of retaliation, should Israel attack Iran to halt its progress toward the nuclear goal: ``If Israel targets Iran, America bears responsibility.''\8\ Both the Director of the (U.S.) National Counterterrorism Center and the Director of National Intelligence have underscored concern about Iran and their proxies, suggesting respectively in recent testimony (the former before this committee) that ``Iran remains the foremost state sponsor of terrorism''\9\; and that Iran is ``now more willing to conduct an attack in the United States.''\10\ --------------------------------------------------------------------------- \4\ Tristan McConnell, ``Triple threat: Coordination suspected between African terrorist organizations'' Global Post (June 26, 2012) http://www.globalpost.com/dispatches/globalpost-blogs/africa/triple- threat-coordination-suspected-between-african-terrorist-or. \5\ Statement before the Senate Armed Services Committee (March 6, 2012) http://www.armed-services.senate.gov/statemnt/2012/03%20March/ Fraser%2003-13-12.pdf. \6\ Testimony of Mitchell D. Silber before the U.S. House of Representatives Committee on Homeland Security Iran, Hezbollah, and the Threat to the Homeland (March 21, 2012) http://homeland.house.gov/ sites/homeland.house.gov/files/Testimony-Silber.pdf. \7\ Frank J. Cilluffo, Sharon L. Cardash, and Michael Downing, ``Is America's view of Iran and Hezbollah dangerously out of date?'' FoxNews.com (March 20, 2012) http://www.foxnews.com/opinion/2012/03/20/ is-americas-view-iran-and-hezbollah-dangerously-out-date/ \8\ Reuters, ``Nasrallah: Iran could strike US bases if attacked'' The Jerusalem Post (September 3, 2012) http://www.jpost.com/ IranianThreat/News/Article.aspx?id=283706. \9\ Matthew G. Olsen, ``Understanding the Homeland Threat Landscape'' Hearing before the House Committee on Homeland Security (July 25, 2012) http://homeland.house.gov/sites/homeland.house.gov/ files/Testimony-Olsen.pdf. \10\ James R. Clapper, ``Unclassified Statement for the Record on the Worldwide Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence'' (January 31, 2012) http:/ /intelligence.senate.gov/120131/clapper.pdf. --------------------------------------------------------------------------- All this to say there is little ground for complacency, as toxic forces converge and cooperate in multiple spots across the globe, more than ever before; as ideology and narrative continue to inspire, including those here in the United States--recall that 58-plus homegrown jihadi terrorism plots have been discovered in this country since 9/11; and as foreign fighters return to their homelands battle- hardened and armed with Western passports--10 feet tall in the eyes of those who admire their exploits, and more importantly, a direct threat to Western security given their familiarity with potential targets they may select to attack.\11\ Where foreign fighters are concerned, so- called ``bridge figures'' are of special importance, as they ensure that particular fighter pool is replenished, by helping to inspire, radicalize, and motivate. These figures exude charisma, and exhibit cultural and linguistic fluency as well as other skills that propel them to positions of leadership, guidance, and prominence. Abdullah al- Faisal, a Jamaican with ties to shoe bomber Richard Reid and to (attempted) Times Square bomber Faisal Shahzad, is but one example.\12\ --------------------------------------------------------------------------- \11\ Frank J. Cilluffo, ``Open Relationship'' ForeignPolicy.com (February 15, 2012) http://www.foreignpolicy.com/articles/2012/02/15/ open_relationship?page=0,0; and Jerome P. Bjelopera ``American Jihadist Terrorism: Combating a Complex Threat'' CRS Report for Congress (November 15, 2011) http://www.fas.org/sgp/crs/terror/R41416.pdf (but note that numbers have increased since the Report was published). \12\ Frank J. Cilluffo, Jeffrey B. Cozzens, and Magnus Ranstorp, Foreign Fighters: Trends, Trajectories & Conflict Zones (October 1, 2010 http://www.gwumc.edu/hspi/policy/report_foreignfighters501.pdf. --------------------------------------------------------------------------- Just as the threat has gravitated and metastasized to areas in the physical world that will best support the ideology and activities at issue, so too has the threat taken hold in (and of) the cyber domain-- where terrorists are still afforded too much freedom of maneuver. Being squeezed in Pakistan's FATA, the Sahel, Yemen, or elsewhere, does not mean ``game over'' when the internet offers a transnational base and springboard for a variety of operations, including fundraising, recruitment, planning, training, and even implementation and execution of plots and plans.\13\ As I outlined in testimony before the Senate 5 years ago: ``Extremists value the internet so highly that some have adopted the slogan `keyboard equals Kalashnikov'. Terrorist groups now have their own media production arms (al-Qaeda relies on As-Sahab and the Global Islamic Media Front, for example). Terrorists produce their own television programs and stations, websites, chat rooms, on-line forums, video games, videos, songs, and radio broadcasts.''\14\ Having said that, and as I have indicated in further Senate testimony, this one more than a decade ago: ``Bits, bytes, bugs, and gas will never replace bullets and bombs as the terrorist weapon of choice.''\15\ --------------------------------------------------------------------------- \13\ The George Washington University Homeland Security Policy Institute (HSPI) and the University of Virginia Critical Incident Analysis Group (CIAG), NETworked Radicalization (Special Report: May 2007) http://www.gwumc.edu/hspi/policy/NETworkedRadicalization.pdf. \14\ ``The Internet: A Portal to Violent Islamist Extremism'' (May 3, 2007) http://www.gwumc.edu/hspi/policy/testimony5.3.07_cilluffo.pdf. \15\ ``Critical Infrastructure Protection: Who's In Charge'' (October 4, 2001) http://www.gwumc.edu/hspi/policy/ testimony10.4.01_cilluffo.pdf. --------------------------------------------------------------------------- However, as kinetic measures (U.S. and allied) generate gains in the real-world, this may lead al-Qaeda and its sympathizers to enter even more deeply into the cyber domain. Indeed, al-Qaeda and their jihadi ilk may be surfing in the wake of ``Anonymous'' and other such groups, to learn from and perhaps also exploit their actions. The cyber threat writ large is much broader and more multifaceted, though. It may emanate from individual hackers, ``hacktivists,'' criminal or terrorist groups, nation-states or those that they sponsor. Moreover, the threat spectrum affects the public and private sectors, the interface and intersections between them, as well as individual citizens. From a homeland security perspective, foreign states are (by and large) our principal concerns in the cyber domain, at least in terms of sophistication; specifically those countries that pose an advanced and persistent threat, namely Russia and China. Their tactics may also be exploited by others.\16\ Furthermore, as laid out in my testimony to a joint hearing of two subcommittees of this body in April 2012, the government of Iran and its terrorist proxies are serious concerns in the cyber context. What Iran may lack in capability, it makes up for in intent; and our adversaries do not need highly sophisticated capabilities--just intent and cash--as there exists an arms bazaar of cyber weapons, allowing our adversaries to buy or rent the tools they need or seek.\17\ --------------------------------------------------------------------------- \16\ Frank J. Cilluffo, ``The U.S. Response to Cybersecurity Threats'' American Foreign Policy Council (AFPC) Defense Dossier (August 2012) http://www.afpc.org/files/august2012.pdf; see also Office of the National Counterintelligence Executive (NCIX), Foreign Spies Stealing U.S. Economic Secrets in Cyber Space: Report to Congress on Foreign Economic Collection and Industrial Espionage 2009-2011 (October 2011) http://www.ncix.gov/publications/reports/fecie_all/ Foreign_Economic_Collection_2011.pdf. \17\ ``The Iranian Cyber Threat to the United States'' Statement before the House of Representatives Committee on Homeland Security, Subcommittees on Counterterrorism and Intelligence, and on Cybersecurity, Infrastructure Protection, and Security Technologies (April 26, 2012) http://www.gwumc.edu/hspi/policy/ Iran%20Cyber%20Testimony%204.26.12%20Frank%20- Cilluffo.pdf. --------------------------------------------------------------------------- The cyber threat (and supporting technology) has markedly outpaced our prevention and response efforts. Use of cyber means as a force multiplier for kinetic activities, which would represent the convergence of the physical and cyber worlds, constitutes probably the area of greatest concern over the next 5 to 10 years. Foreign militaries are increasingly integrating computer network attack (CNA) and computer network exploitation (CNE) capabilities into their warfighting, and military planning and doctrine.\18\ Such activity may involve ``intelligence preparation of the battlefield,'' to include the mapping of perceived adversaries' critical infrastructures. To my mind, the line between this type of reconnaissance and an act of aggression is very thin, turning only on the matter of intent. Foreign intelligence services, too, are engaging in cyber espionage against us, often combining technical and human intelligence in their exploits. Here, everything from critical infrastructure to intellectual property is potentially at risk. These exploits permit others to leapfrog many bounds beyond their rightful place in the innovation cycle, by profiting from (theft of) the research and development in which private and public U.S. entities invested heavily. At worst, these exploits hold the potential to significantly degrade our National defense and National security, and thereby undermine the trust and confidence of the American people in their Government. --------------------------------------------------------------------------- \18\ Bryan Krekel, Patton Adams, and George Bakos, Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage, Prepared for the U.S.-China Economic and Security Review Commission by Northrop Grumman Corporation (March 7, 2012) p. 54 http://www.uscc.gov/RFP/2012/USCC%20Report_Chinese_Capa- bilitiesforComputer_NetworkOperationsandCyberEspionage.pdf. --------------------------------------------------------------------------- New opportunities for resilience, generated by forces including changing technologies, will assuredly present themselves. Indeed it is this ability to reconstitute, recover, and get back on our feet is in fact perhaps the best deterrent. The storms that battered the National Capital Region this summer leaving close to a million people without power during a week-long heat wave are instructive in terms of our shortcomings on resilience. Mother Nature may be a formidable adversary, but just imagine the level of damage and destruction that a determined and creative enemy could have wrought. There is no lack of trying, as a recently published DHS report makes clear, noting the spike in attacks (from 9 incidents to 198) against U.S. critical infrastructure from 2009 to 2011.\19\ The good news, on the other hand, is that the most serious of these incidents could have been avoided through the adoption of basic security steps and best practices. The bad news, of course, is that these fundamental measures were not yet put into place. --------------------------------------------------------------------------- \19\ Suzanne Kelly ``Homeland security cites sharp rise in cyber attacks'' CNN.com (July 4, 2012). http://security.blogs.cnn.com/2012/ 07/04/homeland-security-cites-sharp-rise-in-cyber-attacks/. --------------------------------------------------------------------------- dhs: a look back and ahead Looking ahead, U.S. and allied counterterrorism efforts that achieved localized successes must be woven into a larger, sustained, and strategic effort; one that continues to apply targeted pressure to deny adversaries the time and space to maneuver, including in cyberspace. Since the threat now comes in various shapes, sizes, and forms--ranging from al-Qaeda's Senior Leadership (Ayman al-Zawahiri and his top deputies), to its principal franchises and affiliates, to individuals inspired by (if not directly connected to) al-Qaeda's ideology, which includes the ``home-grown'' threat--the U.S. response, and that of DHS in turn, must be at once both sufficiently comprehensive in scope and sufficiently nimble in approach to address effectively the multi-dimensional threat landscape of today as well as tomorrow. Unfortunately our efforts to counter and defeat the jihadist ideology have been lacking, with the result that the terrorist narrative lives on, and continues to attract and inspire those who wish us harm. A sustained, comprehensive, integrated, and effective effort to combat violent Islamist extremism is, in my view, the biggest element missing from U.S. statecraft on counterterrorism. Although the Department of State's Center for Strategic Counterterrorism Communications (CSCC) is doing some good work and represents a positive development in this space, now is the time to double down, do more, and hit back harder. The power of negative imagery, as in a political campaign, could be harnessed to hurt our adversaries and further chip away at their appeal and credibility in the eyes of peers, followers, and sympathizers. A sustained and systemic strategic communications effort aimed at exposing the hypocrisy of Islamists' words versus their deeds, could knock them off balance, as could embarrassing their leadership by bringing to light their seamy connections to criminal enterprises and drug-trafficking organizations. The increasingly hybrid nature of the threat presents additional opportunities in this last regard, as drugs and arms trafficking are used to finance terrorism, and so too kidnapping for ransom (think Abu Sayyaf and AQIM). Brokering in-fighting between and among al-Qaeda, its affiliates, and the broader jihadi orbit in which they reside, will damage violent Islamists' capability to propagate their message and organize operations both at home and abroad. Locally administered programs are especially significant, as many of the solutions reside outside the U.S. Government and will require communities policing themselves. In short, we could and should do more to drive wedges and foment distrust (including by exploiting points of conflict between local interests and the larger global aims of AQ); encourage defectors; delegitimize and disaggregate our adversaries' narrative; and above all, remember the victims.\20\ --------------------------------------------------------------------------- \20\ Frank J. Cilluffo, ``The Future of Homeland Security: Evolving and Emerging Threats'' Hearing Before the Senate Committee on Homeland Security & Governmental Affairs (July 11, 2012) http://www.gwumc.edu/ hspi/policy/Testimony%20-%20SHSGAC%20Hearing%20- %2011%20July%202012.pdf. --------------------------------------------------------------------------- As the distinction between home and abroad increasingly blurs, due in part to technologies and tools such as social media, it is important to study and ultimately institutionalize counterterrorism lessons learned elsewhere, including about tactics, techniques, and procedures. In the aftermath of the ``26-11'' Mumbai attacks, for instance, the Los Angeles, Las Vegas, and New York City Police Departments each sent a team of experts to Mumbai. The objective was to meet with Indian counterparts to learn about Mumbai's response model and then-existing loopholes, which knowledge LAPD, LVPD, and NYPD could then apply to their home cities, with an eye to closing gaps in their own counterterrorism strategies and operations. More initiatives of this kind are needed, as is the continuation of those that already exist (such as police exchanges). Endeavors of this type are particularly important in a resource-scarce environment, as they can help avoid the need to reinvent the wheel.\21\ --------------------------------------------------------------------------- \21\ Cilluffo, ``U.S.-India Counterterrorism Cooperation.'' --------------------------------------------------------------------------- To obtain a truly ``rich picture'' of the threat in this country, we must focus on the field--not the Beltway. As recent history shows, the military and intelligence communities have come to just such a field bias. For the counterterrorism community to do otherwise is to risk stifling and stymieing the good work being done where the rubber meets the road. State and local authorities can and should complement what the Federal Government does not have the capacity or resources to collect (or is simply not best-suited to do) in terms of intelligence; and thereby help determine the scope and contours of threat domains in the United States. Further leveraging our decentralized law enforcement infrastructure could also serve to better power our Fusion Centers, which should be given ample opportunity to flourish. The equivalent of Commanders' Intent, which gives those in the field the leeway to do what they need to do and which incorporates an honest ``hotwash'' after the fact to determine what went wrong and how to fix that, is needed in present civilian context for counterterrorism and intelligence purposes. Moreover, opportunities still exist to tap and apply intelligence and information from the field of organized crime to the field of counterterrorism, and vice versa. Hybrid thinking that marries up the two fields in this way, in order to further build our reservoir of knowledge on the counterterrorism side could prove valuable. Straightforward yet powerful steps remain to be taken. This was revealed starkly in multiple rounds of survey work--first with the major metropolitan intelligence chiefs and later with the fusion centers--that the Homeland Security Policy Institute (HSPI) recently completed in an attempt to bring a little science to the art of intelligence. For example, too few Fusion Centers currently do threat assessments. This is unacceptable, especially in a climate of limited resources in which allocation decisions (regarding human, capital, and financial resources) should be priority-ordered, meaning that scarce resources should be directed to those counter-threat measures, gaps, and shortfalls that constitute areas of greatest need. And Fusion Center-specific threat assessments are just a start. Regional threat assessments are also needed. Our adversaries do not respect local, State, or even National boundaries hence our response posture must be similarly nimble and cohesive. Yet according to HSPI survey research published in June of this year, only 29% of Fusion Center respondents reported that their Center conducted a regional threat assessment on at least a yearly basis. Almost half reported that their Centers simply did not conduct regional threat assessments. Furthermore, those working in the Fusion Centers have yet to be invested with the analytical skill-craft and training necessary for them to accomplish their mission. Current incentive structures place too much emphasis on information processing and not enough on analytical outcome. Greater resources should be allocated to the professional development of those working in the Centers. Within them lies untapped collection and analysis potential. Realizing and unleashing that potential will further bolster State and local law enforcement efforts, and help develop anticipatory intelligence to prevent terrorist attacks and the proliferation of criminal enterprise operations.\22\ In tandem, and without taking anything away from the Fusion Centers, Joint Regional Intelligence Groups (JRIGs) also have a role to play, including by helping to place National threat information into State and local context. --------------------------------------------------------------------------- \22\ Frank J. Cilluffo, Joseph R. Clark, Michael P. Downing, and Keith D. Squires ``Counterterrorism Intelligence: Fusion Center Perspectives'' HSPI Counterterrorism Intelligence Survey Research (CTISR) (June 2012). http://www.gwumc.edu/hspi/policy/ HSPI%20Counterterrorism- %20Intelligence%20- %20Fusion%20Center%20Perspectives%206-26-12.pdf. See also Frank J. Cilluffo, Joseph R. Clark, and Michael P. Downing ``Counterterrorism Intelligence: Law Enforcement Perspectives'' CTISR (September 2011). http://www.gwumc.edu/hspi/policy/HSPI%20Research%20Brief%20- %20Counterterrorism%20Intelligence.pdf. --------------------------------------------------------------------------- DHS continues to mature over time. However its capacities generally still remain reactive in nature. As a result, the Department's internal capabilities to assess future threats and then take actions are not yet evolved to the level that the security ecosystem demands. This is a significant shortfall, especially relative to the cyber domain where threats may morph and metastasize in milliseconds. Volume and pace in the cyber arena alone make for a serious challenge, including the potential for damage to critical U.S. infrastructure such as water and power systems, and telecommunications and finance. Since (as mentioned above) cyber tools/attacks may also be leveraged, acting as a force multiplier in connection with kinetic actions undertaken by our adversaries, the ability to look over the horizon and think creatively, including through the eyes of those of those who may bear hostile intent towards this country, is to be prized. Yet DHS does not currently have the built-in structural capacity to do so. Precisely because the Department must be able to respond to a wide range of threats that may materialize quickly, an Office of Net Assessment (ONA) could and should be created. The ONA would fill the much-needed role of brain trust, while remaining unfettered by the ``crisis du jour'' or the day-to-day demands flowing from intelligence needs and operations. The ever- shifting and unpredictable security environment facing the United States requires the constant questioning of assumptions, the asking of what-ifs, and the thinking of the unthinkable, all in order to identify game changers. The ONA should take a comprehensive, multi-disciplinary approach to its analysis, looking at the full range of factors which will alter and shape the security environment of the future, including social, political, technological, economic, demographic, and other trends. The duties of ONA should include studying existing threats in order to project their evolution into the future; studying trends in the weapons, technologies, modalities, and targets utilized by our adversaries (i.e., the events that can transform the security landscape); reviewing existing U.S. capabilities in order to identify gaps between current capabilities and the requirements of tomorrow's threats; conducting war games and red team scenarios to introduce innovative thinking on possible future threats; assessing how terrorist groups/cells could operate around, and/or marginalize the effectiveness of, policies and protective measures. Admittedly, this is a tall order. The alternative, however, is to walk into the future partly blind and thus remain more vulnerable than we need to or should be. This proposal is not new, I should add. To the contrary, it appeared in the January 2007 Homeland Security Advisory Council Report of the Future of Terrorism Task Force, for which I served as Vice Chairman together with Chairman Lee Hamilton.\23\ Now is the time-- indeed it is well past time--to take this recommendation off the page and enact it. Our adversaries are patient and they are long-term thinkers whose horizons extend well beyond weeks and months. To help counter them effectively, we must not lose sight of the long game either. Indeed, the general qualities needed from an organizational standpoint (U.S./DHS) mirror many of the traits that our adversaries have exhibited over time. They are proactive, innovative, well- networked, flexible, patient, young and enthusiastic, technologically savvy, and learn and adapt continuously based upon both successful and failed operations around the globe. We and our Government must be and do likewise. Our institutions, both their structure and culture, must be responsive to the ever-changing threat environment. This entails much more than rearranging boxes on an organization chart. Together with policy and technology, people are a crucial component of the equation. Organizational change will not take root unless supported by cultural change, which in turn takes time, leadership, and both individual and community commitment. Many at DHS have worked long and hard to bring about a cohesive and collaborative culture that drives mission success; but we would do well to keep striving on that front, if only because sustaining an end-state can be as difficult as arriving at it in the first place. --------------------------------------------------------------------------- \23\ http://www.dhs.gov/xlibrary/assets/hsac-future-terrorism- 010107.pdf. --------------------------------------------------------------------------- The type of forward-leaning assessment and evaluation described above could have a range of salutary knock-on effects, including the possibility of better-calibrated budgeting, operational planning, and acquisitions, through the provision of a foundation from which forward- estimates may be derived. As things now stand, the Department still has a ways to go in terms of aligning actions with future threats--although the Quadrennial Homeland Security Review (QHSR), while less than perfect, has served as a useful starting point. Still, as a mechanism and process for helping to bring DHS resources and plans into sync with the threat environment, the QHSR is not as forward-leaning as it could or should be. The country would be better served by a more robust posture and process, one that anticipates threats before they manifest, and that allows the Secretary to determine what tools are needed for meeting them, what force structure is needed (at the Federal, State, and local levels), and what resources are needed from Congress to make that plan a reality. Importantly, we do not yet have a true ``rich picture'' of the domestic threat landscape because the National Intelligence Estimate (NIE) does not fully elaborate upon that dimension. This gap must be remedied, with State and local officials at the heart of that exercise, because they are best-positioned to undertake the task. Cyber threats in particular manifest in nanoseconds, and we need to be able to enact cyber response measures that are almost as quick. This means developing and implementing an ``active defense'' capability to immediately attribute and counter attacks and future threats in real- time. Although much work remains to be done on the counterterrorism side, the country has achieved significant progress in this area. In contrast, the U.S. cybersecurity community's state of development is akin to that of the counterterrorism community as it stood shortly after 9/11. Despite multiple incidents that could have served as galvanizing events to shore up U.S. resolve to formulate and implement the changes that are needed, and not just within Government, we have yet to take those necessary steps. Officials in the homeland security community should therefore undertake contingency planning that incorporates attacks on U.S. infrastructure. At minimum, ``red- teaming'' and additional threat assessments are needed. The latter should include modalities of attack and potential consequences. Working together with DHS Intelligence and Analysis colleagues, the Department's National Protection and Programs Directorate (NPPD) could and should do more in terms of threat and intelligence reporting, especially in relation to critical infrastructure, where DHS is well- positioned to add real and unique value given the Department's relationship with and responsibilities towards the private sector. Consider the cyber-attacks on Saudi Aramco and Qatari RasGas this past summer, which hit thousands of computers at these critical oil and gas producers with a virus. As events unfolded, one would expect that counterpart industries here in the United States would have welcomed DHS products that directly assessed these events and kept U.S. owners and operators abreast of latest developments, their broader significance and potential follow-on implications. The United States should also develop and clearly articulate a cyber-deterrence strategy. Such a deterrence policy should apply generally, and also in a tailored manner that is actor/adversary- specific. A solid general posture could serve as an 80 percent solution, neutralizing the majority of threats before they manifest fully. This, in turn, would free up resources (human, capital, technological, etc.) to focus our limited resources and bandwidth on the high-end of the threat spectrum and on those which are most sophisticated and persistent. To operationalize these recommendations, we must draw lines in the sand. Preserving flexibility of U.S. response by maintaining some measure of ambiguity is useful, so long as we make parameters clear by laying down certain markers or selected redlines whose breach will not be tolerated. More investment needs to be made in our offensive capability as well, in order to support the foregoing proposals in terms of practice and at the level of principle (to signal a credible commitment). Cybersecurity by definition is transnational in nature and will require some level of transnational solutions, yet it must not be approached like an arms control treaty (i.e., attribution and verification are still a ways away). Notably NPPD, which manages the cyber-portfolio for DHS, has done some good work in the international arena, including cyber-specific capacity-building efforts and exercises, in multilateral settings and with bilateral partners. However, as the Department's Inspector General noted in a report issued just this month,\24\ DHS must continue to build on its Cybersecurity Strategy of November 2011,\25\ such as by clearly delineating ``roles and responsibilities'' for NPPD.\26\ --------------------------------------------------------------------------- \24\ DHS Office of Inspector General, DHS Can Strengthen Its International Cybersecurity Programs (Redacted) (August 2012) http:// www.oig.dhs.gov/assets/Mgmt/2012/OIGr_12-112_Aug12.pdf. \25\ Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise http://www.dhs.gov/ xlibrary/assets/nppd/blueprint-for-a-secure-cyber-future.pdf. \26\ Mickey McCarter, ``NPPD Lacks Strategy To Guide International Cybersecurity Efforts'' Homeland Security Today (September 4, 2012) http://www.hstoday.us/ index.php?id=3392&no_cache=1&tx_ttnews%5Btt_news%5D=25801. --------------------------------------------------------------------------- Plainly we have not yet made the requisite business case for the private sector to undertake and implement needed cybsecurity measures. This represents a fundamental problem, given that the majority of critical infrastructure in this country is owned and operated by the private sector. The urgency for making this case needs no further explanation, but we must take care to strike just the right balance of carrots--such as tax breaks, priority in Government contracting opportunities, and indemnification of liability, allowing those who have done what has been asked of them to avoid costly litigation--and sticks; and of measures that ensure both privacy and security. To help ensure compliance with standards and best practices, a ``Good Housekeeping'' seal of approval could be granted to those who meet the bar. To the extent that this encourages industry-wide adoption and robust outcomes, such measure could spur the insurance and reinsurance sectors to step into the fray. In addition, the Federal Government has a responsibility to share threat information (i.e., signatures, hostile plans and techniques to degrade, disrupt or destroy systems) that places our critical infrastructures at risk. The pilot program introduced within the confines of the defense industrial base offers a solid starting point, and an example of a promising information-sharing environment.\27\ It probably should go without saying, but part of leading by example also entails the U.S. Government striving to place its own house in order, as a crucial corollary to meeting the threat. --------------------------------------------------------------------------- \27\ Frank J. Cilluffo and Andrew Robinson, ``While Congress Dithers, Cyber Threats Grow Greater'' Nextgov.com (July 24, 2012) http://www.nextgov.com/cybersecurity/2012/07/while-congress-dithers- cyber-threats-grow-greater/56968/. --------------------------------------------------------------------------- In conclusion, the challenges that lie on the horizon remain substantial, but with the requisite will and leadership--to lean forward and exhibit a field bias towards military, intelligence community, and law enforcement experts on the front lines--the country can and will continue to make progress towards meeting those imperatives. Again, I wish to thank the Committee and its staff for the opportunity to testify today, and I would be pleased to try to answer any questions that you may have. Chairman King. Thank you, Mr. Cilluffo. Our final witness is Mr. David Maurer. He is a GAO director in the Homeland Security and Justice Team, where he leads GAO's work reviewing DHS and DOJ management issues. His recent work in these areas includes DHS management integration, the Quadrennial Homeland Security Review, Secret Service financial management, DOJ grant management, Federal prison system, and an assessment of technologies for detecting explosives in the passenger rail environment. Mr. Maurer has testified before this committee several times and, surprisingly, he has agreed to come back again. So we thank you very much for your testimony, and look forward to it. Thank you for your service. STATEMENT OF DAVID C. MAURER, DIRECTOR, HOMELAND SECURITY AND JUSTICE, GOVERNMENT ACCOUNTABILITY OFFICE Mr. Maurer. Great. Thank you very much. Good morning, Chairman King, Ranking Member Thompson, other Members and staff. I am pleased to be here today to talk about DHS's on- going efforts to build a unified Department and position itself for the future. Since it began operations nearly a decade ago, DHS has made significant strides. Today, it has almost $60 billion in budget authority to carry out a wide variety of critical missions. Fending off terrorist threats, securing the border, safeguarding cyberspace, and providing disaster relief. However, DHS has considerable work ahead to address weaknesses in its current operations and management that hinder the Department's ability to achieve its full potential. As a result, DHS remains on our high-risk list. My main message today is this. At the root of many of the Department's problems is a fundamental cross-cutting and significant challenge; namely, DHS needs to do a better job managing its resources. Specifically, DHS needs a strong, unified management foundation that enables its components to execute their vital missions. DHS also needs to ensure that increasingly scarce resources are strategically managed and aligned with risk-based priorities. Making tough, informed resource decisions is important because DHS will never have enough people, money, and systems to fully address every threat. DHS has a lot of work ahead to achieve these goals. Two years ago, to help DHS with that task we identified 31 actions and outcomes that are critical to addressing the Department's challenges. DHS agreed to achieve these outcomes, and has taken actions to do so. But DHS isn't there yet. It currently lacks vital management capabilities to integrate the Department into something greater than the sum of its parts. For example, nearly every major DHS acquisition program has experienced funding instability, workforce shortfalls, and/or changes to their planned capabilities. DHS morale scores consistently among the lowest in the Federal Government. DHS has twice attempted, and failed, to build an integrated Department-wide financial management system. The Department has also struggled to achieve strategic visibility over how it allocates its resources. For example, Congress has appropriated nearly $40 billion for DHS grant programs, however DHS has limited visibility over how these funds are used, does not effectively coordinate across its various programs, and lacks mechanisms for assessing grant effectiveness. DHS also does not know how much it spends on research and development activities, and lacks policies to define and coordinate R&D across the Department. DHS says it plans to spend $167 billion on major acquisition programs in the coming years. But that is, at best, an educated guess. Most programs lack validated cost estimates, and DHS is still in the early stages of grappling with strategically managing these programs as a portfolio rather than on an individual basis. In recent years, DHS has worked hard to fix problems like these, and has achieved some key successes. For example, DHS obtained a qualified audit opinion on its balance sheet for the first time since its operation last year. It has significantly lowered its senior leadership vacancy rates. It has developed a promising new approach for reviewing its IT investments. We have also seen substantial senior-level support for a series of plans to help ensure that DHS's missions are supported by a sound management infrastructure. In particular, the Department's June 2012 strategy for addressing its high-risk designation is a good road map for taking DHS to where it wants to be. Looking ahead, DHS needs to show continued progress executing this ambitious agenda. Now, I know that ``management'' is not the most exciting word in the world, but it is vital. In fact, management is the glue that holds DHS together, the daily missions of the various DHS components, and the threats that they address very widely. To ensure the Department works as one, DHS needs a clear common vision, a unified management structure, and the ability to make tough, risk-based resource decisions to ensure that strategies drive budgets and not the other way around. DHS has made important strides achieving these goals, but the Department still has a great deal of work ahead. Improving how it manages its resources will help DHS carry out its vital missions and help secure the homeland. Mr. Chairman, thank you for the opportunity to testify this morning. I look forward to your questions. [The prepared statement of Mr. Maurer follows:] Prepared Statement of David C. Maurer September 20, 2012 department of homeland security.--continued progress made improving and integrating management areas, but more work remains gao-12-1041t Chairman King, Ranking Member Thompson, and Members of the committee: I am pleased to be here today to discuss the Department of Homeland Security's (DHS) efforts to strengthen and integrate its management functions. DHS now has more than 200,000 employees and an annual budget of almost $60 billion, and its transformation is critical to achieving its homeland security and other missions. Since 2003, GAO has designated the implementation and transformation of DHS as high- risk because DHS had to combine 22 agencies--several with major management challenges--into one Department, and failure to effectively address DHS's management and mission risks could have serious consequences for our National and economic security.\1\ This high-risk area includes challenges in strengthening DHS's management functions-- financial management, acquisition management, human capital, and information technology (IT)--the effect of those challenges on DHS's mission implementation, and challenges in integrating management functions within and across the Department and its components. --------------------------------------------------------------------------- \1\ GAO, High-Risk Series: An Update, GAO-03-119 (Washington, DC: January 2003); GAO, High-Risk Series: An Update, GAO-09-271 (Washington, DC: January 2009); High-Risk Series: An Update, GAO-07-310 (Washington, DC: January 2007); and High-Risk Series: An Update, GAO- 05-207 (Washington, DC: January 2005). --------------------------------------------------------------------------- In November 2000, we published our criteria for removing areas from the high-risk list.\2\ Specifically, agencies must have: (1) A demonstrated strong commitment and top leadership support to address the risks; (2) the capacity (that is, the people and other resources) to resolve the risks; (3) a corrective action plan that identifies the root causes, identifies effective solutions, and provides for substantially completing corrective measures in the near term, including but not limited to steps necessary to implement solutions we recommended; (4) a program instituted to monitor and independently validate the effectiveness and sustainability of corrective measures; and (5) the ability to demonstrate progress in implementing corrective measures. --------------------------------------------------------------------------- \2\ GAO, Determining Performance and Accountability Challenges and High Risks, GAO-01-159SP (Washington, DC: November 2000). --------------------------------------------------------------------------- On the basis of our prior work, in a September 2010 letter to DHS, we identified, and DHS agreed to achieve, 31 actions and outcomes that are critical to addressing the challenges within the Department's management areas and in integrating those functions across the Department to address the high-risk designation.\3\ These key actions and outcomes include, among others, obtaining and then sustaining unqualified audit opinions for at least 2 consecutive years on the Department-wide financial statements; validating required acquisition documents in accordance with a Department-approved, knowledge-based acquisition process; and demonstrating measurable progress in implementing its IT human capital plan and accomplishing defined outcomes.\4\ In January 2011, DHS issued its initial Integrated Strategy for High-Risk Management, which included key management initiatives (e.g., financial management controls, IT program governance, and procurement staffing model) to address challenges and the outcomes we identified for each management area. DHS provided updates of its progress in implementing these initiatives in later versions of the strategy--June 2011, December 2011, and June 2012. Achieving and sustaining progress in these management areas would demonstrate the Department's ability and on-going commitment to addressing our five criteria for removing issues from the high-risk list. --------------------------------------------------------------------------- \3\ See appendix I for a summary of the 31 actions and outcomes. \4\ An unqualified opinion states that the audited financial statements present fairly, in all material respects, the financial position, results of operations, and cash flows of the entity in conformity with generally accepted accounting principles. --------------------------------------------------------------------------- My testimony this morning, as requested, will discuss our observations, based on prior and on-going work, on DHS's progress in achieving outcomes critical to addressing its high-risk designation for the implementation and transformation of the Department. This statement is based on prior reports and testimonies we issued from June 2007 through September 2012 and letters we submitted to DHS in March and November 2011 providing feedback on the Department's January and June 2011 versions of its Integrated Strategy for High-Risk Management.\5\ For the past products, among other methodologies, we interviewed DHS officials; analyzed DHS strategies and other documents related to the Department's implementation and transformation high-risk area; and reviewed our past reports, issued since DHS began its operations in March 2003. All of this work was conducted in accordance with generally accepted Government auditing standards; more-detailed information on the scope and methodology from our prior work can be found within each specific report. This statement is also based on observations from our on-going work related to DHS IT investments.\6\ For this work, we analyzed recent cost and schedule performance for DHS's major IT investments as reported to the Office of Management and Budget as of March 2012. We will report on the final results of this review later this month. We are conducting this work in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. --------------------------------------------------------------------------- \5\ See the related products list at the end of this statement. \6\ This review is being conducted at the request of this Committee's Subcommittee on Oversight, Investigations, and Management; and Senator Thomas Carper, Chairman, Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security of the Senate Committee on Homeland Security and Governmental Affairs. --------------------------------------------------------------------------- dhs has made progress in addressing its management challenges, but has significant work ahead to achieve high-risk outcomes Since we designated the implementation and transformation of DHS as high-risk in 2003, DHS has made progress addressing management challenges and senior Department officials have demonstrated commitment and top leadership support for addressing the Department's management challenges. However, the Department has significant work ahead to achieve positive outcomes in resolving high-risk issues. For example, DHS faces challenges in modernizing its financial systems, implementing acquisition management controls, and improving employee satisfaction survey results, among other things. As DHS continues to mature as an organization, it will be important for the Department to continue to strengthen its management functions, since the effectiveness of these functions affects its ability to fulfill its homeland security and other missions. Financial management.--DHS has made progress in addressing its financial management and internal controls weaknesses, but has been unable to obtain an unqualified audit opinion on its financial statements since the Department's creation and faces challenges in modernizing its financial management systems. DHS has, among other things, reduced the number of material weaknesses in internal controls from 18 in 2003 to 5 in fiscal year 2011;\7\ --------------------------------------------------------------------------- \7\ A material weakness is a significant deficiency, or a combination of significant deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented or detected and corrected on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. --------------------------------------------------------------------------- achieved its goal of receiving a qualified audit opinion on its fiscal year 2011 consolidated balance sheet and statement of custodial activity for the first time since the Department's creation;\8\ --------------------------------------------------------------------------- \8\ A qualified opinion states that, except for the effects of the matter(s) to which the qualification relates, the audited financial statements present fairly, in all material respects, the financial position, results of operations, and cash flows of the entity in conformity with generally accepted accounting principles. The matter(s) to which the qualification relates could be due to a scope limitation, or the audited financial statements containing a material departure from generally accepted accounting principles, or both. --------------------------------------------------------------------------- established a goal of obtaining an audit opinion on all of its fiscal year 2012 financial statements; and expanded the scope of the annual financial audit to the complete set of fiscal year 2012 financial statements, which DHS believes will help it to obtain an unqualified opinion for fiscal year 2013.\9\ --------------------------------------------------------------------------- \9\ DHS's complete set of financial statements consist of the Balance Sheet, Statement of Net Cost, Statement of Changes in Net Position, Statement of Budgetary Resources, and Statement of Custodial Activity. --------------------------------------------------------------------------- However, DHS continues to face challenges in financial management. For example, DHS anticipates difficulties in providing its auditors transaction-level detail to support balances reported in its fiscal year 2012 financial statements in order to obtain an opinion on its financial statements. This is due to, among other things, components not retaining original acquisition documentation or enforcing policies related to recording purchases and making payments. DHS also anticipates its auditors issuing a disclaimer in their fiscal year 2012 report on internal controls over financial reporting due to material weaknesses in internal controls, such as lack of effective controls over the recording of financial transactions related to property, plant, and equipment. In addition, in December 2011, DHS reported that the Federal Emergency Management Agency (FEMA), U.S. Coast Guard (USCG), and U.S. Immigration and Customs Enforcement (ICE) have an essential business need to replace their financial management systems, but DHS has not fully developed its plans for upgrading existing or implementing new financial systems at these agencies. According to DHS's June 2012 version of its Integrated Strategy for High-Risk Management, the Department plans to extend the useful life of FEMA's current system by about 3 years, while FEMA proceeds with a new financial management system solution, and is in the process of identifying the specific approach, necessary resources, and time frames for upgrading existing or implementing new financial systems at USCG and ICE. Without sound processes, controls, and systems, DHS faces long-term challenges in obtaining and sustaining an unqualified opinion on both its financial statements and internal controls over financial reporting, and ensuring its financial management systems generate reliable, useful, timely information for day-to-day decision-making. We currently have on-going work related to DHS's efforts to improve its financial reporting that we expect to report on in the spring of 2013.\10\ --------------------------------------------------------------------------- \10\ We are doing this work at the request of the Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security of the Senate Committee on Homeland Security and Governmental Affairs. --------------------------------------------------------------------------- Acquisition management.--DHS has made progress in the acquisition management area by enhancing the Department's ability to oversee major acquisition programs. For example: DHS has established eight Centers of Excellence for cost estimating, systems engineering, and other disciplines to bring together program managers, senior leadership staff, and subject matter experts to promote best practices, provide expert counsel, technical guidance, and acquisition management tools; and each DHS component has established a Component Acquisition Executive (CAE) to provide oversight and support to programs within the component's portfolio. According to DHS, as of June 2012, 75 percent of the core CAE support positions were filled. In March 2012, DHS completed the development of a Procurement Staffing Model to determine optimal numbers of personnel to properly award and administer contracts. In June 2012, DHS reported that it is taking steps to implement the staffing model throughout headquarters and the components. DHS included a new initiative (strategic sourcing) in its December 2011 Integrated Strategy for High-Risk Management to increase savings and improve acquisition efficiency by consolidating contracts Department-wide for the same kinds of products and services. The Office of Management and Budget's Office of Federal Procurement Policy has cited DHS's efforts among best practices for implementing Federal strategic sourcing initiatives. Earlier this month, we reported that the Department has implemented 42 strategically-sourced efforts since the Department's inception.\11\ According to DHS data, the Department's spending through strategic sourcing contract vehicles has increased steadily from $1.8 billion in fiscal year 2008 to almost $3 billion in fiscal year 2011, representing about 20 percent of DHS's procurement spending for that year. --------------------------------------------------------------------------- \11\ GAO, Homeland Security: DHS Has Enhanced Procurement Oversight Efforts, but Needs to Update Guidance, GAO-12-947 (Washington, DC: Sept. 10, 2012). --------------------------------------------------------------------------- However, DHS continues to face significant challenges in managing its acquisitions. For example: Earlier this week, we reported that 68 of the 71 program offices we surveyed from January through March 2012 responded that they experienced funding instability, workforce shortfalls, and/or changes to their planned capabilities over the programs' duration.\12\ We have previously reported that these challenges increase the likelihood acquisition programs will cost more and take longer to deliver capabilities than expected.\13\ --------------------------------------------------------------------------- \12\ GAO, Homeland Security: DHS Requires More Disciplined Investment Management to Help Meet Mission Needs, GAO-12-833 (Washington, DC: Sept. 18, 2012). \13\ GAO, Department of Homeland Security: Assessments of Complex Acquisitions, GAO-10-588SP (Washington, DC: June 30, 2010). --------------------------------------------------------------------------- Our recent review of DHS acquisition management also identified that while DHS's acquisition policy reflects many key program management practices that could help mitigate risks and increase the chances for successful outcomes, it does not fully reflect several key portfolio management practices, such as allocating resources strategically.\14\ DHS plans to develop stronger portfolio management policies and processes, but until it does so, DHS programs are more likely to experience additional funding instability, which will increase the risk of further cost growth and schedule slips. We recommended that DHS take a number of actions to help mitigate the risk of poor acquisition outcomes and strengthen the Department's investment management activities. DHS concurred with all of our recommendations and noted actions it had taken or planned to address them. --------------------------------------------------------------------------- \14\ GAO-12-833. --------------------------------------------------------------------------- Human capital management.--DHS has taken a number of actions to strengthen its human capital management. For example: DHS issued human capital-related plans, guidance, and tools to address its human capital challenges, including a Workforce Strategy for 2011-2016; a revised Workforce Planning Guide, issued in March 2011, to help the Department plan for its workforce needs; and a Balanced Workforce Strategy tool, which some components have begun using to help achieve the appropriate mix of Federal and contractor skills. The Department implemented two programs to address senior leadership recruitment and hiring, as we reported in February 2012.\15\ While DHS's senior leadership vacancy rate was as high as 25 percent in fiscal year 2006, it varied between 2006 and 2011 and declined overall to 10 percent at the end of fiscal year 2011.\16\ --------------------------------------------------------------------------- \15\ GAO, DHS Human Capital: Senior Leadership Vacancy Rates Generally Declined, but Components' Rates Varied, GAO-12-264 (Washington, DC: Feb. 10, 2012). \16\ GAO-12-264. --------------------------------------------------------------------------- DHS developed outreach plans to appeal to veterans and other underrepresented groups. While these initiatives are promising, DHS continues to face challenges in human capital management. For example: As we reported in March 2012, based on our preliminary observations of DHS's efforts to improve employee morale, Federal surveys have consistently found that DHS employees are less satisfied with their jobs than the Government-wide average.\17\ DHS has taken steps to identify where it has the most significant employee satisfaction problems and developed plans to address those problems, such as establishing a Department-wide Employee Engagement Executive Steering Committee, but has not yet improved employee satisfaction survey results. We plan to issue a final report on our findings later this month.\18\ --------------------------------------------------------------------------- \17\ GAO, Department of Homeland Security: Preliminary Observations on DHS's Efforts to Improve Employee Morale. GAO-12-509T (Washington, DC: Mar. 22, 2012). \18\ We are doing this work at the request of this Committee's Subcommittee on Oversight, Investigations, and Management; and Senator Susan Collins, Ranking Member of the Senate Committee on Homeland Security and Governmental Affairs. --------------------------------------------------------------------------- As we reported in April 2012, changes in FEMA's workforce, workload, and composition have created challenges in FEMA's ability to meet the agency's varied responsibilities and train its staff appropriately.\19\ For example, FEMA has not developed processes to systematically collect and analyze agency-wide workforce and training data that could be used to better inform its decision making. We recommended that FEMA, among other things, identify long-term quantifiable mission- critical goals, establish lines of authority for agency-wide workforce planning and training efforts, and develop systematic processes to collect and analyze workforce and training data. DHS concurred with our recommendations and reported actions underway to address them. --------------------------------------------------------------------------- \19\ GAO, Federal Emergency Management Agency: Workforce Planning and Training Could Be Enhanced by Incorporating Strategic Management Principles, GAO-12-487 (Washington, DC: Apr. 26, 2012). --------------------------------------------------------------------------- Information technology management.--DHS has made progress in strengthening its IT management, but the Department has much more work to do to fully address its IT management weaknesses. Among other accomplishments, DHS has: strengthened its enterprise architecture;\20\ --------------------------------------------------------------------------- \20\ An enterprise architecture can be viewed as a blueprint for organizational transformation and IT modernization. --------------------------------------------------------------------------- defined and begun to implement a vision for a tiered governance structure intended to improve program and portfolio management, as we reported in July 2012;\21\ and --------------------------------------------------------------------------- \21\ GAO, Information Technology: DHS Needs to Further Define and Implement Its New Governance Process, GAO-12-818 (Washington, DC: July 25, 2012). --------------------------------------------------------------------------- established a formal IT Program Management Development Track and staffed Centers of Excellence with subject matter experts to assist major and non-major programs. Based on preliminary observations from our review of DHS's major at-risk IT acquisitions we are performing for the committee, these improvements may be having a positive effect. Specifically, as of March 2012, approximately two-thirds of the Department's major IT investments we reviewed (47 of 68) were meeting current cost and schedule commitments (i.e. goals). DHS has made progress, but the Department has much more work to do to fully address its IT management weaknesses. For example, the Department needs to: finalize the policies and procedures associated with its new tiered governance structure and continue to implement this structure, as we recommended in our July 2012 report;\22\ --------------------------------------------------------------------------- \22\ GAO-12-818. --------------------------------------------------------------------------- continue to implement its IT human capital plan, which DHS believed would take 18 months to fully implement as of June 2012; and continue its efforts to enhance IT security by, among other things, effectively addressing material weaknesses in financial systems security, developing a plan to track and promptly respond to known vulnerabilities, and implementing key security controls and activities. Management integration.--DHS has made progress in integrating its individual management functions across the Department and its component agencies. For example, DHS has put into place common policies, procedures, and systems within individual management functions, such as human capital, that help to integrate its component agencies, as we reported in September 2011.\23\ To strengthen this effort, in May 2012, the Secretary of Homeland Security modified the delegations of authority between the Management Directorate and their counterparts at the component level. According to DHS, this action will provide increased standardization of operating guidelines, policies, structures, and oversight of programs. Additionally, DHS has taken steps to standardize key data elements for the management areas across the Department to enhance its decision making. For example, in April 2012, the under secretary for management appointed an executive steering committee and tasked this committee with creating a ``Data Mart'' to integrate data from disparate sources and allow the dissemination of timely and reliable information by March 2013. Further, consistent with our prior recommendations, DHS has implemented mechanisms to promote accountability for management integration among Department and component management chiefs by, among other things, having the Department chiefs develop written objectives that explicitly reflect priorities and milestones for that management function.\24\ --------------------------------------------------------------------------- \23\ GAO, Department of Homeland Security: Progress Made and Work Remaining in Implementing Homeland Security Missions 10 Years after 9/ 11, GAO-11-881 (Washington, DC: Sept. 7, 2011). \24\ GAO, Department of Homeland Security: Actions Taken Toward Management Integration, but a Comprehensive Strategy Is Still Needed, GAO-10-131 (Washington, DC: Nov. 20, 2009). --------------------------------------------------------------------------- Although these actions are important, DHS needs to continue to demonstrate sustainable progress in integrating its management functions within and across the Department and its components and take additional actions to further and more effectively integrate the Department. For example, DHS recognizes the need to better integrate its lines of business. The Integrated Investment Life Cycle Model (IILCM), which the Department is establishing to manage investments across the Department's components and management functions, is an attempt at doing that. DHS identified the IILCM as one of its most significant management integration initiatives in January 2011. However, the June 2012 update reported that this initiative is in its early planning stages, will be phased in over multiple budget cycles, and requires additional resources to fully operationalize. In September 2012, DHS reported that it has developed draft policy and procedural guidance to support implementation of the IILCM and now plans to begin using aspects of this new approach to develop portions of the Department's fiscal years 2015 through 2019 budget. DHS strategy for addressing GAO's high-risk designation.--In January 2011, DHS issued an agency-wide management integration strategy--the Integrated Strategy for High-Risk Management--as we recommended in our March 2005 report on DHS's management integration efforts.\25\ DHS's most recent version of the strategy, issued in June 2012, greatly improved upon prior versions and addressed feedback we previously provided by, for example, identifying key measures and progress ratings for the 18 initiatives included in the strategy and the 31 outcomes.\26\ We believe the June 2012 strategy, if implemented and sustained, provides a path for DHS to address our high-risk designation. --------------------------------------------------------------------------- \25\ GAO, Department of Homeland Security: A Comprehensive and Sustained Approach Needed to Achieve Management Integration, GAO-05-139 (Washington, DC: Mar. 16, 2005). \26\ GAO-10-131. --------------------------------------------------------------------------- DHS can further strengthen or clarify its Integrated Strategy for High-Risk Management to better enable DHS, Congress, and GAO to assess the Department's progress in implementing its management initiatives by, among other things: Determining the resource needs for all of the corrective actions in the strategy; communicating to senior leadership critical resource gaps across all initiatives; and identifying program and project risks in a supporting risk mitigation plan for all initiatives. Going forward, DHS needs to continue implementing its Integrated Strategy for High-Risk Management and show measurable, sustainable progress in implementing its key management initiatives and corrective actions and achieving outcomes. We will continue to monitor, assess, and provide feedback on DHS's implementation and transformation efforts through our on-going and planned work, including the 2013 high-risk update that we expect to issue in January 2013. Chairman King, Ranking Member Thompson, and Members of the committee, this concludes my prepared statement. I would be pleased to respond to any questions that you may have. Appendix I: Summary of Actions and Outcomes for Addressing the Implementing and Transforming the Department of Homeland Security High- Risk Area On the basis of our prior work, in a September 2010 letter to the Department of Homeland Security (DHS), we identified 31 actions and outcomes that are critical to addressing the challenges within the Department's management areas and in integrating those functions across the Department, thus addressing the high-risk designation. This appendix provides a summary of the 31 actions and outcomes. financial management 1. Maintain top management commitment to correcting weaknesses. 2. Address internal control, business process, and systems weaknesses. 3. Commit sufficient resources to implement financial system modernization and complete a full-scope audit of the Department's basic financial statements. 4. Expand scope of financial statement audit to include an opinion on all of the Department's basic financial statements. 5. Sustain clean opinions for at least 2 consecutive years. 6. Comply with the Federal Financial Management Improvement Act of 1996. 7. Embrace best practices for financial system modernization. 8. Establish contractor oversight mechanisms for financial system modernization. 9. Successfully implement new or upgrade existing financial systems as needed throughout the Department, including the U.S. Coast Guard (USCG), Federal Emergency Management Agency (FEMA), and U.S. Immigration and Customs Enforcement (ICE). acquisition management 1. Validate required acquisition documents in a timely manner at major milestones, including life-cycle cost estimates, in accordance with a Department-approved, knowledge-based acquisition process. 2. Improve component acquisition capability. 3. Establish a Joint Requirements Council or a similar body. 4. Ensure a sufficient number of trained acquisition personnel are in place at the Department and component levels. 5. Establish and demonstrate measurable progress in achieving goals that improve programs' compliance with the Department's established processes and policies. For major acquisitions, demonstrate that actual cost and schedule performance are within baseline thresholds. human capital management 1. Implement a human capital strategic plan. 2. Link workforce planning to other Department planning efforts. 3. Enhance recruiting to meet current and long-term needs. 4. Base human capital decisions on competencies and performance. 5. Seek employees' input to strengthen human capital approaches and activities. 6. Improve scores on the Office of Personnel Management's Federal Employee Viewpoint Survey. 7. Assess and improve training, education, and development programs. information technology management 1. Demonstrate achievement of stage 4 of GAO's Enterprise Architecture Management Maturity Framework (that is, completing and using an enterprise architecture for targeted results). 2. Establish and implement information technology (IT) investment management best practices. 3. Establish and implement IT system acquisition management processes. 4. Show progress in implementing the IT strategic human capital plan. 5. Demonstrate for at least two consecutive investment increments that cost and schedule performance is within the established threshold baseline for major investments. 6. Enhance the security of internal IT systems and networks. management integration 1. Implement actions and outcomes in each management area. 2. Revise management integration strategy to address characteristics we previously recommended, such as set implementation goals and a time line to monitor progress. 3. Establish performance measures to assess progress made in achieving Department-wide management integration. 4. Promote accountability for management integration among Department and management chiefs through the performance management system. Chairman King. Thank you, Mr. Maurer. Now I will recognize myself for questions. I would ask this question of each of you. Mr. Baker gave the Department an A as far as thinking seriously about keeping terrorists out. I would like to ask each of you, though, how effective do you think DHS has been in making itself part of the counterterrorism community, the intelligence community, and receiving the cooperation from the other big players? What appeared to be my personal experience at the time, at least anecdotally, they were not getting the respect early on. They were considered, you know, the new kids on the block. Has that improved, and how well-integrated are they into a cohesive counterterrorism system? Mr. Skinner. Mr. Skinner. I do agree that early on they did not get the respect that they should have. At the time I left, I think they were still facing challenges with bringing something to the table, so to speak, in the intelligence community. A lot of this dealt with the simple issues of trust. Other issues were just the mere nature of what they were bringing to the table. It was historic data. It wasn't something, a strategic dialogue, as to where the challenges were. I think someone hit on this earlier today. That we need to do a better job of actually stepping back and thinking the what-ifs that can occur in this country. Also the things that we can be doing better with regard to infrastructure. So in my assessment, I think we have a very, very long way to go yet in the intelligence community as far as being a major player, at least at the time I left about 18 months ago. Chairman King. Thank you. Secretary Baker. Mr. Baker. Well, I used to say that--at the beginning of DHS, your assessment is quite correct. I once described hiring Charlie Allen as the equivalent of the Mets hiring Casey Stengel. It gave us more credibility than we had before, but we still have a long way to go. DHS is an unusual participant in the intelligence community. There are a lot of participants who are basically takers of intelligence and analysts of the intelligence that they get. Then there are some very big producers of intelligence. DHS is neither of those things. It does analyze intelligence, and it does produce intelligence of a sort. Particularly travel data. That has proven to be increasingly useful. So my sense is that, indeed, there is a little bit of tension between them and NCTC over who is in charge of gathering and using this data. You know, if you have turf tension that suggests you are contributing something that somebody else would like to be contributing. So I think they have moved forward substantially. One area they are not yet maximizing their opportunities in is cyber, where we know a lot about the attackers. We learn that by using law enforcement authorities. DHS has all these law enforcement investigators, Secret Service and ICE, that should be carrying out law enforcement investigations strategically to learn more about our attackers and then embarrass them as dramatically as possible. My sense is that the law enforcement guys are all overdoing their investigations without a lot of coordination and a lot of strategy from NPPD and the cyber operations. We could contribute more if we were a little more strategic about how we used our law enforcement resources. Chairman King. Thank you. Mr. Cilluffo. Mr. Cilluffo. Clearly, intelligence is the lifeblood for our campaign against terrorism in all facets. I would argue that I probably take a less positive view in terms of where the Department is writ large. First, I don't think we have the equivalent. We all know National intelligence estimates in terms of racking and stacking capabilities of our adversaries overseas. We have intelligence estimates that look at threats to the homeland. But what do we have where you have a legitimate home- grown threat? The foreign-domestic divide is blurring today. Social technology and everything else makes it very difficult. The word over here has an effect over there, and vice versa. So I would argue the emphasis should be pushing out our capabilities to support and enable our fusion centers on the front lines. State and local law enforcement is ultimately best positioned and, in many cases, most competent to deal with these issues. The joint regional intelligence groups that the FBI is standing up, we have got to find ways to make sure that all these pieces can, in fact, come together. To take National data, to put it into local context. Ultimately, that is translating that data for our State and local authorities who are best positioned to address these issues. On the cyber side, we have a long ways to go. I mean, if you look back since 9/11, I would argue the greatest breakthroughs which no one is really talking about in our counterterrorism efforts have been the synchronization of Titles 10 and Title 50; basically, where the intelligence community meets the defense establishment. Cyber. This is an area where we clearly need to look at some of those same synchronizations of authorities and capabilities. Doesn't exist at the State and local. Then when you start looking at the homeland, in particular, I think Stewart captured it. NSA has got the capability, DHS has the authority. NSA doesn't have many of the authorities, and DHS doesn't have many of the capabilities. How do we start bridging that gap in a way that is true to who we are as a country from a privacy perspective? I think that is the big issue we are all struggling with right now. Chairman King. Thank you. Mr. Maurer. Mr. Maurer. Yes. Mr. Chairman, I mean obviously, over the course of the last decade there have been a number of substantial changes in the overall structure of the intelligence community. I mean, sort of operating in parallel with a stand-up in operation of DHS was the creation of the NCTC, the standing up of OD&I, the fundamental restructuring and refocus of the FBI. All these things were happening simultaneously. DHS is clearly at the table as part of this on-going effort. I wouldn't characterize them as playing their leading role. In some respects, appropriately so. FBI is late on some things, for example. We issued a report earlier this morning looking at DHS's central efforts to improve information sharing of terrorist-related information. What we found there was encouraging. We think that DHS is on a good path on that front. They have shown good leadership. We are concerned about their lack of metrics to be able to establish whether or not they are making progress towards their goals. But we think they are off to a good start in that respect. So we will be certainly watching that area, as well. That is another one of our high-risk issues, and DHS is one of 5 main agencies that play in that realm. Chairman King. Thank you. My time has expired. I would ask you if you could get back to me in writing. I have two quick questions. No. 1: How significant is it that the Saint Elizabeths project has been pushed back? How important is it for the Department to have, you know, one coherent central location? Second: Is there any way that the progress of DHS could be compared to the growth of the Defense Department after World War II? Are they on the same path? With that, I yield to the gentleman. If you can get back to me in 30 days, in writing, I would appreciate it. The gentleman from Mississippi. Mr. Thompson. Thank you very much, Mr. Chairman. Some will argue that the direction of this Department mirrors the direction it receives. Part of that direction comes from Congress. I have shared with you my concern about jurisdiction. But since we have four very qualified individuals to talk about the subject of jurisdiction and the Department, can you just share individually whether or not you believe it is a good thing for Congress to vest jurisdiction for DHS within one committee like a number of other departments have? Agriculture, just to talk a little bit about one, there are some small pieces elsewhere. But primarily, jurisdiction is there. I will start with you, Mr. Skinner. Mr. Skinner. Absolutely. My own experiences when I was the IG at DHS, people talk about over 100. I dealt with about 88 committees and subcommittees. This is very time-consuming, resource-intensive. We receive, constantly, mixed messages as to the direction the Congress wanted the Department to go. It created, in my opinion, a lot of problems. Not only for our office, but this is also compounded when you look at it from a Department-wide perspective. Having to answer to so many different committees, so many different directions. The time spent, I think, can be better spent in building a better Department. But yes, absolutely. I think it would be very worthwhile if we could consolidate some of this oversight into one committee. Mr. Thompson. Mr. Baker. Mr. Baker. I completely agree. It is a sign of lack of seriousness that the Congress did not accept even the 9/11 Commission recommendations on this regard. It is very disappointing that it has continued as long as it has, very strong. I do agree. Imagine trying to run a company and you have 88 outside boards of directors you are held accountable to, none of whom agree in the common end-state. Well, everyone agrees that we want to make the country more safe, but with changes. I think it is debilitating. I don't think the Department can mature when it has so many different approaches in terms of oversight. The big issue, I would also suggest, is to be able to align budgets to priorities. You have got to also look at the appropriator-authorizer connect, which--I know, I chuckle myself. I sometimes say we have three parties in this country-- Republicans, Democrats, and Appropriaters. But at the end of the day---- Mr. Thompson. You are correct. Mr. Baker [continuing]. That is a big issue. Mr. Cilluffo. That has certainly been an issue that DHS has--been a burden for them from the time the Department has been created. But I think as you know that, you know, GAO works for the Congress as a whole. Obviously, we are strong advocates of very aggressive and hands-on oversight. So we don't take a position on how Congress divides up its jurisdiction, other than to say that we are there to support making those decisions. So if there is any information we can offer to help with that, we would be glad to offer that. I will say that this problem is not necessarily unique to DHS, but it is probably unusual relative to other departments in the Executive branch. Mr. Thompson. Thank you. I would like just to go on the record in support of what Mr. Baker and the others have said. That the 9/11 report, Commission report, this is really the only thing that is still left outstanding. Is that somehow we all agree that it is outstanding, but we can't agree to do it. I think that is a failure on Congress' part to step up. I will just say for the record again, Mr. King--whether you are Chair or I am Chair--we need to send that letter again to our leadership, jointly signed by us, saying it should be done and already has been made part of the record. We agree on it. I look forward in January to authoring or coauthoring a letter indicating a continuing interest on our part for that consolidated jurisdiction. I yield back. Chairman King. The Ranking Member yields back. I recognize the gentleman from Alabama, the subcommittee Chairman, Mr. Rogers. Mr. Rogers. Thank you, Mr. Chairman. It is good to have Mr. Skinner and Mr. Baker back before us, as they have been many times in the past. I look forward to hearing from our other witnesses. As you all are aware, I chair the TSA subcommittee. We have held, as a part of our hearing process, three hearings on the procurement acquisition process, which has a problem in TSA. But it has a problem Department- wide, as you all know. GAO just released its most recent report examining this acquisition process. One of the most disappointing facts, which we also found in our hearings, was that most of DHS's major programs reported their planned capabilities changed well into the procurement process. Which obviously costs money, but not just for the Department. But it costs money for the private sector. When you throw out these requests for proposals without talking to anybody first about what is possible, and then when they come back and say, ``Well, we can't do that, but here is what we can do,''--and they have spent several hundred thousand dollars--you say, ``Well, that is not what we want,'' and they pull it back, it is completely unfair to the private sector. But it also doesn't help us achieve the goals that we are trying to achieve with the Department. I am interested in your thoughts on what we can do to remedy that. What is practical? Let us start with Mr. Baker. Mr. Baker. I will not pretend to be an acquisition expert. But my overall view of the acquisition process of the various parts of the Department is, this has turned out to be something that only a truly mature agency can do well. CBP certainly has problems, but has managed its procurements better than most of the components of the Department. TSA, as a new agency, doesn't have the kind of depth of staff and experience to do it as well as CBP. Mr. Rogers. Right. Well, that is one of the things I have mentioned to them in the hearings, is you are exactly right. A mature department does it well. And the best example is DoD. They found all the potholes in the road, and they know how to get around them. I have urged TSA and DHS as a whole to model their process after DoD, and they pushed back hard against it. I don't understand why. Mr. Baker. You know, it is the process, it is certainly true, where DoD has been in every pothole that you can find out there. Part of it is just personnel. You need personnel who have been doing this and made some mistakes, and understand how those mistakes are going to play out, and who are not wooed away by contractors to get new business in the future. I have often thought that we ought to find a way to penalize people who hire our procurement officials in the first 5 years of their service. Because part of the problem is having a real depth of staff. Mr. Rogers. Anybody else? Mr. Maurer. Mr. Maurer. Yes, I think the first thing that DHS needs to do is just follow their own policies and procedures on acquisition. One of the things we found in the report that was issued yesterday was that we actually gave their policies pretty good marks. Their best practice, the problem has been they haven't been consistently following them. If they followed their own rules they would have better outcome. Mr. Rogers. Why do you think that is? Mr. Maurer. Well, I think in the early years of the Department, and it continues even today, there is an overriding sense of urgency, which is important. It is part of their mission. But it leads to---- Mr. Rogers. Purchasing puffer machines. Mr. Maurer. Puffer machines that don't work. It leads to rushing to failure. There has been a whole host of those. SBInet and ASP and CAARS. There is a whole alphabet soup of failed acquisitions that DHS has had over the years. This report is the latest example of that. I know the subcommittee--Mr. McCaul's subcommittee-- tomorrow is having a hearing on this to talk more in depth. So I think, yes, first-off DHS needs to follow their policies. I think they have some real shortages in terms of qualified staff to help oversee and review these acquisition programs. The third issue they really have to come to terms with is that they probably signed themselves up to purchase more acquisition programs than they are likely to be able to afford in outyears. I mentioned in my statement, there is almost $170 billion in sort-of total life-cycle costs. That is a rough guess. I mean, they don't really know what they have signed themselves up for. If we are going to continue to face tough budget times, they are going to have to make some really hard decisions on where they are going to put their resources. Mr. Rogers. I agree. One of the things I have pushed them to do, though, and it is hard to get them to do, is to start conversing with the private sector in advance. To call the private sector in, do a notice on FedBizOpps or whatever. Bring them in, and say, ``Listen, these are the things we are trying to accomplish. What is possible?'' Get some dialogue going. Yes, sir. Mr. Cilluffo. Mr. Rogers. Beyond simply as it affects TSA, but generally speaking, metric performance measures. I don't mean to get too philosophical, but at the end of the day what gets measured gets done. But are we measuring what matters? It is that second set of questions that I think you can see improvement in the future. Wherein the Quadrennial Homeland Security Review aligns with a bottom-up review so you can actually--a policy without resources is rhetoric. But if you can actually match up the priorities from a budgetary standpoint, that is kind of the way the Department of Defense does it with the Palm process and with the QDR. One thing I might note though, that it took the Goldwater- Nichols Act to be able to really prioritize those needs that were purple, that were across services, that were unique beyond any particular military service. The Department doesn't have a COCOM-like structure. Maybe it should. That is a different set of questions. But it doesn't at this point. Mr. Rogers. Excellent. Thank you. I yield back. Chairman King. The gentleman yields back. The gentleman from Michigan, Mr. Clarke, is recognized for 5 minutes. Mr. Clarke of Michigan. Thank you, Mr. Chairman. Just to all of those who are testifying, my major concern is about the security of our power systems, our power grid, or airports, especially our municipal drinking water and sewage systems. A cyber attack on the industrial control systems that govern these assets could have a devastating impact on areas like metropolitan Detroit, especially if there was a cyber attack against our municipal drinking water and sewage system. If any of you have some thoughts on the type of policies that we could implement here to better protect the American people from such a cyber attack, that is information I would like to hear. I do have some specific questions. One issue, raised by Mr. Baker, about the role that private companies who are victims of a cyber attack could play in terms of funding Federal investigations into those attacks. Also, Mr. Cilluffo raised the issue of Iran and Hezbollah. Are there any specific instances or concerns that we should have regarding Iran and Hezbollah regarding a cyber attack on our country? I yield back my time. Chairman King. The gentleman---- Mr. Clarke of Michigan. Well, I would like to get a response, and then I yield back my time afterwards. Mr. Baker. In terms of industrial control systems, you are absolutely right that practically everything that civilized life in Detroit or any other American city depends on is an industrial control system. Those systems, as the Stuxnet attack on Iran's Natanz enrichment facility shows, are vulnerable to attacks that can break the systems. No major city is going to survive in an orderly fashion if it has no power and no water and the sewers are not functioning properly. You can break all of those things with a properly designed attack. To prevent that, we need to make sure that our systems, to the extent possible, have been pulled off of the internet and that there are not internet connections. We need to talk to the software manufacturers and hold them to high standards in terms of how secure those systems are. They have never been secure because they didn't think they were connected to the internet. They are now discovering that they are. The hardware in those systems is also not secure, and we need a research agenda that will improve the security of the hardware. Finally, in my personal view we are probably putting far too much emphasis on smart grid deployments today. We talked earlier, Mr. Maurer talked, about rushing to failure. Smart grids are connecting our power systems, and they offer some real savings. But they are connecting our entire power system to the internet in ways that we could end up regretting. So those are all things that I would suggest we begin immediately to pursue. I will come back to the private-sector issue if others finish in time. Mr. Cilluffo. Mr. Clarke, thank you for your question. I mean, this is a multifaceted set of issues. Clearly, we have seen attempts, and successful hacks, on supervisory data and acquisition systems. The underpinnings of our critical infrastructure is not only overseas, but those attempts are spiking domestically, as well. So in terms of critical infrastructure, yes. But I think you have got a bigger issue. Back to some of the acquisition questions, we haven't baked security into the design of our architectures. That is why I think, rightfully so, the House Intelligence Committee is asking very tough questions vis-a-vis Huawei, ZTE, and anyone else who could potentially have access to our backbone, our very critical infrastructures, that are most significant for computer network exploit, espionage, or potential attack. More needs to be done there. We have got to figure out what are the right carrots and what are the right sticks. We have talked a lot about the sticks, but I think there are some carrots; tax incentives, liability protections, if you meet a certain standard in BAR. Which I think should be initiated by a third party. I call it a Good Housekeeping seal of approval. So it is looking at what are the right carrots and sticks. Some critical infrastructures are more critical than others. Those that really affect our ability and could impede our ability to project power, deploy forces and, from a National security standpoint, I think take on a different set of issues. Very, very, very briefly on Iran. Yes, we have seen a lot of activity in this space. I recently testified--I see Mr. Lungren here--before one of his committee hearings specifically on Iran before all these unhelpful leaks in terms of what we have seen on the cyber side. They have stood up a cyber army, the Baseez and some of their proxies have been involved. There is a cyber Hezbollah that is involved in primarily intelligence collection. So there is reason to be concerned. There are attacks going on as we speak on some of our banking sectors that some people aren't sure where they are necessarily generating from; notably Bank of America, Chase, and others. So I think that is an area we need to be concerned about. But let us not treat all attacks the same. Hacking a website is like graffiti in cyberspace. It is bad, but it is not the same as attacking the very critical infrastructures or damaging the data that those systems run. So we have got to take some of those issues into consideration. Finally, there were attacks this summer on Saudi Aramco and on Qatari RasGas. To me, this is where I was talking about what sorts of products NPPD and INA could provide to the critical infrastructure owners. They should have taken those lessons learned and be able to share some of the signature data with our own critical infrastructures. I might note that a big thing I have been pushing is the Defense Industrial Base pilot, which right now is primarily focused on the defense contractors. I really feel that should be expanded to our critical infrastructure owners and operators; at least the most critical infrastructure owners and operators. Mr. Clarke of Michigan. Mr. Chairman, if we do have time I would like Mr. Baker--the opportunity to---- Chairman King. Actually, we are running on this. I appreciate it, but let me just say I want to thank you for your service on the committee, Mr. Clarke. No one knows what the future holds, but it has been a privilege having you work with us on the committee. Even if you are on that side, and ask some tough questions sometimes. Mr. Clarke of Michigan. It is an honor to serve our country here, and it is an honor to serve with you in this panel. Thank you. Chairman King. Thank you. The gentleman from California, our leader on cybersecurity, Mr. Lungren. Mr. Lungren. Thank you very much. Thank the panelists. I hope I am not contrarian in this. I have been on this committee for 8 years now, and been part of the oversight for the Homeland Security Department. Frankly, I think they are better now than they were back then. I think there has been improvement, there has been some maturation. I guess the question is: How far along are we in the maturing process? When we compare this to DoD, as was mentioned, it took a long time for us to have the reorganization of DoD to get where we are today. So I, frankly, have seen what I consider to be improvement. I believe we are safer today because of DHS, even with all the warts and the shortcomings that we have. So I wanted to start with that. The second thing I wanted to say is fusion centers. We have a fusion center in my district, which I have been out to see any number of times. I am impressed by the level of cooperation, collaboration, exchange of information and respect for all the participants--local, State, Federal, including DHS. Mr. Baker, have you seen that? What I see in the Sacramento region, is that the same as you have observed or that you have been made aware of around the country? Mr. Baker. Yes, there are some very successful fusion centers that are doing great work and that have really built deep relationships between DHS and local and State authorities. I have had people say if you have seen one fusion center you have seen one fusion center. They are very variable, and not all of them are as successful as the one in your district. But I think they have turned out to be an enduring institution. We may end up seeing consolidation or rationalization of some of them as the budget gets tighter. But it seems to me they have been a very valuable way for DHS to actually make a difference in local policing. Mr. Lungren. See, that is one of the concerns we have. When we look at budgets, there are those who look at things like that as the first thing to go. I don't think it ought to be the first thing to go. I think it ought to be one of the things that we try and make even better. Because in the area of terrorism, as in so much other things, much of the intelligence is gathered by people who weren't looking for terrorists as their first objective. Mr. Baker. Right. Mr. Lungren. There are so many more eyes and ears with local law enforcement than there are Federal agents. Part of our job is to make sure that we give the expertise, share the expertise, on the Federal level with those at the local and State level. Then, with the analysts--perhaps they are Federal analysts, perhaps they are analysts that come from other departments--but utilize that, that ability. I fear that when we run into these tough budget times that is the first thing to go because it is not a fancy gadget, it's not a new thing that comes out of S&T, even though I want things to come out of S&T. So I am concerned about that. In the area of cyber, one of the concerns I have had has been the tremendous personnel turnover we have seen within the cybersecurity mission within the Department. At the same time, I have been impressed most recently with an added robustness of that element of DHS. In part, because of the infusion of a good number of people from the private sector. So two questions for you, Mr. Cilluffo, and also Mr. Baker: What is the basis of the difficulty for us keeping people in the cybersecurity arena in DHS, No. 1? No. 2, do you think the failure of the Congress to get a statutory authority and an institutionalization of the lines of authority within the Executive branch on cybersecurity is, in fact, a serious problem? Or is it just something we can take care of by way of Executive Order? Mr. Cilluffo. Mr. Cilluffo. I will start, and I am just going to say one thing on fusion centers. Because we have done a number of surveys, the first surveys, to try to bring a little bit of science to the art of intelligence. I agree with your position 100 percent. The one thing I would note that they are lacking, and the majority of them suggested as much, was analytical tradecraft and capability, No. 1. Second, their ability to do threat reporting on the cyber side is weak, and they need to build that up. But to your question on cyber retention, it is a huge issue. Not only at the Department of Homeland Security, but across the Department of Defense and the intelligence community. Because you have so many greater opportunities in the private sector. Not only financial, but sometimes less bureaucratic. One of the things I think we need to start thinking about in terms of authority is our active defenses, where you give other entities the ability to respond in real time, in certain circumstances, in accordance with our laws. So I don't think an Executive Order--I mean, this is an issue that is so important for our country, it is so important for all branches of Government to be able to acknowledge and recognize that this is a significant set of issues. I don't think you can just pay for it forward by Executive Order. I think it requires a debate, it requires a discussion. It is extremely important, looking to future, that you--I don't think you can promulgate it through an Executive Order alone. I think Congress has not only an opportunity, a responsibility, to address these issues. Mr. Baker. On personnel, look, this is a hot field and people who do well in it in Government are going to get lots of job offers. We do need to face the fact that we will have turnover at some point. I will note that NSA, where I have also worked, has addressed that issue by and large as a culture where they expect people to come in and spend 25 or 30 years doing what NSA does. They get some very talented people. They lose people, but they have held onto their people better than DHS cyber has. My suggestion would be, on this as on many other things, DHS needs to be borrowing personnel and capability from NSA, bringing them over, making them part of the career progression within NSA so that they can get the benefit of the talented folks that NSA has. On the question of Executive Order versus legislation, legislation would be better but I am a realist. I actually think the Homeland Security Act gave a lot of authority, at least within the civilian arm of the Federal Government, to DHS. What we have seen is, the President by and large seems prepared to back that up by saying no, I really want you to do what the Homeland Security Act conveyed to you. That is progress. So I have supported an Executive Order, I think it is a good idea. There are things that can't be fixed. The Rogers bill, CISPA would be a much better solution than any private or Executive Order solution to the information-sharing problem. I frankly think, though, we are in for a period of a year or more in which nothing is going to happen in Congress so we need to be looking at everything that can be done within the Executive. I don't think we have gotten to the end of the things the administration can do to improve cybersecurity. Chairman King. The time of the gentleman is expired. The gentleman from New York, Mr. Turner. I am sorry, how did I forget? Here I am talking away to the temporary Ranking Member, who has ascended very quickly to the throne. The gentlelady from California, who has been a very close bipartisan worker on this committee, Ms. Hahn. Ms. Hahn. Thank you, Chairman King. I will start by adding my shout-out to my colleague from California, Mr. Lungren, on the necessity of our fusion centers. There is one in the Los Angeles region, as well, that is very significant. I would dare say many of the plots that have been foiled over the last years were a result of the information that was cobbled together in our fusion center. I think we, as Members of this committee, ought to be very clear and very precise in advocating for the continence of our fusion centers. I have appreciated the gentlemens' testimony, and your knowledge about our Department of Homeland Security and the future. I have a district that borders the largest port complex in our country, Los Angeles and Long Beach. To that end, I have been concerned about port security. In fact, my very first hearing here in the Homeland Security Committee was the 9/11 report card. At that time, it had come out that probably we were a little lacking. I would like to hear Mr. Baker's grade for port security in this country. To that end, I will say thanks to Chairman King, and a real bipartisan support. I was able to pass my first bill this year, on asking the Department of Homeland Security to report back to Congress on assessment of our port security. I would love to hear your analysis of how we are doing. I tend to think it is still a very vulnerable entryway into our country through our Nation's ports. Specifically, I would like to know, generally, how you feel about that. But specifically, speaking of managing our resources, I have heard from a number of ports across this country that the port security grants, which I am a big advocate of. We have done things in this committee to continue port security grants. But some of the deadlines, some of the requirements, some of the, you know, burdens that, apparently, we are putting on port authorities to actually use these port security grants in an efficient way are hindering what I believe ultimately is the securing of our Nation's ports. So I would love to hear your assessment specifically of port security, and how we are managing our port security grants. Mr. Baker. So I can't give you much useful information about the grant management because I think I am out-of-date on that. I did participate heavily in the Port Security Act process and the implementation of that, and it's been continued by the next administration. On the whole, I would give that effort about a B. I think, given the amount of attention that has been put on that and the number of authorities--not just CBP, but also Coast Guard, that are available--the Department has done a reasonably good job of trying to improve port security. You know, obviously it has not been able to move inspection for nuclear weapons overseas the way one would like, and that isn't going to happen anytime soon. Not because of incompetence on the Department's part, but because, you know, we have to persuade our negotiating partners to do that. One of my biggest worries is that if we are looking for nuclear weapons, which is a fundamental part of our port security program, that may be smuggled into the United States we have pretty good mechanisms--not perfect, but pretty good mechanisms--for identifying those weapons if they come in in containers through the ports. We are much less well-protected against the possibility that someone will put that into a private jet and just file a plan for Teterboro and never get to Teterboro. Just set it off before they land it in the United States. We need an approach to nuclear weapon smuggling that looks not just at ports, but at all the ways people might smuggle stuff in. The joke is, the best way to get it in is to wrap it in a bale of marijuana. We need to be looking at all of those. I think actually we have done a better job of securing our ports against that threat than most of the other mechanisms by which people would bring a nuclear weapon in. Ms. Hahn. Any other members of the panel want to speak on port security? Mr. Maurer. We issued a report specifically on the Port Security Grant Program about a year or so ago, and highlighted some of the issues you pointed out. Specifically, it takes too long for the money to flow out to the actual recipients. I think the good news there, in a nutshell, is that FEMA and DHS are taking actions to address our recommendations. My understanding is, they are starting to make progress on that. So that is good news. The second point, real quickly, is, one of my colleagues from GAO, Steve Caldwell, recently testified on the overall state of port security. I think we would agree with Mr. Baker's assessment. Generally speaking, that has been one of the relative areas of success for DHS over the course of the last 10 years. Ms. Hahn. Thank you. Mr. Cilluffo. A very general point. Smuggling is smuggling is smuggling is smuggling, whether it is drugs, weapons, people, or whatever illicit or even licit goods in tough areas. So one area where I think beyond just ports that we need to be doing more is we are seeing hybrid threats. Is it terrorism, is it crime, is it this, is it that? At the end of the day, I think there is some real opportunity between the counternarcotics community and the counterterrorism community to further cooperate on some of these issues. Because again, the routes are going to be the same. The TTP, the terror tactics, might be the same. So how do we start bringing those worlds together? Ms. Hahn. Thank you. I yield back. Chairman King. The time of the gentlelady has expired. Now the gentleman from New York. Mr. Turner. Mr. Turner. Thank you, Mr. Chairman. One of the most important elements here in counterterrorism is intelligence. If you could give us a minute, maybe, on what you think can be done and improved for intelligence sharing. I am particularly taking this from a view as a New York representative, which comes both ways. The NYPD, as you may know, has its own intelligence operation. If you have a thought on the efficacy of that, and what are the things that could be improved upon in the next year or two. If you would be kind enough to begin, Honorable Skinner? Mr. Skinner. I would be happy to. That is one of the things. I think the biggest concerns I had dealt with the integration of our IT systems and creating a capability to communicate on a real-time basis. The Department, within itself, has problems just communicating across the various component lines. One of the biggest challenges--and I believe I alluded to this earlier--is our ability to then communicate on a real-time basis with our Federal partners and, particularly, with our State and local partners. The fusion centers, I think, is a good step forward to improving that communication capability. But I still think we have problems with getting access on a real-time basis, giving people the clearances so that they can communicate on a real-time basis, and developing a trust. Fusion centers, I think some operate very well. But again, we talk about do we need as many as we have? Probably not. Can we do a better job in consolidating those fusion centers and building on a cadre where they are most needed on a risk basis would be, I think, a step forward. But building an IT capability to allow us to communicate, I think, is one step that we need to continue to work on. Mr. Turner. How far away are we from that ideal? Mr. Skinner. Quite frankly, I think we are very far away. Mr. Turner. Thank you. Mr. Baker. You know, the New York police department is one of the crown jewels of our counterterrorism effort, and the only non-Federal agency that really provides an alternative model for how you respond to terrorism effectively. I was disappointed to see the Associated Press and a few other folks kind of sniping at NYPD and inviting Federal oversight as a way of kind of making them less effective. We should have more local law enforcement agencies that were learning from NYPD, that were willing to talk directly to the U.S. intelligence agencies. So I would say they should be a model, rather than somebody subjected to criticism. On information sharing, let me just highlight an area of information sharing that I think is far worse than the relationship with State and locals. It is information sharing on cyber intrusions where, in fact, law enforcement agencies know an enormous amount about who is doing them, what tactics they are using, why they are targeting people, and who they are targeting. The targets are in the private sector. The sharing with the private sector at that level of detail, in my view, is nowhere near as good as it with State and locals on the counterterrorism mission. Mr. Cilluffo. I think Stewart and I are hanging out too much. NYPD is clearly the gold standard in this business. I might note, though, Ms. Hahn and others that if New York police department is the gold standard, LAPD is the silver standard. But once you get outside of New York, Los Angeles, Texas and some of these other areas, Arizona, you really have a mixed bag. At the end of the day, that is why I think we really do need to invest in the fusion centers. It could probably afford some culling to be able to build on the best. The last thing I want is the successful initiatives to be thrown out--the baby thrown out with the bath water--if we see the need to cut, and we are not going to cut the right ones. In essence, you are going to have entities that perhaps ought to be put on life support, and you have got the gems that are going to be stymied. New York has its own intelligence capabilities. They have an overseas presence. Very few police departments have an overseas presence. So I don't think it is even constructive to compare that--maybe LAPD--with the rest of the country. But as much as can lean forward, enable and support, it has been a target multiple times. Unfortunately, it is a target almost every day; much of which we don't read about. So I support that 110 percent. One thing on the intelligence picture writ large. I would argue that we need a true domestic intelligence estimate. We don't have regional threat assessments domestically for the Jihadi threat, for Islamist threats. The United Kingdom, for example, does. I am not suggesting we need a security service or an MI5 in the United States. Actually, quite the opposite. Push the capabilities to our State and local authorities. One area where we are the best in the world, hands down, are JTTFs. But that is only when an investigation is open. Once we get the blip on the radar screen we are the best, period. But what about in that steady state, to be able to see what that threat environment looks like for the unknown unknowns. That, I think, we still have a lot of work to do. As much as we can invest in our State and local authorities, we ought to. Mr. Maurer. Very quickly, I think you should know information sharing is one of GAO's high-risk areas. So clearly there is a lot of work that still needs to be done there. We want to see closer collaboration among all the Federal partners and a greater ability to work with State and locals, as well. Chairman King. The time of the gentleman has expired. Again, Mr. Turner will be leaving the committee at the end of the day. I want to thank him for his service. He does an outstanding job, and I want to thank him for his dedication to the committee and to the people of New York overall. Also, let me associate myself with the remarks of Mr. Baker and Mr. Cilluffo on the NYPD. I just hope that the Associated Press and New York Times were listening. With that, I recognize the gentlelady lady from Texas, Ms. Jackson Lee, for 5 minutes. Ms. Jackson Lee. Let me also thank my colleague for his service, as well. I think, as the Ranking Member and the Chairman mentioned at the beginning of this hearing, we are committed in a bipartisan way to the security of this homeland--and, I would like to put on the record--for the greatest country in the world. I heard someone define us as the greatest democracy in the world. I am going to redefine us as the greatest country in the world. So I am very grateful for our commitment. I also want to associate myself with the comments ``maybe one day.'' I am going to ask for just a yes or no answer. That the streamlining of jurisdiction oversight of homeland security is imperative for a consistent and efficient and effective securing of the homeland. Mr. Skinner, do you agree? Mr. Skinner. Yes. Ms. Jackson Lee. Mr. Baker. Mr. Baker. Amen. Ms. Jackson Lee. Mr. Cilluffo. Do I get it right? Mr. Cilluffo. Yes. Ms. Jackson Lee. GAO in particular, Mr. Maurer? Mr. Maurer. You know, we got to be agnostic on that one because we serve the whole Congress. I don't say that to dodge the question, but because I know this has been an issue that has been debated among the Members across the various---- Ms. Jackson Lee. We will give you a pass. Mr. Maurer. Okay. Ms. Jackson Lee. Let me also indicate that I look forward, if we all return by way of election, to really look at this regional security threat concept. I think that is a very important new note to hear. I am going to try and ask a number of fast-moving questions, and try to get through all of you. May not, but let me start with Mr. Maurer. I hope you can comment that investing resources, or the utilization of resources funding, is crucial to some of the assessments that you have made. Do we need to continue the right and reasonable and effective and continued funding for Homeland Security? Mr. Maurer. Absolutely. You are going to need resources to achieve many of the things the Department wants to do. They are making---- Ms. Jackson Lee. That are still not done. Mr. Maurer. That are still not---- Ms. Jackson Lee. And are crucial to securing the Nation. Mr. Maurer. Absolutely. They have made good progress so far to date. One of the biggest criticisms we have had of their plans to date, frankly, is the fact that they have resource limitations in executing those plans. Now some of that rests in the Department, quite frankly, and setting priorities on where they are going to spend the money that Congress appropriates to them. Ms. Jackson Lee. The border, which is something that I have been particularly attentive to because I come from the State of Texas. Have we made improvements since, for example, 2005? I particularly remember enhancing the Border Patrol agent census, or population; adding more, and giving them enhanced equipment. Has that made a difference? Mr. Maurer. Yes, it has. There are certainly many more Border Patrol agents on the Southwest Border as well as the Northern Border. DHS continues to invest in enhancing the training that they receive, as well as the acquisition tools and the systems that they use in the course of their job. We still have a number of concerns about the technology enhancements DHS plans to make on the Southwest Border. The collapse of SBInet was a major failure for the Department, and we are watching what they are doing on that front very carefully right now. Ms. Jackson Lee. I think we would be very eager to know that even though we have the rise of drug cartels, gun trafficking, which we just heard the IG's report that I think I can put on the record. That the attorney general had no knowledge of the gun trafficking and the Fast and Furious issue. But we do know that there are elements that were not effective. But with all of that, getting those other agencies to collaborate, we can see in the future a secure border or a securer border? Mr. Maurer. It definitely depends on the execution among the various departments and agencies. That is certainly our hope, and we will be there to provide oversight to help assist the Congress in its own deliberation. Ms. Jackson Lee. All right. Gentlemen, I am going to give three questions and I would like you to answer. I see my time is--and I ask the Chairman for an indulgence. They could pick the ones that they would like. I do want to indicate that I would like to see the CERT1 program improved--I don't think the outreach goes to minority communities sufficiently--and that is the response program during disasters. I think the procurement is way in need of repair in terms of outreach to small businesses. But these are the questions I would like. We have seen a rash of attacks or threats to universities, bomb threats. I believe we need an ombudsman or a focus inside Homeland Security that is an immediate response team to our universities. Some of these, obviously, are prank calls. Or at least they have been determined as that. But with the rash of incidences that have occurred, I would appreciate your comment. I would appreciate your comment on the importance of reaching out to Muslim-Americans and retaining and hiring them in the security process. I would appreciate your comment on the importance of homeland security and civil liberties. Anyone want to start first? Chairman King. I would ask the gentlemen if they would try to, you know, give brief answers. Try to keep it in the next 2 or 3 minutes. Ms. Jackson Lee. Mr. Chairman, I thank you. Mr. Baker, you are up. Mr. Baker. Okay. So I would say ombudsman to universities, or at least a place to call after you get a call you can't tell is crank or not, absolutely it is a great idea. It should be part of information sharing. Outreach to Muslims has been going on, should continue to go on and I think, on the whole, has been successful for the Department and the U.S. Government generally. On civil liberties and privacy, frankly if there were a job I wanted in Government it would be chief privacy skeptic. I think the privacy groups have not, on the whole, treated DHS well or its programs. We probably should be more skeptical about privacy claims than we are. Ms. Jackson Lee. All right. Well, Mr. Skinner. Mr. Skinner. I have nothing to add to what Mr. Baker just said. Very well put. Mr. Cilluffo. Just that I agree on the university side we need a bellybutton. I am not sure exactly how that looks like, but I am standing where I sit. I am at George Washington University now. Second, in terms of civil liberties, I don't think the debate has been cast as an either/or proposition. I don't think that is healthy. You can, and must, have both. When you start looking in the cyber domain in particular, there are going to be a lot of questions. But I agree with Stewart. Many of them are red herrings. A lot of them are not necessarily--that is not to suggest we don't take it seriously. We do. But I think most of the people, having been on the inside you hear more from your lawyers than you hear from the ops guys in terms of what it is you can and cannot do. That creates, to some extent, a chilling effect. Which is why, again, Congress, I think, has an opportunity and a responsibility to address some of these issues and move some legislation. Ms. Jackson Lee. You should not take privacy lightly, however. Mr. Cilluffo. Absolutely not. It is you build too many walls, the bad guys win by default because our way of life has been lost. That is what we are, is a federalist democracy, of course. Ms. Jackson Lee. Mr. Maurer. Mr. Maurer. You definitely want to consider civil liberties as part of the overall approach to cybersecurity. Absolutely in agreement on that. Outreach to the Muslim community is absolutely vital. I agree with that, as well. I think it is an interesting concept you talk about for an ombudsman, and certainly worth looking into. Ms. Jackson Lee. Thank you very much. Mr. Chairman, thank you. I yield back. Chairman King. The time of the gentlelady has expired. The gentleman from Texas, chairman of the Oversight Subcommittee, Mr. McCaul. Mr. McCaul. I thank the Chairman. I want to follow up on something Mr. Lungren talked about. That is, you know I think one of the greatest disappointments I think I, and this committee I think, share in is that the Congress did not pass cybersecurity legislation, which is so important. Every day that goes by without those authorities, more Americans are at risk. So I hope that if we can't get it done in this Congress we can certainly get it done next Congress. A very small point, and I want to go on to two other points. But, Mr. Baker, you mentioned an interesting idea. I think part of the problem is the perception that DHS just doesn't have the capability that NSA has. That probably is reality, too. So to put that faith and trust in DHS because I personally think, and I think Mr. Lungren and the Chairman agree, that a civilian authority is the more appropriate in a domestic sense rather than a military. Now, NSA can work with DHS and that is what you want. But how do you get NSA, you know, capability or NSA employees to come to DHS? Mr. Baker. So, in fact, some of that is happening. You know, I am an alumnus of both organizations, and may be the only one who has had a political appointment in both. But I don't think that you can bring staff over from NSA, detail them in. They are operating under DHS authorities and constraints, but they are bringing a raft of technical capability that otherwise it would be very hard for the Department to hire. What we need is enough technically competent people at the Department so they feel that they can take advice from NSA employees without fearing that they are getting a whole bunch of policy advice they don't see buried in the technical---- Mr. McCaul. I like the detail approach. Because I think, again, they kind of have to earn the respect of the Congress for the Congress to give them those authorities. I think there is an issue with that. I personally think it should be more under civilian control. So, quickly, to move on, I am chairing a hearing tomorrow-- I think, Mr. Maurer, you are going to be there--on acquisition, procurement. You know, we still see all the silos that Mr. Skinner talked about. Yet, you know, it is still a very solid F in terms of the acquisitions. So we don't see--there were these recommendations that were made, you know, several years ago. But they don't seem to be followed. So you got a procurement process that has become very wasteful in its management. I mean, so overall how do you integrate this management together? But then how do you fix the procurement process? If you could answer it in a fairly short manner I would appreciate that. Mr. Maurer. Sure, absolutely. First off, I want to give good credit to my colleague, John Hutton. He will be the GAO witness tomorrow at your hearing. So he is taking the lead on this issue at GAO. But how to address the problem? First and foremost, DHS needs to follow its own rules. They haven't been doing that, that has been at the root of the problem. Second, they do need to do a better job of managing the overall portfolio, and start making the hard decisions and figuring out what they can actually afford out in the future. But a third issue, they need to do a better job of coming up with life-cycle cost estimates. That sounds wonky and down in the weeds, but what it basically means is figuring out the price tag. What is it going to cost to procure these different systems, and over how many years is that going to take? Until they come to grips with all three of these issues they are going to continue to have problems. Mr. McCaul. Okay. A final a point is, Mr. Cilluffo, you talked about regional threats. I think that is a very smart approach. I led a delegation down to Latin America, and we went to, you know, the tri-border area, a Jewish community center in Buenos Aires. As you know, the Saudi ambassador applied the Quds forces. They were going to hit the embassies--and Israel, Saudi, and Argentina. So we look a lot at the Middle East, but there is a lot going on right here, too. My kind of nightmare scenario is a strike from Israel, against Iran. With everything that is happening right now already, with these embassies already being targeted, you throw that cocktail on top of everything and it is a Molotov cocktail. I can see, you know, there will be ramifications to that. There will be a response. I can see the Hezbollah operatives not only there but in this hemisphere which we know are here. I can see them lining up. So is DHS prepared? Do you think they are even looking at this issue and planning to defend? Mr. Cilluffo. Mr. McCaul, you raise a number of very important points. I think as much as you can raise awareness in terms of the challenges you saw in the tri-border area would be helpful to the American people. Because we do have problems on our hands. It is not just in the tri-border area. Hezbollah has got a presence in the United States. In fact, the Los Angeles police department elevated the government of Iran and its proxies, notably Hezbollah, as a Tier I threat; highest threat level. NYPD has been leaning forward in terms of addressing some of these challenges. So I don't think it is only in response to some actions that Israel or others may take. I think that you are seeing an uptick in activity that, even short of that, warrants greater concern from the U.S. National security. Mr. McCaul. Then, in closing, I hope the Department is focused on this very aggressively in terms of defending the Nation rather than responding, or reacting to, a crisis. Mr. Cilluffo. I can tell you some are. I am not sure that is percolating throughout the entire Department. But I have worked with some folks who are recognizing that as a challenge. Mr. McCaul. I thank the Chairman. Chairman King. The gentleman yields back. I would just point out, as Mr. McCaul knows, and he was part of the hearing, we held a hearing--at least one hearing, full committee also, I think, some subcommittee involvement--on the whole issue of Hezbollah in this country. My impression was the same as yours. It is a serious threat not being taken seriously enough by everyone. By some, but not by all. With that, the gentlelady from California, Ms. Richardson, is recognized for 5 minutes. Ms. Richardson. Yes, thank you, Mr. Chairman. I just have two questions for Mr. Skinner. One, in fiscal year 2011 the Department entered into over 133,000 procurement transactions and over 81,000 thus far in 2012. I am concerned about the oversight of these transactions. On your watch, during the Department, we have obviously heard, and learned of, various problems of the procurement process, including contracts with SBInet, Deepwater, and Federal Protective Service contracts and Guard contracts. Yet the Department's management budget appears to leave little room for improved oversight during the procurement process. How can you improve upon your contract oversight? Mr. Skinner. It is, I think, very basic. That is, increased staffing. Because I think the acquisition management function within the Department when it stood up, and even today, as much as they are trying to build a capability is still grossly understaffed. I think as part of the procurement process, when you develop your strategic plans, your operational plans, as to what you are going to be buying in the outyears and in the current years, that we need to budget in, or factor in, the cost of the total procurement. Just not the cost that we pay the contractor, but the cost to provide oversight of those contracts. It is all part of the contract administration process. Ms. Richardson. Has that---- Mr. Skinner. I do not think that is being done right now. Ms. Richardson. Is there anything you need us to do to be able to assist you to have that happen? Mr. Skinner. The authorities are there, the guidelines are there, the policies are there. They just simply need to be implemented. I think with additional staffing, we could do a better job of managing the contracts as opposed to just simply awarding and then reacting to problems. Ms. Richardson. Okay. So, Mr. Chairman, if you would be willing maybe the committee would want to consider requesting of the Secretary that as contracts are distributed that, as Mr. Skinner has suggested, that the oversight be included in the overall cost that is being considered. Then that way, they might be able to have adequate staffing to take control of the taxpayers' money, which I know you and all of us here are very concerned about. Chairman King. We will certainly consider that, and I will work with you and your office to try to bring that about. Ms. Richardson. Thank you, Mr. Chairman. The second question is: Mr. Skinner, on a scale of 1 to 10, how would you rate the Department of Homeland Security on its cybersecurity efforts? Meaning, where are there improvements most needed from the Department's perspective, and what legislation could we do to help you to better achieve those results? Mr. Skinner. First, let me say I am probably the least qualified person to ask that question on this panel. But based on my observations when I was serving with the Department, they are making modest progress through their hiring efforts, their attention to the cybersecurity issues. But on a scale of 1 to 10, I would have to give them something around a 4. We have a long, long way to go. I think one of the primary things, and it has been repeated several times this morning, is that we definitely could use legislation to help guide the Department. Ms. Richardson. Okay. Would anyone else like to give a very brief response that wanted to chime in? Mr. Cilluffo. Just to piggyback Mr. Skinner's comments, General Alexander, when asked very specifically where the U.S. readiness was on a scale from 1 to 10, said a 3. So it is pretty much in line with some of that thinking. He is the commander of Cyber Command, and director of the National Security Agency. I do feel this is a big area that the United States--we are not any further along than our homeland community was shortly after 9/11. Ms. Richardson. Wow. Mr. Cilluffo. The difference is, is we know the risks. So I think we have got a responsibility to move. Mr. Baker. I can just add, if the people who are attacking us for getting grades from their governments they would get at least a 6. So we are losing ground to the attackers. Ms. Richardson. Mr. Chairman, I know that when appropriations come forward in the House, typically where we look to add more programs, Members of Congress will typically take money out of the management and oversight or salary bucket of a particular department. Take money from there and, you know, fund for another program. I would be more than willing to join you of us educating our colleagues that in this particular area of cybersecurity-- we can't speak to every area--but the impacts of these cuts to the staffing in particular is really hindering the ability to move forward. If you would like to join me, or suggestions on how we might do that, I would welcome that. Thank you, sir. Chairman King. Be delighted to work with you. The time of the gentlelady has expired. Before I go on to Mr. Marino, I just want to acknowledge, in the audience, Robert Matticola, who is homeland security director for the New York waterway ferry in New York, and he has held that position since July 2008. It is obviously a job that is in the line of fire, and I want to commend you for your service. Now the gentleman from Pennsylvania, former United States attorney, Mr. Marino is recognized for 5 minutes. Mr. Marino. Thank you, Mr. Chairman. I apologize for being late. I am trying to get to all of my committee hearings today. Gentlemen, it is a pleasure. As my distinguished Chairman stated, I have been in law enforcement and I have been there for 19 years. So I know what our men and women go through. I have been out there on the front line with them, I have their backs. I have worked closely with all the agencies throughout my career. You know, it is easy for us and anyone else to Monday- morning-quarterback our men and women and our agents on the line and in the field. Just unfortunate that much of the information and much of our operations--and I still say ``our'' because I still feel I am part of law enforcement, I will always be--has to be kept close to the chest because we don't want the enemy knowing what is going on out there. But each one of you can respond to my question, if you would like to. Are our agents, are our people in the field, fully equipped with what they need to do what we expect them to do? Equipment, training, et cetera? Mr. Skinner, would you like to start? Mr. Skinner. I believe because of the rapid buildup within our law enforcement community, particularly with CBP and ICE over the past 5 to 6 years, that we are still behind the curve as far as providing the types of training and the degree of training that they need. As far as equipping them, I also believe that our infrastructure is trailing our hiring. We are hiring faster than we can build an infrastructure to support them. Third, as far as supervision and management, as we hire so many people so rapidly that brought some of our more experienced--or what we have done is, in essence, taken very inexperienced individuals and put them in supervisory and management roles. That was the only alternative they had at that time. That does not mean to be a criticism. But all in all, I think we still have to catch up to the hiring. Mr. Baker. I don't have anything to add to that. Mr. Cilluffo. I would just underscore field bias, field bias, field bias. As much as we can lean forward, if you look at the military community, the intelligence community, and other communities that have gone through similar issues commanders intent; push the capability down to the pointy end of the spear. In this case, I think the big potential gap is, we need to enhance our analytical capacity so State and local can--so they are not going in with--not blind, but with less vision, given the fog of crises and situations. So push to State and local. That is my one takeaway. DHS's role in that is significant and important, but it is really about looking at State and local authorities as their force multipliers. They are our boots. Mr. Maurer. I think DHS definitely deserves some credit, particularly in the last couple of years, in coming to grips with its management problems. It gets right to your question. They are trying to do a better job with procurements, they are trying to do a better job with training, they are trying to do a better job with all the different entities working as one unified whole within DHS as well as their interagency partners. They are definitely not where they want to be or where they need to be, and they fully recognize that. But I am just encouraged by the fact they are paying more attention to sort of these basic fundamental resource and management issues. Mr. Marino. I understand that, being in the field, there are many agencies and many different types of work that has to be done. But can you give me a ball-park figure? We talked about training--and behind the curve on that--to adequately train our people on the front lines. Whether it is ICE, you know, whether it is DEA or whoever is--and Homeland Security protecting our borders, or even overseas. How much time are we talking about for training? Mr. Maurer. I don't know if you can put an exact time frame or dollar figure on it because training is an on-going thing. I mean, it is not only bringing in new Border Patrol agents. It is continuing to offer training throughout that person's career. Mr. Marino. But I mean, you know, bringing someone in initially. I know training is on-going, and should be. But let me put it this way. I don't think there is any agency with whom I have worked where it is a 6-week training course and you are ready to rock and roll. Is that a correct statement? A significant amount of time is required? Mr. Skinner. Absolutely yes, there is significant time required. I almost equate it to like a boot camp. Because when you bring someone in, you are giving them basic training. But as you progress, you are going to have to receive additional training. That training has to be kept up-to-date. It is just not a one-shot deal. It is constant. Mr. Marino. Totally agree. Mr. Skinner. So there is a lot--the more investment we make in our training, the better performance we are going to get from our employees. Mr. Marino. Thank you, gentlemen. I yield back. Chairman King. The gentleman yields back. I want to thank all the witnesses for their testimony today. I think this is one of the most thoughtful and substantive hearings we have had. Your testimony was really invaluable. I think as Members of the committee, we often tend to focus on issues that are particularly important to us, a component to the Department that are important to us, or parts of the Department where particular errors have been made. I think you were able to bring it together today and really show us the Department as a whole, its weaknesses and its strengths. As Mr. Lungren said, I think significant progress has been made. It is important to keep that in mind. But at the same time, we have to, you know, continue to make more progress. Especially address some of the more significant deficiencies. But at the same time, I think it is important that we let the public know, really, the overall job that DHS is doing. Because too often, when it comes time for budget cuts or whatever, people look upon DHS as not really contributing that much. The fact is, despite its persistence, al-Qaeda has not been able to perpetrate an attack on the scale of 9/11 in the past 11 years. The DHS has been a vital component of that. So with that, I want to thank you for your testimony. I would also want to thank the Members of the committee who were here today. Some Members may have additional questions for the witnesses, and we would ask you to respond to those in writing. The hearing record will be held open for 10 days. Without objection from the distinguished acting Ranking Member---- Ms. Hahn. No objection. Chairman King [continuing]. The committee stands adjourned. [Whereupon, at 12:03 p.m., the committee was adjourned.] A P P E N D I X ---------- Questions From Chairman Peter T. King for Richard L. Skinner Question 1. Will you please share your views on the importance of the completion of the St.Elizabeths project to the Department's efforts to consolidate operations and its potential impact on the Department's performance? Answer. In my opinion, the inability of the Department to complete the St. Elizabeths project as originally planned should have little, if any, impact on the Department's efforts to consolidate operations and, most certainly, should not adversely impact its performance. Consolidating the Department's components ``under one roof'' so to speak is an issue of convenience, not one of performance, particularly in today's IT environment of borderless networks, where any employee should be able to connect with anyone or any information from anywhere, using any device. Housing ``people'' in one location may make it convenient for officials to conduct face-to-face meetings, but it will not address the real challenges facing the Department, and that is consolidating and integrating management support systems and operations. Consolidating operations and improving performance are ``management'' issues, not ``logistical or housing'' issues. Question 2a. How would you compare the creation and maturation of the Department of Homeland Security to date to that experienced by the Department of Defense in the decade after its establishment? Do you believe that now, almost 10 years after its creation, the Department should have matured more quickly and its components should be operating more effectively and efficiently? Answer. While the creation of the Department of Homeland Security may be the largest Government reorganization since the creation of the Department of Defense, it pales in comparison to the enormity of the challenges faced by DoD upon its creation. Accordingly, in my opinion, the Department of Homeland Security has, and should have, matured more rapidly to date than the Department of Defense in the decade after its establishment. I believe that now, almost 10 years after its creation, the Department should have matured more quickly and its components should be operating more effectively and efficiently. During its first 3 years of existence, neither the Congress nor the administration gave the Department the resources needed to properly support the programs and operations inherited from its legacy agencies. In particular, its management support functions were shortchanged, i.e., the financial, information technology, acquisition, human resources, and grants management functions. During the second 3 years of its existence, both the Congress and the administration increased the Department's funding for its management support functions, but, while making modest improvements, it fell far short of its goal to establish a cohesive, efficient, and effective organization. For example, the Department is still unable to obtain a clean opinion on its financial statements and internal controls; its components are still struggling to upgrade or transition their respective IT infrastructures; resources needed to implement acquisition policies are still lacking; and, it is impossible to determine whether the Department's grant programs are actually improving our Nation's homeland security posture. During the past 3 years, budget constraints have impeded the Department's ability to make any significant headway and build on the modest improvements made since its creation. The Department's new challenge will be to sustain the progress already made and at the same time continue to make necessary improvements. Question 2b. How much longer is the argument that bringing together so many Federal agencies a legitimate explanation for the Department's shortcomongs? Answer. Bringing together so many Federal agencies should no longer be a legitimate explanation for the Department's shortcomings. The Department had many opportunities to address its management challenges, but, for a myriad of reasons, it failed to do so. Although some were out of its control, many opportunities were lost due to poor management decisions or just plain indecision. Unless the Department stays focused on its shortcomings, it will be harder than ever to find solutions to strengthen critical management support functions and, ultimately, to ensure the success of its homeland security mission. Questions From Chairman Peter T. King for Stewart A. Baker Question 1. Will you please share your views on the importance of the completion of the St. Elizabeths project to the Department's efforts to consolidate operations and its potential impact on the Department's performance? Answer. As noted in my testimony before the committee, one of the greatest challenges facing the Department of Homeland Security going forward will be developing a framework to enable proper coordination among all of the Departments big and proud components. Department leadership has done a good job at bringing the various components together to respond to major crises, but coordination on day-to-day issues is very much lacking. The St. Elizabeths Campus project, by bringing together the leaders of all of DHS's components under one roof, is critical to addressing this larger Departmental challenge. Placing component and Departmental leadership in the same office space will, I believe, go far in building a unified organizational culture and providing daily opportunities for DHS components to work together cooperatively. Question 2a. How would you compare the creation and maturation of the Department of Homeland Security to date to that experienced by the Department of Defense in the decade after its establishment? Do you believe that now, almost 10 years after its creation, the Department should have matured more quickly and its components should be operating more effectively and efficiently? Answer. The Department of Defense's history illustrates just how difficult integrating all of the components at DHS will be. When DoD was formed in the late 1940s out of the Department of War and the Department of Navy, both of which had been established in the 1700s, DoD at least had the advantage of an existing unified office space and the recent experience of coordinating operations during World War II. All the same, it took years for DoD's leadership to establish its authority within the entire Department. As late as the Cuban Missile Crisis in 1962, Secretary McNamara's authority over the Navy was still in doubt. When the Secretary asked Admiral Anderson: ``what would happen if a Soviet ship refused to stop or resisted boarding. Anderson answered angrily, `This is none of your goddamn business. We've been doing this since the days of John Paul Jones, and if you'll go back to your quarters, Mr. Secretary, we'll handle this.' ''--Dobbs, One Minute to Midnight: Kennedy, Khrushchev, and Castro on the Brink of Nuclear War (2008). I'm quite confident that today, just 10 years into the Department, no DHS component head would dare to say that to the Secretary of Homeland Security, even though several of the components have been carrying out their missions as long as the Navy. Question 2b. How much longer is the argument that bringing together so many Federal agencies a legitimate explanation for the Department's shortcomings? Answer. The understandable challenges of post-merger integration at DHS, however, do not excuse component or Departmental leadership from fulfilling their missions. Responsibility for building the Department's capacity and accomplishing its objectives still has to lie with individual components or offices at DHS. To the extent that individual parts of DHS are underperforming, they should be held individually accountable for making the necessary programmatic and staffing changes to turn the Department around. Questions From Chairman Peter T. King for Frank J. Cilluffo Question 1. Will you please share your views on the importance of the completion of the St. Elizabeths project to the Department's efforts to consolidate operations and its potential impact on the Department's performance? Answer. While I am not fully up to speed on all of the developments surrounding the St. Elizabeths project, I am of the view that consolidating operations in a single location could have a range of salutary benefits, including the prospect of synergies between and among offices and individuals that derive simply from physical proximity (through increased daily interactions, etc). In addition to tangible advantages, such as the facilitation of communications between and among offices and individuals, there are likely to be intangible advantages as well, such as a greater sense of unity of mission and the boost to morale that may occur as a result of co-location (which may engender a greater sense of esprit de corps). However, there are a range of factors that may affect the timing of completion of the St. Elizabeths project, including of course the current budgetary situation; hence it may be some time before the project's benefits come to fruition. Let me underscore, though, that future developments should not come at the expense of the Department's operating budget. Having said that, perhaps the most forceful and vivid argument in favor of timely completion of the St. Elizabeths project is as follows: Just imagine the Department of Defense without the Pentagon, or the CIA without the George (H.W.) Bush Center for Intelligence in Langley, Virginia. Question 2a. How would you compare the creation and maturation of the Department of Homeland Security to date to that experienced by the Department of Defense in the decade after its establishment? Do you believe that now, almost 10 years after its creation, the Department should have matured more quickly and its components should be operating more effectively and efficiently? Question 2b. How much longer is the argument that bringing together so many Federal agencies a legitimate explanation for the Department's shortcomings? Answer. There are certainly some similarities between the Department of Homeland Security and the Department of Defense in the context described above (creation and maturation a decade after establishment). In both instances, it took time to synchronize each of the following--operations, planning, strategy, etc.--from an organization-wide perspective. Likewise, both cases evidence the pace at which a cohesive organizational culture takes shape; this is not something that appears or grows overnight. Notably, for the Defense Department, thinking purple is a mindset and action posture that took time to cultivate and instill; and even then, in order to genuinely root itself required legislation (the Goldwater-Nichols Department of Defense Reorganization Act of 1986) and a supporting incentive structure that tied education and training, interagency rotations, promotion and professional advancement to ``jointness.'' Given that DHS initiatives in the realm of education and training, for example, remain nascent, it is no surprise that there are still some bumps in the road when it comes to execution and implementation in an effective and efficient manner. On paper and in principle, 10 years may seem like a long time. Yet that first decade of DHS' existence has been marked by unprecedented and almost constant challenges. The fact that DHS was created at a time of crisis, and also evolved in such a climate, suggests that an extended interval may be warranted in order to judiciously evaluate its progress. Having said that, DHS as an enterprise needs a sharper focus and a greater prioritization of its activities, to include more and better alignment of budgets with priorities. In addition, DHS has yet to define its Office of the Secretary, writ large. Compare the Defense Department, whose counterpart Office for Policy (OSD/Policy) for example, serves a robust and genuine Department-wide, cross-cutting function. This is the bar which DHS should, and must, aim to reach. Indeed, the Defense Department today is the gold standard when it comes to plans and planning, after-action reflection, and a range of other matters. Both regional and functional/thematic approaches to a range of complex challenges are successfully integrated and incorporated into outputs, including budgeting for future years. Yet there was a time when DoD's ability to bring these various pieces together so effectively was in some question; and this was so despite the fact that military endeavors permit a type of mandating vis-a-vis Service members that civilian entities do not. The challenge at hand is thus compounded: While DoD is founded upon the science of command and control, DHS must rely instead on cooperation and coordination, and the art of persuasion, to successfully achieve its ends. Accordingly, I would submit that DHS remains a work in progress, but one that must be evaluated in context, with due regard for the substantial challenges that the Department has faced in past, and which it will continue to face in future--including an inhospitable climate of financial austerity, coupled with a rapidly evolving threat spectrum that encompasses both cyber and kinetic components. Questions From Chairman Peter T. King for David C. Maurer Question 1. Will you please share your views on the importance of the completion of the St. Elizabeths project to the Department's efforts to consolidate operations and its potential impact on the Department's performance? Answer. We have previously reported that consolidation or co- location of Federal Government offices or functions--a goal of the St. Elizabeths project--may result in several benefits, including more effective and efficient operations. In 2011, we reported that co- locating services can result in improved communication among programs, improved delivery of services for clients, and elimination of duplication.\1\ For example, programs can be co-located within one-stop centers or electronically linked, which affords the potential for sharing resources and cross-training staff. In 2006, we reported that DHS's plans to co-locate its headquarters, its component headquarters, and their respective staffs and operations centers at one location could further enhance collaboration among DHS's component agencies.\2\ DHS has also identified that consolidating most of its headquarters operations at St. Elizabeths would enhance communication, increase efficiency, facilitate mission integration, and foster a ``One DHS'' culture. --------------------------------------------------------------------------- \1\ GAO-11-92. \2\ GAO-07-89. --------------------------------------------------------------------------- However, given the constrained budget environment, the future of the St. Elizabeths project is uncertain. In December 2011, DHS estimated the project would take 4 to 5 years longer to complete and cost about $600 million to $700 million more than originally planned, largely due to shortfalls in funding. At that time, DHS estimated that the project would be completed in 2020 or 2021. In March 2012, DHS reported that it was in the process of revising its plan of options for completing the St. Elizabeths project, and would continue analyzing options throughout the summer. One option, which includes large segments based on the original construction plan, would take 6 years longer to complete and cost more than $700 million more than originally planned. Under this option, DHS estimated planned construction will be completed in 2022 at an overall cost of about $4 billion. In addition, while headquarters consolidation may result in gained efficiencies, under DHS's current plan, not all headquarters offices and components will be located at St. Elizabeths. For example, although all of the Secretary's office and the Federal Emergency Management Agency and the U.S. Coast Guard headquarters staff will be relocated, only the headquarters leadership of five major DHS components--U.S. Immigration and Customs Enforcement, U.S. Customs and Border Protection, Transportation Security Administration, U.S. Secret Service, and U.S. Citizenship and Immigration Services--will be moved. Headquarters staff from these five components will remain in other locations around the National capital region, which limits the potential benefits of consolidation. Finally, since the planned completion date of the St. Elizabeths project could be 10 years in the future, DHS will not reap the planned benefits of consolidation for some time. During the interim, we believe DHS should continue to focus on executing its plans for addressing GAO's designation of implementing and transforming DHS as a high-risk issue. Doing so will enhance the management platform for the entire Department and better position DHS to carry out its various missions in a more efficient and effective manner. Question 2a. How would you compare the creation and maturation of the Department of Homeland Security to date to that experienced by the Department of Defense in the decade after its establishment? Do you believe that now, almost 10 years after its creation, the Department should have matured more quickly and its components should be operating more effectively and efficiently? Question 2b. How much longer is the argument that bringing together so many Federal agencies a legitimate explanation for the Department's shortcomings? Answer. As DHS continues to implement plans to address its long- standing management challenges, it can learn from the experience of other departments, including the Department of Defense (DoD). Specifically, since its creation in 1949, DoD has worked to unify the Department, enhance its management practices, and foster a joint approach to operations and decision making. However, it is also important to note that some of DoD's experiences may not be appropriate for DHS. For example, as of October 2012, 63 years after DoD's creation, it remains on GAO's high-risk list for seven management- related topics, including financial management, weapon systems acquisition, and business systems modernization. In addition, several important aspects of DoD's organization and approach are devoted to deterrence, combat operations, and other National security missions that, while complimentary to DHS's homeland security focus, differ significantly from the day-to-day operations and requirements of DHS's components. DHS can certainly learn from DoD's experience, but should exercise care in appropriately selecting and applying those lessons that can be best applied to DHS. Prior to DHS's creation, we reported that building a common, unified Department from several legacy agencies represented a significant challenge that would take several years to achieve.\3\ This has proven to be the case. DHS has remained on GAO's high-risk list since it began operations in 2003. --------------------------------------------------------------------------- \3\ GAO-03-260. --------------------------------------------------------------------------- Since its creation, DHS has implemented key homeland security operations and achieved important goals in many areas to create and strengthen a foundation to reach its potential. DHS has made important progress, particularly on the mission side. For example, DHS: Implemented the U.S. Visitor and Immigrant Status Indicator Technology program to verify the identities of foreign visitors entering and exiting the country by processing biometric and biographic information; Developed and implemented Secure Flight--a program for screening airline passengers against terrorist watch list records--and new programs and technologies to screen passengers, checked baggage, and air cargo; Assessed risks posed by chemical, biological, radiological and nuclear threats and deployed capabilities to detect these threats; and Created new programs and offices to implement its homeland security responsibilities, such as establishing the U.S. Computer Emergency Readiness Team to help coordinate efforts to address cybersecurity threats. But at the same time, our work has identified three key themes-- leading and coordinating the homeland security enterprise, implementing and integrating management functions for results, and strategically managing risks and assessing homeland security efforts--that have impacted the Department's progress since it began operations.\4\ DHS had successes in all of these areas, but our work found that these themes have been at the foundation of DHS's implementation challenges and need to be addressed from a Department-wide perspective. As DHS continues to mature, more work remains for it to strengthen the efficiency and effectiveness of those efforts to achieve its full potential. --------------------------------------------------------------------------- \4\ DHS defines the homeland security enterprise as the Federal, State, local, Tribal, territorial, non-governmental, and private-sector entities, as well as individuals, families, and communities, who share a common National interest in the safety and security of the United States and the American population. --------------------------------------------------------------------------- Of particular note, DHS continues to face several management challenges. For example, DHS's major acquisitions programs face challenges that increase the risk of poor outcomes, such as cost growth and schedule delays. Additionally, DHS has been unable to obtain an audit opinion on its internal controls over financial reporting due to material weaknesses in internal controls. Further, despite DHS efforts to improve employee morale, Federal surveys have consistently found that DHS employees are less satisfied with their jobs than the Government-wide average. DHS has several initiatives underway that, if fully implemented and sustained, could help address the Department's management challenges. For example, as I noted in my September 2012 testimony before this committee, DHS's Integrated Strategy for High-Risk Management identifies 18 key initiatives and corresponding corrective action plans for addressing the Department's management challenges and improving operational efficiency through better integration of people, structures, and processes. This strategy provides a path for moving DHS from where it is now--a large Department with several management challenges--to where it wants to be--a unified Department, supported by integrated management functions. DHS must now focus on executing the strategy. Doing so is important because building a solid management foundation will help DHS carry out its homeland security missions.