[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]





                   OVERSIGHT OF THE STATE DEPARTMENT:
             TECHNOLOGY MODERNIZATION AND COMPUTER SECURITY

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                        INTERNATIONAL RELATIONS
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 22, 2000

                               __________

                           Serial No. 106-171

                               __________

    Printed for the use of the Committee on International Relations


        Available via the World Wide Web: http://www.house.gov/
                  international--relations

                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
68-288 CC                   WASHINGTON : 2000




                  COMMITTEE ON INTERNATIONAL RELATIONS

                 BENJAMIN A. GILMAN, New York, Chairman
WILLIAM F. GOODLING, Pennsylvania    SAM GEJDENSON, Connecticut
JAMES A. LEACH, Iowa                 TOM LANTOS, California
HENRY J. HYDE, Illinois              HOWARD L. BERMAN, California
DOUG BEREUTER, Nebraska              GARY L. ACKERMAN, New York
CHRISTOPHER H. SMITH, New Jersey     ENI F.H. FALEOMAVAEGA, American 
DAN BURTON, Indiana                      Samoa
ELTON GALLEGLY, California           MATTHEW G. MARTINEZ, California
ILEANA ROS-LEHTINEN, Florida         DONALD M. PAYNE, New Jersey
CASS BALLENGER, North Carolina       ROBERT MENENDEZ, New Jersey
DANA ROHRABACHER, California         SHERROD BROWN, Ohio
DONALD A. MANZULLO, Illinois         CYNTHIA A. McKINNEY, Georgia
EDWARD R. ROYCE, California          ALCEE L. HASTINGS, Florida
PETER T. KING, New York              PAT DANNER, Missouri
STEVE CHABOT, Ohio                   EARL F. HILLIARD, Alabama
MARSHALL ``MARK'' SANFORD, South     BRAD SHERMAN, California
    Carolina                         ROBERT WEXLER, Florida
MATT SALMON, Arizona                 STEVEN R. ROTHMAN, New Jersey
AMO HOUGHTON, New York               JIM DAVIS, Florida
TOM CAMPBELL, California             EARL POMEROY, North Dakota
JOHN M. McHUGH, New York             WILLIAM D. DELAHUNT, Massachusetts
KEVIN BRADY, Texas                   GREGORY W. MEEKS, New York
RICHARD BURR, North Carolina         BARBARA LEE, California
PAUL E. GILLMOR, Ohio                JOSEPH CROWLEY, New York
GEORGE RADANOVICH, California        JOSEPH M. HOEFFEL, Pennsylvania
JOHN COOKSEY, Louisiana
THOMAS G. TANCREDO, Colorado
                    Richard J. Garon, Chief of Staff
          Kathleen Bertelsen Moazed, Democratic Chief of Staff
               Kristin Gilley, Professional Staff Member
                    Marilyn C. Owen, Staff Associate




                            C O N T E N T S

                              ----------                              

                               WITNESSES

                                                                   Page

Fernando Burbano, Chief Information Officer, U.S. Department of 
  State..........................................................     4
Jack L. Brock, Jr., Director of Government and Defense Systems, 
  U.S. General Accounting Office.................................     6
Mark T. Maybury, Ph.D., Executive Director, Information 
  Technology Division, The MITRE Corporation.....................     9
Wayne Rychak, Deputy Assistant Secretary for Diplomatic Security, 
  U.S. Department of State.......................................    17

                                APPENDIX

Prepared statements:

The Honorable Benjamin A. Gilman, a Representative in Congress 
  from New York and Chairman, Committee on International 
  Relations......................................................    40
Fernando Burbano.................................................    43
Jack L. Brock....................................................    88
Mark T. Maybury, Ph.D............................................   108

 
    OVERSIGHT OF THE STATE DEPARTMENT: TECHNOLOGY MODERNIZATION AND 
                           COMPUTER SECURITY

                              ----------                              


                        THURSDAY, JUNE 22, 2000

                          House of Representatives,
                      Committee on International Relations,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:12 a.m. in 
room 2200, Rayburn House Office Building, Hon. Benjamin A. 
Gilman (Chairman of the Committee) presiding.
    Chairman Gilman. This meeting will come to order. I want to 
thank our panelists for joining us this morning and thank our 
colleagues for being here.
    I am pleased to convene this hearing on Oversight of the 
State Department, Technology, Modernization and Computer 
Security. This is the fourth in a series of oversight hearings 
that this Committee will conduct relating to the Overseas 
Presence Advisory Panel, the OPAP.
    We began these hearings back in February when we heard from 
the panel's members. At that time, and today, I believe the 
panel highlighted some very important issues. This Committee 
supports many of the recommendations made as a basis of 
maintaining a more effective and efficient State Department.
    We are asking our panelists to provide the Committee with a 
comprehensive review of the condition of the State Department's 
information technology program, the safeguarding of its 
information and prospects of developing a common platform to 
facilitate communication among the agencies at posts. Along 
with the efficiencies of high tech systems comes a breadth of 
possible vulnerabilities. These systems demand continual 
security evaluations and resources that should be dedicated to 
this activity.
    Personnel at the State Department must have the capacity to 
communicate quickly and precisely with a variety of people. The 
Overseas Presence Advisory Panel observed that the Department's 
current infrastructure does not provide the means either to 
acquire information from a full range of sources or to 
disseminate it to a full range of audiences.
    Inefficient information systems leave the Department 
impotent in the conduct of foreign affairs. The Department and 
other agencies sharing the overseas platform have taken steps 
to bring their systems up to private sector standards, but much 
more is needed to be successful on an interagency basis. Our 
private sector panelist, Mr. Maybury, will address the problems 
associated with that issue.
    An overriding concern as modernization proceeds is to make 
certain that appropriate, usable systems are procured and that 
security elements are addressed up front. The taxpayer is 
providing an enormous amount of money over time for the 
worldwide upgrades, and this Committee needs to be assured that 
the right decisions and cost effective procurements are being 
made.
    With recent cyber attacks against web sites in both Federal 
and congressional computer systems, serious questions arise 
about computer systems' vulnerabilities. Investigation of 
hacker assaults revealed that the techniques used over the past 
months were fundamentally very simple. In May 1998, GAO 
reported that State's computer systems were very susceptible to 
hackers and to unauthorized individuals.
    Given the important data bases that the Department 
possesses, it would be a disaster if hacker penetration were to 
occur in the State Department; to name just a few, the passport 
system, the visa system, class systems. If a hacker were to 
succeed, it would have a devastating effect on the functioning 
of these items, not to mention the effect on commerce. The 
Department takes in an enormous amount of revenue per day on 
the issuance of those items.
    I believe that in creating a modern infrastructure, 
utilizing a common platform and spending the nation's money 
wisely are certainly critical elements on the road to 
successful information technology management. We will find out 
today if our State Department is on the right road or if they 
have hit a dead end.
    Now I would like to turn to our other colleagues, the Vice-
Chairman of our Committee, the gentleman from Nebraska, Mr. 
Bereuter.
    [The prepared statement of Chairman Gilman appears in the 
appendix.]
    Mr. Bereuter. Thank you, Mr. Chairman. I have no comment. I 
look forward to the testimony.
    Chairman Gilman. Judge Hastings.
    Mr. Hastings. Mr. Chairman, I have no opening statement at 
this time.
    Chairman Gilman. Thank you.
    Mr. Rohrabacher.
    Mr. Rohrabacher. Just a very short statement for the 
record. I am very concerned, Mr. Chairman, over reports that 
the Chin Wa news agency, a Chinese agency that has ties to the 
Communist Chinese government in Beijing--in fact, it is known 
as having an intelligence connection with the government in 
Beijing--has purchased a building in Arlington with the State 
Department--at least with no protest from the State Department, 
overlooking the Pentagon. This building is a 12 story building 
that has very serious implications to electronic intelligence 
operations, especially in relationship to a direct overview of 
the Pentagon.
    I understand the State Department had no objection to this, 
raised no objections to the Chinese taking over this building, 
and I just think that there is--I do not know if this panel is 
the one who could explain it. Probably not, but for the record 
I would like to say that this is very unsettling news.
    It seems to me that somebody has got to have the 
responsibility when things like this happen, and having an 
intelligence arm of the Beijing government setting up a spy 
nest, an electronic spy nest, you know, just in this position 
overseeing the Pentagon is something that deserves our 
attention. I thought I would put that on the record.
    Chairman Gilman. Thank you very much, Mr. Rohrabacher. I 
hope some panelists will comment on it as we proceed.
    Today we welcome Mr. Fernando Burbano, the chief 
information officer of the State Department. Mr. Burbano 
assumed the position in May 1998, is responsible for the 
Department's information technology policy and operations. He 
oversees a budget of more than $500 million and the activities 
of more than 2,000 employees who are engaged in information 
management. He holds advanced degrees from the American 
University and Syracuse University.
    Our second witness, Mr. Jack Brock, is director of the 
government wide and defense information systems in the issue 
area at the General Accounting Office. He is responsible for 
information management, evaluations and reviews of computer 
security issues for several agencies, including State, and he 
has testified several times on these issues.
    The General Accounting Office [GAO] has developed guidance 
for improving responses to computer security threats. Thank you 
for putting our system back in operation. He holds advanced 
degrees from the University of Texas and Harvard. Welcome.
    Our third witness is Dr. Mark Maybury. Welcome, Mr. 
Maybury, of is it MITRE Corporation?
    Mr. Maybury. MITRE.
    Chairman Gilman. MITRE Corporation. Dr. Maybury comes to us 
highly recommended because of his experience in the field of 
worldwide system upgrades. He is the director of MITRE's 
information technology division responsible for the advanced 
research and development of intelligence and defense systems 
supporting several government agencies.
    Dr. Maybury has taken a look at what it takes to build a 
common platform, collaborative computing and knowledge 
management within the foreign affairs community. He holds 
several advanced degrees, including a Ph.D. from Cambridge in 
artificial intelligence. We certainly appreciate his 
willingness to come down from Massachusetts and educate us in 
this highly technical field.
    We appreciate all of our witnesses being here today, and we 
ask you to proceed with a summary of your statements. Without 
objection, your full statements will be made part of our 
record.
    I also want to welcome Mr. Wayne Rychak, a Deputy Assistant 
Secretary in the Diplomatic Security Bureau at the State 
Department. He is a member of the Senior Foreign Service, and 
his positions with Diplomatic Security have included being 
regional security officer in Islamabad and Pakistan.
    Mr. Rychak is here to respond to questions regarding 
information security.
    Please proceed, Mr. Burbano.

STATEMENT OF FERNANDO BURBANO, CHIEF INFORMATION OFFICER, U.S. 
                      DEPARTMENT OF STATE

    Mr. Burbano. Thank you, Mr. Chairman. Good morning, Mr. 
Chairman and distinguished Members of the Committee on 
International Relations.
    As the CIO for the State Department, I am pleased to report 
significant progress managing the Department's information 
technology resources. This morning I will focus on actions we 
have taken to, first, strengthen our computer security; second, 
improve the integrity and quality of our IT strategic planning, 
our IT capital planning and our management of IT resources; 
and, third, to achieve compliance with the Overseas Presence 
Advisory Panel, OPAP, recommendations.
    Since my testimony is limited to 5 minutes, I have provided 
a more detailed written report for the record.
    Computer security. In the past 2 years since I was 
appointed CIO, the State Department has taken significant steps 
in strengthening our computer security and the security of our 
global communications networks. For example, we now have in 
place a corporate information system security officer and 
computer security incident response teams.
    Our systems are protected with an extensive array of 
electronic firewalls, intrusion detection systems and a 
comprehensive anti-virus program. We increased system security 
training, conducted extensive independent network penetration 
testing and installed a web based geographic information system 
to collect cyber threat information.
    As additional examples of the Department's commitment to 
computer security awareness, I have hosted the CIO Council 
Security Awareness Day, Critical Infrastructure Protection Day 
and a hacker briefing presented by an industry expert. All of 
these are open to the entire Federal IT community.
    With our improved security posture, we have successfully 
withstood numerous cyber attacks such as those that have 
damaged other agencies and private sector web sites. For 
example, we were successful in defending against an attack 
after the NATO bombing of the Chinese Embassy in Belgrade when 
we were bombarded with over 10,000 messages an hour for several 
weeks.
    However, despite significant improvements in our cyber 
security, we realize that the cyber underworld continues to 
improve its weapons. We routinely assess our presence on the 
internet, and so far we have been successful in adjusting our 
protection measures to meet the continuing and ever changing 
challenges.
    I also established a security infrastructure working group 
known as SIWG to proactively oversee our enterprise 
infrastructure and coordinate an integrated, department wide 
security response. The SIWG is chaired by the Deputy CIO for 
Operations and has representation from Diplomatic Security and 
other bureaus.
    Let me briefly highlight our accomplishments in our IT 
security over the last 2 years. We achieved 100 percent 
completion of the 72 technical findings and the eight 
management recommendations identified in the 1998 GAO computer 
security audit. We achieved closure on Federal Managers 
Financial Integrity Act, FMFIA, issues open since 1984.
    We revised the foreign affairs manual to include security 
related policies. We globally deployed a computer security 
self-assessment software tool known as Kane Security Analyst. 
We conducted vulnerability assessments on our classified, 
sensitive but unclassified and internet networks.
    In a joint effort with the NSA, we have begun a pilot 
program using public key infrastructure to implement strong 
identification and authentication processes. We are 
implementing the risk management cycle as recommended in best 
practices published by GAO and OMB and are implementing a 
robust certification and accreditation program incorporating 
the recently released national information assurance 
certification and accreditation process known as NIACAP. My 
written testimony describes these achievements in more detail.
    Now turning to Overseas Presence Advisory Panel 
recommendations, particularly the actions we have taken to 
address the challenges to obtain interagency coordination and 
cooperation and to insure quality and cost effective program 
management. To insure that all foreign affairs agencies are 
partners in developing solutions to the OPAP recommendations, 
we have convened the OPAP interagency technology subcommittee. 
This subcommittee, which I chair as the representative of the 
lead agency, consists of the CIOs of the principal foreign 
affairs agencies.
    To date, the cooperation between all of the foreign affairs 
agencies in developing solutions to the OPAP report 
recommendations has been outstanding. This reflects the fact 
that over the past 2 years, through the CIO Council and its 
various subcommittees, the CIOs had already established strong 
relationships and had worked collaboratively on issues of 
common concern.
    Specifically, we are progressing in our plans to deploy an 
interoperable infrastructure accessible to all agencies to 
improve communication and collaboration. Our OPAP architecture 
approach emphasizes interagency connectivity and collaboration, 
minimizing technical risk and leveraging internet and web 
technologies.
    The intent is to build a browser based environment such 
that agencies need not change their architectures to connect to 
and use the OPAP facilities, and a range of connection options 
will be accommodated. To provide the right information to the 
right people at the right time, we are designing a knowledge 
management system to share information across agency 
boundaries. Security of the infrastructure will be addressed 
through the use of technologies such as public key 
infrastructure, data encryption and use of firewalls.
    In order to insure quality and cost effective program 
management and avoid excessive cost overruns, we are following 
a disciplined, standard project management methodology which we 
have used successfully in our Y2K worldwide remediation 
program, IT modernization program known as ALMA and the global 
emergency radio deployment program. I should point out that 
this methodology includes regular interagency project review 
and approval points, such as control gates and check points, 
and prototype and pilot tests and assessments.
    Accordingly, in fiscal year 2001, conditional on the 
availability of timely and adequate resources, we plan to 
implement a pilot program at two posts to test the interagency 
developed solutions to the OPAP unclassified technology 
recommendations. Mexico and New Delhi are being considered as 
the pilot posts. Our goals and the effective participation of 
other Federal agencies are achievable only with your support in 
providing us the resources to continue.
    Turning to IT management and planning, the last section, in 
the time remaining I will address our progress in responding to 
the 1998 GAO report which raised issues about our modernization 
program being at risk absent implementation of best practices. 
We have made significant improvements in the management, 
policy, planning and governance of our IT resources as we 
demonstrated in our success at turning our Y2K program from an 
F to an A, closing FMFIA issues and completing of a large 
scale, global IL modernization project.
    Demonstrating the Department's compliance with the GAO's 
management improvements recommendations, we have adopted an 
enhanced capital planning process that involves all the key 
stakeholders, including the CFO and other senior management, 
Assistant Secretaries, to comply with the mandates of Clinger 
Cohen and OMB Circular A-11;
    Created the Configuration Control Board, whose role will be 
expanded to further strengthen the interrelationship with the 
capital planning process; established the enterprise IT 
architecture that is modeled after guidance issued by the 
Federal CIO Council; included output and outcome measures in 
our IT tactical plan linking the relationship of those measures 
to mission effectiveness and efficiency;
    Instituted a disciplined life cycle management process 
known as Managing State Projects to help insure a consistent 
approach to all aspects of project manager; and, last, we 
continued to focus on well articulated goals that are presented 
in our new IT strategic plan published in January of this year.
    Mr. Chairman and distinguished Committee Members, I would 
like to conclude my testimony here today by assuring you that 
the State Department, including senior management, is committed 
to confronting the continuing challenges, including those which 
will cogently be addressed by GAO today.
    We will work in partnership with your Committee, the GAO 
and other agencies and other bureaus in the Department, 
including Diplomatic Security, to provide exceptional IT 
support to American diplomatic activities in the twenty-first 
century.
    Thank you, and I would be pleased to answer any questions.
    [The prepared statement of Mr. Burbano appears in the 
appendix.]
    Chairman Gilman. Thank you, Mr. Burbano.
    Mr. Brock, GAO.

  STATEMENT OF JACK L. BROCK, JR., DIRECTOR OF GOVERNMENT AND 
        DEFENSE SYSTEMS, U.S. GENERAL ACCOUNTING OFFICE

    Mr. Brock. Thank you, Mr. Chairman. Thank you very much for 
inviting us here today.
    We first met with your staff several months ago about the 
Overseas Presence Advisory Panel [OPAP]. The main concern was 
we do not want to have a hearing in 2 or 3 years and find out 
that the Department has wasted $300 million or $400 million. We 
want a return on investment. We want to make sure that the 
goals and the objectives that were set out in the OPAP report 
are in fact and that they are met efficiently.
    I think a concern that the staff had was based on a couple 
of GAO reports on the IT environment at the State Department 
and on the poor computer security, this concern was well 
founded. Could in fact the Department spend the money wisely? 
Could in fact the Department bring about the common platform 
that is needed to support OPAP?
    Our work in computer security showed that the State 
Department was highly vulnerable to both inside and outside 
threats. We were able to pretty much walk around the 
Department. There was generally a lack of oversight at the 
management level.
    Chairman Gilman. Let me interrupt. You say there is a lack 
of oversight in management at State?
    Mr. Brock. Oh, absolutely. Yes.
    Chairman Gilman. Thank you. We are curious about that 
because we are working on the possibility of creating a new 
management office. Thank you.
    Mr. Brock. The same thing on looking at major investments, 
IT investments in the Department. There were a lack of 
management controls and a lack of management processes.
    Both of those reports were done in 1998, and since then the 
Department has made impressive strides in establishing good 
management processes that should allow them, if implemented 
correctly, to control their investments, to control their 
computer security. I am a firm believer that good results come 
from good processes. If you do not have good processes, good 
results may or may not follow, but they are pretty much 
sporadic.
    The Department has now laid a foundation for having a 
better opportunity for achieving good results, and in fact when 
we are looking at the OPAP project, which the early planning 
stages are still underway, they in fact have a disciplined 
process that they are following in determining what the 
requirements of the platform will be, how much it should cost, 
what sort of technology should be in place, etc. They are doing 
a number of things that make sense, and they are pretty much on 
target by the end of this fiscal year to have a detailed 
implementation plan.
    While the Department I believe is well situated to move 
forward into a planning process, we believe they also face I 
think reasonably significant challenges in moving forward. I 
would like to just spend a few moments discussing those 
challenges.
    First of all, they have to work with eight or nine agencies 
on this common platform, and that is difficult to do. I mean, 
on paper they have the agencies in place. They all meet 
together. They have regular meetings. Nevertheless, they have 
different objectives. They have different needs, and in order 
to optimize the common platform some of the individual needs of 
various agencies might have to be suboptimized.
    It is this process that is difficult to negotiate and 
achieve. We think that it is likely that many agencies may want 
to continue operating their own technology, particularly if 
they have systems that were recently acquired or upgraded.
    Second, no one agency by itself has the authority or the 
ability to dictate a solution to insure the implementation of a 
mutually developed solution. Third, although negotiations are 
ongoing, details are still being worked out as to who will 
manage and administer the new collaborative network.
    These challenges are answerable. They are doable, but, 
nevertheless, they are challenges that have to face the 
Department. This really has nothing to do with the Department's 
status now in terms of good information over technology, but I 
think a challenge that any organization would face trying to 
bring together eight other organizations.
    The second challenge is on the matter of an architecture. 
Right now the State Department has a level of architecture, but 
it does not have a detailed architecture.
    If I could just briefly describe an architecture in more 
common terms, if you have a Rand McNally atlas and you open up 
the front page and you see the map of the United States, it 
shows the major interstates going from the east coast to the 
west coast and from the Gulf of Mexico to Canada. Well, you 
sort of know how to get there and where you are going, but it 
is only until you turn to the detailed maps inside the atlas 
that you really know the best route to take from state to state 
to state.
    I think right now the State Department has a pretty good 
overview map, but they do not have those detailed maps that are 
really necessary to dictate where the State Department wants to 
go in terms of matching business solutions with technology. The 
danger of not having an architecture in place is that sometimes 
you in fact let technology dictate business needs, or you let 
business needs dictate the wrong kind of technology, so you 
really need to merge those two things.
    The danger of continuing or the risk of continuing in the 
OPAP project while the architecture is still underway is that 
there is a risk that the eventual OPAP architecture could 
influence the State Department's final architecture in a way 
that may not be optimal. Now, this is a risk I think they are 
aware of and something that they need to follow throughout the 
development of both the architecture and the project.
    The last challenge that the State Department faces is 
computer security. This is a challenge that we found every 
agency faces. Our recent reports have indicated that the 22 
major Federal agencies all have significant computer security 
problems. The findings that we had at State Department a couple 
years ago, they are not unique to the State Department. They 
are true everywhere on a government wide basis.
    The State Department has implemented our recommendations. 
They have changed their management structure. They are in a 
better position to deal with these problems. One of the things 
that they have done at our recommendation is to begin to do 
vulnerability assessments at key places. These vulnerability 
assessments continue to find problems.
    I think a difference now is the State Department is finding 
these problems, and they are fixing them, but I think it is 
indicative that computer security is an ongoing concern. You 
are going to have a new network, a new platform, new 
opportunities for intrusion, and I think that the diligence and 
the level of effort that the State Department will have to 
exercise to this is going to be considerable, so that is a 
significant challenge.
    The advantage is that you have now as an oversight body and 
in fact an advantage that is also shared by the State 
Department and the other agencies that are participating in the 
OPAP project is that the planning for this is just now 
seriously getting underway, and you have many excellent 
oversight opportunities over the coming year.
    First of all, the State Department is developing a detailed 
project plan, and they are going to be testing the concept at a 
couple of pilot locations. This is a good opportunity to take a 
look at the detailed project plan, to take a look at the 
results of the pilot projects and say is this an investment 
that is going to pay off? Does it show promise? Is it something 
we want to pay for? Is it something that is showing results in 
a couple of limited locations? Does it show promise?
    Second, the development of a detailed project plan also 
allows the performance measures to be developed so that in fact 
you will be able to say OK, here is where you said you would 
be. Here is where you are. What is the gap? What do we need to 
do to close the gap? Are you still on target--and gives the 
State Department, the other agencies, as well as you as an 
oversight entity, an opportunity to take corrective actions.
    The State Department is well positioned to develop a plan, 
and I think that again this Committee is well positioned to use 
this plan as a vehicle for monitoring the development of the 
platform over the next couple of years.
    Mr. Chairman, that concludes my statement.
    [The prepared statement of Mr. Brock appears in the 
appendix.]
    Chairman Gilman. Thank you very much, Mr. Brock. You have 
given us a lot of food for thought.
    Mr. Maybury.

 STATEMENT OF MARK T. MAYBURY, EXECUTIVE DIRECTOR, INFORMATION 
           TECHNOLOGY DIVISION, THE MITRE CORPORATION

    Mr. Maybury. Thank you, Mr. Chairman, distinguished Members 
of the Committee.
    As executive director for the Miter Corporation, I oversee 
all collaboration computing activities at the corporation, and 
for the past 5 years I have served and worked with the 
Department of Defense very closely to develop a common 
operating environment specifically responsible for the 
collaboration and multimedia elements thereof.
    I will summarize my prepared statement, but I have provided 
a lot of details that I would like to make part of the formal 
record.
    Chairman Gilman. Without objection, it will be made part of 
the record.
    Please proceed.
    Mr. Maybury. Thank you.
    Just a comment on the requirements for, the impediments to, 
the costs of and the lessons learned from using collaboration 
computing in knowledge management and other activities across 
the government. I have attempted to address each of these 
issues in detail, but I would summarize my statements.
    The first point I would like to make is that to create a 
common operating platform for the Department of State and the 
other agencies is a challenge, but it has great potential. By 
common platform, I mean those infrastructure and applications 
that are basic to long distance and cross agency collaboration, 
things like directories, electronic mail, file sharing, desktop 
video teleconferencing, skills or expert data bases and shared 
applications.
    I believe secure collaboration and knowledge management 
solutions have promised to directly address some of the 
fundamental problems outlined in the November, 1999, OPAP 
report, including increased global complexity, dealing with 
reduced overseas staffs, the need for increased global 
engagement and influence.
    For example, if we take a look at the intelligence 
community and the Intelink, classified internet, which MITRE 
helped engineer, it has become the primary method for 
intelligence distribution throughout the intelligence 
community.
    Another example. In my written statement I detail how 
collaborative technologies have fundamentally changed the way 
the Air Force operates by creating virtual air operations 
centers. Another example. The Navy and the Joint Forces have 
been able to put Tomahawk cruise missiles on target faster and 
more accurately during war.
    At the MITRE Corporation, as I have also submitted in my 
materials, there are several CIO magazine articles outlining 
our internal internet which has been used to share knowledge 
globally. These systems have improved the timeliness and 
quality of operational processes. For example, in a major 
exercise last year, the Air Force was able to improve their 
efficiency of operations by 50 percent. With focused effort, 
the foreign affairs community can enjoy these same benefits.
    My second point is that the success of the common platform 
for the Department of State will require both knowledge 
management and collaboration technologies. I will not detail 
these, but, in short, collaboration technologies are those that 
allow people to share information across time in both different 
times, as well as across different places.
    For example, if you want to support a team working at a 
different time and a different place, you could use electronic 
mail, or if they are working at the same time, but in different 
places, you could use technologies like instant messaging, 
technologies like desktop video conferencing.
    In contrast, knowledge management can be enabled by 
collaboration, but it is distinct, and it refers to processes 
that allow us to find experts, to map the knowledge in an 
enterprise or across enterprises, to integrate knowledge and to 
disseminate knowledge.
    My third point. Because of the difficulty of predicting how 
people and organizations will use collaboration tools and the 
rapidly changing underlying communications, networking and 
computing infrastructure, it is essential that the creation of 
these systems be done in what is called an incremental spiral 
acquisition process.
    This is in contrast to the traditional waterfall approach 
where development of a system follows a strict sequential 
process from requirements to design to implementation to 
testing and in contrast is more of an iterative process in 
which these things are done in parallel.
    Accordingly, the government needs to depart from its normal 
lengthy purchasing process to build a little, test a little, 
learn from mistakes and be willing to adapt to change. Planned 
obsolescence is part of this process, and these systems can be 
very costly. In fact, when you cost these systems you must look 
at full life cycle costs to include the cost to acquire the 
system, the cost to implement it, steady state costs, as well 
as indirect costs, including intangibles such as down time and 
user satisfaction.
    Incidentally, I have included in these articles the cost 
analysis that MITRE has utilized that was highlighted in the 
February CIO article where we invested $7 million and were able 
to show over $50 million in return on investment.
    While a spiral development process does not guarantee an 
inexpensive solution, it does minimize the risk that money will 
be wasted. Success in creating a secure common platform for the 
Department of State and other agencies requires clarity of 
vision, buy in from the foreign affairs community, explicit and 
measurable business outcomes, but flexibility in technology, 
schedule, budget and specifications.
    Mr. Chairman, I have a few more points. I do not know if 
you would like me to stop or finish.
    Chairman Gilman. Well, we are going to be called for a 
vote. Why do we not dig into the questions, if you would?
    Mr. Maybury. That is fine. Thank you.
    [The prepared statement of Mr. Maybury appears in the 
appendix.]
    Chairman Gilman. I want to thank all of you for being 
concise is your presentations.
    We will continue right on through the vote with the 
questioning. I am going to ask my colleagues if they would want 
to go, and we will continue so we will not have a delay.
    First of all, Mr. Burbano, last week Undersecretary Cohen 
stated that various technology systems were still out of date, 
even though the Department has replaced all of its Wang 
systems. When can we expect the needed reorganization to be 
achieved that is so sorely needed? Which systems are top 
priority, and do we have the appropriations that are needed to 
do what you are seeking?
    Mr. Burbano. Mr. Chairman, the answer to that question I 
think goes right to the heart. It is the funding. We do not 
have the funding to completely overhaul the systems.
    The majority of the unclassified systems have been 
modernized. The classified system is where we still have a 
lot----
    Chairman Gilman. How much will be needed, Mr. Burbano?
    Mr. Burbano. Approximately close to $200 million.
    Chairman Gilman. I understood from my staff that there is 
$500 million available for information technology. Is that fund 
available to you?
    Mr. Burbano. We are using it. I mean, it is not a fund that 
is available for things we have not used it for. Believe me, we 
are making use. Our budget is, you know, as stated earlier, 
$500 million.
    Chairman Gilman. So you are limited in the appropriations 
available to you?
    Mr. Burbano. Yes. Absolutely.
    Chairman Gilman. And what is the shortage?
    Mr. Burbano. For the classified systems, close to $200 
million.
    Chairman Gilman. You need another $200 million?
    Mr. Burbano. Yes.
    Chairman Gilman. Mr. Brock, your statement noted the State 
Department networks remain highly vulnerable to exploitation of 
unauthorized access. That is based on four computer security 
evaluations of its unclassified networks.
    What do these findings suggest for efforts to develop a 
common platform? Both Mr. Brock and Mr. Burbano, has any 
corrective action been taken? Have such risk assessments been 
made on the classified system? I direct that to both of you. 
Mr. Brock?
    Mr. Brock. First, I do not think that it is unusual that 
every time you do one of these vulnerability tests that you 
continue to find holes. One of the reasons that we advocate a 
continuing of vulnerability assessment is in fact to find holes 
because they always creep up. If you are not constantly 
vigilant, you will end up with a serious mess on your hands.
    We did not go in and evaluate the repairs that the State 
Department made. We did note that they did take corrective 
action in the four reports that we examined. The fact that 
reports, though, continue to show vulnerabilities, which again 
I do not find particularly surprising, indicates that there is 
still a need for constant vigilance.
    The thing the Department has done differently since our 
original report, though, is put in more centralized management 
and in fact established a control. Before our initial report 
they never did their own vulnerability studies. At least now 
they have the capability of determining on their own where they 
have weaknesses and then being able to take corrective action 
on a more timely basis.
    But again, that just points out that when you are putting 
in a new platform, as I mentioned in my oral statement, that in 
fact you are assuming a certain risk. You need to determine 
what that risk is. You need to determine the appropriate 
controls that should be in place to minimize that risk, and 
those controls are going to cost you some money. That has to be 
factored into the life cycle cost of the overall project.
    Chairman Gilman. Mr. Brock, you noted that the panel 
reported the condition of U.S. post submissions abroad as 
unacceptable, and the panel found the facilities overseas had 
deteriorated, human resource management practices are outdated 
and inefficient, and there is no interagency mechanism to 
coordinate overseas activities or manage their size and shape. 
What is your recommendation to correct that?
    Mr. Brock. Well, we did not specifically go over and 
evaluate those conditions, so we have made a general assumption 
based on other material that those conditions were reasonably 
and accurately reported.
    In fact, the process that the State Department is leading 
now is supposed to address those conditions and make 
improvements, which is one of the challenges that we mentioned. 
In fact, to get all eight or nine agencies to agree to make 
certain changes is going to be a difficult task.
    Chairman Gilman. I am going to reserve my questions. Mr. 
Bereuter has another engagement. I am going to pass the time to 
Mr. Bereuter.
    Mr. Bereuter [presiding]. Thank you, Mr. Chairman. I 
appreciate that courtesy.
    One of the difficulties for some of us is that you 
gentlemen use terminology which is not always clear to us, and 
I am sure we do the same, but, as I understand it, you are 
preparing or are you updating information architecture, a plan 
for information architecture for the State Department.
    Is it an update would you say realistically, or is it the 
first time you are comprehensively attempting to look at and 
develop an architecture? Mr. Burbano.
    Mr. Burbano. We have developed already, as in a written 
testimony in April 1999. We put out our first high level, as 
Mr. Brock stated. It is high level architecture that brings the 
State Department into the modern age, and we are developing 
right now the details of that IT architecture, so we came out 
with the first published IT architecture.
    There was a default one, you know, because you always 
operate with one, but it was not necessarily a formally 
published architecture prior to that one.
    Mr. Bereuter. Mr. Burbano, you heard the analogy used by 
Mr. Brock about the Rand McNally overall front page map, and he 
suggested that what is lacking to some extent----
    Mr. Burbano. Is the details.
    Mr. Bereuter [continuing]. Are the details within that 
overall framework.
    You have a good framework in place, as I understand your 
comment, Mr. Brock.
    How far do you intend to go in Mexico City, and where is 
the other pilot?
    Mr. Burbano. New Delhi.
    Mr. Bereuter. New Delhi. Are these picked because you think 
that they will be good models for you to work with, to make an 
assessment on?
    Mr. Burbano. Yes. In fact, you know, those models were 
picked with the whole interagency group; not just the IT 
interagency group, but the interagency group for OPAP that is 
overlooking the right sizing and the buildings/ facilities and 
the IT portion, the three groups underneath that. They are the 
ones that decided along with the three groups underneath that 
those were the best sites.
    The reason they are the best sites is because of the 
representation there from the other agencies, which is what you 
want to do for the collaboration.
    Mr. Bereuter. Now, what I am looking for is some 
reassurance that the plan that you are developing or refining 
for the information technology for the State Department will 
survive changes in technology.
    Mr. Burbano. Yes, it will, and that is one of the key 
points. It is a refresh. We are doing that right now with our 
very successful ALMA program, which is another logical 
modernization program that we have that replaced all these 
Wangs on the unclassified system. That was very successful.
    We have a refresh program, which is part of our Managing 
State Project management system that Mr. Brock spoke about that 
has been successful, and that includes a refresh to make sure 
we stay up to date. We are doing that right now with the ALMA 
system, and we did that also with the very successful Y2K 
system and also with the global overseas radio program.
    Mr. Bereuter. Thank you very much.
    Mr. Brock, I want to have some assurance that what is being 
developed in fact will survive upgraded technological changes 
that are brought to bear in terms of new equipment, new 
software, things that perhaps we do not even anticipate at this 
point.
    I want to understand that this plan is going to be 
survivable, that it will be credible, that it will reach beyond 
the current technology and that we will not find ourselves 
having to start all over picking up the pieces as a result of 
changes in technology.
    Do you have anything you can say to me about the plan as 
being developed?
    Mr. Brock. Well, I cannot offer you those assurances 
because the plan is not complete, but what you have really done 
is laid out a very basic expectation that is true of any 
architecture. That is one of the very first things that you 
need to do is to use this to provide some assurance that the 
dollars you are going to be spending are in fact not going to 
be wasted.
    The disadvantage of not having an architecture is that 
every investment that you make may or may not fit into the 
overall structure, so you have incompatible systems. You have--
in other words, they do not talk to each other. You know, you 
buy Macs one place and PCs another place, and you cannot 
exchange software.
    We have numerous examples of where a lack of a defined 
architecture has caused agencies billions of dollars in wasted 
money, so I think the answer to your question, and I apologize 
for going on, is that right now I cannot provide you that 
assurance. I can provide you an assurance that they do have a 
high level architecture that makes sense.
    They are developing the necessary artifacts, the individual 
Rand McNally pieces, and those need to be examined as we go 
through the process to see if in fact they will provide that 
richness that you are asking for.
    Mr. Bereuter. I will just make one more statement really 
before I turn it over to Mr. Rohrabacher as I go to vote.
    I understand how difficult--I think I understand in part 
how difficult this interagency process might be to develop an 
agreement as to what is appropriate in taking secondary levels 
of benefits perhaps in order for the uniform effort to move 
ahead.
    I believe I understand that the intelligence community and 
the State Department have just basically decided they cannot be 
as compatible as the Congress had hoped they would be and that 
there is something in an appropriation bill, in an intelligence 
authorization bill, which suggests that that is the case, so I 
hope perhaps you might be able to address that in your comments 
for the record here. If I have given you enough information to 
proceed, I am asking any of you after I leave.
    Mr. Rohrabacher, are you ready to take over?
    Mr. Rohrabacher [presiding]. Thank you.
    Mr. Bereuter. Thank you.
    Mr. Rohrabacher. Oh-oh. I am in charge now.
    Doug, you left a question on the table?
    Mr. Bereuter. If they care to address it.
    Mr. Rohrabacher. Please feel free.
    Mr. Maybury. Yes. I would like to address that. The 
intelligence community is part of my IT subcommittee, 
interagency subcommittee. John Dams, who is the IC CIO for all 
the intelligence community, is a member, and he also has 
representation in the other groups.
    As far as I have seen directly, along with my other two 
subgroups, there has been excellent cooperation. There is buy 
in. The only statements that I have personally heard and also 
my group leaders has been that, you know, you have to make sure 
that we do not lower our security standards, which I totally 
agree, and nobody has said that we are going to lower them.
    In fact, the opposite. We are upping our security 
requirements because we know that the internet, you know, has 
holes like Swiss cheese, so we want to make sure that we 
strengthen our security. We are doing that, as I stated in my 
oral and written statements.
    You know, we are going to be using industrial strength 
firewalls, PKI, digital certificate and signatures and also 
encryption, anti-viruses, every available tool that is out 
there to properly do and transact business on the internet in a 
secure manner.
    As far as my relationships, and I am also a member, by the 
way, of the intelligence community CIO Council. I sit on the 
executive council. I work closely with John Dams, and as far as 
I know the intelligence community is, you know, on board with 
us. I have talked to John. As I mentioned, he is the 
representative for the intelligence community, and he is on 
board.
    Mr. Rychak. May I add to that?
    Mr. Rohrabacher. Yes. Sure.
    Mr. Rychak. I think it is also important that we make the 
distinction between our classified systems and the 
interconnectivity, the proposal to interconnect classified, and 
what is being done right now, and that is looking at our 
unclassified systems and interconnecting with the other 
agencies.
    Certainly the classified interconnectivity is a goal, but 
that is much longer term, and indeed there are some strong 
opinions as to how that could be done securely in the long run 
bringing in agencies that have very different backgrounds and 
sensitivities as it relates to information. The effort, though, 
that is ongoing right now deals with unclassified systems.
    Mr. Maybury. If I could make a comment? Two comments. One 
on the architecture point and one on the interoperability 
point.
    In my written statement with respect to the Department of 
Defense, we have been working for the past 5 years with many 
architectures, and I would strongly urge that there not be one 
architecture; there be several architectures that are tightly 
coupled.
    Just as you would not use the same map for a pilot as you 
would for somebody who is driving a truck as you would for 
somebody who is walking through a historic district in a city, 
you similarly will not use the same architecture in an 
information system for people who have different tasks or who 
are looking at different levels.
    To be specific, it is important to have a functional 
architecture, what you want to do with the system; a systems 
architecture, what are the components, what are the 
connections; and a technical architecture, that is one that 
specifies the standards, if you will, the rules of the road 
that show how these systems are going to work with one another. 
If you only have one of those, you have an incomplete 
architecture.
    With respect to technical standards, I have included in my 
written testimony the standards we use, which are international 
standards. They are not government standards. They are 
standards such as the International Telephony Union, such as 
the Engineering Task Force. These are standards bodies that 
build or, if you will, that specify the building codes to which 
commercial tools are created.
    It is essential that we have standards in interoperability 
that comes from those because if we want to protect ourselves 
from our investment and to insure interoperability in the 
future, those kinds of, if you will, building codes will help 
us do that.
    Mr. Burbano. If I can, I would like to add a point to that 
since the architecture is a very key point.
    To show you how committed and a firm believer I am in the 
architecture, we have actually gone beyond the Clinger Cohen 
requirements for IT architecture. We have also developed a 
business architecture and a security architecture, which will 
be a requirement in the near future, which is not a requirement 
right now, and we have those in draft. We are working with GAO 
on that.
    In terms of the collaboration, I would just like to say, 
because that was an issue that was brought out also in an 
earlier question. As I stated, because of Clinger Cohen I think 
that the OPAP implementation is going to be a lot easier than 
prior to Clinger Cohen because there is now a CIO Council, and 
the CIOs of the top 24 and also the other 50 CIOs or so of the 
small and medium agencies get together on a monthly/quarterly 
basis.
    That has produced a very strong collaboration that will 
spill over and is spilling over to the OPAP. That would not 
have existed prior to the Clinger Cohen, so I think we have 
excellent collaboration.
    Mr. Rohrabacher. Thank you very much.
    The Chairman is back, but I will, with the Chairman's 
permission, proceed with my 5 minutes.
    Chairman Gilman [presiding]. Please. Please.
    Mr. Rohrabacher. Which I have not had yet.
    Chairman Gilman. By all means.
    Mr. Rohrabacher. Let me just say, first of all, I stated 
something for the record at the beginning, and I just want to 
followup on that 1 minute, but let me just say that from my 
perspective it seems like we are starting this effort that you 
are talking about really late in the game here. This is near 
the end of this Administration, and all of a sudden we are 
talking about security.
    Quite frankly, Mr. Chairman, this Administration does not 
have a very good track record in terms of security in the 
operations of our Federal agencies. One need only look at the 
ongoing crisis, for lack of a better word, surrounding Los 
Alamos and what has been going on there for what appears to 
have been going on for years and years and years. I realize you 
folks are not responsible for that. Maybe you will have some 
responsibility for that or parts of that. I do not know.
    Then we hear stories about missing laptops. Now, where does 
this missing--I mean, I understand there is at least one 
missing laptop that dealt with top secret security information. 
Where does that fit into what you are doing here?

   STATEMENT OF WAYNE RYCHAK, DEPUTY ASSISTANT SECRETARY FOR 
         DIPLOMATIC SECURITY, U.S. DEPARTMENT OF STATE

    Mr. Rychak. Sir, to answer your first question, security is 
not a new issue. The comments that Mr. Brock made regarding the 
improvements, and there have been substantial improvements 
within the information and security program at the State 
Department. Those have been occurring over the course of the 
last 3 years.
    When the GAO issued their report in the fall of 1998, 
frankly it was a wake up call for many of us that are in the 
operational side. We have focused great effort and attention in 
enhancing processes, as Mr. Brock has pointed out; processes 
such as security awareness training, vulnerability and risk 
assessments, evaluations, audits, network monitoring.
    Mr. Rohrabacher. Let me interrupt you for one moment.
    Mr. Rychak. Yes.
    Mr. Rohrabacher. And I respect all the procedural things 
and the descriptions of the type of--I mean, you are going 
through this in a systematic way and saying how can we make 
things better in relationship to a GAO report.
    It is difficult for me to understand how to instill a 
security consciousness among professionals like we have at the 
State Department who work for the government when we have an 
administration that is claiming that America's most severe 
potential enemy, America's worst potential enemy, is a 
strategic partner.
    I mean, for 2 years, for 3 years, we had the State 
Department over here, of course, doing what they were told to 
do because the President of the United States was making the 
policy that the Communist Chinese should be referred to and the 
operating words were strategic partner.
    It is difficult for me, frankly, to sit and to listen to a 
very serious discussion, which you are having here, about your 
procedures when it is done under an umbrella of or an 
atmosphere that is being created by an administration insisting 
on calling our worst potential enemy a partner, and not only 
just a partner, but a strategic partner.
    Now, I am not going to ask you to attack the Administration 
because you would not be diplomats if you did, but I just 
wanted to note that for the record.
    Let's go back. Let me go back to that first issue that I 
raised in my opening statement. Here we have, and I think 
rational people have to--I think rational people all along 
understood that Communist China was not our strategic partner, 
but was instead a potential enemy. I am not saying that they 
are an enemy, but at least our worst potential adversary.
    Here we have what almost everyone recognizes as our most 
dangerous potential adversary buying a building right across 
from the Pentagon with obvious electronic capability, spying 
capabilities. Has there been any discussion? There was no 
apparent objection from the State Department, which would have 
had some say in this.
    Have there been discussions with the Defense Department or 
the CIA concerning this potential security problem?
    Mr. Rychak. Sir, when you first raised this question you 
surmised that there would probably be no one on this panel that 
could directly answer, and you are correct.
    I will tell you that the Department's Office of Foreign 
Missions would be the entity that would normally deal with 
these types of issues, any acquisitions by foreign governments 
of property. I am sure that this office was involved.
    I cannot speak of any of the details. I learned of this, as 
you did, this morning on the news. We would have to get back to 
you on your question.
    Mr. Rohrabacher. But would it be the FBI would then be in 
touch with the State Department, who would then do something 
official in terms of looking into that to see if the charges 
that this was an arm of Chinese intelligence and if it was to 
make the appropriate moves to prevent this from happening?
    Mr. Rychak. It is normally----
    Mr. Rohrabacher. Is that the way it would work?
    Mr. Rychak [continuing]. FBI, State Department and then the 
intelligence community. It is normally a coordinated effort to 
look at the potential hazards and threats that could be posed 
by a foreign government's presence anywhere in the United 
States.
    Again, I cannot speak to any of the details, though, on 
this particular issue.
    Mr. Rohrabacher. And your role that we were talking about 
earlier is that when the agencies get together and they want to 
communicate via their computer system that you are just trying 
to see now that the computer system--someone does not hack into 
that or that that is a protected communications apparatus? Is 
that right?
    Mr. Rychak. Yes. Certainly one of my roles is to do what is 
necessary to put into place a comprehensive and effective 
security program to protect that information. Yes.
    Mr. Maybury. If I could make a comment on that?
    Mr. Rohrabacher. Sure. Go right ahead.
    Mr. Maybury. With respect to there are a whole set of 
vulnerabilities that I know the State Department is aware of 
and they have been actively addressing via a variety of 
mechanisms, such as access by unauthorized users, denial of 
service and so on.
    I think that it is important to note particularly when we 
talk about distributed collaboration systems that there are new 
classes of vulnerability that are inserted or potentially 
there. In fact, we are actively working with, and I cannot 
speak to this in this open session, but with government 
agencies to develop new technologies to apply to essentially 
protect some of these systems.
    For example, one might want to have if you are 
communicating instead of over a phone using a computer to 
communicate, you may want to encrypt that kind of audio, for 
example. These are new functions that will be made available in 
the future, but we do not have them yet. There are new 
vulnerabilities that we do not yet have protection for that we 
need to either invest in or create.
    Mr. Rohrabacher. Well, I am pleased to see that we have 
some people who understand all of this computer. We were just 
discussing this. Congressman Hastings and I were discussing 
that we are not experts, unlike Ben, who understands all of the 
new computer system and the new technology. We are very happy 
that we have some real professionals who are involved in this, 
and we thank you, Mr. Maybury, and you gentlemen for spending 
your time and your professional expertise in this.
    Just again for the record, I would like to say just again I 
am not doing this to be political, Al, but I just think the 
record of this Administration in this area has been--I worked 
for the White House for 7 years, and I remember what it was 
like, the atmosphere in the Reagan Administration concerning 
security issues, and the record of this Administration when you 
consider Los Alamos and some of these other things that we know 
about has just been abysmal.
    This Administration should hang its head in shame in terms 
of the national security interests of our country in terms of 
this area. I am pleased, however, at this part of the game and 
that some professional attention is being spent in this area.
    Thank you very much, Mr. Chairman.
    Chairman Gilman. Thank you, Mr. Rohrabacher.
    Judge Hastings.
    Mr. Hastings. Mr. Chairman, thank you so very much. My dear 
and good friend from California would not dare do anything 
political, nor would I.
    Under the circumstances, I remind him that when he worked 
at the White House in the Reagan Administration a call on a 
cell would have been from a jail. The IBM machine was 
considered something forward thinking, and everybody thought 
they had arrived. Indeed, most of what you were doing was using 
dictating machines.
    The problem that I have is that it seems that the 
technology is overwhelming, and I see that as problematical for 
not only our governmental agencies, but for all of us until we 
reach whatever the optimum condition is that it is likely to 
reach, and the way it is spiraling that is hard to envision 
taking place at some point in the not too distant future.
    I would like to ask two quick questions, and then I would 
like to just, if I could, give you an overview of what I just 
said with more specifics in mind.
    Mr. Burbano or Mr. Rychak, has the Diplomatic 
Telecommunications Services, which you know is an interagency 
common platform for secure communications, been a wise and 
effective investment from an electronic communications 
perspective, and how crucial do you feel the continued 
operation of DTS-PO as an interagency run common system to be 
for the success of a common computer system? Either of you.
    Mr. Burbano. OK. I will take first a first stab at it. DTS-
PO, which you are speaking to, I think is important, and I 
think the collaboration among the agencies in the support of it 
is important.
    I think the problems have definitely been there due to not 
the organization, but funding. Frankly, it has been severely 
underfunded, and what has resulted, the biggest problem is the 
lack of band width to support the overseas community. That is 
funds, so it is a funding problem, but we need to maintain the 
organization, and it needs to be, you know, collaboration 
between parent companies.
    Mr. Hastings. All right. Thank you. Some years ago I had 
the good experience of visiting Australia for the first time, 
and I use this as just a metaphor, so to speak, for what I am 
about to suggest or ask.
    I did not know the fierce rivalry between Melbourne and 
Sydney. Apparently at one point they disliked each other so 
intensively that when they were building their rail systems, 
they built them in a manner that when they came together they 
did not fit.
    I am curious from your perspective whether or not we are 
involving enough people when we talk about collaborative 
networks, collaborative technology, interagency connectivity, 
and by that I meant this. I served in the judiciary, and we 
always were last to get stuff that was needed, yet we were 
involved in matters of security far beyond some of the things 
that I see here in the legislative branch.
    My concern is that at some point there has to be not just 
for the State Department or the CIA or the FBI or the Defense 
Department, but there has to be some collaboration with all of 
them, including the legislative, executive and judicial 
branches of our government, and calling upon experts from each 
of those areas to work with the people that are developing it. 
In other words, the State Department may fool around and 
develop the best, and GAO may not have that. We have seen that 
happen over and over again.
    Do any of you have that concern, or if I am talking about 
breadth as it pertains to security including all of government 
is that too much to ask?
    Mr. Brock. No, it is not. It gets back to a question Mr. 
Rohrabacher was going into.
    We have testified many times over the past year. The 
government has overall very poor computer security. There is no 
central leadership or management or limited central leadership 
and management. Some of the things that you are talking about 
such as the building overlooking the Pentagon going to threat 
assessment, the United States is not well equipped to do threat 
assessment. Information is not shared freely among agencies.
    The ``I LOVE YOU'' virus, which the State Department was 
internally successful at resisting, was not successfully 
resisted by many other agencies. The National Infrastructure 
Protection Agency at FBI did a very poor job of sharing 
information on the virus and coming up with relevant 
information.
    Earlier this year, the President released the national plan 
to protect the critical infrastructure. The key element of that 
plan was to say that the government will be a model so that the 
private sector will want to participate, and they acknowledge 
in that that the government is not a model; that there is a 
long way to go.
    So the issues you are talking about are much broader than 
the State Department.
    Mr. Hastings. Right.
    Mr. Brock. They do encompass other agencies, and they need 
to be looked at as part of a whole cloth.
    Mr. Hastings. Right. The other thing, Mr. Chairman, that I 
raise, and this will be my final question on this round, has to 
do with what I think is just good sense, and that is that, for 
example, on the criminal side of matters totally unrelated to 
the State Department.
    When a 17-year-old hacker is discovered that is brilliant 
and they take him to court, a lot of times they give him a 
job--do you understand what I am saying--so they can decide to 
use this kid. Now, that raises the question that I have.
    I listened to you all this morning, and just generally 
everyone that I have heard, from encryption all the way back 
across to all of the agencies that I have been faced with in my 
responsibilities as a policymaker, I have heard over and over 
and over from extraordinarily competent individuals like 
yourselves, and I do not mean that patronizingly. I do not know 
what either of you make. I suspect from my point of view you 
are underpaid by comparison to what happens in Silicon Valley 
and other places.
    I guess, Mr. Burbano, since you have the highest budget as 
I heard the Chair announce, do you feel that in an effort to 
accomplish just inside your agency the things that you need to 
accomplish that you would--a special category of funding to 
give to exceptional individuals to keep them on board or to 
bring in bright people? Would that be helpful?
    In other words, you have a GS whatever--I never have known; 
GS-14, GS-15--when you need to be paying somebody $200,000 to 
do what needs to be done. Am I off the mark here?
    Mr. Burbano. No. No. You are right on target. In fact, one 
of the things that I addressed besides computer security and 
Y2K was the work force issue was a priority of mine, and that 
was in fact what you were saying. Not only to recruit, but also 
train and also retain----
    Mr. Hastings. Retain.
    Mr. Burbano [continuing]. IT workers in security and all 
the other areas.
    What we in fact have done as a first step--I call it a 
first step because we need long term steps. We created the 
first agency in the Federal Government to create both a 
recruitment and retention allowance and bonus program, so for 
recruitment we have up to 25 percent recruitment bonus, and 
also we worked out with OPM so we can bring them in at higher 
grades and steps than normal, so that is on the recruitment 
end.
    On the training, we have added up to around $4 million 
extra to train our new employees, and to retain them we were 
certainly the first agency to come up with what we call 
retention allowance based on certifications like Microsoft, 
Oracle, Sysco, and also on, you know, whether you have a 
Bachelor's in Electronic Engineering or Master's in Computer 
Science and so forth. You can get up to 15 percent in retention 
pay, so we can keep those employees and not just bring them in 
the pipeline.
    We have done that. What still needs to be done, though, for 
the long term is we are still working with the ceiling, so you 
are very right. What we need to do, and the CIO Council and the 
State Department is working with the CIO Council to try to 
create a new IT pay scale across the whole Federal Government, 
not just State Department, that will be competitive with 
private industry.
    The National Academy for Public Administration [NAPA], has 
actually been chartered to do that study, which as you well 
know was chartered by Congress and is independent of the 
executive branch, is doing a study at the request of CIO 
Council and working with the CIO Council and OPM to look at the 
IT pay scale.
    Mr. Hastings. Well, I thank you all, and I thank you, Mr. 
Chairman.
    Mr. Maybury. Could I add a comment to that if it were 
useful? Just some facts for the record again in industry 
perspective.
    Seven out of the top ten fastest growth, according to the 
Department of Labor statistics, job categories are information 
technology job categories. Several years ago that was only 
about two or three. The average annual attrition rate of IT 
professionals in this country is roughly 14\1/2\ percent.
    Mr. Hastings. Would you say that again?
    Mr. Maybury. Fourteen and a half percent is roughly the 
average turnover rate nationally in terms of----
    Mr. Rohrabacher. Per year?
    Mr. Maybury. Per year. That means if you have 10 employees, 
all right, 1.4 of them will leave every year.
    Fifty thousand new graduates, both undergraduate and 
graduates, according to Education's statistics, will graduate 
every year. The annual growth rate in the IT industry is about 
130,000 jobs added every year. So you do the math, and, yes, 
there are the disciplines that people can come from, but there 
are not that many. You do the math, and there is a huge 
shortfall.
    We have been tracking this actually very closely in Defense 
obviously in the private sector, and I strongly concur with the 
activities that State and others have been doing in this area, 
and it will only get worse.
    Mr. Hastings. Thank you very much.
    Chairman Gilman. Thank you, Judge Hastings.
    Gentlemen, I have a few questions. Mr. Rohrabacher, if you 
have any additional questions.
    Dr. Maybury.
    Mr. Maybury. Yes, sir?
    Chairman Gilman. Your statement addresses the 
recommendation that State and the embassies have greater 
internet access, acknowledging the expansion of the internet 
can provide more pathways for intruders.
    How does one balance the need for a safe and secure system 
and yet greater access to the internet?
    Mr. Maybury. Well, I think one needs to do a business case 
analysis and to sort of have a managed approach to security. 
One needs to understand the risks and the vulnerabilities 
within those systems and then come up with a very specific 
understanding of what the costs, either those that are 
financial, national security or potential human life loss if it 
is a rather serious set of information, and one has to measure 
the associated reactions or preparations one can engage in to 
respond to those.
    In my testimony I give some specific examples of particular 
approaches, some of which State has already employed, to 
address those vulnerabilities.
    Chairman Gilman. So what you are saying is you can make any 
system secure. It is just how much you are willing to pay for 
it. Is that right?
    Mr. Maybury. Well, I want to be careful because, you know, 
there is no absolute security. Security includes personnel 
security, physical security, as well as electronic digital 
security.
    There are areas where we simply today do not have answers 
because, as I mentioned before, there are new technologies, new 
functions, including new vulnerabilities that are introduced 
into the infrastructure every day.
    What that means is if the risk is constantly changing, you 
have to be vigilant. You have to have a process that 
continually looks at those literally on a daily basis and comes 
up with corrective technologies, procedures, policies to 
address them.
    Chairman Gilman. Mr. Brock, in examining security aspects 
of all of this, is State Department doing something about 
making security a priority amongst its personnel?
    Mr. Brock. I think the State Department has made it a 
priority, but I think, as Dr. Maybury was alluding to, it has 
to be ongoing. It has to be constant.
    If I could just add a bit to his response? Most of the 
problems that we see on computer security when you are doing 
the tradeoffs between security and how much you want to spend 
is based on the absence of any sort of risk assessment; that 
you should not establish controls until you know what your risk 
is, and risk is a function of the threat and of the 
vulnerability of the system. So if you had a system with very 
limited threat and not very vulnerable, you do not need to 
spend much on control.
    Chairman Gilman. Who at State has the authority or the 
oversight on risk assessment?
    Mr. Brock. That would be Mr. Burbano.
    Chairman Gilman. Mr. Burbano, is someone doing the risk 
assessment?
    Mr. Burbano. Yes. In fact, it is a joint effort with my 
colleague, Wayne, in Diplomatic Security.
    We have established a very strong program. As an example, 
when I first came on board I worked with the Assistant 
Secretary for Diplomatic Security to bring in the first outside 
penetration testing, Lawrence Livermore, NR systems or 
unclassified systems.
    Since then we have done about three or four other 
penetration tests on not only the unclassified, but the 
sensitive but unclassified, classified systems. DS has done 
those.
    We also brought in Secure Computing Corporation to do 
penetration tests prior to the Y2K rollover when it was 
predicted there were going to be hundreds and thousands of 
hackers out there. We did that in November.
    We not only do the penetration vulnerable assessments and 
the risk management, but, more importantly, we do the 
remediations and make sure that whatever was found as holes 
that they are plugged up. As was stated earlier, you are always 
going to find holes, but we keep on plugging them. I feel we 
have done an excellent job of that.
    Not only have we done penetration tests, but we have also, 
as Mr. Rychak has stated, we have done an excellent outreach 
training program to make sure that the employees are cognizant 
of that such as I stated earlier with the Security Awareness 
Day, Critical Infrastructure Day, Hacker Day and individual 
training sections.
    You cannot log on to the internet without getting some DS 
training. You have to be certified to get that training for the 
internet in order to log on to our RICH internet access system. 
We have implemented the intrusion detection boxes, anti-
viruses. You know, I can go on and on.
    Chairman Gilman. I am trying to understand, gentlemen, the 
division responsibility for computer security matters between 
DS and the CIO shop. Can you explain the division and why it 
makes sense?
    Mr. Rychak, do you have any special concerns about the 
splintering of responsibilities between the Diplomatic Security 
office and the chief information officer?
    Mr. Rychak. Sir, I would be happy to give you a background 
as it relates to the split of responsibilities.
    There are--there have been--overlapping authorities. The 
Diplomatic Security Act, going back to 1985, vested the Bureau 
of Diplomatic Security with a broad range of responsibilities. 
The Clinger Cohen Act and other Acts vest the CIO also with a 
broad range of security responsibilities as it relates to 
information and computer systems.
    Beginning about 2 years ago, the CIO's office, NDS, worked 
to identify the strengths and the operational capabilities of 
each of our organizations so that we could put together a clear 
delineation of roles, of responsibilities.
    Chairman Gilman. Are you satisfied with that delineation 
today?
    Mr. Rychak. The delineation I think is working well. Mr. 
Burbano and I may have some differences in opinions ultimately 
in perhaps who should be the senior lead authority, but let me 
say that that decision has been made. Our Undersecretary for 
Management has made the decision that the CIO is the lead 
authority for that.
    You are aware that the Secretary has proposed the creation 
of an Undersecretary for Security in an effort to further 
consolidate and establish senior level accountability for 
security.
    Computer security/information security I think will be 
reviewed in that context, and I do not know how that will come 
out, but I have to say that the system is working I think quite 
well, and it is collegial. It has been a partnership 
arrangement between the CIO and DS.
    Chairman Gilman. Let me interrupt you a moment.
    Mr. Rychak. Yes.
    Chairman Gilman. Between the two of you, who is responsible 
for the maintenance and computer security at the overseas posts 
and at main State office? Can you tell us? Between the two 
shops, how much money does State spend for security, and is 
there money dedicated to security for the information 
technology fund?
    Mr. Rychak. I can speak for my side. For the programs that 
DS administers, we are expending roughly $11.2 million this 
fiscal year for computer security related programs, and that 
deals with security awareness and training and vulnerability 
assessments, intrusion detection capabilities, and this is a 
program, frankly, we are very excited about that we are in the 
process of implementing on a global perspective.
    That is one piece of the puzzle. There are other programs 
that the CIO and IRM administer, and I am sure Fernando would 
like to address it, everything from virus protection to 
implementing these policies, etc.
    Mr. Burbano. Yes. I think one easy way at a high level to 
differentiate DS and IRM is DS is involved in the development 
of policy and also in the evaluations, assessments and so 
forth. IRM is involved, the CIO, in the implementation of that 
policy and so, I mean, that is one high level way of looking at 
that.
    Chairman Gilman. Are you pretty much both working 
collaboratively in main State and overseas?
    Mr. Burbano. Yes. Absolutely. I would like to reinforce 
what Mr. Rychak said. We have an excellent relationship. We 
work together. We created the matrix, and ever since we have 
had that I think things have gone very smoothly, and in fact we 
understand each other's areas, and we collaborate on all 
decisions.
    Chairman Gilman. Mr. Burbano, Mr. Brock's report at GAO 
pointed out that computer security lacks a focal point within 
State to oversee and to coordinate its security activities.
    Do you have the expertise available in your shop to manage 
the responsibility for computer security?
    Mr. Burbano. Yes, and in fact I think that was May, 1998. 
We are in 2000, and that has changed over the last year so that 
is no longer--I think Mr. Brock stated that that in fact was 
true when they did the assessment, but that was 2 years ago. 
That is not----
    Chairman Gilman. You have dedicated security----
    Mr. Burbano. Yes. Absolutely.
    Chairman Gilman [continuing]. Personnel.
    Mr. Burbano. We have computer incident response teams just 
like DS has that works around the clock, 7 by 24, in not only 
monitoring, but also in----
    Chairman Gilman. So it is not left up to non-professionals?
    Mr. Burbano. No. No. These are computers that carry 
specialists that are dedicated and trained in the field just 
like DS. DS and IRM and the CIO both have computer security 
staffs that are professionals.
    Chairman Gilman. Mr. Burbano, I understand Diplomatic 
Security sends out teams to audit security of computer systems 
at the various posts overseas, and they produce reports and 
recommendations.
    Who is responsible for seeing that any recommendations are 
carried out? Does Washington followup on those reports or 
supply technical experts if a post requests assistance to make 
a proper review?
    Mr. Burbano. Yes. IRM is responsible, along with the post 
and the bureaus, in implementing those changes because the 
posts are underneath the bureaus. So it is a joint effort, but 
the responsibility for implementing those recommendations do 
fall to IRM and the bureaus and the posts, and we do implement 
the changes.
    We work very closely together on these teams. In fact, we 
send out IRM computer security specialists along with DS on 
some of these assessments.
    Chairman Gilman. Mr. Brock, how would you characterize the 
effectiveness and the improvements that State has made in their 
computer security program today as compared to 2 years ago? Do 
you have any plans to reexamine the Department's security 
program?
    Mr. Brock. We believe that the organizational changes that 
have been made are very positive, and one of the key concerns 
that we had was the bifurcation of computer security 
responsibilities throughout the Department.
    When we have gone out and done our best practices work, 
even in highly decentralized organizations computer security 
was centralized. I think it is appropriate in an organization 
like State that you may have multiple entities carry out tasks, 
but it is clear that one person or one organization needs to be 
overall responsible, and that is something that we would like 
to continue to examine within the State Department.
    Chairman Gilman. Do you have any recommendations with 
regard to that?
    Mr. Brock. Well, at the present time, no. We currently are 
engaged in a number of agency reviews, and we do not have a 
request, if this is what you are moving toward. We have not had 
a request to go back in and do a thorough computer security 
review of the State Department.
    Chairman Gilman. Mr. Rychak or Mr. Burbano, who is 
responsible for investigating computer security violations, and 
who resolves the intrusions or attacks in the Department? Who 
conducts the followup?
    Mr. Rychak. I can address that. The response to an incident 
actually takes two different forms. DS has what is called a 
CIRT, a computer incident response team. It is a 24 hour 
operation of personnel, largely investigative, that would 
respond from an investigative standpoint.
    In sync with that, the CIO has a CERT, a computer emergency 
response team, that deals with the operational issues relating 
to mitigating any problems that would develop in our system.
    Chairman Gilman. Are they able to react very promptly to 
those?
    Mr. Rychak. Yes. Actually, those terms work together and 
often do it jointly.
    Mr. Burbano. If I can add, during the Y2K rollover we had 
our two teams sitting together in the same room sharing the 
monitors, sharing the times and everything, and it worked 
extremely well. We were not hacked during the Y2K rollover.
    Chairman Gilman. Mr. Burbano, is computer security training 
mandatory at State----
    Mr. Burbano. Yes, it is mandatory.
    Chairman Gilman [continuing]. For all State employees?
    Mr. Burbano. For all State employees, and that is not just 
recent. As I mentioned earlier, in order to connect to the RICH 
internet access system you have to have DS, you know, training, 
and you have to get certified first before you can log on.
    Chairman Gilman. How long a period of training is there? 
How extensive is it?
    Mr. Burbano. We have various levels. Since DS does them, I 
will let Wayne talk about it.
    Mr. Rychak. Well, the internet training is a briefing that 
would last maybe an hour, an hour and a half. It presumes that 
the employee already has the background of security procedures 
and requirements.
    There is a new training program that was begun about 18 
months ago that was the result of the GAO audit that I would 
just like to comment on, and that was training for our 
information systems security officers. We did not have a 
program in place prior to 18 months ago to train the people who 
worked on a day to day basis to insure that computer security 
policies were being carried out.
    We did put that program into effect. We have trained 
hundreds and hundreds of personnel. It has gotten excellent 
reviews. We have more senior level training that also is 
available to these personnel, and----
    Chairman Gilman. Mr. Rychak, are you satisfied that all of 
the important employees that use secure computers have been 
properly trained now?
    Mr. Rychak. No, I cannot say that I am completely 
satisfied. You may recall that the Secretary of State announced 
a directive following the discovery of the laptop computer that 
it would be mandatory for all employees of the Department of 
State, all cleared employees, to annually receive a briefing.
    We are in the process of a very intensive effort to do just 
that, and every day that goes by we have formal briefing 
sessions that are ongoing in our auditoriums at the Department.
    Chairman Gilman. How extensive has this program been, and 
how many have been brought in at this point? What percentage of 
the employees?
    Mr. Rychak. Sir, I think we are somewhere in the 
neighborhood of 8,000. Now, that is not addressing our overseas 
operations, which are being done individually by our 
professional regional security officers.
    Chairman Gilman. So what percentage of people who should be 
brought in have already been brought into your briefing 
session?
    Mr. Rychak. On the latest exercise since the Secretary's 
directive, I would say we are probably at about 30 or 40 
percent with the goal of completing this by the end of August 
or first of September. In other words, 100 percent.
    We are taking a role and roster of everyone that receives 
the briefings, and we will be able to identify anyone that has 
not. It is again a firm directive of the Secretary that this be 
done.
    Chairman Gilman. Dr. Maybury and Mr. Brock, does the 
Federal Government need a Federal chief information officer?
    Mr. Brock. Yes. When the Clinger Cohen bill was first 
introduced, it really established the framework for management 
of information technology from the agencies. At that time we 
testified that a national CIO was needed to in fact identify 
both opportunities and challenges across government that needed 
to be explored in a collegial manner, and we still support that 
position.
    Chairman Gilman. Have there been any steps undertaken to do 
just that?
    Mr. Brock. Yesterday I read an article that apparently both 
Mr. Gore and Mr. Bush support a national CIO, and one of your 
colleagues, Mr. Turner, has introduced legislation calling for 
a national CIO.
    Chairman Gilman. Mr. Burbano or Mr. Rychak, have you seen 
any progress made with regard to that proposal?
    Mr. Burbano. Other than what Mr. Brock just mentioned, no, 
but I would like to say that my personal opinion is I agree 
that one needs to be done, and I think one model could be right 
across the river here.
    In the State of Virginia, the Governor has created, you 
know, a Secretary of Technology to look both within the state 
government, but also outside for IT management. That is one 
model you might want to take a look at.
    Mr. Maybury. If I could suggest one other model would be a 
cross agency CIO would be the intelligence community CIO, Mr. 
John Dams' office.
    Chairman Gilman. Dr. Maybury points out that the success of 
instituting a collaborative system requires clear objectives 
that can drive change. Mr. Burbano, has the interagency working 
group identified such objectives?
    Mr. Burbano. At the high level, as Mr. Brock mentioned. We 
are getting down to the detail level, but for right now it is 
at the high level. Those were submitted in the written 
testimony both for the IT common platform and the knowledge 
management system. Some other detailed documents have been 
delivered to GAO and the Committee.
    Chairman Gilman. Dr. Maybury says one of the values of a 
collaborative environment is it can reduce the number of 
forward deployed personnel. That is, jobs can be done back 
home.
    Mr. Burbano, are you examining that kind of a prospect, and 
do you think that technology will in fact allow for fewer 
personnel to have to be stationed overseas, and would those 
jobs be mostly administrative?
    Mr. Burbano. The answer to the first part I would say is 
that the right sizing committee is the committee that is 
actually examining that. That is the right sizing committee.
    My committee, the IT, will support that effort, but, you 
know, will not be, you know, making the recommendations or the 
decisions on actually, you know, reducing or shifting staff. 
That is the right sizing committee.
    Yes, IT will support the right sizing efforts fully and 
can, but there are other issues other than technology when you 
are trying to make decisions. Right sizing does not 
automatically mean reduction of staff. It means shifting to, 
you know, proper support where you need that staff.
    Chairman Gilman. Dr. Maybury, the Committee is concerned 
about the risks involved in developing an overseas common 
information technology platform and whether State Department is 
positioned to lead that kind of a project.
    In your view, what can our Committee do to effectively 
oversee that kind of a project as it enters development and 
requires additional funding?
    Mr. Maybury. Well, I think, Mr. Chairman, regular oversight 
expectations have explicit objectives. I know in my testimony 
that the organization that does this needs to have a set of key 
characteristics that include excellence in acquisition, systems 
engineering experience, technical expertise in not only 
security, but in collaboration, knowledge management, cleared 
staff, especially if we are talking about secure and unsecure 
systems, domain knowledge of overseas activities, perhaps 
personnel overseas.
    That is another risk is do you have the IT talent or the 
infrastructure overseas, and do you have a strong contractor 
base or contractor oversight. I think having explicit plans, 
these blueprints or these maps we talked about before, these 
architectures, at various levels of detail and monitoring those 
activities, monitoring the investments and looking for actual 
outcomes, looking for specific measurable impact, business 
outcomes, of the investments.
    Chairman Gilman. Have you had an opportunity to discuss 
those proposals with Mrs. Cohen, Assistant Secretary for 
Management?
    Mr. Maybury. No, sir, I have not.
    Chairman Gilman. I hope you might take advantage of trying 
to do just that so that she would have the benefit of your 
thinking.
    One last question before I call on Mr. Sherman. Mr. 
Burbano, several U.S. Government agencies with global 
operations are seeking funding for separate communications 
systems. Different agencies want their own system.
    What are we doing to persuade those agencies that a single 
connected system designed on an interagency basis is probably 
much more preferable?
    Mr. Burbano. What we are doing is with the OPAP I think 
that gets down to the heart of this because those agencies are 
represented on the various OPAP committees. Also with the CIO 
Council we have an interoperability committee that works with 
the various CIOs of the various agencies, and then you have the 
IC, intelligence community, as was just stated earlier by Dr. 
Maybury, and I also sit on that, on the executive committee for 
the intelligence CIO committee, so we are all sitting in each 
others' committees and so we are well aware of all the things 
that are going on.
    I think OPAP is bringing to the forefront because the 
President's mandate and OMB and also the congressional 
leadership of wanting to implement OPAP that for the first time 
we actually have more than just, you know, intentions, but we 
actually have a mandate to implement these government wide 
systems.
    These are the same agencies that you are talking about, and 
there is a lot of collaboration going on, and I think it is 
beginning to take an effect. As we stated, first we are working 
on the unclassified first in the first 18 months, and then 
after that we work on the classified systems.
    Chairman Gilman. Well, we hope you can convince all of 
these competing agencies to work together. I think it is 
extremely important.
    Mr. Sherman.
    Mr. Sherman. Thank you, Mr. Chairman.
    I think we are all concerned with security of our 
information. Some recent problems experienced by another 
Federal department have highlighted that recently. I want to 
commend the Chairman for holding these hearings, which I think 
focus on information security, but I think others will ask 
questions about our national security information, and I want 
to focus my questions on the visa process.
    This is a process that has flabbergasted me because I did 
not think that governments could be this inefficient, and it 
takes really bad computers and bad management to achieve some 
of the problems that we have experienced in this area, and yet 
my hope is that the information technology system as it gets 
better will begin to solve some of those problems.
    One of the many areas of problems are difficulties in 
communicating via computer between the INS and the State 
Department. Have those been worked out?
    Mr. Burbano. I think we have worked some of them out, 
especially during the Y2K rollover. We had to make sure the 
systems, you know, communicated. There are other issues, and, 
you know, those--Consular Affairs, CA. You know, if you got to 
particulars I guess we could address them with Consular 
Affairs.
    Mr. Sherman. Well, I mean, first the Y2K thing. There are a 
number of countries in the world that thought the whole Y2K 
thing was a crock, invested nothing and tried to solve it and 
did just fine.
    We in Congress provided billions to try to improve our 
computer systems and deal with Y2K. I am glad the sky did not 
fall, but we paid an awful lot of money to keep the sky from 
falling, and it did not fall elsewhere.
    As to particular problems, when I hear from my district 
that a fiance visa is taking 2 years in some places and 2 days 
in other places and that the State Department will not 
reallocate resources to be fair to Americans, one who decides 
to marry a Filipino and another who decides to marry and 
English woman, that is bad management.
    When I am told that we do not have any records on whether a 
particular visa officer by visa officer as to their success 
rate--which visa officers are rejecting 30, 40, 50 percent of 
the requests? Which visa officers are seeing over stays or 
violations of U.S. immigration laws in 5 or 10 or 15 percent of 
the visas they grant?
    The problem with information technology is that you would 
provide accountability and require good judgment or spotlight 
bad judgment. When I have suggested various actions that would 
privatize these decisions by allowing people to get bail bonds, 
you know, we have the same--virtually an analogous issue on 
whether somebody will over stay in the United States and 
whether somebody will over stay their period of freedom before 
their trial.
    In the private area, in the domestic area, we have turned 
to bail bondsmen who privatize that decision and put their 
money where their mouth is. We refuse to do that in the State 
area because total capricious power unaccountable through any 
technology system seems to be the goal.
    I have been told that this continues only because it does 
not affect American citizens. Once the DMV in California was 
about 10 percent as bad, and the whole state demanded that it 
get better. It never reached these levels.
    What information technology do we have with regard to how 
long it takes from application to grant in visa matters in the 
various consulates and embassies around the world? Do we have 
that information?
    Mr. Burbano. No, but I can get it for you because that is 
in the Consular Affairs Office, in that bureau, and they have 
that.
    Mr. Sherman. Have you spent much time looking at their 
information system?
    Mr. Burbano. I would not say a tremendous amount of time 
because I have been dealing with the security and all these 
other elements, and they----
    Mr. Sherman. I cannot tell you that it is more important 
than national security, but----
    Mr. Burbano. Right.
    Mr. Sherman [continuing]. If you have some time, that is 
where you ought to deploy it because it is a bad system, and 
all the questions I have asked have come back, and just basic 
questions we ought to have.
    No accountability by person. The accountability works two 
ways. What I am worried about is that every visa officer will 
strangle our tourism industry if they feel oh, we will be held 
accountable for how many over stays. We ought to hold visa 
officers accountable for under grants and for excessive 
rejections, but we cannot because we do not have a system that 
will tell us.
    I do not know if you have anybody on the panel who is 
familiar with these issues. I see people shaking their heads.
    Chairman Gilman. We do not have people here from Consular 
Affairs. Do you have anything, Wayne?
    Mr. Rychak. No.
    Mr. Sherman. It surprises me to have a hearing on 
information technology, to have a distinguished panel of four 
and a back up group of several more and not to have anybody 
familiar with information technology in this area, but that 
shows that this is kind of a stepchild.
    We recently did receive a report. It was produced at my 
request. We have not been able to review it thoroughly, but it 
provides averages that I know are false because I have talked 
to people out in the field. When I complained that it took 2 
years to unify an American family I was told gee, that is 
standard. That is kind of what we do here in the Philippines. 
Then I get a report that says the average is 20 days, 30 days. 
I know it is not accurate.
    I realize none of you have come prepared to talk about 
these subjects. I hope that we would develop a visa system and 
perhaps, Mr. Burbano, you could let me know whether we are on 
the way,
    Mr. Burbano. Yes. I would be happy to get back to you.
    Mr. Sherman. That would keep track of how long things last, 
if things are lasting too long why, whether there have been 
congressional inquiries and how those have been resolved.
    I mean, I am dealing with a part of the State Department 
where I have been told that congressional involvement is 
detested and will also result in intentional delays, so this is 
an area where we need a good information system and appreciate 
your attention to it.
    Mr. Burbano. Yes. We will get back to you.
    Chairman Gilman. Thank you.
    Mr. Sherman. Thank you, Mr. Chairman.
    Chairman Gilman. Gentlemen? Dr. Cooksey? Gentlemen, I am 
going to have to go to another meeting, and I am going to ask 
Dr. Cooksey if he would lead further discussion in our 
subcommittee.
    I want to thank our panelists for your excellent testimony. 
You have given us a great deal of food for thought of what we 
arguably should be doing in our oversight capacity and even 
suggested some legislation that we will take a good, hard look 
at.
    We wish you continued success in what you are doing. Thank 
you very much.
    Mr. Cooksey [presiding]. Thank you, Mr. Chairman.
    It is great to be here. It is great to be here with people 
of your educational background. There are too many politicians 
in this city, and there are not enough scientists and computer 
experts.
    I do not have but about 35 questions. We should be through 
by 5 or 6 o'clock. Dr. is it Maybury?
    Mr. Maybury. Yes, sir.
    Mr. Cooksey. Yes. We have been together in a committee, and 
I forget which one. You have a Ph.D. in artificial intelligence 
I understand. Is that correct?
    Mr. Maybury. Yes, sir.
    Mr. Cooksey. What do you think about Kakoos' book, Visions? 
Have you seen the book? He is a theoretical physics professor 
in New York.
    Mr. Maybury. I have not seen the book, sir.
    Mr. Cooksey. It is really a good book, but he says we have 
a ways to go in artificial intelligence and robots, but it is 
fascinating some of the things that he proposes.
    Mr. Maybury. I would agree with that statement.
    Mr. Cooksey. Yes. He is very well documented. He talks 
about who is doing the good research and who is doing the other 
research.
    Along those lines, what do you think about change in the 
biometric system? I am a physician. I am an ophthalmologist. 
Change the password system from whatever you use now to a 
biometric system; for example, retinal patterns?
    Mr. Maybury. In fact, actually I referred in my oral 
testimony that there are a couple of technologies like 
fingerprint detection, like biometrics that, of course, can 
enhance security specifically for authentication. One could 
think even if you wanted to go so far as DNA testing to 
determine that you actually had the individual that you knew 
was accessing the system.
    I think authentication is an important area. I think that--
I am not a biometric expert, but certainly those technologies 
have been used in secure facilities to control access.
    Mr. Cooksey. And they work?
    Mr. Maybury. Unfortunately, I cannot speak specifically to 
the performance. Obviously there are both probably precision 
and recall measures, technical measures, in terms of their 
performance. Perhaps others can.
    Mr. Rychak. Sir, I can address part of that.
    Mr. Cooksey. Yes?
    Mr. Rychak. There is a tremendous amount of research that 
is going on in the whole biomedical/biometric area. I think 
what you will find throughout the government and throughout the 
private sector is that no one countermeasure by itself is 
adequate, but used in combination and layered with other things 
you do--you can end up with a high level of security.
    We have a pilot program, for example, in the State 
Department right now of looking at combining biometrics with 
SMART card technology--you are probably familiar with SMART 
card and its capability--and combining those two to allow 
access into highly restricted areas to include highly 
restricted information systems.
    We really think that that probably is the future here, as 
opposed to simply relying on a password that obviously can be 
easily duplicated or in some cases found out about, you know.
    Mr. Cooksey. The passwords that we have used since the 
1970's.
    I helped a company in Boston design electronic medical 
records from ophthalmology. We have updated a lot of my 
technology, but still some of the passwords are old. It is very 
old technology.
    Yes, Mr. Burbano?
    Mr. Burbano. Yes. I wanted to add a comment. I agree. I 
think the biometrics systems are excellent, but it is a 
question of funding. That is the problem, you know. These 
systems are----
    Mr. Cooksey. Do you mean Congress will not give you enough 
money?
    Mr. Burbano. Well, that, but more importantly, the system, 
wherever the money comes from. What I am saying is it is very 
expensive compared to the password, so it is always a question 
of funding, to be honest with you. I mean, I think there are 
good systems, but you have to have the money to do them.
    As Mr. Rychak said, you know, we look at other 
alternatives. SMART card, you know, does not have the--
necessarily. Somebody else could pick up the SMART card, PIN 
number or whatever, but you cannot pick up your eye, but it is 
a lot cheaper than that system, so it is a question of funding.
    Mr. Maybury. If I could say something? It is also obviously 
a question of technology. We at MITRE Corporation and many 
other companies have for years been using SMART cards with PINs 
to control and to authenticate users.
    In the future we can expect, among other things, for 
example, video cameras to be built into laptops, for example, 
so the opportunity to do facial ID, which is another area, 
also, potentially retinal scans cheaply is something that 
certainly, I cannot predict or give you a year, but it is 
certainly going to be cheaper in the future than it is 
presently.
    Mr. Cooksey. Kakoos says that computer chips will cost 
between 1 and 5 cents apiece. He says they will be in the 
drapes, and----
    Mr. Maybury. Right.
    Mr. Cooksey [continuing]. They will be able to sense 
weather changes, body temperature changes.
    Mr. Maybury. They will be built into your clothing.
    Mr. Cooksey. Clothing. Right.
    Mr. Maybury. Sure.
    Mr. Cooksey. He also said that they will use DNA instead of 
computer chips. That is a fascinating concept to think about. 
There is research being done on that.
    Mr. Maybury. Yes. In fact, we have some research on micro 
electronics. DARPA has a large program and specifically atonic 
level storage devices, computing devices and the like, so that 
is actually----
    Mr. Cooksey. That is an ongoing research.
    Mr. Maybury [continuing]. A new wave of computing 
technology.
    Mr. Cooksey. Well, it is exciting to think about, and that 
is the reason, that when you design an information system you 
have to think about the future and be able to move to it.
    Mr. Burbano, you had indicated in your testimony that your 
systems are protected with intrusion detection systems, that 
you will know if someone has intruded into the State Department 
system.
    Now, Mr. Brock said in his testimony that the State 
Department's automated intrusion detection system does not 
cover all of the domestic and overseas posts. Who is right?
    Mr. Rychak, you get to referee.
    Mr. Burbano. Actually, he is the one.
    Mr. Rychak. I probably can answer it.
    Mr. Burbano. Yes. He should answer it. I just wanted to 
make an initial statement and then I will turn it over, and 
that is that we are in the midst of implementing it so, I mean, 
he is right. We are not finished implementing it.
    Mr. Cooksey. Because your testimony basically--you 
contradicted each other.
    Mr. Burbano. No. I do not think so. It is a matter of 
implementation.
    Mr. Cooksey. You are not finished.
    Mr. Burbano. I will let Mr. Rychak give you the status of 
that.
    Mr. Rychak. Yes. We started the intrusion network program 
in December of this past year. Our goal is to have it completed 
by the second quarter of next fiscal year. Essentially what it 
encompasses is installing hardware/ software on every system at 
every embassy around the world to include our domestic 
facilities.
    As we speak, we have it in place at about 60 locations. The 
majority of our domestic sensitive but unclassified systems 
have coverage. Our financial centers overseas have coverage. 
The majority of our posts in South America have coverage, and 
we are systematically going through it in terms of the 
implementation.
    We do have a 24 hour by 7 monitoring operation that is 
fully in place, but, as Fernando says, we are not there yet. We 
are aggressively implementing this, but given the scope of what 
we are trying to do it just takes time to do it right.
    Mr. Burbano. Also the funding.
    Mr. Rychak. And the funding, although the funding for the 
first----
    Mr. Cooksey. Another appropriations matter.
    Mr. Rychak. Well, that is a good point because the funding 
for the first phase is covered. In other words, we have enough 
funding to continue the installation of the systems on our 
unclassified but sensitive systems.
    The second phase is to put identical protection for our 
classified systems. That is important. It has not been as 
critical in terms of our priority because the State 
Department's classified systems were not as interconnected as 
our unclassified systems. Frankly, we benefited from the fact 
that we had and continue to have a fair amount of antiquated 
technology out there.
    The unclassified systems were becoming increasingly 
vulnerable as we got into internet and as we became much more 
interconnected, so that became our first priority.
    Mr. Cooksey. Mr. Brock.
    Mr. Brock. One of the issues that has come up at other 
agencies where we have looked at automated intrusion protection 
programs is, first of all, this technology is fairly new. It is 
not very mature, and lots of advances are being made.
    You get an incredible amount of information. In some 
organizations it has literally overwhelmed the organization's 
capability to do the analysis, and as a result we have gone 
into some agencies where they made a good faith attempt 
initially to handle the information coming in, but then 
ultimately it began to stack up and pile up in back rooms and 
was not looked at, so a tool that is turned on but not used is 
pretty useless.
    I think a challenge that the State Department has in 
rolling this out is to make a decision or series of decisions 
on what kind of information they really want and how are they 
going to do the analysis because it is fairly people oriented. 
Even though the tools are automated, a lot of the analysis is 
not and does require trained personnel.
    Mr. Cooksey. Needless to say, that is a potential problem. 
Of course, you get into the issue of one big system that serves 
all needs. The IRS did not do very well. I think they spent $3 
billion or $4 billion and gave up. I think CSC has a contract 
now to do the IRS' work.
    Mr. Brock. Yes.
    Mr. Cooksey. Another question. I understand that the 
State--this is for you, Mr. Burbano. Does the State Department 
use a bulk e-mail system whereby the e-mails are held up until 
enough are collected, and then they are sent in bulk to reduce 
cost?
    Mr. Burbano. To reduce cost?
    Mr. Cooksey. Do you do bulk mailing of e-mail? If I sent an 
e-mail or let's say you sent an e-mail from Foggy Bottom to 
Bangkok and then there are ten other people on your staff that 
send e-mails there, are they all sent at one time in bulk, or 
are they sent--do they each go individually?
    Mr. Burbano. My understanding is that they go as they go. 
They have to go through Washington for the most part, but, I 
mean, they do not get bulked or anything.
    Wayne, do you have anything to add to that?
    Mr. Rychak. Yes. I am sorry. I cannot. I do not know.
    Mr. Burbano. I can look into it, but, I mean, the e-mail 
does not sit there. In fact, we have made a lot of improvements 
in our e-mail system in the last 6 months not only for 
security, but for speed wise where we have actually improved 
response time tremendously as a result of getting rid of a lot 
of the overhead that these e-mail systems have by implementing 
X.500, that type of technologies, directory type systems.
    Mr. Cooksey. Well, today I would like to ask everyone who 
is not here representing the PRC or Russia to stay and have all 
the rest of you leave, but I am afraid we still would not know 
who was here.
    I just assume. Every time I come to one of these meetings, 
I assume that there is someone here from some of our potential 
adversaries that I hope will become allies, but, you know, that 
is part of the intelligence game. They are here, and we have a 
democracy.
    Hopefully those countries will move to--until we have this 
perfect world where we trust all of our former adversaries and 
they trust us, intelligence is going to be necessary. We are 
going to spy on them, and they will spy on us.
    I just think it is absolutely mandatory that you maintain 
your diligence in having security in the information systems 
because people's lives are at stake, and there are people's 
lives probably that have already been lost or compromised just 
because of some less than perfect security measures in this 
country.
    You can look at what has been going on in New Mexico. I 
think it is really terrible that that has happened. I am still 
a clinical professor, and I got the feeling that there was an 
attitude of these professors that were involved, that were 
running that laboratory, that they were above having to go 
through all the security measures, and that is part of the 
reason things were lax.
    I think that there was some reason to believe that there 
was some active information gathering by some of our 
adversaries, and yet we have to be diligent to make sure that 
we have good countermeasures and make sure that they do not get 
information.
    I appreciate your coming. I think there are some real 
professionals over at the State Department. I do not always 
agree with the political decisions that are made there. The 
biggest problem we have in this city is you have too many 
career politicians that instead of voting first what is best 
for the Nation and then their state and then their district, 
they do what is best for their political career.
    I feel that the people that are permanent in the State 
Department do not make those decisions, and I think some of the 
worst mistakes that have been made in Republican 
administrations, and probably they are getting ready to gavel 
me down. I am getting out of line. And in Democratic 
administrations is because people do not have their priorities 
right, and it causes problems.
    I think that one of the most disgraceful things going on 
right now is what is going on in Africa. This Administration 
and this Congress have been so Euro centered and so centered on 
the Middle East. They have just totally ignored the fact that a 
million people were killed in Rwanda and Burundi and Ethiopia 
and Eritrea and Sierra Leone.
    It is cowardess on the part of the executive branch and 
callousness on the part of the legislative branch, which is my 
party that is in control, and the net result is that a lot of 
people have lost their lives that did not need to lose their 
lives.
    I hope you have courage of your convictions and continue to 
function in a very professional manner. It will be better for 
the nation, and what is better for our national will be better 
for the world.
    Thank you.
    [Whereupon, at 12:06 p.m. the Committee was adjourned.]
      
=======================================================================




                            A P P E N D I X

                             June 22, 2000

=======================================================================

      
    [GRAPHIC] [TIFF OMITTED] T8288.001
    
    [GRAPHIC] [TIFF OMITTED] T8288.002
    
    [GRAPHIC] [TIFF OMITTED] T8288.003
    
    [GRAPHIC] [TIFF OMITTED] T8288.004
    
    [GRAPHIC] [TIFF OMITTED] T8288.005
    
    [GRAPHIC] [TIFF OMITTED] T8288.006
    
    [GRAPHIC] [TIFF OMITTED] T8288.007
    
    [GRAPHIC] [TIFF OMITTED] T8288.008
    
    [GRAPHIC] [TIFF OMITTED] T8288.009
    
    [GRAPHIC] [TIFF OMITTED] T8288.010
    
    [GRAPHIC] [TIFF OMITTED] T8288.011
    
    [GRAPHIC] [TIFF OMITTED] T8288.012
    
    [GRAPHIC] [TIFF OMITTED] T8288.013
    
    [GRAPHIC] [TIFF OMITTED] T8288.014
    
    [GRAPHIC] [TIFF OMITTED] T8288.015
    
    [GRAPHIC] [TIFF OMITTED] T8288.016
    
    [GRAPHIC] [TIFF OMITTED] T8288.017
    
    [GRAPHIC] [TIFF OMITTED] T8288.018
    
    [GRAPHIC] [TIFF OMITTED] T8288.019
    
    [GRAPHIC] [TIFF OMITTED] T8288.020
    
    [GRAPHIC] [TIFF OMITTED] T8288.021
    
    [GRAPHIC] [TIFF OMITTED] T8288.022
    
    [GRAPHIC] [TIFF OMITTED] T8288.023
    
    [GRAPHIC] [TIFF OMITTED] T8288.024
    
    [GRAPHIC] [TIFF OMITTED] T8288.025
    
    [GRAPHIC] [TIFF OMITTED] T8288.026
    
    [GRAPHIC] [TIFF OMITTED] T8288.027
    
    [GRAPHIC] [TIFF OMITTED] T8288.028
    
    [GRAPHIC] [TIFF OMITTED] T8288.029
    
    [GRAPHIC] [TIFF OMITTED] T8288.030
    
    [GRAPHIC] [TIFF OMITTED] T8288.031
    
    [GRAPHIC] [TIFF OMITTED] T8288.032
    
    [GRAPHIC] [TIFF OMITTED] T8288.033
    
    [GRAPHIC] [TIFF OMITTED] T8288.034
    
    [GRAPHIC] [TIFF OMITTED] T8288.035
    
    [GRAPHIC] [TIFF OMITTED] T8288.036
    
    [GRAPHIC] [TIFF OMITTED] T8288.037
    
    [GRAPHIC] [TIFF OMITTED] T8288.038
    
    [GRAPHIC] [TIFF OMITTED] T8288.039
    
    [GRAPHIC] [TIFF OMITTED] T8288.040
    
    [GRAPHIC] [TIFF OMITTED] T8288.041
    
    [GRAPHIC] [TIFF OMITTED] T8288.042
    
    [GRAPHIC] [TIFF OMITTED] T8288.043
    
    [GRAPHIC] [TIFF OMITTED] T8288.044
    
    [GRAPHIC] [TIFF OMITTED] T8288.045
    
    [GRAPHIC] [TIFF OMITTED] T8288.046
    
    [GRAPHIC] [TIFF OMITTED] T8288.047
    
    [GRAPHIC] [TIFF OMITTED] T8288.048
    
    [GRAPHIC] [TIFF OMITTED] T8288.049
    
    [GRAPHIC] [TIFF OMITTED] T8288.050
    
    [GRAPHIC] [TIFF OMITTED] T8288.051
    
    [GRAPHIC] [TIFF OMITTED] T8288.052
    
    [GRAPHIC] [TIFF OMITTED] T8288.053
    
    [GRAPHIC] [TIFF OMITTED] T8288.054
    
    [GRAPHIC] [TIFF OMITTED] T8288.055
    
    [GRAPHIC] [TIFF OMITTED] T8288.056
    
    [GRAPHIC] [TIFF OMITTED] T8288.057
    
    [GRAPHIC] [TIFF OMITTED] T8288.058
    
    [GRAPHIC] [TIFF OMITTED] T8288.059
    
    [GRAPHIC] [TIFF OMITTED] T8288.060
    
    [GRAPHIC] [TIFF OMITTED] T8288.061
    
    [GRAPHIC] [TIFF OMITTED] T8288.062
    
    [GRAPHIC] [TIFF OMITTED] T8288.063
    
    [GRAPHIC] [TIFF OMITTED] T8288.064
    
    [GRAPHIC] [TIFF OMITTED] T8288.065
    
    [GRAPHIC] [TIFF OMITTED] T8288.066
    
    [GRAPHIC] [TIFF OMITTED] T8288.067
    
    [GRAPHIC] [TIFF OMITTED] T8288.068
    
    [GRAPHIC] [TIFF OMITTED] T8288.069
    
    [GRAPHIC] [TIFF OMITTED] T8288.070
    
    [GRAPHIC] [TIFF OMITTED] T8288.071
    
    [GRAPHIC] [TIFF OMITTED] T8288.072
    
    [GRAPHIC] [TIFF OMITTED] T8288.073
    
    [GRAPHIC] [TIFF OMITTED] T8288.074
    
    [GRAPHIC] [TIFF OMITTED] T8288.075
    
    [GRAPHIC] [TIFF OMITTED] T8288.076
    
    [GRAPHIC] [TIFF OMITTED] T8288.077
    
    [GRAPHIC] [TIFF OMITTED] T8288.078
    
    [GRAPHIC] [TIFF OMITTED] T8288.079
    
    [GRAPHIC] [TIFF OMITTED] T8288.080
    
    [GRAPHIC] [TIFF OMITTED] T8288.081
    
    [GRAPHIC] [TIFF OMITTED] T8288.082
    
    [GRAPHIC] [TIFF OMITTED] T8288.083
    
    [GRAPHIC] [TIFF OMITTED] T8288.084
    
    [GRAPHIC] [TIFF OMITTED] T8288.085
    
    [GRAPHIC] [TIFF OMITTED] T8288.086
    
    [GRAPHIC] [TIFF OMITTED] T8288.087
    
    [GRAPHIC] [TIFF OMITTED] T8288.088
    
    [GRAPHIC] [TIFF OMITTED] T8288.089
    
