[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]




                     COMPUTER SECURITY REPORT CARD

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                      INFORMATION, AND TECHNOLOGY

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 11, 2000

                               __________

                           Serial No. 106-260

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform

                   U.S. GOVERNMENT PRINTING OFFICE
74-495                     WASHINGTON : 2001


_______________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Printing 
                                 Office
Internet: bookstore.gpo.gov  Phone: (202) 512-1800  Fax: (202) 512-2250
               Mail: Stop SSOP, Washington, DC 20402-0001


                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       ROBERT E. WISE, Jr., West Virginia
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
STEPHEN HORN, California             PAUL E. KANJORSKI, Pennsylvania
JOHN L. MICA, Florida                PATSY T. MINK, Hawaii
THOMAS M. DAVIS, Virginia            CAROLYN B. MALONEY, New York
DAVID M. McINTOSH, Indiana           ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
JOE SCARBOROUGH, Florida             CHAKA FATTAH, Pennsylvania
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
MARSHALL ``MARK'' SANFORD, South     DENNIS J. KUCINICH, Ohio
    Carolina                         ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia                    DANNY K. DAVIS, Illinois
DAN MILLER, Florida                  JOHN F. TIERNEY, Massachusetts
ASA HUTCHINSON, Arkansas             JIM TURNER, Texas
LEE TERRY, Nebraska                  THOMAS H. ALLEN, Maine
JUDY BIGGERT, Illinois               HAROLD E. FORD, Jr., Tennessee
GREG WALDEN, Oregon                  JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California                             ------
PAUL RYAN, Wisconsin                 BERNARD SANDERS, Vermont 
HELEN CHENOWETH-HAGE, Idaho              (Independent)
DAVID VITTER, Louisiana


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
                     James C. Wilson, Chief Counsel
                        Robert A. Briggs, Clerk
                 Phil Schiliro, Minority Staff Director
                                 ------                                

   Subcommittee on Government Management, Information, and Technology

                   STEPHEN HORN, California, Chairman
JUDY BIGGERT, Illinois               JIM TURNER, Texas
THOMAS M. DAVIS, Virginia            PAUL E. KANJORSKI, Pennsylvania
GREG WALDEN, Oregon                  MAJOR R. OWENS, New York
DOUG OSE, California                 PATSY T. MINK, Hawaii
PAUL RYAN, Wisconsin                 CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
                  Ben Ritt, Professional Staff Member
                           Bryan Sisk, Clerk
                    Trey Henderson, Minority Counsel


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on September 11, 2000...............................     1
Statement of:
    Dyer, John R., Chief Information Officer, Social Security 
      Administration.............................................   142
    Gilligan, John, Chief Information Officer, Department of 
      Energy, cochair, security, privacy and critical 
      infrastructure committee, Chief Information Officers 
      Council....................................................   116
    Hobbs, Ira L., Deputy Chief Information Officer, Department 
      of Agriculture.............................................   184
    Hugler, Edward, Deputy Assistant Secretary for Administration 
      and Management, Department of Labor........................   179
    Singleton, Solveig, director of information studies for the 
      CATO Institute.............................................   201
    Spotila, John T., Administrator, Office of Information and 
      Regulatory Affairs, Office of Management and Budget........    27
    Tanner, Mark A., Information Resources Manager, Federal 
      Bureau of Investigation, Department of Justice.............   193
    White, Daryl W., Chief Information Officer, Department of the 
      Interior...................................................   155
    Willemssen, Joel, Director, Accounting and Information 
      Management Division, U.S. General Accounting Office, 
      accompanied by Robert Dayce, Director for Computer Security 
      Issues, General Accounting Office..........................    95
Letters, statements, etc., submitted for the record by:
    Dyer, John R., Chief Information Officer, Social Security 
      Administration, prepared statement of......................   145
    Gilligan, John, Chief Information Officer, Department of 
      Energy, cochair, security, privacy and critical 
      infrastructure committee, Chief Information Officers 
      Council, prepared statement of.............................   120
    Hobbs, Ira L., Deputy Chief Information Officer, Department 
      of Agriculture, prepared statement of......................   186
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California:
        Letter dated July 27, 2000...............................    46
        Prepared statement of....................................     4
    Hugler, Edward, Deputy Assistant Secretary for Administration 
      and Management, Department of Labor, prepared statement of.   181
    Singleton, Solveig, director of information studies for the 
      CATO Institute, prepared statement of......................   204
    Spotila, John T., Administrator, Office of Information and 
      Regulatory Affairs, Office of Management and Budget, 
      prepared statement of......................................    31
    Tanner, Mark A., Information Resources Manager, Federal 
      Bureau of Investigation, Department of Justice, prepared 
      statement of...............................................   196
    Turner, Hon. Jim, a Representative in Congress from the State 
      of Texas, prepared statement of............................    25
    White, Daryl W., Chief Information Officer, Department of the 
      Interior, prepared statement of............................   157
    Willemssen, Joel, Director, Accounting and Information 
      Management Division, U.S. General Accounting Office, 
      prepared statement of......................................    97

 
                     COMPUTER SECURITY REPORT CARD

                              ----------                              


                       MONDAY, SEPTEMBER 11, 2000

                  House of Representatives,
Subcommittee on Government Management, Information, 
                                    and Technology,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2154, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn and Turner.
    Staff present: J. Russell George, staff director and chief 
counsel; Randy Kaplan, counsel; Ben Ritt, professional staff 
member; Bonnie Heald, director of communications; Bryan Sisk, 
clerk; Elizabeth Seong, staff assistant; George Fraser, intern; 
Michelle Ash and Trey Henderson, minority counsels; and Jean 
Gosa, minority assistant clerk.
    Mr. Horn. The quorum being present, this hearing of the 
Subcommittee on Government Management, Information, and 
Technology will come to order.
    We're here today to discuss one of the Federal Government's 
most important and ongoing challenges, the security of 
government computers. Computers and the Internet are 
revolutionizing the way we do business, conduct research and 
communicate with friends and associates. The benefits are 
enormous as vast amounts of information flow instantly from 
business to business and individual to individual, but 
widespread access to computers and the Internet also carries 
the significant risk that personal, financial or business 
information can fall into the hands of computer hackers or 
others with more malicious intent.
    Similarly, as the Federal Government becomes increasingly 
dependent on computers and the Internet, the computer systems 
and the sensitivity of information they contain come under an 
increasing number of attacks. Unlike the year 2000 or Y2K 
computer challenge, this threat has no deadline. Rather it is a 
day-to-day challenge created by an increasingly sophisticated 
technology. In order to guarantee the integrity of the Federal 
programs and to protect the personal privacy of all Americans, 
government leaders must focus their attention on the security 
of their vital computer systems.
    Today the subcommittee is releasing its first report card 
on the status of the computer security at executive branch 
departments and agencies. These grades are based on self-
reported evaluation of agency information, in addition to the 
results of audits conducted by the General Accounting Office 
and the various agency inspectors general. This is the first 
time such governmentwide information has ever been compiled.
    As you can see, only two agencies have made progress toward 
protecting their computers against invasion. Although auditors 
found some significant weaknesses at the Social Security 
Administration and National Science Foundation, both agencies 
received Bs, the highest grade awarded. But the rest of the 
picture is very dismal. Overall the government earned an 
average grade of D minus. More than one-quarter of the 24 major 
Federal agencies received a failing F; the Department of Labor, 
charged with maintaining vital employment statistics, an F; the 
Department of the Interior, which manages the Nation's public 
lands, an F; the Department of Health and Human Services that 
holds personal information on every citizen who receives 
Medicare, another F; Agriculture and Justice, the Small 
Business Administration, the Office of Personnel Management, 
the personnel office for the entire executive branch of the 
Federal Governments, all Fs.
    Six other vital agencies nearly failed. The Department of 
Defense, whose computers carry some of the Nation's most 
sensitive secrets, earned only a D plus for its computer 
security program; Veterans Affairs and Treasury, along with the 
Environmental Protection Agency, General Services 
Administration and National Aeronautics and Space 
Administration, more Ds.
    Four other government agencies received grades of 
incomplete. These vital agencies oversee key elements of the 
Nation's infrastructure and emergency services. They are the 
Departments of Energy and Transportation, the Nuclear 
Regulatory Commission and the Federal Emergency Management 
Agency [FEMA]. These agencies could not receive a grade because 
there has been insufficient auditor resources and scrutiny to 
validate the agencies' self-evaluations.
    Obviously there is a great deal of work ahead. Regardless 
of grade, each agency must recognize that the daily challenges 
to their computer systems will continue to grow in number and 
sophistication. They must take the necessary steps to mitigate 
those threats. There is no room for complacency, for the stakes 
are simply too high.
    We have with us today witnesses representing six of the 
agencies that were graded. They will discuss their agency's 
progress and plans to develop acceptable computer security 
procedures.
    Mr. John Gilligan from the Department of Energy will also 
testify on behalf of the Chief Information Officers Council. In 
addition, we have the Honorable John Spotila from the Office of 
Management and Budget, which is charged with overseeing the 
agency's computer security efforts; and Mr. Joel Willemssen 
from the General Accounting Office, which works for the 
legislative branch, headed the Comptroller General of the 
United States. And I want to thank Comptroller General Walker 
and the staff for their excellent help in regard to the grades 
and everything else. I take the responsibility for the grades, 
but they sat for hours with us on making sure that we've been 
fair.
    We have the ability, the government has the ability, to 
protect the integrity of the vital computer systems. As I look 
back, this is sort of where we were on Y2K in April 1996. There 
are a lot of Fs, a lot of Ds, but the executive branch came 
through on midnight January 1 where it counted, and I am 
confident that the executive branch will do the same thing this 
time.
    We welcome all of our witnesses, and we look forward to 
their testimony.
    I now yield to the ranking member for an opening statement, 
the gentleman from Texas Mr. Turner.
    [The prepared statement of Hon. Stephen Horn follows:]

    [GRAPHIC] [TIFF OMITTED] T4495.001
    
    [GRAPHIC] [TIFF OMITTED] T4495.002
    
    [GRAPHIC] [TIFF OMITTED] T4495.003
    
    [GRAPHIC] [TIFF OMITTED] T4495.004
    
    [GRAPHIC] [TIFF OMITTED] T4495.005
    
    [GRAPHIC] [TIFF OMITTED] T4495.006
    
    [GRAPHIC] [TIFF OMITTED] T4495.007
    
    [GRAPHIC] [TIFF OMITTED] T4495.008
    
    [GRAPHIC] [TIFF OMITTED] T4495.009
    
    [GRAPHIC] [TIFF OMITTED] T4495.010
    
    [GRAPHIC] [TIFF OMITTED] T4495.011
    
    [GRAPHIC] [TIFF OMITTED] T4495.012
    
    [GRAPHIC] [TIFF OMITTED] T4495.013
    
    [GRAPHIC] [TIFF OMITTED] T4495.014
    
    [GRAPHIC] [TIFF OMITTED] T4495.015
    
    [GRAPHIC] [TIFF OMITTED] T4495.016
    
    [GRAPHIC] [TIFF OMITTED] T4495.017
    
    [GRAPHIC] [TIFF OMITTED] T4495.018
    
    [GRAPHIC] [TIFF OMITTED] T4495.019
    
    [GRAPHIC] [TIFF OMITTED] T4495.020
    
    Mr. Turner. Thank you, Mr. Chairman.
    As we all understand, our Federal agencies rely on 
computers and electronic data to perform functions that are 
essential to our national welfare and directly affect the lives 
of millions of Americans.
    This technology greatly benefits Federal operations through 
the speed and accessibility it provides, but it also creates 
vulnerability to attack. Individuals, organizations and 
virtually anyone today with a computer and a modem has the 
potential to interrupt and to eavesdrop on government 
operations around the world. Many experts are predicting that 
future wars will be in the form of cyberattacks and fought out 
over a computer grid rather than a battlefield.
    I want to commend the chairman for his interest and his 
work on this important issue. Computer security is without a 
doubt one of the most critical and difficult technical 
challenges facing our government. Like Y2K, this subcommittee 
has an important oversight role in holding our Federal agencies 
accountable for implementing computer security efforts, and 
while I commend the chairman's efforts to reduce the task to a 
simple report card grade, I also realize that improving 
computer security is a very complicated, timely and costly 
process.
    Additionally, I do understand that the subjective format of 
our grading system could in some cases unfairly portray the 
significant efforts an agency has made to take corrective 
actions. I realize that some agency computer systems are 
critical to national security, while others may not be. I also 
realize that this Congress has an obligation to provide 
adequate funding to agencies so that they might meet the 
requirement that we have imposed on them.
    While I want to commend the agencies that are moving 
forward, it is clear that the Federal Government has a long way 
to go before an effective, comprehensive Federal computer 
security system is in place. It is my hope that as a result of 
these hearings, we will be closer to achieving our mutual goal. 
We want to make sure that the Federal managers have the tools 
and the funds in place to be accountable for the protection of 
agency infrastructures.
    Again, I thank the chairman for calling this hearing. I 
appreciate the good work that the committee and the staff has 
done, and I look forward to hearing from each of our witnesses.
    Thank you, Mr. Chairman.
    [The prepared statement of Hon. Jim Turner follows:]

    [GRAPHIC] [TIFF OMITTED] T4495.021
    
    [GRAPHIC] [TIFF OMITTED] T4495.022
    
    Mr. Horn. Well, we thank you, and I agree with you. We need 
to be talking to the authorizers and the appropriators to make 
sure that what is needed will be there. So I imagine the next 
round we should have some improvement.
    We will now start with the witnesses, and along the agenda 
the Honorable John Spotila is the Administrator, Office of 
Information and Regulatory Affairs, Office of Management and 
Budget, part of the President's Executive Office of the 
President, and he is speaking on behalf of OMB today.
    So, Mr. Spotila.

    STATEMENT OF JOHN T. SPOTILA, ADMINISTRATOR, OFFICE OF 
 INFORMATION AND REGULATORY AFFAIRS, OFFICE OF MANAGEMENT AND 
                             BUDGET

    Mr. Spotila. Good morning, Mr. Chairman and members of the 
committee. Thank you for inviting me here to discuss OMB's 
efforts in the vital area of computer security.
    OMB policies build on a statutory framework requiring that 
Federal agencies adopt a set of risk-based management controls 
for all Federal computer systems. The agencies must 
periodically review their security controls to ensure continued 
effectiveness.
    In an effort to identify strengths and weaknesses in agency 
security programs, OMB sought updated information from the 
agencies in June 1999 on their risk management processes. We 
are now focusing on the security posture of 43 high-impact 
government programs where good security is particularly 
important. These programs include Medicare, Medicaid, the air 
traffic control system, Social Security and Student Aid. In 
late May of this year, we asked the agencies to send us 
specific information regarding the management, operational and 
technical controls in place for each application or general 
support system sustaining these programs.
    Our preliminary findings are illuminating. We have made 
significant progress, but can still do better. Agencies are 
working to integrate security into their capital planning and 
investment control processes. We have made this a high 
priority. Many agencies have completed a security review of 
their systems and have updated their security plans within the 
last 2 years. Many agencies develop and share their security 
plans with their partner organizations and other agencies. This 
promotes a comprehensive understanding of the interconnections 
prevalent in a shared risk environment.
    Due to their extensive Y2K work, most agencies have tested 
their continuity of operations plans within the last 2 years. 
Most agencies have provided users and system administrators 
with IT security training within the last year. Most agencies 
update their virus detection and elimination software on an 
ongoing basis and have successfully implemented processes to 
confirm the testing and installation of software patches in a 
timely manner.
    Nearly all agencies have documented incident handling 
procedures and have a formal incident response capability in 
place. More agencies need to install firewalls at external 
entry points to exclude unauthorized users and within their 
networks to ensure that authorized users do not exceed 
authorization.
    Agencies can better protect the confidentiality of 
sensitive material through increased use of encryption for 
password files and personal information. Agencies should 
improve their intrusion detection capabilities and procedures. 
This should include increased involvement of agency privacy 
officers and legal counsel in reviewing the monitoring 
activities.
    More agencies should ensure that agency managers 
specifically authorize the processing of each new or updated 
system before actual operations begin. More agencies should 
have independent review of their security plans.
    We are working with the agencies on all of these areas. The 
President, his chief of staff and the Director of OMB have all 
taken a personal interest in enhancing security for our 
interconnected systems. This has gone a long way to establish 
senior management support at the agencies.
    In February, OMB issued important guidance to the agencies 
on incorporating security and privacy requirements in each of 
their fiscal year 2002 information technology budget 
submissions.
    A well-known computer security expert, Robert Courtney, 
once said, ``Good security is the ultimate non-event.'' In that 
phrase, he summarized the difficulty of measuring effective 
security. We face a significant challenge. We must devise a 
method to assess security for the whole of government, its 
thousands of vastly diverse systems and millions of desktop 
computers. No other organization faces demands in this area 
that are as broad as those the government confronts.
    Since last fall, OMB has worked with the CIO Council, NIST, 
GAO and the agencies to develop security performance measures 
against which agencies can assess their security programs. As 
you know, CIO Council and NIST representatives have met with 
your staff to discuss this effort. We have made great progress 
in a relatively short period of time, but, not surprisingly, 
there is more to be done. Even the private sector is struggling 
with this challenge.
    Mr. Chairman, clearly you are focused on the need to assess 
agency security programs. While we appreciate your serious 
interest in security and your belief that grades will help the 
agencies improve their performance, we do have some concerns 
with this approach. We look forward to working closely with you 
to develop better ways of measuring progress in this area. We 
learned much from our collegial efforts with the committee, GAO 
and the agencies in developing good Y2K measurements. Ideally, 
we should work together to develop a similar workable set of 
measurements for assessing agency security programs.
    Measuring agency security effectiveness is at least as 
complex as the Y2K measurement effort. We must assess programs 
and implementation at three different levels: the relatively 
uniform agency management or executive level; the expansive mix 
of individual programs where agency business operations take 
place; and at each of the thousands of government information 
systems that support actual agency program operations.
    Cursory measurements can be misleading. A well-documented 
security program without the periodic evaluation of control 
effectiveness can give a false sense of security. A weak 
central organization can obscure highly effective component, 
program or system-level security. We must take a comprehensive 
approach to evaluating security if we are to generate 
meaningful results.
    Our assessment approach begins with the premise that all 
agency programs and systems must include a continuing cycle of 
risk management, appropriate methods to evaluate and measure 
performance, and the ability to anticipate or quickly react to 
changes in the risk environment.
    We are putting great emphasis on agency self-assessment. 
This fall all agencies will use a NIST-prepared questionnaire 
that focuses on overall agency programs as well as on specific 
management, operational and technical controls applied to each 
system or group of systems. Assessing the effectiveness of the 
program and the individual controls, not simply their 
existence, is vital to achieving and maintaining adequate 
security.
    The NIST questionnaire will help agencies identify whether 
the program and controls are properly documented, implemented 
and continuously tested and reviewed. We can then determine a 
security level for an individual system, an agency or 
component, or an aggregated form, an entire agency.
    Self-assessments improve security. They are less costly and 
can be performed more frequently than compliance inspections 
and audits. They can be performed by system users, thereby 
helping to promote buy-in and greater compliance. They promote 
openness and cooperation among all participants. They can also 
give us good information on a timely basis.
    In seeking to measure security effectiveness, we should not 
equate it to our Y2K experience. While Y2K was a complex 
management challenge, it was a relatively straightforward 
technical one, and we could measure progress toward a known 
event. Security challenges, on the other hand, are 
unpredictable, ongoing, ever-changing and multidimensional. 
Security threats often arise from malicious parties who probe 
for vulnerabilities and risks. These threats can strike at the 
confidentiality of our information, the integrity of our 
systems and data, and our ability to ensure that information in 
systems will be ready for use when needed. These threats are 
ever-changing and our approach to security must be equally 
dynamic.
    While a general progress report at an agency level can be 
valuable when used in the proper context, it is but a snapshot 
taken at a point in time. It may or may not even be a clear 
picture. Because a security program comprises physical, 
personnel, technical and other controls, accurately assessing a 
program is an extremely complex undertaking. In our view, the 
differences between the two call for different responses. Just 
as we must resist the simplicity of a one-size-fits-all 
security program for the wide variety of agency systems, we 
must also avoid a one-size-fits-all approach to measuring 
successes and shortfalls.
    If we are to improve the government's approach to 
information security, we need to work together. We very much 
appreciate the committee's interest in this important area and 
look forward to continuing our close cooperation with you. We 
value our partnership with you and hope that this hearing will 
mark a further strengthening of our joint efforts on behalf of 
the American people. Thank you.
    Mr. Horn. We thank you. And in courtesy to the executive 
branch, we let you go beyond the 5-minute rule.
    Mr. Spotila. Thank you.
    [The prepared statement of Mr. Spotila follows:]

    [GRAPHIC] [TIFF OMITTED] T4495.023
    
    [GRAPHIC] [TIFF OMITTED] T4495.024
    
    [GRAPHIC] [TIFF OMITTED] T4495.025
    
    [GRAPHIC] [TIFF OMITTED] T4495.026
    
    [GRAPHIC] [TIFF OMITTED] T4495.027
    
    [GRAPHIC] [TIFF OMITTED] T4495.028
    
    [GRAPHIC] [TIFF OMITTED] T4495.029
    
    [GRAPHIC] [TIFF OMITTED] T4495.030
    
    [GRAPHIC] [TIFF OMITTED] T4495.031
    
    [GRAPHIC] [TIFF OMITTED] T4495.032
    
    [GRAPHIC] [TIFF OMITTED] T4495.033
    
    [GRAPHIC] [TIFF OMITTED] T4495.034
    
    [GRAPHIC] [TIFF OMITTED] T4495.035
    
    [GRAPHIC] [TIFF OMITTED] T4495.036
    
    Mr. Horn. I will say for all the other witnesses after Mr. 
Willemssen, who speaks for the General Accounting Office of the 
legislative branch, that we would like you to summarize, and we 
will bring the gavel down every 5 minutes now or we're not 
going to be out of here, and we want to be out of here by 
roughly 11:45. I know a number of you have commitments.
    What I would like to put in the record at this point for 
the hearing record--and tell me if there's anything else that 
ought to go into it, or some of these are classified, just to 
redact them, as the saying goes--Presidential Directive 63; 
OMB-A130, the Budget Director Mr. Lew's guidance, to agencies; 
the appendix 3 and associated NIST--what was once the Bureau of 
Standards and Security--guidance. And I would like these simply 
as appendices to your testimony, and if there's a problem, work 
it out with staff.
    Mr. Spotila. That's fine.
    [The information referred to follows:]

    [GRAPHIC] [TIFF OMITTED] T4495.037
    
    [GRAPHIC] [TIFF OMITTED] T4495.038
    
    [GRAPHIC] [TIFF OMITTED] T4495.039
    
    [GRAPHIC] [TIFF OMITTED] T4495.040
    
    [GRAPHIC] [TIFF OMITTED] T4495.041
    
    [GRAPHIC] [TIFF OMITTED] T4495.042
    
    [GRAPHIC] [TIFF OMITTED] T4495.043
    
    [GRAPHIC] [TIFF OMITTED] T4495.044
    
    [GRAPHIC] [TIFF OMITTED] T4495.045
    
    [GRAPHIC] [TIFF OMITTED] T4495.046
    
    [GRAPHIC] [TIFF OMITTED] T4495.047
    
    [GRAPHIC] [TIFF OMITTED] T4495.048
    
    [GRAPHIC] [TIFF OMITTED] T4495.049
    
    [GRAPHIC] [TIFF OMITTED] T4495.050
    
    [GRAPHIC] [TIFF OMITTED] T4495.051
    
    [GRAPHIC] [TIFF OMITTED] T4495.052
    
    [GRAPHIC] [TIFF OMITTED] T4495.053
    
    [GRAPHIC] [TIFF OMITTED] T4495.054
    
    [GRAPHIC] [TIFF OMITTED] T4495.055
    
    [GRAPHIC] [TIFF OMITTED] T4495.056
    
    [GRAPHIC] [TIFF OMITTED] T4495.057
    
    [GRAPHIC] [TIFF OMITTED] T4495.058
    
    [GRAPHIC] [TIFF OMITTED] T4495.059
    
    [GRAPHIC] [TIFF OMITTED] T4495.060
    
    [GRAPHIC] [TIFF OMITTED] T4495.061
    
    [GRAPHIC] [TIFF OMITTED] T4495.062
    
    [GRAPHIC] [TIFF OMITTED] T4495.063
    
    [GRAPHIC] [TIFF OMITTED] T4495.064
    
    [GRAPHIC] [TIFF OMITTED] T4495.065
    
    [GRAPHIC] [TIFF OMITTED] T4495.066
    
    [GRAPHIC] [TIFF OMITTED] T4495.067
    
    [GRAPHIC] [TIFF OMITTED] T4495.068
    
    [GRAPHIC] [TIFF OMITTED] T4495.069
    
    [GRAPHIC] [TIFF OMITTED] T4495.070
    
    [GRAPHIC] [TIFF OMITTED] T4495.071
    
    [GRAPHIC] [TIFF OMITTED] T4495.072
    
    [GRAPHIC] [TIFF OMITTED] T4495.073
    
    [GRAPHIC] [TIFF OMITTED] T4495.074
    
    [GRAPHIC] [TIFF OMITTED] T4495.075
    
    [GRAPHIC] [TIFF OMITTED] T4495.076
    
    [GRAPHIC] [TIFF OMITTED] T4495.077
    
    [GRAPHIC] [TIFF OMITTED] T4495.078
    
    [GRAPHIC] [TIFF OMITTED] T4495.079
    
    [GRAPHIC] [TIFF OMITTED] T4495.080
    
    [GRAPHIC] [TIFF OMITTED] T4495.081
    
    [GRAPHIC] [TIFF OMITTED] T4495.082
    
    [GRAPHIC] [TIFF OMITTED] T4495.083
    
    [GRAPHIC] [TIFF OMITTED] T4495.084
    
    [GRAPHIC] [TIFF OMITTED] T4495.085
    
    Mr. Horn. So we will now move to have the oath since I 
didn't begin it that way. If you will all stand.
    [Witnesses sworn.]
    Mr. Horn. The clerk will note all the witnesses affirmed.
    And we now go to the agent of the Comptroller General of 
the United States, which is Joel Willemssen, Director, 
Accounting and Information Management Division, U.S. General 
Accounting Office.
    Mr. Willemssen.

    STATEMENT OF JOEL WILLEMSSEN, DIRECTOR, ACCOUNTING AND 
   INFORMATION MANAGEMENT DIVISION, U.S. GENERAL ACCOUNTING 
  OFFICE, ACCOMPANIED BY ROBERT DAYCE, DIRECTOR FOR COMPUTER 
           SECURITY ISSUES, GENERAL ACCOUNTING OFFICE

    Mr. Willemssen. Thank you, Mr. Chairman, Ranking Member 
Turner. Thank you for inviting us to testify today. 
Accompanying me is Robert Dayce, GAO's Director for Computer 
Security Issues, and as requested I'll briefly summarize our 
statement.
    Overall GAO and inspector general reviews done over the 
past year continue to show that Federal agencies have serious 
and widespread computer security weaknesses. Our analysis of 
recently issued GAO and inspector general reports revealed 
significant weaknesses at each of the 24 major Federal 
agencies. As displayed on the board, these weaknesses were 
reported in all six major areas of general computer security 
controls.
    For example, in the area of security program management, 
weaknesses were identified at 21 agencies. Security program 
management is fundamental to the appropriate selection and 
effectiveness of the other categories of controls shown on the 
board. This area covers a range of activities related to 
understanding risks, selecting and implementing controls 
appropriate with risk levels, and ensuring the controls, once 
implemented, continue to operate effectively.
    Another critical area where weaknesses have been found at 
each of the 24 agencies is access controls. Weak controls over 
access to sensitive data and systems make it possible for a 
person to inappropriately modify, destroy or disclose data or 
computer programs. For the other highlighted areas of security 
controls, we've also found significant weaknesses at most of 
the agencies in which audit work has been done.
    I think it's noteworthy to point out that since our last 
analysis of issued reports in 1998, the scope of audit work 
performed has expanded to more fully cover all six major 
control areas at each agency. Not surprisingly, this has led to 
the identification of additional areas of weakness. However, 
this does not necessarily mean that security is getting worse, 
although it is clear that serious pervasive weaknesses persist. 
These serious weaknesses present substantial risk to Federal 
operations, assets and confidentiality.
    Because virtually all Federal operations are supported by 
automated systems and electronic data, the risks are very high, 
and the breadth of the potential impact is very wide. The risks 
cover areas as diverse as taxpayer records, law enforcement, 
national defense, and a wide range of benefit programs.
    While a number of factors have distributed to weak Federal 
information security, I want to emphasize that we believe the 
key underlying problem is ineffective security program 
management. With that in mind, we have issued two executive 
guides that discuss practices that leading organizations have 
employed to strengthen the effectiveness of their security 
programs.
    In conclusion, the expanded body of audit evidence that has 
become available shows that important operations at every major 
Federal agency continue to be at risk as a result of weak 
controls. Reducing these risks will require agencies to 
implement fundamental improvements in managing computer 
security.
    Thank you, Mr. Chairman, and I would be pleased to address 
any questions that you may have.
    Mr. Horn. Well, thank you very much. We will have the 
questions after all the witnesses have made their presentation.
    [The prepared statement of Mr. Willemssen follows:]

    [GRAPHIC] [TIFF OMITTED] T4495.086
    
    [GRAPHIC] [TIFF OMITTED] T4495.087
    
    [GRAPHIC] [TIFF OMITTED] T4495.088
    
    [GRAPHIC] [TIFF OMITTED] T4495.089
    
    [GRAPHIC] [TIFF OMITTED] T4495.090
    
    [GRAPHIC] [TIFF OMITTED] T4495.091
    
    [GRAPHIC] [TIFF OMITTED] T4495.092
    
    [GRAPHIC] [TIFF OMITTED] T4495.093
    
    [GRAPHIC] [TIFF OMITTED] T4495.094
    
    [GRAPHIC] [TIFF OMITTED] T4495.095
    
    [GRAPHIC] [TIFF OMITTED] T4495.096
    
    [GRAPHIC] [TIFF OMITTED] T4495.097
    
    [GRAPHIC] [TIFF OMITTED] T4495.098
    
    [GRAPHIC] [TIFF OMITTED] T4495.099
    
    [GRAPHIC] [TIFF OMITTED] T4495.100
    
    [GRAPHIC] [TIFF OMITTED] T4495.101
    
    [GRAPHIC] [TIFF OMITTED] T4495.102
    
    [GRAPHIC] [TIFF OMITTED] T4495.103
    
    [GRAPHIC] [TIFF OMITTED] T4495.104
    
    Mr. Horn. The next witness is John Gilligan, the Chief 
Information Officer for the Department of Energy, the cochair 
for Security, Privacy and Critical Infrastructure Committee of 
the Chief Information Officers Council. I will give you another 
minute besides the 5 because you're speaking for the Chief 
Information Officers Council. Mr. Gilligan, you've prepared a 
very thorough statement, but we can't obviously get over 25 
pages into the record at this point, but it is in the record, 
but not having been spoken.
    So if Mr. Gilligan will proceed.

    STATEMENT OF JOHN GILLIGAN, CHIEF INFORMATION OFFICER, 
 DEPARTMENT OF ENERGY, COCHAIR, SECURITY, PRIVACY AND CRITICAL 
  INFRASTRUCTURE COMMITTEE, CHIEF INFORMATION OFFICERS COUNCIL

    Mr. Gilligan. Thank you, Chairman Horn and Ranking Member 
Turner. I want to thank you for the opportunity to appear 
before this subcommittee to address the very important issue of 
improving security of our Federal information systems. My 
remarks today will focus on my perspectives as cochair of the 
CIO Council's Security, Privacy and Critical Infrastructure 
Committee.
    Federal CIOs share the concerns that have been expressed by 
Members of Congress, senior members in the administration, and 
the public, that we need to improve the security of our 
government information systems. Federal CIOs take their 
responsibility to oversee agency efforts in cybersecurity very 
seriously. We share the frustration of members of this 
committee that progress in securing government systems has not 
been more rapid. Let me assure you that Federal CIOs are not 
asleep at the wheel. Rather, they are laboring hard to get a 
handle on one of the Nation's most complex technological and 
management problems.
    Perhaps it is useful to put the difficulty of cybersecurity 
into perspective. I recall an exchange I had with a military 
four-star general a few years ago. We were discussing his 
frustration with the slow progress on an information technology 
project. This very successful commander with hundreds of 
thousands of troops under his command was clearly exasperated. 
He commented to me after we had discussed the project status, 
``John, after all, this is not rocket science.'' As I later 
examined his comment, it became clear that he was right. The 
problem could not correctly be compared to rocket science where 
we have literally hundreds of years of experience, including a 
well-defined set of engineering principles.
    Due to the rapid pace of evolution of information 
technology, we are typically faced with applying information 
technology solutions that have been in existence for months or, 
at best, a few years. I submit that the situation is acute for 
cybersecurity. It is not rocket science. No, many aspects of 
cybersecurity are indeed much more difficult than rocket 
science.
    When I addressed this committee in March of this year, I 
stated that the single biggest challenge that I saw for CIOs in 
cybersecurity was making line management aware that 
cybersecurity is not just a complex technological issue. At the 
core cybersecurity is also a complex risk management issue.
    Another challenge that I see facing CIOs is helping line 
management answer the question, ``what is adequate security?'' 
Security experts tell us that no system is impenetrable if 
network access is provided. However, the collective 
inexperience of government and industry in applying security to 
a range of functions including public Web sites, financial data 
bases, procurement-sensitive data, citizen benefits and 
corporate-sensitive or government-sensitive research, makes 
this a hard problem.
    The primary focus of the CIO Council efforts in this area 
has been to help Federal organizations address the question of 
what is adequate security. The CIO Council has sponsored a Web-
based repository for sharing best practices. This repository 
can be found at http://bsp.cio.gov.
    We have developed sample security policies for use by 
agencies in intrusion reporting and procuring security 
projects. We have worked to improve governmentwide processes 
for reporting security incidents and distributing warnings in a 
rapid fashion. An ongoing effort is to develop a set of 
benchmark security practices for electronic services.
    The Council has also sponsored a number of training and 
education forums addressing privacy and critical infrastructure 
protection.
    The CIO Council is also leading efforts to establish a 
governmentwide encryption infrastructure using public key 
technology called a public key infrastructure [PKI].
    An additional CIO Council effort that is particularly 
relevant to today's hearing is the development of an 
Information Technology Security Assessment Framework. This 
effort was initiated about 10 months ago to provide a tool to 
help guide security efforts within Federal agencies. This 
framework has been developed largely with the leadership of the 
National Institute of Standards and Technology and built upon 
existing policy and guidance from the Office of Management and 
Budget, the General Accounting Office, and the National 
Institutes of Standards and Technology.
    The framework provides a road map for Federal organizations 
to guide them in focusing and prioritizing their efforts to 
improve security. For each of five levels in the framework, a 
set of activities is defined that should be undertaken to 
assure a sound and effective security program. The framework 
reinforces the importance of a solid foundation for an 
organization security program and is based on sound policy, 
clearly defined management responsibility, and organizationwide 
coverage.
    The CIO Council has completed a final draft of version one 
of the Information Technology Security Assessment Framework and 
hopes to publish this version in October. Following the example 
of similar efforts by Carnegie Mellon University to develop 
security frameworks for software and other disciplines, we plan 
to continue to refine the framework over the upcoming months. 
With advice and input from GAO, we have started working on 
enhancements to the framework that would permit organizations 
to better assess the effectiveness of the security programs 
that have been documented and implemented.
    The final area that I would like to address is the need for 
stronger funding support from Congress for a small set of 
cross-government security initiatives that serve as the 
foundation for governmentwide improvements in cybersecurity. 
The cochairs of the Security, Privacy and Critical Committee of 
the CIO Council recently sent a letter to all Members of 
Congress that highlighted our concern in this area. The letter 
points out that while there is almost $2 billion identified in 
the administration's fiscal year 2001 budget request for 
cybersecurity-related items, only a very small portion of this 
request totaling less than $50 million is requested for these 
essential governmentwide foundation programs. The efforts of 
this group include the Federal Computer Incident Response 
Capability [FEDCIRC], which is managed by GSA and provides 
alerts and warnings of virus attacks to all Federal agencies.
    It has become clear to the CIO Council that these necessary 
foundation efforts to improve cybersecurity governmentwide are 
being hampered by a patchwork of funding and oversight 
structures in both the executive and legislative branches. We 
cannot hope to achieve robust governmentwide security without 
these programs. We urge the respective congressional committees 
who have jurisdiction over these efforts not to view them as 
politically driven projects, but as essential elements of a 
governmentwide foundation for cybersecurity. Moreover, we 
believe that a $50 million investment for these efforts is a 
very small investment in view of the great leverage that these 
efforts will provide.
    I would like to enter into the record a copy of the letter 
entitled ``Essential Programs for Ensuring Security of the 
Federal Cyber Infrastructure.''
    Mr. Horn. Without objection, it will be in the record at 
this point in your testimony.
    Mr. Gilligan. It is clear to Federal CIOs that the lack of 
a single integrated budget for cybersecurity items--these 
foundation cybersecurity items--keeps these efforts from 
getting the proper attention that they deserve and makes 
progress and governmentwide efforts more difficult.
    In similar fashion, the efforts of the CIO Council Security 
Committee and other CIO Council committees continue to be 
hampered by lack of effective methods to fund these cross-
government initiatives that we undertake. The synergistic 
benefit and opportunity for savings across the government are 
enormous. However, due to the use of pass-the-hat funding 
approaches for the CIO Council, for example, funding for the 
best security practices efforts that was mentioned earlier had 
to be limited to $200,000 and was received 9 months into the 
fiscal year. We will not be able to continue to operate and 
expand this site or undertake other projects with operational 
demands without an adequate level of funding.
    I would suggest that this committee, working with the 
administration, should examine ways to provide better methods 
to fund and manage cross-government initiatives in the 
information technology area. As a taxpayer, I am dismayed by 
the difficulty of funding these efforts which have the ability 
to yield tremendous efficiencies. It is an area where our 
executive and legislative branches are truly failing, unable to 
leverage the potential of information technology.
    In my written testimony, I've included descriptions of 
efforts within the Department of Energy to improve the security 
of our many security systems.
    In summary, let me again express my appreciation for the 
opportunity to share my views on the important subject and 
encourage the committee to continue to support the CIO Council-
sponsored efforts, especially the Information Technology 
Security Assessment Framework.
    While our joint challenge to improve cybersecurity may be 
more difficult than building rockets, chief information 
officers are committed to rapidly improving the protection 
afforded to information systems managed by the Federal 
Government.
    This concludes my remarks. Thank you.
    [The prepared statement of Mr. Gilligan follows:]

    [GRAPHIC] [TIFF OMITTED] T4495.105
    
    [GRAPHIC] [TIFF OMITTED] T4495.106
    
    [GRAPHIC] [TIFF OMITTED] T4495.107
    
    [GRAPHIC] [TIFF OMITTED] T4495.108
    
    [GRAPHIC] [TIFF OMITTED] T4495.109
    
    [GRAPHIC] [TIFF OMITTED] T4495.110
    
    [GRAPHIC] [TIFF OMITTED] T4495.111
    
    [GRAPHIC] [TIFF OMITTED] T4495.112
    
    [GRAPHIC] [TIFF OMITTED] T4495.113
    
    [GRAPHIC] [TIFF OMITTED] T4495.114
    
    [GRAPHIC] [TIFF OMITTED] T4495.115
    
    [GRAPHIC] [TIFF OMITTED] T4495.116
    
    [GRAPHIC] [TIFF OMITTED] T4495.117
    
    [GRAPHIC] [TIFF OMITTED] T4495.118
    
    [GRAPHIC] [TIFF OMITTED] T4495.119
    
    [GRAPHIC] [TIFF OMITTED] T4495.120
    
    [GRAPHIC] [TIFF OMITTED] T4495.121
    
    [GRAPHIC] [TIFF OMITTED] T4495.122
    
    [GRAPHIC] [TIFF OMITTED] T4495.123
    
    [GRAPHIC] [TIFF OMITTED] T4495.124
    
    [GRAPHIC] [TIFF OMITTED] T4495.125
    
    [GRAPHIC] [TIFF OMITTED] T4495.126
    
    Mr. Horn. Well, thank you very much. And I would hope that 
when there is some budget negotiations going on toward the end, 
that the President's list will include this, and we hope that 
the Speaker will include it.
    The next witness is John R. Dyer, the Chief Information 
Officer for the Social Security Administration.
    Mr. Dyer.

 STATEMENT OF JOHN R. DYER, CHIEF INFORMATION OFFICER, SOCIAL 
                    SECURITY ADMINISTRATION

    Mr. Dyer. Good morning, Mr. Chair, Mr. Turner. Thank you 
very much for inviting us to testify.
    We, too, as this committee, consider security to be an 
actual vital concern, particularly in this day as we move more 
into the systems world.
    At the onset let me emphasize that the Social Security 
Administration has always taken the responsibility to protect 
the privacy of personal information in agency files very 
seriously. The Social Security Board's first regulation 
published in 1937 dealt with the confidentiality of SSA 
records. For 65 years SSA has honored its commitment to the 
American people to maintain the confidentiality of the records 
in our possession. We understand in order to address privacy 
concerns, we need a strong computer security program in place. 
Today I would like to discuss where we are with computer 
security, what improvements we're making.
    SSA approaches computer security on an entitywide basis. By 
doing so we address all aspects of the SSA enterprise. Overall 
the Chief Information Officer, who reports directly to the 
Commissioner and Deputy Commissioner, is responsible for 
information system security. In my role as CIO, I assure that 
our security initiatives are enterprisewide in scope. At the 
Deputy Commissioner level, Social Security's Chief Financial 
Officer assures that all new systems have the required 
financial controls to maintain sound stewardship over the 
moneys entrusted to our care. We have also placed our system 
security policy function with this Deputy Commissioner.
    In order to meet the challenges of data security in today's 
highly technological environment, this agency has adopted an 
enterprisewide approach to system security, financial 
information, data integrity and prevention of fraud, waste and 
abuse. We have full-time staff devoted to system security 
stationed throughout the agency, in all regions and in the 
central office. We have established centers for security and 
integrity in each Social Security region. They provide day-to-
day oversight control over our computer software. In addition, 
we have a Deputy Commissioner-level Office of Systems which 
supports the operating system, develops new software and the 
related controls, and, in general, assures that Social Security 
is taking advantage of the latest in effective systems 
technology.
    SSA has been certifying its sensitive systems since the 
original OMB requirement was published in 1991. Our process 
requires Deputy Commissioners responsible for those systems to 
accredit them. SSA's planning and certification activity is now 
in full compliance with NIST 800-18 guidance.
    SSA sensitive systems include all programmatic systems 
needed to support programs administered by the agency as well 
as critical personnel functions. They also include the network 
and the system used to monitor Social Security's data center 
operations.
    As an independent agency we have our own inspector general 
who can focus his efforts on the agency needs and concerns. The 
IG is also very active working with other Federal, State and 
local law enforcement agencies to assure all avenues for 
investigation and prosecution are being pursued, especially for 
systems security-related issues.
    In summary, we have in place the right authorities, the 
right personnel, the right software controls to prevent 
penetration of our systems and to address systems security 
issues as they surface.
    As I mentioned, SSA has maintained an information security 
program for many years. Key components, such as deploying new 
security technology, integrating security into the business 
process, and performing self-assessment of our security 
infrastructure, to name a few, describe the goals and 
objectives that will touch every SSA employee.
    Of particular importance this year are the activities 
related to the Presidential Decision Directive PDD-63 on 
cyberterrorism and infrastructure protection and continuity of 
operations. We have recently completed an evaluation of all 
critical SSA assets. I am pleased to note that SSA was one of 
the first agencies to do so.
    Originally, SSA was not a tier I agency, but given the 
importance of our ongoing monthly payments, we were elevated to 
this level by the Critical Infrastructure Assurance Office. As 
part of this effort we have completed an inventory of all 
critical assets and implemented an incidence response process 
for computer incidents. We have also revised our physical 
security plans to assure our facilities are properly secured.
    An independent auditor, Pricewaterhouse Coopers, has 
evaluated our security program over the last 4 years working 
with the IG. They have given us many recommendations to 
strengthen our security program, and we have implemented 77 
percent of their recommendations. We are addressing the 
remainder at this time. Most of the ones that will take us to 
finish up over the next fiscal year are facility-related, and 
that's what takes a little bit of time.
    In addition, we have ongoing site reviews, corrective 
actions, and we also have another independent contractor, 
Deloitte and Touche, reviewing our systems and overall 
management.
    In the contingency area this year, we actually tested all 
of our sites at one time, which was an area of recommendation 
that Pricewaterhouse Coopers had recommended for us. And so we 
believe that when we get the next report from PwC, it will 
indicate that we have made substantial progress.
    In terms of the new increasing technology, and as we're 
moving toward Internet, we are putting in place all the latest 
security features from firewalls to filters to head off 
specific attacks.
    So I would like to say in conclusion, Mr. Chairman, the 
Social Security Administration has a longstanding tradition of 
assuring the public that their personal records are secure. 
Both the Commissioner and the Deputy Commissioner give system 
security their highest priority. We all recognize this is not a 
one-time task to be accomplished, but rather it's an ongoing 
mission that we can never lose sight of. We know we cannot rest 
on past practice. We must be vigilant every way we can to 
assure that these records remain secure and that the public 
confidence in Social Security is maintained.
    I want to thank the committee for the opportunity to 
testify at this hearing, and I will be glad to answer any 
questions you might have.
    Mr. Horn. Thank you very much, Mr. Dyer.
    [The prepared statement of Mr. Dyer follows:]

    [GRAPHIC] [TIFF OMITTED] T4495.153
    
    [GRAPHIC] [TIFF OMITTED] T4495.154
    
    [GRAPHIC] [TIFF OMITTED] T4495.155
    
    [GRAPHIC] [TIFF OMITTED] T4495.156
    
    [GRAPHIC] [TIFF OMITTED] T4495.157
    
    [GRAPHIC] [TIFF OMITTED] T4495.158
    
    [GRAPHIC] [TIFF OMITTED] T4495.159
    
    [GRAPHIC] [TIFF OMITTED] T4495.160
    
    [GRAPHIC] [TIFF OMITTED] T4495.161
    
    [GRAPHIC] [TIFF OMITTED] T4495.162
    
    Mr. Horn. As usual, Social Security is at the top of the 
heap even though it's a B. So we're used to you getting As 
under the Y2K situation, and we look forward to you keeping 
ahead of the pack, shall we say. Thank you very much for 
coming. Thanks to your colleagues that led to a B grade.
    We now go to Daryl W. White, the Chief Information Officer 
of the Department of the Interior, who has presented us with 
quite a full platter of documentation. We appreciate that. It's 
all in the record, and now you have 5 minutes to summarize it.

    STATEMENT OF DARYL W. WHITE, CHIEF INFORMATION OFFICER, 
                   DEPARTMENT OF THE INTERIOR

    Mr. White. Good morning, Mr. Chairman and Mr. Turner. Thank 
you for the opportunity to appear before you today to discuss 
the status of computer security at the Department of the 
Interior. The Department of the Interior appreciates being 
afforded the opportunity to complete the recent computer 
security questionnaire. We are pleased to report that we are 
making substantive progress to improve our computer security 
posture.
    The Department of the Interior recognizes that computer 
security is of agencywide importance and is actively working to 
implement a well-structured program to protect our information 
assets. It is anticipated that the vast majority of issues 
identified in the questionnaire will be adequately addressed 
through implementations of our program.
    Let me summarize the steps that Interior has taken over the 
past 14 months to improve our computer security posture. During 
1999, Interior performed extensive work in Y2K readiness for 
mission-critical systems and major data centers. As a result of 
Y2K preparation, policies and guidance for contingency planning 
and physical security were issued and several implemented.
    In September 1999, we acquired limited funding for 
contractor services to perform automated vulnerability scanning 
of our most critical systems. Based on the results of the 
scanning, remediation was performed where needed.
    January 2000, Interior accomplished priority filling of the 
Department Information Technology Security Manager position 
with a well-qualified and experienced individual. We were 
fortunate to have obtained Steve Schmidt from the State 
Department's Bureau of Diplomatic Security. Mr. Schmidt has 
brought a wealth of experience and practical knowledge to 
Interior. It is through his leadership and direction that we 
have seen a revitalizing of the Department IT Security Working 
Group.
    Also in January 2000, $175,000 was allocated for computer 
security program development. Funding was obtained through an 
internal competitive process whereby senior Department managers 
clearly chose computer security as a high priority issue in 
competition with other equally important issues. This funding 
was obligated to obtain contractor computer security services 
in program development and limited as-needed vulnerability 
scanning.
    February 2000, Interior was successful in including in the 
fiscal year 2001 President's budget request $175,000 for 
electronic data security. The House and Senate omitted this 
funding from their versions of the fiscal year 2001 
appropriations bill. Interior continues to clarify the urgent 
need for the funding to the Appropriations Committee.
    In May 2000, the Departmental Information Technology 
Security Manager issued the Interior Information Technology 
Security Plan, fully specifying the National Institute of 
Standards and Technology [NIST], published generally accepted 
principles and practices for securing Federal computer systems. 
This plan provides the basis for ensuring a computer security 
program that meets or exceeds the minimum Federal requirements 
as required by public laws, Federal regulations and executive 
branch directions.
    July 2000, the Department issued agencywide budget guidance 
that further supported Office of Management and Budget 
instructions on incorporating computer security funding in all 
information technology projects. This guidance advised that 
computer security spending should average 5 percent of the 
total budget for information technology spending and placed a 
high priority on increasing resources for security.
    August 2000, a contract was awarded by the General Services 
Administration under the SafeGuard program to Science 
Applications International Corp. to provide computer security 
program development services to the Department. This is 
significant to our approach to computer security, and I wish to 
elaborate further.
    One of the primary means to improve IT security across the 
Department of the Interior is to establish proven structured 
and self-documenting methodologies for working through the 
security life-cycle process. I am pleased to report that 
realizing this goal has begun through the award of the 
mentioned contract. The associated statement of work divides 
the task into two phases. The first phase tasks will provide 
Interior with the technical and administrative assistance to 
put in place proven structured methodologies for information 
technology security development. The second phase will produce 
minimum requirements for risk mitigation in the form of 
policies for agencywide information technology security issues. 
From here we will develop technology and product-specific 
implementation guides. Dependent upon the availability of 
resources, we will then implement operating capabilities.
    In August 2000, an additional $240,000 was obtained for 
computer security program development. This funding will be 
used to accomplish the development and implementation of 
selected security practices.
    In closing, it must be noted that our ability to completely 
implement an adequate computer security program is strongly 
dependent upon the availability of necessary resources.
    This concludes my statement. I will be happy to respond to 
any questions that you or any members of the committee may 
have.
    Mr. Horn. Well, we thank you very much, Mr. White.
    [The prepared statement of Mr. White follows:]

    [GRAPHIC] [TIFF OMITTED] T4495.163
    
    [GRAPHIC] [TIFF OMITTED] T4495.164
    
    [GRAPHIC] [TIFF OMITTED] T4495.165
    
    [GRAPHIC] [TIFF OMITTED] T4495.166
    
    [GRAPHIC] [TIFF OMITTED] T4495.167
    
    [GRAPHIC] [TIFF OMITTED] T4495.168
    
    [GRAPHIC] [TIFF OMITTED] T4495.169
    
    [GRAPHIC] [TIFF OMITTED] T4495.170
    
    [GRAPHIC] [TIFF OMITTED] T4495.171
    
    [GRAPHIC] [TIFF OMITTED] T4495.172
    
    [GRAPHIC] [TIFF OMITTED] T4495.173
    
    [GRAPHIC] [TIFF OMITTED] T4495.174
    
    [GRAPHIC] [TIFF OMITTED] T4495.175
    
    [GRAPHIC] [TIFF OMITTED] T4495.176
    
    [GRAPHIC] [TIFF OMITTED] T4495.177
    
    [GRAPHIC] [TIFF OMITTED] T4495.178
    
    [GRAPHIC] [TIFF OMITTED] T4495.179
    
    [GRAPHIC] [TIFF OMITTED] T4495.180
    
    [GRAPHIC] [TIFF OMITTED] T4495.181
    
    [GRAPHIC] [TIFF OMITTED] T4495.182
    
    [GRAPHIC] [TIFF OMITTED] T4495.183
    
    [GRAPHIC] [TIFF OMITTED] T4495.184
    
    Mr. Horn. Our next presentation is from Edward Hugler, the 
Deputy Assistant Secretary for Administration and Management, 
Department of Labor.

  STATEMENT OF EDWARD HUGLER, DEPUTY ASSISTANT SECRETARY FOR 
       ADMINISTRATION AND MANAGEMENT, DEPARTMENT OF LABOR

    Mr. Hugler. Thank you, Mr. Chairman and Ranking Member 
Turner. I will be brief, as you requested.
    We share your view that computer security is a high 
priority, a priority that the Department of Labor takes very 
seriously at the highest levels. Quite frankly, I am 
disappointed at the grade we received today, and in some small 
measure dismayed by it.
    Following a successful transition or the century date 
change, we have directed significant attention to enhancing our 
security program and strengthening our security perimeter to 
defend against its attack. While this surely is an ongoing and 
very complex task, I am pleased to report that we have made 
solid progress to date and are continuing to improve our 
ability to defend against cyber attacks.
    As we began the fiscal year, we had a number of security-
related issues identified by our Office of the Inspector 
General in their audit of our financial statement. The issues 
encompassed work to done in six areas of Department-wide 
security program planning and management structure. The good 
news is, because computer security is a high priority, we had 
already identified areas that needed attention and had plans 
under way for corrective action. This proactive posture was 
acknowledged by the OIG in their audit findings.
    At this stage we have resolved all of the audit report 
issues at the departmental level and are working toward closing 
out the remaining issues with specific agency systems.
    In addition to dealing with immediate day-to-day issues, 
such as continued attempts to gain unauthorized access to our 
systems and responding to malicious codes such as the I Love 
You virus, we have invested substantial effort in planning 
ahead. Led by the Department's Chief Information Officer, our 
strategy in this undertaking has been twofold: First, align our 
information technology investments with legislative mandates 
and other direction; and second, bring a departmental focus to 
our information technology investments where a unified approach 
and economies of scale are advantageous.
    Information technology approaches that are common across 
the Department, such as the implementation of a common 
architecture and needed improvements in the infrastructure, 
lend themselves to a common cross-cutting strategy. The use of 
a common strategy then enables us to effectively leverage the 
use of individuals' expertise and other scarce resources for 
the good of all at the Department of Labor.
    Utilizing this approach for fiscal year 2001, the 
Department identified three cross-cutting areas for investment, 
one of which is computer security. The computer security cross-
cut represents approximately 18 percent of the Department's 
information technology cross-cutting investment portfolio for 
fiscal year 2001. It includes plans to ensure that the 
information security policies, procedures and practices of the 
Department are adequate, as well as reflect the first step 
toward implementing a multiyear plan for protecting our 
critical infrastructure. Notably this will be a separate budget 
activity, and the funds will be administered by the 
Department's Chief Information Officer to ensure an organized, 
disciplined approach to implementing a stronger security 
program.
    Mr. Chairman, our plans for next year should not, however, 
overshadow what we've accomplished this year, 2000. I would 
like to submit a brief highlight of those accomplishments for 
the record, if I may.
    Mr. Horn. Without objection, it will be in the record at 
this point.
    Mr. Hugler. Thank you, Mr. Chairman.
    Mr. Chairman, we concur with the need to assess the overall 
state of the Federal Government's computer security 
environment, and we welcome the opportunity to work with you 
and the subcommittee to devise an instrument that will provide 
the flexibility necessary to accurately assess agencies' 
progress. We also recognize that work remains to be done at the 
Department of Labor to further improve our computer security.
    I share with you your confidence that we will come through 
as we did with the year 2000 challenge. I am confident as well 
that we have sound plans for making these improvements and the 
skill on hand to do so. However, the key to our success, as has 
been mentioned by other witnesses at the table this morning, 
will be making the necessary funding available.
    Thank you, Mr. Chairman. I appreciate the opportunity to be 
here, and I will be happy to take your questions.
    Mr. Horn. Well, thank you very much.
    [The prepared statement of Mr. Hugler follows:]

    [GRAPHIC] [TIFF OMITTED] T4495.185
    
    [GRAPHIC] [TIFF OMITTED] T4495.186
    
    [GRAPHIC] [TIFF OMITTED] T4495.187
    
    Mr. Horn. And our next presenter is Ira L. Hobbs, the 
Deputy Chief Information Officer for the Department of 
Agriculture.
    Mr. Hobbs.

 STATEMENT OF IRA L. HOBBS, DEPUTY CHIEF INFORMATION OFFICER, 
                   DEPARTMENT OF AGRICULTURE

    Mr. Hobbs. Thank you, Mr. Chairman. Good morning, Mr. 
Chairman and Ranking Member Turner.
    I am pleased to appear before the committee this morning to 
update you on the status of the computer security program of 
the U.S. Department of Agriculture. With your permission, I 
will make a few brief comments and submit my written testimony 
for the record.
    USDA's programs touch the lives of every American every 
day. We manage a diverse portfolio of over 200 Federal programs 
throughout the Nation and the world at a cost of about $60 
billion annually.
    The information we manage, which includes Federal payroll 
data, market-sensitive data, geographical data, information on 
food stamps and food safety, proprietary research data, is 
among USDA's greatest assets.
    The Department is committed to protecting its information 
assets as well as the privacy of its customers and its 
employees. Audit reports conducted by both USDA's own Office of 
the Inspector General and the General Accounting Office have 
identified significant weaknesses in our overall computer 
security program, which we are working hard to correct. As an 
example, the Department is acquiring and installing necessary 
equipment to upgrade security at our highest priority Internet 
access points, and we are strengthening our intrusion detection 
capabilities. We are working diligently to correct all of the 
deficiencies that have been identified by the reports and hope 
to be able give you a much more expanded impact in terms of the 
changes that we have made.
    Reports such as those cited above, as well as internal 
security reviews mandated by the Secretary of Agriculture in 
July 1999, made it clear that the Department requires an 
overall coordinated and corporate approach to cybersecurity if 
it is to succeed.
    The USDA agencies include some security funding in their 
respective budgets. Departmental funding is critical to 
ensuring the creation of a standard security infrastructure, 
and departmental leadership is required to ensure that we have 
a comprehensive set of policies and guidelines.
    The Secretary's security review also resulted in a 
multiyear action plan to strengthen USDA's information 
security, which addresses program organization, staffing needs, 
policy and program operations, and security and 
telecommunications technical infrastructure. When fully enacted 
our plan will align USDA security practices with those of 
leading organizations.
    Our recent focus primarily has been upon building upon the 
competency and skill of our security staff. We are extremely 
fortunate working with the Secretary to establish the first 
Associate Chief Information Officer for Cybersecurity at the 
Department of Agriculture and able to select a senior level 
executive, Mr. William Hadesty, formerly with the Internal 
Revenue Service, as our first CIO for Cybersecurity. With the 
recent addition of Mr. Hadesty, we have already started to 
implement the priority actions in our action plan.
    The Congress provided a $500,000 budget increase for the 
Office of the Chief Information Officer for security in fiscal 
year 2000. With these funds and existing resources, we are 
assembling a well-qualified staff of security experts to lead 
the Department's efforts.
    Since joining with us in February 2000, the Associate CIO 
for Cybersecurity has carefully analyzed and made adjustments 
to our ongoing program. In addition, our most critical 
information resources, including the National Information 
Technology Center in Kansas City and the National Finance 
Center in New Orleans, have been or are now undergoing critical 
review. We recognize, though, that we still have a long way to 
go.
    The Office of the Chief Information Officer's fiscal year 
2001 budget request included an increase in funding for 
cybersecurity of approximately $6.5 million. If enacted as 
requested, our security budget will provide the resources to 
complete the development of a USDA risk management program, 
continue to expand our cybersecurity office, increase our 
capacity to conduct onsite reviews, and provide training and 
hands-on assistance to augment the skills of our agency's 
security staff. Additionally our project plans call for a major 
effort in 2001 to further define requirements for a security 
architecture and begin its redesign and implementation.
    In fiscal year 2002, we will continue to develop and 
implement our USDA-wide computer security program. The 
information survivability program and the sensitive systems 
certification program we plan to establish will complete USDA's 
computer security umbrella.
    Mr. Chairman, we believe that fulfillment of our 
cybersecurity action plan will position the Department to 
comply with Federal computer security guidelines and best 
management practices. The reality is, though, that until our 
computer security program is fully funded, we will remain much 
too vulnerable.
    I appreciate the opportunity to speak to the committee. I 
look forward to being able to answer any questions you may 
have.
    Mr. Horn. Thank you very much, Mr. Hobbs.
    [The prepared statement of Mr. Hobbs follows:]

    [GRAPHIC] [TIFF OMITTED] T4495.188
    
    [GRAPHIC] [TIFF OMITTED] T4495.189
    
    [GRAPHIC] [TIFF OMITTED] T4495.190
    
    [GRAPHIC] [TIFF OMITTED] T4495.191
    
    [GRAPHIC] [TIFF OMITTED] T4495.192
    
    [GRAPHIC] [TIFF OMITTED] T4495.193
    
    [GRAPHIC] [TIFF OMITTED] T4495.194
    
    Mr. Horn. Our next presenter is Mark A. Tanner, Information 
Resources Manager, Federal Bureau of Investigation, Department 
of Justice.
    Mr. Tanner.

  STATEMENT OF MARK A. TANNER, INFORMATION RESOURCES MANAGER, 
     FEDERAL BUREAU OF INVESTIGATION, DEPARTMENT OF JUSTICE

    Mr. Tanner. Good morning, Mr. Chairman, Mr. Turner and 
other members of the audience. I thank you for inviting us here 
to discuss computer security at the FBI. The FBI shares your 
conviction that computer security is a vital concern. That 
concern is manifested in a variety of levels: First, the 
concern within the FBI as to how the FBI collects and handles 
sensitive personal information; the concern as a member of the 
U.S. intelligence community where there is a growing awareness 
and desire to achieve a collaborative sharing of intelligence 
information while at the same time securing highly sensitive 
and classified sources and techniques; the concern as a member 
of the law enforcement community often called upon to 
investigate, identify and apprehend those responsible for 
hacking into government systems and critical infrastructures of 
this Nation; and the concern as a Federal law enforcement 
agency called upon to investigate computer and computer-related 
crimes as diverse as a pedophile seeking to prey on a 
youngster, Internet fraud crimes which victimize all elements 
of our society, including persons and businesses, and those who 
would seek to enrich themselves by manipulating stock prices.
    The FBI's internal computer policies and practices present 
a somewhat unusual picture as far as Federal agencies are 
concerned. The FBI is, as I have stated, an agency charged with 
investigating many computer-related crimes and it is charged 
with the conduct of all counterintelligence activities in the 
United States.
    In addition, the FBI operates several systems on which 
State and local law enforcement agencies have come to rely as a 
necessity. As such, the FBI must operate both classified and 
unclassified systems, and many of those unclassified systems 
have strong requirements for the protection of personal data 
about American citizens as well as a need to maintain instant 
availability.
    In addition, the nature of some of these, some of these 
systems presents special requirements in that the data 
represents information gathered through a variety of methods, 
each requiring its own specialized method of handling and 
protecting the information. These methods includes Federal 
grand jury subpoenas which are subject to the requirements of 
rule 6(e) of the Federal Rules of Criminal Procedure, material 
identified as Federal taxpayer information, and thus, subject 
to specialized handling and disclosure requirements, as well as 
other many other specialized requirements. Of course, the 
specific requirements of classified information such as that 
obtained as a result of title 50, the Foreign Intelligence 
Surveillance Act, activities or by other intelligence community 
agencies, which must be respected.
    To accomplish these tasks, the FBI operates 35 general 
support systems and 12 major applications; 24 of the 35 general 
support systems are classified and 6 of the 12 major 
applications are classified. In other words, the FBI operates 
30 national security systems. It should be noted that the vast 
majority of the FBI's classified systems are currently internal 
systems and thus do not have external connections to nonsecure 
or unclassified systems.
    The FBI's information systems security policy is codified 
in our Manual of Investigative Operations, section 35. A copy 
of this policy has previously been provided to this 
subcommittee. The policy is a compilation of requirements which 
are outlined in section 35-11 of this policy. In general, let 
me state that because of the variety of types of systems used 
by the FBI, our practice, where practical, involves using a 
hierarchical approach to any requirement from these sources 
based on the selective system's criticality and risks. This is 
to avoid any possible confusion as to whether or not a system 
should follow this or that set of rules and regulations. To 
choose any other course of action would be folly.
    The FBI's policy is coordinated with the Information 
Systems Security Unit which is a part of our National Security 
Division. The security unit works closely with the Department 
of Justice entities which oversee classified and unclassified 
computer systems. In addition, they maintain a good working 
relationship with the national entities responsible for 
computer security policy, such as the NSTISSC and NIST and the 
Security Policy Board to ensure that the latest information is 
available.
    There are many challenges which face the FBI in today's 
computerized world. One of the biggest challenges involves the 
rapidly changing environment and the rapidly changing world in 
which we all live. New technologies are moving into the 
marketplace at a frenetic pace; old technologies are undergoing 
metamorphosis. Each of these new products presents particular 
problems and a careful and thoughtful analysis to ensure that 
the FBI continues to maintain a policy which recognizes the 
business needs of the computerized world and still providing 
meaningful security practice.
    The FBI is practicing risk management approach in its 
certification and accreditation of all computer system 
security. As I previously noted, most systems are internal and 
not connected to nonsecure unclassified systems. This isolation 
provides some sense of comfort in that these systems are not 
connected to the outside and far less vulnerable to compromise 
and attack. In this manner, our approach has been to identify 
both systems which pose the largest risk in terms of their data 
and sensitivity of the data. These systems are approached 
before systems which play a lesser role in either their data or 
sensitivity. The FBI is currently engaged in a series of 
activities which will hopefully lead to the speedy completion 
of the certification and accreditations. Resources have been on 
loan from the Department of Justice as well as other 
intelligence community under the ICAP program.
    The FBI has undertaken a--an effort to make system owners 
cognizant of system security requirements in their initial and 
life-cycle development of plans for systems, in that way 
ensuring that systems security is built into all systems and 
that the continuing costs are specifically identified as a 
separate line in each proposal.
    In conclusion, let me just reiterate that the FBI 
appreciates the interest of this subcommittee, indeed the 
interests of all parts of Congress in this area where we share 
your interests and concern. Our efforts will continue to ensure 
that all systems, including those of the FBI, meet the 
expectations of the American public to appropriately protect 
that information which must be protected. The FBI respects the 
trust placed in it by the American public and the Congress and 
will do the utmost to maintain that trust.
    Thank you.
    [The prepared statement of Mr. Tanner follows:]

    [GRAPHIC] [TIFF OMITTED] T4495.195
    
    [GRAPHIC] [TIFF OMITTED] T4495.196
    
    [GRAPHIC] [TIFF OMITTED] T4495.197
    
    [GRAPHIC] [TIFF OMITTED] T4495.198
    
    [GRAPHIC] [TIFF OMITTED] T4495.199
    
    Mr. Horn. Well, thank you Mr. Tanner. We appreciate very 
much what the FBI has done in tracking down a lot of these 
hackers, and some I believe are in Federal prison now. So we 
thank you for that effort, and I think you were very on top of 
the situation in the Philippines when that occurred.
    Our last presenter before questions is Solveig Singleton, 
Director of Information Studies for the CATO Institute. Am I 
correct to say the CATO Institute would be called a 
libertarian-based institute?
    Ms. Singleton. Yes.
    Mr. Horn. OK. Ms. Singleton, it's all yours for 5 minutes.

STATEMENT OF SOLVEIG SINGLETON, DIRECTOR OF INFORMATION STUDIES 
                     FOR THE CATO INSTITUTE

    Ms. Singleton. Thank you, Mr. Chairman. My testimony today 
is going to offer examples of some of the types of data bases 
maintained by Federal agencies and offer a big-picture 
perspective on the significance of any security problems within 
those data bases.
    With the power to command, powers of arrest, police, courts 
and armies, the government has powers that the private sector 
lacks. You can hang up on an annoying telemarketer but it's 
hard to hang up on the IRS. Recognizing that in the 
Constitution we have the fourth amendment which limits the 
means by which government may collect information and we also 
had the idea originally of a government of relatively limited 
powers, and inherently a government of more limited power has 
less need for hundreds and hundreds of data bases than a 
government of broader powers.
    Now, for better or for worse, we have drifted away from 
this concept of limited government, and there's a natural 
consequence. The amount of detailed information about private 
citizens in Federal files has grown by leaps and bounds.
    To underscore the importance of keeping this information 
secure, I will offer an overview of the types of information 
that are held by Federal agencies.
    Essentially, Federal agencies collect an enormous array of 
information. The Federal Government will inexorably record, 
obviously, your name, your address, your income, but also your 
race, details of how you spend your money, your employer, 
updated quarterly, whether you've asked for information from 
government agencies, student records, whether your banker 
thinks you've engaged in any suspicious activities like making 
an unusually large withdrawal or deposit, and finally, of 
course, a surprising number of agencies hold different types of 
medical records and not simply Health and Human Services.
    I am going to run down some of the departments that we 
looked at very quickly and offer a very small number of 
examples of the type of information that they hold. Let me 
start with the Commerce Department.
    One file maintained by this Department keeps individual and 
household statistical surveys which include individual's names, 
age, birth date, place of birth, sex, race, home business phone 
and address, family size and composition, patterns of product 
use, drug sensitivity data, medical, dental, and physical 
history and other information as they consider necessary.
    The Department of Education has the national student loan 
data system and, among other items, a registry of deaf-blind 
children nationwide.
    The Department of Energy maintains, among some very 
sensitive counterintelligence data bases, records of human 
radiation experiments.
    The Federal Bureau of Investigation, obviously, is home to 
the FBI central records system, alien address reports, witness 
security files and information on debt collection and parole 
records.
    The Department of Health and Human Services has massive 
quantities of medical record information, filling hundreds of 
data bases. Some of these data bases include the personal 
Medicaid data system and the national claims history billing 
and collection master records system.
    Next comes the Department of Housing and Urban Development. 
Now, this agency is perhaps best known among privacy advocates 
over the last few years, urging that residents of Federal 
housing agree to warrantless searches of their apartments in 
their lease agreements. This agency holds data such as single 
family research files, income certification evaluation data, 
and tenant eligibility verification files.
    The Department of Labor has a lot of data bases including a 
data base with information on applicant race and national 
origin, records from the workers' compensation system and 
records from the national longitudinal survey of youth, which 
is a longterm study of certain individuals as they grew up over 
the past few decades.
    Obviously the Social Security information collects 
information on lifetime earnings, as well as information 
related to insurance and health care and census data. What may 
be less well known is the extent to which they share and match 
information with Health and Human Services, the IRS, and other 
agencies. So, for example, one data base at the Social Security 
Administration is--matches Internal Revenue Service and Social 
Security Administration data with census survey data and 
records of Cuban and Indo-Chinese refugees.
    The Department of Treasury, last but not least, holds a 
financing data base which contains millions of reports of 
banking activities of privately named U.S. citizens. They have 
also got the national data base of new hires, which holds 
records of the income and employment of every working American, 
updated quarterly.
    Now, to sum up, I don't want to suggest that all this data 
is part of some kind of sinister plot and we should all go 
around wearing tinfoil hats on our head, nor do I want to 
denigrate the well-intentioned efforts that have been made to 
make many of these data bases more secure, but what I would 
like to point out is that the growth of these data bases makes 
security and the need for internal controls against 
unauthorized use by government employees a systemic problem 
rather than an occasional problem, and it generally--the growth 
of these data bases threatens to shift the balance of power 
between individuals and the Federal Government. So this really 
is a systemic issue and it will be become more and more acute 
as we move away from a vision of limited government and want 
the government to be involved more and more in our day-to-day 
lives.
    Thank you.
    [The prepared statement of Ms. Singleton follows:]

    [GRAPHIC] [TIFF OMITTED] T4495.200
    
    [GRAPHIC] [TIFF OMITTED] T4495.201
    
    [GRAPHIC] [TIFF OMITTED] T4495.202
    
    [GRAPHIC] [TIFF OMITTED] T4495.203
    
    [GRAPHIC] [TIFF OMITTED] T4495.204
    
    [GRAPHIC] [TIFF OMITTED] T4495.205
    
    [GRAPHIC] [TIFF OMITTED] T4495.206
    
    [GRAPHIC] [TIFF OMITTED] T4495.207
    
    [GRAPHIC] [TIFF OMITTED] T4495.208
    
    [GRAPHIC] [TIFF OMITTED] T4495.209
    
    Mr. Horn. We thank you and now begin the questioning. What 
we'll do is alternate the questioning, 5 minutes for myself and 
5 minutes for the ranking member and back and forth until we 
get the questions out of our system.
    I'm going to start with the Department of Agriculture. As I 
recall in your statement, Agriculture repelled 250 hacker 
attacks. Were any of these successful attacks, Mr. Hobbs, and 
if so what kind of damage was done?
    Mr. Hobbs. In some instances, Mr. Chairman, the attacks 
were successful. They resulted in things like changes to Web 
pages. We report all of our intrusions. Some of them like 
changes to Web pages. We were able to identify where people had 
been able to access systems, but in no instance were there any 
major or significant damages done. In most instances we've 
taken the necessary steps to shut down what we consider to be 
backdoor ways that people were getting into the systems, and 
are trying to be more vigilant in our monitoring and tracking 
of those activities and those kinds of concerns.
    Mr. Horn. On the Agriculture, you completed the security 
questionnaire and it states the Department doesn't really feel 
that the system accreditation is important. A lot of other 
agencies feel the system accreditation, where possible, is 
important. Why isn't accreditation that important to the 
Department of Agriculture?
    Mr. Hobbs. I don't think that we said that it was not 
important. I believe that what we are doing is we have a 
prioritized program that we are working toward completion of, 
with systems accreditation being a part of that. So I don't 
think we said it was unimportant. I think what we said is we 
have a prioritized effect--direction in terms of which we're 
trying to proceed, and that we're moving with deliberate speed 
in that sense of looking at all aspects and all phases of our 
security program.
    Mr. Horn. Well let me ask Mr. Willemssen, on behalf of the 
General Accounting Office, as I understand, system 
accreditation is a formal management process to test and accept 
the adequacy of the system's security before putting it into 
operations. So how important is it to an agency's security 
computer programs that they're accredited; and could you 
explain that process and why most of the Departments are doing 
that where they can?
    Mr. Willemssen. We believe system accreditation is 
especially critical, and it represents management's judgment 
that they have gone in, made an assessment of the risk of a 
particular system and the associated data; that given the risk 
associated with the system and data, appropriate controls have 
been put in place to fend off any attacks that may occur, and 
that management is therefore making a declaration that the 
appropriate controls are there to deflect or at least be aware 
of any such attacks that may happen. We think it's especially 
important. Most agencies agree. We do see at times differences 
in nomenclature. Some agencies may actually be doing something 
similar to accreditation but may call it something else.
    Mr. Horn. Moving to the Department of Labor, Mr. Hugler, as 
I looked at the information, the computer security 
questionnaire indicated weaknesses in all six general control 
areas and the weaknesses were confirmed by the Inspector 
General's audit results. So I'm curious, what does the 
Department consider to be its most critical weaknesses?
    Mr. Hugler. Well, Mr. Chairman, I think you're correct to 
state what the Inspector General found last year and they did 
find weaknesses in all six areas. I think what's important to 
recognize is that we have now addressed all of those issues, 
and in fact the Inspector General's audit findings, as I 
recall, acknowledged that if we did two important things, one 
is put out the rules for the Department's computer security and 
put out the rules for the Department, in terms of systems 
development and life-cycle criterion rules, if we did those two 
things, that we would have addressed all six of the categories 
with which they found issues.
    We have done that and, more importantly I think, we have 
gone ahead aggressively with implementing those rules. And the 
example, I would cite to you, is our experience with the I-
love-you virus. We have incident response procedures now in 
place at the Department. We had some 33,000 attacks from that 
virus. A small number of computers, 243 as I recall, were 
infected. I think the most--the best measure of our response, 
however, was the fact that we notified our employees of that 
virus and what to do with it 3 hours in advance of the official 
Federal notification.
    So I would commend your attention to that as an example of 
the kind of things we've been able to do over the last year. So 
really the OIG's findings from last year are just that, a year 
old, and we have improved dramatically since then.
    Mr. Horn. And so you would say the corrective action for 
these has been completed?
    Mr. Hugler. Yes, sir. At the Department level we have done 
that and I am very comfortable with that.
    Mr. Horn. I now yield 5 minutes to the gentleman from 
Texas, Mr. Turner.
    Mr. Turner. Thank you, Mr. Chairman. As I listen to each of 
you who come from your respective agencies, it causes me to 
come back to a comment Mr. Gilligan made about the importance 
of cross-government initiatives. As many of you know, I have 
been an advocate of having a Federal CIO, a chief CIO for the 
Nation, someone who had the expertise, the competence, the 
leadership role, as well as the budgetary support necessary to 
be sure that we can have stronger cross-government initiatives 
in the area of information technology and certainly in the area 
of computer security.
    And I think I'd like to ask you, Mr. Gilligan, to expand 
upon your assessment of the need for these cross-government 
initiatives, and I would be interested in your insight on it, 
because not having nearly the expertise in the area that you do 
nor the experience in the area, I still am left, after hearing 
all this testimony, with the conviction that the area of 
information technology certainly provides the potential for the 
expenditure of vast sums of Federal dollars in a very 
inefficient way. And I would be interested in your comments on 
the idea of more emphasis on cross-governmental initiatives and 
what kind of leadership might be necessary to ensure that 
happens.
    Mr. Gilligan. Mr. Turner, I'd be happy to comment. What I 
have found in my activities in the CIO Council is that the 
potential that you allude to for enormous sufficiencies as a 
result of cross-government IT efforts is there, but that 
potential is difficult to realize because our fundamental 
government structures in the executive branch and in the 
legislative branch tend to be stovepipe-oriented on particular 
agencies and particular missions, and in fact, what I have 
found is the most difficult efforts to get support for are 
cross-government initiatives. And relatively small sums of 
money that would have enormous benefits often fall through the 
cracks because there is no clear forum for advocacy. And 
individual committees, whether they be in the executive or the 
legislative branch, tend to be very narrowly focused on that 
portfolio to which they're assigned responsibility.
    In my testimony, I noted our best security practices 
effort. This is an effort that is enormously compelling. The 
objective is to pull together best security practices from 
across the Federal Government, provide a Web repository where 
they can be accessed easily, and to share this wealth of 
experience that we have across the government.
    We have found that getting small sums, hundreds of 
thousands of dollars for this initiative, is very difficult, 
and it's not that the effort is not supported. It is supported. 
And when I talk to members in the administration and Members of 
Congress, it is supported. But the question is, ``who should 
pay for it and where should that funding come from?''
    The Federal incident response capability, FedCIRC, which is 
our government's central point for disseminating information on 
viruses and patch updates, is funded through a set of 
committees. It is sponsored by Department of Defense, the FBI 
and GSA. We have found in the recent remarks that the report 
has not been strong, and again I don't think it's because the 
merits of this effort are not supported in general. It's that 
there is no central focus that helps bring this together and to 
help identify that these individual, relatively small dollar 
items in individual budgets, are in fact of far greater 
importance than their small dollars would indicate.
    And so I think as you suggest, this is an area where we 
desperately need to focus attention. I think not only in the 
security area will it help us improve security, but we can far 
better leverage the enormous resources that we do have in 
attacking a whole range of information technology issues.
    Mr. Turner. Thank you.
    Mr. Spotila, I know you have worked in this area, and one 
of your duties at OMB is to try to be sure that we move toward 
the kind of things Mr. Gilligan is talking about. I know there 
is a Presidential directive that established two tiers of 
agencies. It strikes me, and you might want to explain that a 
little bit, but it strikes me that it is certainly appropriate 
to acknowledge that the importance of computer security may 
vary from agency to agency, and that when we try to focus our 
resources, perhaps we should choose certain agencies over 
another. If we did that, we would expect to see different 
grades from the agencies because we would have made a choice 
regarding where to place the initial dollars to improve 
security. But describe for us a little bit that Presidential 
directive that established those first, those two tiers.
    Mr. Spotila. Yes, Mr. Turner. First of all, let me just 
mention that OMB has been very supportive, as I've testified to 
the committee before, of these cross-cutting initiatives. We 
share Mr. Gilligan's belief that these are very important, that 
they would make a great deal of difference, and that they do 
need support.
    The President, in May 1998, put out a Presidential Decision 
Directive aimed at critical infrastructure protection. It was 
at that time that he designated Mr. Richard Clark as his 
adviser on counterterrorism. He's worked with the committee and 
has been very active. The Critical Infrastructure Assurance 
Office was then established.
    What we have tried to do in the administration is to 
prioritize in this area. I mentioned in my testimony that OMB's 
focus has been on the same 43 high-impact programs that we 
focused on during the Y2K effort. We have more than 26,000 
systems in the government. If we're going to enhance our 
ability to serve the American people by promoting effective 
information security, we need to prioritize. We need to start 
with the areas that have the greatest impact, whether they be 
agency by agency, or, more accurately, within agencies, program 
by program, system by system.
    The Critical Infrastructure Assurance Office has tried to 
zero in on those areas, those agencies, and those aspects 
within agencies that have the greatest importance and perhaps 
would be at risk the most. We've tried to work at OMB at 
focusing on the programs that we think have the greatest impact 
on the American people; as I'd mentioned, Medicare, Medicaid 
and the like. We think that we have to begin with the most 
important things. That's where we're going to have the most 
significant improvement and have the most significant benefit, 
which is not to say that we ignore all the other areas. We put 
out general guidance. We're working with the agencies. We're 
relying on the agencies to try to improve their efforts in this 
regard across the board.
    But in terms of White House attention, we're obviously 
starting with the things that matter the most.
    Mr. Turner. Thank you.
    Mr. Horn. Let me add to that the following. This is the 
last month of a fiscal year. This is the time Cabinet officers, 
deputy secretaries, assistant secretaries, all of them sit 
around and say, what can we do with the surplus we have in our 
budget? And having been in administration, I know exactly what 
they do, and this is the time, if they're serious about this, 
to reprogram some of that money into what everybody's saying, 
oh, we've got to have new money. That isn't the way we started 
with Y2K. We started when I urged a lot of the people to start 
reprogramming.
    When Dr. Raines came in as budget director, he said, You're 
absolutely right, and that's what I'm going to tell them. And 
he did, and that's how we got the job done. We also made sure 
Congress provided the money. But if they're serious in these 
various executive branch agencies, this is the time to get a 
few million here and there.
    And then besides that, let's just talk about a few simple 
steps such as policies requiring regular changing of passwords, 
safeguarding equipment, turning off computers. That doesn't 
cost a thing. That just costs doing it, if any. And I guess I 
would ask, because energy has certainly been in the papers for 
the last 2 years on this, but I'd ask, is there in OMB the 
concern about policies to just get those basic areas done?
    Mr. Spotila. Let me respond in a couple of respects.
    First of all, I agree with you, Mr. Chairman, that some 
agencies are going to have discretionary funds available this 
September. We would certainly hope that they would apply them 
to this area. I know that the various CIOs at this table and 
others around government are going to do all they can to try to 
impress that upon their agency heads. So I think that we do 
need to be serious; just as all of us need to be serious, the 
executive and the legislative branch, because this is a really 
important area.
    We have a lot of policy out there, even things that you 
mentioned about passwords, changing passwords and the like. The 
key is getting people to implement and follow the policy that 
may be out there. One of the things I emphasized in my 
testimony today and in my written testimony is that, in order 
to have effective security, it is essential that nonsecurity 
people buy in, that they participate, that they understand the 
significance and that they buy into it. Because we can have all 
the policies in the world and we can have all the centralized 
supervision in the world, but if that person at the desk 
doesn't follow it, it doesn't do any good.
    You know, we tell the story about having very complex 
passwords that people write on little yellow sticky notes and 
paste to their computer screen. You can't have effective 
security without cooperation at all levels, and it's a message 
that we're trying to impart throughout the government. I think 
it will be an ongoing challenge to continue to do that.
    Mr. Horn. I thank you very much.
    Let me ask Mr. Dyer, who's got the B grade, the social 
security system, there is--apparently you're farther along than 
most other agencies now. Do you have a best practices that 
others might implement and what are they?
    Mr. Dyer. Mr. Chair, I think it's just like when we 
approached Y2K. Early on we saw it coming, and we 
institutionalized the process, the resources to deal with it. 
And we've done the same thing with security. It's part of our 
life cycle with our programs. Anytime we think about bringing 
up a new system, we look at the security aspects. Any 
modification to any system, we check the security all the way 
through and how it could roll over into other security systems.
    I pick up on what GAO said and what John Spotila said. The 
biggest challenge we're finding is managing it. You can have 
good procedures, policies, rules in place, but you constantly 
have to be working with your managers, your employees that they 
follow them, and that's where we've been putting a tremendous 
amount of our effort.
    We've had conferences across the country. We've set up 
centers so that we're able to make sure that we have people in 
place that are doing the dogging and checking it. We change 
passwords every month now. We found that it just didn't happen 
the way it should. So we have instituted it. We're going 
through. We found out that they change the passwords to 
something they could remember. We now have software to check to 
see if it's dates of birth or names of family members or 
whatnot so you can start to screen those things out.
    So, to me, it's a constant management challenge. You can do 
the systems, but you've got be there, right there on top of it 
all the time.
    Mr. Horn. In my 26 seconds remaining, Mr. Willemssen, 
anything you want to add to that as to what might be done that 
isn't being done?
    Mr. Willemssen. One thing that I would add, Mr. Chairman--
and it somewhat extending off of Mr. Spotila's comment--and 
that is, it's one thing for agencies to have the policies and 
procedures which I think in many cases they do. It's quite 
another to see whether the accompanying practices have actually 
been put in place.
    That's been particularly the case when we and Inspectors 
General go out and we test whether these policies and 
procedures are actually being implemented. They often have not 
been. And that really is a key distinction I think often 
between what the agencies believe is going on and what may 
actually be happening, although I think there is clearly many 
of the agencies are on the road for improvement in that 
direction, also.
    Mr. Horn. I now yield 5 minutes to the gentleman from 
Texas, Mr. Turner.
    Mr. Turner. Thank you, Mr. Chairman.
    The designation of the Presidential directive--is it tier 
1, tier 2, phase 1, phase 2, whatever it's called--I'm curious 
as to what kind of impact that has and how is that designation 
significant; and I'd like, Mr. Hugler, if you would, to comment 
on that because I know Department of Labor is a tier 2 
designation.
    Mr. Hugler. Yes, sir. Thank you, Mr. Turner.
    It is an important distinction, because it is important to 
recognize that some agencies handle more sensitive information 
and have more sensitive systems than others do. We certainly 
believe that our mission is important to American workers, but, 
frankly, we do not have critical information that directly 
implicates national security. So, as such, if we are going to 
prioritize funding and implementation priorities, I think it is 
appropriate for the Department of Labor to be a phase 2 agency 
or tier 2 agency.
    I think it's also important to note, though, that we take 
those responsibilities as a tier 2 agency as important and that 
we meet them and we are on target to meet all the milestones 
for which we are accountable.
    Mr. Turner. Mr. Spotila, when you think about funding for 
these various agencies to be sure they move forward in the area 
of computer security, do you make budgetary recommendations 
based on this phase 1, phase 2 designation?
    Mr. Spotila. What we do in the first instance is to 
actually have the agencies themselves come to OMB with their 
own determinations as to what they'd like to accomplish and 
what they feel they need in the information security area. They 
do so within their overall budget submissions when they go 
through the OMB review process.
    With the guidance that OMB put out earlier this year, 
focusing on the next budget year, we've made it very clear that 
information security needs to be part of that agency initial 
analysis. It needs to be integrated within the entire area of 
information technology planning for budget purposes because we 
don't believe that doing it as an add-on is effective at all.
    Within the budget review process, obviously if an agency is 
a higher priority, if the need is greater, that will be 
recognized in the process. Very often, the budget issues turn 
more on whether or not the proposal has been well thought out, 
whether it is likely to be a good use of money and a good 
expenditure of money and one that is likely to contribute not 
only to increased security but the agency's performance of its 
mission. Those are the kinds of factors that OMB takes into 
account, just as later on the Congress will take that into 
account.
    And your comment earlier about the risk, that money could 
be wasted in this area, is also something that we take very 
seriously. You can't just fund a proposal because it sounds 
good or because the agency is an important agency or the area 
is an important area. You have to make certain that the 
proposal will work, that it will contribute something that will 
add value and will involve money well spent. And so this 
analysis is actually a very comprehensive and thorough one.
    We think in the next budget cycle we're going to get better 
submissions from the agencies. We've been working with the 
agencies directly one on one to get them to understand the 
change. We're expecting that in the IT area we are going to 
receive budget submissions that are better thought out and that 
will have better justifications.
    Mr. Turner. Mr. Gilligan made a strong case for greater 
emphasis on cross-agency initiatives. What has OMB done to 
promote greater cross-agency efforts?
    Mr. Spotila. We've actually been doing a variety of things. 
We've worked closely with the CIO council, which I've chaired 
since last year until their DDM was confirmed. We've worked 
closely with John and his committee in that regard trying to 
identify areas. We've worked closely with Dick Clark and the 
Critical Infrastructure Assurance Office and the national 
security community and with others throughout OMB and the 
agencies trying to identify areas where crosscutting 
initiatives would help.
    John mentioned public infrastructure which would enable us 
to authenticate signatures. We think that's an important area. 
We know we need better intrusion detection capability. We think 
we need expert review teams that can get out onsite in the 
various agencies and help them not only assess security but try 
to improve their efforts in security. We think we need more 
efforts in the R&D area. We need scholarships for people to 
start learning this area so that the Federal Government can get 
the kind of personnel it needs with the kind of experience and 
educational background it needs to work in this area over the 
long term.
    So we have tried to identify areas of need, working closely 
with all these other parties, and then within the budget 
process we've actually given it a huge amount of support to try 
to help develop proposals that make sense, that will have 
credibility with the Congress, that will work once implemented.
    I think that the reality is we do start with a stovepipe 
approach. We all need to think outside of the box. We need to 
make certain that, as we do crosscutting initiatives, that they 
work so that we can buildup credibility and support for further 
efforts in the future. That's something we take very seriously, 
and I think that will be an ever-growing need in the future.
    Mr. Turner. How many dollars have you expended on cross-
agency initiatives and how many of them have been accomplished?
    Mr. Spotila. Well, I think the reality is that in the past, 
as John has said, when there have been efforts like 
crosscutting initiatives, for example, support of the CIO 
Council and its efforts, we've done that by what John indicates 
is passing the hat. Under the Clinger-Cohen Act, we have some 
ability to do that, to have agencies contribute toward support 
of crosscutting measures.
    The President's budget, as I outlined in my testimony, not 
only includes an increase for computer security in general, but 
it highlights crosscutting initiatives that we think are very 
important. John mentioned that for $50 million an awful lot can 
be accomplished. I think the President's request is actually 
greater than that in this area because we're also focusing on 
research and development and on cyberscholarships and the like. 
Still, we're looking at a relatively small amount of money. 
$150 million would make a huge impact in this area. The key is 
to get it appropriated.
    And so when we talk about past crosscutting initiatives 
it's hard to track because we haven't had the kind of 
appropriations in large numbers that we're talking about here. 
We have used relatively small amounts of money to support the 
CIO Council and some other developmental areas along these 
lines. The GITS Board, for example, worked on the PKI--public 
key infrastructure-- issue for some time. The Board has now 
been rolled into the CIO Council. We've identified a need to do 
much more of this going forward. I think the key now will be to 
see what happens in the appropriations process this fall.
    Mr. Turner. You've requested how many dollars for cross-
agency initiatives?
    Mr. Spotila. We have a list in my testimony that I can just 
mention, highlight real quickly.
    Mr. Turner. Where would that be found?
    Mr. Spotila. In my written testimony?
    Mr. Turner. I mean in the budget itself. Is it 
appropriations in OMB? Is that where the money would reside 
currently?
    Mr. Spotila. No. Actually, although these are crosscutting 
initiatives in the budget, they appear in the departmental 
submissions. So, for example, the Department of Commerce is 
seeking $5 million for NIST to establish an expert security 
review team that can then go to agencies, to a number of 
different agencies outside of Commerce. That's an example. When 
we talk about crosscutting initiatives, because of the nature 
of the appropriations process, it needs to appear in an 
individual agency's budget. Part of the difficulty is--not to 
single out Commerce--if that particular appropriations 
committee or subcommittee doesn't think it a priority, that an 
expert security review team at Commerce will be helping 25 
other agencies, they might give it less support. That's where 
the difficulty comes in the budget process.
    So all of these so-called crosscutting initiatives still 
appear in individual agency budget submissions.
    Mr. Turner. I think that's one of the things that I have 
concern about, that perhaps we need some central location, some 
leadership for this that would flow through our Federal CIOs to 
be sure that these things happen. Because I think what you're 
left with, even after you secure the appropriations agency by 
agency, you're still in the pass-the-hat mode, which I think is 
one of the problems that we perhaps face in the area that we 
are discussing.
    Thank you, Mr. Chairman. I know my time's expired.
    Mr. Horn. Thank you.
    Let me followup on that again. There's obviously a concern 
when you have these cross--the boundaries, if you will, 
initiatives. Now, can--on reprogramming, you know, $5 million, 
that's chicken feed to any agency. They have got the--they can 
reprogram that.
    So you don't really need to worry too much. But you're 
right. If they're trying to help four or five other agencies, 
the appropriations and authorizers here might say, hey, not on 
my beat, put them somewhere else. So--but, hopefully, that's 
why OMB is there, to sort of help straighten it out.
    I am not going to embarrass any of the CIOs here, the chief 
information officers, but have the secretaries and heads of the 
agencies within the executive branch been responsive to the 
efforts to strengthen computer security? And I just--perhaps 
Mr. Gilligan on behalf of the CIO Council, Chief Information 
Council, do you get a feeling in those meetings that some of 
them just--these are not, obviously, here. They're other 
places. But do you get a feeling that they're not getting good 
backing from the top executives in the agency?
    Mr. Gilligan. It's my clear sense that the senior 
executives across the agencies are getting the message. It's a 
complex issue, and I think the difficulty, as I addressed in my 
testimony, is understanding both that cybersecurity is 
important, and understanding what to do about it are two 
different things, and I think that's, in many cases, where 
agencies are stuck. It is not an issue that can be delegated 
down. It has to be undertaken and aggressive leadership has to 
be provided by senior management, as we found with Y2K.
    So I reiterate, I think the actions of the senior levels of 
the administration, and of this committee and others are going 
to be important in helping to get that message across. While 
there are complex technical issues that equate to rocket 
science, there is a foundation that must be built that is just 
good sound management practice that requires aggressive 
involvement at the senior levels.
    Mr. Horn. Let me move to another question, that when we had 
this discussion a few minutes ago on the libertarian 
suggestions, what message do the grades that we have given you 
send to the American people regarding the security of the 
citizens' personal information? Should we have a special 
category in that as to how that's dealt with in an agency and 
on those files that such as the census and others are the 
obvious one over in Commerce? Should we have a category as to 
how high in the agenda and hierarchy of things to be done that 
you first protect the information of the American citizen from 
getting out for people making use of those data and, therefore, 
perhaps as we've seen what's happened in credit card operations 
is some of these idiots take exactly the whole name and number 
and all the rest of it, and the result is that those poor souls 
can never get a loan again because somebody's running around 
the country with their credit card. Well, isn't that also true 
in some of the agencies here? What do you think, Mr. Spotila?
    Mr. Spotila. Well, let me start by saying that we take very 
seriously the importance of preserving the confidentiality of 
information that the government holds. As we've been discussing 
throughout this morning, we recognize that, although a lot of 
progress has been made, we are not done. We cannot afford to be 
complacent because the challenge in this area is a dynamic one. 
The threat changes; new technology, new threats can appear. And 
so, on a day-by-day basis, we need to continue to do the best 
we can and to improve our efforts.
    Without getting into the grades themselves, we all agree 
here that there is room for improvement. I'm perhaps more 
sanguine in the sense that I think that the information that 
we're talking about here is not at great risk. I think the 
agencies are very careful about protecting that information, as 
John Dyer indicated at Social Security. They take it very 
seriously and realize the importance of it. This is not to say 
that we're complacent. A new threat could emerge tomorrow that 
hasn't been anticipated, and a part of what you need in the 
security area is the ability to detect intrusions and to react 
to them and to correct problems when they surface.
    So I would say to the American people that we take security 
very seriously and that we all need to work together on behalf 
of the American people in this area.
    Mr. Horn. Mr. Willemssen, you've looked at a lot of 
agencies over the years. What is your answer to that question 
and how worried should the American people be about this 
situation?
    Mr. Willemssen. Well, I think--point one, Mr. Chairman, I 
think it's imperative to point out that absolute protection is 
not possible, and so we've got to look at this from a risk 
perspective. And in doing those risk assessments, the higher 
the sensitivity of systems and data, then the more rigid and 
tight the controls need to be and agencies need to make that 
up-front judgment on how much risk for particular systems and 
data they're willing to accept and, given that acceptance of 
risk, then put in the appropriate controls.
    And I think in many cases we still have agencies who 
haven't done the in-depth risk assessments of systems and data 
in order to come to those judgments because not all systems and 
data are created equal. There has to be some judgments up front 
on what we absolutely have to protect as best as possible, 
again recognizing that there is no absolute as it pertains to 
protection but that we can narrow the margin significantly.
    Mr. Horn. Ms. Singleton, would you like to get your licks 
in, shall we say?
    Ms. Singleton. I'd like to offer one additional comment 
along those lines, which is to say that part of the problem 
that I think the American people might perceive with this 
system as a whole is that in the private sector if you leak a 
document--say you work in a law firm and you leak a document 
about a client. The law firm stands a good chance of losing its 
client and you stand a good chance of losing your job. But 
there's a greater perception I think on the part of the 
American people--and partly it's correct that, in a Federal 
Government agency, if there's a leak or a mistake or an error, 
that there will be relatively lesser consequences for the 
agency as a whole and for the employee of that agency than 
there would be in the private sector.
    For example, if somebody in the agency does lose your file 
or give it to the wrong person, you still have to deal with 
that agency. You can't go to say another Department of 
Agriculture or another Department of Labor and find a, you 
know, better security practice there. So I think that also goes 
to the issue of some of the expense involved, is that it would 
be very helpful for the perception of the American people to 
have an understanding that if these policies are violated that 
there will be real consequences for the agency and for the 
employees involved.
    Mr. Horn. Well, we thank you on that.
    I'm going to have a few closing words, and I want to thank 
the staff and tell you what we're doing tomorrow here.
    It's clear that a great deal of attention must be focused 
on this vital issue. There's a lot of computer security policy 
out there, but it isn't necessarily being followed by some 
agencies and others. And when we look at all of the State 
governments you've got another matter there in terms of 
privacy. What does it take, legislation? You can be assured if 
it does we will continue to monitor the government's progress 
in this area.
    This report card sets a baseline for the future oversight. 
It also is a wake-up call for Federal departments and agencies 
to begin taking the necessary steps to ensure that the 
sensitive information contained in the computers will be 
protected.
    Tomorrow at 10 a.m. the subcommittee will hold a related 
hearing to examine two proposals that would establish the 
position of a Federal chief information officer. The gentleman 
from Texas has proposed that. Among other responsibilities, 
this governmentwide position would be responsible for the 
government's computer security efforts, and that's one 
approach, and that's in essence what we asked the President to 
do in the summer of 1997, was get somebody to put them in 
charge.
    Now, they didn't move for about a year, but when they did 
move that was exactly what was needed to get the coordination, 
somebody to be assistant to the President as Mr. Constant was 
when he was brought back into government, and he did a very 
fine job of pulling all the pieces together. Because I would 
ask, has the President brought this up at a Cabinet meeting?
    And, Mr. Spotila, I don't know if you know the answer to 
that, but in the Eisenhower administration, that thing would 
have been up there 10 years before. That's what Social Security 
was under the Y2K. They were on their own. There was no 
administration. They went through three of them in that period 
that didn't really face up to it until the bells were really 
ringing.
    So that's one of our concerns. But I think the next round 
we'll have a better feel for how accurately and diligently the 
agencies are doing it.
    I want to thank each of these witnesses today, and I want 
to thank the staff on both the minority and majority: J. 
Russell George, staff director, chief counsel of the 
subcommittee; Randy Kaplan, counsel; on my left, your right, 
Ben Ritt, professional staff member on loan from the GAO and 
the one that has had a lot of effort on putting this particular 
hearing together; Bonnie Heald, director of communications; 
Bryan Sisk, clerk; Elizabeth Seong, staff assistant; Earl 
Pierce, also a professional staff member; and George Fraser, 
intern.
    On Mr. Turner's side, Trey Henderson, minority counsel; and 
Jean Gosa, minority clerk.
    Court reporters, Colleen Lynch and Melinda Walker.
    May I say that we're now going to end this, and I know the 
media have wanted to have some questions, and those of you that 
would like to stay, please, gentlemen, and Ms. Singleton, 
you're welcome to stay. You're the experts in a lot of these, 
and I'm sure they'd like to ask you a few questions, but we 
won't do it in a formal hearing, and we--I don't know how the 
oath spreads over to a press conference, but we're in recess 
here. So--till tomorrow anyhow.
    [Whereupon, at 11:50 a.m., the subcommittee was adjourned.]

