[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]





 
COMPUTER INSECURITIES AT DOE HEADQUARTERS: DOE's FAILURE TO GET ITS OWN 
                          CYBER HOUSE IN ORDER

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                      OVERSIGHT AND INVESTIGATIONS

                                 of the

                         COMMITTEE ON COMMERCE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 13, 2000

                               __________

                           Serial No. 106-157

                               __________

            Printed for the use of the Committee on Commerce


                    U.S. GOVERNMENT PRINTING OFFICE
65-910CC                    WASHINGTON : 2000




                         COMMITTEE ON COMMERCE

                     TOM BLILEY, Virginia, Chairman

W.J. ``BILLY'' TAUZIN, Louisiana     JOHN D. DINGELL, Michigan
MICHAEL G. OXLEY, Ohio               HENRY A. WAXMAN, California
MICHAEL BILIRAKIS, Florida           EDWARD J. MARKEY, Massachusetts
JOE BARTON, Texas                    RALPH M. HALL, Texas
FRED UPTON, Michigan                 RICK BOUCHER, Virginia
CLIFF STEARNS, Florida               EDOLPHUS TOWNS, New York
PAUL E. GILLMOR, Ohio                FRANK PALLONE, Jr., New Jersey
  Vice Chairman                      SHERROD BROWN, Ohio
JAMES C. GREENWOOD, Pennsylvania     BART GORDON, Tennessee
CHRISTOPHER COX, California          PETER DEUTSCH, Florida
NATHAN DEAL, Georgia                 BOBBY L. RUSH, Illinois
STEVE LARGENT, Oklahoma              ANNA G. ESHOO, California
RICHARD BURR, North Carolina         RON KLINK, Pennsylvania
BRIAN P. BILBRAY, California         BART STUPAK, Michigan
ED WHITFIELD, Kentucky               ELIOT L. ENGEL, New York
GREG GANSKE, Iowa                    TOM SAWYER, Ohio
CHARLIE NORWOOD, Georgia             ALBERT R. WYNN, Maryland
TOM A. COBURN, Oklahoma              GENE GREEN, Texas
RICK LAZIO, New York                 KAREN McCARTHY, Missouri
BARBARA CUBIN, Wyoming               TED STRICKLAND, Ohio
JAMES E. ROGAN, California           DIANA DeGETTE, Colorado
JOHN SHIMKUS, Illinois               THOMAS M. BARRETT, Wisconsin
HEATHER WILSON, New Mexico           BILL LUTHER, Minnesota
JOHN B. SHADEGG, Arizona             LOIS CAPPS, California
CHARLES W. ``CHIP'' PICKERING, 
Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
ED BRYANT, Tennessee
ROBERT L. EHRLICH, Jr., Maryland

                   James E. Derderian, Chief of Staff

                   James D. Barnette, General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

              Subcommittee on Oversight and Investigations

                     FRED UPTON, Michigan, Chairman

JOE BARTON, Texas                    RON KLINK, Pennsylvania
CHRISTOPHER COX, California          HENRY A. WAXMAN, California
RICHARD BURR, North Carolina         BART STUPAK, Michigan
  Vice Chairman                      GENE GREEN, Texas
BRIAN P. BILBRAY, California         KAREN McCARTHY, Missouri
ED WHITFIELD, Kentucky               TED STRICKLAND, Ohio
GREG GANSKE, Iowa                    DIANA DeGETTE, Colorado
ROY BLUNT, Missouri                  JOHN D. DINGELL, Michigan,
ED BRYANT, Tennessee                   (Ex Officio)
TOM BLILEY, Virginia,
  (Ex Officio)

                                  (ii)





                            C O N T E N T S

                               __________
                                                                   Page

Testimony of:
    Gilligan, John M., Chief Information Officer, U.S. Department 
      of Energy..................................................    12
    Habiger, Eugene E., Director, Office of Security and 
      Emergency Operations, U.S. Department of Energy............    10
    Podonsky, Glenn S., Director, Office of Independent Oversight 
      and Performance Assurance, accompanied by Bradley A. 
      Peterson, Office of Cyber Security and Special Reviews, 
      U.S. Department of Energy..................................     6

                                 (iii)

  


COMPUTER INSECURITIES AT DOE HEADQUARTERS: DOE's FAILURE TO GET ITS OWN 
                          CYBER HOUSE IN ORDER

                              ----------                              


                         TUESDAY, JUNE 13, 2000

                  House of Representatives,
                             Committee on Commerce,
              Subcommittee on Oversight and Investigations,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 9:10 a.m., in 
room 2123, Rayburn House Office Building, Hon. Fred Upton 
(chairman) presiding.
    Members present: Representatives Upton, Burr, Bilbray, 
Bryant, Bliley, (ex officio), Stupak, Green, and DeGette.
    Also present: Representative Wilson.
    Staff present: Tom Dilenge, majority counsel; Anthony 
Habib, legislative clerk; Clay Alspach, legislative clerk; 
Edith Holleman, minority counsel; and Brendan Kelsay, minority 
research analyst.
    Mr. Upton. Good morning, everyone and welcome.
    Today's alarming news story may change the focus of this 
morning's hearing a little bit. Americans everywhere want 
absolute assurances that our nuclear secrets remain just that, 
secret.
    Sadly, today's headlines are indeed startling regarding the 
missing disks and the unsuccessful attempts of answering the 
many questions that are now out there. How can these disks be 
missing after more than a month with only as many as 86 
individuals, 26 being unescorted, having access to these highly 
classified disks?
    Real security is going to require additional changes in how 
DOE and its labs control their classified data, whether in hard 
copy or on computer disk. Our hearing today, coupled with this 
news from Los Alamos, shows how far the Department, in its 
lapse, still must go to make security the priority that 
everyone wants it to be.
    This subcommittee will hold a hearing to continue its year-
long review of cyber security practices at the Department of 
Energy. This time, our focus is not on the Department's nuclear 
weapons labs--which have received the lion's share of attention 
and have made real improvements in computer security since last 
year--but on DOE headquarters itself. Unfortunately, the 
current situation at DOE headquarters is little better than 
where the labs were a year ago, a startling and troubling 
revelation given the Secretary's professed commitment over 1 
year ago to make security, and cyber security in particular, a 
top priority throughout the Department.
    We'll hear today once again from Mr. Glenn Podonsky, whose 
office conducts independent reviews of DOE security practices, 
including the latest audit of headquarters cyber security 
completed last month. At our last hearing on DOE's security 
issues, Mr. Podonsky's office promised in response to 
Congresswoman Wilson's questioning to initiate an expedited 
review of headquarters cyber security, and I am pleased that 
he's with us to report to the subcommittee on the findings of 
this audit. In particular, we will hear that the headquarters 
computer network has many significant and easily exploitable 
vulnerabilities that render it both susceptible to internal and 
external threats.
    As with the labs, we will hear once again about the lack of 
internal security controls to limit the ability of authorized 
and unauthorized users, including some foreign nationals, to 
move freely among the various program office systems to 
compromise sensitive information. On this unified network is 
not only the Secretary's office but also key program functions, 
such as defense programs, nonproliferation and national 
security, security operations, counterintelligence, the general 
counsel and inspector general, and even Mr. Podonsky's office. 
While these offices' classified data is physically separate 
from the unclassified network, the audit does raise concerns 
about whether the tighter controls that were ordered more than 
a year ago by the Secretary to limit the transfer of classified 
data to the unclassified systems have in fact been implemented 
at DOE's own headquarters.
    As with the labs, we'll also hear about deficiencies in 
certain fire walls and intrusion detection systems. While no 
Internet fire wall is ever 100 percent foolproof, it is 
important that a sytem be able to quickly detect and block this 
spread of unauthorized entries into the network. By this 
important measure, DOE falls significantly short of the mark.
    From a management perspective, the audit essentially finds 
that no single person or entity is in charge of this network, 
an amazing finding in and of itself, and most likely the root 
cause of the technical problems uncovered by this audit. It 
appears that much like other Federal agencies the committee has 
looked at, the chief information officer at DOE is the chief in 
name only.
    Given Secretary Richardson's reorganization last summer, 
which elevated the CIO and gave him responsibility for all 
cyber security efforts throughout the Department, I would have 
thought that the CIO would have also received the authority to 
mandate certain minimum requirements and corrective actions to 
vulnerable systems. Instead, we now find out that the CIO 
lacks, according to the audit, ``real and perceived authority 
to order changes,'' a view apparently shared by the CIO 
himself.
    I know I must speak for many members of this committee when 
I say that I find the whole situation bewildering. How could 
DOE headquarters, which was the catalyst for the security 
changes at the nuclear weapons labs last year, leave its own 
systems so vulnerable to misuse; and why is the Department's 
CIO so powerless to change the situation?
    These and many other questions will be explored at today's 
hearing, and I welcome our panel of witnesses. In particular, I 
look forward to the testimony of General Habiger, DOE's 
security czar, and Mr. Gilligan, DOE's CIO, on what technical 
and management changes DOE intends to make to fix these serious 
problems and on what timetable. I am glad to see that after 
we'd noticed this hearing last week, the Department immediately 
moved to give this CIO new powers over the headquarters 
network; and I hope he uses that power to quickly and 
effectively gain control over this important cyber system.
    At this point, I yield to my friend from Michigan, Mr. 
Stupak, the acting ranking member for this morning's hearing.
    Mr. Stupak. Thanks, Mr. Chairman, and thanks for holding 
this important hearing.
    Yesterday, I was prepared to give an opening statement 
regarding cyber security at the Department of Energy, but after 
reading the New York Times yesterday, I was forced to 
substantially change my statement.
    I'm very concerned that the Department of Energy has no 
idea what happened to two hard drives containing classified 
information about our nuclear weapons program. According to the 
New York Times, the hard drives contained detailed 
specifications about U.S. and Russian nuclear weapons. However, 
what is more concerning is the laissez-faire attitude Los 
Alamos National Laboratory and the Department of Energy have 
displayed in trying to ascertain what happened to highly 
classified information.
    In the article, a senior Energy official is quoted as 
saying, ``In my opinion, it's premature to call this a security 
breach.'' Well, I, for one, think it is a security breach and 
has definitely been breached and no one can say what has 
happened to the hard drives, who had control of the hard drives 
or who last had access to them.
    I have to tell you, in my hometown of Menominee, Michigan, 
if I want to check out a library book at the Menominee Public 
Library, you have to have a library card and they make a record 
if you remove the book; and if you keep the book too long, they 
send you a notice asking you to return it. Eventually, they 
charge you late fine. Most Americans would find it hard to 
believe that Menominee Public Library has a more sophisticated 
tracking system for ``Winnie the Pooh'' than Los Alamos has for 
highly classified nuclear weapons data. That is exactly the 
situation we're faced with.
    Mr. Curran, the Director of the Department's 
Counterintelligence Office, is quoted as saying, ``At this 
point, there is no evidence that suggests espionage is involved 
in this incident.''
    How are we going to find out? Does Mr. Curran expect 
someone from Baghdad or Beijing to call them next year and ask 
for a software update?
    We need to get the answers from the witnesses on a number 
of issues. Why did it take Los Alamos National Laboratory 3 
weeks to alert the Department of Energy that the hard drives 
were missing? How were these hard drives and computers stored? 
A couple of months ago the State Department lost highly 
classified information on nuclear weapons. Now Los Alamos has 
misplaced highly classified information. This is not a joke. 
We're talking about highly classified nuclear weapons data.
    I have been a critic of the lack of security at our nuclear 
weapons laboratory at Lawrence Livermore, Los Alamos and other 
facilities. Other members have come to me and asked me to tone 
it down; I will once the national labs take the security 
breaches seriously. I believe it's time to take--make security 
at our national labs a military priority and not a civilian 
afterthought.
    Mr. Chairman, we need answers and we need results. While I 
understand the witnesses are prepared to discuss cyber security 
at the Department of Energy, I intend to ask questions about 
the latest loss of our Nation's nuclear secrets, and I hope I 
will get some answers to my questions today.
    Thank you, Mr. Chairman.
    Mr. Upton. I recognize Mr. Bliley for an opening statement.
    Chairman Bliley. Thank you, Mr. Chairman.
    Since allegations of spying at Los Alamos first surfaced 
early last year, this committee and the American public have 
been subject to a steady stream of press releases, action 
plans, tough talk and photo ops from Secretary Richardson and 
senior DOE officials, designed to show a commitment to security 
at the Department of Energy. They have crisscrossed the 
country, making lots of visits to the nuclear weapons labs, 
demanding reforms and upgrades to security systems, 
particularly computer systems; and we've been told that the 
Department's contractors have, ``gotten the message,'' ``zero 
tolerance,'' for poor security.
    I certainly don't mean to belittle these efforts because 
they have had some positive effect, particularly when combined 
with this committee's aggressive oversight and the bright media 
spotlight. But despite the travels and television appearances, 
the Secretary apparently hasn't checked his own headquarters 
office. Effective leadership requires making sure your own 
house is in order when demanding others clean up theirs. Today, 
we are witnessing nothing less than a failure of leadership.
    A recent internal inspection by the Department's 
independent cyber security team, prompted by Congresswoman 
Wilson's request during our last oversight hearing on this 
matter, has revealed real flaws in the cyber security program 
at the Department's own headquarters that should have been 
corrected a long time ago. Indeed, the Department knew about 
many of these flaws for some time before this latest inspection 
occurred yet failed to fix them. That doesn't seem like zero 
tolerance to me, and it highlights serious management failures.
    Indeed, one of the key findings in this report is that the 
Department, in executing its cyber security program at 
headquarters, has ignored the most basic principle of computer 
security, that a network is only as strong as its weakest link. 
Individual DOE program offices essentially set their own rules 
on security, which results in real differences in levels of 
security. This situation puts the entire DOE network, which 
contains a large amount of sensitive information, at serious 
risk of compromise or misuse.
    Whatever the DOE spin on this is, there can be little doubt 
that the latest audit of cyber security is a terrible 
embarrassment to the Department and to the administration. How 
could such a situation exist at DOE if security is really a top 
priority?
    The audit report concludes by stating that senior 
management attention is needed to fix the problems plaguing the 
Department's cyber security system. I am not sure how much more 
senior we can get than the Secretary, who supposedly has been 
focused on security at least since the spy scandal erupted over 
a year ago. I think it is time he and the rest of the 
Department focused equal attention on eliminating risks closer 
to home.
    Finally, I just want to say a word about the recent 
revelations of missing classified data from Los Alamos. It is 
alarming that, despite the alleged focus on security over the 
last year, it appears the Department of Energy and its labs 
still have a long way to go before the American public can or 
should feel confident that our nuclear secrets are safe in 
their hands. Several months ago, I requested the General 
Accounting Office conduct an investigation into whether DOE and 
its labs have proper procedures in place to control and account 
for their classified documents and electronic media. The latest 
news from Los Alamos suggests that, whether or not this missing 
data is eventually recovered, the answer is no.
    Thank you, Mr. Chairman.
    Mr. Upton. Thank you, Mr. Chairman.
    Mrs. Wilson.
    Mrs. Wilson. I ask unanimous consent to be allowed to sit 
in on this hearing of the Oversight and Investigations 
Subcommittee.
    Mr. Upton. Without objection, so ruled.
    Would the gentlelady like to make an opening statement?
    Mrs. Wilson. Yes, Mr. Chairman, I would.
    Thank you, Mr. Chairman, for letting me sit in on this 
subcommittee hearing. I am not normally on the Subcommittee on 
Oversight and Investigations. I have a particular interest and 
concern on the issue of cyber security at our national 
laboratories.
    In fact, this hearing and the testimony that we're going to 
hear today is the result of an inquiry that I made at a 
previous hearing about security at DOE headquarters. Because as 
all of us know, a system is only as strong as its weakest wall. 
And if we focus only on cyber security of systems out on the 
periphery of the Department of Energy and not those at DOE 
headquarters, we haven't strengthened the security system in 
the Department of Energy.
    I understand that we will hear testimony today about cyber 
security at the headquarters of the Department of Energy on its 
unclassified systems. That inquiry parallels those that have 
previously been made at the outer rings of the Department of 
Energy, including at our national labs. We do not yet know how 
secure the classified systems are at DOE headquarters, but the 
preliminary reports that I have seen about the testimony we're 
going to hear today are troubling. It means that Department of 
Energy has been out looking at all of its contractors and 
subcontractors, and at the periphery of its organization, being 
critical, and rightly critical, while it didn't have its own 
house in order.
    General Habiger, you and I were trained in some of the same 
places, with similar kinds of ethics and values, and I think 
both of us believe in leadership by example. And I am glad that 
you're now looking at the Department of Energy headquarters and 
trying to lead by example. But I am a little sorry that it took 
this kind of prodding to get the Department of Energy to do so.
    With respect to information systems and cyber security and 
computer security, all of us know that it must be systemic. It 
is by its nature systemic, and computer security has to be 
looked at as a whole and not just in pieces. I suspect that is 
one of the problems at the Department of Energy. Every little 
fiefdom within the Department of Energy runs its own show, and 
part of it is weak.
    I do want to say something, just briefly, about the reports 
yesterday from Los Alamos National Laboratory. Folks from Los 
Alamos came to my office yesterday to give me preliminary 
information about the loss of classified data at Los Alamos 
National Laboratory, and I find it deeply troubling. We don't 
yet know a lot about what happened, and I support the ongoing 
investigation to find out.
    I have also requested that the Intelligence Committee, on 
which I sit, hold an immediate classified briefing on what was 
lost and what we know at this point.
    There are a number of questions that I still have. They're 
inappropriate to ask in an unclassified forum, and I will be 
asking those questions in the House Permanent Select Committee 
on Intelligence as early as this week.
    There is one thing, though, that this most recent incident 
underscores for me, and that is the need to move forward 
rapidly with the implementation of the NNSA and the 
confirmation of General John Gordon to lead it. At the moment, 
the nuclear weapons complex in this country is in a state of 
limbo, of neither being part of the Department of Energy nor 
having a real head of its own. That is unsustainable if we want 
that organization to move forward, to improve security at our 
national labs and our nuclear weapons complex, and to come up 
with a concerted plan for the future.
    Thank you, Mr. Chairman.
    Mr. Upton. Thank you. Well, gentlemen, as you know, as you 
have testified before, we have a long-standing tradition of 
taking testimony under oath before this subcommittee. Do you 
have any objection to that?
    Voices. No.
    Mr. Upton. And committee rules allow you to be represented 
by counsel if you wish such. Do you desire to have counsel 
representation?
    Voices. No, sir.
    Mr. Upton. In that case, if you would now stand and raise 
your right hands.
    [Witnesses sworn.]
    You are now under oath, and as you heard at the beginning, 
I guess we're going to allow you to take a little extra time in 
delivering your testimony.
    Mr. Podonsky, we'll start with you. Welcome back.

TESTIMONY OF GLENN S. PODONSKY, DIRECTOR, OFFICE OF INDEPENDENT 
OVERSIGHT AND PERFORMANCE ASSURANCE, ACCOMPANIED BY BRADLEY A. 
 PETERSON, OFFICE OF CYBER SECURITY AND SPECIAL REVIEWS, U.S. 
                      DEPARTMENT OF ENERGY

    Mr. Podonsky. Thank you, Mr. Chairman. I appreciate the 
opportunity to----
    Mr. Upton. If you could just pull the mike a little bit 
closer, that would be terrific.
    Mr. Podonsky. I appreciate the opportunity, Mr. Chairman, 
to appear before this committee to discuss our April inspection 
of unclassified cyber security systems at the DOE headquarters.
    As you know, the Office of Independent Oversight and 
Performance Assurance provides the Secretary of Energy with an 
independent view of the effectiveness of safeguards and 
security, emergency management, and cyber security policies and 
programs throughout the DOE complex. With me this morning is 
Mr. Brad Peterson, the head of my cyber security office.
    In the past, DOE sites often focused on making information 
easily available and computer systems easy to use, which 
frequently led to cyber security receiving a low priority. 
Also, DOE policy was not always followed, which allowed 
implementation of computer systems in ways that did not provide 
for effective security.
    Particularly disturbing to us was the situation in 1994 at 
Los Alamos when my office pointed out that the classified 
network had connections to the unclassified network, posing the 
risk that an authorized user could download large quantities of 
classified information to an unclassified computer with little 
chance of detection.
    Over the past 15 years, the DOE headquarters has often 
received less than satisfactory ratings in many areas, 
including cyber security. Until Secretary Richardson's 
involvement, the program offices were in some cases unwilling 
to commit resources to enhance security. Recent results, 
however, have been more positive. A number of cyber security 
upgrades and other initiatives have been completed or are under 
way.
    The results of our inspection in April indicate that 
important deficiencies still need to be addressed. Many program 
offices have cyber security programs that would be considered 
effective if they were not connected to less effective 
networks.
    Generally, the main headquarters fire wall is effective; 
however, several Web servers managed by individual program 
offices are located completely outside the fire wall boundary. 
Most were found to be vulnerable to hacking, and some have 
vulnerabilities that could allow any Internet user to gain 
system administrator-level privileges and subsequently deface 
or shut down the Web site. Headquarters has not developed 
overall cyber security procedures or minimum requirements for 
each network segment on the network.
    The fragmented management systems and practices currently 
in place are a root cause of many identified weaknesses. While 
the chief information officer has attempted to address many of 
these weaknesses, the effectiveness of these initiatives has 
been limited due to lack of real or perceived authority. This 
fragmentation results in part from weaknesses in policy, which 
does not address the unique situation at headquarters or 
establish overall responsibilities and authorities.
    My office is continually expanding its ability to conduct 
network performance testing, using tools we have acquired or 
developed. We currently have an extensive cyber security 
laboratory dedicated to testing cyber security features. We 
also conduct regular inspection of cyber security systems at 
DOE sites.
    We will conduct an inspection of the classified cyber 
security at DOE headquarters next month in conjunction with a 
comprehensive inspection of all the safeguards and security 
policies and programs at the headquarters. We also will 
continue to follow up and work closely with General Habiger's 
office as they work to clarify and enhance cyber security 
policy and guidance.
    Although much work remains, it is clear that a positive 
trend in classified cyber security has been established at the 
headquarters and that DOE headquarters has heard the wake-up 
call from the Secretary and from the congressional committees. 
Cyber security is receiving a significantly higher level of 
attention from senior management than in the years gone past, 
and we are seeing more improvements that could not have been 
made without management support and the Secretary's 
involvement.
    Finally, our independent oversight function as a direct 
report to the Secretary has a mechanism in place, a mandated 
corrective action plan, that ensures independent oversight 
findings will be addressed. With these measures, we expect the 
identified weaknesses will be corrected.
    Thank you, Mr. Chairman.
    [The prepared statement of Glenn S. Podonsky follows:]
     Prepared Statement of Glenn S. Podonsky, Director, Office of 
  Independent Oversight and Performance Assurance, U.S. Department of 
                                 Energy
    Thank you Mr. Chairman. I appreciate the opportunity to appear 
before this committee to discuss our Independent Oversight activities 
as they relate to unclassified cyber security at DOE Headquarters. The 
Office of Independent Oversight and Performance Assurance is 
responsible for providing the Secretary of Energy with an independent 
view of the effectiveness of DOE policies and programs in the areas of 
safeguards and security, emergency management, and cyber security.
    My remarks this morning will focus on the recent Independent 
Oversight inspection of unclassified cyber security systems at the DOE 
Headquarters, which was conducted in April 2000. I will also briefly 
summarize some historical perspectives to provide a background on how 
we got to where we are today. Finally, I will discuss our plans for 
upcoming inspections at DOE Headquarters, follow-up activities, and 
other initiatives.
Historical Perspectives.
    From the early days of computer networks, DOE has historically 
struggled with the area of cyber security. For a variety of reasons, 
such as the emphasis on intellectual freedom and open exchange of 
ideas, DOE sites, in the past, often focused on making information 
easily available and computer systems easy to use. This often led to 
situations in which cyber security received a lower priority than user 
convenience or operational efficiency.
    There were also instances where DOE and contractor management did 
not follow DOE policy and allowed sites to implement computer systems 
in ways that did not provide for effective security. A particularly 
disturbing example was the situation in Los Alamos in 1994 when my 
office pointed out that the classified network had connections to the 
unclassified network, which posed a risk from an insider. Using these 
connections, an authorized user could download large quantities of 
classified information to an unclassified computer with little chance 
of detection.
    During most Oversight inspections over the last 15 years, the DOE 
Headquarters has performed poorly, often receiving less than 
satisfactory ratings in many areas, including cyber security. In many 
cases, until Secretary Richardson's involvement, Headquarters program 
offices were unwilling to commit resources to enhance security or to 
implement the same requirements they imposed on the field.
    Recent results, however, have been more positive. Headquarters has 
completed a number of cyber security upgrades and has other initiatives 
underway.
    Before talking about the results of the recent Headquarters 
inspection, I would like to take a moment to share with you some of the 
techniques we use for evaluating the effectiveness of cyber security 
programs. We began to use automated tools to performance test security 
features in 1995. This use of technology was a quantum step forward and 
dramatically increased our ability to test network security. Using 
automated network scanning tools, we are able to test thousands of 
systems and all network connections and features in a period of a week. 
Previously, such an effort would have taken a year or more.
    We have continually expanded our ability to conduct performance 
tests of networks using tools that we have acquired or developed on our 
own. For example, we have software programs--referred to as ``war 
dialers''--that can test every phone line at a DOE site in a matter of 
days to determine whether unauthorized modems exist. If present, such 
modems could be located and used by hackers to bypass the firewall to 
gain access to information or destroy data.
    We currently have an extensive cyber security laboratory dedicated 
entirely to testing cyber security features. We conduct regular 
inspections of the implementation of cyber security at DOE sites. We 
have expanded our methods to include a program of unannounced 
inspections and penetration testing. Most recently, we have been 
implementing what is commonly referred to as a RED Team approach, in 
which we use a variety of techniques to perform detailed tests of a 
site's cyber security features. These tests include penetration testing 
by experts who are thoroughly familiar with the latest hacker 
techniques and methods.
    Our assembled team of inspectors, together with our cyber security 
laboratory, enables us to conduct penetration testing on par with some 
of the best known hackers. With this extensive testing capability, it 
is not surprising that we continue to find weaknesses in 
implementation. Many DOE sites recently have established their own 
programs for regular scans of their networks and tests of their 
security features. This is one of the most positive trends in DOE, 
because an ongoing, effective self-assessment program is essential to 
effective network security.
    In addition to the rigorous performance testing of systems, our 
inspections also include an evaluation of the programmatic, management 
system elements that are the essential foundation of a cyber security 
program. By looking at such elements as leadership, risk management, 
procedures and performance evaluation, we are able to identify not only 
specific technical deficiencies, but also underlying root causes, which 
must be addressed to prevent recurrence of the problems.
Summary of the April inspection of HQ unclassified cyber security 
        systems
    The results of our April Headquarters inspection of unclassified 
cyber security indicate that important deficiencies need to be 
addressed. Many program offices have cyber security programs that would 
be considered effective if evaluated on their own merits (that is, they 
would be effective if they were not connected to less effective 
networks of other organizations). Within several program offices, 
leadership and support for cyber security are good, and roles and 
responsibilities are well defined. Much of the recent improvement can 
be attributed to the attention and efforts of Secretary of Energy and 
the DOE Chief Information Officer to improve cyber security across the 
complex. The Chief Information Officer has been aggressive in creating 
policy and has taken an active role in addressing DOE-wide problems. 
The CIO has worked to strengthen cyber security within the Headquarters 
and improve the security of the network backbone and main firewall. The 
CIO has also supported the Headquarters program offices through efforts 
such as regular scanning of networks to identify vulnerabilities that 
need corrective action.
    Despite recent progress, weaknesses continue to exist in several 
important aspects of the Headquarters cyber security program. 
Weaknesses regarding the backbone switches and individual systems 
throughout the network were identified. Our testing demonstrated how a 
malicious insider could exploit these weaknesses. The results of these 
tests demonstrate the need for continued vigilance of network security.
    Generally, the main Headquarters firewall was effective. However, 
several Web servers are managed by individual program offices and are 
located completely outside the firewall boundary. Most of these servers 
were found to be vulnerable to common hacking exploits, and some 
contain vulnerabilities that could allow any Internet user to gain 
system administrator-level privileges, and subsequently deface or shut 
down the Web site. To demonstrate this possibility, we exploited one of 
the vulnerabilities and gained system administrator-level privileges to 
one of the servers. There is also some concern that the risk of 
alternate pathways into the network that could allow unauthorized 
access has not been evaluated.
    The potentially exploitable vulnerabilities in the Headquarters 
network result from a number of weaknesses in the unclassified cyber 
security program. Headquarters has not developed overall cyber security 
procedures (such as policies for modems or foreign national access) or 
procedures to establish minimum requirements for each network segment 
on the network. There is no formal process for evaluating performance 
and for self-identifying and correcting vulnerabilities in the overall 
network. Additionally, Headquarters risk assessments have not been 
rigorous.
    The fragmented management systems and practices currently in place 
are a root cause of many of the programmatic weaknesses and technical 
vulnerabilities. While the DOE Chief Information Officer has attempted 
to address many of the weaknesses associated with this fragmentation, 
we determined that the effectiveness of these initiatives has been 
limited due to the lack of real and perceived authority. This 
fragmentation results in part from weaknesses in policy, which does not 
address the unique situation at DOE Headquarters or establish overall 
responsibilities and authorities for Headquarters. The 25 individual 
LAN segments, covering 29 different program offices, have widely 
varying levels of effectiveness.
    While some program offices have established effective practices, 
others have poor configuration management practices, ineffective 
policies and procedures, and ineffective intrusion detection 
strategies. Because of the configuration of the overall network (that 
is, the logical connections among all systems with few security 
barriers between segments), the overall system is only as good as the 
weakest link. In effect, the potentially effective practices of some 
program offices are largely negated by the ineffective practices of 
other program offices.
    To summarize the results of our inspection, the increased focus on 
cyber security and the positive measures that have been implemented at 
DOE Headquarters have resulted in significant improvements in cyber 
security. However, additional improvements are needed, with particular 
emphasis on assessing and managing risk and on addressing 
vulnerabilities that can be exploited from within the internal network.
Plans for Independent Oversight Follow-up and other DOE Initiatives
    We will be performing follow-up activities to determine whether 
identified weaknesses have been addressed. Although in the early stages 
of their corrective actions.
    Headquarters personnel have been generally responsive to the 
inspection findings and have started corrective actions.
    In a related effort, we will be conducting an inspection of the 
``classified'' cyber security program at DOE Headquarters in July 2000 
in conjunction with a comprehensive inspection of Headquarters' 
safeguards and security policies and programs. Independent Oversight 
will also continue to work with the Office of Security and Emergency 
Operations as they work to clarify and enhance cyber security policy 
and guidance.
    Although much work remains, it is clear that a positive trend has 
been established at DOE Headquarters in the area of unclassified cyber 
security. While continued, close Independent Oversight attention is 
warranted, there are several reasons to be cautiously optimistic that 
this positive trend will continue. For example, it is clear that DOE 
Headquarters has heard the wake-up call from the Secretary and 
Congressional Committees. Cyber security is receiving a significantly 
higher level of attention from senior management than in the past, and 
we are seeing some improvements that could not have been made without 
management support and the Secretary's personal involvement. In 
addition, the Office of Security and Emergency Operations and the DOE 
Chief Information Officer have indicated a willingness to improve 
policies and guidance to ensure there is a clear and unambiguous basis 
for holding line management accountable for effective security. 
Finally, our Independent Oversight function, as a direct report to the 
Secretary, has a mechanism in place--the mandated corrective action 
plan--that ensures Independent Oversight findings are addressed. With 
these measures, we have reason to be optimistic that identified 
weaknesses will be corrected.
    Thank you Mr. Chairman; this concludes my comments.

    Mr. Upton. General Habiger.

 TESTIMONY OF EUGENE E. HABIGER, DIRECTOR, OFFICE OF SECURITY 
  AND EMERGENCY OPERATIONS, ACCOMPANIED BY JOHN M. GILLIGAN, 
      CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF ENERGY

    Mr. Habiger. Mr. Chairman, distinguished members of this 
subcommittee, thank you for the opportunity to appear before 
you today to testify on Mr. Podonsky's Office of Independent 
Oversight and Performance Assurance report on our headquarters. 
While not always pleasant to hear, these reviews are essential 
in our ongoing efforts to ensure that we protect our 
information systems and the information they process.
    I readily acknowledge and accept the findings of this 
review. As recognized by the review itself, we have made much 
progress in the headquarters unclassified security program over 
the past 2 years. The Office of Chief Information Officer, 
under the very capable leadership of John Gilligan, has moved 
aggressively to address DOE-wide problems to include the 
establishment of new policy governing our unclassified systems. 
At headquarters, John and his staff have made significant 
improvements in the security of the network backbone and our 
main firewall. Despite this progress, however, I acknowledge 
there is room for improvement.
    I also want to be straightforward with you and freely admit 
that over the past year our focus has been directed at our 
defense facilities and then our other large sites. As a result, 
headquarters has not received the same level of attention. This 
level of attention is directly correlated to the funds 
appropriated to us for cyber security. As part of our fiscal 
year 2000 Budget Amendment Request that I was personally 
involved with in July of last year, we asked for $35 million to 
address our cyber security needs, but were appropriated only $7 
million. With such a shortfall, some hard decisions had to be 
made.
    Mr. Chairman, I now quote from my sworn testimony of 
October 26 of last year in front of this very committee, 
``Congress has, up to this point, failed to fund the 
Department's fiscal year 2000 full budget amendment in order 
for us to make near- and long-term fixes. We have valid 
requirements in the area of cyber security to buy hardware, 
encryption equipment and to train our systems administrators. 
Simply stated, we have been given a mandate, but not the 
resources to accomplish that mandate.''
    I cannot in retrospect tell you that if we had received the 
additional $28 million we requested back in July that we would 
have no cyber security discrepancies, but I can assure you, Mr. 
Chairman, that in my judgment they would not have been of the 
same order of magnitude.
    Consequently, the headquarters unclassified cyber security 
initiatives were given lower priority in light of more pressing 
needs at our field sites. Granted, not all of the issues 
identified were the result of funding shortfalls. Where limited 
funds were not an issue, we moved quickly to take corrective 
action.
    In addition, the Deputy Secretary recently directed that 
the Office of Chief Information Officer serve as the central 
cyber security authority for the headquarters. This action 
addresses the recommendations to establish the necessary 
management structure to implement an effective cyber security 
program at our headquarters.
    Additionally, we are implementing longer-term actions to 
improve the efficiency of the cyber security program by 
adopting best security practices and a more proactive risk 
assessment program.
    I want to assure you that we are fixing the shortfalls 
identified in the independent oversight review. Headquarters 
should and will set the standard for the rest of the Department 
on how it implements security of our unclassified systems.
    Thank you, Mr. Chairman.
    [The prepared statement of Eugene E. Habiger follows:]
 Prepared Statement of Eugene E. Habiger, Director, Office of Security 
          and Emergency Operations, U.S. Department of Energy
    Mr. Chairman and distinguished members of the Subcommittee, thank 
you for the opportunity to appear before you today to testify on the 
Office of Independent Oversight and Performance Assurance's report 
entitled, ``Unclassified Cyber Security Review of Department of Energy 
Headquarters.'' While not always pleasant to hear, these reviews are 
essential in our ongoing efforts to ensure that we protect our 
information systems and the information that they process.
    I readily acknowledge and accept the findings of the Independent 
Oversight review. As recognized by the review itself, we have made much 
progress in the Headquarters unclassified cyber security program over 
the past two years. The Office of the Chief Information Officer, under 
the very capable leadership of John Gilligan, has moved aggressively to 
address DOE-wide problems to include the establishment of new policy 
governing our unclassified systems. At Headquarters, John and his staff 
have made significant improvements in the security of the network 
backbone and main firewall. Despite this progress, however, there is 
room for improvement.
    I also want to be straightforward with you and freely admit that 
over the past year our focus has been directed at our defense 
facilities and then our other large sites. This level of attention is 
directly correlated to the funds appropriated to us for cyber security. 
As part of our FY 2000 Supplemental Budget Amendment request, we asked 
for $35 million to address our cyber security needs, but were 
appropriated only $7 million. With such a shortfall, some hard 
decisions had to be made.
    Mr. Chairman, I now quote from my sworn testimony of October 26, 
1999 in front of this committee: ``. . . Congress has, up to this 
point, failed to fund the Department's FY 2000 full budget amendment in 
order to make near and long term fixes. We have valid requirements in 
the area of cyber security to buy hardware, encryption equipment and to 
train our systems administrators . . . Simply stated, we have been 
given a mandate but not the additional resources to accomplish that 
mandate.'' I cannot in retrospect tell you that had we received the 
additional $28M we requested back in July of last year, that we would 
have had no cyber security discrepancies . . . but, I can assure you 
that they would not have been of the same order of magnitude.
    Consequently, the Headquarters unclassified cyber security 
initiatives were given lower priority in light of more pressing needs 
at our field sites. Granted, not all of the issues identified were the 
result of funding shortfalls. Where limited funds were not an issue, we 
moved quickly to take corrective action. For example, the Deputy 
Secretary recently directed that the Office of the Chief Information 
Officer serve as the central cyber-security authority for Headquarters. 
This action addresses the recommendation to establish the necessary 
management structure to implement an effective cyber-security program 
at Headquarters.
    Additionally, we are implementing longer-term actions to improve 
the efficiency of the cyber security program by adopting

 best security practices, and
 a more proactive risk assessment program.
    I want to assure you that we are fixing the shortfalls identified 
in the Independent Oversight review. Headquarters should and will set 
the standard for the rest of the Department on how it implements 
security of its unclassified systems. With your permission, I would now 
like to yield to John Gilligan, the Chief Information Officer of the 
Department of Energy, to elaborate on how we are progressing on our 
Headquarters efforts.

    Mr. Upton. Mr. Gilligan.

                  TESTIMONY OF JOHN M. GILLIGAN

    Mr. Gilligan. Thank you, Mr. Chairman and distinguished 
members of the subcommittee, for the opportunity to appear 
before you today. My testimony will focus on actions we have 
taken across the Department to improve the level of cyber 
security protection in our systems and networks. I will also 
discuss the cyber security weaknesses that have been identified 
in the headquarters during the recent review by the 
Department's independent oversight organization, as well as our 
efforts to remedy these identified weaknesses.
    I am pleased to say that the state of cyber security at the 
Department of Energy is far better today than it was a year 
ago. A year ago there was clear evidence that the Department's 
cyber security efforts, in particular for our unclassified 
computer systems, had not kept pace with the rapid 
proliferation of network connection and increasing threats. Our 
policies were outdated, cyber security compromises at some 
sites led to significant work disruptions, and we did not have 
awareness of cyber security threats or adequate training of our 
work force to deal with these threats. These concerns were 
reported in congressional hearings and other forums. This was a 
painful wake-up call for the Department, but a necessary one.
    During the past year, each DOE organization has focused on 
improving awareness of cyber security threats and installing 
improved security controls. I have seen enormous progress in 
how unclassified information is protected and a significant 
increase in the awareness of cyber security issues at all 
levels within the Department. While we have worked this issue 
aggressively, cyber security is not a quick fix and more needs 
to be done. However, the security protection in the Department 
is improving rapidly, and I appreciate the opportunity to 
discuss our progress.
    Since the spring of 1999, the Secretary of Energy and I 
have emphasized the Department-wide focus on cyber security. 
The initial focus was on our defense laboratories and 
production facilities, with aggressive programs to upgrade and 
verify fixes at these facilities last summer and fall. This 
focus has subsequently been extended to all DOE sites. Over 
this period, the Department has completely restructured its 
cyber security program. Actions taken include the following:
    Creating a single Department-wide cyber security office 
under me as the Department's Chief Information Officer; 
requiring work stand-downs at all sites to conduct security 
awareness training; developing and issuing four new cyber 
security policies and two new cyber security guidelines; 
instituting a set of cyber security metrics which permit us to 
evaluate progress at each site; doubling the size and 
increasing the role of the central DOE security incident and 
early warning capability, our computer incident advisory 
capability located at Lawrence Livermore Laboratory; having 
each DOE site develop a detailed site-specific cyber security 
plan describing the implementation of cyber security protection 
at the site; deploying a number of security training programs 
Department wide to improve the security skills of our systems 
administrators and a separate training course provided to our 
line managers.
    Finally, each site has significantly upgraded its 
protection through the use of firewalls and intrusion detection 
software, stronger passwords, improved system configuration 
controls and reconfiguration of system and network connectivity 
to reduce vulnerabilities.
    In addition, the Secretary has created a proactive, 
independent security assessment organization, the Office of 
Independent Oversight and Performance Evaluation, reporting 
directly to him, to provide an independent review of security 
throughout the complex. For the past year, this independent 
oversight office has been conducting thorough reviews of cyber 
security effectiveness at DOE sites.
    As Chief Information Officer, I am a key customer of the 
products of the independent oversight reviews. I rely on these 
reviews to provide me with an objective assessment of the 
effectiveness of the cyber security at our sites and the 
effectiveness of the CIO cyber security policies. In essence, 
the independent oversight reviews provide critical feedback to 
me on how the individual sites are progressing with cyber 
security upgrades, and my staff often participates in the 
reviews.
    Since last summer the independent oversight organization 
has conducted 13 reviews. In those instances where significant 
vulnerabilities were identified, my policy staff and I have 
worked with the site and the line management organizations to 
ensure that there is rapid resolution. Action plans for fixing 
problems identified in the independent oversight reviews are 
tracked by the DOE Security Council that is chaired by the DOE 
Security Czar General Habiger.
    In cases where there are significant weaknesses identified, 
a rapid follow-up review by the independent oversight team is 
scheduled. We have done such follow-up reviews at a number of 
our facilities over the past year. These follow-up reviews 
provide me and other senior Department officials with clear 
evidence that those sites are, in fact, making rapid progress 
to remedy the identified cyber security problems.
    In April of this year, the DOE independent oversight office 
conducted a review of the headquarters unclassified cyber 
security program. This assessment included a programmatic 
review and testing of controls to prevent or limit access to 
the headquarters information network against the external 
threats, such as unauthorized system hackers, and internal 
threat, for example, Department employees.
    As you have heard from Mr. Podonsky, the review found that, 
although unclassified cyber security at headquarters has 
significantly improved in the past 2 years, there are still 
significant deficiencies that need to be addressed. In 
particular, the review found that many program offices within 
the headquarters have effective cyber security programs. 
However, because all DOE headquarters networks are 
interconnected, an office with weak security can undermine the 
otherwise effective processes and controls of the better 
managed offices. A number of individual headquarters offices 
were found to have ineffective cyber security programs.
    Weaknesses identified in the review included the following: 
A lack of headquarters-wide procedures on configuration 
management; the absence of consistent policy on external 
connections, modems and foreign national access; the lack of 
minimum cyber security requirements for each local area network 
in the headquarters; lack of a formal process to evaluate 
performance and self-identify and correct cyber security 
vulnerabilities; headquarters risks assessments had also not 
been done rigorously and had not considered the shared risks of 
the headquarters network.
    In my assessment, the root cause for most of the reported 
cyber security problems was the failure to treat the 
headquarters as an interconnected and interdependent set of 
systems and network, that is, an integrated site. This problem 
started to become apparent earlier this spring when I found 
that each office in the headquarters had produced separate 
cyber security plans as required by DOE's new unclassified 
cyber security policy. The reviews by my office of many of 
these plans indicated serious weaknesses. These were documented 
and forwarded back to the individual organizations.
    In addition, as we began to collect metrics on cyber 
security implementation, the metrics submitted from some 
headquarters offices indicated that they had significant 
weaknesses in their cyber security implementation programs. 
These findings were shared with the respective headquarters 
management, and we began evaluating approaches to improve our 
approach within the headquarters. The findings of the 
independent oversight review confirmed these earlier 
indications of problems.
    The Office of Independent Oversight has recommended 
immediate and long-term actions to address the headquarters 
cyber security issues identified in its review. I support these 
recommendations. Immediate actions include designating a single 
focal point for headquarters cyber security as well as 
establishing appropriate processes and procedures across the 
headquarters. Longer-term actions include taking steps to 
improve the efficiency of cyber security programs by adopting 
best security practices and a more proactive risk management 
program.
    Steps that are being taken to address the recommendations 
made by the Office of Independent Oversight are as follows: On 
June 8, the deputy-secretary directed the Office of the CIO to 
serve as central cyber security authority for all computers and 
networks within the Department of Energy headquarters site, and 
I have submitted that memorandum as a part of the testimony. 
This action is the necessary and important first step to begin 
to manage headquarters as a single entity and to institute 
consistent site-wide approaches for securing our computers and 
networks.
    Specifically, the CIO operations organization, headed by 
Mr. Patrick Hargett who has joined me, which currently provides 
computer and networking support to a number of headquarters 
organizations, including the Office of the Secretary, the CIO, 
Security and Emergency Operations, Management and 
Administration, the Chief Financial Officer and a number of 
other offices, will assume responsibility for all cyber 
security policies, processes and procedures for the entire 
headquarters site. These policies, processes and procedures 
will be coordinated through a headquarters cyber security 
working group that my office will form. Each headquarters 
office will also be represented on this working group and will 
be an integral part of the cyber security forum.
    In addition, my office, as the central cyber security 
authority for headquarters, will undertake the following 
efforts: develop, implement and enforce formal network 
connection policies; develop, manage, operate and enforce an 
integrated security configuration management process; develop, 
manage and implement a security self-assessment process for 
headquarters offices; and centrally manage the security of 
headquarters, the network perimeter, including all firewalls 
and be responsible for performing intrusion detection, 
vulnerability scanning and auditing on the headquarters 
information technology infrastructure.
    I have made a commitment to the Secretary that we will 
implement fixes to the significant vulnerabilities identified 
in the independent oversight review of the headquarters within 
60 days. Consistent with our practices when we find a site that 
has significant weaknesses, I have asked the Office of 
Independent Oversight to reassess the headquarters in early 
fall to verify that we have resolved the serious weaknesses 
that were identified in the April review. The Secretary has 
requested regular updates on progress to close the headquarters 
vulnerabilities.
    In summary, the cyber security program in the Department of 
Energy in June 2000 bears little resemblance to the program in 
place just a year ago. We have put updated cyber security 
policies in effect, our security training has improved the 
effectiveness of our system administrators and informed our 
management of upgraded cyber security threats, each site has 
upgraded its security controls and have improvement plans to be 
executed as resources are available, and a review and follow-up 
process using the Secretary's independent oversight function 
permits the Department to objectively assess our status.
    Although we have made great process, there is room for 
improvements. Clearly, the review of the headquarters shows 
that we have significant weaknesses that require immediate 
attention. Moreover, the Department believes that the 
headquarters must set the standard for the rest of the 
Department on how it implements security of its cyber systems. 
The Secretary and I are fully committed to ensuring that the 
headquarters is a model for the rest of the Department.
    Beyond fixing the clear weaknesses, the Department is 
moving to strengthen security in a number of areas. Current 
focus areas for improvement are eliminating the use of clear 
text reusable passwords, implementing consistent security 
architectures at each site, using automated tools to review 
firewall and intrusion detection logs to identify and then 
automatically block access from Internet sites that are 
attacking DOE sites, and automated distribution of software 
patches to make the process of patching vulnerabilities more 
rapid and reliable.
    We know that there is no silver bullet fix for cyber 
security. Success in this area will take continued focused 
efforts to deal with the increasing complexity of the threats 
and the rapid evolution of technology.
    Successes will also take resources. I note that as a part 
of the Department's fiscal year 2000 Budget Amendment request, 
we asked for additional funding to address our pressing 
security needs for our unclassified computers, but, as General 
Habiger noted, we were only appropriated a small portion of 
what was requested.
    While many of the issues identified in the review of the 
headquarters and other DOE sites are not the result of lack of 
funding, accelerating implementation of protection mechanisms 
does take additional resources.
    We look forward to continuing to work with the Congress to 
fund our important cyber security programs, and we commit to 
providing you continued visibility on our progress. Thank you.
    [The prepared statement of John M. Gilligan follows:]
Prepared Statement of John M. Gilligan, Chief Information Officer, U.S. 
                          Department of Energy
                              introduction
    Thank you Mr. Chairman and distinguished members of the Committee 
for the opportunity to appear before you today. My testimony will focus 
on actions we have taken across the Department to improve the level of 
cyber security protection in our systems and networks. I will also 
discuss the cyber security weaknesses that have been identified in the 
Headquarters during the recent review by the Department's Independent 
Oversight organizations, as well as our efforts to remedy these 
identified weaknesses.
    I am pleased to say that the state of cyber security at the 
Department of Energy (DOE) is far better today than it was a year ago. 
A year ago, there was clear evidence that the Department's cyber 
security efforts, in particular for our unclassified computer systems, 
had not kept pace with the rapid proliferation of network connections 
and increasing threats. Our policies were outdated, cyber security 
compromises at some sites led to significant work disruptions, and we 
did not have awareness of cyber security threats or adequate training 
of our workforce to deal with these threats. These concerns were 
reported in congressional hearings and other forums. This was a painful 
wake-up call for the Department, but a necessary one.
    During the past year, each DOE organization has focused on 
improving awareness of cyber security threats and installing improved 
security controls. I have seen enormous progress in how unclassified 
information is protected and a significant increase in awareness of 
cyber security issues at all levels within the Department. While we 
have worked this issue aggressively, cyber security is not a quick fix 
and more needs to be done. However, the security protection in the 
Department is improving rapidly, and I appreciate the opportunity to 
discuss our progress.
    Since the spring of 1999, the Secretary of Energy and I have 
emphasized a Department-wide focus on cyber security. The initial focus 
was on our Defense laboratories and production facilities with 
aggressive programs to upgrade and verify fixes at these facilities 
last summer and fall. This focus has subsequently been extended to all 
DOE sites. Over this period, the Department completely restructured its 
cyber security program. Actions taken include the following:

 Creating a single, Department-wide Cyber Security Office under 
        me as the Department's Chief Information Officer.
 Requiring work ``stand downs'' at all sites to conduct 
        security awareness training.
 Developing and issuing four new cyber security policies and 
        two new cyber security guidelines.
 Instituting a set of cyber security metrics which permit us to 
        evaluate progress at each site.
 Doubling the size and increasing the role of the central DOE 
        security incident and early warning capability, our Computer 
        Incident Advisory Capability (CIAC) located at Lawrence 
        Livermore Laboratory.
 Having each DOE site develop a detailed, site-specific cyber 
        security plan describing the implementation of cyber security 
        protection at the site.
 Deploying a cyber security training program Department-wide to 
        improve the security skills of our Systems Administrators and a 
        separate training course provided to line managers.
 Finally, each site has significantly upgraded its protection 
        through the use of firewalls and intrusion detection software, 
        stronger passwords, improved system configuration controls, and 
        reconfiguration of system and network connectivity to reduce 
        vulnerabilities.
    In addition, the Secretary created a proactive independent security 
assessment organization, the Office of Independent Oversight and 
Performance Evaluation, reporting directly to him to provide an 
independent review of security throughout the complex. For the past 
year, this Independent Oversight office has been conducting thorough 
reviews of cyber security effectiveness at DOE sites. As CIO, I am a 
key customer of the products of independent oversight reviews. I rely 
on these reviews to provide me with an objective assessment of the 
effectiveness of the cyber security at our sites and the effectiveness 
of the CIO cyber security policies. In essence, the Independent 
Oversight reviews provide critical feedback to me on how individual 
sites are progressing with cyber security upgrades, and my staff often 
participates in the reviews. Since last summer, the Independent 
Oversight organization has conducted 13 reviews. In those instances 
where significant vulnerabilities were identified, my policy staff and 
I have worked with the site and the line management organization to 
ensure that there is rapid resolution. Action plans for fixing problems 
identified in the Independent Oversight Reviews are tracked by the DOE 
Security Council that is chaired by the DOE Security Czar, General 
Habiger. In cases where there are significant weaknesses identified, a 
rapid follow-up review by the Independent Oversight team is scheduled. 
We have done such follow-up reviews at a number of our facilities over 
the past year. These follow-up reviews provide me and other senior 
Department officials with clear evidence that those sites are, in fact 
, making rapid progress to remedy the identified cyber security 
problems.
                      independent oversight review
    In April of this year, the DOE Independent Oversight office 
conducted a review of the Headquarters unclassified cyber security 
program. The assessment included a programmatic review and testing of 
controls to prevent or limit access to the Headquarters information 
network against the external threat (such as unauthorized system, i.e., 
hackers) and the internal threat (i.e., Department employees). As you 
have heard from Mr. Podonsky, the review found that, although 
unclassified cyber security at Headquarters has significantly improved 
in the past two years, there are significant deficiencies that need to 
be addressed. In particular, the review found that many program offices 
within the Headquarters have effective cyber security programs. 
However, because all DOE Headquarters networks are interconnected, an 
office with weak security can undermine the otherwise effective 
processes and controls of the better-managed offices. A number of 
individual Headquarters offices were found to have ineffective cyber 
security programs.
    Weaknesses identified in the review included the following:

 A lack of Headquarters-wide procedures on configuration 
        management;
 The absence of consistent policy on external connections, 
        modems, and foreign national access;
 The lack of minimum cyber security requirements for each Local 
        Area Network in the Headquarters;
 Lack of a formal process to evaluate performance and self-
        identify and correct cyber security vulnerabilities;
 Headquarters risk assessments had not been rigorous and had 
        not considered the shared risk of the Headquarters network.
    In my assessment the root cause for most of the reported cyber 
security problems was the failure to treat the Headquarters as an 
interconnected and interdependent set of systems and networks that is 
an integrated ``site''. This problem started to become apparent earlier 
this spring when I found that each office in the Headquarters had 
produced separate cyber security plans as required by DOE's new 
unclassified cyber security policy. The reviews by my office of many of 
these plans indicated serious weaknesses. These were documented and 
forwarded back to the individual organizations. In addition, as we 
began to collect metrics on cyber security implementation, the metrics 
submitted from some Headquarters offices indicated that they had 
significant weaknesses in their cyber security programs. These findings 
were shared with the respective Headquarters management, and we began 
evaluating approaches to improve our approach within the Headquarters. 
The findings of the Independent Oversight review confirmed these 
earlier indications of problems.
    The Office of Independent Oversight has recommended immediate and 
long-term actions to address the headquarters cyber issues identified 
in its review. I support these recommendations. Immediate actions 
included designating a single focal point for Headquarters Cyber 
Security, as well as establishing appropriate processes and procedures 
across Headquarters. Longer-term actions include taking steps to 
improve the efficiency of the cyber security program by adopting best 
practice security practices and a more proactive risk assessment 
program.
          department response to independent oversight report
    Steps that are being taken to address the recommendations made by 
the Office of Independent Oversight are as follows. On June 8, 2000, 
the Deputy Secretary directed the Office of the CIO to serve as the 
central cyber security authority for all computers and networks within 
the DOE Headquarters site (see attachment). This action is the 
necessary and important first step to begin to manage Headquarters as a 
single entity and to institute consistent site-wide approaches for 
securing our computers and networks. Specifically, the CIO Operations 
Organization, which currently provides computer and networking support 
to a number of Headquarters organizations including the Office of the 
Secretary, the CIO, Security and Emergency Operations,
    Management and Administration, the CFO and a number of other 
offices, will assume responsibility for all cyber security policies, 
processes, and procedures for the entire Headquarters site. These 
policies, processes and procedures will be coordinated through a 
Headquarters Cyber Security Working Group that my office will form. 
Each Headquarters office will be represented on this Working Group and 
will be an integral part of this cyber security forum.
    In addition, my office, as the central cyber security authority for 
the Headquarters, will undertake the following efforts:

 Develop, implement and enforce formal network connection 
        policies;
 Develop, manage, enforce and operate an integrated security 
        configuration management process;
 Develop, manage and implement a security self-assessment 
        process for Headquarters offices; and
 Centrally manage the security of the Headquarters network 
        perimeter, including all firewalls, and be responsible for 
        performing intrusion detection, vulnerability scanning and 
        auditing on the Headquarters IT infrastructure.
    I have made a commitment to the Secretary that we will implement 
fixes to the significant vulnerabilities identified in the Independent 
Oversight review of the Headquarters within sixty days. Consistent with 
our practices when we find a site that has significant weaknesses, I 
have asked the Office of Independent Oversight to reassess the 
Headquarters in early fall to verify that we have resolved the serious 
weaknesses that were identified in the April review. The Secretary has 
requested regular updates on progress to close the Headquarters 
vulnerabilities.
                               conclusion
    In summary, the cyber security program in the Department of Energy 
in June of 2000 bears little resemblance to the program in place just a 
year ago. We have put updated cyber security policies in effect; our 
security training has improved the effectiveness of our system 
administrators and informed our management of upgraded cyber security 
threats; each site has upgraded its security controls and have 
improvement plans to be executed as resources are available; and a 
review and follow-up process using the Secretary's Independent 
Oversight function permits the Department to objectively assess our 
status. Although we have made great progress, there is room for 
improvements. Clearly, the review of the Headquarters shows that we 
have significant weaknesses that require immediate attention. Moreover, 
the Department believes that the Headquarters must set the standard for 
the rest of the Department on how it implements security of cyber 
systems. The Secretary and I are fully committed to ensuring that the 
Headquarters is a model for the rest of the Department.
    Beyond fixing the clear weaknesses, the Department is moving to 
strengthen security in a number of areas. Current focus areas for 
improvement are eliminating the use of clear-text reusable passwords, 
implementing consistent security architectures at each site, using 
automated tools to review firewall and intrusion detection logs to 
identify and then automatically block access from internet sites that 
are attacking DOE sites, and automated distribution of software patches 
to make the process of patching vulnerabilities more rapid and 
reliable.
    We know that there is no silver bullet fix for cyber security. 
Success in this area will take continued and focused effort to deal 
with the increasing complexity of the threats and the rapid evolution 
of technology. Success will also take resources. I note that as a part 
of the Department's FY 2000 Supplemental request, we asked for 
additional funding to address our pressing security needs for our 
unclassified computers, but as General Habiger noted, we were only 
appropriated a small portion of what we requested. While many of the 
issues identified in the review of the Headquarters and other DOE sites 
are not the result of lack of funding, accelerating implementation of 
protections mechanisms does take additional resources. We look forward 
to continuing to work with Congress to fund our important cyber 
security programs and we commit to providing you continued visibility 
on our progress.
    Thank You.

    Mr. Upton. Thank you.
    I would just note that the House was in session and voting 
until nearly midnight last night. We also have a number of 
subcommittees that are also meeting at this time, and by 
unanimous consent I will ask that all members of the 
subcommittee will have an opportunity to enter their opening 
statement into the record.
    You will see a number of members coming in and out. We're 
going into session, I know, at 10. I don't expect votes for a 
while as we complete yet another long day today on the Labor, 
HHS appropriation bill.
    General Habiger, I know that you're prepared for some of 
the questions that we're going to have in light of the opening 
statement by Mr. Bliley, Mr. Stupak and myself with regard to 
the missing disks and the hard drives; and I happen to find it, 
as I read the morning papers this morning, fairly incredulous 
that it appears as though these disks have been missing for a 
number of weeks. Only 86 individuals had access to these disks, 
in fact; and, of those 86, only I believe 26 were allowed to 
have unescorted access to the disks.
    A number of members of this subcommittee traveled to look 
at all the labs earlier this year. We visited extensively, I 
thought, Los Alamos. We had a number of meetings with your 
staff and others before we came, terrific staff support as 
well.
    Could you describe the vault? And I don't know that we 
visited this particular vault where these were taken.
    At Los Alamos, the vault we did visit, we went through this 
long drive through these almost mountain passes and went 
through security that was very well armed and photo ID. I mean, 
it was extensive to get in. In fact, I think it took us about 
20 minutes to actually get into the vault because of the 
security. We probably spent more time going through the 
security to get into the vault than we actually spent in the 
vault. And I don't know whether that was the vault--you know 
the groundwork much better because you have been there, I'm 
sure, a number of times. Is that the vault, the one that 
actually goes into almost into the mountain where these two 
disks were taken?
    Mr. Habiger. No, sir. The vault in question is in the main 
building, technical area three, they call it.
    Mr. Upton. Is that where Wen Ho Lee's office is?
    Mr. Habiger. Yes, sir.
    There are three levels of protection before you get into 
the vault itself. I'd rather not go into the details in open 
session, but let me tell you that there are extensive security 
procedures that are in place at each level of in-depth security 
that would preclude anyone except those that are authorized to 
be in that area to gain access to the vault. The vault itself 
serves about--is relatively small, about 10 feet wide and about 
20 foot long.
    Mr. Upton. Now, as I understand it, these two disks----
    Mr. Habiger. Two hard drives.
    Mr. Upton. Two hard drives that are missing were, in fact, 
in a locked bag, is that right, inside the vault?
    Mr. Habiger. Yes, sir.
    Mr. Upton. And in fact, the bag itself was, in fact, 
compartmentalized, with locked compartments within the bag; is 
that right?
    Mr. Habiger. Yes, sir.
    Mr. Upton. The way that I understand it is, when it was 
discovered, the empty compartment was, in fact, locked; is that 
right?
    Mr. Habiger. Yes, sir.
    Let me just back up a little bit and explain the scenario.
    The fire at Los Alamos began on, as I recall, Thursday, May 
4. On the evening of May 7, Sunday, late, nearly midnight, the 
decision was made to go into the vault by two individuals who 
are authorized unescorted access into that vault to take the 
kit--the kit is a kit used by the Nuclear Emergency Search 
Team, NEST, to rapidly deploy to situations that require some 
of our Nation's best minds to look at an improvised nuclear 
device or perhaps a stolen nuclear weapon. These individuals 
pull on-call duty. We have members of our scientific community 
at both Los Alamos, Livermore and Pantex on duty, on call 24 
hours a day, 365 days a year.
    In order to ensure that that capability was still available 
to respond very rapidly, the decision was made to go into the 
vault late Sunday night as the fire began to burn out of 
control. They went into the vault, they inventoried--and you 
can inventory the hard drives by just feeling them. They're a 
little bigger than a deck of cards, about two-thirds as wide as 
a deck of cards. They could not feel the hard drives in the 
locked container.
    There are three kits. They were in kit No. 2. They 
immediately went into kit No. 3 to pull out two hard drives. 
One's the primary. The second hard drive is the backup. They 
took the two hard drives, the two containers out of kit three, 
put it in kit two and immediately evacuated the area and put 
the kit two with the kit three hard drives in a more secure--by 
secure I'm talking about safe, out of harm's way in relation to 
the fire.
    They immediately reported to other individuals on the NEST 
team that they went into the vault, they couldn't find the hard 
drives to kit two, and, as you recall, on Monday, May 8, the 
lab was shut down completely because of the life-threatening 
aspects of the fire. The lab did not come back up until Monday, 
May 22; and when the labs started back up again on Monday, May 
22, it was not all 10,000 people going back to work. It was a 
gradual buildup of activity. The first things that were looked 
at were the safety considerations.
    I will also tell you that during this entire course of the 
fire, I was in contact--along with Deputy Secretary Glauthier, 
we had people on duty 24 hours a day, and the security systems 
were up and running the entire time. Now there were certain 
situations where we had to pull guards out of certain areas and 
put them out of harm's way, but we still had a credible 
security at all of the facilities there, to include this vault.
    So the labs started up on Monday, May 22. On Wednesday, May 
24, a full-scale search was begun within the X division and 
anyplace that the NEST activity could have taken place. We were 
informed on the evening of June 1 that those hard drives were 
missing.
    Ed Curran, the Director of Counter Intelligence, 
immediately went to the FBI headquarters and informed them. 
Deputy Secretary Glauthier was in communication with Dr. Browne 
at the laboratory. On Monday, during a video teleconference 
with Dr. Browne, it was determined that Dr. Browne indicated 
that he had intensely searched the facility and could not find 
the two missing hard drives.
    At that point, Deputy Secretary Glauthier directed that I, 
with Ed Curran, go to FBI headquarters, which we did. We met at 
around noon with senior officials at the Bureau. It was 
determined that we jointly do an investigation, DOE and the 
FBI. At 8:30 that night, Monday night, I was in Los Alamos. At 
7 o'clock the next morning, we had a sizable number of FBI 
agents, about 15, 10 DOE personnel; and we started at 7 o'clock 
Tuesday morning; and we didn't finish up until nearly midnight 
that night. Our first interviews began that first day.
    I was recalled--I was actively engaged until this past 
Saturday. I was asked to come back to testify at this hearing. 
I came back Sunday, and I plan on going back tomorrow.
    Mr. Upton. When you say that there was an intensive search 
for these disks, was there an intensive search between May 8 
and May 22?
    Mr. Habiger. No, sir, because the lab was completely shut 
down. And you had to be there--and I went there--I went there 
on May 19, as I recall. I flew over the site; and I will tell 
you, sir, that it was life threatening. There was absolutely no 
activity except security and fire fighting that went on from 
that period--essentially from May 7 through May 22.
    Mr. Upton. But the individuals that had access to the 
disks, 26 folks who had unescorted access, they weren't then at 
the facility, right? They all left?
    Mr. Habiger. Yes, sir. Yes, sir. And there's no indication 
whatsoever--see, there's a log that is created based upon the 
entry procedures, again which I'd rather not go into here. A 
telephone call has to be made. That call is recorded. Passwords 
have to be given. It's an elaborate process.
    Mr. Upton. Right. But was any effort taken with the 26 
people that had access to that until the May 22? I mean, what 
I'm saying is those people weren't there, those 26 people. They 
went someplace where it was safe. You knew that the disks were 
missing since May 8. The lab was closed from May 8 to May 22. 
Those individuals who had access and actually could have 
perhaps retrieved or taken those disks went someplace where it 
was safe. Was any effort taken by the Los Alamos security folks 
to, in fact, interview any of those 26 people during the fire?
    Mr. Habiger. No, sir. The total focus during that period 
was the--saving the laboratory from destruction from the fire.
    Mr. Upton. But we knew that disks were missing before the 
fire took place.
    Mr. Habiger. Sir, there were a relatively small number of 
individuals that knew that. You will have to talk to lab 
personnel--and, again, we are trying to determine through a 
series of interviews, the FBI and Department of Energy--at last 
count over 90 interviews had been accomplished, interviews that 
last anywhere from 30 minutes to 3 hours since Tuesday of last 
week. Those interviews continue as we speak.
    Mr. Upton. Are polygraphs being used on those interviews?
    Mr. Habiger. They will be beginning tomorrow, yes, sir.
    Mr. Upton. Mr. Stupak.
    Mr. Stupak. Thank you, Mr. Chairman.
    General, you speak of kit No. 2 as having the missing hard 
drives. Is there a kit No. 1?
    Mr. Habiger. Yes, sir.
    Mr. Stupak. Is that all intact?
    Mr. Habiger. Yes, sir.
    Mr. Stupak. Okay. So the one we're talking about is kit No. 
2?
    Mr. Habiger. Absolutely.
    Mr. Stupak. Once you get into the area where the kits are 
stored, where this NEST kit is stored, aren't the keys to get 
into these bags just hanging right there on the wall?
    Mr. Habiger. Sir, there are two sets of keys. There's a set 
of keys on the wall, and there's a set of keys attached to the 
kit.
    Mr. Stupak. So once you get to the kit area you can have 
access to those kits either by taking the keys off the wall or 
ones on the kit; is that right?
    Mr. Habiger. Yes, sir.
    Mr. Stupak. And the people who are in there, there are 26 
who had to be escorted and about 60 others who did not need to 
be escorted?
    Mr. Habiger. Fifty-seven. Sixty's close enough.
    Mr. Stupak. So then when the kit--when it was discovered 
that kit No. 2 was missing the hard drives and you had the 
fire, there was no attempt to ascertain from these possibly 56, 
57 people and the other 26 people what they did with it during 
this time?
    Mr. Habiger. Sir, the access to the vault is, as I 
mentioned, very tightly controlled. Anyone who goes into the 
vault during off-duty hours has to go through this elaborate 
procedure to get into the vault where it's documented. There is 
also a log in the vault for those people who are not allowed 
unescorted access, that they have to sign in. So those 57 
individuals, whenever they went in, they'd have to sign in on a 
log. They couldn't go in by themselves. I went--when I went to 
the vault, had to sign in on a log, and I was escorted.
    Mr. Stupak. And hopefully everyone signed in, but we don't 
know if everyone signed in.
    Second, you mentioned off duty. What about regular business 
hours? Do people sign in all the time then?
    Mr. Habiger. Let me back up, sir. Those kinds of questions 
are being asked now. I have seen the logs. I can't confirm----
    Mr. Stupak. They may be asked now, but I guess the part 
that still puzzles me, why weren't they asked between May 8 and 
May 24 when the fire got under control? Why did it take almost 
2 weeks before anyone started asking the questions? These 56 
people or 26 people weren't out fighting the fire, were they? 
Certainly you had access to them. They could have asked these 
questions.
    I would think on May 8 when you're missing the kits, two 
hard drives from these computers, there'd be some concern and 
start asking questions. While you have the fire, I'm sure 
you're not out there fighting the fire. I'm sure someone would 
have at least started some investigation instead of waiting 
until June 1 to notify the FBI that everyone's returned, we 
still can't find these things. I guess that is the laissez-
faire attitude that I really have problems with.
    Mr. Habiger. Well, sir, these kinds of questions that 
you're asking are good questions. And as a result of the 
investigation, which, by the way, is a criminal investigation 
at this point, we will find the answers to these questions; and 
we will take the appropriate action. The lab director will take 
the appropriate action.
    Mr. Stupak. In the Washington Post this morning you said, 
and if I can quote you, the disks and the hard drives missing 
at Los Alamos were probably misplaced or lost rather than 
stolen. How did you reach that conclusion?
    Mr. Habiger. Sir, I'd rather not go into that in this 
session.
    Mr. Stupak. Well, you know, you talked to the Post about 
it. That is certainly in open session.
    Mr. Habiger. Yes, sir. I will stand by that statement based 
upon----
    Mr. Stupak. Was that the official line or do you have 
something to back it up? Is the official line that, well, it 
must be misplaced or lost rather than stolen or do you really 
have some proof, without getting into it, that they were, in 
fact, misplaced?
    Mr. Habiger. It's my judgment, sir, based upon my exposure 
over the past week of working nearly 15, 16 hours a day and 
being an integral part of the process.
    Mr. Stupak. Okay. Has anyone yet told you or anyone else 
that the disks were set down or misplaced and just can't 
remember where they were? Do you have any idea who was the last 
person who had access to this kit No. 2?
    Mr. Habiger. Sir, there's no requirement to inventory the 
disks. As a matter of fact, because of changes in security 
policies across the entire government, there's very little 
requirement to inventory classified material.
    Mr. Stupak. So if I get in the vault, I take kit No. 2, I 
don't have to sign out--don't have to sign it out or anything?
    Mr. Habiger. No, sir.
    Mr. Stupak. So my library book in Menominee is more secure 
than these disks once I get access, get my hands on it?
    Mr. Habiger. Sir, the individuals who have access to those 
kits are dedicated, loyal Americans.
    Mr. Stupak. I don't dispute that, but you can't dispute we 
have two of them missing.
    Mr. Habiger. Yes, sir.
    Mr. Stupak. You can't dispute that when they took them out 
there's no procedure in place to identify even who took them 
out. Once you get to the magic ring, you take the magic ring 
and you leave, and there's no check-out of that.
    Mr. Habiger. But you have to get to the magic ring.
    Mr. Stupak. Right. It sounds like it wasn't too difficult, 
if you have about 80 or 90----
    Mr. Habiger. There are 26 people who had access, 
uncontrolled access, unescorted access.
    Mr. Stupak. Okay--26 unescorted access, and then another 56 
or 57 who would have to be escorted. And I guess our concern 
is, if it's 26 who have unescorted and if they're missing the--
May 7 or May 8 and they come back May 24, because they were 
good people, no one thought it was necessary to check with 
those 26 what happened in the interim?
    Mr. Habiger. No, sir. I think it was a focus on a 
catastrophic event that was occurring, that many people's lives 
were at risk.
    Mr. Stupak. I don't disagree with that, but do you think it 
was a mistake not to at least begin an investigation to try to 
figure out where they were, if someone honestly misplaced them 
we could get them back here, so you wouldn't be back here 
answering my questions?
    Mr. Habiger. Sir, that is one of my questions that we'll 
have answered as a result of our investigation.
    Mr. Stupak. General, last May, Secretary Richardson said 
there was a, ``zero tolerance security policy.'' He said, ``no 
security infractions are acceptable, and penalties would be 
strengthened.'' These would include, ``verified unintentional 
or reckless breaches that create a significant risk of a 
national security compromise or that displays a wilful 
disregard for security procedures.'' That was May 11, 1999. Is 
that policy still in place today?
    Mr. Habiger. It certainly is, sir.
    Mr. Stupak. Is what happened at Los Alamos with kit No. 2 a 
security infraction or is it an oversight by a scientist? At a 
minimum, you would have to agree the information has left its 
proper secured location, has it not?
    Mr. Habiger. Sir, I will tell you that when we find the 
answer to the question as to who was responsible, I guarantee 
you that that individual will be dealt with appropriately under 
the Secretary's very aggressive policy of zero tolerance.
    Mr. Stupak. You would agree with me at a minimum right now 
we have information that has left its proper secured location, 
it left the vault, that hard drive, kit No. 2, correct?
    Mr. Habiger. Yes, sir; and what we're trying to find out is 
how that happened and where those hard drives are today.
    Mr. Stupak. Now in the same area--that is the same place 
where Wen Ho Lee worked, and he's not been charged with 
espionage but security breaches involving weapons information, 
and he's been in solitary confinement in a Federal prison for 
many months. It appears from the public statements being made 
by DOE officials that they're already trying to say that this 
situation is somehow different, someone just lost the 
information. Is that how a zero tolerance policy is to be 
enforced?
    Mr. Habiger. Congressman Stupak, we don't know. We've been 
at this for 7 days. I'd like to think that the aggressive 
action of both the Federal Bureau of Investigation and 
Department of Energy will get us some answers soon. Frankly, 
the polygraphs, being the next step, will allow us to do that.
    Mr. Stupak. Sure, I hope we do get to the bottom of it, but 
I guess it's a little bit like I've been hammering away for the 
last couple of years. I've been on this subcommittee now for 6 
years. There seems to be this attitude or atmosphere at our 
labs that things happen, you know. And we try to get some 
answers, and we'll come back and report to Congress. But we 
really don't see anything changing. When we say in May 1999 
there's zero tolerance and we come back to a situation like 
this--and I don't know how you can say this is any different 
than May 1999. It should be zero tolerance. Someone lost the 
information.
    Mr. Habiger. Sir, and as soon as we find out who lost the 
information, who misplaced the information, you can--I can 
guarantee you that very swift, appropriate action will be 
taken.
    Mr. Stupak. Thank you for the extra time, Mr. Chairman.
    Mr. Upton. You're welcome.
    Mr. Bryant.
    Mr. Bryant. Thank you, Mr. Chairman.
    I apologize to the panel for being late, but we had, as the 
Chairman said, other commitments. So I haven't had the benefit 
of hearing all your statements. I have looked through some of 
the statements. I do, like my colleague from Michigan, both 
colleagues from Michigan, the Chairman and Mr. Stupak, have 
concern here.
    It is much like when your house gets broken into, the 
police officers come out and say, well, you know, we're going 
to find out what happened here, and we are going to work long 
and hard hours to get there, and if we catch them we're going 
to punish them severely. Given the nature of what's been 
missing here, it's not a burglary of a home; and given the 
nature of the zero tolerance policy and given the nature of the 
history of who we're talking about here, it is very 
disappointing to hear those same things: Well, we're going to 
find out what happened, and we're working hard to do it right 
now, 16 hours a day, and when we get them we're really going to 
punish them.
    But I think maybe, General, one of things you said struck 
me, and it may be an example of this attitude that my friend, 
Mr. Stupak, refers to. I think you start with the presumption, 
and that's the key word, the presumption that because we've got 
good dedicated Americans there, there's an answer. Rather than 
the presumption that there's been a criminal activity, or 
something very important is missing, and we better really get 
going here very quickly. I think that's the example, is the 
investigation, which anybody that knows, any basic 
investigatory techniques knows you don't wait 3 weeks to start 
an investigation after a crime such as this occurs. You get 
right on it. And I realize there were exigent circumstances 
involved here, but it just seems to me to have delayed the 
actual investigation questioning of all those people that had 
access to this room should not have occurred.
    I don't know that it was necessary at your level that this 
occurred, this decision was made, but at some level of security 
at Los Alamos, that that decision was made that, it's probably, 
``somebody's got it home or using it at home or something like 
that,'' and that may not have been proper, but the presumption, 
or the assumption, was there's a good reason out there. 
Somebody's got it, rather than it could have been taken--it 
could have been stolen. Somebody could have taken it out, had 
access.
    Again, I think it's the mindset that because these people 
are good, dedicated Americans who work hard out there, that 
somebody could not commit a criminal act. Therefore some 2 to 3 
weeks we had a delay in the investigation which, if somebody 
has wrongfully taken it out, it could be no telling where now. 
We might get that person eventually, and punish them, but this 
country has lost something very important. Let me go back if I 
could, Mr. Podonsky, to questions.
    In your report, you recommend that the department consider 
mandating a standdown at all external Web service until 
significant vulnerabilities are identified or clarified during 
the inspection that occurred during your inspection and a 
correction is made to these. Why did you recommend this 
standdown, and has that been done by the Department of Energy?
    Mr. Podonsky. First of all, we put that recommendation in 
what we call our opportunities for improvement as the feedback 
loop to provide the office that we're inspecting, or the Office 
of Responsibility, to consider that which would be John 
Gilligan's office. In Mr. Gilligan's corrective actions plan, 
it does not appear that they are planning to do a standdown. 
They have other solutions that they have in mind to address the 
issue that we have identified. We recommended the standdown, 
getting to the first point of your question, because we felt 
that until they can do their risk assessment, we would not know 
what vulnerabilities existed.
    Mr. Bryant. But you have made recommendations in the 
report, I'm looking here at a question that says--this is kind 
of skipping on down--six further cyber security enhancements 
were announced in May 1999 by the Secretary, that they were 
transferred informally to the management and may have resulted 
in confusion and lack of implementation. What does that mean to 
you? What do you know about that?
    Mr. Podonsky. Well, the six further enhancements, there was 
a nine-point plan, the TriLab nine-point plan from the results 
of last spring. In addition to the nine-point plan, there were 
six enhancements that the Secretary put out. Those enhancements 
were not put out as a policy. They were put out in memorandum 
form. We took that from an inspection standpoint to mean that 
they should be followed and should be further memorialized into 
policy. Mr. Gilligan's office, during last summer, was looking 
into that and memorializing those things. We felt that the same 
thing we were doing in looking at it out at the sites and field 
should be applicable at the headquarters as well.
    Mr. Bryant. There was an issue also about Web pages, some 
of the Web pages being inside the security wall and some being 
outside. Are you familiar with that issue?
    Mr. Podonsky. Yes. I am. Let me ask my office director for 
cyber security to address that.
    Mr. Peterson. That also really relates to your first 
question on the standdown--that relates to your first question 
on the standdown. The recommendation was to standdown the 
headquarter's Web servers located out of what's referred to as 
the DMZ or the screen subnet. Those we found to have 
significant vulnerabilities that could either result in a Web 
defacement or somebody taking over those systems and using them 
to illicitly attack another Internet entity, and our 
recommendation was then to do a standdown. We thought it would 
take a day or two to fix those and then put them back on line 
securely.
    Mr. Bryant. What is the date of your report that recommends 
the standdown? When did you recommend that?
    Mr. Peterson. Our initial draft report went out the last 
week in April.
    Mr. Bryant. Let me go over to Mr. Gilligan. Could you 
respond to some of these issues, especially some of the 
recommendations, the implementation of the policy from DOE on 
those six additional points? Could you just respond in general 
to those?
    Mr. Gilligan. Yes, sir, I would be happy to do that. First 
let me address the Web pages. As the report accurately points 
out, we have a subset of the Web pages that are supported by 
headquarters organizations that are in the highly protected 
enclave we call a screen subnetwork. They've been there for the 
past year. Those are viewed as being very secure.
    There is another set of Web pages that are supported by 
individual organizations. They are managed by those individual 
organizations and some of them were found to have significant 
weaknesses. The recommendation of the independent oversight 
organization was that a rapid remedy was to standdown, that is, 
take the Web pages off the Internet and to fix them, that is, 
fix them individually. The recommendation that I provided to 
the Deputy Secretary and the Secretary was not to continue to 
manage these as separate entities, but to move all of the Web 
pages within the headquarters into this protected area, the 
screen subnetwork that was found by the independent oversight 
penetration team to be extremely well protected.
    Mr. Bryant. Has that been done?
    Mr. Gilligan. That is in the process of being done at 
present that consists of moving the software, moving, in some 
cases, the physical computers into the screen subnetwork in 
order to ensure they are adequately protected. My judgment was 
that the standdown was not an immediate action. It was 
warranted because the vulnerability that exists within the 
headquarters as a result of these Web pages is relatively 
minor. The threat to the headquarters is that these Web pages 
could be defaced, which is an embarrassment. There is no loss 
of operational ability as a result of a Web page not operating.
    The other potential vulnerability is that a Web page, or 
any computer, could be used as a platform for attacking other 
sites, and in this case, attacking sites outside the Department 
of Energy, because the Department of Energy's computers are 
well protected from our Web sites, that is, there is no trust 
relationship. So we made the decision to rapidly move these Web 
pages into the screen subnetwork in order to provide the 
security that I felt was a better solution.
    Addressing the second issue which you raised, which was the 
six further enhancements. The six further enhancements were 
published by the Secretary with something I contributed to last 
summer. We have, in fact, embodied those six further 
enhancements in our policies. The recommendation of the 
Independent Oversight Group was that perhaps additional policy 
is needed in order to ensure that all sites clearly understand 
what is to be implemented in these six further enhancements.
    Six further enhancements discuss things like providing 
configuration control of all computers, providing scanning of 
the networks, reviewing audit logs and conducting regular 
audits. All of those requirements are, in fact, codified in our 
policies. It is the view of my office that rather than change 
and add to the policies, what we need is guidelines, that is, 
how to implement the policies on these six further 
enhancements, again, that are covered in our policies so that 
there is no ambiguity and we are moving forward to implement 
that.
    Mr. Bryant. Mr. Chairman, my time is finished. Before I 
conclude my statement, I would like to ask unanimous consent to 
add a White House release with regards to the memorandum from 
the heads of executive departments and agencies and the subject 
is action by Federal agencies to safeguard against Internet 
attacks. It's dated March 3, 2000.
    Mr. Upton. Without objection.
    [The memo appears on pg. 46.]
    Mr. Upton. The Chair would note that we have two votes on 
the floor, and I will ask Ms. DeGette whether she would prefer 
now using 5 minutes or come back after the two votes.
    Ms. DeGette. Mr. Chairman, I might as well ask my questions 
now. We still have over 10 minutes. Thank you. Thank you, Mr. 
Chairman.
    General, I would like to follow up on some questions Mr. 
Stupak was asking you. I guess we're all glad that you're 
investigating the situation, but given the fact that you 
discovered the disks missing on May 7, and no one was really 
told until May 22, and now there's an investigation, I guess 
I'm wondering what is your timeframe at this point for 
completing the work you're doing?
    Mr. Habiger. Let me back up, if I may, and tell you--and 
this relates to Congressman Bryant's question about the 
timelines between the evening May 7 when the hard drives were 
discovered missing, and the evening of June 1 when I was 
notified--or we were notified at DOE headquarters. That is not 
a good scenario. Someone should have informed us much earlier 
on in the process.
    Ms. DeGette. I agree, like maybe May 7 or early on May 8, 
but that's not my question.
    Mr. Habiger. I want you to know here you had a situation 
where you had the lab on the verge of burning down.
    Ms. DeGette. Sir, I understand. I understand what your 
explanation is for why there was no notification, but my 
question is, what is your timeframe now for completing the work 
that you are doing to figure out what happened and how to avoid 
it in the future?
    Mr. Habiger. At this point, the FBI is now in the lead for 
the investigation.
    Ms. DeGette. We're glad about that, too, but what is their 
timeframe?
    Mr. Habiger. Ma'am, I was called back to take part in this 
hearing. They begin polygraph examinations beginning tomorrow. 
They are moving very, very aggressively. I cannot give you an 
end date.
    Ms. DeGette. Mr. Chairman, I would just make a request that 
this committee would consider another oversight hearing in 30 
days just to examine the progress. This is such a serious 
national issue, I think that we should keep monitoring.
    Mr. Upton. You're right.
    Ms. DeGette. Thank you, Mr. Chairman.
    Let me ask you a few more questions. I understand the fire 
was there when these drives were discovered missing. Where were 
the kit 2 and the kit 3 hard drives stored during the fire? 
Where were those stored?
    Mr. Habiger. They were stored in another technical area in 
a very secure vault.
    Ms. DeGette. At the Los Alamos site?
    Mr. Habiger. Yes.
    Ms. DeGette. And out of risk of fire?
    Mr. Habiger. Yes, ma'am.
    Ms. DeGette. You had said that it was chaotic because of 
the fire, and that's why your office wasn't informed. Was the 
lab director informed at that time?
    Mr. Habiger. No, ma'am. I cannot--I've got some information 
third-hand, but I don't think Dr. Browne was informed until 
toward the end of the period, the very end of the period.
    Ms. DeGette. Until close to May 22 or June 1?
    Mr. Habiger. After that just a few days before June 1.
    Ms. DeGette. Do you have any sense why that happened?
    Mr. Habiger. No, ma'am. I would defer to Dr. Browne.
    Ms. DeGette. Was Mr. Curran--DOE's counterintelligence 
specialist informed?
    Mr. Habiger. No, ma'am.
    Ms. DeGette. Who, if anyone, was informed?
    Mr. Habiger. On the evening of June 1 is when we first 
discovered that there was a problem.
    Ms. DeGette. To your knowledge, between May 7 and June 1, 
no one higher up was informed?
    Mr. Habiger. That's absolutely correct.
    Ms. DeGette. Is what you were investigating why that 
happened?
    Mr. Habiger. The primary concern is to get this classified 
data back.
    Ms. DeGette. I would agree, but in my experience, when 
you've got classified data in the form of disks and it's gone 
from May 7 until June 1, it's going to make the job of getting 
that data back much more difficult. Would you not agree?
    Mr. Habiger. I couldn't agree more.
    Ms. DeGette. So therefore, it would seem to me that a 
second, and almost equally high priority would be trying to 
determine why the gap, the almost month--the 3-week gap, 
occurred because in the future, if you have gaps like this, it 
would make it virtually impossible to get data back, correct?
    Mr. Habiger. I would put the priorities getting the 
information back, finding out who was responsible for that 
data, or those hard drives being put in a place where they 
shouldn't have been. And then the third priority is your area 
that you're getting into now.
    Ms. DeGette. General, there is a clear protocol in place 
that required contractors like the University of California and 
program offices to inform your office immediately when this 
type of classified information is missing, correct?
    Mr. Habiger. Within 8 hours.
    Ms. DeGette. Within 8 hours. And have you ever been 
informed of these kinds of breaches in the past?
    Mr. Habiger. Yes.
    Ms. DeGette. Was it done within 8 hours?
    Mr. Habiger. Yes.
    Ms. DeGette. Do you think this is just a one-shot situation 
or do you think there is a bigger problem?
    Mr. Habiger. At this point I don't know because the focus, 
as I said, has been where are the hard drives, who is 
responsible. The process will take its turn and we'll take the 
appropriate action. The lab director will take the appropriate 
action.
    Ms. DeGette. Mr. Podonsky, do you have any views on that 
issue?
    Mr. Podonsky. We have not been involved in this 
investigation, so to answer the question, we have no--we don't 
have any more information than what you've heard this morning.
    Ms. DeGette. Now, we've heard that Mr. Curran has told the 
press that there's no evidence that this is espionage, and 
someone else said the disks are just lost. Do we have any 
evidence that this is not espionage or theft for money?
    Mr. Habiger. Ma'am, before you came in, I covered that in a 
very generic sense, and this is not the forum to get into it, 
but looking at what we know at this point, it does not appear, 
as Mr. Curran pointed out, to be espionage.
    Ms. DeGette. I assume you would want to treat this as a 
potential case of espionage.
    Mr. Habiger. That's correct. I'm not speaking for the 
Federal Bureau of Investigation, but that's how the case would 
be characterized by them.
    Ms. DeGette. Thank you. Thank you, Mr. Chairman.
    Mr. Upton. The Chair would note there are at least two 
votes on the House floor. We'll recess until 10:50.
    [Brief recess.]
    Mr. Upton. We do not expect votes for an hour or 2, so 
we'll be done by then, I hope.
    Mr. Burr is recognized for questions.
    Mr. Burr. Thank you, Mr. Chairman. General, welcome again.
    Mr. Habiger. Good to see you again, sir.
    Mr. Burr. Glenn, we always welcome you back. I'm hopeful 
there's a point where maybe we're not sending you out to do 
evaluations, that, in fact, we're confident on the process that 
we've got. Clearly with the news cycle in the last 24 hours, 
there are some questions that I've got to ask about that 
probably would be better directed at the General. And I'll try 
to get refocused back on the DOE headquarters issue.
    General, it's been stated that there was a date that they 
knew that these drives still existed in a secure vault. Was 
that April 7?
    Mr. Habiger. On April 7, sir, there was an inventory by 
members of the team, the NEST team, in which the individual who 
conducted the inventory has indicated that he saw the disk. 
Another inventory was conducted on April 27, and the individual 
at that time, a different individual, didn't actually see the 
disks. His statement was along the lines, if the disks were not 
there, it would have created a very aggressive reaction. So he 
remembers doing the inventory, but he doesn't remember actually 
seeing the disks.
    Mr. Burr. Without getting into specifics about what were on 
these disks, we know they were related to NEST scenarios. Is 
there any reason to believe that an individual at the facility 
would have needed access to that particular disk for purposes 
of something they were working on?
    Mr. Habiger. From the information I've been exposed to in a 
relatively short period of time, those disks were taken out 
from time to time to be updated with more current information, 
and they were taken out by certified people for training 
purposes.
    Mr. Burr. When I was at Los Alamos, we didn't visit that 
particular vault. We did do several vaults. We also did a 
reference room or library room and the security was extremely 
tight, even for us to enter. And we walked through their 
scenario of if an individual--if a scientist at the facility 
wanted to take out that information, what's the process they 
would go through? There was one person in that room whose 
responsibility it was to account for everything. Things checked 
out, to make sure they were checked back in. I'm sure there was 
additional security to make sure it didn't go offsite. My 
question would be, what was the process in this particular 
vault when an individual took something out and then replaced 
it. Is there a record that we can go back to?
    Mr. Habiger. No, sir, there's not.
    Mr. Burr. Can you explain to me why for the reference room, 
the library room that was frequently used, that we would have a 
process that followed the movement of these papers, but why 
there wouldn't be a process that followed the movement of hard 
drives?
    Mr. Habiger. My observation goes along these lines. The 
vault you're talking about, you're talking about virtually 
thousands of people who have access, and the vault I'm talking 
about, the people who had unescorted access to these kits was 
less than 30.
    Mr. Burr. Does it not--in hindsight, I'm not asking you to 
put yourself before it--in hindsight, does it seem like a 
reasonable recommendation that we track who removes that type 
of sensitive information and when, and potentially when they 
return it?
    Mr. Habiger. Yes, sir. This is one of the many things that 
we are looking at to change as a result of this particular 
incident.
    Mr. Burr. Is it the responsibility of DOE officials at Los 
Alamos or the University of California officials?
    Mr. Habiger. University of California.
    Mr. Burr. To account for all the items?
    Mr. Habiger. Yes, sir.
    Mr. Burr. Let's go back to this period of delay, and we all 
followed the fire. Should we be worried that there was a 
security breakdown during this fire episode at Los Alamos?
    Mr. Habiger. I talked on a regular basis to the director of 
security at Los Alamos during the fire. All security systems 
were up. Some compensatory measures had to be taken in a couple 
of areas which I was fully in agreement with.
    Mr. Burr. If I understand it, correct me if I'm wrong, this 
vault facility is in the main building?
    Mr. Habiger. Yes, sir.
    Mr. Burr. I guess close to where that library reference 
room was?
    Mr. Habiger. Yes, sir.
    Mr. Burr. Just simply because of the work space, and that 
was not a building that was left unsecured at any time.
    Mr. Habiger. At any time, no, sir.
    Mr. Burr. Was it ever a building that was evacuated of the 
people? I remember it being so far away from the forest.
    Mr. Habiger. During the fire, there was no one in that 
building, but the security systems were all up and running. 
Inside that vault, Congressman Burr, were sensors, motion 
sensors, infrared sensors that had to be turned off before 
anyone had access to the vault.
    Mr. Burr. Clearly, there was no indication of a security 
breach that happened?
    Mr. Habiger. No, sir.
    Mr. Burr. Let's go to this delay in notification. What is 
the explanation that the University of California supplied DOE 
on why they waited so long to tell DOE officials?
    Mr. Habiger. We have not gone down that path. As I 
indicated, I think, just before you came in, I was not pleased 
with the length of time that it took before I was notified, 
before my office was notified, which was on the evening of June 
1. During my almost week's stay at Los Alamos, we were focused 
on three major considerations, the first being where are the 
disks, and who is accountable for the disks not being where 
they are supposed to? As we go down the path and we have a very 
structured inquiry process, part of that process is to come up 
with explanations for the kinds of things that you are 
identifying now.
    Mr. Burr. I don't want to seem too simplistic, but I put 
myself in charge of the Los Alamos lab. I envision being in a 
situation where there's a month's delay before I notify the 
Department of Energy that high level security hard drives are 
missing, and I envision the first question that I'm asked, why 
did it take you so long to inform us? I would take for granted 
that question was asked. If there wasn't an answer, that's 
fine, but clearly I think that--we have reason to be concerned 
because the last time we saw a delay like this was whether we 
sold a computer to an exporter of Chinese relationship and, you 
know, when we got through the whole process, we learned that 
the delay in notification, especially of us, was in hopes that 
they would retrieve it before anybody found out about it.
    Is this one of those situations where there was a hope by 
officials that the University of California and at Los Alamos 
that they would find the disk and not have to report it?
    Mr. Habiger. I don't want to put words into Dr. Browne's 
mouth, but my observation is that scenario that you're just 
describing.
    Mr. Burr. Let me--I thank you for that. I do. I don't think 
it's any member's intent that we are going to solve this case 
today, but we appreciate your willingness to let us explore 
some of the questions.
    Mr. Chairman, do I have time to go into some of the 
headquarters' questions?
    Mr. Upton. Can we go another round and you can do that?
    Mr. Burr. I would be happy to do that.
    Mr. Upton. Mrs. Wilson.
    Mrs. Wilson. Thank you, Mr. Chairman. Again, I appreciate 
your willingness to let me ask some questions here today.
    As I said in my opening statement, I don't intend to go 
into some of the details of the most recent incident in Los 
Alamos, because the questions that I want to ask are very 
specific, and I don't think that the answers would be 
appropriate in an open forum. But I think we have summarized 
pretty clearly what the questions are from this committee's 
point of view and from my point of view. What happened to those 
hard drives? Is there a compromise to America's national 
security? Who is accountable for it? And how are we going to 
make the systemic changes needed to make sure it doesn't happen 
again? And did the notification procedure work?
    As I understand it, John Browne, the director of the lab, 
didn't even know they had a problem until May 31, which is the 
day before he informed you which means there's a problem lower 
down within the lab on processes of notification. I understand 
completely that an investigation could not have been done fully 
until after the fires were under control, and I think all of us 
in this room understand that, that you can't do the arson 
investigation until the fire is out. At the same time that 
doesn't preclude prompt notification that we may have a 
problem, and I think those are all legitimate questions we're 
going to be seeking answers to.
    I'd like to focus on a couple of other things from your 
testimony in the time that I have available. First, this 
question of funding for cyber security at the Department of 
Energy. I note from the testimony, particularly General 
Habiger, yours, concerning the need for supplemental funds. I 
went back and checked my records, because this was an important 
issue for me. According to my records for fiscal year 2000, the 
supplemental requested by the administration--now, you may have 
asked for more money from the Office of Management and Budget, 
but it may not have gotten approved--because the administration 
requested $4 million for cyber security from the Congress. I 
thought that was way too low, and so several of us from this 
Congress met quietly with folks who know a little about cyber 
security and the problems at the nuclear weapons labs, and they 
confirmed that that was way too low.
    I made a request of the Appropriations Committee in the 
Congress for $90 million in supplemental funds for cyber 
security for the Department of Energy, and the House approved 
$45 million for cyber security. That's currently sitting over 
in the Senate, and pieces of it may be pulled out and added on 
to one of the bills that we're about to work on in the next 
couple of weeks here.
    I guess what I want to know is, what are you talking about 
with $35 million? Is that what you asked OMB for and are you 
now going to continue to support the administration's $4 
million request? Are you going to support what the House put 
into the bill, which is $45 for cyber security immediately?
    Mr. Habiger. We're talking about fiscal year 2000 amend-
ment----
    Mrs. Wilson. Current fiscal year, yes.
    Mr. Habiger. We submitted a request for $65 million for 
security in the Department of Energy in that supplemental, $65 
million. We received $10 million of that $65 million. Thirty-
five million of that was for cyber security. The $10 million 
that we got was not directed toward cyber security. I 
personally directed that $7 million of that $10 million be 
dedicated to cyber security. That is what, as I understand it, 
Congresswoman Wilson, came over on July 13 of last year.
    Mrs. Wilson. July 13, 1999?
    Mr. Habiger. Yes, ma'am.
    Mrs. Wilson. You're talking about 1999 money, not 2000 
money?
    Mr. Habiger. Supplemental 19--an amendment for fiscal year 
2000 that was submitted on July 13.
    Mrs. Wilson. Gentlemen, without meaning any disrespect, I 
think you may want to go back and talk to your budgeters about 
which years we are talking about, and which supplementals we 
are talking about, because there was a supplemental request for 
cyber security for the current fiscal year, we are in fiscal 
year 2000, and it was for $4 million from the administration. 
That was the request. We upped it to 10 times as large.
    Mr. Habiger. It was--the fiscal year 2000 we submitted on 
the July 13, 1999, an amendment.
    Mrs. Wilson. You are talking about when the budget was 
initially passed for the current year. I am now talking about 
the supplemental that is pending in this House currently. The 
administration only asked us--after all of the Cox report, 
after all of you went out to look at the labs, after we got all 
of the reports in that said we were way under our estimate of 
what we're going to need for cyber security--and the 
administration's request for a supplemental for what we need 
right now, today, to get moving and get this thing fixed was $4 
million. My sense was that was way too low, so we upped it to 
10 times that amount, and we're going to vote on it here. What 
do you want me to vote on? You want me to back off on this and 
go with the administration at a $4 million supplemental request 
or do you want me to keep fighting?
    Mr. Habiger. I would like you to keep fighting.
    Mrs. Wilson. Thank you, sir.
    With respect to this diagram that we see over here, it has 
a number of firewalls around the top of it and yet it's got a 
number of connections at the bottom of it which seem to go to 
other areas within the Department of Energy and contractor 
facilities and so forth where they don't appear to be 
firewalls. Could you talk to me about the vulnerability of the 
DOE unclassified systems through those other areas?
    Mr. Peterson. For the classified systems or for the--I'm 
sorry, the contractor facilities, what we're specifically 
talking about there are local contractor support in the 
Washington, DC area so a program office would establish a 
connection with a local supporting contractor. That's not to 
imply that those go out to the national laboratories or other 
sites.
    The other connection that's shown up there for the DOE 
business net is to 38 different DOE field sites throughout the 
country. Now, some of those field sites are collocated behind 
firewalls with other sites. For example, at Oak Ridge, you'd 
have collocated there Y 12 and Oak Ridge National Lab, but for 
the Albuquerque field office, there's no connection to Sandia 
or Los Alamos. So it's going to vary, but specifically, talking 
about the connections to the DOE Federal facilities. We have a 
concern because you're exactly right, there's not a firewall at 
the headquarters junction where you have these connections, and 
then they become logically part of your headquarters' internal 
network. There's no firewalls or security features to prevent 
access from those remote sites. These--each one of these 
facilities may have their own firewall. They may have modem 
connections which then provide pathways into the internal 
headquarters network, and our concern has been that that risk 
has not been adequately addressed and considered.
    Mrs. Wilson. I ask unanimous consent to ask this one final 
question. Does that mean that someone can get access to the 
contractor facility, and then from there get into the DOE 
unclassified system?
    Mr. Peterson. That would be a concern, yes.
    Mrs. Wilson. Thank you, Mr. Chairman. I would like to enter 
into the record the report of dissenting additional views of 
the Emergency Supplemental Appropriations Act for the year 
ending September 30, 2000, where it states very clearly that 
with respect to cyber security, the committee recommendation 
for cyber security activity is $49 million, an increase of $45 
million over the administration's request of $4 million.
    Mr. Upton. Without objection.
    Mr. Green?
    Mr. Green. Thank you, Mr. Chairman. I ask unanimous consent 
to place my statement into the record.
    Mr. Upton. Without objection.
    Mr. Green. General, you seem to want to tell us that the 
problems at the headquarters are not the fault of poor 
management and lack of attention but of dollars. That's what 
we're hearing in response to this morning's article where the 
Secretary said the committee only approved a small amount of 
funding for last year. But Mr. Podonsky said these are not high 
ticket items, and now you say we can fix these problems within 
60 days. That doesn't sound like a money problem to me. And is 
it a money problem or are we talking about something different 
when you say it can be fixed within 60 days?
    Mr. Habiger. We're talking about two different things, 
Congressman Green. Had we received adequate funding at the 
beginning of the fiscal year, we'd have been able to move out 
quickly in terms of training systems administrators, going out 
and perhaps finding these problems before Podonsky found them, 
and I would readily admit that the basic problems involve the 
organizational issues that Mr. Gilligan talked about, but 
again, it goes back to a money issue. If we had received 
adequate funding, I don't--in my judgment, our performance 
would have been better.
    Mr. Green. Mr. Podonsky, were these problems caused by lack 
of money or lack of oversight or management skill?
    Mr. Podonsky. First of all, Congressman, I would like to 
say that in the 16 years I'm reminded I've been in the 
department, and have lived through six secretaries, nobody 
other than Secretary Richardson has applied as much attention 
in management skill to the security issues as the Secretary. 
However, having said that, I would also say that my staff 
concluded that a vast majority of the issues at the 
headquarters unclassified cyber security were management-
related, not financially related. There are some financial 
aspects to it, but clearly, the fragmentation that exists among 
the various pods in the headquarters need to be fixed and 
fragmentation doesn't take money.
    Mr. Green. You don't have to--a lot of us served with 
Secretary Richardson and consider him a good friend, and he's 
diligent and I understand that. Sometimes we wonder, even in 
Congress, if it's a mistake when we do something successfully.
    Let me ask everyone on the panel, it's my understanding 
that DOE is considering opening the bidding for the contract to 
run Los Alamos National Laboratory, which is currently held by 
the University of California, in fact, I understand for the 
last 50 years. Given the problems that this lab has had along 
with the new revelations that is in today's news media, would 
you recommend that this contract be open for bidding?
    Mr. Habiger. Congressman Green, let me tell you right up 
front, I have not been involved in the contract of the 
laboratory. At this particular point in time, I have no 
recommendation one way or another.
    Mr. Green. Anybody else? Since we seem to have problems at 
Los Alamos and even Livermore, that if someone has had a 
certain contract for those years, is it something we can look 
at the contractor? Is it DOE?
    Mr. Podonsky. I think, Congressman, it gets back to the 
basic accountability in that people, whether they be 
contractors or Feds, need to be held accountable for their 
responsibilities that they are assigned.
    Mr. Habiger. The Secretary has made that very clear on a 
number of occasions.
    Mr. Green. One last question, again, raised from the 
article this morning. I was told that the unit that was lost or 
misplaced, that the unit was not the one involved in the test 
at Lawrence Livermore in early May. The article said that it 
was. Can you state for certain, or is it possible that we may 
be looking in the wrong lab for it? Maybe it's still in 
California. Again, since it was discovered missing on May 7 and 
reported on June 1, is that a possibility?
    Mr. Habiger. Sir, we dispatched two Department of Energy 
investigators who hooked up with two FBI agents at Lawrence 
Livermore, and every conceivable place was searched and 
interviews were conducted. This occurred on Tuesday of last 
week.
    Mr. Green. Again, Mr. Chairman, whatever time I have left, 
I share the concern of all the members of the committee, and 
because of the nature of what would happen, or what could 
happen with--we're concerned about rogue nations and things 
like that, that if a terrorist had the ability to utilize this 
information on how we would respond to a terrorist attack with 
a nuclear device. So I would just encourage the Department of 
Energy and our contractor to do everything they can to make 
sure that they find it, but also that this doesn't happen 
again. Thank you.
    Mr. Upton. Thank you, Mr. Green.
    Mr. Bilbray.
    Mr. Bilbray. Mr. Chairman, I appreciate your having this 
hearing. General, I'm not going to ask any questions except for 
the fact that as a father of five, I sure hope my kids aren't 
watching and reading about this incident. I only say it because 
I don't know how many times a parent will say where is the last 
time you saw it, who was responsible for it, you know, the 
whole concept we have of personal accountability, and this just 
really makes it tough for those of us who are trying to teach 
our children to be personally responsible for their little part 
of the world that they've got control over.
    And this situation just really is inexplicable to a young 
person, let alone a child, about, well, Daddy, what did the 
Federal Government do with this? Why is this--why don't they 
know where their important stuff is? Didn't they clean their 
room and keep it tidy so they know where they hid it? And I'm 
just here to listen because I'd like to find more answers so 
that, God forbid, if they ask me when I get home on Friday what 
happened, where is it, are they going--who is going to be held 
accountable, I want to at least have some answers for them, 
because this thing I think is a whole credibility issue that 
goes farther than just one department in this government. It 
really, really hurts our credibility as the servants of the 
American public and as the guardians of world freedom. I yield 
back, Mr. Chairman.
    Mr. Upton. Thank you, Mr. Bilbray.
    I have a couple more questions. We'll start a second round.
    General Habiger, it's my understanding that they knew the 
disks were there in April. When was the last time that all the 
disks were known to be accounted for?
    Mr. Habiger. In kit number 2, the last fully confirmed 
audit was on April 7. We have an unconfirmed audit or inventory 
by an individual, as I indicated before, said that if they 
weren't there, he doesn't remember seeing them, but he said if 
they weren't there, it would have rang alarm bells.
    Mr. Upton. So really not until May 8 did you realize----
    Mr. Habiger. May 7, sir.
    Mr. Upton. May 7 that they were there.
    Mr. Burr. Would the chairman yield for one clarification.
    Mr. Upton. Yes.
    Mr. Burr. General, was that the only thing in that vault or 
are there other sensitive documents or disks or hard drives?
    Mr. Habiger. There were three kits in that room, sir.
    Mr. Burr. When you say they were a kit, kit No. 1 was 
accounted for on April 7.
    Mr. Habiger. Kit number 2.
    Mr. Burr. Does that tell us that kit number 1 and kit 
number 3 were not accounted for on April 7?
    Mr. Habiger. That is true.
    Mr. Burr. I thank the chairman.
    Mr. Upton. And there was more than just the kits. Could you 
describe this vault again. Those of us that went out, we were 
in the library there. The library is sort of the secure room 
that was there. We did not--I don't believe we saw where this 
vault was in the building, but is it similar to the other 
vaults that we saw?
    Mr. Habiger. Sir, it's much smaller. It's about ten foot 
wide, about 20 feet long there. There were two long tables, a 
number of shelves, a small two-drawer safe. There were some 
documents. There were other hard drives.
    Mr. Upton. Is there security outside of the room then as 
well?
    Mr. Habiger. Yes, sir. Sir, this is a vault. I mean, this 
is something that, again, in open session without--I'd rather 
not go into the details, but this is something you and I would 
take several weeks trying to break into. I'm talking about 
dynamite and explosives and that sort of thing.
    Mr. Upton. Of the--is it 28 or 26 individuals that have 
access to it without being escorted?
    Mr. Habiger. I believe the number is 26, sir.
    Mr. Upton. Of those 26, are all of them U.S. citizens?
    Mr. Habiger. Oh, yes, sir.
    Mr. Upton. No foreign nationals?
    Mr. Habiger. Oh, no, sir, no, sir.
    Mr. Upton. I just want to make sure.
    Mr. Burr. Mr. Chairman, would you yield? Twenty-six 
individuals have access to the kits?
    Mr. Habiger. Unescorted access.
    Mr. Burr. Are there any other individuals who have 
unescorted access to the vault?
    Mr. Habiger. 57.
    Mr. Burr. 57 to the vault?
    Mr. Habiger. Yes, sir.
    Mr. Upton. They have to be escorted, though.
    Mr. Habiger. Escorted. 57 escorted.
    Mr. Burr. My question is, is there a difference in those 
that have access to the kits and access to the vault? Is it the 
same list or is it one and the same?
    Mr. Habiger. The people who have unescorted access can open 
up the vault. The 57 who have escorted access have to have 
someone who has unescorted access, open the vault and let them 
in to do what they have to do. This is a good point and I 
should have clarified it earlier. The vault was a dual-purpose 
vault. On one side of the vault you had the NEST activities, 
and on the other side of the vault you had the ASCI, the 
Advanced Strategic Computer Initiative activities on the other 
side of the vault.
    There is an individual who is accountable for that vault. 
It's an individual who has unescorted access to the vault, and 
she is responsible for who gets in there and makes sure that 
only people--the people that have unescorted access are watched 
by her if she's in there. If she's not in there, the door 
should be locked.
    Mr. Burr. Unescorted access means they have total access to 
everything in that vault?
    Mr. Habiger. Yes, sir.
    Mr. Burr. The right side and the left side you're 
describing?
    Mr. Habiger. Yes, sir.
    Mr. Burr. I thank you.
    Mr. Upton. Have all the folks with access to the vault been 
quizzed already?
    Mr. Habiger. Sir, all of the people who have unescorted 
access have been interviewed. Most of the people, primarily 
based upon availability who had unescorted access, have been 
interviewed.
    Mr. Upton. Now they are going back to reinterview all the 
individuals with a polygraph; that begins tomorrow?
    Mr. Habiger. The FBI is working up a list of people that 
they will polygraph. The FBI is in charge of the polygraphing 
process.
    Mr. Upton. I want to go back to the dollar amount that Mrs. 
Wilson raised with regard to the supplemental. Before I was in 
the Congress, I served at the Office of Management and Budget. 
I was very aware of different agency requests that came in, and 
ultimately what happened to them up on the Hill, and it was one 
of the reasons that a number of us wanted to go out and visit 
the labs. Actually, I think it was the hearing that you might 
have been at last summer, where a number of us indicated we had 
never been there and we wanted to get a better understanding of 
just exactly what was there, so we could have a helpful hand in 
making sure that security was appropriate.
    Mr. Podonsky and others provided many details to us. As we 
undertook the Department of Energy's budget last year, I do 
remember there were additional requests that came in, but it 
was included as part of the overall spending bill that was 
adopted in, I believe it was October, and everything was on the 
table, and if the administration, I think, had pushed a little 
bit harder, or even some would suggest pushed, in fact, the 
full funding amount would have been included as part of the 
overall bill. But it is sort of surprising that as it wasn't 
all funded, that the Department of Energy would only--I should 
say the administration would seek only $4 million, which we 
have now requested more than 10 times such, but based on the 
testimony by Mr. Gilligan this morning where, in essence, he 
indicated that problems were identified a year ago and, in 
fact, within 60 days, a system would be set up to make sure 
there wouldn't be any problems and that's without any funding 
at all.
    As we look at the level of funding that we've done with the 
labs, the labs were very careful to tell us that security was 
No. 1 and that they would find--they identified a number of 
weaknesses that were out there and that they would find the 
resources to fix the problem, no matter what the cost, and, in 
fact, I think they've done that, would be my sense, as they've 
testified to us earlier.
    I just wondered why isn't A, the same standard there at the 
headquarters and B, how are you able to do it now? It sounds 
like you're able to do exactly what you wanted to do without an 
extra dime coming your way.
    Mr. Gilligan. Sir, I appreciate the question, and let me if 
I could, go back and make clear, the request that we made last 
summer for $35 million as a budget amendment for the fiscal 
2000 was something that I personally worked. In fact, my 
initial recommendation was for $50 million. Working with the 
Department, we were only able to identify offsets, that is, 
other budget reductions within the Department to support $35 
million. That came through the administration over to Congress. 
We got 7 million. Of that, $1 million was earmarked for a 
specific project; so $6 million to be able to dedicate against 
the priorities that we identified.
    Frankly, I was surprised that we didn't get support after 
we had had the hearings and the discussion, especially in view 
of the fact that the Department provided offsets, other budget 
reductions. Those offsets were taken to fund other priorities.
    Subsequently I was given an opportunity--I was given a cap 
of $4 million to identify additional cybersecurity initiatives 
that we could request in a budget supplemental, and we did.
    Now, to address your specific question on the current 
headquarters review, the significant problems that we've 
identified, many of them can be fixed with limited dollars, I 
will readily admit that. There are some significant management 
issues that we can address in the Deputy Secretary's memo, 
which, in addition to the policy authority that I have for the 
Department, now gives me line operational authority for the 
headquarters computer security. I can now work to put the 
management changes that need to be in effect to be able to fix 
most of the problems.
    However, I still need additional funding to fully implement 
protections to solve some additional weaknesses that I am aware 
of on that picture. For example, at the lower left of that 
picture, you see a cloud network. That is the DOE network. That 
network connects our headquarters with all of our Federal 
operations. That is something I am responsible for. We, in 
fact, do have a policy, and we have enforced the policy that 
each of the sites must have a firewall before they can connect 
to DOE Net. Mr. Podonsky's review identifies that additional 
security measures would be warranted, and I agree, and that 
would be to create an additional protection so that one site 
that potentially is compromised could not affect another site.
    That will take funding. That funding is something I have 
requested now in the 2001 budget, and I would appreciate 
support for that. So we will be able to implement some of the 
fixes, some of the configuration management enforcement. Some 
of the connection policies we will be able to implement. We 
will not be able to implement some of the full enhancements 
that I would like to do to get the headquarters up to the level 
of my comfort without additional funding in fiscal year 2001.
    Mr. Upton. Thank you. I know my time has expired. I'd just 
like to tell all members that we're looking at having a 
classified closed briefing with General Habiger on the issue of 
the missing hard drives, not only with this subcommittee, but 
also with other members on Intelligence as well as Armed 
Services, and it could be later today.
    Mr. Stupak.
    Mr. Stupak. Thank you, Mr. Chairman.
    General, the way I understand it here, there are three 
kits, two hard drives each. So there's a total of six hard 
drives.
    Mr. Habiger. Yes, sir.
    Mr. Stupak. Can you tell us when the last time all six were 
present and accounted for?
    Mr. Habiger. I can tell you that--not all six. I can tell 
you that 4 of the 6 were accounted for when the lab began their 
aggressive inventory on the--beginning May 22.
    Mr. Stupak. May 22?
    Mr. Habiger. Yes, sir.
    Mr. Stupak. All right. Why would you take the hard drives 
out of kit three and put it in kit two?
    Mr. Habiger. So you'd have an operational capability. 
Remember----
    Mr. Stupak. But then that renders kit three incapable, 
right?
    Mr. Habiger. The hard drives are all the same. One's 
primary, one's backup. The concern was to get an operational 
kit out of harm's way, and so the individuals who went into the 
vault at 2300 on May 7 made a decision to move the two hard 
drives.
    Mr. Stupak. All right. Well, move them out of harm's way, 
we're talking here about a wildfire. From my watching of the 
news and everything else, it seems like a wildfire is 
threatening to an area or a place for a day or two because it's 
a wildfire, and then it moves on. Your testimony is that from 
May 8 to May 22----
    Mr. Habiger. Sir, the winds were constantly changing, and 
the winds were up to 60, 70 knots during this period, and 
initially--and you had massive changes, 180-degree wind changes 
of these very high winds, and the exposure or the risk to the 
lab would go up 1 day and down the next, just depending on 
which way the wind was blowing.
    Mr. Stupak. Well, if it would go up 1 day and come down the 
next, during that time did anyone make any efforts then to try 
to locate these disks?
    Mr. Habiger. As far as I know, no, sir, and let me point 
out that the Los Alamos--the city of Los Alamos and the 
laboratory were shut down, were evacuated. National Guard 
troops were in place, State police, to ensure that.
    Mr. Stupak. Okay. Let me just--and I know a statement was 
made earlier that you can't do an arson investigation while a 
fire is ongoing. Having been in police work for 12, 13 years, I 
totally disagree, because during an arson investigation there 
are things you look for, people around there, the evidence, 
containers, fire trails, the burn patterns. Those are all key 
parts of any arson investigation, and I'm sure they are in any 
investigation. I'm still befuddled why we waited until after 
May 22 and you not being notified until June 1. I just find 
that unacceptable and--but I'm sure we can get into that some 
other time.
    Mr. Podonsky, you're in charge of the Independent Oversight 
for security at DOE, correct?
    Mr. Podonsky. Yes, sir.
    Mr. Stupak. And you spent a lot of time out there last year 
and after it was determined that classified information was 
being downloaded into unclassified systems; did you not?
    Mr. Podonsky. Yes, we did.
    Mr. Stupak. One of the things you told the subcommittee in 
October when we held a hearing on the security situation at the 
weapons lab was that there--and I am going to quote now--there 
were weaknesses in access controls at areas where classified 
weapons information was used and stored. Is that correct?
    Mr. Podonsky. That is correct.
    Mr. Stupak. And that's not a cybersecurity issue, it's a 
plain old physical security problem. In fact, you were talking 
about areas exactly like the vault in which the lost hard 
drives were stored, correct?
    Mr. Podonsky. That is correct, but we were not at the TA 
three area.
    Mr. Stupak. I know you weren't talking specifically about 
that vault at that time. It's the idea of the same old physical 
security problem. Now that we've established that the disks 
were in the emergency response kit for the NEST team, and the 
kit was in a locked suitcase-like container with other locked 
containers inside, these hard drives were in one of those 
containers. The suitcase, however, was accessible to anyone in 
the room. We've already established there were keys there, you 
could get at them. Can you explain to me then how a situation 
could have been allowed for this type of security breach? I 
mean, if it's plain old physical security, and that was a 
concern a year ago, why would we have the keys right there, 
accessible, attached to the kits or hanging on the wall? It 
just seems like a great opportunity to access it by somebody 
who should not access it.
    Mr. Podonsky. I can answer generically since we are not 
directly involved in what's currently under investigation. 
However, I will tell you in August when we were there, they 
were rated satisfactory, the overall site security, and then 
again in December, and that was based on the performance that 
we saw at the sites within the laboratory that we inspected. We 
maintain and believe that that was a satisfactory performance.
    There is a human element in security, and that's something 
that is always unpredictable. Obviously, as I said, we don't 
have the details of what's going on in the investigation, but 
we had seen, just like in the downloading of classified to an 
unclassified Net, there is always that human element, 
regardless of all the administrative controls that you put in.
    Mr. Stupak. Exactly. There's a human element. I think when 
we raised it earlier, I was reminded that these are good, hard-
working, honest people. No one up here is saying they're not, 
but the fact remains we still have two hard drives missing that 
can't be accounted for, that can't be remembered where they 
are.
    And explain something else for me if you can, and maybe 
I'm--explain how a nuclear weapons laboratory can have a 
satisfactory security program, but can lose or have removed 
weapons, design and intelligence information such as on these 
hard drives? How can they get a satisfactory?
    Mr. Podonsky. At the time that we inspected them, they were 
performing at a satisfactory level, and all the things that we 
tested, the guards, the cybersecurity, the material control 
accountability, they were not only in compliance with the DOE 
requirements, but they were performing well, albeit this latest 
news event that just occurred is not a satisfactory situation, 
but that does not, in our view, taint the entire laboratory's 
performance. It does call into question a lot of other issues 
that I'm sure General Habiger will talk in a closed session.
    Mr. Stupak. In the previous hearings we've always brought 
up this atmosphere that exists at the lab, rather relaxed 
atmosphere, and I've been one who always talked about 
accountability and responsibility, and then we continue to see 
these satisfactory, satisfactory, and then we hit another 
embarrassing-type situation. So I guess that goes back to that 
human element. No matter how honest or how well we think 
employees are, there's still going to be a degree of human 
element that you can't put satisfactory on. Is that a fair 
statement?
    Mr. Podonsky. I would say there's a--with any corporation, 
in DOE in particular, as we've seen, there's some very 
dedicated people there that are doing the job for very noble 
reasons, and there's always going to be the human element that 
you cannot put a satisfactory on.
    I am reminded when we used to do safety oversight, we had a 
number of very serious and near fatal accidents at the 
laboratory. Not everybody took safety seriously until it 
happened to some of their own researchers. So that human 
element is something that it is very difficult to quantify. So 
what we do is we don't just look at technical systems, we look 
at management systems. We try to get to the root cause. We're 
not at all trying to indicate that we hide behind the curtain 
of the human frailties, but that's something that has to be 
considered.
    Mr. Stupak. Thank you, Mr. Chairman.
    Mr. Upton. Mr. Burr.
    Mr. Burr. Mr. Gilligan, let me attempt to answer a question 
you raised or a statement that you made, and this is a response 
from me personally. You said that you were surprised that the 
budget request was not fulfilled, and I would only share from a 
standpoint of somebody that I think has been in every security 
briefing that we've had, open or closed, has followed the 
process to the extent that over the break I traveled to 
California for a three-stop tour in 2\1/2\ days, and has 
followed not only the General's suggestions, but the 
Secretary's statements, that many of the things that were 
stated up front have not been fulfilled.
    I am not here to judge whether they should have been made 
or should have been carried out, but we made some changes along 
the way, and that's understandable as we're addressing a crisis 
of the moment. I think the lack of any specific funding that 
might not have made it is a lack of confidence that we have the 
right plan in effect, or that we're concerned on whether we 
will implement what it is that we have endorsed, or there's not 
that degree of need to accomplish what has been explained to 
Congress.
    So the challenge is indeed on your part and on the part of 
General Habiger and of the Department of Energy to make sure 
that every Member of Congress understands what the cost of the 
process is, and that may be a more elementary challenge on your 
part than we have had in the past, but we are not going to 
knee-jerk to a crisis that exists. We're going to ask for the 
documentation, and we're going to ask for the accountability 
that what you tell us is accomplished.
    Let me move back to the current situation for just a few 
more questions, General. What do you mean by escorted? When a 
person is escorted, what does that mean, into that vault?
    Mr. Habiger. They have to be accompanied by someone who 
understands the security requirements.
    Mr. Burr. Would that individual have to be on that list of 
26 individuals?
    Mr. Habiger. Yes, sir.
    Mr. Burr. For secure access by themselves?
    Mr. Habiger. Yes, sir.
    Mr. Burr. You mentioned, I think, ASCI information 
additionally was stored in that vault?
    Mr. Habiger. Yes, sir.
    Mr. Burr. Is that accounted for and secure today?
    Mr. Habiger. Yes, sir.
    Mr. Burr. All of it?
    Mr. Habiger. Yes, sir. As a matter of fact, the laboratory 
in the nuclear weapons arena, Dr. Browne directed as of 1700 
hours yesterday that a 72-hour lock-down of the nuclear weapons 
area be accomplished, and that all plans, security plans, be 
reviewed, and that all classified media, documents be accounted 
for. That's to be accomplished over a 72-hour period.
    Mr. Upton. Would the gentleman yield?
    Mr. Burr. Yes.
    Mr. Upton. When somebody is in the vault, and they are to 
be escorted, does the escort then have to stay with that 
individual the entire time they are within the vault?
    Mr. Habiger. Yes, sir; again, 10 feet wide, 20 feet long.
    Mr. Upton. So if you need the escort, there's always at 
least two people in that room?
    Mr. Habiger. Absolutely, sir.
    Mr. Burr. General, if you can't answer this, I understand 
it, we'll address it later, but after an individual has 
possession of this hard drive, how easily is it usable? Is it a 
plug and play?
    Mr. Habiger. Yes, sir.
    Mr. Burr. Okay. Was this the most sensitive information in 
the vault?
    Mr. Habiger. Yes, sir.
    Mr. Burr. Let me ask you, you referred to the fact that the 
FBI has taken the lead in the investigation, and you expect 
next week for the FBI to begin a polygraph process.
    Mr. Habiger. Tomorrow.
    Mr. Burr. Tomorrow, once they have identified individuals. 
We know the record with polygraph as it relates to our 
scientists. This is not something that they do 
enthusiastically. Do you have any reason to believe that any of 
the individuals that will be targeted would object to this 
initiative?
    Mr. Habiger. I will give you a very definitive answer in 
closed session, sir.
    Mr. Burr. I thank you for that.
    Let me move, if I could, to why we're here today. Glenn, 
last time you testified here, I believe you very emphatically 
told us that the message was getting out on security, that that 
had been heard, and today you're telling us that DOE 
headquarters heard the wake-up call. Is that right?
    Mr. Podonsky. Yes, sir.
    Mr. Burr. If DOE headquarters really heard that call, then 
why do you find such a bad situation involving very basic 
principles of computer security?
    Mr. Podonsky. Well, sir, as I started to mention in my 
response to Congressman Green, I'd like to iterate, in all the 
time that we've been in the Department, we've seen some very 
egregious management systems in place, a lot of repeat issues 
that should have been dealt with over the last 16 years. Many 
issues have been written about in our oversight reports. 
Various administrations did not have it high on the priority.
    For obvious reasons, this administration, together with 
this Congress, has focused a great deal on security in 
Department of Energy, and to you all's credit as well as this 
Secretary, we have seen a quantum change. It doesn't mean they 
are there where they need to be, but clearly the headquarters, 
the responsibility that John Gilligan has being further 
clarified by his Deputy Secretary Glauthier's memo will further 
help him do the job that he was hired to do, but in addition, 
he and his staff have been focusing on the field extensively. 
So quite candidly, until the management processes were in 
place, we did not see that they were going to be very 
successful at bringing the headquarters into the same level 
that the field is now getting into.
    We believe with the corrective action plan that Mr. 
Gilligan's office has prepared, if all the items in there get 
carried out, we do believe it's going to be going in the right 
direction. That's why we say that we've seen a difference. It 
is taken in respect to what we've seen over the last 16 years.
    Mr. Burr. Most of us who have served for several years 
consider Bill Richardson to be a friend, and we know that every 
effort he goes out on is genuine and passionate. So I think we 
would hold in the same regard the Secretary's willingness to 
address this problem. The follow-through is something that this 
committee continues to be baffled at, and I would only point to 
the March 3, 2000, memorandum from the White House, and that 
memorandum, in the last paragraph it said, accordingly, I've 
asked each Cabinet Secretary and agency head renew their 
efforts to safeguard their department's or agency's computer 
systems against denial-of-service attacks on the Internet, 
stepping up the awareness of a security breach.
    That was March 3, 2000.
    It also said, I have asked my Chief of Staff John Podesta 
to coordinate a review of the Federal Government 
vulnerabilities in this regard and report back to me by April 
1.
    [The information referred to follows:]

                                    The White House
                              Office of the Press Secretary
                                                      March 3, 2000
For Immediate Release March 3, 2000

MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

SUBJECT: Action by Federal Agencies to Safeguard Against Internet 
        Attacks

    America and the world have benefited tremendously from the amazing 
advances we have seen with the Internet and computer technology. But 
with every new technological advance there are new challenges, and we 
must meet them--both Government and the private sector--in partnership.
    Following recent Internet disruptions, I met with experts and 
leaders of the information technology industry so we could work 
together to maximize the promise of the Internet, while minimizing the 
risks. These Internet disruptions high-light how important computer 
networks have become to our daily lives; and how vulnerabilities can 
create risks for all--including the Federal Government.
    Accordingly, I ask each Cabinet Secretary and agency head to renew 
their efforts to safeguard their department or agency's computer 
systems against denial-of-service attacks on the Internet. Within legal 
and administrative limits, attention should also be paid to contractors 
providing services. The Federal Computer Incidence Response Center 
(FEDCirc) and the National Infrastructure Protection Center (NIPC) have 
available software tools to assist you in these efforts.
    I have asked my Chief of staff, John Podesta, to coordinate a 
review of Federal Government vulnerabilities in this regard and to 
report back to me by April 1.
                                                 William J. Clinton

    Mr. Burr. Mr. Podonsky or General Habiger, can you share 
with us what Mr. Podesta reported to the President relative to 
the state of security at the Department of Energy?
    Mr. Gilligan. Sir, I'd be happy to tell you. In fact, I was 
one of the authors of that memo that the President signed. 
Under my role as cochair of the Federal CIO Council, Security, 
Privacy and Security Infrastructure Committee, I have a 
responsibility to help advise the administration across the 
Federal Government. We prepared that memo for the President. We 
prepared a process working with Office of Management and 
Budget, Mr. Podesta's staff, to get reports from each Federal 
agency. Within the Department of Energy, I coordinated the 
response. We sent out guidance to each of our field 
organizations, specific technical guidance on how to prevent 
denial-of-service attacks. It is a particularly difficult, 
technically challenging----
    Mr. Burr. I take for granted that the April 1 deadline for 
Mr. Podesta to get back to the President was a status report, 
are we secure.
    Mr. Gilligan. No. The status report was on those actions 
that have been taken. Security is not a binary function. It is 
not we are 100 percent secure or we are 100 percent insecure. 
It's a relative activity. It's a very complex set of technical 
issues that are involved.
    The status report that was asked for was what was the 
response within each agency to address denial-of-service 
attacks, and within the Department of Energy we reported that 
each of our organizations had taken the guidance that we had 
issued, they had responded to the guidance in a variety of 
ways, many running specific software checks against all of 
their systems to look for potential vulnerabilities that could 
be exploited, to look for configuration controls that would, in 
fact, allow us to prevent denial-of-service attacks.
    Mr. Burr. Did the Department of Energy make the April 1 
deadline?
    Mr. Gilligan. Yes, we did.
    Mr. Burr. Glenn, your review of security was at the end of 
April?
    Mr. Podonsky. Yes, sir.
    Mr. Burr. At that time did you find Web servers at the 
Department of Energy that could access other agencies?
    Mr. Peterson. We found Web servers, again referring to our 
diagram, out in the public area outside of the screen sub-Net, 
that were vulnerable to attack. We proved that by taking over 
one of those machines, and we could have used it to attack a 
different agency.
    Mr. Burr. You could use them to launch a denial-of-service 
attack on other government agencies?
    Mr. Peterson. That is correct.
    Mr. Burr. Now, is that what you reported to Mr. Podesta?
    Mr. Gilligan. The report back to Mr. Podesta did not 
address every individual computer within the agency.
    Mr. Burr. So what was the President asking for in this 
memorandum? I mean, I take for granted he was probably asking 
about some of the most sensitive secure areas. We're doing an 
assessment of unclassified areas and just our Web servers. We 
were vulnerable to exactly the thing the President said in his 
memorandum, which was denial of service existed.
    Mr. Gilligan. Each of the sites reported the steps that 
they had taken. The headquarters organizations, plural, 
reported those steps they had taken to respond to the denial-
of-service attacks. We did not at this juncture verify each and 
every computer the fact that something----
    Mr. Burr. If you knew that those existed when you put this 
report in, why was Mr. Podonsky's review of the system needed 
if you knew where we were vulnerable?
    Mr. Gilligan. I am not sure, sir, I understand your 
question.
    Mr. Burr. You responded to Mr. Podesta for the purpose of 
his reporting to the President the status at DOE by April 1.
    Mr. Gilligan. That's correct.
    Mr. Burr. At some point thereafter Mr. Podonsky's still 
doing a review of unclassified systems at the Department of 
Energy, and he finds vulnerable areas. I guess the question is, 
did you know about those vulnerable areas when you reported to 
Mr. Podesta?
    Mr. Gilligan. Sir, today and in the future there will 
continue to be vulnerabilities in our computer systems. That's 
the state-of-the-art. There are vulnerabilities in the computer 
systems that are run by this Congress, but that's the state-of-
the-art. The securing of these systems is a continuing process. 
The report back to Mr. Podesta identified those processes and 
the verification that each of our sites had done. It did not 
say that there were no vulnerabilities. In fact, there are 
vulnerabilities that continue to be discovered and exploited.
    Mr. Burr. Is the vulnerability--and I am not a techie, 
clearly you are--is the vulnerability of a Web server and its 
potential use to launch attacks a new phenomena, or is that 
something that has existed since Web servers have been out 
there?
    Mr. Gilligan. The potential to use----
    Mr. Burr. Is that the last place we look for a 
vulnerability, or is it one of the first places?
    Mr. Gilligan. The Web server is generally not a high risk, 
a highly vulnerable computer, because of the limited functions 
it performs, and in general, Web servers are intended for 
public access, and the protection on those is primarily to 
ensure that the information content that is primarily read only 
is, in fact, preserved.
    Mr. Burr. Let me turn to Mr. Podonsky, who did the 
investigation. Is a Web server a tool that one should be 
concerned with if that Web server is unsecured and can be used 
to launch attacks on?
    Mr. Peterson. Absolutely. For one, it could be an 
embarrassment to the Department having it defaced, and then the 
second one is to have our resources from the DOE to be used in 
an illicit manner.
    Mr. Burr. Let me just read from your report if I can. I 
quote: Most of these Web servers were found to be vulnerable to 
common hacking exploits, and some contained vulnerabilities 
that could allow any Internet user to gain system 
administrator-level privileges. With this level of privilege an 
attacker could deface or shut down the Web site or configure 
the server to launch attacks against other Internet entities 
causing public embarrassment to DOE.
    So, in fact, you did put it in your report--in the way that 
you've stated it, it sounds fairly serious.
    Let me just ask one last question, Mr. Chairman.
    Glenn, your report also concluded by stating this, and this 
is alarming to me, it really is: Senior management attention is 
needed to establish a management structure conducive to 
effective unclassified cybersecurity at headquarters. Now, we 
have all praised Bill Richardson quite a bit. We have a lot of 
confidence in you, General. We have tremendous confidence in a 
lot of folks at the Department of Energy. But, Glenn, I have 
got to ask you, what led you to put that in your report, that 
senior management's attention is needed? We've had a series of 
security breaches, of management blunders, I think. Nobody has 
ever questioned the commitment of the Secretary, but something 
led you to say senior management doesn't get it yet. Who were 
you describing when you used the term ``senior management''?
    Mr. Podonsky. Let me answer your question in the following 
way. Last week I met with General Gordon, and one of the things 
he asked me about the new NNSA, what are some of the first 
things he ought to do. He was planning to go and do some tours 
of the sites around the complex, and I suggested that he first 
needs to take a look at headquarters, and he needs to take a 
good hard look at how headquarters operates. And I would say 
that what we were aiming at is when we looked at what is the 
root cause, General Habiger and John Gilligan and all the folks 
that are dedicated to doing the right thing in the Department 
have mostly been focusing outside the headquarters is what our 
assessment was, and there's an awful lot of organizations 
within that Department across the way there that may need to be 
working all in unison.
    So our focus was that senior management at headquarters 
needs to also take a look at the operation of the Forrestal as 
well the Germantown building, not just the field offices.
    Mr. Burr. Technical question. My understanding is that DOE 
contractors in some way, shape or form are linked to regional 
offices and/or headquarters of the Department of Energy. Could 
those links also be used to launch attacks from, or could those 
links be used to exploit any security measures that we have in 
place?
    Mr. Peterson. We are concerned with the links from the 
exploitation aspect. Obviously it broadens your network 
perimeter, and then it will allow you--if you find the weakest 
point, then it allows you into that broad perimeter of that 
network, and then if you have enough time and skill, then you 
can take over a machine, a computer, and then use that to 
launch an attack against the Internet site. So that's 
definitely a concern.
    Mr. Burr. General, let me just make one last statement, if 
I could. I do hope we go to a closed session, if not today, 
very quickly.
    I would only say this, that for a vault containing high-
security information, one that we were concerned enough with to 
go through a process of individuals who could visit it, No. 1, 
and from that list who needed escorting, that apparently we 
have a full-time person who oversees the entry to that vault 
and the exit to that vault, it is amazing to me that there's 
not some record of who accessed it when and if anyone removed 
something from that vault, and if so, when it was returned. If 
this were some type of nuclear material of which we have 
identified a similar set of scenarios that we have addressed, 
one of the remedies was that it no longer goes without some 
type of cataloging of who went, when they went, what they did, 
when it was returned, if it was taken off premises. I do hope 
that that's a procedure that will change, and if it can't be 
accomplished through our current contractor, I hope the 
Department of Energy will be brave enough to review this 
contract and to look at somebody that can run a facility with 
the type of procedures that we need, as Mr. Gilligan said, in 
an ever-changing technological world that every day we're faced 
with a new risk and a new challenge.
    And with that, I thank all four of you, and I yield back.
    Mr. Upton. Thank you.
    I just want to note, thanks to the membership of Mrs. 
Wilson on the Intelligence Committee, we've been able to secure 
the intelligence room in the Capitol until 2 o'clock. General 
Habiger, would you be able to come maybe at like 1 until 2:00?
    Mr. Habiger. Sir, at your convenience.
    Mr. Upton. Okay. Well, we'll put a notice to all members of 
the full committee that that is available, and you know where 
it is in the Capitol; do you not?
    Mr. Habiger. I'll find it.
    Mr. Upton. It's hard to find. I'm sure David can help you.
    We'll yield at this point. I am going to leave here 
shortly. Mr. Burr is going to take over the chairmanship, and I 
will see you at 1 o'clock, and at this point we'll yield to 
Mrs. Wilson, who has got a couple more questions.
    Mrs. Wilson. Thank you, Mr. Chairman. I do have a couple of 
more questions, particularly about cybersecurity at the 
headquarters. And, General, I have a lot of sympathy for your 
situation, trying to get a job done and convince--I have been 
in that situation myself--trying to convince the budget guys 
that you have got a job to do and you need the resources to do 
that job and so forth. But I do think it's important to make 
sure this chronology is in the record with respect to 
cybersecurity, and I think I have kind of compiled my own 
summary of it at this point. And I think it's important for 
everybody to understand what happened in 1999 and where we are 
now.
    In January 1999, the Cox report was finished in its 
classified form, briefed to the administration and key Members 
of Congress.
    Of course, by that time, the administration's budget 
request was already in and up here, and there are a number of 
requests that come in to amend that throughout the year as we 
are beginning work on it.
    On May 14, 1999, the Department of Energy requested an 
amendment to the President's budget request for cybersecurity. 
That went to the energy and water committee, and that request 
was for $8.5 million, and it was fully funded.
    May 25, the Cox report is publicly released in its 
unclassified form, and there is a firestorm of hearings and 
investigations and responses in both the Defense Committee, the 
Intelligence Committee and this committee all the way through 
June. It affected the defense authorization, intelligence 
authorization and the appropriations bill.
    On about July 13, as I understand it, there was a request 
in the energy and water committee for $35 million, General, for 
your office. It was listed as security. The committee asked for 
further justification and breakdown and were not able to get 
it. This is 24 hours before the markup in subcommittee. It was 
not listed as for cybersecurity. It was for the funding of your 
office, and I have no doubt at all that your office needs that 
funding to do your job. Without that supported breakdown, you 
were given $7 million initially from that subcommittee mark, 
but it wasn't cybersecurity, it was for your operations in your 
office, and I understand that's entirely legitimate.
    It then goes through the House and over to conference. I 
would note that there's a man named Senator Pete Domenici, who 
I know pretty well, who is on that conference committee, and if 
there was a shortage for cybersecurity, particularly for the 
nuclear weapons complex, it would not have been particularly 
difficult to get that put into the bill.
    In the fall, the labs continue on looking at cybersecurity 
and their needs and making plans and assessments of the costs 
of this whole thing, and when we come back in January, me and a 
whole bunch of other folks were expecting a major request for a 
supplemental, particularly related to the cybersecurity, but in 
February we get the White House's supplemental request, and 
they only asked for $4 million for cybersecurity.
    We then get a group together here of experts and others and 
ask in early March, is that adequate? Is this real? And the 
answer is quietly, no, it's not. It's not the real number, it's 
not the real need. So we make the request of Energy and Water 
in a separate supplemental to bump that up significantly. I ask 
for $90 million; $45 million is added specifically for 
cybersecurity.
    I think that is important as a chronology because, now, I 
think there's sometimes an attempt to shift blame around. And I 
understand that you're in a difficult situation. You have to 
get up and operating as a security office, but with respect to 
cybersecurity and the requests that come in for cybersecurity, 
I think the appropriators have been pretty good at working with 
those members like myself who are concerned about this issue 
and fully funding the requests that are identified as 
protecting our security programs, our computer security, and 
we'll continue to fight those battles up here and get the money 
that's needed. I frankly wish that I had more support from the 
administration when it comes to really identifying the actual 
costs that are going to be needed, and I'd appreciate it if 
you'd take that one back.
    I do have some questions concerning this chart, some more 
things. First from Mr. Gilligan, is there a single unified risk 
assessment and a security plan for the headquarters network as 
a whole?
    Mr. Gilligan. Congresswoman Wilson, there is not, and, in 
fact, I think that's one of the observations that the 
independent oversight review points out that I agree is a 
weakness in our implementation. If I look at how we implemented 
cybersecurity policies within the headquarters, each individual 
subordinate organization in the headquarters implemented the 
policies individually. So there are multiple risk assessments. 
There are multiple cybersecurity plans, there are multiple 
cybersecurity implementations, and I think Mr. Podonsky's team 
correctly identifies this as an overall weakness because we 
have some offices who do a very good job of implementing those 
plans, correcting the vulnerabilities, and other offices who 
have not done a good job, but it becomes a shared risk.
    So the action that was taken by the Deputy Secretary in 
essence expands my job, so not only am I to have policy 
responsibility for the entire Department, but I now have 
operational responsibility which I did not have previously for 
the entire headquarters. In the past I had operational 
responsibility through an operations organization that happens 
to be attached to me for small subsets of the headquarters, 
and, in fact, those portions of the headquarters were viewed as 
very strong in the independent oversight review, yet they were 
vulnerable to other offices who had weaker security. So now 
that I have responsibility for the operational security of the 
entire headquarters, we can do one plan, one risk assessment, 
one set of policies and procedures, and I can enforce those 
policies and procedures across the headquarters.
    Mrs. Wilson. When were you given that additional authority?
    Mr. Gilligan. On June 8.
    Mrs. Wilson. Okay. Does DOE have a comprehensive list of 
the external connections so that anything that enters those 
circles or those subcircles here--do you have a comprehensive 
list of external connections?
    Mr. Gilligan. Ma'am, we have a list. I would not say that 
it is a comprehensive list. I think that is a continued 
vulnerability. The Internet networking technology that we have 
today lets connections be made quite rapidly, and that would be 
part of the objective of establishing a very rigorous perimeter 
across all of the headquarters systems and a what is called 
connection policy which we can enforce, which would, in fact, 
then allow us to map what are all the external connections, do 
they, in fact, conform to the security provisions that must be 
in place before an external connection is permitted, and that's 
more part of the activity that's under way now.
    Mrs. Wilson. With respect to the additional authority that 
you have been given on June 8, and I also have some sympathy 
for your situation being responsible for something, but I would 
guess a lot of the guys who have to implement this don't really 
work for you, they still work down in DP and IA and NN and 
those kinds of things. Is that right?
    Mr. Gilligan. That's correct. My office now has overall 
responsibility. We will still work with the individual offices, 
but now I have the accountability and responsibility to make it 
work, and I can go to the Deputy Secretary and the Secretary as 
needed to identify problems, where in the past I did not have 
any clear authority. I could identify concerns, but I had no 
specific responsibility or authority. That has been clarified 
with the Deputy Secretary's memo of June 8.
    Mrs. Wilson. What additional authority do you really have? 
Can you really tell DP or CR or EH or any of these little 
suborganizations, ``Shut down your computer network until you 
fix the following problems?''
    Mr. Gilligan. That is one of the new authorities that I 
have. With my ability now to enforce a connection policy, if 
that policy is not adhered to, I can and will shut down those 
organizations.
    Mr. Burr [presiding]. If the Chair could ask the gentlelady 
to wrap up as quickly as she can, I think that it's only right 
to allow them the opportunity for a break in between the 1 
o'clock session. So if you would wrap up as quickly as you can.
    Mrs. Wilson. Thank you, Mr. Chairman. In fact, I think that 
probably concludes the things that I'd like to pursue in this 
forum, and I thank all of you for your time.
    Mr. Burr. I thank the gentlelady. I didn't think she'd be 
quite that quick, but the Chair would ask unanimous consent for 
the record to remain open for the purposes of opening 
statements of any members that request to enter those and for 
additional questions of members.
    Gentlemen, let me once again thank you on behalf of this 
committee. I hope all of you understand the seriousness that we 
not only take of the headquarters evaluation, but the findings 
within the last 48 hours of continuation of a breach of our 
security at our labs.
    Our hope is that, Mr. Podonsky, you will move forward 
with--at some point with an audit of the classified areas of 
headquarters, and that we will have an opportunity to review 
that.
    And my hope is, Mr. Gilligan, with this new responsibility, 
and that's the coordination of one plan for security at 
headquarters, that you will be successful in making sure that 
that's implemented in the fashion that you see appropriate.
    My hope, General, is that at some point we can get one plan 
for the individual labs that you have and your team have the 
confidence in that it is secure.
    With this, this hearing is adjourned.
    [Whereupon, at 12:15 p.m., the subcommittee was adjourned.]
