b"<html>\n<title>HOW SECURE IS SENSITIVE COMMERCE DEPARTMENT DATA AND OPERATIONS? A REVIEW OF THE DEPARTMENT'S COMPUTER SECURITY POLICIES AND PRACTICES</title>\n<body><pre>[House Hearing, 107 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n  HOW SECURE IS SENSITIVE COMMERCE DEPARTMENT DATA AND OPERATIONS? A \n  REVIEW OF THE DEPARTMENT'S COMPUTER SECURITY POLICIES AND PRACTICES\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                            SUBCOMMITTEE ON\n                      OVERSIGHT AND INVESTIGATIONS\n\n                                 of the\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED SEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             AUGUST 3, 2001\n\n                               __________\n\n                           Serial No. 107-56\n\n                               __________\n\n       Printed for the use of the Committee on Energy and Commerce\n\n\n Available via the World Wide Web: http://www.access.gpo.gov/congress/\n                                 house\n\n                                _______\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n74-853                     WASHINGTON : 2001\n\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n               W.J. ``BILLY'' TAUZIN, Louisiana, Chairman\n\nMICHAEL BILIRAKIS, Florida           JOHN D. 
DINGELL, Michigan\nJOE BARTON, Texas                    HENRY A. WAXMAN, California\nFRED UPTON, Michigan                 EDWARD J. MARKEY, Massachusetts\nCLIFF STEARNS, Florida               RALPH M. HALL, Texas\nPAUL E. GILLMOR, Ohio                RICK BOUCHER, Virginia\nJAMES C. GREENWOOD, Pennsylvania     EDOLPHUS TOWNS, New York\nCHRISTOPHER COX, California          FRANK PALLONE, Jr., New Jersey\nNATHAN DEAL, Georgia                 SHERROD BROWN, Ohio\nSTEVE LARGENT, Oklahoma              BART GORDON, Tennessee\nRICHARD BURR, North Carolina         PETER DEUTSCH, Florida\nED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois\nGREG GANSKE, Iowa                    ANNA G. ESHOO, California\nCHARLIE NORWOOD, Georgia             BART STUPAK, Michigan\nBARBARA CUBIN, Wyoming               ELIOT L. ENGEL, New York\nJOHN SHIMKUS, Illinois               TOM SAWYER, Ohio\nHEATHER WILSON, New Mexico           ALBERT R. WYNN, Maryland\nJOHN B. SHADEGG, Arizona             GENE GREEN, Texas\nCHARLES ``CHIP'' PICKERING,          KAREN McCARTHY, Missouri\nMississippi                          TED STRICKLAND, Ohio\nVITO FOSSELLA, New York              DIANA DeGETTE, Colorado\nROY BLUNT, Missouri                  THOMAS M. BARRETT, Wisconsin\nTOM DAVIS, Virginia                  BILL LUTHER, Minnesota\nED BRYANT, Tennessee                 LOIS CAPPS, California\nROBERT L. EHRLICH, Jr., Maryland     MICHAEL F. DOYLE, Pennsylvania\nSTEVE BUYER, Indiana                 CHRISTOPHER JOHN, Louisiana\nGEORGE RADANOVICH, California        JANE HARMAN, California\nCHARLES F. BASS, New Hampshire\nJOSEPH R. PITTS, Pennsylvania\nMARY BONO, California\nGREG WALDEN, Oregon\nLEE TERRY, Nebraska\n\n                  David V. Marventano, Staff Director\n\n                   James D. Barnette, General Counsel\n\n      Reid P.F. 
Stuntz, Minority Staff Director and Chief Counsel\n\n                                 ______\n\n              Subcommittee on Oversight and Investigations\n\n               JAMES C. GREENWOOD, Pennsylvania, Chairman\n\nMICHAEL BILIRAKIS, Florida           PETER DEUTSCH, Florida\nCLIFF STEARNS, Florida               BART STUPAK, Michigan\nPAUL E. GILLMOR, Ohio                TED STRICKLAND, Ohio\nSTEVE LARGENT, Oklahoma              DIANA DeGETTE, Colorado\nRICHARD BURR, North Carolina         CHRISTOPHER JOHN, Louisiana\nED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois\n  Vice Chairman                      JOHN D. DINGELL, Michigan,\nCHARLES F. BASS, New Hampshire         (Ex Officio)\nW.J. ``BILLY'' TAUZIN, Louisiana\n  (Ex Officio)\n\n                                  (ii)\n\n\n                            C O N T E N T S\n\n                               __________\n                                                                   Page\n\nTestimony of:\n    Bodman, Hon. Samuel W., Deputy Secretary, accompanied by \n      Thomas Pyke, Acting Chief Information Officer, U.S. \n      Department of Commerce.....................................    40\n    Dacey, Robert F., Director, Information Security Issues, U.S. \n      General Accounting Office..................................    20\n    Frazier, Hon. Johnnie E., Inspector General, U.S. Department \n      of Commerce................................................    10\n\n                                 (iii)\n\n  \n\n \n  HOW SECURE IS SENSITIVE COMMERCE DEPARTMENT DATA AND OPERATIONS? 
A \n  REVIEW OF THE DEPARTMENT'S COMPUTER SECURITY POLICIES AND PRACTICES\n\n                              ----------                              \n\n\n                         FRIDAY, AUGUST 3, 2001\n\n                  House of Representatives,\n                  Committee on Energy and Commerce,\n              Subcommittee on Oversight and Investigations,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 9:30 a.m., in \nroom 2123, Rayburn House Office Building, Hon. James C. \nGreenwood (chairman) presiding.\n    Members present: Representatives Greenwood, Burr, and \nTauzin (ex officio).\n    Staff present: Tom Dilenge, majority counsel; Mark \nPaoletta, majority counsel; Will Carty, legislative clerk; and \nPeter Kielty, legislative clerk.\n    Mr. Greenwood. Good morning. The subcommittee will come to \norder.\n    I apologize for starting a little late. It was a late night \nlast night, and we are hoping some of the other members arrive, \nbut we do not want to dishonor anyone's time. So we will start \nnow.\n    We are here today to continue the committee's review of \ncomputer security, or lack thereof, as the case may be, at \nFederal agencies under our jurisdiction. 
Since 1998, this \ncommittee has reviewed computer security policies and practices \nat the Environmental Protection Agency, the Department of \nEnergy, the Health Care Financing Administration, and today we \nwill be focusing our attention on the Department of Commerce.\n    Without exception, we have found significant security \nproblems at each of these agencies, all of which either took or \nare taking prompt action to correct the deficiencies identified \nas a result of our oversight.\n    Unfortunately, it appears that information security rarely \nbecomes a priority within an agency until the white-hot lights \nof public and congressional attention focus on that agency's \nspecific flaws.\n    Today we will hear from information security experts at the \nGeneral Accounting Office, who at this committee's request \nconducted an in-depth evaluation of the department's management \nand implementation of computer security at seven of its \noperating divisions, including the Bureau of Export \nAdministration, the International Trade Administration, the \nEconomics and Statistics Administration, and the Office of the \nSecretary.\n    GAO's team of ethical hackers identified and exploited \nvulnerabilities in the computer systems of these divisions to \ngain virtually unlimited access to them internally from within \nthe department's network and externally from the Internet.\n    Not only could these systems be accessed without \nauthorization, but the information contained in them could be \nread, modified, or deleted at will, even with respect to the \nmost sensitive systems and data files within these seven \ndivisions.\n    And with such access also comes the power to completely \ndisrupt critical department operations. 
It is no secret that of \nthe systems reviewed and found to be vulnerable by GAO, many \ncontain highly sensitive personal, financial, commercial, and \nnational security-related data and are critical to the \ndepartment's overall mission.\n    Included in this list are the export control licensing \nsystems and the networks that are used by the International \nTrade Administration for communications with our foreign \ncommerce outposts around the world.\n    The state of the department's security was truly \ndeplorable. GAO found instances in which systems did not \nrequire passwords even for system administrator accounts. Other \nsystems had easily guessed passwords, such as ``password.''\n    Certain passwords and password files were either \nunencrypted or not otherwise protected, permitting anyone on \nthe network, authorized or unauthorized, to read and obtain \neven the most powerful account passwords.\n    And six of the seven bureaus did not even limit the number \nof times an individual could try to log onto the system, \nallowing would-be hackers excessive opportunities to crack \nthese poor password controls.\n    GAO also found that poor network security and \nconfigurations permitted GAO's experts to circumvent the \nlimited security controls that were in place and thus to \ntravel between and among the seven connected bureaus, \nessentially finding that the lowest common denominator among \nthese bureaus set the security standard for the rest of them.\n    Some of the bureaus did not even have firewalls in place to \nprotect all of their sensitive internal systems from the \nInternet or, if they did, they were either so poorly \nimplemented as to be largely ineffective or could be easily \nbypassed by alternative access routes.\n    These failures place all of the connected bureaus at \nsignificant risk of intrusions.\n    Equally troubling, and despite advance notice of the GAO \nhacking attempts, the department's monitoring of cyber \nintrusions 
failed to detect the overwhelming majority of GAO's \nintrusion and scanning efforts, including the successful ones.\n    In fact, GAO reports that its hackers gained access to one \nsystem only to find that a Russian hacker had been there before \nthem without the department's apparent knowledge. And only two \nof the bureaus reviewed by GAO had formal intrusion detection \nsystems in place.\n    In short, the department simply has no idea of whether its \nsensitive systems are being or have been compromised, a totally \nunacceptable situation.\n    The reason for these failures, according to GAO, is the \nlack of an effective security management program at the \ndepartment. Basic and longstanding Federal security \nrequirements have essentially been ignored for years. Only 3 of \nthe 94 sensitive systems reviewed by GAO had documented risk \nassessments, and only seven had current security plans, none of \nwhich have been approved yet by management.\n    The department's computer security policies have not been \nupdated since 1995, despite the tremendous growth of the \nInternet and the increased interconnectivity between Commerce \nbureaus and the outside world, and there are virtually no \nminimum security requirements for all Commerce computer \nsystems, even, for example, on basic issues such as password \nlengths or characteristics.\n    In addition to GAO, we will hear today from the \ndepartment's Inspector General, which also has done work in \nthis area. 
A recent IG report essentially confirmed that the \nlack of effective security management found by GAO with respect \nto seven of the department's operating divisions was not \nunusual.\n    Across the department, adequate risk assessments and \nsecurity plans are the exception rather than the norm, with \nroughly 92 percent of the department's systems failing to \ncomply with at least one of these Federal security \nrequirements.\n    The IG's financial control audits, which beginning this \nyear contained a limited penetration test of computer security \ncontrols, also confirm that access control problems similar to \nthose identified at the seven bureaus reviewed by GAO exist at \nmany other Commerce bureaus as well, including the Census \nBureau, NOAA, NIST, and others, posing threats from both \ninternal and external sources.\n    How could this situation exist, and for so long? The short \nanswer is that until this committee started asking questions \nearly last year, no one at the department was even seriously \nlooking at these issues.\n    Despite Federal requirements for independent reviews of \nsecurity controls on major systems on a routine basis, GAO \nfound that neither the department's Chief Information Officer \nnor six of the seven bureaus reviewed had conducted any such \naudits or oversight.\n    Unfortunately, the situation is not at all unusual. Our \ncyber security reviews have consistently shown that this lack \nof real-world testing of the effectiveness of security controls \nis one of the major problems facing not just the Commerce \nDepartment, but the Federal Government as a whole.\n    This lack of attention to cyber security is reflected by \nthe lack of resources devoted to this purpose. 
At Commerce, for \nexample, the department's Office of Information Technology \nSecurity, which is responsible for setting the department's \ncomputer security policies and conducting oversight to ensure \ncompliance by these various bureaus, was a one-person operation \nuntil March 2000, when the Director of this office was given \ntwo interns to assist with these important functions.\n    I am pleased to hear that Secretary Evans recently approved \na redirection of additional personnel and funding for this \noffice, which in addition to computer security is also \nresponsible for the department's overall critical \ninfrastructure protection efforts.\n    It certainly is time; indeed, it is well past time for the \nCommerce Department to start taking the security of its data \nsystem seriously, much more so than it was under the previous \nadministration.\n    In the 21st century, effective computer security is as much \na part and cost of doing business as having locks on the front \ndoor was during previous centuries. And we will continue our \noversight in this area until Commerce and the other Federal \nagencies under our jurisdiction get this message loud and \nclear.\n    I want to welcome and thank our witnesses for testifying \ntoday on this important topic, and we'll now recognize the \nRanking Member.\n    Actually, I will now recognize the chairman of the full \ncommittee, Mr. Tauzin, for his opening statement.\n    [The prepared statement of Hon. James Greenwood follows:]\n\n Prepared Statement of Hon. James Greenwood, Chairman, Subcommittee on \n                      Oversight and Investigations\n\n    We are here today to continue this Committee's review of computer \nsecurity--or lack thereof as the case may be--at Federal agencies under \nour jurisdiction. 
Since 1998, this Committee has reviewed computer \nsecurity policies and practices at the Environmental Protection Agency, \nthe Department of Energy, the Health Care Financing Administration, and \ntoday we will be focusing our attention on the Department of Commerce. \nWithout exception, we have found significant security problems at each \nof these agencies, all of which either took--or are taking--prompt \naction to correct the deficiencies identified as a result of our \noversight. Unfortunately, it appears that information security rarely \nbecomes a priority within an agency until the white-hot lights of \npublic and congressional attention focus on that agency's specific \nflaws.\n    Today we will hear from information security experts at the General \nAccounting Office who, at this Committee's request, conducted an in-\ndepth evaluation of the Department's management and implementation of \ncomputer security at seven of its operating divisions, including the \nBureau of Export Administration, the International Trade \nAdministration, the Economics and Statistics Administration, and the \nOffice of the Secretary.\n    GAO's team of ethical hackers identified and exploited \nvulnerabilities in the computer systems of these divisions to gain \nvirtually unlimited access to them internally, from within the \nDepartment's network, and externally, from the Internet. Not only could \nthese systems be accessed without authorization, but the information \ncontained in them could be read, modified, or deleted at will--even \nwith respect to the most sensitive systems and data files within these \nseven divisions. And with such access also comes the power to \ncompletely disrupt critical Department operations.\n    It is no secret that, of the systems reviewed and found to be \nvulnerable by GAO, many contain highly sensitive personal, financial, \ncommercial, and national security-related data, and are critical to the \nDepartment's overall mission. 
Included in this list are the export \ncontrol licensing systems and the networks that are used by the \nInternational Trade Administration for communications with our foreign \nCommerce outposts around the world.\n    The state of the Department's security was truly deplorable. GAO \nfound instances in which systems did not require passwords, even for \nsystem administrator accounts. Other systems had easily guessed \npasswords, such as ``password.'' Certain passwords and password files \nwere either unencrypted or not otherwise protected, permitting anyone \non the network--authorized or unauthorized--to read and obtain even the \nmost powerful account passwords. And six of the seven bureaus did not \neven limit the number of times an individual could try to log on to the \nsystem, allowing would-be hackers excessive opportunities to crack \nthese poor password controls.\n    GAO also found that poor network security and configurations \npermitted GAO's experts to circumvent the limited security controls \nthat were in place, and thus to travel between and among the seven \nconnected bureaus--essentially finding that the lowest common \ndenominator among these bureaus set the security standard for the rest \nof them. Some of the bureaus did not even have firewalls in place to \nprotect all of their sensitive internal systems from the Internet--or, \nif they did, they were either so poorly implemented as to be largely \nineffective, or could be easily bypassed via alternative access routes. \nThese failures place all of the connected bureaus at significant risk \nof intrusions.\n    Equally troubling, and despite advance notice of the GAO hacking \nattempts, the Department's monitoring of cyber intrusions failed to \ndetect the overwhelming majority of GAO's intrusion and scanning \nefforts, including the successful ones. 
In fact, GAO reports that its \nhackers gained access to one system, only to find that a Russian hacker \nhad been there before them, without the Department's apparent \nknowledge. And only two of the bureaus reviewed by GAO had formal \nintrusion detection systems in place. In short, the Department simply \nhas no idea of whether its sensitive systems are being or have been \ncompromised--a totally unacceptable situation.\n    The reason for these failures, according to GAO, is the lack of an \neffective security management program at the Department. Basic and \nlongstanding Federal security requirements have essentially been \nignored for years. Only three of the 94 sensitive systems reviewed by \nGAO had documented risk assessments, and only seven had current \nsecurity plans, none of which had been approved yet by management. The \nDepartment's computer security policies have not been updated since \n1995, despite the tremendous growth of the Internet and the increased \ninter-connectivity between Commerce bureaus and the outside world. And \nthere are virtually no minimum security requirements for all Commerce \ncomputer systems--even, for example, on basic issues such as password \nlengths or characteristics.\n    In addition to GAO, we will hear today from the Department's \nInspector General, which also has done work in this area. A recent IG \nreport essentially confirmed that the lack of effective security \nmanagement found by GAO, with respect to seven of the Department's \noperating divisions, was not unusual. 
Across the Department, adequate \nrisk assessments and security plans are the exception rather than the \nnorm, with roughly 92% of the Department's systems failing to comply \nwith at least one of these Federal security requirements.\n    The IG's financial control audits, which, beginning this year, \ncontained a limited penetration test of computer security controls, \nalso confirm that access control problems similar to those identified \nat the seven bureaus reviewed by GAO exist at many other Commerce \nbureaus as well, including the Census Bureau, NOAA, NIST, and others, \nposing threats from both internal and external sources.\n    How could this situation exist, and for so long? The short answer \nis that, until this Committee started asking questions early last year, \nno one at the Department was even seriously looking at these issues. \nDespite Federal requirements for independent reviews of security \ncontrols on major systems on a routine basis, GAO found that neither \nthe Department's chief information officer, nor six of the seven \nbureaus reviewed, had conducted any such audits or oversight.\n    Unfortunately, this situation is not at all unusual. Our cyber \nsecurity reviews have consistently shown that this lack of real-world \ntesting of the effectiveness of security controls is one of the major \nproblems facing not just the Commerce Department, but the Federal \ngovernment as a whole.\n    This lack of attention to cyber security is reflected by the lack \nof resources devoted to this purpose. At Commerce, for example, the \nDepartment's Office of Information Technology Security--which is \nresponsible for setting the Department's computer security policies and \nconducting oversight to ensure compliance by the various bureaus--was a \none-person operation up until March 2000, when the director of this \noffice was given two interns to assist with these important functions. 
\nI am pleased to hear that Secretary Evans recently approved a re-\ndirection of additional personnel and funding for this office, which in \naddition to computer security is also responsible for the Department's \noverall critical infrastructure protection efforts.\n    It certainly is time--indeed, it is well past time--for the \nCommerce Department to start taking the security of its data systems \nseriously, much more so than it was under the previous Administration. \nIn the 21st century, effective computer security is as much a part and \ncost of doing business as having locks on the front door was during \nprevious centuries. And we will continue our oversight in this area \nuntil Commerce and the other Federal agencies under our jurisdiction \nget this message loud and clear.\n    I want to welcome and thank our witnesses for testifying today on \nthis important topic, and will now recognize the Ranking Member for an \nopening statement.\n\n    Chairman Tauzin. Thank you, Mr. Chairman.\n    And let me echo your comments regarding the need for \nFederal agencies to start devoting a great deal more attention \nand resources necessary to secure the computer systems of our \ncountry safe from the attacks or misuse from hackers.\n    I want to congratulate you, Jim, on the excellent work you \nhave done as our O&I chairman this year, and this, of course, \nmay be some of the most important work you do, even ranking \nwith the important work you have done in tire safety this year \nto protect Americans.\n    Protecting the security of our systems is critical not only \nto the privacy of American citizens, who share information with \nthese systems very often involuntarily, but they do not even \nhave a chance to say, ``Please do not use it for something \nelse,'' but it obviously has huge implications for the \npotential for someone to create some real mischief in some very \nsensitive data banks in this country.\n    What we learned about the capability of 
hackers to move \ninto, for example, CMS, (Center for Medicaid/Medicare Services) \nthe agency formerly known as HCFA (Health Care Financing \nAdministration), and interfere with the provision of health \ncare services and reimbursement, sensitive medical accounts, it \nis pretty frightening.\n    You know, there is one area where citizens are keenly aware \nof the privacy of their information and the sanctity of that \nprivacy. It is in the health care area.\n    I cannot tell you how appalled I was to learn that that \ninformation might be compromised and that the systems that my \nmother and so many other Americans depend upon for their health \ncare might be ripped because somebody got in and managed it \nimproperly and misused it.\n    And so again, I want to stress how important it is. This \nsubcommittee has been moving on this issue, and again, Mr. \nChairman, I congratulate you.\n    The Commerce Department, which is the focus of our hearing \ntoday, the GAO and Inspector General audit findings are \nalarming. Hackers from GAO and the Inspector General's Office \nwere able to have their way with the department's various \ncomputer systems, violating the integrity of the department's \ncomputer networks virtually at will.\n    You know, if our government ethical hackers can get in, I \nguarantee you there are kids in Russia and Cal Tech, somewhere \nall over this world who can get in.\n    And while the findings are quite troubling, they don't \nsurprise me based upon the committee's work on other agencies. \nWhen an administration, like the last administration, devotes \nso little time and attention to this particular matter, we are \nnot surprised that these problems are so pervasive.\n    It is clear to me that while the former President might \nhave said that this was an area of importance, the \nadministration simply failed constantly, consistently to make \nthe protection of our Nation's critical cyber assets a true \npriority. 
There just was not enough attention paid to it.\n    Somebody was asleep at the computer switch, and that is why \nI am pleased to see the new Secretary of Commerce is taking a \nvery different approach.\n    He has instituted a new management structure with increased \nauthority, responsibility, and accountability for the \ndepartment's information officers, and he has allocated more \nresources to the security functions at the departmental level.\n    And probably most importantly, the Secretary has made clear \nto his Under Secretaries that they will make computer security \na priority as an integral part of their programmatic missions \nand will allocate additional resources as necessary to get the \njob done.\n    Those are strong words. We have heard strong words before. \nSo we want to make sure those strong words are translated today \nand hereafter into very strong action.\n    In this vein I'm very pleased to have the newly confirmed \nDeputy Secretary of the department here today, signifying, I \nthink, the importance of this topic to the Secretary and the \nlevel at which these issues are now being handled by the \ndepartment. That is very encouraging.\n    Let me just finish by emphasizing that good computer \nsecurity is not a simple fix. We have learned that in this \ncommittee. It is sort of like the radar systems, you know. 
For \nevery new radar system they manufacture for the police, the \nsame company is manufacturing a radar detection system for \nconsumers to put in their cars.\n    And we know that the people who make the best security \nsystems also know how to break them, and very often the people \nthat are really good at this stuff figure it out on their own.\n    And while it takes consistent and sustained leadership, \nparticularly in the beginning, effective long-term information \nsecurity programs require their implementation, sound processes \nand policies that can carry on absent or despite the particular \npersonalities involved.\n    I hope the Commerce Department and all of the Federal \nagencies of our country keep this principle in mind as they \ntake the long overdue steps to improve the security of \nsensitive data when the American people have entrusted them or \nthat they have entrusted us, rather, to protect.\n    When they give us their information, very often \ninvoluntarily, we have a sacred duty to protect their privacy \nand the integrity of that information, and we cannot look at it \nany less solemnly than that.\n    Thank you, Mr. Chairman.\n    [The prepared statement of Hon. W.J. ``Billy'' Tauzin \nfollows:]\n\n Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee \n                         on Energy and Commerce\n\n    Thank you, Mr. Chairman, and I want to echo your comments regarding \nthe need for all Federal agencies to start devoting the attention and \nresources necessary to secure their computer systems from attacks or \nmisuse. The government must do more to protect the sensitive personal, \nfinancial, proprietary and national security-related data on its \nsystems.\n    I also want to stress how valuable the work of this Subcommittee \nhas been in moving the ball forward on these issues. 
There should be \nlittle doubt in anyone's mind that, absent the aggressive oversight of \nthis Subcommittee, agencies such as EPA, DOE, HCFA (now known as CMS) \nand others would not have taken many of the actions that they recently \nhave taken to improve the security of their sensitive data and systems. \nWhile none of them are yet perfected, and none will likely ever be \nperfected due to rapidly changing technology, keeping the pressure and \nthe focus on these issues is critically important to our nation and to \nits citizens.\n    As for the Commerce Department--which is the focus of our hearing \ntoday--the GAO and Inspector General audit findings are alarming. \nEthical hackers from GAO and the Inspector General's office were able \nto have their way with the Department's various computer systems--\nviolating the integrity of the Department's computer networks virtually \nat will.\n    While these findings are quite troubling, they don't surprise me at \nall, based on the Committee's work at other agencies. When an \nAdministration, such as the Clinton Administration, devotes so little \nattention and resources to a particular matter, we shouldn't be \nsurprised to find that such problems are so pervasive. It is clear to \nme that, despite what the former President might have said about the \nimportance of computer security, his Administration failed to take \nactions to make the protection of our nation's critical cyber assets a \ntrue priority.\n    That is why I am so pleased to see that the new Secretary of \nCommerce is taking a different approach. He's instituted a new \nmanagement structure--with increased authority, responsibility, and \naccountability for the Department's information officers. He's \nallocated more resources to these security functions at the Department \nlevel. 
And, probably most importantly, the Secretary has made clear to \nhis Under Secretaries that they will make computer security a priority \nas an integral part of their programmatic missions, and will allocate \nadditional resources as necessary to get the job done.\n    In this vein, we are pleased to have the newly-confirmed Deputy \nSecretary of the Department here today to testify, signaling the \nimportance of this topic to the Secretary and the level at which these \nissues are now being handled within the Department.\n    Let me finish just by emphasizing that good computer security is \nnot a simple fix. While it takes consistent and sustained leadership, \nparticularly in the beginning, effective long-term information security \nprograms require the implementation of sound processes and policies \nthat can carry on absent, or in spite of, particular personalities. I \nhope the Commerce Department, and all Federal agencies, keep this \nprinciple in mind as they take these long-overdue steps to improve the \nsecurity of the sensitive data which the American people have entrusted \nthem to protect.\n    I thank the Chairman, and yield back the balance of my time.\n\n    Mr. Greenwood. The Chair thanks the chairman for his \ncomments and for his presence and for his assistance and \ncooperation and help with this investigation, and recognizes \nfor an opening statement the gentleman from North Carolina, Mr. \nBurr.\n    Mr. Burr. I thank the chairman and full committee chairman.\n    Having finished a hectic legislative schedule this week, if \nwe look a little tired, it is because we are, and this \ncommittee contributed greatly to major legislation in the form \nof a comprehensive energy package and a patient's bill of \nrights that some dreamed would never happen.\n    But the issue that we are here to look at today is of \ninterest to every member, Republican and Democrat. That is \ncertainly not indicative of the participation that we have this \nmorning. 
It is more indicative of the lack of sleep that all \nhave had and their anxiousness to go home since the business is \nover.\n    This subcommittee has looked at computer security issues at \na number of government agencies. As troubling as many of the \nproblems that those agencies were, and still are in many cases, \nI am especially troubled by some of the concerns raised by the \nGeneral Accounting Office audit of seven Commerce bureaus.\n    In particular, I am more than a little concerned about the \nsecurity of the Bureau of Export Administration, which is \nresponsible, among other things, for regulating the export of \nsensitive goods and technology, enforcing export controls, \nanti-boycott and public safety laws, cooperating with and \nassisting other countries on export control and strategic trade \nissues, assisting U.S. industry to comply with international \narms control agreements, and monitoring the viability of the \nUnited States' defense industrial base.\n    That mission statement came straight off BXA's Web site. I \nimagine most of us recognize those as some very serious \nresponsibilities, and I imagine most of us will be equally \ndisturbed by the fact that BXA has one of the worst computer \nsecurity problems and is among the most susceptible to \nunauthorized access of the seven bureaus examined by GAO.\n    I suspect, based on the track record, that it is not a \nstand out among the rest of the department's bureaus either. \nApparently BXA had not tested its system since 1991 and had not \nconducted a risk assessment since 1994.\n    Many of the problems GAO will discuss were also identified \nby the Commerce Inspector General in a 1999 report. Here we are \ntoday, August 2001. 
It must be Groundhog Day, starting at the \nsame point with the same problems once again.\n    Now, what this means is that the Commerce Department has \napparently not made much progress adhering to PDD 63 issued in \nMay 1998 that set up groups within the Federal Government to \ndevelop and implement plans that would protect government \noperated computer and communications infrastructure.\n    The directive identified 12 areas critical to the \nfunctioning of this country. Commerce was designated as lead \nagency for information and communications security. Foreign \naffairs and national defense are also key elements of the \ndirective, and it is my understanding that the export control \nsystem is considered, under PDD 63, critical.\n    And I have the sneaking suspicion that GAO is about to tell \nthis subcommittee that it was able to gain unauthorized access \nto administrative level BXA systems.\n    That's not the only portion of the mission statement on the \nWeb site. It also states that another of the bureau's missions \nis to promote Federal initiatives and public-private \npartnerships across industry sectors to protect the Nation's \ncritical infrastructure. To protect the Nation's critical \ninfrastructure. I think that one phrase justifies why we are \nhere today, and I think why everybody takes it seriously.\n    In closing, I will say to our friends from the Department \nof Commerce: you inherited this problem. 
The challenge is that \nyou have inherited a problem you have to fix.\n    I hope the next Congress with the next Commerce \nDepartment--hopefully they are the same people we have today in \nthe next Commerce Department--but heaven forbid we ever have a \nsituation where we come back up here to talk about this problem \nagain because I believe that this committee is serious about \nmaking sure that we work as a partner to make sure that the \nproblem of security within BXA, within Commerce, within all \nFederal agencies is eliminated as it relates to the access that \nwe've seen.\n    Mr. Chairman, once again, let me thank you, and yield back \nthe balance of my time.\n    Mr. Greenwood. The Chair thanks the gentleman for his \nstatement and welcomes our first two witnesses.\n    They are the Honorable Johnnie E. Frazier, Inspector \nGeneral, U.S. Department of Commerce, and Mr. Robert F. Dacey, \nDirector of Information Security Systems at the U.S. General \nAccounting Office.\n    You gentlemen are aware that the committee is holding an \ninvestigative hearing, and when doing so has had the practice \nof taking testimony under oath. Do you have any objections to \ntestifying under oath?\n    Mr. Frazier. No, sir.\n    Mr. Greenwood. Seeing no such objections, the Chair then \nadvises you that under the rules of the House and the rules of \nthe committee you are entitled to be advised by counsel.\n    Do you desire to be advised by counsel during your \ntestimony today?\n    Seeing a negative response, in that case if you would \nplease rise and raise your right hands, I will swear you in.\n    [Witnesses sworn.]\n    Mr. Greenwood. Thank you.\n    You may be seated, and you are now under oath, and, Mr. \nFrazier, we will begin with you for your opening statement.\n    Please proceed. Welcome.\n\n TESTIMONY OF HON. JOHNNIE E. FRAZIER, INSPECTOR GENERAL, U.S. \n    DEPARTMENT OF COMMERCE; AND ROBERT F. DACEY, DIRECTOR, \n  INFORMATION SECURITY ISSUES, U.S. 
GENERAL ACCOUNTING OFFICE\n\n    Mr. Frazier. Thank you, Mr. Chairman.\n    Mr. Chairman and members of the committee, I am very \npleased to be here today to talk about the OIG's work as it \nrelates to the Department of Commerce IT security.\n    The detailed results of our work have been included in my \nlong statement, which I would like to have submitted for the \nrecord, but I would like to take a few minutes right now just \nto talk about a few of the projects that we have been working \non.\n    Commerce, as you know, has many complex computer systems \nthat provide essential services to the public and support \ncritical mission activities, such as the Nation's weather \nservices, care of the environment, promotion of trade, economic \ngrowth, and scientific research.\n    As the department's systems have become more \ninterconnected, vulnerabilities have also increased, thus \nincreasing the need to continuously improve IT security \nmeasures. I cannot overemphasize the importance of IT security.\n    Indeed, in our recent semi-annual reports to the Congress, \nwe have identified strengthening department-wide security over \ninformation technology as one of the top ten management \nchallenges facing the Department of Commerce.\n    During the past year, we have engaged in various audit, \ninspection, evaluation, and investigation activities aimed at \nstrengthening IT security Commerce-wide. We have coordinated \nwith GAO and the CIO to ensure that we address the most \nimportant issues and avoid duplication of effort.\n    In our resulting reports and briefings, we have made \nnumerous observations and recommendations aimed at improving IT \nsecurity. Let me briefly mention a few of our efforts.\n    One recent evaluation which examined the Office of the \nCIO's oversight of the department's IT security program found \nthat despite some progress in recent years, additional \nimprovements are needed. 
The department's IT security policy \nneeds to be revised and expanded because it has not been \nupdated to comply with significant revisions of OMB guidance, \nand it has not kept pace with recent trends in technology and \nrelated security threats.\n    Additional IT security compliance procedures are needed \nbecause security for many of the department's systems has not \nbeen adequately planned. The security reviews have not been \nperformed, and several of our agencies do not even have \nadequate awareness plans or training plans or even sufficient \ncapabilities for responding to IT security incidents.\n    Another one of our evaluations revealed that although the \ndepartment made early strides in its critical infrastructure \nprotection planning, important milestones had slipped. The \ninventory of critical assets needed to be reevaluated and \nvulnerability assessments, remediation plans, and budget \njustifications just simply had not been completed.\n    A third evaluation identified privacy and security concerns \nraised by the department's use of Internet ``cookies'' and Web \n``bugs'' on its Web sites.\n    We have also identified security issues through our \ninspections of Commerce offices and activities, both \ndomestically and overseas. Likewise our investigative work has \nidentified and examined specific incidents or allegations \ninvolving IT security weaknesses, vulnerabilities, or threats.\n    And finally, our systems security audits of departmental \nfinancial management systems are designed to identify IT \nsecurity problems. 
These audits are performed by certified \npublic accounting firms under contract with us and include \nsecurity reviews of the department's financial management \nsystems and related networks.\n    The CPAs use the GAO Federal information system controls \naudit manual as their guidance.\n    The fiscal year 2000 financial statement audits included \nreview of general system controls at the department's seven \ndata processing locations. We found weaknesses at all seven \nlocations, including our observations that formal security \nplans either did not exist, were outdated, or were not approved \nfor the major financial management systems and associated \nsupport systems.\n    Moreover risk assessments needed to be completed and \napproved, and more security monitoring was clearly needed.\n    In addition to the general system security control reviews, \npenetration testing was also performed at four of the seven \nlocations to identify weaknesses in access controls. The \npenetration testing found open modems and ports that were \naccessible to potential hackers, readily accessible sensitive \ninformation on Web sites, and firewall configurations that \ncould allow a hacker to introduce a virus.\n    As for physical security, some computer rooms in sensitive \nwork areas were not adequately secured.\n    It is important at this point to note that the department \nand its operating units have reported progress on some of these \nweaknesses, and I should also note that we are aware that they \nare working to address others.\n    But you should also note that we are in the process of \nperforming our annual follow-up work to try and confirm many of \nthese observations and reported accomplishments.\n    We currently have other IT security reviews underway, \nincluding looking at some of the classified systems, looking at \nthe background investigations behind some of the people who run \nthese systems and a host of other projects.\n    Finally, I am pleased to note 
that just last month my \noffice entered into a memorandum of agreement with the \ndepartment's Office of the CIO and the Office of Security to \ndefine our respective roles and responsibilities related to \nCommerce's IT security program. This agreement is intended to \npromote a partnership among the three offices to ensure \nimproved coverage of IT security matters.\n    In closing, it is clear to me that cooperative, continuous, \nand concerted efforts are needed by each of us, and I mean each \nof us, as we move to address IT security weaknesses. These same \nefforts are needed if we are to have any chance of at least \nstaying one step ahead of hackers and others that see IT \nsecurity as some sort of cat and mouse game.\n    I am encouraged that the senior management of the \ndepartment and its operating units increasingly recognize the \nneed to take a proactive approach to do this. For example, the \nSecretary's recent directive increasing the authority of \noperating unit CIOs and making them a more integral part of the \nbureau management team is an important initiative.\n    Likewise, the recent appointment of the Senior Advisor to \nthe Secretary for Privacy should be instrumental in addressing \nsuch issues as ``cookies,'' Web ``bugs,'' and other security \nand privacy matters.\n    Program officials are being strongly reminded that they, \ntoo, have key IT security responsibilities and need to work \nclosely with operating CIOs and security officials to ensure a \nmore effective security program.\n    This concludes my statement, and I will gladly answer any \nquestions.\n    [The prepared statement of Hon. Johnnie E. Frazier \nfollows:]\n\n   Prepared Statement of Johnnie E. Frazier, Inspector General, U.S. \n                         Department of Commerce\n\n    Mr. 
Chairman and Members of the Committee, I am pleased to appear \nbefore you today to discuss the Office of Inspector General's (OIG) \nwork and other activities related to the security and protection of the \nDepartment's critical information technology (IT) systems, programs, \nand activities.\n    The Department of Commerce has numerous complex computer systems \nthat provide essential services to the public and support critical \nmission activities, such as the nation's weather services, \nenvironmental stewardship, promotion of trade and economic growth, \nscientific research, and technological development. As the Department's \nsystems have become more interconnected, vulnerabilities have also \nincreased, thus increasing the need to continuously improve IT security \nmeasures. Strong IT security measures are vital to (1) protecting the \nprivacy of information, (2) safeguarding the integrity of computer \nsystems and their networks, and (3) ensuring the availability of \nservices to the American public and other users. I cannot emphasize too \nmuch how important these measures are.\n    Indeed, in our recent Semiannual Reports to the Congress, we have \nidentified ``Strengthening Department-wide Information Security'' as \none of the top 10 management challenges facing the Department of \nCommerce because of that issue's:\n\n1. Importance to the Department's mission and the nation's well-being,\n2. Complexity and sizable expenditures, and\n3. Need for significant management improvements.\n    During the past year, we have engaged in a number of audit, \ninspection, evaluation, and other activities involving Commerce IT \nsecurity matters--all aimed at strengthening IT security Commerce-wide. \nWe have completed evaluations of the Department's efforts to implement \nits Critical Infrastructure Protection (CIP) plans. 
We also have \nassessed the Office of the Chief Information Officer's (CIO) IT \nsecurity policy and the effectiveness of its oversight of the \nDepartment's IT security program. In addition, we have evaluated the \nuse of persistent Internet ``cookies'' and ``web bugs'' on Commerce \nInternet sites. Furthermore, in support of the OIG's fiscal year 2000 \nfinancial statement audits, we have conducted security reviews of the \nDepartment's financial management systems and their related networks.\n    Moreover, assessments of IT security policies and practices are \noften an integral part of the operational inspections we conduct of \nCommerce activities, units, and offices domestically and overseas. \nThese inspections are intended to provide operating unit managers with \nuseful, timely information about their operations, including IT \nsecurity issues. IT security problems have also been identified through \nour investigative work. In addition, we have worked closely with many \nof the Department's key IT managers, top security personnel, and senior \nprogram officials in an effort to identify the most critical IT \nsecurity issues and help craft corrective measures. Let me briefly \nsummarize the results of some of our recent efforts.\n\nEARLY PROGRESS MADE IN CRITICAL INFRASTRUCTURE PROTECTION, BUT PLANNING \n                     AND IMPLEMENTATION HAVE SLOWED\n\n    Last year, we evaluated the Department's CIP plan, identification \nof minimum essential infrastructure (MEI) assets, and vulnerability \nassessments of its cyber-based assets. MEI assets are the physical and \ncyber-based assets essential to the minimum operations of the economy \nand the government. 
Our evaluation found that although the Department \nhad made initial progress by developing a Department-wide CIP plan, \nidentifying critical infrastructure assets, and initiating \nvulnerability assessments, there were several areas that warranted \nmanagement attention:\n\n<bullet> The Department's CIP plan needed to be strengthened because \n        several of its elements were outdated or missing, and important \n        milestones had slipped. The asset inventory, vulnerability \n        assessment framework, and budget estimates included in the plan \n        were not current. The plan also did not include requirements \n        for reviewing new assets to determine whether they should be \n        included as MEI assets, periodically updating vulnerability \n        assessments, or developing a system for responding to \n        infrastructure attacks.\n<bullet> The MEI asset inventory needed to be reevaluated because of \n        limitations in data gathering. In most cases, asset managers \n        were neither interviewed nor given adequate guidance before \n        filling out complex questionnaires used to gather asset \n        information, and the officials most knowledgeable about the \n        assets were seldom interviewed because of logistical problems \n        and limited resources. Establishing a reliable MEI inventory is \n        important because it forms the basis for later activities, such \n        as selecting the highest risk assets for vulnerability \n        assessments and taking remedial actions.\n<bullet> Vulnerability assessments, remediation plans, and budget \n        justifications needed to be completed. 
Reportedly due to \n        resource constraints, the Department had current vulnerability \n        assessments for less than 10 percent of MEI assets and had not \n        developed any remediation plans.\n    The CIO's office agreed with our findings and stated that the \nDepartment's focus would be on the broad spectrum of IT security, which \nemphasizes assets critical to the Department's mission and includes \nmost cyber-based MEI assets. Short-term actions were identified to \nimprove guidance to operating unit personnel involved in vulnerability \nassessments and increase their involvement in the MEI asset inventory, \nrevise the MEI asset list, and evaluate new assets to determine whether \nthey should be included as MEI assets.\n\n      ADDITIONAL FOCUS NEEDED ON IT SECURITY POLICY AND OVERSIGHT\n\n    The CIO is responsible for developing and implementing a \ndepartmental IT security program to ensure the confidentiality, \nintegrity, and availability of information and IT resources. The CIO's \nresponsibilities include developing policies, procedures, and \ndirectives for IT security and providing oversight of the IT security \nprograms of the Department's operating units.\n    We conducted an evaluation to assess the CIO's policies and the \neffectiveness of his oversight of the Department's IT security program. \nOur review focused on the CIO's compliance with laws and regulations \ngoverning IT security and his actions in recent years to oversee the \nDepartment's IT security program.\n    We found that although in the past IT security did not receive \nadequate attention, in more recent years, the CIO's office had expanded \nits focus on and increased the resources devoted to IT security. For \nexample, the office conducted its first Department-wide assessment of \nIT security planning in 1999 and reviewed operating unit self-\nassessments in 2000, which resulted in increased compliance with \nsecurity requirements. 
Nevertheless, policy and oversight need further \nimprovements. Specifically:\n\n<bullet> IT security policy needs to be revised and expanded. The \n        Department's IT security policy is out of date because it was \n        developed in 1993 and 1995, prior to a significant revision of \n        OMB Circular A-130, which communicates policy on the security \n        of federal automated information resources. The policy is also \n        missing important components because it has not kept pace with \n        recent trends in technology and related security threats. The \n        Department's policy must be kept current and complete because \n        the operating units use it as the foundation for their general \n        and system-specific policies. We recommended that the CIO's \n        office update and expand its IT security policy as soon as \n        possible.\n<bullet> Additional IT security compliance procedures are needed. \n        Security for many of the Department's systems has not been \n        adequately planned, and security reviews have not been \n        performed. In addition, several operating units do not have \n        adequate awareness and training programs or adequate \n        capabilities for responding to IT security incidents. The \n        Government Information Security Reform Act (GISRA) requires the \n        CIO's office to conduct annual IT security evaluations in 2001 \n        and 2002 similar to the self-assessments it monitored in 2000. \n        We recommended that the office commit to a program of reviews \n        that extends beyond GISRA's 2-year review requirement. 
\n        Moreover, the CIO's office should work with the Department's \n        acquisition and budget managers to ensure that IT-related \n        procurement specifications include security requirements, and \n        that funds for meeting these requirements are included in \n        operating unit budgets.\n    During our evaluation of the Department's IT security policy, we \nprovided the Department with a written analysis that identified \nweaknesses and deficiencies in the policy, and made recommendations for \nspecific changes to bring the policy into compliance with applicable \nlaws and regulations.\n    The CIO's office agreed with all of our recommendations and cited a \nnumber of corrective actions it planned to take to implement them. \nAmong other things, it agreed to revise, expand, and update the \nDepartment's IT security policy; continue its compliance review program \nbeyond the 2-year period required by GISRA; and begin security reviews \nas soon as possible.\n\n    USE OF INTERNET ``COOKIES'' AND ``WEB BUGS'' RAISED PRIVACY AND \n                           SECURITY CONCERNS\n\n    We evaluated the use of persistent Internet cookies and web bugs by \ndepartmental Internet sites, as well as the adequacy of the privacy \nstatements posted on the main web pages of the Department and its \noperating units. We conducted our evaluation in response to Public Law \n106-554, the Consolidated Appropriations Act of 2001, which required \nthe Inspector General of each agency to submit a report to the Congress \ndisclosing any activity regarding the collection of information \nrelating to any individual's access or viewing habits on the agency's \nInternet sites.\n    Persistent Internet cookies are data stored on web users' hard \ndrives that can identify users' computers and track their browsing \nhabits. Web bugs are software code that can monitor who is reading a \nweb page. 
These technologies are capable of being employed in ways that \ncould violate the privacy of individuals visiting the Department's web \nsites and can also pose security threats.\n    Web bugs are considered security threats because they can perform \nmalicious actions, including searching for the existence of specific \ninformation, such as financial information, on a user's hard drive, and \ndownloading files from, or uploading files to, a user's computer. A web \nuser would be unaware of the presence of web bugs without using \ndetection software. Even if such software were used, the malicious \nactions performed by identified web bugs could go undetected.\n    We found that most of the Department's Internet sites do not use \neither persistent cookies or web bugs. However, we did find several \ninstances in which persistent cookies were being used without a \ncompelling reason or the approval of the Secretary, as required by \nDepartment and OMB policy. We also found a number of web pages using \nweb bugs. At the time we began our evaluation, the Department did not \nhave a policy regulating web bug use, but it promptly developed and \nissued one when informed of the problem. Finally, we found that many of \nthe operating units' privacy statements did not provide all of the \ninformation required by the Department's privacy policy.\n    We recommended that the Department's CIO direct operating unit CIOs \nand senior management to implement a strategy to control the use of \npersistent cookies and web bugs and to certify annually that the \noperating unit is in compliance with the Department's applicable \npolicies. We also recommended that the CIO direct operating unit CIOs \nand senior managers to revise their privacy policy statements to make \nthem compliant with the Department's policy. The CIO's office agreed \nwith our findings and worked with us to help ensure that the cookies we \nhad identified were removed. 
The Secretary of Commerce's new Special \nAssistant for Privacy is working to remove all web bugs and develop a \nuniform privacy policy statement.\n\n SYSTEMS SECURITY AUDITS OF DEPARTMENTAL FINANCIAL MANAGEMENT SYSTEMS \n                            REVEAL PROBLEMS\n\n    Our audits of Commerce operating units' financial statements, \nperformed by certified public accounting (CPA) firms under contract \nwith us, include security reviews of the Department's financial \nmanagement systems and related networks that support the statements. \nOur CPA contractors use GAO's Federal Information System Controls Audit \nManual (FISCAM) as a guide in performing these reviews. FISCAM provides \nguidance on assessing the reliability of computer-generated data that \nsupports financial statements, including physical security and logical \naccess controls designed to prevent or detect unauthorized access or \nintrusion into systems and networks.\n    In 1999 we adopted a systems security review strategy that provides \nfor full coverage of each financial management system and its related \nnetworks on a two-year basis. Every two years, a review addresses the \nsix systems security areas identified in FISCAM: (1) entitywide \nsecurity program planning and management, (2) access controls, (3) \napplication software development and change control, (4) systems \nsoftware, (5) segregation of duties, and (6) service continuity. In the \nalternate years, we routinely conduct penetration testing (in which \nsomeone playing the role of a hostile attacker tries to compromise \nsystems security) and application-level testing. Review of the system \nenvironment for significant changes and follow-up on open \nrecommendations occurs annually.\n    The audits of operating units' individual fiscal year 2000 \nfinancial statements included reviews of the general system controls \nover the major financial management systems at the seven data \nprocessing locations. 
In the reports on our audits of the Department's \nfiscal year 1999 and 2000 consolidated financial statements, we noted \nthat these systems security reviews disclosed weaknesses in controls \nover major financial management systems at all seven locations that \nprovide data processing support. Specifically, these reviews found \nthat:\n\n1. Entitywide security program planning and management needed \n        improvement at all seven locations. This control is the \n        foundation of an entity's security control structure and a \n        reflection of senior management's commitment to addressing \n        security risks. It is intended to ensure that security controls \n        are adequate, consistently applied, and monitored, and that \n        responsibilities are clear and properly implemented.\n2. Access controls for both operating systems and the financial \n        management systems needed strengthening at all seven locations, \n        and monitoring of external and internal access to systems \n        needed strengthening at five locations. These controls should \n        limit or monitor access to computer resources to guard against \n        unauthorized modification, loss, and disclosure.\n3. Applications software development and change control needed \n        improvement at four locations. These controls should help \n        prevent the implementation of unauthorized programs or \n        modifications to existing programs.\n4. Systems software improvements were needed at four locations. \n        Controls in this area should limit and monitor access to the \n        important software programs that operate computer hardware.\n5. Segregation of duties improvements were needed at five locations. 
\n        Appropriate controls in this area include policies, procedures, \n        and an organizational structure to prevent one individual from \n        controlling key aspects of computer-related operations, thus \n        deterring unauthorized actions or access to assets.\n6. To ensure service continuity, contingency plans needed to be \n        prepared, updated, or improved at all seven locations. \n        Appropriate controls in this area include procedures for \n        continuing critical operations, without interruption and with \n        prompt resumption of those operations, when unexpected events \n        occur.\n    Of particular note, among the weaknesses identified by the CPA \nfirms in the area of entitywide security program planning and \nmanagement, was the fact that formal comprehensive security plans \neither did not exist, were outdated, or were not approved for the major \nfinancial management systems and associated general support systems on \nwhich the applications were processed. In addition, risk assessments \nneeded to be completed and approved, and security monitoring needed to \nbe performed.\n    At four locations, penetration testing was also performed on the \nnetwork that supports the financial management systems to identify \nweaknesses in access controls. As part of the penetration testing, the \nCPA firms reviewed the adequacy of access controls, which include \nlogical and physical controls. Logical access controls involve the use \nof computer hardware and software to prevent or detect unauthorized \naccess, such as by hackers, to networks, systems, and sensitive files \nby requiring users to input user ID numbers, passwords, and other \nidentifiers that are linked to predetermined access privileges. \nPhysical controls involve keeping computers in locked rooms to limit \nphysical access. 
The firms' penetration testing of logical controls \nfound that in some cases:\n\n<bullet> Open modems and ports were accessible to potential hackers.\n<bullet> Sensitive information on websites was readily accessible.\n<bullet> Sensitive active system services could allow unauthorized \n        access, downloading of files, and gathering of information.\n<bullet> Firewall configurations could allow a hacker to introduce a \n        destructive virus.\n    In addition, physical access controls over networks and financial \nmanagement systems needed strengthening. For example, at one location, \nautomated exterior locking systems had not been installed on doors to \nrestrict access, and the key card lock for the data center's computer \nroom was inappropriately placed on the inside of the door, rather than \nthe outside. In addition, personnel did not consistently lock and \nsecure their work areas. At another location, hardware that processed \nvery sensitive information was located in an area accessible by \nnumerous employees and contractors and was not segregated in an \nindividually secure area.\n    For fiscal year 2000, the CPA firms concluded that four operating \nunits had system security weaknesses that rose to the level of \n``reportable conditions.'' Taken together, these conditions, combined \nwith the Department's lack of an integrated financial management \nsystem, constituted a material weakness in the audit of the \nconsolidated financial statements. In our report on the audit of the \nconsolidated statements, we recommended that the CIO's office continue \nto develop and implement a database for tracking and reporting on \ncorrective actions planned and taken to address the outstanding general \ncontrols recommendations. 
We also recommended that the office review, \nmonitor, and provide guidance to the reporting entities on their \ncorrective actions planned and taken in response to our current and \nprior years' audit reports on general controls.\n    We issued audit reports with recommendations to correct the control \nweaknesses identified at each of the seven data processing locations, \nand the operating units generally agreed with our recommendations. The \nDepartment and its operating units are required to provide us with \naudit action plans that address each of our recommendations. We have \nreviewed the plans submitted to date and concur with the actions taken \nor planned. Moreover, we are in the process of performing our annual \nfollow-up of the adequacy of the corrective actions planned or taken.\n\n IT SECURITY ISSUES HAVE ALSO BEEN IDENTIFIED THROUGH OIG INSPECTIONS \n                           AND INVESTIGATIONS\n\n    We have also identified IT security issues through our inspections \nand investigative work. Our inspections unit, for example, conducted a \n1999 assessment of the Bureau of Export Administration's (BXA) Export \nControl Automated Support System as part of a larger review of BXA's \nadministration of the federal export licensing process for dual-use \ncommodities. While we determined that most of the system's general and \napplication controls were adequate, we found that BXA's IT security \ncontrols could be enhanced by improving database access controls, \npreparing a security plan, performing periodic security reviews, \nofficially assigning the security duties to its security officer, \nproviding all users with current security training, and restricting the \nnumber of BXA employees with file manager access. 
BXA management \nimplemented some corrective actions immediately and agreed to take \naction on our other recommendations dealing with the IT security of its \nlicensing system.\n    We are also conducting a series of inspections of the National \nWeather Service's weather forecast offices (WFOs) that have identified \na number of IT security issues that need to be addressed by local \nmanagers. Among other problems, we noted that one WFO we visited did \nnot have a designated security officer, and office personnel did not \nfollow the Weather Service's policy on IT security. We found other \nproblems, which I cannot describe in detail in a public hearing, that \nhighlight how vulnerable some systems can be without proper management \nattention. Fortunately, the Weather Service has greatly improved its IT \nsecurity both locally and nationally since the start of our review. \nDuring the past nine months, we visited two other WFOs. Although we \ncontinued to identify some IT security problems, we have found that \ndesignated security officers have been named and are receiving \nnecessary training on IT security. More importantly, WFO personnel \nappear to better understand IT security concepts and requirements.\n    IT security problems have also been identified through our \ninvestigative work. Through our OIG Hotline and other information \nchannels, specific incidents or allegations involving IT security \nweaknesses, vulnerabilities, or threats have been brought to our \nattention and examined. For example:\n\n<bullet> In one incident, a foreign hacker penetrated a network server \n        and installed software without the knowledge of the system \n        administrator. Had the software been activated, the server \n        would have been prevented from performing its normal network \n        services and would have been one of many computers \n        simultaneously activated to overload a designated Internet \n        site. 
As a result of the incident, the number of points of \n        access to the network was reduced to a bare minimum, and \n        existing monitoring software was activated.\n<bullet> In another incident, a hacker caused extensive damage to an \n        operating unit server, and it took more than 5 work days to \n        repair the server and restore operations. Because the software \n        on the server was destroyed, the system administrator was not \n        able to determine how the attack had occurred. Security \n        features were added when the software was restored, to reduce \n        the risk of another shutdown.\n<bullet> In a third incident, an after-hours contract cleaning employee \n        used a computer that had not been properly secured to gain \n        access to the Internet via a network system and view \n        pornographic materials. Coordination with the contracting \n        officer, property manager, and president of the contract \n        company resulted in the employee's immediate removal from the \n        facility contract and subsequent termination. 
In addition, the \n        practice of routinely leaving the computer on overnight was \n        discontinued.\n\n ADDITIONAL OIG REVIEWS OF IT SECURITY MATTERS ARE EITHER UNDERWAY OR \n                                PLANNED\n\n    We are currently conducting IT security evaluations related to (1) \nthe Economics and Statistics Administration's and the Census Bureau's \npreparation and release of the Advance Retail Sales Principal Economic \nIndicator, (2) the Department's classified information systems, and (3) \nthe Department's IT security program and practices, as required by the \nGovernment Information Security Reform Act.\n    The objective of our security evaluation of the Advance Retail \nSales indicator is to determine whether adequate internal controls and \nsystem safeguards are in place to prevent the unauthorized disclosure \nor use of the economic indicator data before its release to the public. \nWe have found that employees dealing with the indicator do not always \nhave appropriate background investigations and that their positions are \nnot always assigned the appropriate level of risk as required by Title \n5, Part 731, of the Code of Federal Regulations and OMB Circular A-130. \nIn some instances, the Department's records did not identify the type \nof investigation done, if any, for personnel working on Principal \nEconomic Indicators. We also noted a lack of guidance from the Office \nof Human Resources Management, as well as from the Office of Security, \nsuggesting that the problems associated with assigning appropriate risk \nlevels to positions and ensuring that background investigations are \nperformed may exist throughout Commerce. 
We are conducting additional \nwork to examine this issue.\n    Our review of the Department's classified information systems will \nassess the adequacy of its policies for protecting classified \ninformation and the effectiveness of its oversight of these systems.\n    The GISRA-mandated review is the annual evaluation of the \nDepartment's IT security program and practices. This evaluation will \nincorporate information from our security reviews, as well as results \nof related evaluations performed by operating units, GAO, and \ncontractors. We are also continuing our security reviews of Commerce's \nfinancial management systems and related networks as part of our fiscal \nyear 2001 financial statements audits. These reviews will be in line \nwith our IT security review strategy and will include penetration \ntesting of the U.S. Patent and Trademark Office and FISCAM reviews for \nthe other operating units.\n    The need for the OIG to provide oversight and evaluation of IT \nsecurity will be increasingly critical in the coming years. Our \nindependent evaluation of the Department's IT security program being \nperformed under GISRA and our security reviews of the Department's \nfinancial management systems show that although the Department is \ngiving greater attention to IT security, serious issues remain to be \nresolved. These issues appear to be the result of an earlier lack of \nattention to IT security, limited resources, and an environment in \nwhich the risks, threats, and vulnerabilities have continued to \nescalate in number and complexity. The weaknesses identified by GAO's \nrecent network vulnerability analysis of the Department underscore our \nconcerns.\n    In our independent GISRA evaluation for the next fiscal year, we \nplan to evaluate the effectiveness of operating unit IT security \nprograms and to conduct security evaluations of specific general \nsupport systems and major applications. 
We will use the findings of our \ncurrent GISRA evaluation and of GAO's security audit to assist us in \nidentifying specific operating units, general support systems, and \nmajor applications to evaluate in the future.\n\n      COOPERATIVE EFFORTS NEEDED TO ADDRESS IT SECURITY WEAKNESSES\n\n    I am pleased to note that, just last month, my office entered into \na memorandum of agreement with the Department's Office of the CIO and \nOffice of Security to define our respective roles and responsibilities \nrelating to the development, implementation, and management of the \nCommerce IT security program. This agreement is intended to promote a \npartnership among the three offices that both ensures complete coverage \nof IT security matters and prevents wasteful duplication of effort.\n    Under the agreement, the CIO's office has the basic responsibility \nfor developing and implementing the Commerce-wide IT security program, \nwhich includes developing IT security policies and procedures, \npromoting IT security awareness and training, serving as the \nDepartment's critical infrastructure assurance officer, and convening a \nmeeting of the incident response group when incidents or intrusions \noccur. Commerce's Office of Security has the primary responsibility for \nsecurity for the Department's classified systems and, in conjunction \nwith the Department of State, for IT security at Commerce overseas \nposts. My office is responsible for conducting investigations of IT \nincidents and intrusions, and for conducting reviews of the \nDepartment's IT security program and individual systems, including the \nannual independent evaluations of the program required by GISRA.\n    In closing, it is clear that cooperative, continuous, and concerted \nefforts are needed by each of us--and I mean each of us--if we are to \naddress IT security weaknesses. 
These efforts are needed if we are to \nhave any chance of staying at least one step ahead of the hackers and \nothers that see IT security as some sort of cat-and-mouse game.\n    I am confident that the senior management of the Department and its \noperating units increasingly recognize the need to take a proactive \napproach to do this. For example, the Secretary's recent directive \nincreasing the authority of operating unit CIOs and making them a more \nintegral part of the management team is an important initiative. \nLikewise, the recent appointment of a Senior Advisor to the Secretary \nfor Privacy should be instrumental in addressing such issues as \ncookies, web bugs, and other security/privacy matters. And program \nofficials are also being strongly reminded that they too have key IT \nsecurity responsibilities and need to work closely with operating unit \nCIOs and security officials to ensure an effective security program.\n    We intend to continue our partnership with all of these managers by \nidentifying weaknesses and potential vulnerabilities in IT security and \nby searching for ways to improve it. Through this relationship, I \nbelieve we can help strengthen IT security within the Department.\n    This concludes my statement. A list highlighting some of the \nreports we have issued that address IT security issues is included as \nan attachment. Mr. Chairman, I would be happy to answer any questions \nyou or other members of the Committee might have.\n\n                               Attachment\n\n                      U.S. 
DEPARTMENT OF COMMERCE\n                      OFFICE OF INSPECTOR GENERAL\n    RECENT AUDIT, INSPECTION, AND EVALUATION REPORTS ON INFORMATION \n                      TECHNOLOGY SECURITY MATTERS\n\n                              Evaluations\n\n1--Office of the Chief Information Officer: Use of Internet ``Cookies'' \n        and ``Web Bugs'' on Commerce Web Sites Raises Privacy and \n        Security Concerns, OSE-14257, April 2001\n2--Office of the Chief Information Officer: Additional Focus Needed on \n        Information Technology Security Policy and Oversight, OSE-\n        13573, March 2001\n3--Office of the Chief Information Officer: Critical Infrastructure \n        Protection: Early Strides Were Made, but Planning and \n        Implementation Have Slowed, OSE-12680, August 2000\n4--Bureau of the Census: Computer Security for Transmission of \n        Sensitive Data Should Be Strengthened, OSE-10773, September \n        1998\n\n                      Financial Statements Audits\n\n [Note: These audits are performed annually; listed below are only the \nreports covering FY 2000. 
In addition, the reports on security reviews \n                 are not publicly available documents.]\n\n5--Department of Commerce: Consolidated Financial Statements, FY 2000, \n        FSD-12849-1, March 2001\n6--National Institute of Standards and Technology, Improvements Needed \n        in the General Controls Associated with Financial Management \n        Systems, FSD-12859-1, February 2001\n7--Economic Development Administration, Improvements Needed in the \n        General Controls Associated with Financial Management Systems, \n        FSD-12851-1, January 2001\n8--Bureau of the Census, Improvements Needed in the General Controls \n        Associated with Financial Management Systems, FSD-12850-1, \n        January 2001\n9--National Technical Information Service, Improvements Needed in the \n        General Controls Associated with Financial Management Systems, \n        FSD-12857-1, January 2001\n10--Office of the Secretary, Follow-up Review of the General Controls \n        Associated with the Office of Computer Services/Financial \n        Accounting and Reporting System, FSD-12852-1, January 2001\n11--International Trade Administration, Review of General and \n        Application System Controls Associated with the Fiscal Year \n        2000 Financial Statements, FSD-12854-1, January 2001\n12--National Oceanic and Atmospheric Administration, Improvements \n        Needed in the General Controls Associated with Financial \n        Management Systems, FSD-12855-1, December 2000\n13--United States Patent and Trademark Office, Improvements Needed in \n        the General Controls Associated with Financial Management \n        Systems, FSD-12858-1, December 2000\n\n                              Inspections\n\n14--National Oceanic and Atmospheric Administration: San Angelo Weather \n        Forecast Office Performs Its Core Responsibilities Well, but \n        Office Management and Regional Oversight Need Improvement, IPE-\n        13531, June 
2001\n15--National Oceanic and Atmospheric Administration: Raleigh Weather \n        Forecast Office Provides Valuable Services, but Needs Improved \n        Management and Internal Controls, IPE-12661, September 2000\n16--Bureau of Export Administration: Improvements Are Needed to Meet \n        the Export Licensing Requirements of the 21st Century, IPE-\n        11488, June 1999\n17--Office of Security: Vulnerabilities in the Department's Classified \n        Tracking System Need to Be Corrected, IPE-11630, March 1999\n\n    Mr. Greenwood. We thank you very much for your testimony, \nand we will be getting to questions shortly.\n    Mr. Dacey.\n\n                  TESTIMONY OF ROBERT F. DACEY\n\n    Mr. Dacey. Mr. Chairman and members of the committee, I am \npleased to be here today to discuss our review of information \nsecurity controls over unclassified systems at the Department \nof Commerce.\n    As you requested, I will briefly summarize our written \ntestimony.\n    At the seven Commerce operating units we reviewed, \nsignificant and pervasive computer security weaknesses place \nsensitive Commerce systems at serious risk. We demonstrated \nthrough commonly or readily available software and common \ntechniques that individuals, both internal and external to \nCommerce, could gain unauthorized access to these systems and \nthereby read, copy, modify or delete sensitive financial, \neconomic, personnel and confidential business data.\n    Moreover, intruders could disrupt the operations of mission \ncritical systems, and due to poor incident detection \ncapabilities, unauthorized system access may not be detected.\n    As an illustration of these points, a recent media report \nannounced the discovery of security vulnerabilities that \nallowed sensitive business information to be publicly accessed \nfrom a Commerce Web site, forcing the department to temporarily \nshut down a part of that site.\n    Our review identified vulnerabilities in four key areas. 
\nFirst, controls intended to protect information systems and \ncritical data from unauthorized access were ineffectively \nimplemented, leaving systems highly susceptible to intrusions \nor disruptions.\n    Specifically, management of user IDs and passwords, \nincluding those related to powerful system administration \nfunctions, was not effective. As you alluded to earlier, in \nmany systems passwords were not required or were easy to guess.\n    Also, bureau operating systems were not securely \nconfigured, including exposing excessive amounts of system \ninformation and allowing unnecessary or poorly configured \nsystem functions to exist.\n    Further, none of the Commerce bureaus reviewed had \neffective external and internal network security controls. Our \ntesting demonstrated that extensive unauthorized access to the \ndepartment's networks and systems could be gained as a result \nof weakly configured external control devices, poorly \ncontrolled dial-up modems, and ineffective internal network \ncontrols.\n    Second, we found other significant weaknesses. 
\nSpecifically, computer duties were not properly segregated to \nmitigate the risk of errors and fraud.\n    Software changes were not adequately controlled to ensure \nthat only authorized and tested programs were put in operation, \nand comprehensive and complete recovery plans were not \ndeveloped to ensure the continuity of operations in the event \nof a service disruption.\n    Third, Commerce bureaus did not adequately prevent, detect, \nrespond to, or report intrusions, providing little assurance \nthat unauthorized attempts to gain access to its systems would \nbe identified and appropriate actions taken in time to prevent \nor mitigate damage.\n    For example, software updates to correct known \nvulnerabilities were not installed, tested bureaus were \ngenerally unable to detect our extensive intrusion activities, \nand in two instances when our activity was detected, Commerce \nemployees inappropriately responded by launching attacks back \nagainst our systems.\n    Moreover, these two incidents were not reported to the \nsecurity managers of the various bureaus.\n    Also, we identified evidence of hacker activity that \nCommerce had not previously detected on a system containing \nsensitive personnel information.\n    Fourth, and most important, Commerce does not have an \neffective, department-wide information security program, as Mr. \nFrazier earlier discussed, to proactively insure that sensitive \ndata and critical operations are adequately protected.\n    The lack of an effective security program is exacerbated by \nthe highly interconnected nature of Commerce's systems. Key \nweaknesses existed in each of five critical areas.\n    First, there was lack of a strong, centralized management \nfunction to oversee and coordinate department-wide security \nactivities.\n    Second, there was a widespread lack of risk assessment. 
For \nexample, as of March 2001, of the bureau's 94 sensitive systems \nwe reviewed, 91 did not have documented risk assessments, 87 \nhad no current security plans; and none were authorized for \nprocessing by Commerce management.\n    Third, there were significantly outdated and incomplete \ninformation security policies which did not reflect current \nFederal requirements in many important areas, had not been \nupdated to reflect certain risks related to the Internet, and \ndid not establish baseline security requirements for all \nsystems.\n    Fourth, there was inadequately promoted security awareness \nand training. Although each of the bureaus had informal \nprograms in place, none had documented computer security \ntraining procedures that meet Federal requirements to ensure \nthat security risks and responsibilities are understood by all \nmanagers, users, and system administrators.\n    Fifth, there was a lack of an ongoing program to test and \nevaluate security controls. No oversight reviews of the \nbureau's systems had been performed by either the staff of \nCommerce's information security program or six of the seven \nbureaus. There had been isolated tests at one bureau.\n    In a draft report to Commerce, we made recommendations, \nwhich are summarized in our written statement, to address these \nweaknesses. The Commerce Secretary's response stated that \nCommerce has developed and is currently implementing an action \nplan to correct the specific problems we identified.\n    Mr. Chairman, this concludes my statement. I would be happy \nto answer any questions that you or members of the committee \nmay have.\n    [The prepared statement of Robert F. Dacey appears at the \nend of the hearing.]\n    Mr. Greenwood. I thank you, Mr. Dacey.\n    And the full statements of both witnesses will be entered \ninto the record.\n    Here is a question that I would like you each to respond \nto. 
Both of you used the term ``sensitive'' to describe the \ntypes of systems and the data at issue here. Can you be more \nspecific with respect to the types of information that are \nsusceptible to compromise and why it is that Congress and the \nAmerican people should be concerned about these \nvulnerabilities?\n    Mr. Frazier. I will be happy to speak first.\n    There are so many systems in the Department of Commerce \nthat we view as sensitive. You can start with the Census \nBureau, for example. The Census Bureau has lots of information \nthat is protected by Title 13, and in fact, I have heard you \nspeak to the concern about how the American public must come to \ntrust and know that information that they share with us is \ngoing to be protected.\n    Mr. Greenwood. That was a huge issue in this whole last \ncensus exercise where so many Americans were reluctant to fill \nout long forms because of the fear of compromise in the \nintegrity of the system.\n    And, of course, we all assured them that that was not a \nproblem.\n    Mr. Frazier. Yes. I should tell you that in 1998, in \nadvance of the decennial census, we found an incredible \nvulnerability there, and we brought it to the attention of \ncensus managers, and that was handled as a red cover report for \nobvious reasons.\n    The concern was that if that information got out, people \nwould begin to question whether it was wise to send in \ninformation. It was just an oversight on the part of a security \nmanager that we could not believe, something that we would \nthink would be as obvious as this. I am not giving the details \nhere for obvious reasons, but we were just amazed that \nsomething as basic as that could have that kind of potential \nconsequence to the integrity of the system.\n    Mr. Greenwood. 
To interrupt you for a moment, is it \nconceivable that a hacker could go in through the Census Bureau \nto my Greenwood family long forms, Census form, and scan it and \nidentify information as being responses that our family gave to \nthe Census form?\n    Mr. Frazier. No. When we found this problem, fortunately it \nwas before the decennial census. It was in doing the work we \ndid for the dress rehearsal, and so we were able to plug that \ngap. Of course, once you brought that to the attention of the \nDepartment and Census officials, that was something that they \nwere going to correct immediately. So that was not a problem \nthere.\n    But, again, I go back to tell you how something as \nimportant as that system would have been overlooked. You know, \nthat was incomprehensible to us that that could be the case.\n    As we have gone in to look at the work at BXA, as you are \naware, we have done quite a bit of work in BXA, and for many \nyears, too many years, we have raised concerns about the \nadequacy of its ECASS system, which has the sensitive \ninformation on export controls, licensing requests.\n    We have made recommendations----\n    Mr. Greenwood. Could you elaborate on why that is \nsensitive? What makes that particular information sensitive?\n    Mr. Frazier. Well, part of it is business proprietary from \nthe standpoint if you are Company X and are getting ready to \nexport radars to a certain country, you have to provide the \ndepartment with certain information that they can use to assess \nyour license request.\n    In the process of doing that, that is information that you \nsurely do not want your competitors to have. So that would be \nextremely sensitive.\n    Mr. Greenwood. You mentioned radar. 
I assume that could \napply to other military equipment that is being exported, \ninformation that we would certainly not want some individuals \nor organizations to have ready access to, who might have an \ninterest in intercepting that military equipment.\n    Mr. Frazier. As you know, Commerce handles what we call \ndual use items, which have both military and civilian uses, and \nso you are right on the money when you suggest that that is \ninformation that we would surely want to protect as much as we \npossibly can.\n    Mr. Greenwood. In fact, in the GAO report, it says \nsensitive data such as relating to national security, nuclear \nproliferation, missile technology, and chemical and biological \nwarfare reside in the bureau system.\n    Mr. Frazier. Yes.\n    Mr. Greenwood. Mr. Dacey, would you like to elaborate on \nthe same subject?\n    Mr. Dacey. Yes. Basically, in addition to the export \nlicense information we talked about, there is certain other \ninformation. There is something called the safe harbor, which I \nalluded to in my oral statement, which is a method for filing \nto satisfy European Union privacy requirements, and by filing \nyou demonstrate that you meet certain requirements and then can \nobtain certain personnel information and bring it back to your \ncompany.\n    And that included information like revenue, you know, what \ncompanies are you doing business with, number of employees and \nsuch nature of information which was exposed as well.\n    There is, additionally, other information that the bureaus \nhave on the personal side, and that would have to do with \ncredit card information, for example the ESA subscription \nservices. 
They collect credit card information.\n    The bureau itself has data bases containing significant \ninformation on Commerce personnel, including various \ninformation, Social Security numbers, and that sort of thing.\n    So there is a variety of information, including financial \ninformation, that is out there on the systems that are at \nCommerce.\n    Mr. Greenwood. And what about the ability to go through the \nCommerce Department systems? Is it conceivable that one could \ngo through the Commerce Department's system and then thereby \nreach out to consulates, to our consulates around the world?\n    Mr. Dacey. One of the tests that we performed, we were able \nto--let me back up a minute.\n    When we do our testing, our target or goal is to gain what \nwe call administrative control of the systems we are looking \nat, and that means we could place ourselves in the position of \nsystem administrator and thereby do just about anything that we \nwould want to do on that system, including reading files, \ncopying files, deleting files, changing software, any number of \nthings that a system administrator could do.\n    We gained that level of access on several of Commerce's \nsystems. Some of those allowed us to gain access to networks \nwhich went to the Foreign Commercial Service posts as well as \nthe systems that contained some of this sensitive information.\n    Mr. Greenwood. And those consulates are, of course, in \nturn, interconnected to other sensitive agencies of the Federal \nGovernment so that it would seem to me to heighten the \nsensitive nature of this leak.\n    Mr. Dacey. We did not specifically look at the connectivity \nof those Commerce installations in foreign posts with other \npotential agencies, but that is an issue which might be \nexplored in the future as another task.\n    Mr. Burr. Would the chairman yield?\n    Mr. Greenwood. Certainly.\n    Mr. Burr. 
What I understand your answer to be is that you did \nnot try to go outside of the Commerce system within the \nembassy?\n    Mr. Dacey. That is correct. We went to Commerce \ninstallations in the various foreign posts, and because that \nwas the limit of our testing, we stopped at that point. We did \nnot try.\n    Mr. Burr. If the focus at the embassies was to keep people \nout of their system, but not to limit their movement from \nwithin their system that they were in, had you tried you might \nhave been able to go anywhere within the embassy system.\n    Mr. Dacey. It is hard to speculate where we could have \ngone, but if there was interconnectivity, we had significant \nrights on the system, Commerce's system. We just do not know \nwhat interconnectivity might exist.\n    Mr. Greenwood. The Chair's time has expired, and the \nchairman recognizes the chairman of the full committee for 5 \nminutes to inquire.\n    Chairman Tauzin. Thank you, Mr. Chairman.\n    Mr. Dacey, I want to understand the concept of the weakness \nwithin the system, if you do not mind. In your testimony you \nstate that the individuals both within and outside Commerce \ncould compromise internal and external security controls to \ngain extensive unauthorized access.\n    I want to know what you mean by ``extensive.'' Is that \nanother term for what is called root access or total control of \nthe systems?\n    Mr. Dacey. Right. That is what I was referring to as \nadministrative level access on the networks. That is referred \nto as root access, and we were able to gain that level of \naccess on several systems.\n    Chairman Tauzin. Now, you also state that the department \nwas able to detect your extensive intrusion activities on only \nfour occasions. How many intrusions should have been detected \nif they had had a good system in place?\n    Mr. Dacey. We attempted to scan over 1,000 system devices. 
\nSo I do not say that they would detect all 1,000, but certainly \nwe would have expected a significantly higher number of those \nattempts to be detected.\n    Chairman Tauzin. So you are saying 4 out of 1,000 were \ndetected?\n    Mr. Dacey. Over 1,000.\n    Chairman Tauzin. Over 1,000?\n    Mr. Dacey. Yes.\n    Chairman Tauzin. What is that .4 of 1 percent, something \nlike that were detected? So that in effect, if again my math is \nright, something like 99.6 percent of the intrusions were not \ndetected.\n    Mr. Dacey. Something like that, yes.\n    Chairman Tauzin. That is purer than Ivory Snow. That is a \nhuge number. It basically says that you could walk around \nundetected in cyberspace, in effect, within the department's \ndata banks.\n    Mr. Dacey. Right. That is one of our concerns, as I said in \nmy oral statement. There was actual hacker activity on one of \nthe systems which we discovered, which Commerce was not \npreviously aware of.\n    Chairman Tauzin. Can you give me a little more information \nabout the fact that your auditors discovered the intrusion of a \nRussian hacker in the system? What exactly happened there? What \nwas going on?\n    Mr. Dacey. We identified a server, a network server, and \nwhen we went in to start to explore it, we identified certain \ntools that were left behind by a hacker, and at that point in \ntime we turned that over to the agency and suggested that they \ninvestigate the situation and resolve it and figure out what \nhappened.\n    Chairman Tauzin. Well, did they find out what the Russian \nwas up to?\n    Mr. Dacey. I believe, based on my recollection, the IG \nreally followed up on the process afterward. I don't know if \nMr. Frazier has any further information.\n    Chairman Tauzin. Could you tell us?\n    Mr. Frazier. Vladimir was his name.\n    Chairman Tauzin. Vladimir?\n    Mr. Frazier. Yes.\n    Chairman Tauzin. Good, old Vladimir. What was Vladimir \ndoing in our data banks?\n    Mr. Frazier. 
We found out that he had hacked into a number \nof government systems.\n    Chairman Tauzin. Was he just having fun or was he up to \nmischief?\n    Mr. Frazier. Well, we could not determine that. He got into \nthe system. He got into the systems at other agencies, and he \ndid not do any major damage to our knowledge, but that is part \nof the problem. You do not know how long he had been there. You \ndo not know what else he had----\n    Chairman Tauzin. Well, I mean, you detected only .4 of 1 \npercent. So he could have been all over the place, and if he \ndid not drop a tool here or there, you may never know he was \nthere.\n    Mr. Frazier. We would have never known he had been there.\n    Chairman Tauzin. So he could have been in a lot of other \nplaces that he did not leave his tracks, right?\n    Mr. Frazier. Yes. So what they will do is close that door.\n    Chairman Tauzin. That is right.\n    Mr. Frazier. But many other doors are left open.\n    Chairman Tauzin. Yes, let's talk about doors. One of the \nthings you mentioned, Mr. Dacey, is the interconnectivity of the \nCommerce Department, the bureaus you reviewed. \nInterconnectivity is good, of course, in a sense because it \nallows all of the bureaus to share information and to relate to \none another. It could be a problem if a hacker or Vladimir \nfinds, excuse my expression, the weakest link in the system and \nthrough interconnection, he is everywhere, and then bye-bye, he \nis gone.\n    Tell me about interconnectivity within the bureau, within \nthe department, rather, among its bureaus.\n    Mr. Dacey. One of the issues is the interconnectivity \nbetween us. As you suggested, it is a good thing. It is used to \ncommunicate between the bureaus at Commerce. 
One of the issues \nthough is protecting those systems and that interconnectivity \nso that if someone gains unauthorized access to one bureau \nsystem, that there are measures to prevent them from going \nfurther once they are inside the network.\n    What we found, in fact, was that some of the accesses that \nwe obtained to some of the more sensitive information were \nactually through other bureaus that we----\n    Chairman Tauzin. So you actually did that. You found the \nweakest link, and then bingo, you had access to other \ninformation that you might not have directly been able to \naccess, right?\n    Mr. Dacey. That is correct. When we identified these, \nagain, our tests were not designed also to detect every \nvulnerability, but we found sufficient evidence to----\n    Chairman Tauzin. Well, I guess here is probably the most \nimportant question. Have you done enough testing to be able to \nadvise the Commerce Department on how to seal those doors and \nhow to protect against the Vladimirs of the world?\n    Mr. Dacey. We provided detailed out-briefings at the time \nthat we performed our work in the field, and our understanding \nis that the agency has fixed some and is working on others, and \nthat is consistent with their response to----\n    Chairman Tauzin. Was your testing complete?\n    Mr. Dacey. But that was what I was going to suggest, is \nthat we do a limited amount of testing. We spent about, let's \nsay on average, 2 weeks at each bureau, and we found sufficient \nvulnerabilities to support our conclusions. I would not aver \nthat, in fact, we found all of the vulnerabilities.\n    In fact, we did not find all of the vulnerabilities. One of \nthe important steps that Commerce needs to take is really to \ndevelop an active testing program of their own and identify \nthese vulnerabilities from a management viewpoint and fix them.\n    We certainly did not find them all.\n    Chairman Tauzin. Mr. 
Chairman, one final thought, and I do \nnot want to at all cast aspersions on either one of your \noperations because you do a very good job for us, but we heard \nfrom a lot of agencies that we are losing talented people, and \nthey are reaching retirement age, and I assume that is true of \nyour agency as well, that you are losing some of your best \npeople.\n    What we have learned in this area of the high tech commerce \nworld is that some extraordinarily good people are the youngest \npeople, and I just wonder, are you satisfied that within your \nranks are, indeed, some of the brightest and most capable \npeople who could be charged with determining whether we have \nleft doors open and whether the systems are adequate or \nwhether, in effect, we really know all the answers as to how \ninappropriate access can be obtained.\n    I guess what I am asking you is: are we as bright within \nyour agencies as the people out there, particularly the younger \npeople who are coming up and know these kind of systems like \nthe back of their hands? Are we as bright as they? And are we \nas capable as they in understanding what is possible when it \ncomes to entries of access?\n    Mr. Frazier. Let me comment on that on a number of levels. \nFirst, I think that we recognize the need to go out and get new \ntalent, if you will, to stay current with this. We are using \ncontractors like never before because, as you point out, we \ncannot literally keep IT specialists. The private sector will \nhire them away very, very, very quickly.\n    But at the same time, I am fortunate that I have an \nassistant IG for systems who I think is one of the best in \ngovernment. 
She has brought a lot of people from the private \nsector, and we have been able to keep them.\n    It is not easy, you know, but I think that that is \nsomething that we have worked very hard to do.\n    But I think that even more important is for managers to \nrecognize that it is not just about the IT specialist or the \nsecurity specialist. It is about program officials taking \nresponsibility for this.\n    You know, you used the term ``weakest link,'' and it is \nexactly the word that describes the problem. I can put in the \nbest system. I can hire the best people. I can get the best \ncontractors, but then if I get an employee who decides that he \nor she is going to leave his system on overnight so that a \ncleaning person can access the system, as we found in one case, \nthen it does not matter that I have hired the best and the \nbrightest.\n    So the goal here, I think, is to get managers in the \nDepartment of Commerce involved. That is why we are so \nimpressed with the Secretary's recent memo that said to the \nUnder Secretaries and others: This is your responsibility.\n    When we issue our reports to the CIO or if I issue my \nreport to the Director of Security, I am preaching to the choir \nat that point, but the reality is that I've got to turn around \nand talk to the people who run those systems, who do not \nunderstand, who do not see that information security is their \nresponsibility.\n    It is an awareness program. 
I have to tell you when you go \nin and you brief many senior officials and you start to talk \nabout security reviews and doing quarterly reviews, their eyes \nkind of gloss over because it sounds so boring or that is ``not \nmy responsibility.''\n    Quite the contrary, it is something that has not been taken \nseriously in the past, and until all of us, until everyone \nrecognizes the role that they are charged with playing, I think \nthat we are going to come back to you year in and year out with \nthe same kinds of problems. That is my frustration.\n    Chairman Tauzin. Very well said.\n    Thank you, Mr. Chairman.\n    Mr. Greenwood. I thank the chairman of the full committee \nfor his participation and note that with his heavy schedule and \nsix subcommittees to cover, it is impressive that he manages to \ncome to each one of our hearings and spend the time. We \nappreciate it.\n    The Chair recognizes the gentleman, Mr. Burr, to inquire.\n    Mr. Burr. Thank you, Mr. Chairman.\n    Mr. Dacey, I have seen a lot of folks behind you going like \nthis. So I assume that they are part of the security analysis \nteam, and let me thank them for their good work.\n    But let me ask you a real important question. Are they the \nbest that is out there?\n    Mr. Dacey. I think we have a very good team actually, whether they are \nbehind me or not.\n    Mr. Burr. And I am sure you do, and I thought of another \nway to ask it, and I could not think of it, but the likelihood \nis there is somebody out there that is going to be as good if \nnot better.\n    Mr. Dacey. Our aggregate experience averages about 20 years \nper person on our staff doing this work at this point in time.\n    Mr. Burr. Well, then you may have the best.\n    Mr. Dacey. No, I do not profess we have the best. 
I do not \nthink they would profess that, but we have some good folks \nhere.\n    The issues are in this whole environment that there are a \nlot of people who are out there that are finding these \nvulnerabilities and issues with systems that apparently have \nthe time and abilities to go do that. We do not try to discover \nnew ones. We just try to figure out if agencies have processes \nin place to find them and fix them, and that has been a \nchallenge, and we have pursued that role to try to do that.\n    Mr. Burr. The question that I am trying to get answered: \nthere are a host of folks in the world who have skills at least \nequal to the folks that conducted this review of the \ndeficiencies and security at Commerce. Would that be safe to \nsay?\n    Mr. Dacey. Yes.\n    Mr. Burr. So we have got an ever looming threat of people \nwho want to get into these systems. Now, I would assume that \ncommerce is probably linked to the Department of Energy, and if \none could hack into Commerce, they might find their way at \nleast to try to get into the Department of Energy, and if the \nDepartment of Energy had an area that might have a deficiency \nand they got into that, the Department of Energy is linked to \nthe nuclear labs, and you follow the path I am going, that one \ncould enter in Commerce and potentially end up in the Los \nAlamos system.\n    Is that conceivable?\n    Mr. Dacey. We really did not look at that connectivity, but \nif, in fact----\n    Mr. Burr. If they were connected.\n    Mr. Dacey. And if it was not adequately controlled, yes, \nthat is conceivable, but again, given the particular facts I do \nnot know. We did not look at the interconnectivity of Commerce \nto other bureaus.\n    So it is an issue, but I think it is one that has not been \nactively explored, and that is not just Commerce, but the \ninterconnectivity between various bureaus. I mean there is some \nof that interconnectivity. 
When we do our work, we find \nconnections to other bureaus routinely.\n    We have not tested those because our work has typically \nbeen focused on the bureau that we have been looking at at that \ntime.\n    Mr. Burr. And we know that employees of Commerce are paid \nby the United States Treasury. Therefore, there is probably a \nlink to the Treasury, and because there is a link to the \nTreasury, the Treasury is probably linked to every other \nagency, and there might be a way to go that system and test \nnumerous different agencies within the Federal Government.\n    Mr. Dacey. It depends on the connectivity and the controls. \nIn some cases, for example, the information may, in fact, be \njust downloaded and pushed down to another entity. There may \nnot be a live connection, and there are a lot of other things \nthat go on.\n    So I think though that that is an increasing risk because \nwhat we are seeing overall is more interconnectivity as time \ngoes on. It is certainly convenient, and it saves time and \ncost.\n    At the same time, there need to be adequate controls in \nplace to prevent someone from doing what you suggested.\n    Mr. Burr. And am I correct that a scenario like that could \nhappen if you had one entry point that they could get into?\n    Mr. Dacey. In the situation, take Commerce, for example. As \nI said, some of our access to this sensitive data was obtained \nthrough other bureaus. So we were able to get in.\n    Typically that is what we do. As I said before, we do not \nexplore every conceivable opportunity to get into the systems \nbecause when we find one and gain the level of access we \nobtained----\n    Mr. Burr. You are completed.\n    Mr. Dacey. 
[continuing] we do not need to go further to do \nwhat we do.\n    So there are definitely weakest link concepts that we \ntalked about earlier that need to be protected against.\n    I would also like to reiterate that most of our testing \nthat we have done here is technical in nature. We have tools \nthat are available to virtually anyone that can identify these \ntypes of vulnerabilities and tools to exploit them.\n    What we have not done much of, one thing that the hacker \ncommunity does, is something called social engineering, where \nthey try to gain information like passwords and other \ninformation from employees, which is why employee awareness is \nvery important as we talked about earlier.\n    And so those are the issues. The weakest link might be \nsomeone answering a phone and saying, ``Yes, here is my \npassword and user ID,'' and someone else using it to log onto \nthe system, and if you get a little bit into the door, \noftentimes you can get information, including network traffic, \nthat has other passwords and escalate your privileges to the \nlevel we seek to obtain.\n    Mr. Frazier. And, in fact, as part of our penetration \ntesting for the financial statements, our CPAs did exactly \nthat, called up, pretended to be the system administrator, told \nsomeone that they needed their password to get in, and the \nperson gave it to them over the phone, and so we know that that \nhas, in fact, happened.\n    Your questions are right on the money. Those are the \nquestions that the system's administrators, that the program \nofficials, and the security people should be asking every day. 
\nYou should make the assumption that people are constantly \ntrying to get into your system.\n    And what is important is that you should make the \nassumption that they are trying to get into your system so that \nthey can get into other parts of the Department of Commerce \nbecause you do not know what the interconnectivity is, and so \nuntil you do the extensive testing, which is seldom done at any \nagency, you have to make that assumption that this is happening \non a continuous basis.\n    Mr. Burr. Let me ask you real directly, Mr. Frazier: do you \nknow all the connectivity points?\n    Mr. Frazier. No. Right off the bat, no.\n    Mr. Burr. Is there anybody at the Commerce Department that \ndoes?\n    Mr. Frazier. And I would venture to say at this point, no.\n    Mr. Burr. So even if it was not a technical deficiency that \nwe had, a simple password management problem might create \naccess for somebody intending to enter the system and figure \nout where they can go.\n    Mr. Frazier. Yes.\n    Mr. Burr. Okay. Let me ask you real quickly. Your testimony \nseemed to rehash some of the issues covered in the 1999 report \nyour office sent to then Secretary Daley. I believe, in fact, \nthe report had your name on it, if I am correct.\n    Mr. Frazier. Yes, it did.\n    Mr. Burr. Why should we have confidence in your office's \nability to ensure needed changes do take place, I guess, \nconsidering the fact that you have raised the issue? You have \nraised the issue. We know it has gone to the level of the \nSecretary, and we still have a problem.\n    Mr. Frazier. It is an easy answer there. We identify the \nproblems. We then report those problems to managers. We, as you \nknow, report to the Congress also. We come to the Congress and \ntell them the same story. We send them our list of the top ten \nchallenges.\n    We sent that report up to the Hill. 
Unfortunately we have \nnot been empowered with what I call the enforcement tool that \nsays, ``You are going to put the resources into this area to \ndevelop it.''\n    If you use BXA, for example, you can go back 5 years and \nfind out where the IG's Office--I was not the IG--recommended \nthat that system be improved, that the system be updated. It \nidentified many weaknesses as long ago as 5 years.\n    In our 1999 report, we found a litany of problems, whereas \nwe have checked recently and found out that about half of those \nissues have been addressed, but some of the most critical ones, \nthe ones that say are you trying to see if people can penetrate \nyour system, are you regularly developing the kinds of security \nplans that are required by the government rules and \nregulations, and the answer is still no.\n    Now, we have not let that drop because we currently have an \ninspection team that is in there looking at the ECASS system \nagain. And again we will take the message of our findings to \nthe Congress, to the Secretary, and you hope that they will get \nthe message.\n    Again, I would go back and emphasize the program officials \nhaving the top responsibility for making sure that these are \nimplemented.\n    We have testified that in the case of BXA, that there \nshould be additional funding to support the resources that were \nnecessary to develop that system, and that's something that an \nIG usually does not do. We are usually trying to find ways to \ncut resources.\n    But in that case, we went on record as saying, yes, we \nthink that that system definitely needed to be upgraded. It \nneeded additional support, and again, that's not an excuse. It \nsays that this is the way it is in the sense that we do not \nhave the authority, if you will, to go in and make somebody do \nanything.\n    We can surely use the bully pulpit. 
That is why I am so \npleased with this hearing today because it represents an \nopportunity for these issues to be aired. In fact, they should \nhave long been done.\n    Mr. Burr. Well, we hope you will continue to speak very \nloudly on it and not wait for the invitations from us. I think \nyou have gotten an administration that is very anxious to solve \nsome of these problems.\n    Both of you in your testimony, I think, alluded to one \nphrase that I found very interesting, excessive user \nprivileges, and I remember when we were in the heat of the \ninvestigation at our nuclear labs. One of the problems that we \nfound was the lack of different levels of security within the \nlab.\n    We had adopted this policy in the early 1990's where rather \nthan offend somebody, we sort of brought everybody in at the \nsame status and never thought about the fact that that gave \neverybody the same type of access to the sensitive areas of a \ncomputer system, and that contributed to the potential \nnightmare that we saw.\n    Does there exist a separation of individuals' levels of \naccess that they can get in the Commerce system, or once you \nare in, you are in everything or you are only in a \ncompartmentalized area?\n    Mr. Frazier. 
It is hard to generalize, but I can tell you \nexamples where that has definitely been a problem in the \nDepartment of Commerce, without mentioning the bureau's name, \nwhere certain people who should have had the authority, for \nexample, to only read information were inadvertently given the \nauthority to not only read, but to alter the information.\n    Now, that can have very dire consequences when you give 15 \npeople access to a system that should not have access.\n    Now, what was equally troubling, of course, when we found \nthis out, the second time what was of great concern to us, if \nthey had done what I call the quarterly monitoring, if they had \ndone the risk assessment, that is something that would have \nbeen identified, and again, managers too often think of this as \njust these requirements that really do not have any impact, and \nyou cannot overemphasize that these are things that are put on \nthe books for a very good reason.\n    So the answer is yes.\n    Mr. Burr. Mr. Dacey?\n    Mr. Dacey. There are different levels of access that one \ncan give to different systems. Our main target in our review is \nto try to get at the system administrator level of access, \nwhich is the one that should be fairly tightly controlled and \nlimited to only a limited number of folks. So there is the \nability to do that.\n    What we found in Commerce though is not a regular review \nprocess, as was just discussed, to look at those and see if, in \nfact, they have been properly allocated to the right people.\n    Additionally, we also found system administrator passwords \nand information in files in certain bureaus that would give us \nthat ability. So even if we had not been given the direct \naccess, we could have gained information that would have \nallowed us to log on or sign on at that level of access.\n    Mr. Burr. So that would sort of come under that header of \npassword management problem?\n    Mr. Dacey. 
And how is it stored in the system.\n    Mr. Burr. I will ask one last question. The chairman has \nbeen very patient.\n    Could we at least conclude that if an individual who had a \npassword that allowed them the same access you were able to \nachieve as an administrator left the Department of Commerce, \ncould we believe that their password would be canceled, \naltered, or are we convinced that they could not access the \nsystem when they left today?\n    Mr. Dacey. We did not specifically look at that at \nCommerce. I know in other bureaus it is an issue of people \nrevoking passwords on a timely basis, but I believe the IG has \ndone some work in that area.\n    Mr. Frazier. Yes, there are cases where that does not \nhappen. If you are in the private sector, my brother-in-law \nworks for CISCO, and he points out that when you go in and tell \nthem that you are going to leave, they change your password \nbefore you leave the room, terminating your access to the \nsystems.\n    We have people who have been out of the Department of \nCommerce for 3 years and who still we found have access to the \nsystem.\n    That is unacceptable, absolutely unacceptable, you know.\n    Mr. Burr. I thank both of you.\n    I yield back.\n    Mr. Greenwood. The Chair thanks the gentleman for his \ninquiry. The gentleman asked if you folks had the expertise. It \nis my observation that you do not need the smartest hackers in \nthe world to get into a department that has a computer security \nsystem that is the cyberspace equivalent of the Keystone Cops.\n    So I do not think you need to worry about what your \ncapacity is.\n    Mr. Burr. Mr. Chair, could I say that I think Mr. Dacey has \nthe smartest ones?\n    Mr. Greenwood. 
Both of you have also found in your \nrespective audits a failure on the part of the Commerce bureaus \nto prepare risk assessments and security plans for their \nsensitive systems, including some that have been designated as \ncritical to our national security.\n    Is this just a paperwork problem, or should we be truly \nconcerned about this lack of documented assessments and plans? \nEither gentleman.\n    Mr. Frazier. Well, see, I think that therein is part of the \nproblem, is there are too many managers who perceive it as a \npaperwork exercise. This is just another check list for us to \ngo through.\n    And I cannot overemphasize the importance of changing that \nthinking, establishing a different culture that says we need to \ndo this, and it needs to be done on a regular basis.\n    That is part of the problem, and again, I think I mentioned \nthat.\n    Mr. Greenwood. Let me ask this to both gentlemen. We have \nyour official reports and so forth, but I also know that in \nsome of these tests you gave advanced warning to the department \nthat you were going to be doing this testing. I assume you had \nconversations with people in the department whose work you were \nexamining and whose job--maybe you did not, but I would be \ninterested in what those informal conversations were like.\n    I mean, did people in the department say, ``Oh, God, you \nare going to look at our system, and I know you are going to \nfind that it is awful and I am embarrassed,'' or, ``we are \ndoing the best that we can, but we just are overworked. We will \nget to it?''\n    When you communicate with folks in the department whose job \nit is to set up these security systems, what kind of dialog is \nthat? What has that been like?\n    Mr. Frazier. 
Well, when we do our penetration testing with \nthe CPAs through the financial systems, we usually identify one \nbureau official who is sworn to secrecy and will work with us, \nbut as I have pointed out, usually once you identify these \nproblems, these are people who are in the systems business, who \nunderstand systems, and you are preaching to the choir.\n    The message has to be conveyed to their supervisors, to the \ntop officials to let them know that they have got to get the \nmessage out on a broader level. This is not just a problem for \nthe accountants to worry about or the systems people to worry \nabout or the security people to worry about.\n    And traditionally that is what happens.\n    Mr. Greenwood. But I am talking about the people in the \ndepartment whose job it has been to comply with the Federal law \nand to make sure that these systems are secure. When you \ncommunicate with them, have they said, ``Our hands are tied. We \ndo not have the resources. We are not well trained enough. I do \nnot have enough people?''\n    What do they say?\n    Mr. Frazier. 
A number of things, but, in fact, I think that \nBob alluded to the fact also that the department has agreed to \nimplement the recommendations.\n    We went back in preparation for this hearing and looked at \nthe recommendations that we had issued, say, in the last 2 to 3 \nyears in the areas of IT security, and almost without \nexception, I mean, let's say if there were 100 recommendations, \nthere may have been 5 to 7 that the bureau said, ``We disagree \nwith you on.''\n    So they give you the assurances that they are going to deal \nwith this, and they send in what we call action plans to tell \nus how they propose to deal with it, but also, if you look at \nthose audit action plans and inspection action plans, usually \nthey raise questions about the limited resources that they have \navailable to implement some of the recommendations.\n    And then the other thing is that they, too, are faced with \nthe problems of making sure that they have the talent to do \nthis.\n    Now, you take one bureau. I will not mention the name, that \nhas plenty of resources, and they went out and hired a CPA firm \nto try and penetrate their system doing the exact same thing \nthat we do or GAO would do, and any bureau can do that.\n    In fact, most bureaus should have that as part of their \nrisk management plan. So part of it does come down to \nresources, but, again, it comes down to a commitment.\n    Mr. Greenwood. But when they have complained about \ninadequacy of resources and they have asked for the resources, \ndid you get a sense of how far up into the hierarchy? Did those \nrequests go to the Secretary's level? Did the Secretary \ntransmit those requests to the administration?\n    Where was the weakest link, so to speak, in terms of the \nfolks in the department or in the administration who failed to \nprovide the resources?\n    Mr. Frazier. 
I send all of my reports to the head of the \nbureaus, the Under Secretary level or the Assistant Secretary \nlevel, and any finding or observation that has IT security \nimplications would have been sent to the department's CIO and \nto the department's Deputy Assistant Secretary for Security.\n    So the report, the information has surely been made \navailable.\n    Mr. Greenwood. And the problem, I think--correct me if I am \nwrong about this--but the CIO has a variety of responsibilities \nbeyond. The security of the IT is a subset of the CIO's \nresponsibilities; is that correct?\n    Mr. Frazier. Yes, that is correct.\n    Mr. Greenwood. Okay, and what were some of the other \nresponsibilities of the CIO?\n    Mr. Frazier. One of the things I looked at, how long we \nhave had IT security on our list of the top ten management \nchallenges, and it has been about 1-1/2 years, and I asked my \nAssistant IG, ``Well, why didn't we have this on there \nearlier?'' Because we knew that there were problems.\n    And she said, you know, a lot of times we forget that back \nin 1988 and 1989 most of us were preoccupied with the Y2K \nissues, which you know, we kind of forget. The concern was \nwhether----\n    Mr. Greenwood. Do you mean 1988 or 1998?\n    Mr. Frazier. I am sorry. 1998.\n    Mr. Greenwood. Nobody was thinking about it in 1988.\n    Mr. Frazier. The concern was whether the systems were going \nto function literally, and so people were not worried about \nsome of the details.\n    And the other thing, if the truth be told, is these systems \nhave become more sophisticated and more interconnected. This \nproblem has grown, and I do not think that our interest and \nattention has kept up with the way that the system technology \nhas grown, and so I think that that is part of the problem.\n    Mr. Greenwood. Mr. Dacey, do you have any other comments?\n    Mr. Dacey. No. I think it is a matter of emphasis. 
Some of \nthe things that we have found is that for some of the bureau's \nsecurity officers, it was a part-time duty. They had other \nresponsibilities even besides security management. They did not \nhave a full-time security manager, even one in some bureaus. I \nthink that is a major issue.\n    In terms of thoughts, I know they had time to prepare, and \nI know in the process of doing our work things improved because \nthey were aware we were there and we were certainly fixing \nissues.\n    But when we raise these issues, they are generally not a \nbig dispute, and generally the people we talk to appreciate the \nsignificance of the vulnerabilities that we highlight. So we do \nnot have a lot of convincing to do.\n    So the real issue is really focusing attention because I \nthink if it was placed that they would be able to find the same \nkind of vulnerabilities that we find and use some of the same \ntools that we use to do that.\n    Mr. Greenwood. Mr. Frazier, in your financial control \naudits for fiscal year 2000, you looked at seven Commerce \nbureaus including NOAA, NIST, the Census Bureau, and others, \nand found that access control problems existed at all seven \nlocations. Can you be more specific about what you mean by \naccess controls?\n    Mr. Frazier. Well, we looked at the access controls at four \nof the seven, and what that means is that we were able to get \ninto the system. I mentioned that we were able to get one \nindividual system administrator to compromise his or her \npassword.\n    We also were able to get into the system in ways that we \nshould not have been able to get into the system, and again, \nthe CPAs use Cybercop and several other readily available \nsoftware packages to try and do this penetration testing, and \nso it is not like they have some special techniques that need \nto be used, but in using what is readily available software, \nthey were able to access these systems.\n    Mr. Greenwood. 
Do you believe that this represented a \nmaterial weakness or a reportable condition under the relevant \nstatutory authorities?\n    Mr. Frazier. Well, they were reportable conditions, but of \ncourse, once you pull them together and we issued our \nconsolidated reports for the Department of Commerce, we became \nconcerned that it was a material weakness.\n    Individually it may not have been a material weakness at \nthe various bureaus, but again when pulled together and looked \nat together, it would be a material weakness.\n    Mr. Greenwood. Okay. A related question, again, for you, \nMr. Frazier, and, Mr. Dacey, if you would like to comment, \nplease do.\n    GAO has testified that at the seven bureaus it reviewed, \nnone of them had effective internal or external network \nsecurity controls. It appears based on the body of IG audit \nwork at other Commerce bureaus that there is nothing unique \nabout these seven bureaus in this respect, and that in your \nopinion similar deficiencies either have been or would be found \nat virtually any commerce bureau.\n    Would that be a fair statement?\n    Mr. Frazier. Let me clarify one thing. GAO is looking at \nseven bureaus. We are looking at seven financial data centers. \nSo we are talking about apples and oranges. There would be, for \nexample, one financial data center, such as NOAA, and BXA would \nbe the same one. So it is not the same seven.\n    So when we talk about what we have found in problems at all \nof these seven locations, it is not the same seven. Okay?\n    Mr. Greenwood. But the problems are similar.\n    Mr. Frazier. The problems are definitely similar.\n    Mr. Greenwood. And there is no indication that anybody at \nthe department level Commerce-wide had been creating security \nsystems in other bureaus that would make the seven that you \nlooked at unique.\n    Mr. Frazier. I'm sorry?\n    Mr. Greenwood. 
I am assuming that what you found in these
seven bureaus and these seven centers, there is no reason for
us to believe that they were unique. One would assume that----
    Mr. Frazier. If you look at seven and you find----
    Mr. Greenwood. [continuing] the department as a whole
allowed these weaknesses in these seven bureaus, there was
nothing going on at the department at the topmost level that
would have presented these weaknesses in other bureaus.
    Mr. Frazier. Yes, I do not think so.
    Mr. Greenwood. Mr. Dacey, any further comments?
    Mr. Dacey. No. Just based upon a reading of some of the
reports that the IG has issued, the nature of the
vulnerabilities appeared to be similar.
    Mr. Greenwood. Okay. We are about to hear from the new
Deputy Secretary. Let me just ask you in his presence if you
could make one recommendation, each of you gentlemen, what
would be your most critical recommendation to the department?
    Mr. Frazier. Well, I have had the pleasure of meeting with
Deputy Secretary Bodman, and when we sat down at our first
meeting, the first thing we talked about were the challenges
facing the department. It was a lengthy meeting, and one of the
things that I was encouraged about, as you know, he has an
engineering background. He comes from the business sector. He
comes out of the academic community, and it was very clear that
he understands systems.
    But more to the point was getting the message out to the
program officials to hold them responsible. I think often we
look for very complicated fixes, and the point that I surely
tried to convey to him, that part of this is an awareness
program.
    And so there is a short memo that came out that said
basically to the secretarial officers: you are now basically
responsible for security in your agency.
    That will probably have a greater impact than putting an
additional $2 million in every budget in the department.
I mean
if you begin to change that culture.
    So I am encouraged, is the word that I use, that I think he
will bring a new dimension there.
    Chairman Tauzin. Mr. Chairman.
    Mr. Greenwood. The Chair recognizes the chairman.
    Chairman Tauzin. Could I be recognized and strike the last
word for a second?
    Mr. Greenwood. The Chair yields to the gentleman.
    Chairman Tauzin. I thank the gentleman.
    Mr. Chairman, I have to be at the White House in about 10
minutes for a cabinet meeting on global warming, and so I am
going to have to leave right now, and I will not have a chance
to visit with the witness from the Commerce Department, but I
wanted to put on the record at this point my deep concern about
the existence of ``cookies'' and Web ``bugs'' within the
Commerce Department systems, and my concern that even now that
the department is focusing on the existence of these
``cookies,'' that as the testimony indicates are there without
a compelling reason and without the approval of the Secretary,
that the department's CIO is now recommending a strategy to
control the use of persistent ``cookies'' and Web ``bugs.''
    My concern is that I think we ought to go further than
that.
My understanding of the policy of the government is that
unless there is a very good reason for a ``cookie'' or a Web
``bug'' to exist on Federal sites, that we will have a very
serious concern about Americans having to deal with these
devices when they are sharing their information, as I said,
involuntarily with the government.
    I can understand ``cookies'' and Web ``bugs'' on commercial
sites that I enter voluntarily and choose to visit and do
business with, but when American citizens are asked to
involuntarily do their business with the government with the
Internet only to find that we have permitted someone else, some
other institution, perhaps not even a government institution,
to be collecting that information for other purposes sometimes
without the knowledge or consent of the citizens of this
country, that raises grave concerns.
    When leader Dick Armey and I asked for a study by the GAO of
the existence of security and privacy on Federal sites, we were
appalled to find out; so was the Senate appalled to find out
that there were so many ``bugs'' on the systems and so many
``cookies'' that were actually out there. We found one on an
IRS site. We found a ``cookie'' for a private enterprise
concern in this country collecting information from citizens on
an IRS site.
    Now, how abominable is that? It is bad enough having to
deal with the IRS, but to think that the IRS is sharing our
information with other people without our consent is
outrageous.
    And so, Mr.
Chairman, again, my apologies for having to
leave because this is such a good hearing and it is such a
serious focus of your oversight investigations work that I hate
to leave it, but I want to leave it with this thought, and I
hope the department witnesses are prepared to speak out
forcefully about their intention about how they intend to deal
with these ``bugs'' and this ``cookie'' problem.
    Americans ought not to have to be surprised to find out
that private information is being shared by their own
government with people they might not want to share it with. It
is as simple as that.
    Mr. Frazier. As you are aware, we did find 12 of them in
the Commerce system, but to the department's credit, the
Secretary has hired a special advisor for privacy. He has met
with me and my systems people to ask about other particulars.
    Chairman Tauzin. Well, you do not need an expert consultant
to tell you that when we have got a Federal Trade Commission
that is pounding on private companies in America to have good
policies of disclosure to consumers about what they are
gathering and how they are using that information, you do not
need an expert to tell you there is something deadly wrong
about the government doing it without consumers' permission,
particularly when it is information, as I said, that we are
sharing not necessarily of our own volition.
    And if consumers have questions about privacy in the
commercial world, I can promise you their concerns rise to
astronomical levels when it comes to information they are
sharing with the government very often only because they have
to.
    So anything you can do to put a spotlight on this problem
and anything the department can do to help us aggressively stop
whoever it is in our government who thinks they have the right
to do this without asking our consent as citizens of this
country to allow others to come in and gather information about
us without our
consent, I hope you come down like a sledgehammer
in your reports, and I hope the department comes down
like a sledgehammer on any employee who thinks they have a
right to do that without very important reasons that are well
spelled out and well justified and approved at the top and with
the disclosure to Congress of what is going on.
    And I thank you very much, Mr. Chairman.
    Mr. Greenwood. I thank the chairman, again, for his
participation and for his keen interest in this issue.
    And before I recognize Mr. Burr for inquiry, I had a
question on the table, to which Mr. Frazier has responded, and
before I go to Mr. Dacey, Mr. Frazier made reference to the
memo dated July 27 from Donald Evans, the Secretary, on the
high priority to information technology security.
    The Chair would, without objection, enter it and several
other documents provided to us by the department for the
official record.
    Mr. Dacey, if you would respond to the question about your
No. 1 recommendation, then I would following that recognize the
gentleman from North Carolina.
    Mr. Dacey. I think it is important that a good foundation
be established on which to build the future efforts to provide
security at Commerce.
There is currently an IT restructuring
plan for IT overall, as well as a task force focused on
computer security, and those groups are to provide
recommendations and there are to be developed policies and
procedures.
    I think in doing so there is an excellent opportunity for
the department to put together that strong foundation and
support, and they should do so, including clarifying the roles
and responsibilities of the various parties for security in the
department, including the department-wide CIO, as well as the
bureaus' CIOs.
    It is also important to provide accountability and make
sure those people are accountable for providing security, and
also in that process, address the resource issue to ensure that
there are adequate resources put to bear to address the
security issues.
    I think now is a critical time to do that, and it is
important to proceed in that manner.
    Mr. Greenwood. Thank you.
    Mr. Frazier, were you about to say something?
    Mr. Frazier. No.
    Mr. Greenwood. Okay. The Chair recognizes the gentleman
from North Carolina.
    Mr. Burr. Mr. Chairman, just for clarification if I could,
Mr. Frazier, because in my last question you said that there
had been instances where former employees' passwords stayed
active in you said 3 years. Are there currently any former
employees whose passwords are still active?
    Mr. Frazier. I could not answer that, but I would make the
assumption that the answer is yes because it is not something
that I have monitored. If someone left yesterday, it is that
kind of situation.
    The concern is that there is not a system in place that
would check that with such regularity to make certain that it
could not happen. You know, I could not say that it is, but I
would be amazed that it is not.
    Mr. Burr.
Given your role, has a recommendation been made
for a process to be set up to make sure that those passwords
are eliminated?
    I mean, in the private sector they are eliminated as soon
as you utter the words, ``I am leaving.''
    Mr. Frazier. Yes.
    Mr. Burr. I think one of you alluded to that.
    Mr. Frazier. That is the recommendation that I would make.
    Mr. Burr. It has been made or----
    Mr. Frazier. It has not been made, but it is interesting
because I think I did not think of that until literally this
morning. We raised the concern about people who had left, and
we brought those to the attention, and we have a recommendation
that says, on a bureau-by-bureau basis, that says when someone
leaves, the password should be changed.
    And the question that I have to go to look to see if we
have elevated that to the CIO's office so that it could become
a department-wide policy. It has been made at bureau level.
    Mr. Burr. I think you are going to get the answer.
    Mr. Frazier. Yes, it is at the bureau level as I have
suggested. But it surely is one that should be made at the
department level.
    Mr. Burr. I would hope before the end of the day that
recommendation would be made.
    I thank you for the information.
    Thank you, Mr. Chairman.
    Mr. Greenwood. The Chair thanks the gentleman and wishes to
thank both of the witnesses for your fine work, for your
testimony, for your continued cooperation with this
subcommittee.
    And allow me to thank both of your staff folks, those with
you and those not with you, for the excellent service that they
provide to the country.
This is an issue that is in some ways
obscure, but increasingly it becomes evident that this is so
critical to our national security and to the confidentiality
that our citizens demanded and have a right to, and so we thank
you for your work and the work that you will do in the future.
    And we excuse you now.
    Mr. Dacey. Thank you.
    Mr. Frazier. Thank you.
    Mr. Greenwood. And call our next witness, who is the
Honorable Samuel W. Bodman, Deputy Secretary for the Department
of Commerce. He is accompanied by Mr. Thomas Pyke, the Acting
Chief Information Officer.
    Welcome, Mr. Secretary. Welcome, Mr. Pyke. Thank you for
being with us this morning.
    You are aware that the committee is holding an
investigative hearing, and when doing so we have had the
practice of taking testimony under oath. Do either of you have
objection to testifying under oath?
    Seeing no objection, the Chair then advises you that under
the rules of the House and the rules of the committee, you are
entitled to be advised by counsel. Do you desire to be advised
by counsel during your testimony?
    Mr. Bodman. No, sir.
    Mr. Greenwood. The gentlemen indicate negative in that
case.
    If you would please rise and raise your right hand, I will
swear you in.
    [Witnesses sworn.]
    Mr. Greenwood. So swearing, you are under oath, and you may
now give your testimony, Mr. Bodman. Thank you, again, for
being with us.

     TESTIMONY OF HON. SAMUEL W. BODMAN, DEPUTY SECRETARY,
 ACCOMPANIED BY THOMAS PYKE, ACTING CHIEF INFORMATION OFFICER,
                  U.S. DEPARTMENT OF COMMERCE

    Mr. Bodman. Mr. Chairman, I appreciate the opportunity of
being here.
    I have submitted my formal statement, and I will attempt to
summarize it in the interest of time.
    I am accompanied today by Mr. Pyke, who is our Acting Chief
Information Officer for the department.
I will count on him for
the answer to any technical questions that may come up,
although he took on his role only recently. His background in
security, I think, is notable--in particular, his having
directed the National Institute of Standards and Technology's
program for the development of governmentwide computer security
standards and guidelines, which assignment he had prior to his
becoming the CIO at NOAA.
    And then he was asked recently to take on the acting CIO
job for the department as a whole.
    I can report to you that Secretary Evans and I are very
concerned about the findings that have been reviewed this
morning. I am as concerned as the committee, perhaps more so.
    I want to thank the committee, and I want to thank the GAO
with sincerity, as well as the IG's Office for all of the hard
work that they have done on this.
    I have had experience in my prior life of having managed IT
security systems at both Fidelity and at Cabot Corporation,
where I was previously employed. I appreciate the significance
of this matter, and I hope that my previous experience will be
of some value in dealing with these problems.
    Speaking for the Secretary and myself, we accept the
findings of the GAO report, both specifically and as to their
general causes. I do not have much more to say. The defense
stipulates the evidence.
    We are here to assure you that we will work hard on dealing
with these issues. You have alluded before to some of the
actions that the Secretary has already taken to build a strong
and effective IT security program.
    First, he has directed all of the Commerce agency heads to
focus their personal attention on this matter. I think, as the
Inspector General alluded to already, at least in the part of
his discussion and testimony that I heard when I arrived, that
this is really a matter of a general manager's responsibility,
not the responsibility of the CIO.
This is a general manager's
job.
    It is my job. It is Secretary Evans' job, not Mr. Pyke's
job. We hope to rely on him to help us get this done, but this
is our responsibility, and frankly, I am embarrassed to be here
in front of you to hear the nature of what we are dealing with.
    Mr. Greenwood. Mr. Bodman, how long have you been on the
job?
    Mr. Bodman. Six days.
    Mr. Greenwood. You do not need to feel embarrassed yet. We
will let you know.
    Mr. Bodman. I am sorry, sir, but that is just the nature of
responsibility. We have it. It does not matter how long we have
had it. We are here now, and it is our job. To be responsible
for something that is in this great a difficulty is not
something that I find a great deal of personal comfort in,
however long I have been here.
    And I know I speak for the Secretary in this matter.
    He has ordered a department-wide IT restructuring plan. We
referred to that. It features the department's Chief
Information Officer.
    Mr. Pyke. This oversight function will ensure that
appropriate action is taken at the agency level to implement
new departmental IT policies.
    Mr. Bodman. In the past the departmental CIO apparently had
relatively little management authority. We believe we have
fixed that. In the past the policy seems to have stalled at
times when it got to the agency heads, who had in their view
more important matters. And I believe that the new priority the
Secretary has given to IT security will be very helpful.
    The plan also gives each of our CIOs the authority to
manage IT security, IT planning and operations, and IT capital
investment review. This new approach is in sharp contrast to
the old way of doing business, and as I said before, I think it
will be helpful.
    Third, we have established an IT security task force
chaired by Mr. Pyke that will work under my personal oversight.
The task force will improve our IT security by developing a
comprehensive department-wide plan.
    The task force is made up of individuals with a lot of
expertise in this area, including people from NIST, which has
had a governmentwide responsibility in this area in the past.
    We have also enlisted assistance from the National Security
Agency, and we are grateful to the NSA that they have been
forthcoming with personnel to be helpful to us in dealing with
these matters.
    The new task force is already at work. They have met more
than once, and they are working on a fast track to develop an
effective security program for the department and to identify
actions that we should take.
    We have already received some short-term recommendations,
and these have been implemented. We are doing the best we can
to get on top of the things that can be dealt with immediately
and to bring these problems to a much higher level of
consciousness among our managers.
    Furthermore, the program development task force will
address the assessment of risks throughout the department and
the means for providing security commensurate with those risks.
They will provide a road map for updating our approach to
security problems, develop an oversight process with compliance
testing as a key component, and plan a department-wide IT
security awareness training program.
    The task force is also addressing the specific issues that
have been identified, including strengthening access controls.
You have heard extensive discussion about that. We are working
on it.
    The problem with this area involves more of a mind set--how
everybody in the department feels about his or her
responsibility for security.
It is a challenge to deal with
these matters because security is a personal responsibility,
and it is something that is difficult at times.
    I would imagine that even the Congressman may find it
difficult at times to change your password and make sure that
it is updated. This is a natural, human problem. Certainly I
find it a pain in the neck to have to change a password and
then remember what my password is.
    Mr. Greenwood. It is impossible for me to do it. That is
why I have a 15-year-old daughter to take care of that.
    Mr. Bodman. Well, you are way ahead of me, sir.
    In any event, it is something that we believe we can and
will get started on, and it is that factor that makes it
difficult to forecast exactly when we will be done. I guess the
truth is we will never be done because this has got to be an
ongoing effort.
    The Secretary and I are committed to supporting all of
these efforts ourselves under the leadership of our agency
heads and our CIOs, and we think that we will get there.
    And I want to thank you all for this opportunity of coming
here and addressing this matter relatively early in my tenure.
And I know I speak for the Secretary, since both of us have
come from the private sector and have managed publicly owned
companies, in saying that we recognize the kind of
responsibility we have for the management of these systems and
will do our best to get on top of these problems as quickly as
we can.
    Thank you.
    [The prepared statement of Hon. Samuel W. Bodman follows:]

    Prepared Statement of Samuel W. Bodman, Deputy Secretary, U.S.
                         Department of Commerce

    Good morning, Mr. Chairman. I appreciate this opportunity to
discuss the Information Technology Security Audit of the Department of
Commerce that was recently conducted by the General Accounting Office
(GAO).
Accompanying me today is Tom Pyke, Acting Chief Information
Officer for the Department. Although Tom took on this role only
recently, his information technology (IT) security experience includes
directing the National Institute of Standards and Technology's (NIST's)
program for the development of government-wide computer security
standards and guidelines.
    Secretary Evans and I are very concerned about the findings of this
GAO review because much of the work of the Department on behalf of our
citizens depends on the quality and integrity of our data and IT
systems. We thank the Committee and GAO for bringing this serious issue
to the attention of the Department's new leadership. Having managed the
IT security programs at Fidelity Investments and the Cabot Corporation,
I appreciate the critical importance of IT security, and I trust that
my management experience in this area will be of some value in meeting
the challenges presented by the findings of the GAO review.
    Speaking for the Secretary and myself, we accept the findings of
the GAO report, as to both the specific weaknesses identified in the
audit and their underlying causes. To correct these security problems
and prevent future incidents, Secretary Evans is acting to build a
strong and effective Commerce IT Security Program and to correct the
technical problems identified by the GAO audit.
    First, Secretary Evans has directed all Commerce agency heads to
focus their personal attention on establishing IT security as a
priority. Working in conjunction with their Chief Information Officers,
they will allocate necessary resources to assure that the Department's
data and IT systems are protected in order to avoid data loss, misuse,
or unauthorized access, and to assure the integrity and availability of
Commerce data.
In this connection, the Secretary has also recently
appointed a Senior Advisor for Privacy, another area important to
overall IT security.
    Second, the Secretary has ordered the implementation of a
Department-wide IT restructuring plan. The plan provides the
Departmental Chief Information Officer (CIO) with the authority to
guide individual agency CIOs as they address IT security problems. This
oversight function ensures that appropriate action will be taken at the
agency level to implement new Departmental IT policies. In the past,
the Departmental CIO apparently had little management authority, and
policy often stalled when it reached the agencies. I believe that the
new priority given this matter by Secretary Evans and me, our agency
heads and our CIOs will produce positive results.
    The plan also gives each of our CIOs the authority to manage IT
security, IT planning and operations, and IT capital investment review.
This new approach is in sharp contrast to the old way of doing business
in which CIOs apparently were not key members of the Commerce
management team.
    Third, Commerce has established an IT Security Task Force, which
will work under my personal oversight. This Task Force will improve
Commerce IT security by developing a comprehensive, Department-wide IT
security program. The Task Force is made up of individuals with
expertise in IT security management, including people from NIST, which
has a critical Government-wide role in developing standards and
guidelines for effective IT security programs. We also have enlisted
the assistance of the National Security Agency.
We appreciate NSA's
willingness to share its institutional knowledge and leadership in this
field as part of the Task Force.
    The new Task Force is already working on a fast track to develop an
effective IT Security Program for the Department and to identify
actions that Commerce should take quickly to bolster its IT security
posture. These recommendations for short-term action will be made in
the context of the Corrective Action Plans already developed by
Commerce agencies in response to specific concerns identified in the
GAO review.
    Furthermore, the program developed by the Task Force will address
the assessment of risks throughout the Department and the means for
providing security commensurate with those risks. The Task Force will
provide a roadmap for updating the Department's IT security policies,
develop an oversight process with compliance testing as a key
component, and plan a Department-wide IT security awareness training
program.
    The Task Force is also addressing specific issues, including
strengthening access controls for the Department's IT systems,
segregating assigned duties consistent with mitigating risk, and
developing policies and procedures for authorizing, testing, reviewing
and documenting software changes prior to implementation. Special
attention is being given to network security, an area the GAO audit
singled out in light of the Department's reliance on network
connectivity to carry out its mission. The Task Force is designing
recovery plans for the Department's sensitive systems; developing a
Department-wide IT security incident detection and response process;
and looking at other areas essential to a comprehensive Commerce IT
Security Program.
    The Secretary and I are committed to supporting the efforts of the
Commerce IT Security Task Force and to implementing its recommendations
throughout the Department.
Under the leadership of our agency heads and
our CIOs, and guided by the efforts of this Task Force, we are
confident that we are moving in the right direction, and that the
Department's IT security program will be effective.
    Again, thank you for this opportunity to discuss the IT security
initiatives underway at the Department of Commerce. Secretary Evans and
I appreciate that effective IT security is vital to the Department's
mission, and I am pleased that this important issue is among the first
I have devoted my time and attention to after having been sworn in last
week. I would be pleased to respond to any questions you may have.

    Mr. Greenwood. Thank you very much, Mr. Bodman.
    We are delighted to have you here. We are delighted to see
the prompt response to an issue that this subcommittee thinks
is crucial to our Nation's security, and we are very optimistic
that in the short time you have been here you have recognized
this problem, grappled with it, and are prepared, you as well
as the Secretary, prepared to move the department in the right
direction.
    Let me ask you a question. GAO notes in its testimony that
IT management at the department has been very decentralized
over the years, 14 different data centers, 20 independently
managed E-mail systems, hundreds and possibly thousands of
separate networks managed by individual bureaus or offices
within bureaus and lots of different connections to the
Internet, so much so that we are still not sure the department
even knows about all of them.
    How would the reforms you have discussed this morning
address what appears to be one of the fundamental problems
preventing the department from implementing an effective
security program?
    And, Mr. Pyke, if you would like to comment, you can do so
as well.
    Mr. Bodman. Well, let me comment generally, and then I will
ask Mr.
Pyke to give you more factual information.
    First of all, I think that is an accurate statement. We
have a very formidable task to bring to ground the management
of the information systems that currently reside within the
Commerce Department.
    The Commerce Department is difficult enough to manage
because of the highly disparate nature of the various bureaus
that reside therein. On top of that, we have a set of systems,
most of which are interrelated, that have grown a bit like
Topsy over the years and that do not use a common approach.
    And so we have had a department-wide effort to try to bring
more common systems such that they can be managed in a more
reasonable way, and that has been underway for some time.
    I will ask Mr. Pyke to speak to that.
    So we think that the competence and capability of this task
force will enable us to start getting our arms around this
issue, but I would be misrepresenting the facts if I were to
tell you that we were going to be done in any short period of
time. This is a long-time fix, and it will require our
attention over many years, and we expect to put a program in
place initially led by Mr. Pyke, and I hope led by him for many
years, that will deal with it.
    Tom, do you want to speak to that?
    Mr. Greenwood. Let me insert another question, Mr. Pyke,
that is related to that so that maybe you can answer both at
the same time.
    And that is can you describe the number of Commerce
personnel in these bureaus and at headquarters that are
dedicated to computer security and their level of training and
other job duties? So when you talk about what you are going to
be able to do, also if you could tell us how well equipped you
are in terms of person power.
    Mr. Pyke. Thank you, Mr.
Chairman.
    The CIO management structure that has now been put into
place and empowered by the Secretary and the Deputy Secretary,
which includes the department level CIO and CIOs for each of
the Commerce agencies, is now in the position to get on top of
the extensive IT systems and networks that the department has.
It is going to take a while to bring the necessary discipline
in the area of IT security into the management of all of those
systems and networks.
    It is important that at the departmental level we provide
suitable guidance that is generic and strong guidance that
provides a basis for the individual bureaus or agencies to get
moving and to devote the necessary resources to IT security.
    As the Deputy Secretary said, the department's mission is
broad, and the various agencies have diverse activities. And so
it is important that each one of them have a CIO leader who I
work very closely with, who is in a position to address the
specific kinds of issues relative to IT security and IT
management in general, on a continuing basis, that relate to
that agency's mission and the kinds of systems they have.
    At the present time, we have a very small number of people
at the department level devoted to IT security. We are
increasing that number of people and the amount of contract
support very substantially very fast.
    As was mentioned in earlier testimony, basically up until
very recently we had a single person and a couple of
assistants, and we are moving very fast now to bring on
additional people and have already begun doing that.
    At the bureau level, some of the bureaus have a significant
staff.
At NOAA, for example, there are several people, about \nthree government folks and several contractor folks who spend \nfull-time on IT security, and there are dozens of others across \nthe bureau that spend a lot of their time on IT security.\n    One of the things we are going to be doing is to make sure \nthat each of the bureaus has an appropriate number of \nindividuals who devote their time to IT security and to \nmanaging the program and making sure all of the technical \nprocesses are in place.\n    Mr. Greenwood. Let me ask you kind of an organizational \nchart question, a twofold question.\n    First off, looking at your position, describe if you would \nall of your responsibilities to the extent that this computer \nsecurity is a subset of your total duties. Do a similar \nexplanation for us for the CIOs of the different bureaus, and \nthen if you could explain to me, so I am interested in to what \nextent this is a subset of their duties, and explain to me what \nis changing, if anything, in terms of your ability to directly \ncommand, if you will, activities on the part of the CIOs at the \nvarious bureaus.\n    Mr. Pyke. 
First, the general role of the CIO at the \ndepartment level is to oversee all of the department's \ninformation technology activities, both its planning, \ndevelopment of policy at the departmental level, providing \nguidance relative to procedures, standards, and guidelines that \nneed to be administered on a department-wide level, to monitor \nthe compliance of the entire department, all of the bureaus \nwith the policies, with the standards, with the guidelines.\n    And with regard to IT security, that includes actually \nconducting compliance testing, including penetration testing of \na kind similar to what both GAO and the Inspector General's \nOffice have been doing, and in fact, that function we expect to \nbe carried out also at the Bureau level.\n    The planning functions of the CIO at the department level, \nas well as at the bureau level, include systematic review of \nproposals for new expenditures in IT, budget initiatives, \nreview in terms of all the way from return on investment to \nconsistency with our IT architecture, which guides our planning \nand guides our implementation of systems, to the plans for \noperating the systems and plans for implementing them, and \nnothing gets through our review without an IT security plan \nbeing an integral part of each proposal.\n    We also carry out control reviews of ongoing information \ntechnology projects and programs across the department, and we \nare involved in evaluating after the fact how development \nefforts have gone and putting that information in the hands of \nthe bureaus to build on.\n    So at the department level it is policy, procedures, \nguidance, compliance testing. 
At the bureau level the CIOs also \nare responsible for any specialized policy guidance that is \nnecessary, procedures that may be unique to the bureaus, with \noversight of the operations of IT within each of those \ninformation technology computer systems and networks within \neach of the bureaus, and with making sure that the policies and \nprocedures that are provided at the departmental level, and in \npart, provided on a Federal Government-wide level, are \nfollowed.\n    We expect that the bureau CIOs will include compliance \ntesting as part of their portfolio, too, and so what we will be \ndoing at the departmental level will be to oversee them and, on \na sampling basis, analogous to what the IG and what the GAO \nhave been doing----\n    Mr. Greenwood. So it will be your responsibility to make \nsure the CIOs and the bureaus have the resources they need so \nthat the buck will to some extent stop with you. If a bureau or \nCIO says, ``I am sorry that we are not doing the things that we \nshould be doing. We do not have the resources,'' that is when \nthey call you back, and then that is when Mr. Bodman decides \nwhether he is embarrassed again.\n    Mr. Pyke. Yes, except this time we have two things in \nplace. No. 1, we have this strong directive from the top to the \nagency heads themselves to get on top of IT security and to put \nthe necessary resources into it, and this should be a big help \nto each of the CIOs and provide their marching orders basically \nfrom the top.\n    Second, you asked about the reporting relationship a moment \nago. Each of the CIOs in the bureaus, each of those CIOs have a \ndual reporting responsibility. They report first to their \nagency head or the deputy head, and they also report to me. \nThey also report to the Commerce CIO.\n    And in fact, when it gets to the end of the year, I have a \ncut at their performance evaluation in collaboration with their \nline manager. So they receive guidance from the CIO. 
They \nreceive direction from the CIO. They are evaluated, in part, in \ntheir performance through the CIO. And I'm in a position to \nhelp them get the resources they need.\n    But the person in charge of the resources when it comes \nright down to it is their agency head, and the agency head has \nnow received appropriate direction.\n    Mr. Bodman. If I could add.\n    Mr. Greenwood. Please, sir.\n    Mr. Bodman. At the risk of contradiction, the buck stops at \nthe Secretary. The buck stops with me, and it is our \nresponsibility, and that is how every general manager must feel \nin order to make this work.\n    And this system that has been put in place calls for this \ndual reporting that Mr. Pyke has referred to quite correctly, \nand it is the only way that I am aware of, at least from my \nprior experience, when you have a crucial staff function to \nhave it work, whether it is financial reporting, whether it is \nsafety management, whether it is environmental management. It \nhas to be handled at the local basis with an empowered \nindividual who works for the local management, but who is \naudited and advised by a central, capable person. That is Mr. \nPyke.\n    And we believe that that dual reporting and that dual \nresponsibility will work, but make no mistake. The ultimate \nresponsibility, sir, is ours.\n    Mr. Greenwood. Very well. I appreciate that.\n    I would like to ask about the broader question, Mr. Bodman, \nof critical infrastructure. This will be my last question, and \njust for your information, we are aware that you have a \ncommitment at noon.\n    Mr. Bodman. Thank you, sir.\n    Mr. Greenwood. 
And we will get you out of here in about 15 \nminutes at the most.\n    As I understand it, the department has assigned one person \nat the headquarters level to work on these critical issues with \nlittle or no support or funding to oversee the bureau's efforts \nto identify, assess, and then fix vulnerabilities in its \ncritical systems.\n    As you know, the IG issued a report last year on this topic \nwhich was critical of the lack of progress from the \ndepartment's efforts to date. I want to read you some comments \nthat were written by the department's CIO office in response to \nlast year's IG audit of computer security policies and \nmanagement.\n    ``Given the lack of priority in funding by the Clinton \nadministration in the area of critical infrastructure \nprotection, we must disagree with the IG assertion that using \ninformation as security assessments scheduled to be performed \non the department's critical infrastructure system would result \nin more systems being certified while realizing significant \nsavings. In the event that the Bush administration raises the \npriority of critical infrastructure through the application of \nfunding, we will take advantage of assessments gained through \nthis avenue.''\n    What do you and the Secretary plan to do about this \nimportant issue, given that your department has so many systems \nand assets critical to our national and economic security and \nthe health and safety of our citizens?\n    Mr. Bodman. Well, I cannot speak to the views of the \nprevious CIO. I have never met the gentleman.\n    I can tell you that the approach that we have put in place \nthat I have described will, in fact, deal with these issues. I \ndo believe that these are crucial. I do believe that--I am not \nquite sure I understood the quote in its entirety, but I do \nbelieve that the efforts that we will put in will bear fruit.\n    In my view this is not so much a matter of additional \nfunding. 
We may find that we need additional funding, but this \nis more a matter of priority. This is more a matter of \nmanagement. This is a matter of placing importance on this \nfunction at the proper level so that we can deal with it. That \nis what this is about.\n    I do not think it is a matter principally of money, and so \nwe can count heads. We can count dollars, and we may need \nadditional heads and additional dollars, but this is more about \nthe people understanding that this has to be dealt with. This \nis more a matter of the bureau heads of the bureau CIOs \nunderstanding that we will deal with this and that we are going \nto do it.\n    Tom, do you want to add?\n    Mr. Greenwood. The Chair recognizes the gentleman from \nNorth Carolina to inquire.\n    Mr. Burr. Mr. Secretary, welcome. Mr. Pyke.\n    Mr. Secretary, let me thank you for one thing. I have been \non the oversight committee for 7 years. You are the first--my \nmemory is not great. I do not know if I could remember my \npassword--but you may be the first; I think you are the first \nperson who has testified who has ever, one, taken \nresponsibility regardless of how long they have been there and, \ntwo, not used funding as a reason why it could not be \naccomplished.\n    So if you keep those two things in the right perspective, I \nhave more confidence in any answer you can give me that we will \nmake tremendous progress at closing some of the problems that \nwe have got.\n    Mr. Bodman. Thank you, sir.\n    Mr. Burr. Let me ask you two fairly lengthy questions, and \nmy purpose for doing it is that these might be areas that you \nhave not looked at, and I would be remiss if I did not double \ncheck with both of you to ask on that short term list. Did \npassword management make it on that list today?\n    From the conversation I had with Mr. Frazier, is password \nmanagement now on that very quick to do list?\n    Mr. Bodman. Yes, it did. It sure did.\n    Mr. Burr. Thank you.\n    Mr. 
Bodman. Today it will be done.\n    Mr. Burr. Let me discuss and focus on BXA for a minute, \nwhich is one of the more sensitive bureaus within the \ndepartment and the subject of negative audits by both the IG \nand GAO.\n    The IG issued a report in June 1999 regarding BXA's \nmanagement of its computer system, particularly the ECASS \nsystem, which is the export control licensing system. At that \ntime the IG found that BXA did not have a security plan for the \nsystem. The risk assessment was 5 years old, and BXA had not \nconducted a security review of this system since the last Bush \nadministration, all of which had long been required under \nFederal law and under the policy directives.\n    And let me say my understanding of ECASS, given the nature \nof the licensing process that goes on, is that other agencies \nwith direct interest in that process would be electronically \nlinked: Department of Defense, the State Department, possibly \nthe intelligence community.\n    I won't ask you to assess whether that system is air gapped \nin any way, but I would have some belief that it is probably \nnot from some of the things that I have heard today. Therefore, \nI would think that it is very susceptible to a potential entry \npoint that sends them into some of the most sensitive areas \nsingularly through the ECASS system.\n    In response to the department's pledge to undertake those \nefforts promptly, yet as I understand GAO found the same things \nwith respect to the ECASS nearly 2 years later: still no \nsecurity plan, no risk assessment, and no security review \nconducted.\n    Do you know why these issues weren't addressed by now? And \nhow can we be confident that the department will take seriously \nthese issues in the future?\n    Mr. Bodman. First, I can tell you that we take it \nseriously. We take it so seriously that I am going to ask Mr. 
\nPyke to give you a detailed answer rather than my trying to \nparaphrase what he told me before we walked in here.\n    Mr. Burr. Thank you.\n    Mr. Pyke. Mr. Burr, the problems with ECASS and Bureau of \nExport Administration are being addressed, and they will be \naddressed even more intensively as get the strengthened IT \nsecurity program in place. As GAO conducted its audit, as they \nmade specific findings of weaknesses, attempts were made on the \nspot, in a very short period of time, to correct those specific \nfindings.\n    The bureau has also prepared and put in place a corrective \naction plan that has attempted to address, either already in \nmany cases, but certainly very quickly, all of the specific \nissues that GAO identified.\n    As a part of the task force effort that we have now put in \nplace at the department level, we are not only looking \ngenerically at computer security and all of the elements of a \ncomplete program, but we are looking at all of the specific \nfindings of GAO and of the Inspector General over the last 2 to \n3 years, to generalize on those, and to provide very quick \nadvice and guidance to the bureaus, including the individuals \nin BXA responsible for ECASS.\n    So all of the findings in each of the agencies can be \nresponded to in a general sense by all of the bureaus. All of \nthis is being applied toward ECASS, and I can assure you that \nattention is being given by the CIO in BXA and by us to the \nspecial concerns that have been expressed about ECASS, and some \nsteps have already been made, as I say, some steps, and we will \nwork with them to make sure that things are completely taken \ncare of in an appropriate way and that adequate protection is \nin place relative to the risks that they are confronted with.\n    Mr. Burr. 
I appreciate that answer, and I think you \nunderstand the sensitivity of where someone might venture if, \nin fact, the correct level of security does not exist within \nthat system.\n    Mr. Bodman, I note that NIST computer security personnel \nplayed a prominent role in your new task force, but I cannot \nhelp but be concerned about that, given that despite it, its \npurported role is the government's expert on computer security.\n    NIST itself fared rather poorly in the recent IG \npenetration test and was the subject of a repeat finding in \n1999 and 2000 regarding the lack of security plans for its \nsystem.\n    In addition, the self-assessments that were performed by \nthe bureau last year revealed that NIST was just as bad, if not \nworse, than most of the bureaus when it came to complying with \nthe Federal guidelines on computer security, including those \nthat NIST itself had crafted.\n    Should we be concerned? If we were concerned before this \nhearing, should we be concerned after this hearing?\n    Mr. Bodman. That is not one I am going to burden Mr. Pyke \nwith answering since at one point in his life he was \nresponsible for the information operations at NIST.\n    Mr. Burr. That is why I directed the question to you.\n    Mr. Bodman. I think it is entirely consistent with what we \nhave been saying. This is not a problem with technology. This \nis a problem with management. This is a problem with priority.\n    And to the extent that this becomes a matter that the \nbureau manager feels a responsibility for, then it will be \ndealt with, and to the extent that it is not something that the \nbureau leadership feels responsible for, it will not be dealt \nwith because it is not something that the human being naturally \ndoes.\n    This is something that is easily ignored, just given the \nnature of the fact that we all like to do something. We all \nhave our own jobs. 
The thing that gives me great pleasure each \nday is not worrying about my password management. I have other \nthings that I like to do that I am, I think, a little better at \nsince I seem to have difficulty remembering the password from \ntime to time.\n    And so I think the fact that we are using the technical \nskills at NIST as a part of this is entirely understandable and \nbears no relationship to how that particular agency was \nevaluated with respect to the management of its information.\n    Mr. Burr. I thank you for that answer.\n    As a member of this committee, my goal every year is the \nhope that I will not see the same witnesses on the same issue \nat any point in the future. That goal has not been fulfilled \nyet, but I have reason to believe that as it relates to the \nsecurity issue and you being here, this might be the last time \nthat we have this conversation, unless it is to report on the \nprogress that you have made.\n    I thank you.\n    Mr. Bodman. I thank you, sir.\n    Mr. Burr. Thank you, Mr. Chairman.\n    Mr. Greenwood. I thank the gentleman.\n    And on that point, the report on progress, might we expect \na report in 6 months from the department as to how you have \nresponded to these issues?\n    Mr. Bodman. We would be happy to report, sir, whenever you \nwish.\n    Mr. Greenwood. Okay. We appreciate that.\n    Again, thank you for your presence, for your testimony, for \nyour good work. Welcome to Washington, and we look forward to \nworking with you on a number of issues.\n    Thank you again.\n    Mr. Bodman. Thank you very much.\n    Mr. Greenwood. 
This hearing is adjourned.\n    [Whereupon, at 11:45 a.m., the subcommittee was adjourned.]\n    [Additional material submitted for the record follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T4853.001\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.002\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.003\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.004\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.005\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.006\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.007\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.008\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.009\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.010\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.011\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.012\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.013\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.014\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.015\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.016\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.017\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.018\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.019\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.020\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.021\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.022\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.023\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.024\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.025\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.026\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.027\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.028\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.029\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.030\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.031\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.032\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.033\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.034\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.035\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.036\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.037\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.038\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.039\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.040\n    \n    
[GRAPHIC] [TIFF OMITTED] T4853.041\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.042\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.043\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.044\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.045\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.046\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.047\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.048\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.049\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.050\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.051\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.052\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.053\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.054\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.055\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.056\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.057\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.058\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.059\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.060\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.061\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.062\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.063\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.064\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.065\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.066\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.067\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.068\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.069\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.070\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.071\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.072\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.073\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.074\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.075\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.076\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.077\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.078\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.079\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.080\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.081\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.082\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.083\n    \n    [GRAPHIC] [TIFF 
OMITTED] T4853.084\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.085\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.086\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.087\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.088\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.089\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.090\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.091\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.092\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.093\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.094\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.095\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.096\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.097\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.098\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.099\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.100\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.101\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.102\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.103\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.104\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.105\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.106\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.107\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.108\n    \n    [GRAPHIC] [TIFF OMITTED] T4853.109\n    \n\x1a\n</pre></body></html>\n"