<html>
<title> - COMPUTER INSECURITIES AT DOE HEADQUARTERS: DOE's FAILURE TO GET ITS OWN CYBER HOUSE IN ORDER</title>
<body><pre>[House Hearing, 106 Congress]
[From the U.S. Government Printing Office]


COMPUTER INSECURITIES AT DOE HEADQUARTERS: DOE's FAILURE TO GET ITS OWN
                          CYBER HOUSE IN ORDER

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                      OVERSIGHT AND INVESTIGATIONS

                                 of the

                         COMMITTEE ON COMMERCE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 13, 2000

                               __________

                           Serial No. 106-157

                               __________

            Printed for the use of the Committee on Commerce


                    U.S. GOVERNMENT PRINTING OFFICE
65-910CC                    WASHINGTON : 2000


                         COMMITTEE ON COMMERCE

                     TOM BLILEY, Virginia, Chairman

W.J. ``BILLY'' TAUZIN, Louisiana     JOHN D. DINGELL, Michigan
MICHAEL G. OXLEY, Ohio               HENRY A. WAXMAN, California
MICHAEL BILIRAKIS, Florida           EDWARD J. MARKEY, Massachusetts
JOE BARTON, Texas                    RALPH M. HALL, Texas
FRED UPTON, Michigan                 RICK BOUCHER, Virginia
CLIFF STEARNS, Florida               EDOLPHUS TOWNS, New York
PAUL E. GILLMOR, Ohio                FRANK PALLONE, Jr., New Jersey
  Vice Chairman                      SHERROD BROWN, Ohio
JAMES C. GREENWOOD, Pennsylvania     BART GORDON, Tennessee
CHRISTOPHER COX, California          PETER DEUTSCH, Florida
NATHAN DEAL, Georgia                 BOBBY L. RUSH, Illinois
STEVE LARGENT, Oklahoma              ANNA G. ESHOO, California
RICHARD BURR, North Carolina         RON KLINK, Pennsylvania
BRIAN P. BILBRAY, California         BART STUPAK, Michigan
ED WHITFIELD, Kentucky               ELIOT L. ENGEL, New York
GREG GANSKE, Iowa                    TOM SAWYER, Ohio
CHARLIE NORWOOD, Georgia             ALBERT R. WYNN, Maryland
TOM A. COBURN, Oklahoma              GENE GREEN, Texas
RICK LAZIO, New York                 KAREN McCARTHY, Missouri
BARBARA CUBIN, Wyoming               TED STRICKLAND, Ohio
JAMES E. ROGAN, California           DIANA DeGETTE, Colorado
JOHN SHIMKUS, Illinois               THOMAS M. BARRETT, Wisconsin
HEATHER WILSON, New Mexico           BILL LUTHER, Minnesota
JOHN B. SHADEGG, Arizona             LOIS CAPPS, California
CHARLES W. ``CHIP'' PICKERING,
Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
ED BRYANT, Tennessee
ROBERT L. EHRLICH, Jr., Maryland

                   James E. Derderian, Chief of Staff

                   James D. Barnette, General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

              Subcommittee on Oversight and Investigations

                     FRED UPTON, Michigan, Chairman

JOE BARTON, Texas                    RON KLINK, Pennsylvania
CHRISTOPHER COX, California          HENRY A. WAXMAN, California
RICHARD BURR, North Carolina         BART STUPAK, Michigan
  Vice Chairman                      GENE GREEN, Texas
BRIAN P. BILBRAY, California         KAREN McCARTHY, Missouri
ED WHITFIELD, Kentucky               TED STRICKLAND, Ohio
GREG GANSKE, Iowa                    DIANA DeGETTE, Colorado
ROY BLUNT, Missouri                  JOHN D. DINGELL, Michigan,
ED BRYANT, Tennessee                   (Ex Officio)
TOM BLILEY, Virginia,
  (Ex Officio)


                            C O N T E N T S

                               __________

Testimony of:
    Gilligan, John M., Chief Information Officer, U.S. Department
      of Energy
    Habiger, Eugene E., Director, Office of Security and
      Emergency Operations, U.S. Department of Energy
    Podonsky, Glenn S., Director, Office of Independent Oversight
      and Performance Assurance, accompanied by Bradley A.
      Peterson, Office of Cyber Security and Special Reviews,
      U.S. Department of Energy


COMPUTER INSECURITIES AT DOE HEADQUARTERS: DOE's FAILURE TO GET ITS OWN
                          CYBER HOUSE IN ORDER

                              ----------


                         TUESDAY, JUNE 13, 2000

                  House of Representatives,
                             Committee on Commerce,
              Subcommittee on Oversight and Investigations,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 9:10 a.m., in
room 2123, Rayburn House Office Building, Hon. Fred Upton
(chairman) presiding.
    Members present: Representatives Upton, Burr, Bilbray,
Bryant, Bliley (ex officio), Stupak, Green, and DeGette.
    Also present: Representative Wilson.
    Staff present: Tom Dilenge, majority counsel; Anthony
Habib, legislative clerk; Clay Alspach, legislative clerk;
Edith Holleman, minority counsel; and Brendan Kelsay, minority
research analyst.
    Mr. Upton. Good morning, everyone, and welcome.
    Today's alarming news story may change the focus of this
morning's hearing a little bit. Americans everywhere want
absolute assurances that our nuclear secrets remain just that,
secret.
    Sadly, today's headlines are indeed startling regarding the
missing disks and the unsuccessful attempts of answering the
many questions that are now out there. How can these disks be
missing after more than a month with only as many as 86
individuals, 26 being unescorted, having access to these highly
classified disks?
    Real security is going to require additional changes in how
DOE and its labs control their classified data, whether in hard
copy or on computer disk. Our hearing today, coupled with this
news from Los Alamos, shows how far the Department, in its
lapse, still must go to make security the priority that
everyone wants it to be.
    This subcommittee will hold a hearing to continue its year-
long review of cyber security practices at the Department of
Energy. This time, our focus is not on the Department's nuclear
weapons labs--which have received the lion's share of attention
and have made real improvements in computer security since last
year--but on DOE headquarters itself. Unfortunately, the
current situation at DOE headquarters is little better than
where the labs were a year ago, a startling and troubling
revelation given the Secretary's professed commitment over 1
year ago to make security, and cyber security in particular, a
top priority throughout the Department.
    We'll hear today once again from Mr. Glenn Podonsky, whose
office conducts independent reviews of DOE security practices,
including the latest audit of headquarters cyber security
completed last month. At our last hearing on DOE's security
issues, Mr. Podonsky's office promised in response to
Congresswoman Wilson's questioning to initiate an expedited
review of headquarters cyber security, and I am pleased that
he's with us to report to the subcommittee on the findings of
this audit. In particular, we will hear that the headquarters
computer network has many significant and easily exploitable
vulnerabilities that render it both susceptible to internal and
external threats.
    As with the labs, we will hear once again about the lack of
internal security controls to limit the ability of authorized
and unauthorized users, including some foreign nationals, to
move freely among the various program office systems to
compromise sensitive information. On this unified network is
not only the Secretary's office but also key program functions,
such as defense programs, nonproliferation and national
security, security operations, counterintelligence, the general
counsel and inspector general, and even Mr. Podonsky's office.
While these offices' classified data is physically separate
from the unclassified network, the audit does raise concerns
about whether the tighter controls that were ordered more than
a year ago by the Secretary to limit the transfer of classified
data to the unclassified systems have in fact been implemented
at DOE's own headquarters.
    As with the labs, we'll also hear about deficiencies in
certain fire walls and intrusion detection systems. While no
Internet fire wall is ever 100 percent foolproof, it is
important that a system be able to quickly detect and block this
spread of unauthorized entries into the network. By this
important measure, DOE falls significantly short of the mark.
    From a management perspective, the audit essentially finds
that no single person or entity is in charge of this network,
an amazing finding in and of itself, and most likely the root
cause of the technical problems uncovered by this audit. It
appears that much like other Federal agencies the committee has
looked at, the chief information officer at DOE is the chief in
name only.
    Given Secretary Richardson's reorganization last summer,
which elevated the CIO and gave him responsibility for all
cyber security efforts throughout the Department, I would have
thought that the CIO would have also received the authority to
mandate certain minimum requirements and corrective actions to
vulnerable systems. Instead, we now find out that the CIO
lacks, according to the audit, ``real and perceived authority
to order changes,'' a view apparently shared by the CIO
himself.
    I know I must speak for many members of this committee when
I say that I find the whole situation bewildering. How could
DOE headquarters, which was the catalyst for the security
changes at the nuclear weapons labs last year, leave its own
systems so vulnerable to misuse; and why is the Department's
CIO so powerless to change the situation?
    These and many other questions will be explored at today's
hearing, and I welcome our panel of witnesses. In particular, I
look forward to the testimony of General Habiger, DOE's
security czar, and Mr. Gilligan, DOE's CIO, on what technical
and management changes DOE intends to make to fix these serious
problems and on what timetable. I am glad to see that after
we'd noticed this hearing last week, the Department immediately
moved to give this CIO new powers over the headquarters
network; and I hope he uses that power to quickly and
effectively gain control over this important cyber system.
    At this point, I yield to my friend from Michigan, Mr.
Stupak, the acting ranking member for this morning's hearing.
    Mr. Stupak. Thanks, Mr. Chairman, and thanks for holding
this important hearing.
    Yesterday, I was prepared to give an opening statement
regarding cyber security at the Department of Energy, but after
reading the New York Times yesterday, I was forced to
substantially change my statement.
    I'm very concerned that the Department of Energy has no
idea what happened to two hard drives containing classified
information about our nuclear weapons program. According to the
New York Times, the hard drives contained detailed
specifications about U.S. and Russian nuclear weapons. However,
what is more concerning is the laissez-faire attitude Los
Alamos National Laboratory and the Department of Energy have
displayed in trying to ascertain what happened to highly
classified information.
    In the article, a senior Energy official is quoted as
saying, ``In my opinion, it's premature to call this a security
breach.'' Well, I, for one, think it is a security breach and
has definitely been breached and no one can say what has
happened to the hard drives, who had control of the hard drives
or who last had access to them.
    I have to tell you, in my hometown of Menominee, Michigan,
if I want to check out a library book at the Menominee Public
Library, you have to have a library card and they make a record
if you remove the book; and if you keep the book too long, they
send you a notice asking you to return it. Eventually, they
charge you a late fine. Most Americans would find it hard to
believe that Menominee Public Library has a more sophisticated
tracking system for ``Winnie the Pooh'' than Los Alamos has for
highly classified nuclear weapons data. That is exactly the
situation we're faced with.
    Mr. Curran, the Director of the Department's
Counterintelligence Office, is quoted as saying, ``At this
point, there is no evidence that suggests espionage is involved
in this incident.''
    How are we going to find out? Does Mr. Curran expect
someone from Baghdad or Beijing to call them next year and ask
for a software update?
    We need to get the answers from the witnesses on a number
of issues. Why did it take Los Alamos National Laboratory 3
weeks to alert the Department of Energy that the hard drives
were missing? How were these hard drives and computers stored?
A couple of months ago the State Department lost highly
classified information on nuclear weapons. Now Los Alamos has
misplaced highly classified information. This is not a joke.
We're talking about highly classified nuclear weapons data.
    I have been a critic of the lack of security at our nuclear
weapons laboratory at Lawrence Livermore, Los Alamos and other
facilities. Other members have come to me and asked me to tone
it down; I will once the national labs take the security
breaches seriously. I believe it's time to take--make security
at our national labs a military priority and not a civilian
afterthought.
    Mr. Chairman, we need answers and we need results. While I
understand the witnesses are prepared to discuss cyber security
at the Department of Energy, I intend to ask questions about
the latest loss of our Nation's nuclear secrets, and I hope I
will get some answers to my questions today.
    Thank you, Mr. Chairman.
    Mr. Upton. I recognize Mr. Bliley for an opening statement.
    Chairman Bliley. Thank you, Mr. Chairman.
    Since allegations of spying at Los Alamos first surfaced
early last year, this committee and the American public have
been subject to a steady stream of press releases, action
plans, tough talk and photo ops from Secretary Richardson and
senior DOE officials, designed to show a commitment to security
at the Department of Energy. They have crisscrossed the
country, making lots of visits to the nuclear weapons labs,
demanding reforms and upgrades to security systems,
particularly computer systems; and we've been told that the
Department's contractors have ``gotten the message'' of ``zero
tolerance'' for poor security.
    I certainly don't mean to belittle these efforts because
they have had some positive effect, particularly when combined
with this committee's aggressive oversight and the bright media
spotlight. But despite the travels and television appearances,
the Secretary apparently hasn't checked his own headquarters
office. Effective leadership requires making sure your own
house is in order when demanding others clean up theirs. Today,
we are witnessing nothing less than a failure of leadership.
    A recent internal inspection by the Department's
independent cyber security team, prompted by Congresswoman
Wilson's request during our last oversight hearing on this
matter, has revealed real flaws in the cyber security program
at the Department's own headquarters that should have been
corrected a long time ago. Indeed, the Department knew about
many of these flaws for some time before this latest inspection
occurred yet failed to fix them. That doesn't seem like zero
tolerance to me, and it highlights serious management failures.
    Indeed, one of the key findings in this report is that the
Department, in executing its cyber security program at
headquarters, has ignored the most basic principle of computer
security, that a network is only as strong as its weakest link.
Individual DOE program offices essentially set their own rules
on security, which results in real differences in levels of
security. This situation puts the entire DOE network, which
contains a large amount of sensitive information, at serious
risk of compromise or misuse.
    Whatever the DOE spin on this is, there can be little doubt
that the latest audit of cyber security is a terrible
embarrassment to the Department and to the administration. How
could such a situation exist at DOE if security is really a top
priority?
    The audit report concludes by stating that senior
management attention is needed to fix the problems plaguing the
Department's cyber security system. I am not sure how much more
senior we can get than the Secretary, who supposedly has been
focused on security at least since the spy scandal erupted over
a year ago. I think it is time he and the rest of the
Department focused equal attention on eliminating risks closer
to home.
    Finally, I just want to say a word about the recent
revelations of missing classified data from Los Alamos. It is
alarming that, despite the alleged focus on security over the
last year, it appears the Department of Energy and its labs
still have a long way to go before the American public can or
should feel confident that our nuclear secrets are safe in
their hands. Several months ago, I requested the General
Accounting Office conduct an investigation into whether DOE and
its labs have proper procedures in place to control and account
for their classified documents and electronic media. The latest
news from Los Alamos suggests that, whether or not this missing
data is eventually recovered, the answer is no.
    Thank you, Mr. Chairman.
    Mr. Upton. Thank you, Mr. Chairman.
    Mrs. Wilson.
    Mrs. Wilson. I ask unanimous consent to be allowed to sit
in on this hearing of the Oversight and Investigations
Subcommittee.
    Mr. Upton. Without objection, so ruled.
    Would the gentlelady like to make an opening statement?
    Mrs. Wilson. Yes, Mr. Chairman, I would.
    Thank you, Mr. Chairman, for letting me sit in on this
subcommittee hearing. I am not normally on the Subcommittee on
Oversight and Investigations. I have a particular interest and
concern on the issue of cyber security at our national
laboratories.
    In fact, this hearing and the testimony that we're going to
hear today is the result of an inquiry that I made at a
previous hearing about security at DOE headquarters. Because as
all of us know, a system is only as strong as its weakest wall.
And if we focus only on cyber security of systems out on the
periphery of the Department of Energy and not those at DOE
headquarters, we haven't strengthened the security system in
the Department of Energy.
    I understand that we will hear testimony today about cyber
security at the headquarters of the Department of Energy on its
unclassified systems. That inquiry parallels those that have
previously been made at the outer rings of the Department of
Energy, including at our national labs. We do not yet know how
secure the classified systems are at DOE headquarters, but the
preliminary reports that I have seen about the testimony we're
going to hear today are troubling. It means that the Department of
Energy has been out looking at all of its contractors and
subcontractors, and at the periphery of its organization, being
critical, and rightly critical, while it didn't have its own
house in order.
    General Habiger, you and I were trained in some of the same
places, with similar kinds of ethics and values, and I think
both of us believe in leadership by example. And I am glad that
you're now looking at the Department of Energy headquarters and
trying to lead by example. But I am a little sorry that it took
this kind of prodding to get the Department of Energy to do so.
    With respect to information systems and cyber security and
computer security, all of us know that it must be systemic. It
is by its nature systemic, and computer security has to be
looked at as a whole and not just in pieces. I suspect that is
one of the problems at the Department of Energy. Every little
fiefdom within the Department of Energy runs its own show, and
part of it is weak.
    I do want to say something, just briefly, about the reports
yesterday from Los Alamos National Laboratory. Folks from Los
Alamos came to my office yesterday to give me preliminary
information about the loss of classified data at Los Alamos
National Laboratory, and I find it deeply troubling. We don't
yet know a lot about what happened, and I support the ongoing
investigation to find out.
    I have also requested that the Intelligence Committee, on
which I sit, hold an immediate classified briefing on what was
lost and what we know at this point.
    There are a number of questions that I still have. They're
inappropriate to ask in an unclassified forum, and I will be
asking those questions in the House Permanent Select Committee
on Intelligence as early as this week.
    There is one thing, though, that this most recent incident
underscores for me, and that is the need to move forward
rapidly with the implementation of the NNSA and the
confirmation of General John Gordon to lead it. At the moment,
the nuclear weapons complex in this country is in a state of
limbo, of neither being part of the Department of Energy nor
having a real head of its own. That is unsustainable if we want
that organization to move forward, to improve security at our
national labs and our nuclear weapons complex, and to come up
with a concerted plan for the future.
    Thank you, Mr. Chairman.
    Mr. Upton. Thank you. Well, gentlemen, as you know, as you
have testified before, we have a long-standing tradition of
taking testimony under oath before this subcommittee. Do you
have any objection to that?
    Voices. No.
    Mr. Upton. And committee rules allow you to be represented
by counsel if you wish such. Do you desire to have counsel
representation?
    Voices. No, sir.
    Mr. Upton. In that case, if you would now stand and raise
your right hands.
    [Witnesses sworn.]
    You are now under oath, and as you heard at the beginning,
I guess we're going to allow you to take a little extra time in
delivering your testimony.
    Mr. Podonsky, we'll start with you. Welcome back.

TESTIMONY OF GLENN S. PODONSKY, DIRECTOR, OFFICE OF INDEPENDENT
OVERSIGHT AND PERFORMANCE ASSURANCE, ACCOMPANIED BY BRADLEY A.
 PETERSON, OFFICE OF CYBER SECURITY AND SPECIAL REVIEWS, U.S.
                      DEPARTMENT OF ENERGY

    Mr. Podonsky. Thank you, Mr. Chairman. I appreciate the
opportunity to----
    Mr. Upton. If you could just pull the mike a little bit
closer, that would be terrific.
    Mr. Podonsky. I appreciate the opportunity, Mr. Chairman,
to appear before this committee to discuss our April inspection
of unclassified cyber security systems at the DOE headquarters.
    As you know, the Office of Independent Oversight and
Performance Assurance provides the Secretary of Energy with an
independent view of the effectiveness of safeguards and
security, emergency management, and cyber security policies and
programs throughout the DOE complex. With me this morning is
Mr. Brad Peterson, the head of my cyber security office.
    In the past, DOE sites often focused on making information
easily available and computer systems easy to use, which
frequently led to cyber security receiving a low priority.
Also, DOE policy was not always followed, which allowed
implementation of computer systems in ways that did not provide
for effective security.
    Particularly disturbing to us was the situation in 1994 at
Los Alamos when my office pointed out that the classified
network had connections to the unclassified network, posing the
risk that an authorized user could download large quantities of
classified information to an unclassified computer with little
chance of detection.
    Over the past 15 years, the DOE headquarters has often
received less than satisfactory ratings in many areas,
including cyber security. Until Secretary Richardson's
involvement, the program offices were in some cases unwilling
to commit resources to enhance security. Recent results,
however, have been more positive. A number of cyber security
upgrades and other initiatives have been completed or are under
way.
    The results of our inspection in April indicate that
important deficiencies still need to be addressed. Many program
offices have cyber security programs that would be considered
effective if they were not connected to less effective
networks.
    Generally, the main headquarters fire wall is effective;
however, several Web servers managed by individual program
offices are located completely outside the fire wall boundary.
Most were found to be vulnerable to hacking, and some have
vulnerabilities that could allow any Internet user to gain
system administrator-level privileges and subsequently deface
or shut down the Web site. Headquarters has not developed
overall cyber security procedures or minimum requirements for
each network segment on the network.
    The fragmented management systems and practices currently
in place are a root cause of many identified weaknesses. While
the chief information officer has attempted to address many of
these weaknesses, the effectiveness of these initiatives has
been limited due to lack of real or perceived authority. This
fragmentation results in part from weaknesses in policy, which
does not address the unique situation at headquarters or
establish overall responsibilities and authorities.
    My office is continually expanding its ability to conduct
network performance testing, using tools we have acquired or
developed. We currently have an extensive cyber security
laboratory dedicated to testing cyber security features. We
also conduct regular inspection of cyber security systems at
DOE sites.
    We will conduct an inspection of the classified cyber
security at DOE headquarters next month in conjunction with a
comprehensive inspection of all the safeguards and security
policies and programs at the headquarters. We also will
continue to follow up and work closely with General Habiger's
office as they work to clarify and enhance cyber security
policy and guidance.
    Although much work remains, it is clear that a positive
trend in classified cyber security has been established at the
headquarters and that DOE headquarters has heard the wake-up
call from the Secretary and from the congressional committees.
Cyber security is receiving a significantly higher level of
attention from senior management than in the years gone past,
and we are seeing more improvements that could not have been
made without management support and the Secretary's
involvement.
    Finally, our independent oversight function as a direct
report to the Secretary has a mechanism in place, a mandated
corrective action plan, that ensures independent oversight
findings will be addressed. With these measures, we expect the
identified weaknesses will be corrected.
    Thank you, Mr. Chairman.
    [The prepared statement of Glenn S. Podonsky follows:]
     Prepared Statement of Glenn S. Podonsky, Director, Office of
  Independent Oversight and Performance Assurance, U.S. Department of
                                 Energy
    Thank you Mr. Chairman. I appreciate the opportunity to appear
before this committee to discuss our Independent Oversight activities
as they relate to unclassified cyber security at DOE Headquarters. The
Office of Independent Oversight and Performance Assurance is
responsible for providing the Secretary of Energy with an independent
view of the effectiveness of DOE policies and programs in the areas of
safeguards and security, emergency management, and cyber security.
    My remarks this morning will focus on the recent Independent
Oversight inspection of unclassified cyber security systems at the DOE
Headquarters, which was conducted in April 2000. I will also briefly
summarize some historical perspectives to provide a background on how
we got to where we are today. Finally, I will discuss our plans for
upcoming inspections at DOE Headquarters, follow-up activities, and
other initiatives.
Historical Perspectives
    From the early days of computer networks, DOE has historically
struggled with the area of cyber security. For a variety of reasons,
such as the emphasis on intellectual freedom and open exchange of
ideas, DOE sites, in the past, often focused on making information
easily available and computer systems easy to use. This often led to
situations in which cyber security received a lower priority than user
convenience or operational efficiency.
    There were also instances where DOE and contractor management did
not follow DOE policy and allowed sites to implement computer systems
in ways that did not provide for effective security. A particularly
disturbing example was the situation in Los Alamos in 1994 when my
office pointed out that the classified network had connections to the
unclassified network, which posed a risk from an insider. Using these
connections, an authorized user could download large quantities of
classified information to an unclassified computer with little chance
of detection.
    During most Oversight inspections over the last 15 years, the DOE
Headquarters has performed poorly, often receiving less than
satisfactory ratings in many areas, including cyber security. In many
cases, until Secretary Richardson's involvement, Headquarters program
offices were unwilling to commit resources to enhance security or to
implement the same requirements they imposed on the field.
    Recent results, however, have been more positive. Headquarters has
completed a number of cyber security upgrades and has other initiatives
underway.
    Before talking about the results of the recent Headquarters
inspection, I would like to take a moment to share with you some of the
techniques we use for evaluating the effectiveness of cyber security
programs. We began to use automated tools to performance test security
features in 1995. This use of technology was a quantum step forward and
dramatically increased our ability to test network security. Using
automated network scanning tools, we are able to test thousands of
systems and all network connections and features in a period of a week.
Previously, such an effort would have taken a year or more.
    We have continually expanded our ability to conduct performance
tests of networks using tools that we have acquired or developed on our
own. For example, we have software programs--referred to as ``war
dialers''--that can test every phone line at a DOE site in a matter of
days to determine whether unauthorized modems exist. If present, such
modems could be located and used by hackers to bypass the firewall to
gain access to information or destroy data.
    We currently have an extensive cyber security laboratory dedicated
entirely to testing cyber security features. We conduct regular
inspections of the implementation of cyber security at DOE sites. We
have expanded our methods to include a program of unannounced
inspections and penetration testing. Most recently, we have been
implementing what is commonly referred to as a RED Team approach, in
which we use a variety of techniques to perform detailed tests of a
site's cyber security features. These tests include penetration testing
by experts who are thoroughly familiar with the latest hacker
techniques and methods.
    Our assembled team of inspectors, together with our cyber security
laboratory, enables us to conduct penetration testing on par with some
of the best known hackers. With this extensive testing capability, it
is not surprising that we continue to find weaknesses in
implementation. Many DOE sites recently have established their own
programs for regular scans of their networks and tests of their
security features. This is one of the most positive trends in DOE,
because an ongoing, effective self-assessment program is essential to
effective network security.
    In addition to the rigorous performance testing of systems, our
inspections also include an evaluation of the programmatic, management
system elements that are the essential foundation of a cyber security
program. By looking at such elements as leadership, risk management,
procedures and performance evaluation, we are able to identify not only
specific technical deficiencies, but also underlying root causes, which
must be addressed to prevent recurrence of the problems.
Summary of the April inspection of HQ unclassified cyber security
        systems
    The results of our April Headquarters inspection of unclassified
cyber security indicate that important deficiencies need to be
addressed. Many program offices have cyber security programs that would
be considered effective if evaluated on their own merits (that is, they
would be effective if they were not connected to less effective
networks of other organizations). Within several program offices,
leadership and support for cyber security are good, and roles and
responsibilities are well defined. Much of the recent improvement can
be attributed to the attention and efforts of the Secretary of Energy and
the DOE Chief Information Officer to improve cyber security across the
complex. The Chief Information Officer has been aggressive in creating
policy and has taken an active role in addressing DOE-wide problems.
The CIO has worked to strengthen cyber security within the Headquarters
and improve the security of the network backbone and main firewall. The
CIO has also supported the Headquarters program offices through efforts
such as regular scanning of networks to identify vulnerabilities that
need corrective action.
    Despite recent progress, weaknesses continue to exist in several
important aspects of the Headquarters cyber security program.
Weaknesses regarding the backbone switches and individual systems
throughout the network were identified. Our testing demonstrated how a
malicious insider could exploit these weaknesses.
The results of these \ntests demonstrate the need for continued vigilance of network security.\n    Generally, the main Headquarters firewall was effective. However, \nseveral Web servers are managed by individual program offices and are \nlocated completely outside the firewall boundary. Most of these servers \nwere found to be vulnerable to common hacking exploits, and some \ncontain vulnerabilities that could allow any Internet user to gain \nsystem administrator-level privileges, and subsequently deface or shut \ndown the Web site. To demonstrate this possibility, we exploited one of \nthe vulnerabilities and gained system administrator-level privileges to \none of the servers. There is also some concern that the risk of \nalternate pathways into the network that could allow unauthorized \naccess has not been evaluated.\n    The potentially exploitable vulnerabilities in the Headquarters \nnetwork result from a number of weaknesses in the unclassified cyber \nsecurity program. Headquarters has not developed overall cyber security \nprocedures (such as policies for modems or foreign national access) or \nprocedures to establish minimum requirements for each network segment \non the network. There is no formal process for evaluating performance \nand for self-identifying and correcting vulnerabilities in the overall \nnetwork. Additionally, Headquarters risk assessments have not been \nrigorous.\n    The fragmented management systems and practices currently in place \nare a root cause of many of the programmatic weaknesses and technical \nvulnerabilities. While the DOE Chief Information Officer has attempted \nto address many of the weaknesses associated with this fragmentation, \nwe determined that the effectiveness of these initiatives has been \nlimited due to the lack of real and perceived authority. 
This \nfragmentation results in part from weaknesses in policy, which does not \naddress the unique situation at DOE Headquarters or establish overall \nresponsibilities and authorities for Headquarters. The 25 individual \nLAN segments, covering 29 different program offices, have widely \nvarying levels of effectiveness.\n    While some program offices have established effective practices, \nothers have poor configuration management practices, ineffective \npolicies and procedures, and ineffective intrusion detection \nstrategies. Because of the configuration of the overall network (that \nis, the logical connections among all systems with few security \nbarriers between segments), the overall system is only as good as the \nweakest link. In effect, the potentially effective practices of some \nprogram offices are largely negated by the ineffective practices of \nother program offices.\n    To summarize the results of our inspection, the increased focus on \ncyber security and the positive measures that have been implemented at \nDOE Headquarters have resulted in significant improvements in cyber \nsecurity. However, additional improvements are needed, with particular \nemphasis on assessing and managing risk and on addressing \nvulnerabilities that can be exploited from within the internal network.\nPlans for Independent Oversight Follow-up and other DOE Initiatives\n    We will be performing follow-up activities to determine whether \nidentified weaknesses have been addressed. Although in the early stages \nof their corrective actions, Headquarters personnel have been generally \nresponsive to the inspection findings and have started corrective \nactions.\n    In a related effort, we will be conducting an inspection of the \n``classified'' cyber security program at DOE Headquarters in July 2000 \nin conjunction with a comprehensive inspection of Headquarters' \nsafeguards and security policies and programs. 
Independent Oversight \nwill also continue to work with the Office of Security and Emergency \nOperations as they work to clarify and enhance cyber security policy \nand guidance.\n    Although much work remains, it is clear that a positive trend has \nbeen established at DOE Headquarters in the area of unclassified cyber \nsecurity. While continued, close Independent Oversight attention is \nwarranted, there are several reasons to be cautiously optimistic that \nthis positive trend will continue. For example, it is clear that DOE \nHeadquarters has heard the wake-up call from the Secretary and \nCongressional Committees. Cyber security is receiving a significantly \nhigher level of attention from senior management than in the past, and \nwe are seeing some improvements that could not have been made without \nmanagement support and the Secretary's personal involvement. In \naddition, the Office of Security and Emergency Operations and the DOE \nChief Information Officer have indicated a willingness to improve \npolicies and guidance to ensure there is a clear and unambiguous basis \nfor holding line management accountable for effective security. \nFinally, our Independent Oversight function, as a direct report to the \nSecretary, has a mechanism in place--the mandated corrective action \nplan--that ensures Independent Oversight findings are addressed. With \nthese measures, we have reason to be optimistic that identified \nweaknesses will be corrected.\n    Thank you Mr. Chairman; this concludes my comments.\n\n    Mr. Upton. General Habiger.\n\n TESTIMONY OF EUGENE E. HABIGER, DIRECTOR, OFFICE OF SECURITY \n  AND EMERGENCY OPERATIONS, ACCOMPANIED BY JOHN M. GILLIGAN, \n      CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF ENERGY\n\n    Mr. Habiger. Mr. Chairman, distinguished members of this \nsubcommittee, thank you for the opportunity to appear before \nyou today to testify on Mr. 
Podonsky's Office of Independent \nOversight and Performance Assurance report on our headquarters. \nWhile not always pleasant to hear, these reviews are essential \nin our ongoing efforts to ensure that we protect our \ninformation systems and the information they process.\n    I readily acknowledge and accept the findings of this \nreview. As recognized by the review itself, we have made much \nprogress in the headquarters unclassified security program over \nthe past 2 years. The Office of Chief Information Officer, \nunder the very capable leadership of John Gilligan, has moved \naggressively to address DOE-wide problems to include the \nestablishment of new policy governing our unclassified systems. \nAt headquarters, John and his staff have made significant \nimprovements in the security of the network backbone and our \nmain firewall. Despite this progress, however, I acknowledge \nthere is room for improvement.\n    I also want to be straightforward with you and freely admit \nthat over the past year our focus has been directed at our \ndefense facilities and then our other large sites. As a result, \nheadquarters has not received the same level of attention. This \nlevel of attention is directly correlated to the funds \nappropriated to us for cyber security. As part of our fiscal \nyear 2000 Budget Amendment Request that I was personally \ninvolved with in July of last year, we asked for $35 million to \naddress our cyber security needs, but were appropriated only $7 \nmillion. With such a shortfall, some hard decisions had to be \nmade.\n    Mr. Chairman, I now quote from my sworn testimony of \nOctober 26 of last year in front of this very committee, \n``Congress has, up to this point, failed to fund the \nDepartment's fiscal year 2000 full budget amendment in order \nfor us to make near- and long-term fixes. We have valid \nrequirements in the area of cyber security to buy hardware, \nencryption equipment and to train our systems administrators. 
\nSimply stated, we have been given a mandate, but not the \nresources to accomplish that mandate.''\n    I cannot in retrospect tell you that if we had received the \nadditional $28 million we requested back in July that we would \nhave no cyber security discrepancies, but I can assure you, Mr. \nChairman, that in my judgment they would not have been of the \nsame order of magnitude.\n    Consequently, the headquarters unclassified cyber security \ninitiatives were given lower priority in light of more pressing \nneeds at our field sites. Granted, not all of the issues \nidentified were the result of funding shortfalls. Where limited \nfunds were not an issue, we moved quickly to take corrective \naction.\n    In addition, the Deputy Secretary recently directed that \nthe Office of Chief Information Officer serve as the central \ncyber security authority for the headquarters. This action \naddresses the recommendations to establish the necessary \nmanagement structure to implement an effective cyber security \nprogram at our headquarters.\n    Additionally, we are implementing longer-term actions to \nimprove the efficiency of the cyber security program by \nadopting best security practices and a more proactive risk \nassessment program.\n    I want to assure you that we are fixing the shortfalls \nidentified in the independent oversight review. Headquarters \nshould and will set the standard for the rest of the Department \non how it implements security of our unclassified systems.\n    Thank you, Mr. Chairman.\n    [The prepared statement of Eugene E. Habiger follows:]\n Prepared Statement of Eugene E. Habiger, Director, Office of Security \n          and Emergency Operations, U.S. Department of Energy\n    Mr. 
Chairman and distinguished members of the Subcommittee, thank \nyou for the opportunity to appear before you today to testify on the \nOffice of Independent Oversight and Performance Assurance's report \nentitled, ``Unclassified Cyber Security Review of Department of Energy \nHeadquarters.'' While not always pleasant to hear, these reviews are \nessential in our ongoing efforts to ensure that we protect our \ninformation systems and the information that they process.\n    I readily acknowledge and accept the findings of the Independent \nOversight review. As recognized by the review itself, we have made much \nprogress in the Headquarters unclassified cyber security program over \nthe past two years. The Office of the Chief Information Officer, under \nthe very capable leadership of John Gilligan, has moved aggressively to \naddress DOE-wide problems to include the establishment of new policy \ngoverning our unclassified systems. At Headquarters, John and his staff \nhave made significant improvements in the security of the network \nbackbone and main firewall. Despite this progress, however, there is \nroom for improvement.\n    I also want to be straightforward with you and freely admit that \nover the past year our focus has been directed at our defense \nfacilities and then our other large sites. This level of attention is \ndirectly correlated to the funds appropriated to us for cyber security. \nAs part of our FY 2000 Supplemental Budget Amendment request, we asked \nfor $35 million to address our cyber security needs, but were \nappropriated only $7 million. With such a shortfall, some hard \ndecisions had to be made.\n    Mr. Chairman, I now quote from my sworn testimony of October 26, \n1999 in front of this committee: ``. . . Congress has, up to this \npoint, failed to fund the Department's FY 2000 full budget amendment in \norder to make near and long term fixes. 
We have valid requirements in \nthe area of cyber security to buy hardware, encryption equipment and to \ntrain our systems administrators . . . Simply stated, we have been \ngiven a mandate but not the additional resources to accomplish that \nmandate.'' I cannot in retrospect tell you that had we received the \nadditional $28M we requested back in July of last year, that we would \nhave had no cyber security discrepancies . . . but, I can assure you \nthat they would not have been of the same order of magnitude.\n    Consequently, the Headquarters unclassified cyber security \ninitiatives were given lower priority in light of more pressing needs \nat our field sites. Granted, not all of the issues identified were the \nresult of funding shortfalls. Where limited funds were not an issue, we \nmoved quickly to take corrective action. For example, the Deputy \nSecretary recently directed that the Office of the Chief Information \nOfficer serve as the central cyber-security authority for Headquarters. \nThis action addresses the recommendation to establish the necessary \nmanagement structure to implement an effective cyber-security program \nat Headquarters.\n    Additionally, we are implementing longer-term actions to improve \nthe efficiency of the cyber security program by adopting\n\n<bullet> best security practices, and\n<bullet> a more proactive risk assessment program.\n    I want to assure you that we are fixing the shortfalls identified \nin the Independent Oversight review. Headquarters should and will set \nthe standard for the rest of the Department on how it implements \nsecurity of its unclassified systems. With your permission, I would now \nlike to yield to John Gilligan, the Chief Information Officer of the \nDepartment of Energy, to elaborate on how we are progressing on our \nHeadquarters efforts.\n\n    Mr. Upton. Mr. Gilligan.\n\n                  TESTIMONY OF JOHN M. GILLIGAN\n\n    Mr. Gilligan. Thank you, Mr. 
Chairman and distinguished \nmembers of the subcommittee, for the opportunity to appear \nbefore you today. My testimony will focus on actions we have \ntaken across the Department to improve the level of cyber \nsecurity protection in our systems and networks. I will also \ndiscuss the cyber security weaknesses that have been identified \nin the headquarters during the recent review by the \nDepartment's independent oversight organization, as well as our \nefforts to remedy these identified weaknesses.\n    I am pleased to say that the state of cyber security at the \nDepartment of Energy is far better today than it was a year \nago. A year ago there was clear evidence that the Department's \ncyber security efforts, in particular for our unclassified \ncomputer systems, had not kept pace with the rapid \nproliferation of network connection and increasing threats. Our \npolicies were outdated, cyber security compromises at some \nsites led to significant work disruptions, and we did not have \nawareness of cyber security threats or adequate training of our \nwork force to deal with these threats. These concerns were \nreported in congressional hearings and other forums. This was a \npainful wake-up call for the Department, but a necessary one.\n    During the past year, each DOE organization has focused on \nimproving awareness of cyber security threats and installing \nimproved security controls. I have seen enormous progress in \nhow unclassified information is protected and a significant \nincrease in the awareness of cyber security issues at all \nlevels within the Department. While we have worked this issue \naggressively, cyber security is not a quick fix and more needs \nto be done. However, the security protection in the Department \nis improving rapidly, and I appreciate the opportunity to \ndiscuss our progress.\n    Since the spring of 1999, the Secretary of Energy and I \nhave emphasized the Department-wide focus on cyber security. 
\nThe initial focus was on our defense laboratories and \nproduction facilities, with aggressive programs to upgrade and \nverify fixes at these facilities last summer and fall. This \nfocus has subsequently been extended to all DOE sites. Over \nthis period, the Department has completely restructured its \ncyber security program. Actions taken include the following:\n    Creating a single Department-wide cyber security office \nunder me as the Department's Chief Information Officer; \nrequiring work stand-downs at all sites to conduct security \nawareness training; developing and issuing four new cyber \nsecurity policies and two new cyber security guidelines; \ninstituting a set of cyber security metrics which permit us to \nevaluate progress at each site; doubling the size and \nincreasing the role of the central DOE security incident and \nearly warning capability, our computer incident advisory \ncapability located at Lawrence Livermore Laboratory; having \neach DOE site develop a detailed site-specific cyber security \nplan describing the implementation of cyber security protection \nat the site; deploying a number of security training programs \nDepartment wide to improve the security skills of our systems \nadministrators and a separate training course provided to our \nline managers.\n    Finally, each site has significantly upgraded its \nprotection through the use of firewalls and intrusion detection \nsoftware, stronger passwords, improved system configuration \ncontrols and reconfiguration of system and network connectivity \nto reduce vulnerabilities.\n    In addition, the Secretary has created a proactive, \nindependent security assessment organization, the Office of \nIndependent Oversight and Performance Evaluation, reporting \ndirectly to him, to provide an independent review of security \nthroughout the complex. 
For the past year, this independent \noversight office has been conducting thorough reviews of cyber \nsecurity effectiveness at DOE sites.\n    As Chief Information Officer, I am a key customer of the \nproducts of the independent oversight reviews. I rely on these \nreviews to provide me with an objective assessment of the \neffectiveness of the cyber security at our sites and the \neffectiveness of the CIO cyber security policies. In essence, \nthe independent oversight reviews provide critical feedback to \nme on how the individual sites are progressing with cyber \nsecurity upgrades, and my staff often participates in the \nreviews.\n    Since last summer the independent oversight organization \nhas conducted 13 reviews. In those instances where significant \nvulnerabilities were identified, my policy staff and I have \nworked with the site and the line management organizations to \nensure that there is rapid resolution. Action plans for fixing \nproblems identified in the independent oversight reviews are \ntracked by the DOE Security Council that is chaired by the DOE \nSecurity Czar General Habiger.\n    In cases where there are significant weaknesses identified, \na rapid follow-up review by the independent oversight team is \nscheduled. We have done such follow-up reviews at a number of \nour facilities over the past year. These follow-up reviews \nprovide me and other senior Department officials with clear \nevidence that those sites are, in fact, making rapid progress \nto remedy the identified cyber security problems.\n    In April of this year, the DOE independent oversight office \nconducted a review of the headquarters unclassified cyber \nsecurity program. 
This assessment included a programmatic \nreview and testing of controls to prevent or limit access to \nthe headquarters information network against the external \nthreats, such as unauthorized system hackers, and internal \nthreat, for example, Department employees.\n    As you have heard from Mr. Podonsky, the review found that, \nalthough unclassified cyber security at headquarters has \nsignificantly improved in the past 2 years, there are still \nsignificant deficiencies that need to be addressed. In \nparticular, the review found that many program offices within \nthe headquarters have effective cyber security programs. \nHowever, because all DOE headquarters networks are \ninterconnected, an office with weak security can undermine the \notherwise effective processes and controls of the better \nmanaged offices. A number of individual headquarters offices \nwere found to have ineffective cyber security programs.\n    Weaknesses identified in the review included the following: \nA lack of headquarters-wide procedures on configuration \nmanagement; the absence of consistent policy on external \nconnections, modems and foreign national access; the lack of \nminimum cyber security requirements for each local area network \nin the headquarters; lack of a formal process to evaluate \nperformance and self-identify and correct cyber security \nvulnerabilities; headquarters risk assessments had also not \nbeen done rigorously and had not considered the shared risks of \nthe headquarters network.\n    In my assessment, the root cause for most of the reported \ncyber security problems was the failure to treat the \nheadquarters as an interconnected and interdependent set of \nsystems and network, that is, an integrated site. This problem \nstarted to become apparent earlier this spring when I found \nthat each office in the headquarters had produced separate \ncyber security plans as required by DOE's new unclassified \ncyber security policy. 
The reviews by my office of many of \nthese plans indicated serious weaknesses. These were documented \nand forwarded back to the individual organizations.\n    In addition, as we began to collect metrics on cyber \nsecurity implementation, the metrics submitted from some \nheadquarters offices indicated that they had significant \nweaknesses in their cyber security implementation programs. \nThese findings were shared with the respective headquarters \nmanagement, and we began evaluating approaches to improve our \napproach within the headquarters. The findings of the \nindependent oversight review confirmed these earlier \nindications of problems.\n    The Office of Independent Oversight has recommended \nimmediate and long-term actions to address the headquarters \ncyber security issues identified in its review. I support these \nrecommendations. Immediate actions include designating a single \nfocal point for headquarters cyber security as well as \nestablishing appropriate processes and procedures across the \nheadquarters. Longer-term actions include taking steps to \nimprove the efficiency of cyber security programs by adopting \nbest security practices and a more proactive risk management \nprogram.\n    Steps that are being taken to address the recommendations \nmade by the Office of Independent Oversight are as follows: On \nJune 8, the Deputy Secretary directed the Office of the CIO to \nserve as central cyber security authority for all computers and \nnetworks within the Department of Energy headquarters site, and \nI have submitted that memorandum as a part of the testimony. \nThis action is the necessary and important first step to begin \nto manage headquarters as a single entity and to institute \nconsistent site-wide approaches for securing our computers and \nnetworks.\n    Specifically, the CIO operations organization, headed by \nMr. 
Patrick Hargett who has joined me, which currently provides \ncomputer and networking support to a number of headquarters \norganizations, including the Office of the Secretary, the CIO, \nSecurity and Emergency Operations, Management and \nAdministration, the Chief Financial Officer and a number of \nother offices, will assume responsibility for all cyber \nsecurity policies, processes and procedures for the entire \nheadquarters site. These policies, processes and procedures \nwill be coordinated through a headquarters cyber security \nworking group that my office will form. Each headquarters \noffice will also be represented on this working group and will \nbe an integral part of the cyber security forum.\n    In addition, my office, as the central cyber security \nauthority for headquarters, will undertake the following \nefforts: develop, implement and enforce formal network \nconnection policies; develop, manage, operate and enforce an \nintegrated security configuration management process; develop, \nmanage and implement a security self-assessment process for \nheadquarters offices; and centrally manage the security of \nheadquarters, the network perimeter, including all firewalls \nand be responsible for performing intrusion detection, \nvulnerability scanning and auditing on the headquarters \ninformation technology infrastructure.\n    I have made a commitment to the Secretary that we will \nimplement fixes to the significant vulnerabilities identified \nin the independent oversight review of the headquarters within \n60 days. Consistent with our practices when we find a site that \nhas significant weaknesses, I have asked the Office of \nIndependent Oversight to reassess the headquarters in early \nfall to verify that we have resolved the serious weaknesses \nthat were identified in the April review. 
The Secretary has \nrequested regular updates on progress to close the headquarters \nvulnerabilities.\n    In summary, the cyber security program in the Department of \nEnergy in June 2000 bears little resemblance to the program in \nplace just a year ago. We have put updated cyber security \npolicies in effect, our security training has improved the \neffectiveness of our system administrators and informed our \nmanagement of upgraded cyber security threats, each site has \nupgraded its security controls and has improvement plans to be \nexecuted as resources are available, and a review and follow-up \nprocess using the Secretary's independent oversight function \npermits the Department to objectively assess our status.\n    Although we have made great progress, there is room for \nimprovements. Clearly, the review of the headquarters shows \nthat we have significant weaknesses that require immediate \nattention. Moreover, the Department believes that the \nheadquarters must set the standard for the rest of the \nDepartment on how it implements security of its cyber systems. \nThe Secretary and I are fully committed to ensuring that the \nheadquarters is a model for the rest of the Department.\n    Beyond fixing the clear weaknesses, the Department is \nmoving to strengthen security in a number of areas. Current \nfocus areas for improvement are eliminating the use of clear \ntext reusable passwords, implementing consistent security \narchitectures at each site, using automated tools to review \nfirewall and intrusion detection logs to identify and then \nautomatically block access from Internet sites that are \nattacking DOE sites, and automated distribution of software \npatches to make the process of patching vulnerabilities more \nrapid and reliable.\n    We know that there is no silver bullet fix for cyber \nsecurity. 
Success in this area will take continued focused \nefforts to deal with the increasing complexity of the threats \nand the rapid evolution of technology.\n    Successes will also take resources. I note that as a part \nof the Department's fiscal year 2000 Budget Amendment request, \nwe asked for additional funding to address our pressing \nsecurity needs for our unclassified computers, but, as General \nHabiger noted, we were only appropriated a small portion of \nwhat was requested.\n    While many of the issues identified in the review of the \nheadquarters and other DOE sites are not the result of lack of \nfunding, accelerating implementation of protection mechanisms \ndoes take additional resources.\n    We look forward to continuing to work with the Congress to \nfund our important cyber security programs, and we commit to \nproviding you continued visibility on our progress. Thank you.\n    [The prepared statement of John M. Gilligan follows:]\nPrepared Statement of John M. Gilligan, Chief Information Officer, U.S. \n                          Department of Energy\n                              introduction\n    Thank you Mr. Chairman and distinguished members of the Committee \nfor the opportunity to appear before you today. My testimony will focus \non actions we have taken across the Department to improve the level of \ncyber security protection in our systems and networks. I will also \ndiscuss the cyber security weaknesses that have been identified in the \nHeadquarters during the recent review by the Department's Independent \nOversight organizations, as well as our efforts to remedy these \nidentified weaknesses.\n    I am pleased to say that the state of cyber security at the \nDepartment of Energy (DOE) is far better today than it was a year ago. 
\nA year ago, there was clear evidence that the Department's cyber \nsecurity efforts, in particular for our unclassified computer systems, \nhad not kept pace with the rapid proliferation of network connections \nand increasing threats. Our policies were outdated, cyber security \ncompromises at some sites led to significant work disruptions, and we \ndid not have awareness of cyber security threats or adequate training \nof our workforce to deal with these threats. These concerns were \nreported in congressional hearings and other forums. This was a painful \nwake-up call for the Department, but a necessary one.\n    During the past year, each DOE organization has focused on \nimproving awareness of cyber security threats and installing improved \nsecurity controls. I have seen enormous progress in how unclassified \ninformation is protected and a significant increase in awareness of \ncyber security issues at all levels within the Department. While we \nhave worked this issue aggressively, cyber security is not a quick fix \nand more needs to be done. However, the security protection in the \nDepartment is improving rapidly, and I appreciate the opportunity to \ndiscuss our progress.\n    Since the spring of 1999, the Secretary of Energy and I have \nemphasized a Department-wide focus on cyber security. The initial focus \nwas on our Defense laboratories and production facilities with \naggressive programs to upgrade and verify fixes at these facilities \nlast summer and fall. This focus has subsequently been extended to all \nDOE sites. Over this period, the Department completely restructured its \ncyber security program. 
Actions taken include the following:\n\n<bullet> Creating a single, Department-wide Cyber Security Office under \n        me as the Department's Chief Information Officer.\n<bullet> Requiring work ``stand downs'' at all sites to conduct \n        security awareness training.\n<bullet> Developing and issuing four new cyber security policies and \n        two new cyber security guidelines.\n<bullet> Instituting a set of cyber security metrics which permit us to \n        evaluate progress at each site.\n<bullet> Doubling the size and increasing the role of the central DOE \n        security incident and early warning capability, our Computer \n        Incident Advisory Capability (CIAC) located at Lawrence \n        Livermore Laboratory.\n<bullet> Having each DOE site develop a detailed, site-specific cyber \n        security plan describing the implementation of cyber security \n        protection at the site.\n<bullet> Deploying a cyber security training program Department-wide to \n        improve the security skills of our Systems Administrators and a \n        separate training course provided to line managers.\n<bullet> Finally, each site has significantly upgraded its protection \n        through the use of firewalls and intrusion detection software, \n        stronger passwords, improved system configuration controls, and \n        reconfiguration of system and network connectivity to reduce \n        vulnerabilities.\n    In addition, the Secretary created a proactive independent security \nassessment organization, the Office of Independent Oversight and \nPerformance Evaluation, reporting directly to him to provide an \nindependent review of security throughout the complex. For the past \nyear, this Independent Oversight office has been conducting thorough \nreviews of cyber security effectiveness at DOE sites. As CIO, I am a \nkey customer of the products of independent oversight reviews. 
I rely \non these reviews to provide me with an objective assessment of the \neffectiveness of the cyber security at our sites and the effectiveness \nof the CIO cyber security policies. In essence, the Independent \nOversight reviews provide critical feedback to me on how individual \nsites are progressing with cyber security upgrades, and my staff often \nparticipates in the reviews. Since last summer, the Independent \nOversight organization has conducted 13 reviews. In those instances \nwhere significant vulnerabilities were identified, my policy staff and \nI have worked with the site and the line management organization to \nensure that there is rapid resolution. Action plans for fixing problems \nidentified in the Independent Oversight Reviews are tracked by the DOE \nSecurity Council that is chaired by the DOE Security Czar, General \nHabiger. In cases where there are significant weaknesses identified, a \nrapid follow-up review by the Independent Oversight team is scheduled. \nWe have done such follow-up reviews at a number of our facilities over \nthe past year. These follow-up reviews provide me and other senior \nDepartment officials with clear evidence that those sites are, in fact, \nmaking rapid progress to remedy the identified cyber security \nproblems.\n                      independent oversight review\n    In April of this year, the DOE Independent Oversight office \nconducted a review of the Headquarters unclassified cyber security \nprogram. The assessment included a programmatic review and testing of \ncontrols to prevent or limit access to the Headquarters information \nnetwork against the external threat (such as unauthorized system, i.e., \nhackers) and the internal threat (i.e., Department employees). As you \nhave heard from Mr. Podonsky, the review found that, although \nunclassified cyber security at Headquarters has significantly improved \nin the past two years, there are significant deficiencies that need to \nbe addressed. 
In particular, the review found that many program offices \nwithin the Headquarters have effective cyber security programs. \nHowever, because all DOE Headquarters networks are interconnected, an \noffice with weak security can undermine the otherwise effective \nprocesses and controls of the better-managed offices. A number of \nindividual Headquarters offices were found to have ineffective cyber \nsecurity programs.\n    Weaknesses identified in the review included the following:\n\n<bullet> A lack of Headquarters-wide procedures on configuration \n        management;\n<bullet> The absence of consistent policy on external connections, \n        modems, and foreign national access;\n<bullet> The lack of minimum cyber security requirements for each Local \n        Area Network in the Headquarters;\n<bullet> Lack of a formal process to evaluate performance and self-\n        identify and correct cyber security vulnerabilities;\n<bullet> Headquarters risk assessments had not been rigorous and had \n        not considered the shared risk of the Headquarters network.\n    In my assessment the root cause for most of the reported cyber \nsecurity problems was the failure to treat the Headquarters as an \ninterconnected and interdependent set of systems and networks that is \nan integrated ``site''. This problem started to become apparent earlier \nthis spring when I found that each office in the Headquarters had \nproduced separate cyber security plans as required by DOE's new \nunclassified cyber security policy. The reviews by my office of many of \nthese plans indicated serious weaknesses. These were documented and \nforwarded back to the individual organizations. In addition, as we \nbegan to collect metrics on cyber security implementation, the metrics \nsubmitted from some Headquarters offices indicated that they had \nsignificant weaknesses in their cyber security programs. 
These findings \nwere shared with the respective Headquarters management, and we began \nevaluating approaches to improve our approach within the Headquarters. \nThe findings of the Independent Oversight review confirmed these \nearlier indications of problems.\n    The Office of Independent Oversight has recommended immediate and \nlong-term actions to address the headquarters cyber issues identified \nin its review. I support these recommendations. Immediate actions \nincluded designating a single focal point for Headquarters Cyber \nSecurity, as well as establishing appropriate processes and procedures \nacross Headquarters. Longer-term actions include taking steps to \nimprove the efficiency of the cyber security program by adopting best \npractice security practices and a more proactive risk assessment \nprogram.\n          department response to independent oversight report\n    Steps that are being taken to address the recommendations made by \nthe Office of Independent Oversight are as follows. On June 8, 2000, \nthe Deputy Secretary directed the Office of the CIO to serve as the \ncentral cyber security authority for all computers and networks within \nthe DOE Headquarters site (see attachment). This action is the \nnecessary and important first step to begin to manage Headquarters as a \nsingle entity and to institute consistent site-wide approaches for \nsecuring our computers and networks. Specifically, the CIO Operations \nOrganization, which currently provides computer and networking support \nto a number of Headquarters organizations including the Office of the \nSecretary, the CIO, Security and Emergency Operations, \nManagement and Administration, the CFO and a number of other \noffices, will assume responsibility for all cyber security policies, \nprocesses, and procedures for the entire Headquarters site. 
These \npolicies, processes and procedures will be coordinated through a \nHeadquarters Cyber Security Working Group that my office will form. \nEach Headquarters office will be represented on this Working Group and \nwill be an integral part of this cyber security forum.\n    In addition, my office, as the central cyber security authority for \nthe Headquarters, will undertake the following efforts:\n\n<bullet> Develop, implement and enforce formal network connection \n        policies;\n<bullet> Develop, manage, enforce and operate an integrated security \n        configuration management process;\n<bullet> Develop, manage and implement a security self-assessment \n        process for Headquarters offices; and\n<bullet> Centrally manage the security of the Headquarters network \n        perimeter, including all firewalls, and be responsible for \n        performing intrusion detection, vulnerability scanning and \n        auditing on the Headquarters IT infrastructure.\n    I have made a commitment to the Secretary that we will implement \nfixes to the significant vulnerabilities identified in the Independent \nOversight review of the Headquarters within sixty days. Consistent with \nour practices when we find a site that has significant weaknesses, I \nhave asked the Office of Independent Oversight to reassess the \nHeadquarters in early fall to verify that we have resolved the serious \nweaknesses that were identified in the April review. The Secretary has \nrequested regular updates on progress to close the Headquarters \nvulnerabilities.\n                               conclusion\n    In summary, the cyber security program in the Department of Energy \nin June of 2000 bears little resemblance to the program in place just a \nyear ago. 
We have put updated cyber security policies in effect; our \nsecurity training has improved the effectiveness of our system \nadministrators and informed our management of upgraded cyber security \nthreats; each site has upgraded its security controls and has \nimprovement plans to be executed as resources are available; and a \nreview and follow-up process using the Secretary's Independent \nOversight function permits the Department to objectively assess our \nstatus. Although we have made great progress, there is room for \nimprovements. Clearly, the review of the Headquarters shows that we \nhave significant weaknesses that require immediate attention. Moreover, \nthe Department believes that the Headquarters must set the standard for \nthe rest of the Department on how it implements security of cyber \nsystems. The Secretary and I are fully committed to ensuring that the \nHeadquarters is a model for the rest of the Department.\n    Beyond fixing the clear weaknesses, the Department is moving to \nstrengthen security in a number of areas. Current focus areas for \nimprovement are eliminating the use of clear-text reusable passwords, \nimplementing consistent security architectures at each site, using \nautomated tools to review firewall and intrusion detection logs to \nidentify and then automatically block access from internet sites that \nare attacking DOE sites, and automated distribution of software patches \nto make the process of patching vulnerabilities more rapid and \nreliable.\n    We know that there is no silver bullet fix for cyber security. \nSuccess in this area will take continued and focused effort to deal \nwith the increasing complexity of the threats and the rapid evolution \nof technology. Success will also take resources. 
I note that as a part \nof the Department's FY 2000 Supplemental request, we asked for \nadditional funding to address our pressing security needs for our \nunclassified computers, but as General Habiger noted, we were only \nappropriated a small portion of what we requested. While many of the \nissues identified in the review of the Headquarters and other DOE sites \nare not the result of lack of funding, accelerating implementation of \nprotection mechanisms does take additional resources. We look forward \nto continuing to work with Congress to fund our important cyber \nsecurity programs and we commit to providing you continued visibility \non our progress.\n    Thank You.\n\n    Mr. Upton. Thank you.\n    I would just note that the House was in session and voting \nuntil nearly midnight last night. We also have a number of \nsubcommittees that are also meeting at this time, and by \nunanimous consent I will ask that all members of the \nsubcommittee will have an opportunity to enter their opening \nstatement into the record.\n    You will see a number of members coming in and out. We're \ngoing into session, I know, at 10. I don't expect votes for a \nwhile as we complete yet another long day today on the Labor, \nHHS appropriation bill.\n    General Habiger, I know that you're prepared for some of \nthe questions that we're going to have in light of the opening \nstatement by Mr. Bliley, Mr. Stupak and myself with regard to \nthe missing disks and the hard drives; and I happen to find it, \nas I read the morning papers this morning, fairly incredulous \nthat it appears as though these disks have been missing for a \nnumber of weeks. Only 86 individuals had access to these disks, \nin fact; and, of those 86, only I believe 26 were allowed to \nhave unescorted access to the disks.\n    A number of members of this subcommittee traveled to look \nat all the labs earlier this year. We visited extensively, I \nthought, Los Alamos. 
We had a number of meetings with your \nstaff and others before we came, terrific staff support as \nwell.\n    Could you describe the vault? And I don't know that we \nvisited this particular vault where these were taken.\n    At Los Alamos, the vault we did visit, we went through this \nlong drive through these almost mountain passes and went \nthrough security that was very well armed and photo ID. I mean, \nit was extensive to get in. In fact, I think it took us about \n20 minutes to actually get into the vault because of the \nsecurity. We probably spent more time going through the \nsecurity to get into the vault than we actually spent in the \nvault. And I don't know whether that was the vault--you know \nthe groundwork much better because you have been there, I'm \nsure, a number of times. Is that the vault, the one that \nactually goes into almost into the mountain where these two \ndisks were taken?\n    Mr. Habiger. No, sir. The vault in question is in the main \nbuilding, technical area three, they call it.\n    Mr. Upton. Is that where Wen Ho Lee's office is?\n    Mr. Habiger. Yes, sir.\n    There are three levels of protection before you get into \nthe vault itself. I'd rather not go into the details in open \nsession, but let me tell you that there are extensive security \nprocedures that are in place at each level of in-depth security \nthat would preclude anyone except those that are authorized to \nbe in that area to gain access to the vault. The vault itself \nserves about--is relatively small, about 10 feet wide and about \n20 foot long.\n    Mr. Upton. Now, as I understand it, these two disks----\n    Mr. Habiger. Two hard drives.\n    Mr. Upton. Two hard drives that are missing were, in fact, \nin a locked bag, is that right, inside the vault?\n    Mr. Habiger. Yes, sir.\n    Mr. Upton. And in fact, the bag itself was, in fact, \ncompartmentalized, with locked compartments within the bag; is \nthat right?\n    Mr. Habiger. Yes, sir.\n    Mr. 
Upton. The way that I understand it is, when it was \ndiscovered, the empty compartment was, in fact, locked; is that \nright?\n    Mr. Habiger. Yes, sir.\n    Let me just back up a little bit and explain the scenario.\n    The fire at Los Alamos began on, as I recall, Thursday, May \n4. On the evening of May 7, Sunday, late, nearly midnight, the \ndecision was made to go into the vault by two individuals who \nare authorized unescorted access into that vault to take the \nkit--the kit is a kit used by the Nuclear Emergency Search \nTeam, NEST, to rapidly deploy to situations that require some \nof our Nation's best minds to look at an improvised nuclear \ndevice or perhaps a stolen nuclear weapon. These individuals \npull on-call duty. We have members of our scientific community \nat both Los Alamos, Livermore and Pantex on duty, on call 24 \nhours a day, 365 days a year.\n    In order to ensure that that capability was still available \nto respond very rapidly, the decision was made to go into the \nvault late Sunday night as the fire began to burn out of \ncontrol. They went into the vault, they inventoried--and you \ncan inventory the hard drives by just feeling them. They're a \nlittle bigger than a deck of cards, about two-thirds as wide as \na deck of cards. They could not feel the hard drives in the \nlocked container.\n    There are three kits. They were in kit No. 2. They \nimmediately went into kit No. 3 to pull out two hard drives. \nOne's the primary. The second hard drive is the backup. 
They \ntook the two hard drives, the two containers out of kit three, \nput it in kit two and immediately evacuated the area and put \nthe kit two with the kit three hard drives in a more secure--by \nsecure I'm talking about safe, out of harm's way in relation to \nthe fire.\n    They immediately reported to other individuals on the NEST \nteam that they went into the vault, they couldn't find the hard \ndrives to kit two, and, as you recall, on Monday, May 8, the \nlab was shut down completely because of the life-threatening \naspects of the fire. The lab did not come back up until Monday, \nMay 22; and when the labs started back up again on Monday, May \n22, it was not all 10,000 people going back to work. It was a \ngradual buildup of activity. The first things that were looked \nat were the safety considerations.\n    I will also tell you that during this entire course of the \nfire, I was in contact--along with Deputy Secretary Glauthier, \nwe had people on duty 24 hours a day, and the security systems \nwere up and running the entire time. Now there were certain \nsituations where we had to pull guards out of certain areas and \nput them out of harm's way, but we still had a credible \nsecurity at all of the facilities there, to include this vault.\n    So the labs started up on Monday, May 22. On Wednesday, May \n24, a full-scale search was begun within the X division and \nanyplace that the NEST activity could have taken place. We were \ninformed on the evening of June 1 that those hard drives were \nmissing.\n    Ed Curran, the Director of Counter Intelligence, \nimmediately went to the FBI headquarters and informed them. \nDeputy Secretary Glauthier was in communication with Dr. Browne \nat the laboratory. On Monday, during a video teleconference \nwith Dr. Browne, it was determined that Dr. 
Browne indicated \nthat he had intensely searched the facility and could not find \nthe two missing hard drives.\n    At that point, Deputy Secretary Glauthier directed that I, \nwith Ed Curran, go to FBI headquarters, which we did. We met at \naround noon with senior officials at the Bureau. It was \ndetermined that we jointly do an investigation, DOE and the \nFBI. At 8:30 that night, Monday night, I was in Los Alamos. At \n7 o'clock the next morning, we had a sizable number of FBI \nagents, about 15, 10 DOE personnel; and we started at 7 o'clock \nTuesday morning; and we didn't finish up until nearly midnight \nthat night. Our first interviews began that first day.\n    I was recalled--I was actively engaged until this past \nSaturday. I was asked to come back to testify at this hearing. \nI came back Sunday, and I plan on going back tomorrow.\n    Mr. Upton. When you say that there was an intensive search \nfor these disks, was there an intensive search between May 8 \nand May 22?\n    Mr. Habiger. No, sir, because the lab was completely shut \ndown. And you had to be there--and I went there--I went there \non May 19, as I recall. I flew over the site; and I will tell \nyou, sir, that it was life threatening. There was absolutely no \nactivity except security and fire fighting that went on from \nthat period--essentially from May 7 through May 22.\n    Mr. Upton. But the individuals that had access to the \ndisks, 26 folks who had unescorted access, they weren't then at \nthe facility, right? They all left?\n    Mr. Habiger. Yes, sir. Yes, sir. And there's no indication \nwhatsoever--see, there's a log that is created based upon the \nentry procedures, again which I'd rather not go into here. A \ntelephone call has to be made. That call is recorded. Passwords \nhave to be given. It's an elaborate process.\n    Mr. Upton. Right. But was any effort taken with the 26 \npeople that had access to that until the May 22? 
I mean, what \nI'm saying is those people weren't there, those 26 people. They \nwent someplace where it was safe. You knew that the disks were \nmissing since May 8. The lab was closed from May 8 to May 22. \nThose individuals who had access and actually could have \nperhaps retrieved or taken those disks went someplace where it \nwas safe. Was any effort taken by the Los Alamos security folks \nto, in fact, interview any of those 26 people during the fire?\n    Mr. Habiger. No, sir. The total focus during that period \nwas the--saving the laboratory from destruction from the fire.\n    Mr. Upton. But we knew that disks were missing before the \nfire took place.\n    Mr. Habiger. Sir, there were a relatively small number of \nindividuals that knew that. You will have to talk to lab \npersonnel--and, again, we are trying to determine through a \nseries of interviews, the FBI and Department of Energy--at last \ncount over 90 interviews had been accomplished, interviews that \nlast anywhere from 30 minutes to 3 hours since Tuesday of last \nweek. Those interviews continue as we speak.\n    Mr. Upton. Are polygraphs being used on those interviews?\n    Mr. Habiger. They will be beginning tomorrow, yes, sir.\n    Mr. Upton. Mr. Stupak.\n    Mr. Stupak. Thank you, Mr. Chairman.\n    General, you speak of kit No. 2 as having the missing hard \ndrives. Is there a kit No. 1?\n    Mr. Habiger. Yes, sir.\n    Mr. Stupak. Is that all intact?\n    Mr. Habiger. Yes, sir.\n    Mr. Stupak. Okay. So the one we're talking about is kit No. \n2?\n    Mr. Habiger. Absolutely.\n    Mr. Stupak. Once you get into the area where the kits are \nstored, where this NEST kit is stored, aren't the keys to get \ninto these bags just hanging right there on the wall?\n    Mr. Habiger. Sir, there are two sets of keys. There's a set \nof keys on the wall, and there's a set of keys attached to the \nkit.\n    Mr. Stupak. 
So once you get to the kit area you can have \naccess to those kits either by taking the keys off the wall or \nones on the kit; is that right?\n    Mr. Habiger. Yes, sir.\n    Mr. Stupak. And the people who are in there, there are 26 \nwho had to be escorted and about 60 others who did not need to \nbe escorted?\n    Mr. Habiger. Fifty-seven. Sixty's close enough.\n    Mr. Stupak. So then when the kit--when it was discovered \nthat kit No. 2 was missing the hard drives and you had the \nfire, there was no attempt to ascertain from these possibly 56, \n57 people and the other 26 people what they did with it during \nthis time?\n    Mr. Habiger. Sir, the access to the vault is, as I \nmentioned, very tightly controlled. Anyone who goes into the \nvault during off-duty hours has to go through this elaborate \nprocedure to get into the vault where it's documented. There is \nalso a log in the vault for those people who are not allowed \nunescorted access, that they have to sign in. So those 57 \nindividuals, whenever they went in, they'd have to sign in on a \nlog. They couldn't go in by themselves. I went--when I went to \nthe vault, had to sign in on a log, and I was escorted.\n    Mr. Stupak. And hopefully everyone signed in, but we don't \nknow if everyone signed in.\n    Second, you mentioned off duty. What about regular business \nhours? Do people sign in all the time then?\n    Mr. Habiger. Let me back up, sir. Those kinds of questions \nare being asked now. I have seen the logs. I can't confirm----\n    Mr. Stupak. They may be asked now, but I guess the part \nthat still puzzles me, why weren't they asked between May 8 and \nMay 24 when the fire got under control? Why did it take almost \n2 weeks before anyone started asking the questions? These 56 \npeople or 26 people weren't out fighting the fire, were they? \nCertainly you had access to them. 
They could have asked these \nquestions.\n    I would think on May 8 when you're missing the kits, two \nhard drives from these computers, there'd be some concern and \nstart asking questions. While you have the fire, I'm sure \nyou're not out there fighting the fire. I'm sure someone would \nhave at least started some investigation instead of waiting \nuntil June 1 to notify the FBI that everyone's returned, we \nstill can't find these things. I guess that is the laissez-\nfaire attitude that I really have problems with.\n    Mr. Habiger. Well, sir, these kinds of questions that \nyou're asking are good questions. And as a result of the \ninvestigation, which, by the way, is a criminal investigation \nat this point, we will find the answers to these questions; and \nwe will take the appropriate action. The lab director will take \nthe appropriate action.\n    Mr. Stupak. In the Washington Post this morning you said, \nand if I can quote you, the disks and the hard drives missing \nat Los Alamos were probably misplaced or lost rather than \nstolen. How did you reach that conclusion?\n    Mr. Habiger. Sir, I'd rather not go into that in this \nsession.\n    Mr. Stupak. Well, you know, you talked to the Post about \nit. That is certainly in open session.\n    Mr. Habiger. Yes, sir. I will stand by that statement based \nupon----\n    Mr. Stupak. Was that the official line or do you have \nsomething to back it up? Is the official line that, well, it \nmust be misplaced or lost rather than stolen or do you really \nhave some proof, without getting into it, that they were, in \nfact, misplaced?\n    Mr. Habiger. It's my judgment, sir, based upon my exposure \nover the past week of working nearly 15, 16 hours a day and \nbeing an integral part of the process.\n    Mr. Stupak. Okay. Has anyone yet told you or anyone else \nthat the disks were set down or misplaced and just can't \nremember where they were? 
Do you have any idea who was the last \nperson who had access to this kit No. 2?\n    Mr. Habiger. Sir, there's no requirement to inventory the \ndisks. As a matter of fact, because of changes in security \npolicies across the entire government, there's very little \nrequirement to inventory classified material.\n    Mr. Stupak. So if I get in the vault, I take kit No. 2, I \ndon't have to sign out--don't have to sign it out or anything?\n    Mr. Habiger. No, sir.\n    Mr. Stupak. So my library book in Menominee is more secure \nthan these disks once I get access, get my hands on it?\n    Mr. Habiger. Sir, the individuals who have access to those \nkits are dedicated, loyal Americans.\n    Mr. Stupak. I don't dispute that, but you can't dispute we \nhave two of them missing.\n    Mr. Habiger. Yes, sir.\n    Mr. Stupak. You can't dispute that when they took them out \nthere's no procedure in place to identify even who took them \nout. Once you get to the magic ring, you take the magic ring \nand you leave, and there's no check-out of that.\n    Mr. Habiger. But you have to get to the magic ring.\n    Mr. Stupak. Right. It sounds like it wasn't too difficult, \nif you have about 80 or 90----\n    Mr. Habiger. There are 26 people who had access, \nuncontrolled access, unescorted access.\n    Mr. Stupak. Okay--26 unescorted access, and then another 56 \nor 57 who would have to be escorted. And I guess our concern \nis, if it's 26 who have unescorted and if they're missing the--\nMay 7 or May 8 and they come back May 24, because they were \ngood people, no one thought it was necessary to check with \nthose 26 what happened in the interim?\n    Mr. Habiger. No, sir. I think it was a focus on a \ncatastrophic event that was occurring, that many people's lives \nwere at risk.\n    Mr. Stupak. 
I don't disagree with that, but do you think it \nwas a mistake not to at least begin an investigation to try to \nfigure out where they were, if someone honestly misplaced them \nwe could get them back here, so you wouldn't be back here \nanswering my questions?\n    Mr. Habiger. Sir, that is one of my questions that we'll \nhave answered as a result of our investigation.\n    Mr. Stupak. General, last May, Secretary Richardson said \nthere was a, ``zero tolerance security policy.'' He said, ``no \nsecurity infractions are acceptable, and penalties would be \nstrengthened.'' These would include, ``verified unintentional \nor reckless breaches that create a significant risk of a \nnational security compromise or that displays a wilful \ndisregard for security procedures.'' That was May 11, 1999. Is \nthat policy still in place today?\n    Mr. Habiger. It certainly is, sir.\n    Mr. Stupak. Is what happened at Los Alamos with kit No. 2 a \nsecurity infraction or is it an oversight by a scientist? At a \nminimum, you would have to agree the information has left its \nproper secured location, has it not?\n    Mr. Habiger. Sir, I will tell you that when we find the \nanswer to the question as to who was responsible, I guarantee \nyou that that individual will be dealt with appropriately under \nthe Secretary's very aggressive policy of zero tolerance.\n    Mr. Stupak. You would agree with me at a minimum right now \nwe have information that has left its proper secured location, \nit left the vault, that hard drive, kit No. 2, correct?\n    Mr. Habiger. Yes, sir; and what we're trying to find out is \nhow that happened and where those hard drives are today.\n    Mr. Stupak. Now in the same area--that is the same place \nwhere Wen Ho Lee worked, and he's not been charged with \nespionage but security breaches involving weapons information, \nand he's been in solitary confinement in a Federal prison for \nmany months. 
It appears from the public statements being made \nby DOE officials that they're already trying to say that this \nsituation is somehow different, someone just lost the \ninformation. Is that how a zero tolerance policy is to be \nenforced?\n    Mr. Habiger. Congressman Stupak, we don't know. We've been \nat this for 7 days. I'd like to think that the aggressive \naction of both the Federal Bureau of Investigation and \nDepartment of Energy will get us some answers soon. Frankly, \nthe polygraphs, being the next step, will allow us to do that.\n    Mr. Stupak. Sure, I hope we do get to the bottom of it, but \nI guess it's a little bit like I've been hammering away for the \nlast couple of years. I've been on this subcommittee now for 6 \nyears. There seems to be this attitude or atmosphere at our \nlabs that things happen, you know. And we try to get some \nanswers, and we'll come back and report to Congress. But we \nreally don't see anything changing. When we say in May 1999 \nthere's zero tolerance and we come back to a situation like \nthis--and I don't know how you can say this is any different \nthan May 1999. It should be zero tolerance. Someone lost the \ninformation.\n    Mr. Habiger. Sir, and as soon as we find out who lost the \ninformation, who misplaced the information, you can--I can \nguarantee you that very swift, appropriate action will be \ntaken.\n    Mr. Stupak. Thank you for the extra time, Mr. Chairman.\n    Mr. Upton. You're welcome.\n    Mr. Bryant.\n    Mr. Bryant. Thank you, Mr. Chairman.\n    I apologize to the panel for being late, but we had, as the \nChairman said, other commitments. So I haven't had the benefit \nof hearing all your statements. I have looked through some of \nthe statements. I do, like my colleague from Michigan, both \ncolleagues from Michigan, the Chairman and Mr. 
Stupak, have \nconcern here.\n    It is much like when your house gets broken into, the \npolice officers come out and say, well, you know, we're going \nto find out what happened here, and we are going to work long \nand hard hours to get there, and if we catch them we're going \nto punish them severely. Given the nature of what's been \nmissing here, it's not a burglary of a home; and given the \nnature of the zero tolerance policy and given the nature of the \nhistory of who we're talking about here, it is very \ndisappointing to hear those same things: Well, we're going to \nfind out what happened, and we're working hard to do it right \nnow, 16 hours a day, and when we get them we're really going to \npunish them.\n    But I think maybe, General, one of things you said struck \nme, and it may be an example of this attitude that my friend, \nMr. Stupak, refers to. I think you start with the presumption, \nand that's the key word, the presumption that because we've got \ngood dedicated Americans there, there's an answer. Rather than \nthe presumption that there's been a criminal activity, or \nsomething very important is missing, and we better really get \ngoing here very quickly. I think that's the example, is the \ninvestigation, which anybody that knows, any basic \ninvestigatory techniques knows you don't wait 3 weeks to start \nan investigation after a crime such as this occurs. You get \nright on it. 
And I realize there were exigent circumstances \ninvolved here, but it just seems to me to have delayed the \nactual investigation questioning of all those people that had \naccess to this room should not have occurred.\n    I don't know that it was necessary at your level that this \noccurred, this decision was made, but at some level of security \nat Los Alamos, that that decision was made that, it's probably, \n``somebody's got it home or using it at home or something like \nthat,'' and that may not have been proper, but the presumption, \nor the assumption, was there's a good reason out there. \nSomebody's got it, rather than it could have been taken--it \ncould have been stolen. Somebody could have taken it out, had \naccess.\n    Again, I think it's the mindset that because these people \nare good, dedicated Americans who work hard out there, that \nsomebody could not commit a criminal act. Therefore some 2 to 3 \nweeks we had a delay in the investigation which, if somebody \nhas wrongfully taken it out, it could be no telling where now. \nWe might get that person eventually, and punish them, but this \ncountry has lost something very important. Let me go back if I \ncould, Mr. Podonsky, to questions.\n    In your report, you recommend that the department consider \nmandating a standdown at all external Web service until \nsignificant vulnerabilities are identified or clarified during \nthe inspection that occurred during your inspection and a \ncorrection is made to these. Why did you recommend this \nstanddown, and has that been done by the Department of Energy?\n    Mr. Podonsky. First of all, we put that recommendation in \nwhat we call our opportunities for improvement as the feedback \nloop to provide the office that we're inspecting, or the Office \nof Responsibility, to consider that which would be John \nGilligan's office. In Mr. Gilligan's corrective actions plan, \nit does not appear that they are planning to do a standdown. 
\nThey have other solutions that they have in mind to address the \nissue that we have identified. We recommended the standdown, \ngetting to the first point of your question, because we felt \nthat until they can do their risk assessment, we would not know \nwhat vulnerabilities existed.\n    Mr. Bryant. But you have made recommendations in the \nreport, I'm looking here at a question that says--this is kind \nof skipping on down--six further cyber security enhancements \nwere announced in May 1999 by the Secretary, that they were \ntransferred informally to the management and may have resulted \nin confusion and lack of implementation. What does that mean to \nyou? What do you know about that?\n    Mr. Podonsky. Well, the six further enhancements, there was \na nine-point plan, the TriLab nine-point plan from the results \nof last spring. In addition to the nine-point plan, there were \nsix enhancements that the Secretary put out. Those enhancements \nwere not put out as a policy. They were put out in memorandum \nform. We took that from an inspection standpoint to mean that \nthey should be followed and should be further memorialized into \npolicy. Mr. Gilligan's office, during last summer, was looking \ninto that and memorializing those things. We felt that the same \nthing we were doing in looking at it out at the sites and field \nshould be applicable at the headquarters as well.\n    Mr. Bryant. There was an issue also about Web pages, some \nof the Web pages being inside the security wall and some being \noutside. Are you familiar with that issue?\n    Mr. Podonsky. Yes. I am. Let me ask my office director for \ncyber security to address that.\n    Mr. Peterson. That also really relates to your first \nquestion on the standdown--that relates to your first question \non the standdown. The recommendation was to standdown the \nheadquarter's Web servers located out of what's referred to as \nthe DMZ or the screen subnet. 
Those we found to have \nsignificant vulnerabilities that could either result in a Web \ndefacement or somebody taking over those systems and using them \nto illicitly attack another Internet entity, and our \nrecommendation was then to do a standdown. We thought it would \ntake a day or two to fix those and then put them back on line \nsecurely.\n    Mr. Bryant. What is the date of your report that recommends \nthe standdown? When did you recommend that?\n    Mr. Peterson. Our initial draft report went out the last \nweek in April.\n    Mr. Bryant. Let me go over to Mr. Gilligan. Could you \nrespond to some of these issues, especially some of the \nrecommendations, the implementation of the policy from DOE on \nthose six additional points? Could you just respond in general \nto those?\n    Mr. Gilligan. Yes, sir, I would be happy to do that. First \nlet me address the Web pages. As the report accurately points \nout, we have a subset of the Web pages that are supported by \nheadquarters organizations that are in the highly protected \nenclave we call a screen subnetwork. They've been there for the \npast year. Those are viewed as being very secure.\n    There is another set of Web pages that are supported by \nindividual organizations. They are managed by those individual \norganizations and some of them were found to have significant \nweaknesses. The recommendation of the independent oversight \norganization was that a rapid remedy was to standdown, that is, \ntake the Web pages off the Internet and to fix them, that is, \nfix them individually. The recommendation that I provided to \nthe Deputy Secretary and the Secretary was not to continue to \nmanage these as separate entities, but to move all of the Web \npages within the headquarters into this protected area, the \nscreen subnetwork that was found by the independent oversight \npenetration team to be extremely well protected.\n    Mr. Bryant. Has that been done?\n    Mr. Gilligan. 
That is in the process of being done at \npresent that consists of moving the software, moving, in some \ncases, the physical computers into the screen subnetwork in \norder to ensure they are adequately protected. My judgment was \nthat the standdown was not an immediate action. It was \nwarranted because the vulnerability that exists within the \nheadquarters as a result of these Web pages is relatively \nminor. The threat to the headquarters is that these Web pages \ncould be defaced, which is an embarrassment. There is no loss \nof operational ability as a result of a Web page not operating.\n    The other potential vulnerability is that a Web page, or \nany computer, could be used as a platform for attacking other \nsites, and in this case, attacking sites outside the Department \nof Energy, because the Department of Energy's computers are \nwell protected from our Web sites, that is, there is no trust \nrelationship. So we made the decision to rapidly move these Web \npages into the screen subnetwork in order to provide the \nsecurity that I felt was a better solution.\n    Addressing the second issue which you raised, which was the \nsix further enhancements. The six further enhancements were \npublished by the Secretary with something I contributed to last \nsummer. We have, in fact, embodied those six further \nenhancements in our policies. The recommendation of the \nIndependent Oversight Group was that perhaps additional policy \nis needed in order to ensure that all sites clearly understand \nwhat is to be implemented in these six further enhancements.\n    Six further enhancements discuss things like providing \nconfiguration control of all computers, providing scanning of \nthe networks, reviewing audit logs and conducting regular \naudits. All of those requirements are, in fact, codified in our \npolicies. 
It is the view of my office that rather than change \nand add to the policies, what we need is guidelines, that is, \nhow to implement the policies on these six further \nenhancements, again, that are covered in our policies so that \nthere is no ambiguity and we are moving forward to implement \nthat.\n    Mr. Bryant. Mr. Chairman, my time is finished. Before I \nconclude my statement, I would like to ask unanimous consent to \nadd a White House release with regards to the memorandum from \nthe heads of executive departments and agencies and the subject \nis action by Federal agencies to safeguard against Internet \nattacks. It's dated March 3, 2000.\n    Mr. Upton. Without objection.\n    [The memo appears on pg. 46.]\n    Mr. Upton. The Chair would note that we have two votes on \nthe floor, and I will ask Ms. DeGette whether she would prefer \nnow using 5 minutes or come back after the two votes.\n    Ms. DeGette. Mr. Chairman, I might as well ask my questions \nnow. We still have over 10 minutes. Thank you. Thank you, Mr. \nChairman.\n    General, I would like to follow up on some questions Mr. \nStupak was asking you. I guess we're all glad that you're \ninvestigating the situation, but given the fact that you \ndiscovered the disks missing on May 7, and no one was really \ntold until May 22, and now there's an investigation, I guess \nI'm wondering what is your timeframe at this point for \ncompleting the work you're doing?\n    Mr. Habiger. Let me back up, if I may, and tell you--and \nthis relates to Congressman Bryant's question about the \ntimelines between the evening May 7 when the hard drives were \ndiscovered missing, and the evening of June 1 when I was \nnotified--or we were notified at DOE headquarters. That is not \na good scenario. Someone should have informed us much earlier \non in the process.\n    Ms. DeGette. I agree, like maybe May 7 or early on May 8, \nbut that's not my question.\n    Mr. Habiger. 
I want you to know here you had a situation \nwhere you had the lab on the verge of burning down.\n    Ms. DeGette. Sir, I understand. I understand what your \nexplanation is for why there was no notification, but my \nquestion is, what is your timeframe now for completing the work \nthat you are doing to figure out what happened and how to avoid \nit in the future?\n    Mr. Habiger. At this point, the FBI is now in the lead for \nthe investigation.\n    Ms. DeGette. We're glad about that, too, but what is their \ntimeframe?\n    Mr. Habiger. Ma'am, I was called back to take part in this \nhearing. They begin polygraph examinations beginning tomorrow. \nThey are moving very, very aggressively. I cannot give you an \nend date.\n    Ms. DeGette. Mr. Chairman, I would just make a request that \nthis committee would consider another oversight hearing in 30 \ndays just to examine the progress. This is such a serious \nnational issue, I think that we should keep monitoring.\n    Mr. Upton. You're right.\n    Ms. DeGette. Thank you, Mr. Chairman.\n    Let me ask you a few more questions. I understand the fire \nwas there when these drives were discovered missing. Where were \nthe kit 2 and the kit 3 hard drives stored during the fire? \nWhere were those stored?\n    Mr. Habiger. They were stored in another technical area in \na very secure vault.\n    Ms. DeGette. At the Los Alamos site?\n    Mr. Habiger. Yes.\n    Ms. DeGette. And out of risk of fire?\n    Mr. Habiger. Yes, ma'am.\n    Ms. DeGette. You had said that it was chaotic because of \nthe fire, and that's why your office wasn't informed. Was the \nlab director informed at that time?\n    Mr. Habiger. No, ma'am. I cannot--I've got some information \nthird-hand, but I don't think Dr. Browne was informed until \ntoward the end of the period, the very end of the period.\n    Ms. DeGette. Until close to May 22 or June 1?\n    Mr. Habiger. After that just a few days before June 1.\n    Ms. DeGette. 
Do you have any sense why that happened?\n    Mr. Habiger. No, ma'am. I would defer to Dr. Browne.\n    Ms. DeGette. Was Mr. Curran--DOE's counterintelligence \nspecialist informed?\n    Mr. Habiger. No, ma'am.\n    Ms. DeGette. Who, if anyone, was informed?\n    Mr. Habiger. On the evening of June 1 is when we first \ndiscovered that there was a problem.\n    Ms. DeGette. To your knowledge, between May 7 and June 1, \nno one higher up was informed?\n    Mr. Habiger. That's absolutely correct.\n    Ms. DeGette. Is what you were investigating why that \nhappened?\n    Mr. Habiger. The primary concern is to get this classified \ndata back.\n    Ms. DeGette. I would agree, but in my experience, when \nyou've got classified data in the form of disks and it's gone \nfrom May 7 until June 1, it's going to make the job of getting \nthat data back much more difficult. Would you not agree?\n    Mr. Habiger. I couldn't agree more.\n    Ms. DeGette. So therefore, it would seem to me that a \nsecond, and almost equally high priority would be trying to \ndetermine why the gap, the almost month--the 3-week gap, \noccurred because in the future, if you have gaps like this, it \nwould make it virtually impossible to get data back, correct?\n    Mr. Habiger. I would put the priorities getting the \ninformation back, finding out who was responsible for that \ndata, or those hard drives being put in a place where they \nshouldn't have been. And then the third priority is your area \nthat you're getting into now.\n    Ms. DeGette. General, there is a clear protocol in place \nthat required contractors like the University of California and \nprogram offices to inform your office immediately when this \ntype of classified information is missing, correct?\n    Mr. Habiger. Within 8 hours.\n    Ms. DeGette. Within 8 hours. And have you ever been \ninformed of these kinds of breaches in the past?\n    Mr. Habiger. Yes.\n    Ms. DeGette. Was it done within 8 hours?\n    Mr. Habiger. 
Yes.\n    Ms. DeGette. Do you think this is just a one-shot situation \nor do you think there is a bigger problem?\n    Mr. Habiger. At this point I don't know because the focus, \nas I said, has been where are the hard drives, who is \nresponsible. The process will take its turn and we'll take the \nappropriate action. The lab director will take the appropriate \naction.\n    Ms. DeGette. Mr. Podonsky, do you have any views on that \nissue?\n    Mr. Podonsky. We have not been involved in this \ninvestigation, so to answer the question, we have no--we don't \nhave any more information than what you've heard this morning.\n    Ms. DeGette. Now, we've heard that Mr. Curran has told the \npress that there's no evidence that this is espionage, and \nsomeone else said the disks are just lost. Do we have any \nevidence that this is not espionage or theft for money?\n    Mr. Habiger. Ma'am, before you came in, I covered that in a \nvery generic sense, and this is not the forum to get into it, \nbut looking at what we know at this point, it does not appear, \nas Mr. Curran pointed out, to be espionage.\n    Ms. DeGette. I assume you would want to treat this as a \npotential case of espionage.\n    Mr. Habiger. That's correct. I'm not speaking for the \nFederal Bureau of Investigation, but that's how the case would \nbe characterized by them.\n    Ms. DeGette. Thank you. Thank you, Mr. Chairman.\n    Mr. Upton. The Chair would note there are at least two \nvotes on the House floor. We'll recess until 10:50.\n    [Brief recess.]\n    Mr. Upton. We do not expect votes for an hour or 2, so \nwe'll be done by then, I hope.\n    Mr. Burr is recognized for questions.\n    Mr. Burr. Thank you, Mr. Chairman. General, welcome again.\n    Mr. Habiger. Good to see you again, sir.\n    Mr. Burr. Glenn, we always welcome you back. I'm hopeful \nthere's a point where maybe we're not sending you out to do \nevaluations, that, in fact, we're confident on the process that \nwe've got. 
Clearly with the news cycle in the last 24 hours, \nthere are some questions that I've got to ask about that \nprobably would be better directed at the General. And I'll try \nto get refocused back on the DOE headquarters issue.\n    General, it's been stated that there was a date that they \nknew that these drives still existed in a secure vault. Was \nthat April 7?\n    Mr. Habiger. On April 7, sir, there was an inventory by \nmembers of the team, the NEST team, in which the individual who \nconducted the inventory has indicated that he saw the disk. \nAnother inventory was conducted on April 27, and the individual \nat that time, a different individual, didn't actually see the \ndisks. His statement was along the lines, if the disks were not \nthere, it would have created a very aggressive reaction. So he \nremembers doing the inventory, but he doesn't remember actually \nseeing the disks.\n    Mr. Burr. Without getting into specifics about what were on \nthese disks, we know they were related to NEST scenarios. Is \nthere any reason to believe that an individual at the facility \nwould have needed access to that particular disk for purposes \nof something they were working on?\n    Mr. Habiger. From the information I've been exposed to in a \nrelatively short period of time, those disks were taken out \nfrom time to time to be updated with more current information, \nand they were taken out by certified people for training \npurposes.\n    Mr. Burr. When I was at Los Alamos, we didn't visit that \nparticular vault. We did do several vaults. We also did a \nreference room or library room and the security was extremely \ntight, even for us to enter. And we walked through their \nscenario of if an individual--if a scientist at the facility \nwanted to take out that information, what's the process they \nwould go through? There was one person in that room whose \nresponsibility it was to account for everything. 
Things checked \nout, to make sure they were checked back in. I'm sure there was \nadditional security to make sure it didn't go offsite. My \nquestion would be, what was the process in this particular \nvault when an individual took something out and then replaced \nit. Is there a record that we can go back to?\n    Mr. Habiger. No, sir, there's not.\n    Mr. Burr. Can you explain to me why for the reference room, \nthe library room that was frequently used, that we would have a \nprocess that followed the movement of these papers, but why \nthere wouldn't be a process that followed the movement of hard \ndrives?\n    Mr. Habiger. My observation goes along these lines. The \nvault you're talking about, you're talking about virtually \nthousands of people who have access, and the vault I'm talking \nabout, the people who had unescorted access to these kits was \nless than 30.\n    Mr. Burr. Does it not--in hindsight, I'm not asking you to \nput yourself before it--in hindsight, does it seem like a \nreasonable recommendation that we track who removes that type \nof sensitive information and when, and potentially when they \nreturn it?\n    Mr. Habiger. Yes, sir. This is one of the many things that \nwe are looking at to change as a result of this particular \nincident.\n    Mr. Burr. Is it the responsibility of DOE officials at Los \nAlamos or the University of California officials?\n    Mr. Habiger. University of California.\n    Mr. Burr. To account for all the items?\n    Mr. Habiger. Yes, sir.\n    Mr. Burr. Let's go back to this period of delay, and we all \nfollowed the fire. Should we be worried that there was a \nsecurity breakdown during this fire episode at Los Alamos?\n    Mr. Habiger. I talked on a regular basis to the director of \nsecurity at Los Alamos during the fire. All security systems \nwere up. Some compensatory measures had to be taken in a couple \nof areas which I was fully in agreement with.\n    Mr. Burr. 
If I understand it, correct me if I'm wrong, this \nvault facility is in the main building?\n    Mr. Habiger. Yes, sir.\n    Mr. Burr. I guess close to where that library reference \nroom was?\n    Mr. Habiger. Yes, sir.\n    Mr. Burr. Just simply because of the work space, and that \nwas not a building that was left unsecured at any time.\n    Mr. Habiger. At any time, no, sir.\n    Mr. Burr. Was it ever a building that was evacuated of the \npeople? I remember it being so far away from the forest.\n    Mr. Habiger. During the fire, there was no one in that \nbuilding, but the security systems were all up and running. \nInside that vault, Congressman Burr, were sensors, motion \nsensors, infrared sensors that had to be turned off before \nanyone had access to the vault.\n    Mr. Burr. Clearly, there was no indication of a security \nbreach that happened?\n    Mr. Habiger. No, sir.\n    Mr. Burr. Let's go to this delay in notification. What is \nthe explanation that the University of California supplied DOE \non why they waited so long to tell DOE officials?\n    Mr. Habiger. We have not gone down that path. As I \nindicated, I think, just before you came in, I was not pleased \nwith the length of time that it took before I was notified, \nbefore my office was notified, which was on the evening of June \n1. During my almost week's stay at Los Alamos, we were focused \non three major considerations, the first being where are the \ndisks, and who is accountable for the disks not being where \nthey are supposed to? As we go down the path and we have a very \nstructured inquiry process, part of that process is to come up \nwith explanations for the kinds of things that you are \nidentifying now.\n    Mr. Burr. I don't want to seem too simplistic, but I put \nmyself in charge of the Los Alamos lab. 
I envision being in a \nsituation where there's a month's delay before I notify the \nDepartment of Energy that high level security hard drives are \nmissing, and I envision the first question that I'm asked, why \ndid it take you so long to inform us? I would take for granted \nthat question was asked. If there wasn't an answer, that's \nfine, but clearly I think that--we have reason to be concerned \nbecause the last time we saw a delay like this was whether we \nsold a computer to an exporter of Chinese relationship and, you \nknow, when we got through the whole process, we learned that \nthe delay in notification, especially of us, was in hopes that \nthey would retrieve it before anybody found out about it.\n    Is this one of those situations where there was a hope by \nofficials that the University of California and at Los Alamos \nthat they would find the disk and not have to report it?\n    Mr. Habiger. I don't want to put words into Dr. Browne's \nmouth, but my observation is that scenario that you're just \ndescribing.\n    Mr. Burr. Let me--I thank you for that. I do. I don't think \nit's any member's intent that we are going to solve this case \ntoday, but we appreciate your willingness to let us explore \nsome of the questions.\n    Mr. Chairman, do I have time to go into some of the \nheadquarters' questions?\n    Mr. Upton. Can we go another round and you can do that?\n    Mr. Burr. I would be happy to do that.\n    Mr. Upton. Mrs. Wilson.\n    Mrs. Wilson. Thank you, Mr. Chairman. Again, I appreciate \nyour willingness to let me ask some questions here today.\n    As I said in my opening statement, I don't intend to go \ninto some of the details of the most recent incident in Los \nAlamos, because the questions that I want to ask are very \nspecific, and I don't think that the answers would be \nappropriate in an open forum. 
But I think we have summarized \npretty clearly what the questions are from this committee's \npoint of view and from my point of view. What happened to those \nhard drives? Is there a compromise to America's national \nsecurity? Who is accountable for it? And how are we going to \nmake the systemic changes needed to make sure it doesn't happen \nagain? And did the notification procedure work?\n    As I understand it, John Browne, the director of the lab, \ndidn't even know they had a problem until May 31, which is the \nday before he informed you which means there's a problem lower \ndown within the lab on processes of notification. I understand \ncompletely that an investigation could not have been done fully \nuntil after the fires were under control, and I think all of us \nin this room understand that, that you can't do the arson \ninvestigation until the fire is out. At the same time that \ndoesn't preclude prompt notification that we may have a \nproblem, and I think those are all legitimate questions we're \ngoing to be seeking answers to.\n    I'd like to focus on a couple of other things from your \ntestimony in the time that I have available. First, this \nquestion of funding for cyber security at the Department of \nEnergy. I note from the testimony, particularly General \nHabiger, yours, concerning the need for supplemental funds. I \nwent back and checked my records, because this was an important \nissue for me. According to my records for fiscal year 2000, the \nsupplemental requested by the administration--now, you may have \nasked for more money from the Office of Management and Budget, \nbut it may not have gotten approved--because the administration \nrequested $4 million for cyber security from the Congress. 
I \nthought that was way too low, and so several of us from this \nCongress met quietly with folks who know a little about cyber \nsecurity and the problems at the nuclear weapons labs, and they \nconfirmed that that was way too low.\n    I made a request of the Appropriations Committee in the \nCongress for $90 million in supplemental funds for cyber \nsecurity for the Department of Energy, and the House approved \n$45 million for cyber security. That's currently sitting over \nin the Senate, and pieces of it may be pulled out and added on \nto one of the bills that we're about to work on in the next \ncouple of weeks here.\n    I guess what I want to know is, what are you talking about \nwith $35 million? Is that what you asked OMB for and are you \nnow going to continue to support the administration's $4 \nmillion request? Are you going to support what the House put \ninto the bill, which is $45 for cyber security immediately?\n    Mr. Habiger. We're talking about fiscal year 2000 amend-\nment----\n    Mrs. Wilson. Current fiscal year, yes.\n    Mr. Habiger. We submitted a request for $65 million for \nsecurity in the Department of Energy in that supplemental, $65 \nmillion. We received $10 million of that $65 million. Thirty-\nfive million of that was for cyber security. The $10 million \nthat we got was not directed toward cyber security. I \npersonally directed that $7 million of that $10 million be \ndedicated to cyber security. That is what, as I understand it, \nCongresswoman Wilson, came over on July 13 of last year.\n    Mrs. Wilson. July 13, 1999?\n    Mr. Habiger. Yes, ma'am.\n    Mrs. Wilson. You're talking about 1999 money, not 2000 \nmoney?\n    Mr. Habiger. Supplemental 19--an amendment for fiscal year \n2000 that was submitted on July 13.\n    Mrs. Wilson. 
Gentlemen, without meaning any disrespect, I \nthink you may want to go back and talk to your budgeters about \nwhich years we are talking about, and which supplementals we \nare talking about, because there was a supplemental request for \ncyber security for the current fiscal year, we are in fiscal \nyear 2000, and it was for $4 million from the administration. \nThat was the request. We upped it to 10 times as large.\n    Mr. Habiger. It was--the fiscal year 2000 we submitted on \nthe July 13, 1999, an amendment.\n    Mrs. Wilson. You are talking about when the budget was \ninitially passed for the current year. I am now talking about \nthe supplemental that is pending in this House currently. The \nadministration only asked us--after all of the Cox report, \nafter all of you went out to look at the labs, after we got all \nof the reports in that said we were way under our estimate of \nwhat we're going to need for cyber security--and the \nadministration's request for a supplemental for what we need \nright now, today, to get moving and get this thing fixed was $4 \nmillion. My sense was that was way too low, so we upped it to \n10 times that amount, and we're going to vote on it here. What \ndo you want me to vote on? You want me to back off on this and \ngo with the administration at a $4 million supplemental request \nor do you want me to keep fighting?\n    Mr. Habiger. I would like you to keep fighting.\n    Mrs. Wilson. Thank you, sir.\n    With respect to this diagram that we see over here, it has \na number of firewalls around the top of it and yet it's got a \nnumber of connections at the bottom of it which seem to go to \nother areas within the Department of Energy and contractor \nfacilities and so forth where they don't appear to be \nfirewalls. Could you talk to me about the vulnerability of the \nDOE unclassified systems through those other areas?\n    Mr. Peterson. 
For the classified systems or for the--I'm \nsorry, the contractor facilities, what we're specifically \ntalking about there are local contractor support in the \nWashington, DC area so a program office would establish a \nconnection with a local supporting contractor. That's not to \nimply that those go out to the national laboratories or other \nsites.\n    The other connection that's shown up there for the DOE \nbusiness net is to 38 different DOE field sites throughout the \ncountry. Now, some of those field sites are collocated behind \nfirewalls with other sites. For example, at Oak Ridge, you'd \nhave collocated there Y 12 and Oak Ridge National Lab, but for \nthe Albuquerque field office, there's no connection to Sandia \nor Los Alamos. So it's going to vary, but specifically, talking \nabout the connections to the DOE Federal facilities. We have a \nconcern because you're exactly right, there's not a firewall at \nthe headquarters junction where you have these connections, and \nthen they become logically part of your headquarters' internal \nnetwork. There's no firewalls or security features to prevent \naccess from those remote sites. These--each one of these \nfacilities may have their own firewall. They may have modem \nconnections which then provide pathways into the internal \nheadquarters network, and our concern has been that that risk \nhas not been adequately addressed and considered.\n    Mrs. Wilson. I ask unanimous consent to ask this one final \nquestion. Does that mean that someone can get access to the \ncontractor facility, and then from there get into the DOE \nunclassified system?\n    Mr. Peterson. That would be a concern, yes.\n    Mrs. Wilson. Thank you, Mr. Chairman. 
I would like to enter \ninto the record the report of dissenting additional views of \nthe Emergency Supplemental Appropriations Act for the year \nending September 30, 2000, where it states very clearly that \nwith respect to cyber security, the committee recommendation \nfor cyber security activity is $49 million, an increase of $45 \nmillion over the administration's request of $4 million.\n    Mr. Upton. Without objection.\n    Mr. Green?\n    Mr. Green. Thank you, Mr. Chairman. I ask unanimous consent \nto place my statement into the record.\n    Mr. Upton. Without objection.\n    Mr. Green. General, you seem to want to tell us that the \nproblems at the headquarters are not the fault of poor \nmanagement and lack of attention but of dollars. That's what \nwe're hearing in response to this morning's article where the \nSecretary said the committee only approved a small amount of \nfunding for last year. But Mr. Podonsky said these are not high \nticket items, and now you say we can fix these problems within \n60 days. That doesn't sound like a money problem to me. And is \nit a money problem or are we talking about something different \nwhen you say it can be fixed within 60 days?\n    Mr. Habiger. We're talking about two different things, \nCongressman Green. Had we received adequate funding at the \nbeginning of the fiscal year, we'd have been able to move out \nquickly in terms of training systems administrators, going out \nand perhaps finding these problems before Podonsky found them, \nand I would readily admit that the basic problems involve the \norganizational issues that Mr. Gilligan talked about, but \nagain, it goes back to a money issue. If we had received \nadequate funding, I don't--in my judgment, our performance \nwould have been better.\n    Mr. Green. Mr. Podonsky, were these problems caused by lack \nof money or lack of oversight or management skill?\n    Mr. Podonsky. 
First of all, Congressman, I would like to
say that in the 16 years I'm reminded I've been in the
department, and have lived through six secretaries, nobody
other than Secretary Richardson has applied as much attention
in management skill to the security issues as the Secretary.
However, having said that, I would also say that my staff
concluded that a vast majority of the issues at the
headquarters unclassified cyber security were management-related,
not financially related. There are some financial
aspects to it, but clearly, the fragmentation that exists among
the various pods in the headquarters need to be fixed and
fragmentation doesn't take money.
    Mr. Green. You don't have to--a lot of us served with
Secretary Richardson and consider him a good friend, and he's
diligent and I understand that. Sometimes we wonder, even in
Congress, if it's a mistake when we do something successfully.
    Let me ask everyone on the panel, it's my understanding
that DOE is considering opening the bidding for the contract to
run Los Alamos National Laboratory, which is currently held by
the University of California, in fact, I understand for the
last 50 years. Given the problems that this lab has had along
with the new revelations that is in today's news media, would
you recommend that this contract be open for bidding?
    Mr. Habiger. Congressman Green, let me tell you right up
front, I have not been involved in the contract of the
laboratory. At this particular point in time, I have no
recommendation one way or another.
    Mr. Green. Anybody else? Since we seem to have problems at
Los Alamos and even Livermore, that if someone has had a
certain contract for those years, is it something we can look
at the contractor? Is it DOE?
    Mr. Podonsky.
I think, Congressman, it gets back to the
basic accountability in that people, whether they be
contractors or Feds, need to be held accountable for their
responsibilities that they are assigned.
    Mr. Habiger. The Secretary has made that very clear on a
number of occasions.
    Mr. Green. One last question, again, raised from the
article this morning. I was told that the unit that was lost or
misplaced, that the unit was not the one involved in the test
at Lawrence Livermore in early May. The article said that it
was. Can you state for certain, or is it possible that we may
be looking in the wrong lab for it? Maybe it's still in
California. Again, since it was discovered missing on May 7 and
reported on June 1, is that a possibility?
    Mr. Habiger. Sir, we dispatched two Department of Energy
investigators who hooked up with two FBI agents at Lawrence
Livermore, and every conceivable place was searched and
interviews were conducted. This occurred on Tuesday of last
week.
    Mr. Green. Again, Mr. Chairman, whatever time I have left,
I share the concern of all the members of the committee, and
because of the nature of what would happen, or what could
happen with--we're concerned about rogue nations and things
like that, that if a terrorist had the ability to utilize this
information on how we would respond to a terrorist attack with
a nuclear device. So I would just encourage the Department of
Energy and our contractor to do everything they can to make
sure that they find it, but also that this doesn't happen
again. Thank you.
    Mr. Upton. Thank you, Mr. Green.
    Mr. Bilbray.
    Mr. Bilbray. Mr. Chairman, I appreciate your having this
hearing. General, I'm not going to ask any questions except for
the fact that as a father of five, I sure hope my kids aren't
watching and reading about this incident.
I only say it because
I don't know how many times a parent will say where is the last
time you saw it, who was responsible for it, you know, the
whole concept we have of personal accountability, and this just
really makes it tough for those of us who are trying to teach
our children to be personally responsible for their little part
of the world that they've got control over.
    And this situation just really is inexplicable to a young
person, let alone a child, about, well, Daddy, what did the
Federal Government do with this? Why is this--why don't they
know where their important stuff is? Didn't they clean their
room and keep it tidy so they know where they hid it? And I'm
just here to listen because I'd like to find more answers so
that, God forbid, if they ask me when I get home on Friday what
happened, where is it, are they going--who is going to be held
accountable, I want to at least have some answers for them,
because this thing I think is a whole credibility issue that
goes farther than just one department in this government. It
really, really hurts our credibility as the servants of the
American public and as the guardians of world freedom. I yield
back, Mr. Chairman.
    Mr. Upton. Thank you, Mr. Bilbray.
    I have a couple more questions. We'll start a second round.
    General Habiger, it's my understanding that they knew the
disks were there in April. When was the last time that all the
disks were known to be accounted for?
    Mr. Habiger. In kit number 2, the last fully confirmed
audit was on April 7. We have an unconfirmed audit or inventory
by an individual, as I indicated before, said that if they
weren't there, he doesn't remember seeing them, but he said if
they weren't there, it would have rung alarm bells.
    Mr. Upton. So really not until May 8 did you realize----
    Mr. Habiger. May 7, sir.
    Mr. Upton. May 7 that they were there.
    Mr. Burr.
Would the chairman yield for one clarification.
    Mr. Upton. Yes.
    Mr. Burr. General, was that the only thing in that vault or
are there other sensitive documents or disks or hard drives?
    Mr. Habiger. There were three kits in that room, sir.
    Mr. Burr. When you say they were a kit, kit No. 1 was
accounted for on April 7.
    Mr. Habiger. Kit number 2.
    Mr. Burr. Does that tell us that kit number 1 and kit
number 3 were not accounted for on April 7?
    Mr. Habiger. That is true.
    Mr. Burr. I thank the chairman.
    Mr. Upton. And there was more than just the kits. Could you
describe this vault again. Those of us that went out, we were
in the library there. The library is sort of the secure room
that was there. We did not--I don't believe we saw where this
vault was in the building, but is it similar to the other
vaults that we saw?
    Mr. Habiger. Sir, it's much smaller. It's about ten foot
wide, about 20 feet long there. There were two long tables, a
number of shelves, a small two-drawer safe. There were some
documents. There were other hard drives.
    Mr. Upton. Is there security outside of the room then as
well?
    Mr. Habiger. Yes, sir. Sir, this is a vault. I mean, this
is something that, again, in open session without--I'd rather
not go into the details, but this is something you and I would
take several weeks trying to break into. I'm talking about
dynamite and explosives and that sort of thing.
    Mr. Upton. Of the--is it 28 or 26 individuals that have
access to it without being escorted?
    Mr. Habiger. I believe the number is 26, sir.
    Mr. Upton. Of those 26, are all of them U.S. citizens?
    Mr. Habiger. Oh, yes, sir.
    Mr. Upton. No foreign nationals?
    Mr. Habiger. Oh, no, sir, no, sir.
    Mr. Upton. I just want to make sure.
    Mr. Burr. Mr. Chairman, would you yield? Twenty-six
individuals have access to the kits?
    Mr. Habiger. Unescorted access.
    Mr.
Burr. Are there any other individuals who have
unescorted access to the vault?
    Mr. Habiger. 57.
    Mr. Burr. 57 to the vault?
    Mr. Habiger. Yes, sir.
    Mr. Upton. They have to be escorted, though.
    Mr. Habiger. Escorted. 57 escorted.
    Mr. Burr. My question is, is there a difference in those
that have access to the kits and access to the vault? Is it the
same list or is it one and the same?
    Mr. Habiger. The people who have unescorted access can open
up the vault. The 57 who have escorted access have to have
someone who has unescorted access, open the vault and let them
in to do what they have to do. This is a good point and I
should have clarified it earlier. The vault was a dual-purpose
vault. On one side of the vault you had the NEST activities,
and on the other side of the vault you had the ASCI, the
Advanced Strategic Computer Initiative activities on the other
side of the vault.
    There is an individual who is accountable for that vault.
It's an individual who has unescorted access to the vault, and
she is responsible for who gets in there and makes sure that
only people--the people that have unescorted access are watched
by her if she's in there. If she's not in there, the door
should be locked.
    Mr. Burr. Unescorted access means they have total access to
everything in that vault?
    Mr. Habiger. Yes, sir.
    Mr. Burr. The right side and the left side you're
describing?
    Mr. Habiger. Yes, sir.
    Mr. Burr. I thank you.
    Mr. Upton. Have all the folks with access to the vault been
quizzed already?
    Mr. Habiger. Sir, all of the people who have unescorted
access have been interviewed. Most of the people, primarily
based upon availability who had unescorted access, have been
interviewed.
    Mr. Upton. Now they are going back to reinterview all the
individuals with a polygraph; that begins tomorrow?
    Mr. Habiger.
The FBI is working up a list of people that
they will polygraph. The FBI is in charge of the polygraphing
process.
    Mr. Upton. I want to go back to the dollar amount that Mrs.
Wilson raised with regard to the supplemental. Before I was in
the Congress, I served at the Office of Management and Budget.
I was very aware of different agency requests that came in, and
ultimately what happened to them up on the Hill, and it was one
of the reasons that a number of us wanted to go out and visit
the labs. Actually, I think it was the hearing that you might
have been at last summer, where a number of us indicated we had
never been there and we wanted to get a better understanding of
just exactly what was there, so we could have a helpful hand in
making sure that security was appropriate.
    Mr. Podonsky and others provided many details to us. As we
undertook the Department of Energy's budget last year, I do
remember there were additional requests that came in, but it
was included as part of the overall spending bill that was
adopted in, I believe it was October, and everything was on the
table, and if the administration, I think, had pushed a little
bit harder, or even some would suggest pushed, in fact, the
full funding amount would have been included as part of the
overall bill. But it is sort of surprising that as it wasn't
all funded, that the Department of Energy would only--I should
say the administration would seek only $4 million, which we
have now requested more than 10 times such, but based on the
testimony by Mr. Gilligan this morning where, in essence, he
indicated that problems were identified a year ago and, in
fact, within 60 days, a system would be set up to make sure
there wouldn't be any problems and that's without any funding
at all.
    As we look at the level of funding that we've done with the
labs, the labs were very careful to tell us that security was
No.
1 and that they would find--they identified a number of
weaknesses that were out there and that they would find the
resources to fix the problem, no matter what the cost, and, in
fact, I think they've done that, would be my sense, as they've
testified to us earlier.
    I just wondered why isn't A, the same standard there at the
headquarters and B, how are you able to do it now? It sounds
like you're able to do exactly what you wanted to do without an
extra dime coming your way.
    Mr. Gilligan. Sir, I appreciate the question, and let me if
I could, go back and make clear, the request that we made last
summer for $35 million as a budget amendment for the fiscal
2000 was something that I personally worked. In fact, my
initial recommendation was for $50 million. Working with the
Department, we were only able to identify offsets, that is,
other budget reductions within the Department to support $35
million. That came through the administration over to Congress.
We got 7 million. Of that, $1 million was earmarked for a
specific project; so $6 million to be able to dedicate against
the priorities that we identified.
    Frankly, I was surprised that we didn't get support after
we had had the hearings and the discussion, especially in view
of the fact that the Department provided offsets, other budget
reductions. Those offsets were taken to fund other priorities.
    Subsequently I was given an opportunity--I was given a cap
of $4 million to identify additional cybersecurity initiatives
that we could request in a budget supplemental, and we did.
    Now, to address your specific question on the current
headquarters review, the significant problems that we've
identified, many of them can be fixed with limited dollars, I
will readily admit that.
There are some significant management
issues that we can address in the Deputy Secretary's memo,
which, in addition to the policy authority that I have for the
Department, now gives me line operational authority for the
headquarters computer security. I can now work to put the
management changes that need to be in effect to be able to fix
most of the problems.
    However, I still need additional funding to fully implement
protections to solve some additional weaknesses that I am aware
of on that picture. For example, at the lower left of that
picture, you see a cloud network. That is the DOE network. That
network connects our headquarters with all of our Federal
operations. That is something I am responsible for. We, in
fact, do have a policy, and we have enforced the policy that
each of the sites must have a firewall before they can connect
to DOE Net. Mr. Podonsky's review identifies that additional
security measures would be warranted, and I agree, and that
would be to create an additional protection so that one site
that potentially is compromised could not affect another site.
    That will take funding. That funding is something I have
requested now in the 2001 budget, and I would appreciate
support for that. So we will be able to implement some of the
fixes, some of the configuration management enforcement. Some
of the connection policies we will be able to implement. We
will not be able to implement some of the full enhancements
that I would like to do to get the headquarters up to the level
of my comfort without additional funding in fiscal year 2001.
    Mr. Upton. Thank you. I know my time has expired. I'd just
like to tell all members that we're looking at having a
classified closed briefing with General Habiger on the issue of
the missing hard drives, not only with this subcommittee, but
also with other members on Intelligence as well as Armed
Services, and it could be later today.
    Mr.
Stupak.
    Mr. Stupak. Thank you, Mr. Chairman.
    General, the way I understand it here, there are three
kits, two hard drives each. So there's a total of six hard
drives.
    Mr. Habiger. Yes, sir.
    Mr. Stupak. Can you tell us when the last time all six were
present and accounted for?
    Mr. Habiger. I can tell you that--not all six. I can tell
you that 4 of the 6 were accounted for when the lab began their
aggressive inventory on the--beginning May 22.
    Mr. Stupak. May 22?
    Mr. Habiger. Yes, sir.
    Mr. Stupak. All right. Why would you take the hard drives
out of kit three and put it in kit two?
    Mr. Habiger. So you'd have an operational capability.
Remember----
    Mr. Stupak. But then that renders kit three incapable,
right?
    Mr. Habiger. The hard drives are all the same. One's
primary, one's backup. The concern was to get an operational
kit out of harm's way, and so the individuals who went into the
vault at 2300 on May 7 made a decision to move the two hard
drives.
    Mr. Stupak. All right. Well, move them out of harm's way,
we're talking here about a wildfire. From my watching of the
news and everything else, it seems like a wildfire is
threatening to an area or a place for a day or two because it's
a wildfire, and then it moves on. Your testimony is that from
May 8 to May 22----
    Mr. Habiger. Sir, the winds were constantly changing, and
the winds were up to 60, 70 knots during this period, and
initially--and you had massive changes, 180-degree wind changes
of these very high winds, and the exposure or the risk to the
lab would go up 1 day and down the next, just depending on
which way the wind was blowing.
    Mr. Stupak. Well, if it would go up 1 day and come down the
next, during that time did anyone make any efforts then to try
to locate these disks?
    Mr. Habiger.
As far as I know, no, sir, and let me point
out that the Los Alamos--the city of Los Alamos and the
laboratory were shut down, were evacuated. National Guard
troops were in place, State police, to ensure that.
    Mr. Stupak. Okay. Let me just--and I know a statement was
made earlier that you can't do an arson investigation while a
fire is ongoing. Having been in police work for 12, 13 years, I
totally disagree, because during an arson investigation there
are things you look for, people around there, the evidence,
containers, fire trails, the burn patterns. Those are all key
parts of any arson investigation, and I'm sure they are in any
investigation. I'm still befuddled why we waited until after
May 22 and you not being notified until June 1. I just find
that unacceptable and--but I'm sure we can get into that some
other time.
    Mr. Podonsky, you're in charge of the Independent Oversight
for security at DOE, correct?
    Mr. Podonsky. Yes, sir.
    Mr. Stupak. And you spent a lot of time out there last year
and after it was determined that classified information was
being downloaded into unclassified systems; did you not?
    Mr. Podonsky. Yes, we did.
    Mr. Stupak. One of the things you told the subcommittee in
October when we held a hearing on the security situation at the
weapons lab was that there--and I am going to quote now--there
were weaknesses in access controls at areas where classified
weapons information was used and stored. Is that correct?
    Mr. Podonsky. That is correct.
    Mr. Stupak. And that's not a cybersecurity issue, it's a
plain old physical security problem. In fact, you were talking
about areas exactly like the vault in which the lost hard
drives were stored, correct?
    Mr. Podonsky. That is correct, but we were not at the TA
three area.
    Mr. Stupak. I know you weren't talking specifically about
that vault at that time.
It's the idea of the same old physical
security problem. Now that we've established that the disks
were in the emergency response kit for the NEST team, and the
kit was in a locked suitcase-like container with other locked
containers inside, these hard drives were in one of those
containers. The suitcase, however, was accessible to anyone in
the room. We've already established there were keys there, you
could get at them. Can you explain to me then how a situation
could have been allowed for this type of security breach? I
mean, if it's plain old physical security, and that was a
concern a year ago, why would we have the keys right there,
accessible, attached to the kits or hanging on the wall? It
just seems like a great opportunity to access it by somebody
who should not access it.
    Mr. Podonsky. I can answer generically since we are not
directly involved in what's currently under investigation.
However, I will tell you in August when we were there, they
were rated satisfactory, the overall site security, and then
again in December, and that was based on the performance that
we saw at the sites within the laboratory that we inspected. We
maintain and believe that that was a satisfactory performance.
    There is a human element in security, and that's something
that is always unpredictable. Obviously, as I said, we don't
have the details of what's going on in the investigation, but
we had seen, just like in the downloading of classified to an
unclassified Net, there is always that human element,
regardless of all the administrative controls that you put in.
    Mr. Stupak. Exactly. There's a human element. I think when
we raised it earlier, I was reminded that these are good,
hard-working, honest people.
No one up here is saying they're not,
but the fact remains we still have two hard drives missing that
can't be accounted for, that can't be remembered where they
are.
    And explain something else for me if you can, and maybe
I'm--explain how a nuclear weapons laboratory can have a
satisfactory security program, but can lose or have removed
weapons, design and intelligence information such as on these
hard drives? How can they get a satisfactory?
    Mr. Podonsky. At the time that we inspected them, they were
performing at a satisfactory level, and all the things that we
tested, the guards, the cybersecurity, the material control
accountability, they were not only in compliance with the DOE
requirements, but they were performing well, albeit this latest
news event that just occurred is not a satisfactory situation,
but that does not, in our view, taint the entire laboratory's
performance. It does call into question a lot of other issues
that I'm sure General Habiger will talk in a closed session.
    Mr. Stupak. In the previous hearings we've always brought
up this atmosphere that exists at the lab, rather relaxed
atmosphere, and I've been one who always talked about
accountability and responsibility, and then we continue to see
these satisfactory, satisfactory, and then we hit another
embarrassing-type situation. So I guess that goes back to that
human element. No matter how honest or how well we think
employees are, there's still going to be a degree of human
element that you can't put satisfactory on. Is that a fair
statement?
    Mr. Podonsky.
I would say there's a--with any corporation,
in DOE in particular, as we've seen, there's some very
dedicated people there that are doing the job for very noble
reasons, and there's always going to be the human element that
you cannot put a satisfactory on.
    I am reminded when we used to do safety oversight, we had a
number of very serious and near fatal accidents at the
laboratory. Not everybody took safety seriously until it
happened to some of their own researchers. So that human
element is something that it is very difficult to quantify. So
what we do is we don't just look at technical systems, we look
at management systems. We try to get to the root cause. We're
not at all trying to indicate that we hide behind the curtain
of the human frailties, but that's something that has to be
considered.
    Mr. Stupak. Thank you, Mr. Chairman.
    Mr. Upton. Mr. Burr.
    Mr. Burr. Mr. Gilligan, let me attempt to answer a question
you raised or a statement that you made, and this is a response
from me personally. You said that you were surprised that the
budget request was not fulfilled, and I would only share from a
standpoint of somebody that I think has been in every security
briefing that we've had, open or closed, has followed the
process to the extent that over the break I traveled to
California for a three-stop tour in 2 1/2 days, and has
followed not only the General's suggestions, but the
Secretary's statements, that many of the things that were
stated up front have not been fulfilled.
    I am not here to judge whether they should have been made
or should have been carried out, but we made some changes along
the way, and that's understandable as we're addressing a crisis
of the moment.
I think the lack of any specific funding that
might not have made it is a lack of confidence that we have the
right plan in effect, or that we're concerned on whether we
will implement what it is that we have endorsed, or there's not
that degree of need to accomplish what has been explained to
Congress.
    So the challenge is indeed on your part and on the part of
General Habiger and of the Department of Energy to make sure
that every Member of Congress understands what the cost of the
process is, and that may be a more elementary challenge on your
part than we have had in the past, but we are not going to
knee-jerk to a crisis that exists. We're going to ask for the
documentation, and we're going to ask for the accountability
that what you tell us is accomplished.
    Let me move back to the current situation for just a few
more questions, General. What do you mean by escorted? When a
person is escorted, what does that mean, into that vault?
    Mr. Habiger. They have to be accompanied by someone who
understands the security requirements.
    Mr. Burr. Would that individual have to be on that list of
26 individuals?
    Mr. Habiger. Yes, sir.
    Mr. Burr. For secure access by themselves?
    Mr. Habiger. Yes, sir.
    Mr. Burr. You mentioned, I think, ASCI information
additionally was stored in that vault?
    Mr. Habiger. Yes, sir.
    Mr. Burr. Is that accounted for and secure today?
    Mr. Habiger. Yes, sir.
    Mr. Burr. All of it?
    Mr. Habiger. Yes, sir. As a matter of fact, the laboratory
in the nuclear weapons arena, Dr. Browne directed as of 1700
hours yesterday that a 72-hour lock-down of the nuclear weapons
area be accomplished, and that all plans, security plans, be
reviewed, and that all classified media, documents be accounted
for. That's to be accomplished over a 72-hour period.
    Mr. Upton. Would the gentleman yield?
    Mr. Burr. Yes.
    Mr. Upton.
When somebody is in the vault, and they are to
be escorted, does the escort then have to stay with that
individual the entire time they are within the vault?
    Mr. Habiger. Yes, sir; again, 10 feet wide, 20 feet long.
    Mr. Upton. So if you need the escort, there's always at
least two people in that room?
    Mr. Habiger. Absolutely, sir.
    Mr. Burr. General, if you can't answer this, I understand
it, we'll address it later, but after an individual has
possession of this hard drive, how easily is it usable? Is it a
plug and play?
    Mr. Habiger. Yes, sir.
    Mr. Burr. Okay. Was this the most sensitive information in
the vault?
    Mr. Habiger. Yes, sir.
    Mr. Burr. Let me ask you, you referred to the fact that the
FBI has taken the lead in the investigation, and you expect
next week for the FBI to begin a polygraph process.
    Mr. Habiger. Tomorrow.
    Mr. Burr. Tomorrow, once they have identified individuals.
We know the record with polygraph as it relates to our
scientists. This is not something that they do
enthusiastically. Do you have any reason to believe that any of
the individuals that will be targeted would object to this
initiative?
    Mr. Habiger. I will give you a very definitive answer in
closed session, sir.
    Mr. Burr. I thank you for that.
    Let me move, if I could, to why we're here today. Glenn,
last time you testified here, I believe you very emphatically
told us that the message was getting out on security, that that
had been heard, and today you're telling us that DOE
headquarters heard the wake-up call. Is that right?
    Mr. Podonsky. Yes, sir.
    Mr. Burr. If DOE headquarters really heard that call, then
why do you find such a bad situation involving very basic
principles of computer security?
    Mr. Podonsky.
Well, sir, as I started to mention in my
response to Congressman Green, I'd like to iterate, in all the
time that we've been in the Department, we've seen some very
egregious management systems in place, a lot of repeat issues
that should have been dealt with over the last 16 years. Many
issues have been written about in our oversight reports.
Various administrations did not have it high on the priority.
    For obvious reasons, this administration, together with
this Congress, has focused a great deal on security in
Department of Energy, and to you all's credit as well as this
Secretary, we have seen a quantum change. It doesn't mean they
are there where they need to be, but clearly the headquarters,
the responsibility that John Gilligan has being further
clarified by his Deputy Secretary Glauthier's memo will further
help him do the job that he was hired to do, but in addition,
he and his staff have been focusing on the field extensively.
So quite candidly, until the management processes were in
place, we did not see that they were going to be very
successful at bringing the headquarters into the same level
that the field is now getting into.
    We believe with the corrective action plan that Mr.
Gilligan's office has prepared, if all the items in there get
carried out, we do believe it's going to be going in the right
direction. That's why we say that we've seen a difference. It
is taken in respect to what we've seen over the last 16 years.
    Mr. Burr. Most of us who have served for several years
consider Bill Richardson to be a friend, and we know that every
effort he goes out on is genuine and passionate. So I think we
would hold in the same regard the Secretary's willingness to
address this problem.
The follow-through is something that this
committee continues to be baffled at, and I would only point to
the March 3, 2000, memorandum from the White House, and that
memorandum, in the last paragraph it said, accordingly, I've
asked each Cabinet Secretary and agency head renew their
efforts to safeguard their department's or agency's computer
systems against denial-of-service attacks on the Internet,
stepping up the awareness of a security breach.
    That was March 3, 2000.
    It also said, I have asked my Chief of Staff John Podesta
to coordinate a review of the Federal Government
vulnerabilities in this regard and report back to me by April
1.
    [The information referred to follows:]

                                    The White House
                              Office of the Press Secretary
                                                      March 3, 2000
For Immediate Release March 3, 2000

MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

SUBJECT: Action by Federal Agencies to Safeguard Against Internet
        Attacks

    America and the world have benefited tremendously from the amazing
advances we have seen with the Internet and computer technology. But
with every new technological advance there are new challenges, and we
must meet them--both Government and the private sector--in partnership.
    Following recent Internet disruptions, I met with experts and
leaders of the information technology industry so we could work
together to maximize the promise of the Internet, while minimizing the
risks. These Internet disruptions highlight how important computer
networks have become to our daily lives; and how vulnerabilities can
create risks for all--including the Federal Government.
    Accordingly, I ask each Cabinet Secretary and agency head to renew
their efforts to safeguard their department or agency's computer
systems against denial-of-service attacks on the Internet.
Within legal \nand administrative limits, attention should also be paid to contractors \nproviding services. The Federal Computer Incidence Response Center \n(FEDCirc) and the National Infrastructure Protection Center (NIPC) have \navailable software tools to assist you in these efforts.\n    I have asked my Chief of Staff, John Podesta, to coordinate a \nreview of Federal Government vulnerabilities in this regard and to \nreport back to me by April 1.\n                                                 William J. Clinton\n\n    Mr. Burr. Mr. Podonsky or General Habiger, can you share \nwith us what Mr. Podesta reported to the President relative to \nthe state of security at the Department of Energy?\n    Mr. Gilligan. Sir, I'd be happy to tell you. In fact, I was \none of the authors of that memo that the President signed. \nUnder my role as cochair of the Federal CIO Council, Security, \nPrivacy and Security Infrastructure Committee, I have a \nresponsibility to help advise the administration across the \nFederal Government. We prepared that memo for the President. We \nprepared a process working with Office of Management and \nBudget, Mr. Podesta's staff, to get reports from each Federal \nagency. Within the Department of Energy, I coordinated the \nresponse. We sent out guidance to each of our field \norganizations, specific technical guidance on how to prevent \ndenial-of-service attacks. It is a particularly difficult, \ntechnically challenging----\n    Mr. Burr. I take for granted that the April 1 deadline for \nMr. Podesta to get back to the President was a status report, \nare we secure?\n    Mr. Gilligan. No. The status report was on those actions \nthat have been taken. Security is not a binary function. It is \nnot we are 100 percent secure or we are 100 percent insecure. \nIt's a relative activity. 
It's a very complex set of technical \nissues that are involved.\n    The status report that was asked for was what was the \nresponse within each agency to address denial-of-service \nattacks, and within the Department of Energy we reported that \neach of our organizations had taken the guidance that we had \nissued, they had responded to the guidance in a variety of \nways, many running specific software checks against all of \ntheir systems to look for potential vulnerabilities that could \nbe exploited, to look for configuration controls that would, in \nfact, allow us to prevent denial-of-service attacks.\n    Mr. Burr. Did the Department of Energy make the April 1 \ndeadline?\n    Mr. Gilligan. Yes, we did.\n    Mr. Burr. Glenn, your review of security was at the end of \nApril?\n    Mr. Podonsky. Yes, sir.\n    Mr. Burr. At that time did you find Web servers at the \nDepartment of Energy that could access other agencies?\n    Mr. Peterson. We found Web servers, again referring to our \ndiagram, out in the public area outside of the screen sub-Net, \nthat were vulnerable to attack. We proved that by taking over \none of those machines, and we could have used it to attack a \ndifferent agency.\n    Mr. Burr. You could use them to launch a denial-of-service \nattack on other government agencies?\n    Mr. Peterson. That is correct.\n    Mr. Burr. Now, is that what you reported to Mr. Podesta?\n    Mr. Gilligan. The report back to Mr. Podesta did not \naddress every individual computer within the agency.\n    Mr. Burr. So what was the President asking for in this \nmemorandum? I mean, I take for granted he was probably asking \nabout some of the most sensitive secure areas. We're doing an \nassessment of unclassified areas and just our Web servers. We \nwere vulnerable to exactly the thing the President said in his \nmemorandum, which was denial of service existed.\n    Mr. Gilligan. Each of the sites reported the steps that \nthey had taken. 
The headquarters organizations, plural, \nreported those steps they had taken to respond to the denial-\nof-service attacks. We did not at this juncture verify each and \nevery computer the fact that something----\n    Mr. Burr. If you knew that those existed when you put this \nreport in, why was Mr. Podonsky's review of the system needed \nif you knew where we were vulnerable?\n    Mr. Gilligan. I am not sure, sir, I understand your \nquestion.\n    Mr. Burr. You responded to Mr. Podesta for the purpose of \nhis reporting to the President the status at DOE by April 1.\n    Mr. Gilligan. That's correct.\n    Mr. Burr. At some point thereafter Mr. Podonsky's still \ndoing a review of unclassified systems at the Department of \nEnergy, and he finds vulnerable areas. I guess the question is, \ndid you know about those vulnerable areas when you reported to \nMr. Podesta?\n    Mr. Gilligan. Sir, today and in the future there will \ncontinue to be vulnerabilities in our computer systems. That's \nthe state-of-the-art. There are vulnerabilities in the computer \nsystems that are run by this Congress, but that's the state-of-\nthe-art. The securing of these systems is a continuing process. \nThe report back to Mr. Podesta identified those processes and \nthe verification that each of our sites had done. It did not \nsay that there were no vulnerabilities. In fact, there are \nvulnerabilities that continue to be discovered and exploited.\n    Mr. Burr. Is the vulnerability--and I am not a techie, \nclearly you are--is the vulnerability of a Web server and its \npotential use to launch attacks a new phenomenon, or is that \nsomething that has existed since Web servers have been out \nthere?\n    Mr. Gilligan. The potential to use----\n    Mr. Burr. Is that the last place we look for a \nvulnerability, or is it one of the first places?\n    Mr. Gilligan. 
The Web server is generally not a high risk, \na highly vulnerable computer, because of the limited functions \nit performs, and in general, Web servers are intended for \npublic access, and the protection on those is primarily to \nensure that the information content that is primarily read only \nis, in fact, preserved.\n    Mr. Burr. Let me turn to Mr. Podonsky, who did the \ninvestigation. Is a Web server a tool that one should be \nconcerned with if that Web server is unsecured and can be used \nto launch attacks on?\n    Mr. Peterson. Absolutely. For one, it could be an \nembarrassment to the Department having it defaced, and then the \nsecond one is to have our resources from the DOE to be used in \nan illicit manner.\n    Mr. Burr. Let me just read from your report if I can. I \nquote: Most of these Web servers were found to be vulnerable to \ncommon hacking exploits, and some contained vulnerabilities \nthat could allow any Internet user to gain system \nadministrator-level privileges. With this level of privilege an \nattacker could deface or shut down the Web site or configure \nthe server to launch attacks against other Internet entities \ncausing public embarrassment to DOE.\n    So, in fact, you did put it in your report--in the way that \nyou've stated it, it sounds fairly serious.\n    Let me just ask one last question, Mr. Chairman.\n    Glenn, your report also concluded by stating this, and this \nis alarming to me, it really is: Senior management attention is \nneeded to establish a management structure conducive to \neffective unclassified cybersecurity at headquarters. Now, we \nhave all praised Bill Richardson quite a bit. We have a lot of \nconfidence in you, General. We have tremendous confidence in a \nlot of folks at the Department of Energy. But, Glenn, I have \ngot to ask you, what led you to put that in your report, that \nsenior management's attention is needed? We've had a series of \nsecurity breaches, of management blunders, I think. 
Nobody has \never questioned the commitment of the Secretary, but something \nled you to say senior management doesn't get it yet. Who were \nyou describing when you used the term ``senior management''?\n    Mr. Podonsky. Let me answer your question in the following \nway. Last week I met with General Gordon, and one of the things \nhe asked me about the new NNSA, what are some of the first \nthings he ought to do. He was planning to go and do some tours \nof the sites around the complex, and I suggested that he first \nneeds to take a look at headquarters, and he needs to take a \ngood hard look at how headquarters operates. And I would say \nthat what we were aiming at is when we looked at what is the \nroot cause, General Habiger and John Gilligan and all the folks \nthat are dedicated to doing the right thing in the Department \nhave mostly been focusing outside the headquarters is what our \nassessment was, and there's an awful lot of organizations \nwithin that Department across the way there that may need to be \nworking all in unison.\n    So our focus was that senior management at headquarters \nneeds to also take a look at the operation of the Forrestal as \nwell as the Germantown building, not just the field offices.\n    Mr. Burr. Technical question. My understanding is that DOE \ncontractors in some way, shape or form are linked to regional \noffices and/or headquarters of the Department of Energy. Could \nthose links also be used to launch attacks from, or could those \nlinks be used to exploit any security measures that we have in \nplace?\n    Mr. Peterson. We are concerned with the links from the \nexploitation aspect. Obviously it broadens your network \nperimeter, and then it will allow you--if you find the weakest \npoint, then it allows you into that broad perimeter of that \nnetwork, and then if you have enough time and skill, then you \ncan take over a machine, a computer, and then use that to \nlaunch an attack against the Internet site. 
So that's \ndefinitely a concern.\n    Mr. Burr. General, let me just make one last statement, if \nI could. I do hope we go to a closed session, if not today, \nvery quickly.\n    I would only say this, that for a vault containing high-\nsecurity information, one that we were concerned enough with to \ngo through a process of individuals who could visit it, No. 1, \nand from that list who needed escorting, that apparently we \nhave a full-time person who oversees the entry to that vault \nand the exit to that vault, it is amazing to me that there's \nnot some record of who accessed it when and if anyone removed \nsomething from that vault, and if so, when it was returned. If \nthis were some type of nuclear material of which we have \nidentified a similar set of scenarios that we have addressed, \none of the remedies was that it no longer goes without some \ntype of cataloging of who went, when they went, what they did, \nwhen it was returned, if it was taken off premises. I do hope \nthat that's a procedure that will change, and if it can't be \naccomplished through our current contractor, I hope the \nDepartment of Energy will be brave enough to review this \ncontract and to look at somebody that can run a facility with \nthe type of procedures that we need, as Mr. Gilligan said, in \nan ever-changing technological world that every day we're faced \nwith a new risk and a new challenge.\n    And with that, I thank all four of you, and I yield back.\n    Mr. Upton. Thank you.\n    I just want to note, thanks to the membership of Mrs. \nWilson on the Intelligence Committee, we've been able to secure \nthe intelligence room in the Capitol until 2 o'clock. General \nHabiger, would you be able to come maybe at like 1 until 2:00?\n    Mr. Habiger. Sir, at your convenience.\n    Mr. Upton. Okay. Well, we'll put a notice to all members of \nthe full committee that that is available, and you know where \nit is in the Capitol; do you not?\n    Mr. Habiger. 
I'll find it.\n    Mr. Upton. It's hard to find. I'm sure David can help you.\n    We'll yield at this point. I am going to leave here \nshortly. Mr. Burr is going to take over the chairmanship, and I \nwill see you at 1 o'clock, and at this point we'll yield to \nMrs. Wilson, who has got a couple more questions.\n    Mrs. Wilson. Thank you, Mr. Chairman. I do have a couple of \nmore questions, particularly about cybersecurity at the \nheadquarters. And, General, I have a lot of sympathy for your \nsituation, trying to get a job done and convince--I have been \nin that situation myself--trying to convince the budget guys \nthat you have got a job to do and you need the resources to do \nthat job and so forth. But I do think it's important to make \nsure this chronology is in the record with respect to \ncybersecurity, and I think I have kind of compiled my own \nsummary of it at this point. And I think it's important for \neverybody to understand what happened in 1999 and where we are \nnow.\n    In January 1999, the Cox report was finished in its \nclassified form, briefed to the administration and key Members \nof Congress.\n    Of course, by that time, the administration's budget \nrequest was already in and up here, and there are a number of \nrequests that come in to amend that throughout the year as we \nare beginning work on it.\n    On May 14, 1999, the Department of Energy requested an \namendment to the President's budget request for cybersecurity. \nThat went to the energy and water committee, and that request \nwas for $8.5 million, and it was fully funded.\n    May 25, the Cox report is publicly released in its \nunclassified form, and there is a firestorm of hearings and \ninvestigations and responses in both the Defense Committee, the \nIntelligence Committee and this committee all the way through \nJune. 
It affected the defense authorization, intelligence \nauthorization and the appropriations bill.\n    On about July 13, as I understand it, there was a request \nin the energy and water committee for $35 million, General, for \nyour office. It was listed as security. The committee asked for \nfurther justification and breakdown and were not able to get \nit. This is 24 hours before the markup in subcommittee. It was \nnot listed as for cybersecurity. It was for the funding of your \noffice, and I have no doubt at all that your office needs that \nfunding to do your job. Without that supported breakdown, you \nwere given $7 million initially from that subcommittee mark, \nbut it wasn't cybersecurity, it was for your operations in your \noffice, and I understand that's entirely legitimate.\n    It then goes through the House and over to conference. I \nwould note that there's a man named Senator Pete Domenici, who \nI know pretty well, who is on that conference committee, and if \nthere was a shortage for cybersecurity, particularly for the \nnuclear weapons complex, it would not have been particularly \ndifficult to get that put into the bill.\n    In the fall, the labs continue on looking at cybersecurity \nand their needs and making plans and assessments of the costs \nof this whole thing, and when we come back in January, me and a \nwhole bunch of other folks were expecting a major request for a \nsupplemental, particularly related to the cybersecurity, but in \nFebruary we get the White House's supplemental request, and \nthey only asked for $4 million for cybersecurity.\n    We then get a group together here of experts and others and \nask in early March, is that adequate? Is this real? And the \nanswer is quietly, no, it's not. It's not the real number, it's \nnot the real need. So we make the request of Energy and Water \nin a separate supplemental to bump that up significantly. 
I ask \nfor $90 million; $45 million is added specifically for \ncybersecurity.\n    I think that is important as a chronology because, now, I \nthink there's sometimes an attempt to shift blame around. And I \nunderstand that you're in a difficult situation. You have to \nget up and operating as a security office, but with respect to \ncybersecurity and the requests that come in for cybersecurity, \nI think the appropriators have been pretty good at working with \nthose members like myself who are concerned about this issue \nand fully funding the requests that are identified as \nprotecting our security programs, our computer security, and \nwe'll continue to fight those battles up here and get the money \nthat's needed. I frankly wish that I had more support from the \nadministration when it comes to really identifying the actual \ncosts that are going to be needed, and I'd appreciate it if \nyou'd take that one back.\n    I do have some questions concerning this chart, some more \nthings. First from Mr. Gilligan, is there a single unified risk \nassessment and a security plan for the headquarters network as \na whole?\n    Mr. Gilligan. Congresswoman Wilson, there is not, and, in \nfact, I think that's one of the observations that the \nindependent oversight review points out that I agree is a \nweakness in our implementation. If I look at how we implemented \ncybersecurity policies within the headquarters, each individual \nsubordinate organization in the headquarters implemented the \npolicies individually. So there are multiple risk assessments. \nThere are multiple cybersecurity plans, there are multiple \ncybersecurity implementations, and I think Mr. 
Podonsky's team \ncorrectly identifies this as an overall weakness because we \nhave some offices who do a very good job of implementing those \nplans, correcting the vulnerabilities, and other offices who \nhave not done a good job, but it becomes a shared risk.\n    So the action that was taken by the Deputy Secretary in \nessence expands my job, so not only am I to have policy \nresponsibility for the entire Department, but I now have \noperational responsibility which I did not have previously for \nthe entire headquarters. In the past I had operational \nresponsibility through an operations organization that happens \nto be attached to me for small subsets of the headquarters, \nand, in fact, those portions of the headquarters were viewed as \nvery strong in the independent oversight review, yet they were \nvulnerable to other offices who had weaker security. So now \nthat I have responsibility for the operational security of the \nentire headquarters, we can do one plan, one risk assessment, \none set of policies and procedures, and I can enforce those \npolicies and procedures across the headquarters.\n    Mrs. Wilson. When were you given that additional authority?\n    Mr. Gilligan. On June 8.\n    Mrs. Wilson. Okay. Does DOE have a comprehensive list of \nthe external connections so that anything that enters those \ncircles or those subcircles here--do you have a comprehensive \nlist of external connections?\n    Mr. Gilligan. Ma'am, we have a list. I would not say that \nit is a comprehensive list. I think that is a continued \nvulnerability. 
The Internet networking technology that we have \ntoday lets connections be made quite rapidly, and that would be \npart of the objective of establishing a very rigorous perimeter \nacross all of the headquarters systems and a what is called \nconnection policy which we can enforce, which would, in fact, \nthen allow us to map what are all the external connections, do \nthey, in fact, conform to the security provisions that must be \nin place before an external connection is permitted, and that's \nmore part of the activity that's under way now.\n    Mrs. Wilson. With respect to the additional authority that \nyou have been given on June 8, and I also have some sympathy \nfor your situation being responsible for something, but I would \nguess a lot of the guys who have to implement this don't really \nwork for you, they still work down in DP and IA and NN and \nthose kinds of things. Is that right?\n    Mr. Gilligan. That's correct. My office now has overall \nresponsibility. We will still work with the individual offices, \nbut now I have the accountability and responsibility to make it \nwork, and I can go to the Deputy Secretary and the Secretary as \nneeded to identify problems, where in the past I did not have \nany clear authority. I could identify concerns, but I had no \nspecific responsibility or authority. That has been clarified \nwith the Deputy Secretary's memo of June 8.\n    Mrs. Wilson. What additional authority do you really have? \nCan you really tell DP or CR or EH or any of these little \nsuborganizations, ``Shut down your computer network until you \nfix the following problems?''\n    Mr. Gilligan. That is one of the new authorities that I \nhave. With my ability now to enforce a connection policy, if \nthat policy is not adhered to, I can and will shut down those \norganizations.\n    Mr. Burr [presiding]. 
If the Chair could ask the gentlelady \nto wrap up as quickly as she can, I think that it's only right \nto allow them the opportunity for a break in between the 1 \no'clock session. So if you would wrap up as quickly as you can.\n    Mrs. Wilson. Thank you, Mr. Chairman. In fact, I think that \nprobably concludes the things that I'd like to pursue in this \nforum, and I thank all of you for your time.\n    Mr. Burr. I thank the gentlelady. I didn't think she'd be \nquite that quick, but the Chair would ask unanimous consent for \nthe record to remain open for the purposes of opening \nstatements of any members that request to enter those and for \nadditional questions of members.\n    Gentlemen, let me once again thank you on behalf of this \ncommittee. I hope all of you understand the seriousness that we \nnot only take of the headquarters evaluation, but the findings \nwithin the last 48 hours of continuation of a breach of our \nsecurity at our labs.\n    Our hope is that, Mr. Podonsky, you will move forward \nwith--at some point with an audit of the classified areas of \nheadquarters, and that we will have an opportunity to review \nthat.\n    And my hope is, Mr. Gilligan, with this new responsibility, \nand that's the coordination of one plan for security at \nheadquarters, that you will be successful in making sure that \nthat's implemented in the fashion that you see appropriate.\n    My hope, General, is that at some point we can get one plan \nfor the individual labs that you have and your team have the \nconfidence in that it is secure.\n    With this, this hearing is adjourned.\n    [Whereupon, at 12:15 p.m., the subcommittee was adjourned.]\n</pre></body></html>\n"