<html>
<title>OVERSIGHT OF THE STATE DEPARTMENT: TECHNOLOGY MODERNIZATION AND COMPUTER SECURITY</title>
<body><pre>[House Hearing, 106 Congress]
[From the U.S. Government Printing Office]


                   OVERSIGHT OF THE STATE DEPARTMENT:
             TECHNOLOGY MODERNIZATION AND COMPUTER SECURITY

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                        INTERNATIONAL RELATIONS
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 22, 2000

                               __________

                           Serial No. 106-171

                               __________

    Printed for the use of the Committee on International Relations


        Available via the World Wide Web:
        http://www.house.gov/international_relations

                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
68-288 CC                   WASHINGTON : 2000


                  COMMITTEE ON INTERNATIONAL RELATIONS

                 BENJAMIN A. GILMAN, New York, Chairman
WILLIAM F. GOODLING, Pennsylvania    SAM GEJDENSON, Connecticut
JAMES A. LEACH, Iowa                 TOM LANTOS, California
HENRY J. HYDE, Illinois              HOWARD L. BERMAN, California
DOUG BEREUTER, Nebraska              GARY L. ACKERMAN, New York
CHRISTOPHER H. SMITH, New Jersey     ENI F.H. FALEOMAVAEGA, American
DAN BURTON, Indiana                      Samoa
ELTON GALLEGLY, California           MATTHEW G. MARTINEZ, California
ILEANA ROS-LEHTINEN, Florida         DONALD M. PAYNE, New Jersey
CASS BALLENGER, North Carolina       ROBERT MENENDEZ, New Jersey
DANA ROHRABACHER, California         SHERROD BROWN, Ohio
DONALD A. MANZULLO, Illinois         CYNTHIA A. McKINNEY, Georgia
EDWARD R. ROYCE, California          ALCEE L. HASTINGS, Florida
PETER T. KING, New York              PAT DANNER, Missouri
STEVE CHABOT, Ohio                   EARL F. HILLIARD, Alabama
MARSHALL ``MARK'' SANFORD, South     BRAD SHERMAN, California
    Carolina                         ROBERT WEXLER, Florida
MATT SALMON, Arizona                 STEVEN R. ROTHMAN, New Jersey
AMO HOUGHTON, New York               JIM DAVIS, Florida
TOM CAMPBELL, California             EARL POMEROY, North Dakota
JOHN M. McHUGH, New York             WILLIAM D. DELAHUNT, Massachusetts
KEVIN BRADY, Texas                   GREGORY W. MEEKS, New York
RICHARD BURR, North Carolina         BARBARA LEE, California
PAUL E. GILLMOR, Ohio                JOSEPH CROWLEY, New York
GEORGE RADANOVICH, California        JOSEPH M. HOEFFEL, Pennsylvania
JOHN COOKSEY, Louisiana
THOMAS G. TANCREDO, Colorado
                    Richard J. Garon, Chief of Staff
          Kathleen Bertelsen Moazed, Democratic Chief of Staff
               Kristin Gilley, Professional Staff Member
                    Marilyn C. Owen, Staff Associate


                            C O N T E N T S

                              ----------

                               WITNESSES

Fernando Burbano, Chief Information Officer, U.S. Department of
  State
Jack L. Brock, Jr., Director of Government and Defense Systems,
  U.S. General Accounting Office
Mark T. Maybury, Ph.D., Executive Director, Information
  Technology Division, The MITRE Corporation
Wayne Rychak, Deputy Assistant Secretary for Diplomatic Security,
  U.S. Department of State

                                APPENDIX

Prepared statements:

The Honorable Benjamin A. Gilman, a Representative in Congress
  from New York and Chairman, Committee on International
  Relations
Fernando Burbano
Jack L. Brock
Mark T. Maybury, Ph.D.


    OVERSIGHT OF THE STATE DEPARTMENT: TECHNOLOGY MODERNIZATION AND
                           COMPUTER SECURITY

                              ----------


                        THURSDAY, JUNE 22, 2000

                          House of Representatives,
                      Committee on International Relations,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:12 a.m. in
room 2200, Rayburn House Office Building, Hon. Benjamin A.
Gilman (Chairman of the Committee) presiding.
    Chairman Gilman. This meeting will come to order. I want to
thank our panelists for joining us this morning and thank our
colleagues for being here.
    I am pleased to convene this hearing on Oversight of the
State Department, Technology, Modernization and Computer
Security. This is the fourth in a series of oversight hearings
that this Committee will conduct relating to the Overseas
Presence Advisory Panel, the OPAP.
    We began these hearings back in February when we heard from
the panel's members. At that time, and today, I believe the
panel highlighted some very important issues.
This Committee supports many of the recommendations made as a basis of
maintaining a more effective and efficient State Department.
    We are asking our panelists to provide the Committee with a
comprehensive review of the condition of the State Department's
information technology program, the safeguarding of its
information and prospects of developing a common platform to
facilitate communication among the agencies at posts. Along
with the efficiencies of high tech systems comes a breadth of
possible vulnerabilities. These systems demand continual
security evaluations and resources that should be dedicated to
this activity.
    Personnel at the State Department must have the capacity to
communicate quickly and precisely with a variety of people. The
Overseas Presence Advisory Panel observed that the Department's
current infrastructure does not provide the means either to
acquire information from a full range of sources or to
disseminate it to a full range of audiences.
    Inefficient information systems leave the Department
impotent in the conduct of foreign affairs. The Department and
other agencies sharing the overseas platform have taken steps
to bring their systems up to private sector standards, but much
more is needed to be successful on an interagency basis. Our
private sector panelist, Mr. Maybury, will address the problems
associated with that issue.
    An overriding concern as modernization proceeds is to make
certain that appropriate, usable systems are procured and that
security elements are addressed up front. The taxpayer is
providing an enormous amount of money over time for the
worldwide upgrades, and this Committee needs to be assured that
the right decisions and cost effective procurements are being
made.
    With recent cyber attacks against web sites in both Federal
and congressional computer systems, serious questions arise
about computer systems' vulnerabilities.
Investigation of hacker assaults revealed that the techniques used over
the past months were fundamentally very simple. In May 1998, GAO
reported that State's computer systems were very susceptible to
hackers and to unauthorized individuals.
    Given the important data bases that the Department
possesses, it would be a disaster if hacker penetration were to
occur in the State Department; to name just a few, the passport
system, the visa system, class systems. If a hacker were to
succeed, it would have a devastating effect on the functioning
of these items, not to mention the effect on commerce. The
Department takes in an enormous amount of revenue per day on
the issuance of those items.
    I believe that in creating a modern infrastructure,
utilizing a common platform and spending the nation's money
wisely are certainly critical elements on the road to
successful information technology management. We will find out
today if our State Department is on the right road or if they
have hit a dead end.
    Now I would like to turn to our other colleagues, the
Vice-Chairman of our Committee, the gentleman from Nebraska, Mr.
Bereuter.
    [The prepared statement of Chairman Gilman appears in the
appendix.]
    Mr. Bereuter. Thank you, Mr. Chairman. I have no comment. I
look forward to the testimony.
    Chairman Gilman. Judge Hastings.
    Mr. Hastings. Mr. Chairman, I have no opening statement at
this time.
    Chairman Gilman. Thank you.
    Mr. Rohrabacher.
    Mr. Rohrabacher. Just a very short statement for the
record. I am very concerned, Mr. Chairman, over reports that
the Chin Wa news agency, a Chinese agency that has ties to the
Communist Chinese government in Beijing--in fact, it is known
as having an intelligence connection with the government in
Beijing--has purchased a building in Arlington with the State
Department--at least with no protest from the State Department,
overlooking the Pentagon.
This building is a 12 story building that has very serious implications
to electronic intelligence operations, especially in relationship to a
direct overview of the Pentagon.
    I understand the State Department had no objection to this,
raised no objections to the Chinese taking over this building,
and I just think that there is--I do not know if this panel is
the one who could explain it. Probably not, but for the record
I would like to say that this is very unsettling news.
    It seems to me that somebody has got to have the
responsibility when things like this happen, and having an
intelligence arm of the Beijing government setting up a spy
nest, an electronic spy nest, you know, just in this position
overseeing the Pentagon is something that deserves our
attention. I thought I would put that on the record.
    Chairman Gilman. Thank you very much, Mr. Rohrabacher. I
hope some panelists will comment on it as we proceed.
    Today we welcome Mr. Fernando Burbano, the chief
information officer of the State Department. Mr. Burbano
assumed the position in May 1998, is responsible for the
Department's information technology policy and operations. He
oversees a budget of more than $500 million and the activities
of more than 2,000 employees who are engaged in information
management. He holds advanced degrees from the American
University and Syracuse University.
    Our second witness, Mr. Jack Brock, is director of the
government wide and defense information systems in the issue
area at the General Accounting Office. He is responsible for
information management, evaluations and reviews of computer
security issues for several agencies, including State, and he
has testified several times on these issues.
    The General Accounting Office [GAO] has developed guidance
for improving responses to computer security threats. Thank you
for putting our system back in operation.
He holds advanced degrees from the University of Texas and Harvard. Welcome.
    Our third witness is Dr. Mark Maybury. Welcome, Mr.
Maybury, of is it MITRE Corporation?
    Mr. Maybury. MITRE.
    Chairman Gilman. MITRE Corporation. Dr. Maybury comes to us
highly recommended because of his experience in the field of
worldwide system upgrades. He is the director of MITRE's
information technology division responsible for the advanced
research and development of intelligence and defense systems
supporting several government agencies.
    Dr. Maybury has taken a look at what it takes to build a
common platform, collaborative computing and knowledge
management within the foreign affairs community. He holds
several advanced degrees, including a Ph.D. from Cambridge in
artificial intelligence. We certainly appreciate his
willingness to come down from Massachusetts and educate us in
this highly technical field.
    We appreciate all of our witnesses being here today, and we
ask you to proceed with a summary of your statements. Without
objection, your full statements will be made part of our
record.
    I also want to welcome Mr. Wayne Rychak, a Deputy Assistant
Secretary in the Diplomatic Security Bureau at the State
Department. He is a member of the Senior Foreign Service, and
his positions with Diplomatic Security have included being
regional security officer in Islamabad and Pakistan.
    Mr. Rychak is here to respond to questions regarding
information security.
    Please proceed, Mr. Burbano.

STATEMENT OF FERNANDO BURBANO, CHIEF INFORMATION OFFICER, U.S.
                      DEPARTMENT OF STATE

    Mr. Burbano. Thank you, Mr. Chairman. Good morning, Mr.
Chairman and distinguished Members of the Committee on
International Relations.
    As the CIO for the State Department, I am pleased to report
significant progress managing the Department's information
technology resources.
This morning I will focus on actions we have taken to, first,
strengthen our computer security; second, improve the integrity and
quality of our IT strategic planning, our IT capital planning and our
management of IT resources; and, third, to achieve compliance with the
Overseas Presence Advisory Panel, OPAP, recommendations.
    Since my testimony is limited to 5 minutes, I have provided
a more detailed written report for the record.
    Computer security. In the past 2 years since I was
appointed CIO, the State Department has taken significant steps
in strengthening our computer security and the security of our
global communications networks. For example, we now have in
place a corporate information system security officer and
computer security incident response teams.
    Our systems are protected with an extensive array of
electronic firewalls, intrusion detection systems and a
comprehensive anti-virus program. We increased system security
training, conducted extensive independent network penetration
testing and installed a web based geographic information system
to collect cyber threat information.
    As additional examples of the Department's commitment to
computer security awareness, I have hosted the CIO Council
Security Awareness Day, Critical Infrastructure Protection Day
and a hacker briefing presented by an industry expert. All of
these are open to the entire Federal IT community.
    With our improved security posture, we have successfully
withstood numerous cyber attacks such as those that have
damaged other agencies and private sector web sites. For
example, we were successful in defending against an attack
after the NATO bombing of the Chinese Embassy in Belgrade when
we were bombarded with over 10,000 messages an hour for several
weeks.
    However, despite significant improvements in our cyber
security, we realize that the cyber underworld continues to
improve its weapons.
We routinely assess our presence on the internet, and so far we have
been successful in adjusting our protection measures to meet the
continuing and ever changing challenges.
    I also established a security infrastructure working group
known as SIWG to proactively oversee our enterprise
infrastructure and coordinate an integrated, department wide
security response. The SIWG is chaired by the Deputy CIO for
Operations and has representation from Diplomatic Security and
other bureaus.
    Let me briefly highlight our accomplishments in our IT
security over the last 2 years. We achieved 100 percent
completion of the 72 technical findings and the eight
management recommendations identified in the 1998 GAO computer
security audit. We achieved closure on Federal Managers
Financial Integrity Act, FMFIA, issues open since 1984.
    We revised the foreign affairs manual to include security
related policies. We globally deployed a computer security
self-assessment software tool known as Kane Security Analyst.
We conducted vulnerability assessments on our classified,
sensitive but unclassified and internet networks.
    In a joint effort with the NSA, we have begun a pilot
program using public key infrastructure to implement strong
identification and authentication processes. We are
implementing the risk management cycle as recommended in best
practices published by GAO and OMB and are implementing a
robust certification and accreditation program incorporating
the recently released national information assurance
certification and accreditation process known as NIACAP. My
written testimony describes these achievements in more detail.
    Now turning to Overseas Presence Advisory Panel
recommendations, particularly the actions we have taken to
address the challenges to obtain interagency coordination and
cooperation and to insure quality and cost effective program
management.
To insure that all foreign affairs agencies are
partners in developing solutions to the OPAP recommendations,
we have convened the OPAP interagency technology subcommittee.
This subcommittee, which I chair as the representative of the
lead agency, consists of the CIOs of the principal foreign
affairs agencies.
    To date, the cooperation between all of the foreign affairs
agencies in developing solutions to the OPAP report
recommendations has been outstanding. This reflects the fact
that over the past 2 years, through the CIO Council and its
various subcommittees, the CIOs had already established strong
relationships and had worked collaboratively on issues of
common concern.
    Specifically, we are progressing in our plans to deploy an
interoperable infrastructure accessible to all agencies to
improve communication and collaboration. Our OPAP architecture
approach emphasizes interagency connectivity and collaboration,
minimizing technical risk and leveraging internet and web
technologies.
    The intent is to build a browser based environment such
that agencies need not change their architectures to connect to
and use the OPAP facilities, and a range of connection options
will be accommodated. To provide the right information to the
right people at the right time, we are designing a knowledge
management system to share information across agency
boundaries. Security of the infrastructure will be addressed
through the use of technologies such as public key
infrastructure, data encryption and use of firewalls.
    In order to insure quality and cost effective program
management and avoid excessive cost overruns, we are following
a disciplined, standard project management methodology which we
have used successfully in our Y2K worldwide remediation
program, IT modernization program known as ALMA and the global
emergency radio deployment program.
I should point out that this methodology includes regular interagency
project review and approval points, such as control gates and check
points, and prototype and pilot tests and assessments.
    Accordingly, in fiscal year 2001, conditional on the
availability of timely and adequate resources, we plan to
implement a pilot program at two posts to test the interagency
developed solutions to the OPAP unclassified technology
recommendations. Mexico and New Delhi are being considered as
the pilot posts. Our goals and the effective participation of
other Federal agencies are achievable only with your support in
providing us the resources to continue.
    Turning to IT management and planning, the last section, in
the time remaining I will address our progress in responding to
the 1998 GAO report which raised issues about our modernization
program being at risk absent implementation of best practices.
We have made significant improvements in the management,
policy, planning and governance of our IT resources as we
demonstrated in our success at turning our Y2K program from an
F to an A, closing FMFIA issues and completing of a large
scale, global IT modernization project.
    Demonstrating the Department's compliance with the GAO's
management improvements recommendations, we have adopted an
enhanced capital planning process that involves all the key
stakeholders, including the CFO and other senior management,
Assistant Secretaries, to comply with the mandates of Clinger
Cohen and OMB Circular A-11;
    Created the Configuration Control Board, whose role will be
expanded to further strengthen the interrelationship with the
capital planning process; established the enterprise IT
architecture that is modeled after guidance issued by the
Federal CIO Council; included output and outcome measures in
our IT tactical plan linking the relationship of those measures
to mission effectiveness and efficiency;
    Instituted a disciplined life cycle management process
known as Managing State Projects to help insure a consistent
approach to all aspects of project management; and, last, we
continued to focus on well articulated goals that are presented
in our new IT strategic plan published in January of this year.
    Mr. Chairman and distinguished Committee Members, I would
like to conclude my testimony here today by assuring you that
the State Department, including senior management, is committed
to confronting the continuing challenges, including those which
will cogently be addressed by GAO today.
    We will work in partnership with your Committee, the GAO
and other agencies and other bureaus in the Department,
including Diplomatic Security, to provide exceptional IT
support to American diplomatic activities in the twenty-first
century.
    Thank you, and I would be pleased to answer any questions.
    [The prepared statement of Mr. Burbano appears in the
appendix.]
    Chairman Gilman. Thank you, Mr. Burbano.
    Mr. Brock, GAO.

  STATEMENT OF JACK L. BROCK, JR., DIRECTOR OF GOVERNMENT AND
        DEFENSE SYSTEMS, U.S. GENERAL ACCOUNTING OFFICE

    Mr. Brock. Thank you, Mr. Chairman. Thank you very much for
inviting us here today.
    We first met with your staff several months ago about the
Overseas Presence Advisory Panel [OPAP]. The main concern was
we do not want to have a hearing in 2 or 3 years and find out
that the Department has wasted $300 million or $400 million. We
want a return on investment. We want to make sure that the
goals and the objectives that were set out in the OPAP report
are in fact and that they are met efficiently.
    I think a concern that the staff had was based on a couple
of GAO reports on the IT environment at the State Department
and on the poor computer security, this concern was well
founded. Could in fact the Department spend the money wisely?
Could in fact the Department bring about the common platform
that is needed to support OPAP?
    Our work in computer security showed that the State
Department was highly vulnerable to both inside and outside
threats. We were able to pretty much walk around the
Department. There was generally a lack of oversight at the
management level.
    Chairman Gilman. Let me interrupt. You say there is a lack
of oversight in management at State?
    Mr. Brock. Oh, absolutely. Yes.
    Chairman Gilman. Thank you. We are curious about that
because we are working on the possibility of creating a new
management office. Thank you.
    Mr. Brock. The same thing on looking at major investments,
IT investments in the Department. There were a lack of
management controls and a lack of management processes.
    Both of those reports were done in 1998, and since then the
Department has made impressive strides in establishing good
management processes that should allow them, if implemented
correctly, to control their investments, to control their
computer security. I am a firm believer that good results come
from good processes. If you do not have good processes, good
results may or may not follow, but they are pretty much
sporadic.
    The Department has now laid a foundation for having a
better opportunity for achieving good results, and in fact when
we are looking at the OPAP project, which the early planning
stages are still underway, they in fact have a disciplined
process that they are following in determining what the
requirements of the platform will be, how much it should cost,
what sort of technology should be in place, etc.
They are doing a number of things that make sense, and they are pretty
much on target by the end of this fiscal year to have a detailed
implementation plan.
    While the Department I believe is well situated to move
forward into a planning process, we believe they also face I
think reasonably significant challenges in moving forward. I
would like to just spend a few moments discussing those
challenges.
    First of all, they have to work with eight or nine agencies
on this common platform, and that is difficult to do. I mean,
on paper they have the agencies in place. They all meet
together. They have regular meetings. Nevertheless, they have
different objectives. They have different needs, and in order
to optimize the common platform some of the individual needs of
various agencies might have to be suboptimized.
    It is this process that is difficult to negotiate and
achieve. We think that it is likely that many agencies may want
to continue operating their own technology, particularly if
they have systems that were recently acquired or upgraded.
    Second, no one agency by itself has the authority or the
ability to dictate a solution to insure the implementation of a
mutually developed solution. Third, although negotiations are
ongoing, details are still being worked out as to who will
manage and administer the new collaborative network.
    These challenges are answerable. They are doable, but,
nevertheless, they are challenges that have to face the
Department. This really has nothing to do with the Department's
status now in terms of good information over technology, but I
think a challenge that any organization would face trying to
bring together eight other organizations.
    The second challenge is on the matter of an architecture.
Right now the State Department has a level of architecture, but
it does not have a detailed architecture.
    If I could just briefly describe an architecture in more
common terms, if you have a Rand McNally atlas and you open up
the front page and you see the map of the United States, it
shows the major interstates going from the east coast to the
west coast and from the Gulf of Mexico to Canada. Well, you
sort of know how to get there and where you are going, but it
is only until you turn to the detailed maps inside the atlas
that you really know the best route to take from state to state
to state.
    I think right now the State Department has a pretty good
overview map, but they do not have those detailed maps that are
really necessary to dictate where the State Department wants to
go in terms of matching business solutions with technology. The
danger of not having an architecture in place is that sometimes
you in fact let technology dictate business needs, or you let
business needs dictate the wrong kind of technology, so you
really need to merge those two things.
    The danger of continuing or the risk of continuing in the
OPAP project while the architecture is still underway is that
there is a risk that the eventual OPAP architecture could
influence the State Department's final architecture in a way
that may not be optimal. Now, this is a risk I think they are
aware of and something that they need to follow throughout the
development of both the architecture and the project.
    The last challenge that the State Department faces is
computer security. This is a challenge that we found every
agency faces. Our recent reports have indicated that the 22
major Federal agencies all have significant computer security
problems. The findings that we had at State Department a couple
years ago, they are not unique to the State Department.
They are true everywhere on a government wide basis.
    The State Department has implemented our recommendations.
They have changed their management structure. They are in a
better position to deal with these problems. One of the things
that they have done at our recommendation is to begin to do
vulnerability assessments at key places. These vulnerability
assessments continue to find problems.
    I think a difference now is the State Department is finding
these problems, and they are fixing them, but I think it is
indicative that computer security is an ongoing concern. You
are going to have a new network, a new platform, new
opportunities for intrusion, and I think that the diligence and
the level of effort that the State Department will have to
exercise to this is going to be considerable, so that is a
significant challenge.
    The advantage is that you have now as an oversight body and
in fact an advantage that is also shared by the State
Department and the other agencies that are participating in the
OPAP project is that the planning for this is just now
seriously getting underway, and you have many excellent
oversight opportunities over the coming year.
    First of all, the State Department is developing a detailed
project plan, and they are going to be testing the concept at a
couple of pilot locations. This is a good opportunity to take a
look at the detailed project plan, to take a look at the
results of the pilot projects and say is this an investment
that is going to pay off? Does it show promise? Is it something
we want to pay for? Is it something that is showing results in
a couple of limited locations? Does it show promise?
    Second, the development of a detailed project plan also
allows the performance measures to be developed so that in fact
you will be able to say OK, here is where you said you would
be. Here is where you are. What is the gap?
What do we need to do to close the gap? Are you still on target--and
gives the State Department, the other agencies, as well as you as an
oversight entity, an opportunity to take corrective actions.
    The State Department is well positioned to develop a plan,
and I think that again this Committee is well positioned to use
this plan as a vehicle for monitoring the development of the
platform over the next couple of years.
    Mr. Chairman, that concludes my statement.
    [The prepared statement of Mr. Brock appears in the
appendix.]
    Chairman Gilman. Thank you very much, Mr. Brock. You have
given us a lot of food for thought.
    Mr. Maybury.

 STATEMENT OF MARK T. MAYBURY, EXECUTIVE DIRECTOR, INFORMATION
           TECHNOLOGY DIVISION, THE MITRE CORPORATION

    Mr. Maybury. Thank you, Mr. Chairman, distinguished Members
of the Committee.
    As executive director for the MITRE Corporation, I oversee
all collaboration computing activities at the corporation, and
for the past 5 years I have served and worked with the
Department of Defense very closely to develop a common
operating environment specifically responsible for the
collaboration and multimedia elements thereof.
    I will summarize my prepared statement, but I have provided
a lot of details that I would like to make part of the formal
record.
    Chairman Gilman. Without objection, it will be made part of
the record.
    Please proceed.
    Mr. Maybury. Thank you.
    Just a comment on the requirements for, the impediments to,
the costs of and the lessons learned from using collaboration
computing in knowledge management and other activities across
the government. I have attempted to address each of these
issues in detail, but I would summarize my statements.
    The first point I would like to make is that to create a
common operating platform for the Department of State and the
other agencies is a challenge, but it has great potential.
By \ncommon platform, I mean those infrastructure and applications \nthat are basic to long distance and cross agency collaboration, \nthings like directories, electronic mail, file sharing, desktop \nvideo teleconferencing, skills or expert data bases and shared \napplications.\n    I believe secure collaboration and knowledge management \nsolutions have promised to directly address some of the \nfundamental problems outlined in the November, 1999, OPAP \nreport, including increased global complexity, dealing with \nreduced overseas staffs, the need for increased global \nengagement and influence.\n    For example, if we take a look at the intelligence \ncommunity and the Intelink, classified internet, which MITRE \nhelped engineer, it has become the primary method for \nintelligence distribution throughout the intelligence \ncommunity.\n    Another example. In my written statement I detail how \ncollaborative technologies have fundamentally changed the way \nthe Air Force operates by creating virtual air operations \ncenters. Another example. The Navy and the Joint Forces have \nbeen able to put Tomahawk cruise missiles on target faster and \nmore accurately during war.\n    At the MITRE Corporation, as I have also submitted in my \nmaterials, there are several CIO magazine articles outlining \nour internal internet which has been used to share knowledge \nglobally. These systems have improved the timeliness and \nquality of operational processes. For example, in a major \nexercise last year, the Air Force was able to improve their \nefficiency of operations by 50 percent. With focused effort, \nthe foreign affairs community can enjoy these same benefits.\n    My second point is that the success of the common platform \nfor the Department of State will require both knowledge \nmanagement and collaboration technologies. 
I will not detail \nthese, but, in short, collaboration technologies are those that \nallow people to share information across time in both different \ntimes, as well as across different places.\n    For example, if you want to support a team working at a \ndifferent time and a different place, you could use electronic \nmail, or if they are working at the same time, but in different \nplaces, you could use technologies like instant messaging, \ntechnologies like desktop video conferencing.\n    In contrast, knowledge management can be enabled by \ncollaboration, but it is distinct, and it refers to processes \nthat allow us to find experts, to map the knowledge in an \nenterprise or across enterprises, to integrate knowledge and to \ndisseminate knowledge.\n    My third point. Because of the difficulty of predicting how \npeople and organizations will use collaboration tools and the \nrapidly changing underlying communications, networking and \ncomputing infrastructure, it is essential that the creation of \nthese systems be done in what is called an incremental spiral \nacquisition process.\n    This is in contrast to the traditional waterfall approach \nwhere development of a system follows a strict sequential \nprocess from requirements to design to implementation to \ntesting and in contrast is more of an iterative process in \nwhich these things are done in parallel.\n    Accordingly, the government needs to depart from its normal \nlengthy purchasing process to build a little, test a little, \nlearn from mistakes and be willing to adapt to change. Planned \nobsolescence is part of this process, and these systems can be \nvery costly. 
In fact, when you cost these systems you must look \nat full life cycle costs to include the cost to acquire the \nsystem, the cost to implement it, steady state costs, as well \nas indirect costs, including intangibles such as down time and \nuser satisfaction.\n    Incidentally, I have included in these articles the cost \nanalysis that MITRE has utilized that was highlighted in the \nFebruary CIO article where we invested $7 million and were able \nto show over $50 million in return on investment.\n    While a spiral development process does not guarantee an \ninexpensive solution, it does minimize the risk that money will \nbe wasted. Success in creating a secure common platform for the \nDepartment of State and other agencies requires clarity of \nvision, buy in from the foreign affairs community, explicit and \nmeasurable business outcomes, but flexibility in technology, \nschedule, budget and specifications.\n    Mr. Chairman, I have a few more points. I do not know if \nyou would like me to stop or finish.\n    Chairman Gilman. Well, we are going to be called for a \nvote. Why do we not dig into the questions, if you would?\n    Mr. Maybury. That is fine. Thank you.\n    [The prepared statement of Mr. Maybury appears in the \nappendix.]\n    Chairman Gilman. I want to thank all of you for being \nconcise in your presentations.\n    We will continue right on through the vote with the \nquestioning. I am going to ask my colleagues if they would want \nto go, and we will continue so we will not have a delay.\n    First of all, Mr. Burbano, last week Undersecretary Cohen \nstated that various technology systems were still out of date, \neven though the Department has replaced all of its Wang \nsystems. When can we expect the needed reorganization to be \nachieved that is so sorely needed? Which systems are top \npriority, and do we have the appropriations that are needed to \ndo what you are seeking?\n    Mr. Burbano. Mr. 
Chairman, the answer to that question I \nthink goes right to the heart. It is the funding. We do not \nhave the funding to completely overhaul the systems.\n    The majority of the unclassified systems have been \nmodernized. The classified system is where we still have a \nlot----\n    Chairman Gilman. How much will be needed, Mr. Burbano?\n    Mr. Burbano. Approximately close to $200 million.\n    Chairman Gilman. I understood from my staff that there is \n$500 million available for information technology. Is that fund \navailable to you?\n    Mr. Burbano. We are using it. I mean, it is not a fund that \nis available for things we have not used it for. Believe me, we \nare making use. Our budget is, you know, as stated earlier, \n$500 million.\n    Chairman Gilman. So you are limited in the appropriations \navailable to you?\n    Mr. Burbano. Yes. Absolutely.\n    Chairman Gilman. And what is the shortage?\n    Mr. Burbano. For the classified systems, close to $200 \nmillion.\n    Chairman Gilman. You need another $200 million?\n    Mr. Burbano. Yes.\n    Chairman Gilman. Mr. Brock, your statement noted the State \nDepartment networks remain highly vulnerable to exploitation of \nunauthorized access. That is based on four computer security \nevaluations of its unclassified networks.\n    What do these findings suggest for efforts to develop a \ncommon platform? Both Mr. Brock and Mr. Burbano, has any \ncorrective action been taken? Have such risk assessments been \nmade on the classified system? I direct that to both of you. \nMr. Brock?\n    Mr. Brock. First, I do not think that it is unusual that \nevery time you do one of these vulnerability tests that you \ncontinue to find holes. One of the reasons that we advocate a \ncontinuing of vulnerability assessment is in fact to find holes \nbecause they always creep up. 
If you are not constantly \nvigilant, you will end up with a serious mess on your hands.\n    We did not go in and evaluate the repairs that the State \nDepartment made. We did note that they did take corrective \naction in the four reports that we examined. The fact that \nreports, though, continue to show vulnerabilities, which again \nI do not find particularly surprising, indicates that there is \nstill a need for constant vigilance.\n    The thing the Department has done differently since our \noriginal report, though, is put in more centralized management \nand in fact established a control. Before our initial report \nthey never did their own vulnerability studies. At least now \nthey have the capability of determining on their own where they \nhave weaknesses and then being able to take corrective action \non a more timely basis.\n    But again, that just points out that when you are putting \nin a new platform, as I mentioned in my oral statement, that in \nfact you are assuming a certain risk. You need to determine \nwhat that risk is. You need to determine the appropriate \ncontrols that should be in place to minimize that risk, and \nthose controls are going to cost you some money. That has to be \nfactored into the life cycle cost of the overall project.\n    Chairman Gilman. Mr. Brock, you noted that the panel \nreported the condition of U.S. post submissions abroad as \nunacceptable, and the panel found the facilities overseas had \ndeteriorated, human resource management practices are outdated \nand inefficient, and there is no interagency mechanism to \ncoordinate overseas activities or manage their size and shape. \nWhat is your recommendation to correct that?\n    Mr. Brock. 
Well, we did not specifically go over and \nevaluate those conditions, so we have made a general assumption \nbased on other material that those conditions were reasonably \nand accurately reported.\n    In fact, the process that the State Department is leading \nnow is supposed to address those conditions and make \nimprovements, which is one of the challenges that we mentioned. \nIn fact, to get all eight or nine agencies to agree to make \ncertain changes is going to be a difficult task.\n    Chairman Gilman. I am going to reserve my questions. Mr. \nBereuter has another engagement. I am going to pass the time to \nMr. Bereuter.\n    Mr. Bereuter [presiding]. Thank you, Mr. Chairman. I \nappreciate that courtesy.\n    One of the difficulties for some of us is that you \ngentlemen use terminology which is not always clear to us, and \nI am sure we do the same, but, as I understand it, you are \npreparing or are you updating information architecture, a plan \nfor information architecture for the State Department.\n    Is it an update would you say realistically, or is it the \nfirst time you are comprehensively attempting to look at and \ndevelop an architecture? Mr. Burbano.\n    Mr. Burbano. We have developed already, as in a written \ntestimony in April 1999. We put out our first high level, as \nMr. Brock stated. It is high level architecture that brings the \nState Department into the modern age, and we are developing \nright now the details of that IT architecture, so we came out \nwith the first published IT architecture.\n    There was a default one, you know, because you always \noperate with one, but it was not necessarily a formally \npublished architecture prior to that one.\n    Mr. Bereuter. Mr. Burbano, you heard the analogy used by \nMr. Brock about the Rand McNally overall front page map, and he \nsuggested that what is lacking to some extent----\n    Mr. Burbano. Is the details.\n    Mr. Bereuter [continuing]. 
Are the details within that \noverall framework.\n    You have a good framework in place, as I understand your \ncomment, Mr. Brock.\n    How far do you intend to go in Mexico City, and where is \nthe other pilot?\n    Mr. Burbano. New Delhi.\n    Mr. Bereuter. New Delhi. Are these picked because you think \nthat they will be good models for you to work with, to make an \nassessment on?\n    Mr. Burbano. Yes. In fact, you know, those models were \npicked with the whole interagency group; not just the IT \ninteragency group, but the interagency group for OPAP that is \noverlooking the right sizing and the buildings/facilities and \nthe IT portion, the three groups underneath that. They are the \nones that decided along with the three groups underneath that \nthose were the best sites.\n    The reason they are the best sites is because of the \nrepresentation there from the other agencies, which is what you \nwant to do for the collaboration.\n    Mr. Bereuter. Now, what I am looking for is some \nreassurance that the plan that you are developing or refining \nfor the information technology for the State Department will \nsurvive changes in technology.\n    Mr. Burbano. Yes, it will, and that is one of the key \npoints. It is a refresh. We are doing that right now with our \nvery successful ALMA program, which is another logical \nmodernization program that we have that replaced all these \nWangs on the unclassified system. That was very successful.\n    We have a refresh program, which is part of our Managing \nState Project management system that Mr. Brock spoke about that \nhas been successful, and that includes a refresh to make sure \nwe stay up to date. We are doing that right now with the ALMA \nsystem, and we did that also with the very successful Y2K \nsystem and also with the global overseas radio program.\n    Mr. Bereuter. Thank you very much.\n    Mr. 
Brock, I want to have some assurance that what is being \ndeveloped in fact will survive upgraded technological changes \nthat are brought to bear in terms of new equipment, new \nsoftware, things that perhaps we do not even anticipate at this \npoint.\n    I want to understand that this plan is going to be \nsurvivable, that it will be credible, that it will reach beyond \nthe current technology and that we will not find ourselves \nhaving to start all over picking up the pieces as a result of \nchanges in technology.\n    Do you have anything you can say to me about the plan as \nbeing developed?\n    Mr. Brock. Well, I cannot offer you those assurances \nbecause the plan is not complete, but what you have really done \nis laid out a very basic expectation that is true of any \narchitecture. That is one of the very first things that you \nneed to do is to use this to provide some assurance that the \ndollars you are going to be spending are in fact not going to \nbe wasted.\n    The disadvantage of not having an architecture is that \nevery investment that you make may or may not fit into the \noverall structure, so you have incompatible systems. You have--\nin other words, they do not talk to each other. You know, you \nbuy Macs one place and PCs another place, and you cannot \nexchange software.\n    We have numerous examples of where a lack of a defined \narchitecture has caused agencies billions of dollars in wasted \nmoney, so I think the answer to your question, and I apologize \nfor going on, is that right now I cannot provide you that \nassurance. I can provide you an assurance that they do have a \nhigh level architecture that makes sense.\n    They are developing the necessary artifacts, the individual \nRand McNally pieces, and those need to be examined as we go \nthrough the process to see if in fact they will provide that \nrichness that you are asking for.\n    Mr. Bereuter. I will just make one more statement really \nbefore I turn it over to Mr. 
Rohrabacher as I go to vote.\n    I understand how difficult--I think I understand in part \nhow difficult this interagency process might be to develop an \nagreement as to what is appropriate in taking secondary levels \nof benefits perhaps in order for the uniform effort to move \nahead.\n    I believe I understand that the intelligence community and \nthe State Department have just basically decided they cannot be \nas compatible as the Congress had hoped they would be and that \nthere is something in an appropriation bill, in an intelligence \nauthorization bill, which suggests that that is the case, so I \nhope perhaps you might be able to address that in your comments \nfor the record here. If I have given you enough information to \nproceed, I am asking any of you after I leave.\n    Mr. Rohrabacher, are you ready to take over?\n    Mr. Rohrabacher [presiding]. Thank you.\n    Mr. Bereuter. Thank you.\n    Mr. Rohrabacher. Oh-oh. I am in charge now.\n    Doug, you left a question on the table?\n    Mr. Bereuter. If they care to address it.\n    Mr. Rohrabacher. Please feel free.\n    Mr. Maybury. Yes. I would like to address that. The \nintelligence community is part of my IT subcommittee, \ninteragency subcommittee. John Dams, who is the IC CIO for all \nthe intelligence community, is a member, and he also has \nrepresentation in the other groups.\n    As far as I have seen directly, along with my other two \nsubgroups, there has been excellent cooperation. There is buy \nin. The only statements that I have personally heard and also \nmy group leaders has been that, you know, you have to make sure \nthat we do not lower our security standards, which I totally \nagree, and nobody has said that we are going to lower them.\n    In fact, the opposite. We are upping our security \nrequirements because we know that the internet, you know, has \nholes like Swiss cheese, so we want to make sure that we \nstrengthen our security. 
We are doing that, as I stated in my \noral and written statements.\n    You know, we are going to be using industrial strength \nfirewalls, PKI, digital certificate and signatures and also \nencryption, anti-viruses, every available tool that is out \nthere to properly do and transact business on the internet in a \nsecure manner.\n    As far as my relationships, and I am also a member, by the \nway, of the intelligence community CIO Council. I sit on the \nexecutive council. I work closely with John Dams, and as far as \nI know the intelligence community is, you know, on board with \nus. I have talked to John. As I mentioned, he is the \nrepresentative for the intelligence community, and he is on \nboard.\n    Mr. Rychak. May I add to that?\n    Mr. Rohrabacher. Yes. Sure.\n    Mr. Rychak. I think it is also important that we make the \ndistinction between our classified systems and the \ninterconnectivity, the proposal to interconnect classified, and \nwhat is being done right now, and that is looking at our \nunclassified systems and interconnecting with the other \nagencies.\n    Certainly the classified interconnectivity is a goal, but \nthat is much longer term, and indeed there are some strong \nopinions as to how that could be done securely in the long run \nbringing in agencies that have very different backgrounds and \nsensitivities as it relates to information. The effort, though, \nthat is ongoing right now deals with unclassified systems.\n    Mr. Maybury. If I could make a comment? Two comments. 
One \non the architecture point and one on the interoperability \npoint.\n    In my written statement with respect to the Department of \nDefense, we have been working for the past 5 years with many \narchitectures, and I would strongly urge that there not be one \narchitecture; there be several architectures that are tightly \ncoupled.\n    Just as you would not use the same map for a pilot as you \nwould for somebody who is driving a truck as you would for \nsomebody who is walking through a historic district in a city, \nyou similarly will not use the same architecture in an \ninformation system for people who have different tasks or who \nare looking at different levels.\n    To be specific, it is important to have a functional \narchitecture, what you want to do with the system; a systems \narchitecture, what are the components, what are the \nconnections; and a technical architecture, that is one that \nspecifies the standards, if you will, the rules of the road \nthat show how these systems are going to work with one another. \nIf you only have one of those, you have an incomplete \narchitecture.\n    With respect to technical standards, I have included in my \nwritten testimony the standards we use, which are international \nstandards. They are not government standards. They are \nstandards such as the International Telephony Union, such as \nthe Engineering Task Force. These are standards bodies that \nbuild or, if you will, that specify the building codes to which \ncommercial tools are created.\n    It is essential that we have standards in interoperability \nthat comes from those because if we want to protect ourselves \nfrom our investment and to insure interoperability in the \nfuture, those kinds of, if you will, building codes will help \nus do that.\n    Mr. Burbano. 
If I can, I would like to add a point to that \nsince the architecture is a very key point.\n    To show you how committed and a firm believer I am in the \narchitecture, we have actually gone beyond the Clinger Cohen \nrequirements for IT architecture. We have also developed a \nbusiness architecture and a security architecture, which will \nbe a requirement in the near future, which is not a requirement \nright now, and we have those in draft. We are working with GAO \non that.\n    In terms of the collaboration, I would just like to say, \nbecause that was an issue that was brought out also in an \nearlier question. As I stated, because of Clinger Cohen I think \nthat the OPAP implementation is going to be a lot easier than \nprior to Clinger Cohen because there is now a CIO Council, and \nthe CIOs of the top 24 and also the other 50 CIOs or so of the \nsmall and medium agencies get together on a monthly/quarterly \nbasis.\n    That has produced a very strong collaboration that will \nspill over and is spilling over to the OPAP. That would not \nhave existed prior to the Clinger Cohen, so I think we have \nexcellent collaboration.\n    Mr. Rohrabacher. Thank you very much.\n    The Chairman is back, but I will, with the Chairman's \npermission, proceed with my 5 minutes.\n    Chairman Gilman [presiding]. Please. Please.\n    Mr. Rohrabacher. Which I have not had yet.\n    Chairman Gilman. By all means.\n    Mr. Rohrabacher. Let me just say, first of all, I stated \nsomething for the record at the beginning, and I just want to \nfollow up on that 1 minute, but let me just say that from my \nperspective it seems like we are starting this effort that you \nare talking about really late in the game here. This is near \nthe end of this Administration, and all of a sudden we are \ntalking about security.\n    Quite frankly, Mr. Chairman, this Administration does not \nhave a very good track record in terms of security in the \noperations of our Federal agencies. 
One need only look at the \nongoing crisis, for lack of a better word, surrounding Los \nAlamos and what has been going on there for what appears to \nhave been going on for years and years and years. I realize you \nfolks are not responsible for that. Maybe you will have some \nresponsibility for that or parts of that. I do not know.\n    Then we hear stories about missing laptops. Now, where does \nthis missing--I mean, I understand there is at least one \nmissing laptop that dealt with top secret security information. \nWhere does that fit into what you are doing here?\n\n   STATEMENT OF WAYNE RYCHAK, DEPUTY ASSISTANT SECRETARY FOR \n         DIPLOMATIC SECURITY, U.S. DEPARTMENT OF STATE\n\n    Mr. Rychak. Sir, to answer your first question, security is \nnot a new issue. The comments that Mr. Brock made regarding the \nimprovements, and there have been substantial improvements \nwithin the information and security program at the State \nDepartment. Those have been occurring over the course of the \nlast 3 years.\n    When the GAO issued their report in the fall of 1998, \nfrankly it was a wake up call for many of us that are in the \noperational side. We have focused great effort and attention in \nenhancing processes, as Mr. Brock has pointed out; processes \nsuch as security awareness training, vulnerability and risk \nassessments, evaluations, audits, network monitoring.\n    Mr. Rohrabacher. Let me interrupt you for one moment.\n    Mr. Rychak. Yes.\n    Mr. Rohrabacher. 
And I respect all the procedural things \nand the descriptions of the type of--I mean, you are going \nthrough this in a systematic way and saying how can we make \nthings better in relationship to a GAO report.\n    It is difficult for me to understand how to instill a \nsecurity consciousness among professionals like we have at the \nState Department who work for the government when we have an \nadministration that is claiming that America's most severe \npotential enemy, America's worst potential enemy, is a \nstrategic partner.\n    I mean, for 2 years, for 3 years, we had the State \nDepartment over here, of course, doing what they were told to \ndo because the President of the United States was making the \npolicy that the Communist Chinese should be referred to and the \noperating words were strategic partner.\n    It is difficult for me, frankly, to sit and to listen to a \nvery serious discussion, which you are having here, about your \nprocedures when it is done under an umbrella of or an \natmosphere that is being created by an administration insisting \non calling our worst potential enemy a partner, and not only \njust a partner, but a strategic partner.\n    Now, I am not going to ask you to attack the Administration \nbecause you would not be diplomats if you did, but I just \nwanted to note that for the record.\n    Let's go back. Let me go back to that first issue that I \nraised in my opening statement. Here we have, and I think \nrational people have to--I think rational people all along \nunderstood that Communist China was not our strategic partner, \nbut was instead a potential enemy. I am not saying that they \nare an enemy, but at least our worst potential adversary.\n    Here we have what almost everyone recognizes as our most \ndangerous potential adversary buying a building right across \nfrom the Pentagon with obvious electronic capability, spying \ncapabilities. Has there been any discussion? 
There was no \napparent objection from the State Department, which would have \nhad some say in this.\n    Have there been discussions with the Defense Department or \nthe CIA concerning this potential security problem?\n    Mr. Rychak. Sir, when you first raised this question you \nsurmised that there would probably be no one on this panel that \ncould directly answer, and you are correct.\n    I will tell you that the Department's Office of Foreign \nMissions would be the entity that would normally deal with \nthese types of issues, any acquisitions by foreign governments \nof property. I am sure that this office was involved.\n    I cannot speak of any of the details. I learned of this, as \nyou did, this morning on the news. We would have to get back to \nyou on your question.\n    Mr. Rohrabacher. But would it be the FBI would then be in \ntouch with the State Department, who would then do something \nofficial in terms of looking into that to see if the charges \nthat this was an arm of Chinese intelligence and if it was to \nmake the appropriate moves to prevent this from happening?\n    Mr. Rychak. It is normally----\n    Mr. Rohrabacher. Is that the way it would work?\n    Mr. Rychak [continuing]. FBI, State Department and then the \nintelligence community. It is normally a coordinated effort to \nlook at the potential hazards and threats that could be posed \nby a foreign government's presence anywhere in the United \nStates.\n    Again, I cannot speak to any of the details, though, on \nthis particular issue.\n    Mr. Rohrabacher. And your role that we were talking about \nearlier is that when the agencies get together and they want to \ncommunicate via their computer system that you are just trying \nto see now that the computer system--someone does not hack into \nthat or that that is a protected communications apparatus? Is \nthat right?\n    Mr. Rychak. Yes. 
Certainly one of my roles is to do what is \nnecessary to put into place a comprehensive and effective \nsecurity program to protect that information. Yes.\n    Mr. Maybury. If I could make a comment on that?\n    Mr. Rohrabacher. Sure. Go right ahead.\n    Mr. Maybury. With respect to there are a whole set of \nvulnerabilities that I know the State Department is aware of \nand they have been actively addressing via a variety of \nmechanisms, such as access by unauthorized users, denial of \nservice and so on.\n    I think that it is important to note particularly when we \ntalk about distributed collaboration systems that there are new \nclasses of vulnerability that are inserted or potentially \nthere. In fact, we are actively working with, and I cannot \nspeak to this in this open session, but with government \nagencies to develop new technologies to apply to essentially \nprotect some of these systems.\n    For example, one might want to have if you are \ncommunicating instead of over a phone using a computer to \ncommunicate, you may want to encrypt that kind of audio, for \nexample. These are new functions that will be made available in \nthe future, but we do not have them yet. There are new \nvulnerabilities that we do not yet have protection for that we \nneed to either invest in or create.\n    Mr. Rohrabacher. Well, I am pleased to see that we have \nsome people who understand all of this computer. We were just \ndiscussing this. Congressman Hastings and I were discussing \nthat we are not experts, unlike Ben, who understands all of the \nnew computer system and the new technology. We are very happy \nthat we have some real professionals who are involved in this, \nand we thank you, Mr. 
Maybury, and you gentlemen for spending \nyour time and your professional expertise in this.\n    Just again for the record, I would like to say just again I \nam not doing this to be political, Al, but I just think the \nrecord of this Administration in this area has been--I worked \nfor the White House for 7 years, and I remember what it was \nlike, the atmosphere in the Reagan Administration concerning \nsecurity issues, and the record of this Administration when you \nconsider Los Alamos and some of these other things that we know \nabout has just been abysmal.\n    This Administration should hang its head in shame in terms \nof the national security interests of our country in terms of \nthis area. I am pleased, however, at this part of the game and \nthat some professional attention is being spent in this area.\n    Thank you very much, Mr. Chairman.\n    Chairman Gilman. Thank you, Mr. Rohrabacher.\n    Judge Hastings.\n    Mr. Hastings. Mr. Chairman, thank you so very much. My dear \nand good friend from California would not dare do anything \npolitical, nor would I.\n    Under the circumstances, I remind him that when he worked \nat the White House in the Reagan Administration a call on a \ncell would have been from a jail. The IBM machine was \nconsidered something forward thinking, and everybody thought \nthey had arrived. Indeed, most of what you were doing was using \ndictating machines.\n    The problem that I have is that it seems that the \ntechnology is overwhelming, and I see that as problematical for \nnot only our governmental agencies, but for all of us until we \nreach whatever the optimum condition is that it is likely to \nreach, and the way it is spiraling that is hard to envision \ntaking place at some point in the not too distant future.\n    I would like to ask two quick questions, and then I would \nlike to just, if I could, give you an overview of what I just \nsaid with more specifics in mind.\n    Mr. Burbano or Mr. 
Rychak, has the Diplomatic \nTelecommunications Services, which you know is an interagency \ncommon platform for secure communications, been a wise and \neffective investment from an electronic communications \nperspective, and how crucial do you feel the continued \noperation of DTS-PO as an interagency run common system to be \nfor the success of a common computer system? Either of you.\n    Mr. Burbano. OK. I will take first a first stab at it. DTS-\nPO, which you are speaking to, I think is important, and I \nthink the collaboration among the agencies in the support of it \nis important.\n    I think the problems have definitely been there due to not \nthe organization, but funding. Frankly, it has been severely \nunderfunded, and what has resulted, the biggest problem is the \nlack of bandwidth to support the overseas community. That is \nfunds, so it is a funding problem, but we need to maintain the \norganization, and it needs to be, you know, collaboration \nbetween parent companies.\n    Mr. Hastings. All right. Thank you. Some years ago I had \nthe good experience of visiting Australia for the first time, \nand I use this as just a metaphor, so to speak, for what I am \nabout to suggest or ask.\n    I did not know the fierce rivalry between Melbourne and \nSydney. Apparently at one point they disliked each other so \nintensively that when they were building their rail systems, \nthey built them in a manner that when they came together they \ndid not fit.\n    I am curious from your perspective whether or not we are \ninvolving enough people when we talk about collaborative \nnetworks, collaborative technology, interagency connectivity, \nand by that I meant this. 
I served in the judiciary, and we \nalways were last to get stuff that was needed, yet we were \ninvolved in matters of security far beyond some of the things \nthat I see here in the legislative branch.\n    My concern is that at some point there has to be not just \nfor the State Department or the CIA or the FBI or the Defense \nDepartment, but there has to be some collaboration with all of \nthem, including the legislative, executive and judicial \nbranches of our government, and calling upon experts from each \nof those areas to work with the people that are developing it. \nIn other words, the State Department may fool around and \ndevelop the best, and GAO may not have that. We have seen that \nhappen over and over again.\n    Do any of you have that concern, or if I am talking about \nbreadth as it pertains to security including all of government \nis that too much to ask?\n    Mr. Brock. No, it is not. It gets back to a question Mr. \nRohrabacher was going into.\n    We have testified many times over the past year. The \ngovernment has overall very poor computer security. There is no \ncentral leadership or management or limited central leadership \nand management. Some of the things that you are talking about \nsuch as the building overlooking the Pentagon going to threat \nassessment, the United States is not well equipped to do threat \nassessment. Information is not shared freely among agencies.\n    The ``I LOVE YOU'' virus, which the State Department was \ninternally successful at resisting, was not successfully \nresisted by many other agencies. The National Infrastructure \nProtection Agency at FBI did a very poor job of sharing \ninformation on the virus and coming up with relevant \ninformation.\n    Earlier this year, the President released the national plan \nto protect the critical infrastructure. 
The key element of that \nplan was to say that the government will be a model so that the \nprivate sector will want to participate, and they acknowledge \nin that that the government is not a model; that there is a \nlong way to go.\n    So the issues you are talking about are much broader than \nthe State Department.\n    Mr. Hastings. Right.\n    Mr. Brock. They do encompass other agencies, and they need \nto be looked at as part of a whole cloth.\n    Mr. Hastings. Right. The other thing, Mr. Chairman, that I \nraise, and this will be my final question on this round, has to \ndo with what I think is just good sense, and that is that, for \nexample, on the criminal side of matters totally unrelated to \nthe State Department.\n    When a 17-year-old hacker is discovered that is brilliant \nand they take him to court, a lot of times they give him a \njob--do you understand what I am saying--so they can decide to \nuse this kid. Now, that raises the question that I have.\n    I listened to you all this morning, and just generally \neveryone that I have heard, from encryption all the way back \nacross to all of the agencies that I have been faced with in my \nresponsibilities as a policymaker, I have heard over and over \nand over from extraordinarily competent individuals like \nyourselves, and I do not mean that patronizingly. I do not know \nwhat either of you make. I suspect from my point of view you \nare underpaid by comparison to what happens in Silicon Valley \nand other places.\n    I guess, Mr. Burbano, since you have the highest budget as \nI heard the Chair announce, do you feel that in an effort to \naccomplish just inside your agency the things that you need to \naccomplish that you would--a special category of funding to \ngive to exceptional individuals to keep them on board or to \nbring in bright people? 
Would that be helpful?\n    In other words, you have a GS whatever--I never have known; \nGS-14, GS-15--when you need to be paying somebody $200,000 to \ndo what needs to be done. Am I off the mark here?\n    Mr. Burbano. No. No. You are right on target. In fact, one \nof the things that I addressed besides computer security and \nY2K was the work force issue was a priority of mine, and that \nwas in fact what you were saying. Not only to recruit, but also \ntrain and also retain----\n    Mr. Hastings. Retain.\n    Mr. Burbano [continuing]. IT workers in security and all \nthe other areas.\n    What we in fact have done as a first step--I call it a \nfirst step because we need long term steps. We created the \nfirst agency in the Federal Government to create both a \nrecruitment and retention allowance and bonus program, so for \nrecruitment we have up to 25 percent recruitment bonus, and \nalso we worked out with OPM so we can bring them in at higher \ngrades and steps than normal, so that is on the recruitment \nend.\n    On the training, we have added up to around $4 million \nextra to train our new employees, and to retain them we were \ncertainly the first agency to come up with what we call \nretention allowance based on certifications like Microsoft, \nOracle, Cisco, and also on, you know, whether you have a \nBachelor's in Electronic Engineering or Master's in Computer \nScience and so forth. You can get up to 15 percent in retention \npay, so we can keep those employees and not just bring them in \nthe pipeline.\n    We have done that. What still needs to be done, though, for \nthe long term is we are still working with the ceiling, so you \nare very right. 
What we need to do, and the CIO Council and the \nState Department is working with the CIO Council to try to \ncreate a new IT pay scale across the whole Federal Government, \nnot just State Department, that will be competitive with \nprivate industry.\n    The National Academy for Public Administration [NAPA], has \nactually been chartered to do that study, which as you well \nknow was chartered by Congress and is independent of the \nexecutive branch, is doing a study at the request of CIO \nCouncil and working with the CIO Council and OPM to look at the \nIT pay scale.\n    Mr. Hastings. Well, I thank you all, and I thank you, Mr. \nChairman.\n    Mr. Maybury. Could I add a comment to that if it were \nuseful? Just some facts for the record again in industry \nperspective.\n    Seven out of the top ten fastest growth, according to the \nDepartment of Labor statistics, job categories are information \ntechnology job categories. Several years ago that was only \nabout two or three. The average annual attrition rate of IT \nprofessionals in this country is roughly 14 1/2 percent.\n    Mr. Hastings. Would you say that again?\n    Mr. Maybury. Fourteen and a half percent is roughly the \naverage turnover rate nationally in terms of----\n    Mr. Rohrabacher. Per year?\n    Mr. Maybury. Per year. That means if you have 10 employees, \nall right, 1.4 of them will leave every year.\n    Fifty thousand new graduates, both undergraduate and \ngraduates, according to Education's statistics, will graduate \nevery year. The annual growth rate in the IT industry is about \n130,000 jobs added every year. So you do the math, and, yes, \nthere are the disciplines that people can come from, but there \nare not that many. 
You do the math, and there is a huge \nshortfall.\n    We have been tracking this actually very closely in Defense \nobviously in the private sector, and I strongly concur with the \nactivities that State and others have been doing in this area, \nand it will only get worse.\n    Mr. Hastings. Thank you very much.\n    Chairman Gilman. Thank you, Judge Hastings.\n    Gentlemen, I have a few questions. Mr. Rohrabacher, if you \nhave any additional questions.\n    Dr. Maybury.\n    Mr. Maybury. Yes, sir?\n    Chairman Gilman. Your statement addresses the \nrecommendation that State and the embassies have greater \ninternet access, acknowledging the expansion of the internet \ncan provide more pathways for intruders.\n    How does one balance the need for a safe and secure system \nand yet greater access to the internet?\n    Mr. Maybury. Well, I think one needs to do a business case \nanalysis and to sort of have a managed approach to security. \nOne needs to understand the risks and the vulnerabilities \nwithin those systems and then come up with a very specific \nunderstanding of what the costs, either those that are \nfinancial, national security or potential human life loss if it \nis a rather serious set of information, and one has to measure \nthe associated reactions or preparations one can engage in to \nrespond to those.\n    In my testimony I give some specific examples of particular \napproaches, some of which State has already employed, to \naddress those vulnerabilities.\n    Chairman Gilman. So what you are saying is you can make any \nsystem secure. It is just how much you are willing to pay for \nit. Is that right?\n    Mr. Maybury. Well, I want to be careful because, you know, \nthere is no absolute security. 
Security includes personnel \nsecurity, physical security, as well as electronic digital \nsecurity.\n    There are areas where we simply today do not have answers \nbecause, as I mentioned before, there are new technologies, new \nfunctions, including new vulnerabilities that are introduced \ninto the infrastructure every day.\n    What that means is if the risk is constantly changing, you \nhave to be vigilant. You have to have a process that \ncontinually looks at those literally on a daily basis and comes \nup with corrective technologies, procedures, policies to \naddress them.\n    Chairman Gilman. Mr. Brock, in examining security aspects \nof all of this, is State Department doing something about \nmaking security a priority amongst its personnel?\n    Mr. Brock. I think the State Department has made it a \npriority, but I think, as Dr. Maybury was alluding to, it has \nto be ongoing. It has to be constant.\n    If I could just add a bit to his response? Most of the \nproblems that we see on computer security when you are doing \nthe tradeoffs between security and how much you want to spend \nis based on the absence of any sort of risk assessment; that \nyou should not establish controls until you know what your risk \nis, and risk is a function of the threat and of the \nvulnerability of the system. So if you had a system with very \nlimited threat and not very vulnerable, you do not need to \nspend much on control.\n    Chairman Gilman. Who at State has the authority or the \noversight on risk assessment?\n    Mr. Brock. That would be Mr. Burbano.\n    Chairman Gilman. Mr. Burbano, is someone doing the risk \nassessment?\n    Mr. Burbano. Yes. In fact, it is a joint effort with my \ncolleague, Wayne, in Diplomatic Security.\n    We have established a very strong program. 
As an example, \nwhen I first came on board I worked with the Assistant \nSecretary for Diplomatic Security to bring in the first outside \npenetration testing, Lawrence Livermore, NR systems or \nunclassified systems.\n    Since then we have done about three or four other \npenetration tests on not only the unclassified, but the \nsensitive but unclassified, classified systems. DS has done \nthose.\n    We also brought in Secure Computing Corporation to do \npenetration tests prior to the Y2K rollover when it was \npredicted there were going to be hundreds and thousands of \nhackers out there. We did that in November.\n    We not only do the penetration vulnerable assessments and \nthe risk management, but, more importantly, we do the \nremediations and make sure that whatever was found as holes \nthat they are plugged up. As was stated earlier, you are always \ngoing to find holes, but we keep on plugging them. I feel we \nhave done an excellent job of that.\n    Not only have we done penetration tests, but we have also, \nas Mr. Rychak has stated, we have done an excellent outreach \ntraining program to make sure that the employees are cognizant \nof that such as I stated earlier with the Security Awareness \nDay, Critical Infrastructure Day, Hacker Day and individual \ntraining sections.\n    You cannot log on to the internet without getting some DS \ntraining. You have to be certified to get that training for the \ninternet in order to log on to our RICH internet access system. \nWe have implemented the intrusion detection boxes, anti-\nviruses. You know, I can go on and on.\n    Chairman Gilman. I am trying to understand, gentlemen, the \ndivision responsibility for computer security matters between \nDS and the CIO shop. Can you explain the division and why it \nmakes sense?\n    Mr. Rychak, do you have any special concerns about the \nsplintering of responsibilities between the Diplomatic Security \noffice and the chief information officer?\n    Mr. Rychak. 
Sir, I would be happy to give you a background \nas it relates to the split of responsibilities.\n    There are--there have been--overlapping authorities. The \nDiplomatic Security Act, going back to 1985, vested the Bureau \nof Diplomatic Security with a broad range of responsibilities. \nThe Clinger Cohen Act and other Acts vest the CIO also with a \nbroad range of security responsibilities as it relates to \ninformation and computer systems.\n    Beginning about 2 years ago, the CIO's office, NDS, worked \nto identify the strengths and the operational capabilities of \neach of our organizations so that we could put together a clear \ndelineation of roles, of responsibilities.\n    Chairman Gilman. Are you satisfied with that delineation \ntoday?\n    Mr. Rychak. The delineation I think is working well. Mr. \nBurbano and I may have some differences in opinions ultimately \nin perhaps who should be the senior lead authority, but let me \nsay that that decision has been made. Our Undersecretary for \nManagement has made the decision that the CIO is the lead \nauthority for that.\n    You are aware that the Secretary has proposed the creation \nof an Undersecretary for Security in an effort to further \nconsolidate and establish senior level accountability for \nsecurity.\n    Computer security/information security I think will be \nreviewed in that context, and I do not know how that will come \nout, but I have to say that the system is working I think quite \nwell, and it is collegial. It has been a partnership \narrangement between the CIO and DS.\n    Chairman Gilman. Let me interrupt you a moment.\n    Mr. Rychak. Yes.\n    Chairman Gilman. Between the two of you, who is responsible \nfor the maintenance and computer security at the overseas posts \nand at main State office? Can you tell us? Between the two \nshops, how much money does State spend for security, and is \nthere money dedicated to security for the information \ntechnology fund?\n    Mr. Rychak. 
I can speak for my side. For the programs that \nDS administers, we are expending roughly $11.2 million this \nfiscal year for computer security related programs, and that \ndeals with security awareness and training and vulnerability \nassessments, intrusion detection capabilities, and this is a \nprogram, frankly, we are very excited about that we are in the \nprocess of implementing on a global perspective.\n    That is one piece of the puzzle. There are other programs \nthat the CIO and IRM administer, and I am sure Fernando would \nlike to address it, everything from virus protection to \nimplementing these policies, etc.\n    Mr. Burbano. Yes. I think one easy way at a high level to \ndifferentiate DS and IRM is DS is involved in the development \nof policy and also in the evaluations, assessments and so \nforth. IRM is involved, the CIO, in the implementation of that \npolicy and so, I mean, that is one high level way of looking at \nthat.\n    Chairman Gilman. Are you pretty much both working \ncollaboratively in main State and overseas?\n    Mr. Burbano. Yes. Absolutely. I would like to reinforce \nwhat Mr. Rychak said. We have an excellent relationship. We \nwork together. We created the matrix, and ever since we have \nhad that I think things have gone very smoothly, and in fact we \nunderstand each other's areas, and we collaborate on all \ndecisions.\n    Chairman Gilman. Mr. Burbano, Mr. Brock's report at GAO \npointed out that computer security lacks a focal point within \nState to oversee and to coordinate its security activities.\n    Do you have the expertise available in your shop to manage \nthe responsibility for computer security?\n    Mr. Burbano. Yes, and in fact I think that was May, 1998. \nWe are in 2000, and that has changed over the last year so that \nis no longer--I think Mr. Brock stated that that in fact was \ntrue when they did the assessment, but that was 2 years ago. \nThat is not----\n    Chairman Gilman. 
You have dedicated security----\n    Mr. Burbano. Yes. Absolutely.\n    Chairman Gilman [continuing]. Personnel.\n    Mr. Burbano. We have computer incident response teams just \nlike DS has that works around the clock, 7 by 24, in not only \nmonitoring, but also in----\n    Chairman Gilman. So it is not left up to non-professionals?\n    Mr. Burbano. No. No. These are computers that carry \nspecialists that are dedicated and trained in the field just \nlike DS. DS and IRM and the CIO both have computer security \nstaffs that are professionals.\n    Chairman Gilman. Mr. Burbano, I understand Diplomatic \nSecurity sends out teams to audit security of computer systems \nat the various posts overseas, and they produce reports and \nrecommendations.\n    Who is responsible for seeing that any recommendations are \ncarried out? Does Washington followup on those reports or \nsupply technical experts if a post requests assistance to make \na proper review?\n    Mr. Burbano. Yes. IRM is responsible, along with the post \nand the bureaus, in implementing those changes because the \nposts are underneath the bureaus. So it is a joint effort, but \nthe responsibility for implementing those recommendations do \nfall to IRM and the bureaus and the posts, and we do implement \nthe changes.\n    We work very closely together on these teams. In fact, we \nsend out IRM computer security specialists along with DS on \nsome of these assessments.\n    Chairman Gilman. Mr. Brock, how would you characterize the \neffectiveness and the improvements that State has made in their \ncomputer security program today as compared to 2 years ago? Do \nyou have any plans to reexamine the Department's security \nprogram?\n    Mr. Brock. 
We believe that the organizational changes that \nhave been made are very positive, and one of the key concerns \nthat we had was the bifurcation of computer security \nresponsibilities throughout the Department.\n    When we have gone out and done our best practices work, \neven in highly decentralized organizations computer security \nwas centralized. I think it is appropriate in an organization \nlike State that you may have multiple entities carry out tasks, \nbut it is clear that one person or one organization needs to be \noverall responsible, and that is something that we would like \nto continue to examine within the State Department.\n    Chairman Gilman. Do you have any recommendations with \nregard to that?\n    Mr. Brock. Well, at the present time, no. We currently are \nengaged in a number of agency reviews, and we do not have a \nrequest, if this is what you are moving toward. We have not had \na request to go back in and do a thorough computer security \nreview of the State Department.\n    Chairman Gilman. Mr. Rychak or Mr. Burbano, who is \nresponsible for investigating computer security violations, and \nwho resolves the intrusions or attacks in the Department? Who \nconducts the followup?\n    Mr. Rychak. I can address that. The response to an incident \nactually takes two different forms. DS has what is called a \nCIRT, a computer incident response team. It is a 24 hour \noperation of personnel, largely investigative, that would \nrespond from an investigative standpoint.\n    In sync with that, the CIO has a CERT, a computer emergency \nresponse team, that deals with the operational issues relating \nto mitigating any problems that would develop in our system.\n    Chairman Gilman. Are they able to react very promptly to \nthose?\n    Mr. Rychak. Yes. Actually, those terms work together and \noften do it jointly.\n    Mr. Burbano. 
If I can add, during the Y2K rollover we had \nour two teams sitting together in the same room sharing the \nmonitors, sharing the times and everything, and it worked \nextremely well. We were not hacked during the Y2K rollover.\n    Chairman Gilman. Mr. Burbano, is computer security training \nmandatory at State----\n    Mr. Burbano. Yes, it is mandatory.\n    Chairman Gilman [continuing]. For all State employees?\n    Mr. Burbano. For all State employees, and that is not just \nrecent. As I mentioned earlier, in order to connect to the RICH \ninternet access system you have to have DS, you know, training, \nand you have to get certified first before you can log on.\n    Chairman Gilman. How long a period of training is there? \nHow extensive is it?\n    Mr. Burbano. We have various levels. Since DS does them, I \nwill let Wayne talk about it.\n    Mr. Rychak. Well, the internet training is a briefing that \nwould last maybe an hour, an hour and a half. It presumes that \nthe employee already has the background of security procedures \nand requirements.\n    There is a new training program that was begun about 18 \nmonths ago that was the result of the GAO audit that I would \njust like to comment on, and that was training for our \ninformation systems security officers. We did not have a \nprogram in place prior to 18 months ago to train the people who \nworked on a day to day basis to insure that computer security \npolicies were being carried out.\n    We did put that program into effect. We have trained \nhundreds and hundreds of personnel. It has gotten excellent \nreviews. We have more senior level training that also is \navailable to these personnel, and----\n    Chairman Gilman. Mr. Rychak, are you satisfied that all of \nthe important employees that use secure computers have been \nproperly trained now?\n    Mr. Rychak. No, I cannot say that I am completely \nsatisfied. 
You may recall that the Secretary of State announced \na directive following the discovery of the laptop computer that \nit would be mandatory for all employees of the Department of \nState, all cleared employees, to annually receive a briefing.\n    We are in the process of a very intensive effort to do just \nthat, and every day that goes by we have formal briefing \nsessions that are ongoing in our auditoriums at the Department.\n    Chairman Gilman. How extensive has this program been, and \nhow many have been brought in at this point? What percentage of \nthe employees?\n    Mr. Rychak. Sir, I think we are somewhere in the \nneighborhood of 8,000. Now, that is not addressing our overseas \noperations, which are being done individually by our \nprofessional regional security officers.\n    Chairman Gilman. So what percentage of people who should be \nbrought in have already been brought into your briefing \nsession?\n    Mr. Rychak. On the latest exercise since the Secretary's \ndirective, I would say we are probably at about 30 or 40 \npercent with the goal of completing this by the end of August \nor first of September. In other words, 100 percent.\n    We are taking a roll and roster of everyone that receives \nthe briefings, and we will be able to identify anyone that has \nnot. It is again a firm directive of the Secretary that this be \ndone.\n    Chairman Gilman. Dr. Maybury and Mr. Brock, does the \nFederal Government need a Federal chief information officer?\n    Mr. Brock. Yes. When the Clinger Cohen bill was first \nintroduced, it really established the framework for management \nof information technology from the agencies. At that time we \ntestified that a national CIO was needed to in fact identify \nboth opportunities and challenges across government that needed \nto be explored in a collegial manner, and we still support that \nposition.\n    Chairman Gilman. Have there been any steps undertaken to do \njust that?\n    Mr. Brock. 
Yesterday I read an article that apparently both \nMr. Gore and Mr. Bush support a national CIO, and one of your \ncolleagues, Mr. Turner, has introduced legislation calling for \na national CIO.\n    Chairman Gilman. Mr. Burbano or Mr. Rychak, have you seen \nany progress made with regard to that proposal?\n    Mr. Burbano. Other than what Mr. Brock just mentioned, no, \nbut I would like to say that my personal opinion is I agree \nthat one needs to be done, and I think one model could be right \nacross the river here.\n    In the State of Virginia, the Governor has created, you \nknow, a Secretary of Technology to look both within the state \ngovernment, but also outside for IT management. That is one \nmodel you might want to take a look at.\n    Mr. Maybury. If I could suggest one other model would be a \ncross agency CIO would be the intelligence community CIO, Mr. \nJohn Dams' office.\n    Chairman Gilman. Dr. Maybury points out that the success of \ninstituting a collaborative system requires clear objectives \nthat can drive change. Mr. Burbano, has the interagency working \ngroup identified such objectives?\n    Mr. Burbano. At the high level, as Mr. Brock mentioned. We \nare getting down to the detail level, but for right now it is \nat the high level. Those were submitted in the written \ntestimony both for the IT common platform and the knowledge \nmanagement system. Some other detailed documents have been \ndelivered to GAO and the Committee.\n    Chairman Gilman. Dr. Maybury says one of the values of a \ncollaborative environment is it can reduce the number of \nforward deployed personnel. That is, jobs can be done back \nhome.\n    Mr. Burbano, are you examining that kind of a prospect, and \ndo you think that technology will in fact allow for fewer \npersonnel to have to be stationed overseas, and would those \njobs be mostly administrative?\n    Mr. Burbano. 
The answer to the first part I would say is \nthat the right sizing committee is the committee that is \nactually examining that. That is the right sizing committee.\n    My committee, the IT, will support that effort, but, you \nknow, will not be, you know, making the recommendations or the \ndecisions on actually, you know, reducing or shifting staff. \nThat is the right sizing committee.\n    Yes, IT will support the right sizing efforts fully and \ncan, but there are other issues other than technology when you \nare trying to make decisions. Right sizing does not \nautomatically mean reduction of staff. It means shifting to, \nyou know, proper support where you need that staff.\n    Chairman Gilman. Dr. Maybury, the Committee is concerned \nabout the risks involved in developing an overseas common \ninformation technology platform and whether State Department is \npositioned to lead that kind of a project.\n    In your view, what can our Committee do to effectively \noversee that kind of a project as it enters development and \nrequires additional funding?\n    Mr. Maybury. Well, I think, Mr. Chairman, regular oversight \nexpectations have explicit objectives. I know in my testimony \nthat the organization that does this needs to have a set of key \ncharacteristics that include excellence in acquisition, systems \nengineering experience, technical expertise in not only \nsecurity, but in collaboration, knowledge management, cleared \nstaff, especially if we are talking about secure and unsecure \nsystems, domain knowledge of overseas activities, perhaps \npersonnel overseas.\n    That is another risk is do you have the IT talent or the \ninfrastructure overseas, and do you have a strong contractor \nbase or contractor oversight. 
I think having explicit plans, \nthese blueprints or these maps we talked about before, these \narchitectures, at various levels of detail and monitoring those \nactivities, monitoring the investments and looking for actual \noutcomes, looking for specific measurable impact, business \noutcomes, of the investments.\n    Chairman Gilman. Have you had an opportunity to discuss \nthose proposals with Mrs. Cohen, Assistant Secretary for \nManagement?\n    Mr. Maybury. No, sir, I have not.\n    Chairman Gilman. I hope you might take advantage of trying \nto do just that so that she would have the benefit of your \nthinking.\n    One last question before I call on Mr. Sherman. Mr. \nBurbano, several U.S. Government agencies with global \noperations are seeking funding for separate communications \nsystems. Different agencies want their own system.\n    What are we doing to persuade those agencies that a single \nconnected system designed on an interagency basis is probably \nmuch more preferable?\n    Mr. Burbano. What we are doing is with the OPAP I think \nthat gets down to the heart of this because those agencies are \nrepresented on the various OPAP committees. Also with the CIO \nCouncil we have an interoperability committee that works with \nthe various CIOs of the various agencies, and then you have the \nIC, intelligence community, as was just stated earlier by Dr. 
\nMaybury, and I also sit on that, on the executive committee for \nthe intelligence CIO committee, so we are all sitting in each \nothers' committees and so we are well aware of all the things \nthat are going on.\n    I think OPAP is bringing to the forefront because the \nPresident's mandate and OMB and also the congressional \nleadership of wanting to implement OPAP that for the first time \nwe actually have more than just, you know, intentions, but we \nactually have a mandate to implement these government wide \nsystems.\n    These are the same agencies that you are talking about, and \nthere is a lot of collaboration going on, and I think it is \nbeginning to take an effect. As we stated, first we are working \non the unclassified first in the first 18 months, and then \nafter that we work on the classified systems.\n    Chairman Gilman. Well, we hope you can convince all of \nthese competing agencies to work together. I think it is \nextremely important.\n    Mr. Sherman.\n    Mr. Sherman. Thank you, Mr. Chairman.\n    I think we are all concerned with security of our \ninformation. Some recent problems experienced by another \nFederal department have highlighted that recently. I want to \ncommend the Chairman for holding these hearings, which I think \nfocus on information security, but I think others will ask \nquestions about our national security information, and I want \nto focus my questions on the visa process.\n    This is a process that has flabbergasted me because I did \nnot think that governments could be this inefficient, and it \ntakes really bad computers and bad management to achieve some \nof the problems that we have experienced in this area, and yet \nmy hope is that the information technology system as it gets \nbetter will begin to solve some of those problems.\n    One of the many areas of problems are difficulties in \ncommunicating via computer between the INS and the State \nDepartment. Have those been worked out?\n    Mr. Burbano. 
I think we have worked some of them out, \nespecially during the Y2K rollover. We had to make sure the \nsystems, you know, communicated. There are other issues, and, \nyou know, those--Consular Affairs, CA. You know, if you got to \nparticulars I guess we could address them with Consular \nAffairs.\n    Mr. Sherman. Well, I mean, first the Y2K thing. There are a \nnumber of countries in the world that thought the whole Y2K \nthing was a crock, invested nothing and tried to solve it and \ndid just fine.\n    We in Congress provided billions to try to improve our \ncomputer systems and deal with Y2K. I am glad the sky did not \nfall, but we paid an awful lot of money to keep the sky from \nfalling, and it did not fall elsewhere.\n    As to particular problems, when I hear from my district \nthat a fiance visa is taking 2 years in some places and 2 days \nin other places and that the State Department will not \nreallocate resources to be fair to Americans, one who decides \nto marry a Filipino and another who decides to marry an \nEnglish woman, that is bad management.\n    When I am told that we do not have any records on whether a \nparticular visa officer by visa officer as to their success \nrate--which visa officers are rejecting 30, 40, 50 percent of \nthe requests? Which visa officers are seeing over stays or \nviolations of U.S. immigration laws in 5 or 10 or 15 percent of \nthe visas they grant?\n    The problem with information technology is that you would \nprovide accountability and require good judgment or spotlight \nbad judgment. 
When I have suggested various actions that would \nprivatize these decisions by allowing people to get bail bonds, \nyou know, we have the same--virtually an analogous issue on \nwhether somebody will over stay in the United States and \nwhether somebody will over stay their period of freedom before \ntheir trial.\n    In the private area, in the domestic area, we have turned \nto bail bondsmen who privatize that decision and put their \nmoney where their mouth is. We refuse to do that in the State \narea because total capricious power unaccountable through any \ntechnology system seems to be the goal.\n    I have been told that this continues only because it does \nnot affect American citizens. Once the DMV in California was \nabout 10 percent as bad, and the whole state demanded that it \nget better. It never reached these levels.\n    What information technology do we have with regard to how \nlong it takes from application to grant in visa matters in the \nvarious consulates and embassies around the world? Do we have \nthat information?\n    Mr. Burbano. No, but I can get it for you because that is \nin the Consular Affairs Office, in that bureau, and they have \nthat.\n    Mr. Sherman. Have you spent much time looking at their \ninformation system?\n    Mr. Burbano. I would not say a tremendous amount of time \nbecause I have been dealing with the security and all these \nother elements, and they----\n    Mr. Sherman. I cannot tell you that it is more important \nthan national security, but----\n    Mr. Burbano. Right.\n    Mr. Sherman [continuing]. If you have some time, that is \nwhere you ought to deploy it because it is a bad system, and \nall the questions I have asked have come back, and just basic \nquestions we ought to have.\n    No accountability by person. The accountability works two \nways. What I am worried about is that every visa officer will \nstrangle our tourism industry if they feel oh, we will be held \naccountable for how many over stays. 
We ought to hold visa \nofficers accountable for under grants and for excessive \nrejections, but we cannot because we do not have a system that \nwill tell us.\n    I do not know if you have anybody on the panel who is \nfamiliar with these issues. I see people shaking their heads.\n    Chairman Gilman. We do not have people here from Consular \nAffairs. Do you have anything, Wayne?\n    Mr. Rychak. No.\n    Mr. Sherman. It surprises me to have a hearing on \ninformation technology, to have a distinguished panel of four \nand a back up group of several more and not to have anybody \nfamiliar with information technology in this area, but that \nshows that this is kind of a stepchild.\n    We recently did receive a report. It was produced at my \nrequest. We have not been able to review it thoroughly, but it \nprovides averages that I know are false because I have talked \nto people out in the field. When I complained that it took 2 \nyears to unify an American family I was told gee, that is \nstandard. That is kind of what we do here in the Philippines. \nThen I get a report that says the average is 20 days, 30 days. \nI know it is not accurate.\n    I realize none of you have come prepared to talk about \nthese subjects. I hope that we would develop a visa system and \nperhaps, Mr. Burbano, you could let me know whether we are on \nthe way,\n    Mr. Burbano. Yes. I would be happy to get back to you.\n    Mr. Sherman. That would keep track of how long things last, \nif things are lasting too long why, whether there have been \ncongressional inquiries and how those have been resolved.\n    I mean, I am dealing with a part of the State Department \nwhere I have been told that congressional involvement is \ndetested and will also result in intentional delays, so this is \nan area where we need a good information system and appreciate \nyour attention to it.\n    Mr. Burbano. Yes. We will get back to you.\n    Chairman Gilman. Thank you.\n    Mr. Sherman. 
Thank you, Mr. Chairman.\n    Chairman Gilman. Gentlemen? Dr. Cooksey? Gentlemen, I am \ngoing to have to go to another meeting, and I am going to ask \nDr. Cooksey if he would lead further discussion in our \nsubcommittee.\n    I want to thank our panelists for your excellent testimony. \nYou have given us a great deal of food for thought of what we \narguably should be doing in our oversight capacity and even \nsuggested some legislation that we will take a good, hard look \nat.\n    We wish you continued success in what you are doing. Thank \nyou very much.\n    Mr. Cooksey [presiding]. Thank you, Mr. Chairman.\n    It is great to be here. It is great to be here with people \nof your educational background. There are too many politicians \nin this city, and there are not enough scientists and computer \nexperts.\n    I do not have but about 35 questions. We should be through \nby 5 or 6 o'clock. Dr. is it Maybury?\n    Mr. Maybury. Yes, sir.\n    Mr. Cooksey. Yes. We have been together in a committee, and \nI forget which one. You have a Ph.D. in artificial intelligence \nI understand. Is that correct?\n    Mr. Maybury. Yes, sir.\n    Mr. Cooksey. What do you think about Kaku's book, Visions? \nHave you seen the book? He is a theoretical physics professor \nin New York.\n    Mr. Maybury. I have not seen the book, sir.\n    Mr. Cooksey. It is really a good book, but he says we have \na ways to go in artificial intelligence and robots, but it is \nfascinating some of the things that he proposes.\n    Mr. Maybury. I would agree with that statement.\n    Mr. Cooksey. Yes. He is very well documented. He talks \nabout who is doing the good research and who is doing the other \nresearch.\n    Along those lines, what do you think about change in the \nbiometric system? I am a physician. I am an ophthalmologist. \nChange the password system from whatever you use now to a \nbiometric system; for example, retinal patterns?\n    Mr. Maybury. 
In fact, actually I referred in my oral \ntestimony that there are a couple of technologies like \nfingerprint detection, like biometrics that, of course, can \nenhance security specifically for authentication. One could \nthink even if you wanted to go so far as DNA testing to \ndetermine that you actually had the individual that you knew \nwas accessing the system.\n    I think authentication is an important area. I think that--\nI am not a biometric expert, but certainly those technologies \nhave been used in secure facilities to control access.\n    Mr. Cooksey. And they work?\n    Mr. Maybury. Unfortunately, I cannot speak specifically to \nthe performance. Obviously there are both probably precision \nand recall measures, technical measures, in terms of their \nperformance. Perhaps others can.\n    Mr. Rychak. Sir, I can address part of that.\n    Mr. Cooksey. Yes?\n    Mr. Rychak. There is a tremendous amount of research that \nis going on in the whole biomedical/biometric area. I think \nwhat you will find throughout the government and throughout the \nprivate sector is that no one countermeasure by itself is \nadequate, but used in combination and layered with other things \nyou do--you can end up with a high level of security.\n    We have a pilot program, for example, in the State \nDepartment right now of looking at combining biometrics with \nSMART card technology--you are probably familiar with SMART \ncard and its capability--and combining those two to allow \naccess into highly restricted areas to include highly \nrestricted information systems.\n    We really think that that probably is the future here, as \nopposed to simply relying on a password that obviously can be \neasily duplicated or in some cases found out about, you know.\n    Mr. Cooksey. The passwords that we have used since the \n1970's.\n    I helped a company in Boston design electronic medical \nrecords from ophthalmology. 
We have updated a lot of my \ntechnology, but still some of the passwords are old. It is very \nold technology.\n    Yes, Mr. Burbano?\n    Mr. Burbano. Yes. I wanted to add a comment. I agree. I \nthink the biometrics systems are excellent, but it is a \nquestion of funding. That is the problem, you know. These \nsystems are----\n    Mr. Cooksey. Do you mean Congress will not give you enough \nmoney?\n    Mr. Burbano. Well, that, but more importantly, the system, \nwherever the money comes from. What I am saying is it is very \nexpensive compared to the password, so it is always a question \nof funding, to be honest with you. I mean, I think there are \ngood systems, but you have to have the money to do them.\n    As Mr. Rychak said, you know, we look at other \nalternatives. SMART card, you know, does not have the--\nnecessarily. Somebody else could pick up the SMART card, PIN \nnumber or whatever, but you cannot pick up your eye, but it is \na lot cheaper than that system, so it is a question of funding.\n    Mr. Maybury. If I could say something? It is also obviously \na question of technology. We at MITRE Corporation and many \nother companies have for years been using SMART cards with PINs \nto control and to authenticate users.\n    In the future we can expect, among other things, for \nexample, video cameras to be built into laptops, for example, \nso the opportunity to do facial ID, which is another area, \nalso, potentially retinal scans cheaply is something that \ncertainly, I cannot predict or give you a year, but it is \ncertainly going to be cheaper in the future than it is \npresently.\n    Mr. Cooksey. Kaku says that computer chips will cost \nbetween 1 and 5 cents apiece. He says they will be in the \ndrapes, and----\n    Mr. Maybury. Right.\n    Mr. Cooksey [continuing]. They will be able to sense \nweather changes, body temperature changes.\n    Mr. Maybury. They will be built into your clothing.\n    Mr. Cooksey. Clothing. Right.\n    Mr. 
Maybury. Sure.\n    Mr. Cooksey. He also said that they will use DNA instead of \ncomputer chips. That is a fascinating concept to think about. \nThere is research being done on that.\n    Mr. Maybury. Yes. In fact, we have some research on micro \nelectronics. DARPA has a large program and specifically atomic \nlevel storage devices, computing devices and the like, so that \nis actually----\n    Mr. Cooksey. That is an ongoing research.\n    Mr. Maybury [continuing]. A new wave of computing \ntechnology.\n    Mr. Cooksey. Well, it is exciting to think about, and that \nis the reason, that when you design an information system you \nhave to think about the future and be able to move to it.\n    Mr. Burbano, you had indicated in your testimony that your \nsystems are protected with intrusion detection systems, that \nyou will know if someone has intruded into the State Department \nsystem.\n    Now, Mr. Brock said in his testimony that the State \nDepartment's automated intrusion detection system does not \ncover all of the domestic and overseas posts. Who is right?\n    Mr. Rychak, you get to referee.\n    Mr. Burbano. Actually, he is the one.\n    Mr. Rychak. I probably can answer it.\n    Mr. Burbano. Yes. He should answer it. I just wanted to \nmake an initial statement and then I will turn it over, and \nthat is that we are in the midst of implementing it so, I mean, \nhe is right. We are not finished implementing it.\n    Mr. Cooksey. Because your testimony basically--you \ncontradicted each other.\n    Mr. Burbano. No. I do not think so. It is a matter of \nimplementation.\n    Mr. Cooksey. You are not finished.\n    Mr. Burbano. I will let Mr. Rychak give you the status of \nthat.\n    Mr. Rychak. Yes. We started the intrusion network program \nin December of this past year. Our goal is to have it completed \nby the second quarter of next fiscal year. 
Essentially what it \nencompasses is installing hardware/ software on every system at \nevery embassy around the world to include our domestic \nfacilities.\n    As we speak, we have it in place at about 60 locations. The \nmajority of our domestic sensitive but unclassified systems \nhave coverage. Our financial centers overseas have coverage. \nThe majority of our posts in South America have coverage, and \nwe are systematically going through it in terms of the \nimplementation.\n    We do have a 24 hour by 7 monitoring operation that is \nfully in place, but, as Fernando says, we are not there yet. We \nare aggressively implementing this, but given the scope of what \nwe are trying to do it just takes time to do it right.\n    Mr. Burbano. Also the funding.\n    Mr. Rychak. And the funding, although the funding for the \nfirst----\n    Mr. Cooksey. Another appropriations matter.\n    Mr. Rychak. Well, that is a good point because the funding \nfor the first phase is covered. In other words, we have enough \nfunding to continue the installation of the systems on our \nunclassified but sensitive systems.\n    The second phase is to put identical protection for our \nclassified systems. That is important. It has not been as \ncritical in terms of our priority because the State \nDepartment's classified systems were not as interconnected as \nour unclassified systems. Frankly, we benefited from the fact \nthat we had and continue to have a fair amount of antiquated \ntechnology out there.\n    The unclassified systems were becoming increasingly \nvulnerable as we got into internet and as we became much more \ninterconnected, so that became our first priority.\n    Mr. Cooksey. Mr. Brock.\n    Mr. Brock. One of the issues that has come up at other \nagencies where we have looked at automated intrusion protection \nprograms is, first of all, this technology is fairly new. 
It is \nnot very mature, and lots of advances are being made.\n    You get an incredible amount of information. In some \norganizations it has literally overwhelmed the organization's \ncapability to do the analysis, and as a result we have gone \ninto some agencies where they made a good faith attempt \ninitially to handle the information coming in, but then \nultimately it began to stack up and pile up in back rooms and \nwas not looked at, so a tool that is turned on but not used is \npretty useless.\n    I think a challenge that the State Department has in \nrolling this out is to make a decision or series of decisions \non what kind of information they really want and how are they \ngoing to do the analysis because it is fairly people oriented. \nEven though the tools are automated, a lot of the analysis is \nnot and does require trained personnel.\n    Mr. Cooksey. Needless to say, that is a potential problem. \nOf course, you get into the issue of one big system that serves \nall needs. The IRS did not do very well. I think they spent $3 \nbillion or $4 billion and gave up. I think CSC has a contract \nnow to do the IRS' work.\n    Mr. Brock. Yes.\n    Mr. Cooksey. Another question. I understand that the \nState--this is for you, Mr. Burbano. Does the State Department \nuse a bulk e-mail system whereby the e-mails are held up until \nenough are collected, and then they are sent in bulk to reduce \ncost?\n    Mr. Burbano. To reduce cost?\n    Mr. Cooksey. Do you do bulk mailing of e-mail? If I sent an \ne-mail or let's say you sent an e-mail from Foggy Bottom to \nBangkok and then there are ten other people on your staff that \nsend e-mails there, are they all sent at one time in bulk, or \nare they sent--do they each go individually?\n    Mr. Burbano. My understanding is that they go as they go. \nThey have to go through Washington for the most part, but, I \nmean, they do not get bulked or anything.\n    Wayne, do you have anything to add to that?\n    Mr. 
Rychak. Yes. I am sorry. I cannot. I do not know.\n    Mr. Burbano. I can look into it, but, I mean, the e-mail \ndoes not sit there. In fact, we have made a lot of improvements \nin our e-mail system in the last 6 months not only for \nsecurity, but for speed wise where we have actually improved \nresponse time tremendously as a result of getting rid of a lot \nof the overhead that these e-mail systems have by implementing \nX.500, that type of technologies, directory type systems.\n    Mr. Cooksey. Well, today I would like to ask everyone who \nis not here representing the PRC or Russia to stay and have all \nthe rest of you leave, but I am afraid we still would not know \nwho was here.\n    I just assume. Every time I come to one of these meetings, \nI assume that there is someone here from some of our potential \nadversaries that I hope will become allies, but, you know, that \nis part of the intelligence game. They are here, and we have a \ndemocracy.\n    Hopefully those countries will move to--until we have this \nperfect world where we trust all of our former adversaries and \nthey trust us, intelligence is going to be necessary. We are \ngoing to spy on them, and they will spy on us.\n    I just think it is absolutely mandatory that you maintain \nyour diligence in having security in the information systems \nbecause people's lives are at stake, and there are people's \nlives probably that have already been lost or compromised just \nbecause of some less than perfect security measures in this \ncountry.\n    You can look at what has been going on in New Mexico. I \nthink it is really terrible that that has happened. 
I am still \na clinical professor, and I got the feeling that there was an \nattitude of these professors that were involved, that were \nrunning that laboratory, that they were above having to go \nthrough all the security measures, and that is part of the \nreason things were lax.\n    I think that there was some reason to believe that there \nwas some active information gathering by some of our \nadversaries, and yet we have to be diligent to make sure that \nwe have good countermeasures and make sure that they do not get \ninformation.\n    I appreciate your coming. I think there are some real \nprofessionals over at the State Department. I do not always \nagree with the political decisions that are made there. The \nbiggest problem we have in this city is you have too many \ncareer politicians that instead of voting first what is best \nfor the Nation and then their state and then their district, \nthey do what is best for their political career.\n    I feel that the people that are permanent in the State \nDepartment do not make those decisions, and I think some of the \nworst mistakes that have been made in Republican \nadministrations, and probably they are getting ready to gavel \nme down. I am getting out of line. And in Democratic \nadministrations is because people do not have their priorities \nright, and it causes problems.\n    I think that one of the most disgraceful things going on \nright now is what is going on in Africa. This Administration \nand this Congress have been so Euro centered and so centered on \nthe Middle East. 
They have just totally ignored the fact that a \nmillion people were killed in Rwanda and Burundi and Ethiopia \nand Eritrea and Sierra Leone.\n    It is cowardice on the part of the executive branch and \ncallousness on the part of the legislative branch, which is my \nparty that is in control, and the net result is that a lot of \npeople have lost their lives that did not need to lose their \nlives.\n    I hope you have courage of your convictions and continue to \nfunction in a very professional manner. It will be better for \nthe nation, and what is better for our nation will be better \nfor the world.\n    Thank you.\n    [Whereupon, at 12:06 p.m. the Committee was adjourned.]\n      \n=======================================================================\n\n\n\n\n                            A P P E N D I X\n\n                             June 22, 2000\n\n=======================================================================\n\n      \n    [GRAPHIC] [TIFF OMITTED] T8288.001 through T8288.089\n    \n</pre></body></html>\n"